Snort Doesn't Expire Blocked Hosts

  • Hi all –
    I've been having the same problem with snort for a while now.  I think this problem has been present for me for most of the 1.2 pre-releases and it still is a problem.

    Snort will install OK.  I configure snort to detect on my WAN, block offenders, update rules automatically, and whitelist VPNs (I use OpenVPN).  I update the rules.  I choose the categories to block.  After that snort seems to detect fine.  The problem is the blocked hosts, as shown in the blocked tab, never are removed.  It blocked me once when I was VPNed into the pfSense box.  I expected to be able to try again in an hour (I gave it two), but it never let me in again.  When I had access to it again I looked at the Web GUI and, sure enough, it had blocked me but never expired the block.  Thus, I could never access the VPN until I manually cleared the block from the GUI.

    Installing snort means I must handhold the router and manually clear blocked hosts occasionally.  This is really annoying to say the least.

    There is only one line in /etc/crontab:

    #cat /etc/crontab
    */60	* 	 1	 *	 *	 root	 /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php

    That didn't surprise me too much because I think most things were moved from crontab into the config.xml.  So I looked there.

    #cat /cf/conf/config.xml | grep snort2c

    There was no output.  So I checked using pfctl.

    # pfctl -rt snort2c -vT show
    ```Again, no output.
    I'm at a loss.  Every time I've upgraded versions of pfSense they have been complete fresh reinstalls.  Thus, I don't think this behavior is an artifact of a bad upgrade process.  It was annoying enough that I was going to leave snort uninstalled, but I decided to try to get it working right with a little help.
    I'm very technical, but have only slight knowledge of pfSense internally.  The above debugging steps were surmised from searches in this forum.  If someone can point me to some other useful information, or lead me through some debugging, I would greatly appreciate it.  Thanks.

  • There should be an item in crontab called expiretable that is run periodically.  Do you not see then in /etc/crontab?

  • The only entry in /etc/crontab is shown in the original post.  There is no expiretable entry.  I remember that used to be present in my snort installs in the 1.1 days.

    So snort is still using cron to expire rules?  I must have been mistaken that the expire mechanism was changed.