Snort keeps blocking my WAN
-
I am on the latest version as of today's date, 29/01/2015. Latest Snort and pfSense.
I don't have my config available at the moment as I'm at work, but Snort has blocked my WAN IP address … again.
It did this the other day; there must have been a rule that kicked it off, but is there not a way to "not block WAN no matter what"?
What have I missed?
-
The WAN IP is automatically included in the default PASS LIST (or the "do not block" list), so it should never be blocked. However, if you create a custom PASS LIST and assign it to the interface, you must be sure to leave the box checked in the Pass List dialog for including the WAN IP. Another possibility is that your WAN IP is frequently changing and Snort is not getting restarted, so it cannot recognize the WAN IP change and update its in-memory table.
Bill
-
I do have a dynamic IP, but it doesn't change that often …
Is there a way, if it was the Snort WAN IP changing issue, to help resolve that in the future?
-
Well, I'm home, and after the predetermined timeout for Snort blocking it came back as expected. The pass list I have has one IP, and all the "add auto-generated IP address" boxes are ticked.
-
Could it be this ….
Which IP to Block [BOTH]: Select which IP extracted from the packet you wish to block.
Hint: Choosing BOTH is suggested, and it is the default value.
So when Snort is blocking something like a UDP filtered scan, it seems to be blocking the WAN also?
Or maybe I'm missing something?
My current WAN IP is in that default list…. Is there any way to make Snort check the WAN IP more often?
-
It should not be blocking your WAN IP unless Snort is not getting restarted when your WAN IP changes. Remember that Snort only reads the Pass List contents once at startup. It stores the contents in a memory array and refers to that array when getting ready to block an IP. If the IP is in the memory list, it is not blocked. If it's not in the memory list, it is blocked. But this memory list is only created at startup and is not updated again until Snort restarts.
The BOTH selection should be fine. You can change it if you wish, but depending on the direction of traffic, it may not help with your blocking problem. I think that issue is caused by Snort not recognizing that your WAN IP updated.
If your WAN IP changes and Snort does not restart, you can get a block. You should see some system log entries when your WAN IP changes. Look for a line near the IP change message that says "…restarting packages...". If you don't see that line, and your IP changed, that's going to be the problem. You would next need to determine why the packages did not restart. Have you applied any manual patches to pfSense itself?
Bill
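The two mechanisms Bill describes above (the pass list is read once at Snort start-up and frozen in memory, and a WAN address change only reaches Snort if the packages restart) modelled as an added example. This is illustrative code written for this thread, not code from the pfSense Snort package: the sample syslog lines are constructed, the exact wording of pfSense's rc.newwanip and package-restart messages is an assumption (the regexes match loosely for that reason), and `SnortPassList`, `simulate_dynamic_wan` and `wan_changes_without_restart` are names chosen here.

```python
"""Why a dynamic WAN address can end up blocked, and a check over the system log.

Added example for the thread above, not code from the pfSense Snort package.
Log line formats are constructed; the real message wording is an assumption.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple


class SnortPassList:
    """Pass list as the running Snort process sees it: read once at start-up
    and held in memory until the next restart."""

    def __init__(self, entries: Iterable[str]) -> None:
        self._snapshot = frozenset(ipaddress.ip_address(e) for e in entries)

    def restart(self, entries: Iterable[str]) -> None:
        """Only a restart re-reads the on-disk list into memory."""
        self._snapshot = frozenset(ipaddress.ip_address(e) for e in entries)

    def should_block(self, ip: str) -> bool:
        """Decision for an IP extracted from an alerting packet:
        in the in-memory list means never blocked, otherwise it is blockable."""
        return ipaddress.ip_address(ip) not in self._snapshot


def on_disk_pass_list(custom_entries: Iterable[str], wan_ip: str,
                      include_wan: bool = True) -> List[str]:
    """What gets written to disk: the custom entries plus, if the
    'auto-generated' WAN box is ticked, the interface's current address."""
    entries = list(custom_entries)
    if include_wan:
        entries.append(wan_ip)
    return entries


def simulate_dynamic_wan(custom_entries: Iterable[str], first_wan: str,
                         second_wan: str, include_wan: bool,
                         packages_restarted: bool) -> Tuple[bool, bool]:
    """Return (blocked_before_change, blocked_after_change) for the WAN address.

    The second value is True exactly when the lease renews to `second_wan`
    and Snort keeps its stale start-up snapshot because no restart happened."""
    snort = SnortPassList(on_disk_pass_list(custom_entries, first_wan, include_wan))
    before = snort.should_block(first_wan)
    # The WAN address changes and the file on disk is rewritten ...
    disk = on_disk_pass_list(custom_entries, second_wan, include_wan)
    # ... but the running Snort only notices if the packages are restarted.
    if packages_restarted:
        snort.restart(disk)
    after = snort.should_block(second_wan)
    return before, after


# Constructed syslog lines (assumed format): first change is followed by a
# package restart, the second is not, so the second address is at risk.
SAMPLE_SYSLOG = """\
Jan 29 07:12:01 pfsense php: rc.newwanip: on (IP address: 198.51.100.23) (interface: wan)
Jan 29 07:12:02 pfsense php: rc.newwanip: Restarting/Starting all packages.
Jan 29 19:40:10 pfsense php: rc.newwanip: on (IP address: 198.51.100.77) (interface: wan)
Jan 29 19:40:11 pfsense php: rc.newwanip: Creating rrd update script
"""

WAN_CHANGE = re.compile(r"rc\.newwanip:.*IP address:\s*([0-9.]+)\).*interface:\s*wan\)")
PKG_RESTART = re.compile(r"restart\w*.{0,20}?packages", re.IGNORECASE)


def wan_changes_without_restart(log_lines: Iterable[str], window: int = 5) -> List[str]:
    """Return WAN addresses whose change message is not followed, within
    `window` lines, by a package-restart message (Bill's check, automated)."""
    lines = list(log_lines)
    suspect = []
    for i, line in enumerate(lines):
        m = WAN_CHANGE.search(line)
        if not m:
            continue
        following = lines[i + 1:i + 1 + window]
        if not any(PKG_RESTART.search(f) for f in following):
            suspect.append(m.group(1))
    return suspect


if __name__ == "__main__":
    custom = ["192.0.2.10"]  # the one custom entry from the poster's list
    print("no restart:", simulate_dynamic_wan(custom, "198.51.100.23", "198.51.100.77", True, False))
    print("restarted: ", simulate_dynamic_wan(custom, "198.51.100.23", "198.51.100.77", True, True))
    print("WAN box unticked:", simulate_dynamic_wan(custom, "198.51.100.23", "198.51.100.77", False, True))
    print("changes lacking a package restart:",
          wan_changes_without_restart(SAMPLE_SYSLOG.splitlines()))
```

The simulation shows the three cases from the thread: with the WAN box ticked and a restart after each change the address is never blockable; with the box ticked but no restart, the new address is blockable until Snort restarts; with the box unticked it is blockable regardless. On a real box the log check would be fed the system log rather than the constructed lines, after adjusting the regexes to the actual message text.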