Snort 3.2.6 not saving alert or block list when pfsense is rebooted
-
Snort 3.2.6 is not saving the alert & block list when pfsense is rebooted, I thought it used to keep this data?
Remove Blocked Hosts Interval set to Never
Remove Blocked Hosts After Deinstall unticked/unchecked
Keep Snort Settings After Deinstall is ticked/checked -
Nope, blocks have never been persistent across reboots nor packet filter resets. Snort hands the IP addresses to block off to the packet filter by stuffing them in a pfSense system table called <snort2c>. This alias table is recreated from scratch on each reboot of the firewall, so any existing IPs are lost when the table is recreated. It has always worked this way for both Snort and Suricata.
Bill</snort2c>
-
Ok my bad then.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.