Netgate Discussion Forum

    PfSense2.3RC - snort removes blacklist after reboot?

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    4 Posts 2 Posters 3.2k Views
    • C
      cremesk
      last edited by

      hi,

      i have the following settings for snort:

      see attachment: snort_general-settings.png

      but Snort deletes all blocked entries after a reboot. I think this is not so good... Is it a bug, or
      can we have a checkbox for the setting option 'delete after reboot' '0|1'?
      (an alert list is also required)

      Sven

      • bmeeksB
        bmeeks
        last edited by

        I have posted this information numerous times in the past.  Snort does not have a "block list".  All it does is stuff IP addresses in the firewall's packet filter table called "snort2c".  It does this real time, and then forgets about the IP.  When you view "blocked IPs", all you are seeing is the list of IP addresses in that firewall table.  That table is maintained in RAM by pfSense.  This list does not persist across a reboot.  There is no need.  If the offender attacks you again, Snort will block it again just like it did the first time.  No benefit at all of persisting a block list forever someplace.

        The behavior you describe is by design.

        Bill

        • C
          cremesk
          last edited by

          Okay, thank you! I will learn every day ;)

          Sven

          • bmeeksB
            bmeeks
            last edited by

            I re-read my reply and it sort of sounds like a rant and that was not the intent.  It's just that this is a somewhat frequent complaint/request that I have answered a number of times.

            If you consider that the vast majority of actual malicious attacks from the Internet are going to be using the equivalent of "throw away" IP addresses, then maintaining say 100,000 or more previously blocked IP addresses won't be very productive.  The attacker will abandon one and just switch to some other IP address to spoof.  So that attack yesterday from one address is likely to come from a new and different one today.  So why burden your firewall with storing thousands and thousands of old blocked IPs?  Also, what if this month 100 of the ones you blocked last month are now in use by legitimate web sites/users that mysteriously can't reach your system because of the block from last month?

            If Snort (or Suricata) was smart enough to catch the attack and block it today from IP address 1.2.3.4, then why would you think it can't detect and block the same attack tomorrow from IP address 1.2.3.4?  Why should it keep a running list of previous blocks?  And so long as you don't reboot the firewall (and if you have the Clear Blocked Hosts parameter set to Never), then the IP will stay in the snort2c table and remain blocked until a reboot.  However, I don't recommend folks run Snort that way.  You want the blocked hosts to clear out on a fairly frequent basis.  I personally have mine set to one hour.  What if the block was just a false positive?  Would you want the false positive to stay blocked forever?  Likely not.  So I recommend choosing a reasonably short interval for the Clear Blocked Hosts parameter, but not Never.

            Bill

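As an added example (not code from the thread or from the pfSense Snort package), a small POSIX shell helper that inspects the in-memory snort2c pf table described in both of Bill's replies and writes a timestamped copy for review before a reboot; it assumes pfctl is available on the firewall and that the log path under /var/log is writable.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# Assumes a pfSense/FreeBSD host with pfctl on PATH; "snort2c" is the pf table
# named in Bill's reply. The table lives in RAM, so a reboot empties it.

# Read "pfctl -t <table> -T show" style output on stdin (one address per
# line, possibly with leading whitespace) and print IPv4/IPv6 entry counts.
summarise_table() {
    awk 'NF { if ($1 ~ /:/) v6++; else v4++ }
         END { printf "ipv4=%d ipv6=%d\n", v4 + 0, v6 + 0 }'
}

# Save the current snort2c table to a file for later review (for example to
# check a suspected false positive after the entries have been cleared).
# Returns non-zero if pfctl is unavailable or the table does not exist.
snapshot_snort2c() {
    out="${1:-/var/log/snort2c-$(date +%Y%m%d-%H%M%S).txt}"
    pfctl -t snort2c -T show > "$out" 2>/dev/null || return 1
    printf '%s: ' "$out"
    summarise_table < "$out"
}

# Usage on the firewall (left commented so the functions can be sourced):
# snapshot_snort2c      # writes /var/log/snort2c-<timestamp>.txt, prints counts
```

Snapshotting is for review only; the thread's point stands that re-adding old entries after a reboot is unnecessary, since Snort blocks a repeat offender again on the next match.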
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.