    Netgate Discussion Forum
    PfSense2.3RC - snort removes blacklist after reboot?

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    cremesk:

      Hi,

      I have the following settings for Snort:

      see attachment: snort_general-settings.png

      But Snort deletes all blocked entries after a reboot. I think this is not so good. Is it a bug, or can we have a checkbox for the setting option 'delete after reboot' '0|1'?
      (An alert list is also required.)

      Sven

    bmeeks:

        I have posted this information numerous times in the past.  Snort does not have a "block list".  All it does is stuff IP addresses in the firewall's packet filter table called "snort2c".  It does this real time, and then forgets about the IP.  When you view "blocked IPs", all you are seeing is the list of IP addresses in that firewall table.  That table is maintained in RAM by pfSense.  This list does not persist across a reboot.  There is no need.  If the offender attacks you again, Snort will block it again just like it did the first time.  No benefit at all of persisting a block list forever someplace.

        The behavior you describe is by design.

        Bill

    cremesk:

          Okay, thank you! I will learn every day ;)

          Sven

    bmeeks:

            I re-read my reply and it sort of sounds like a rant and that was not the intent.  It's just that this is a somewhat frequent complaint/request that I have answered a number of times.

            If you consider that the vast majority of actual malicious attacks from the Internet are going to be using the equivalent of "throw away" IP addresses, then maintaining say 100,000 or more previously blocked IP addresses won't be very productive.  The attacker will abandon one and just switch to some other IP address to spoof.  So that attack yesterday from one address is likely to come from a new and different one today.  So why burden your firewall with storing thousands and thousands of old blocked IPs?  Also, what if this month 100 of the ones you blocked last month are now in use by legitimate web sites/users that mysteriously can't reach your system because of the block from last month?

            If Snort (or Suricata) was smart enough to catch the attack and block it today from IP address 1.2.3.4, then why would you think it can't detect and block the same attack tomorrow from IP address 1.2.3.4?  Why should it keep a running list of previous blocks?  And so long as you don't reboot the firewall (and if you have the Clear Blocked Hosts parameter set to Never), then the IP will stay in the snort2c table and remain blocked until a reboot.  However, I don't recommend folks run Snort that way.  You want the blocked hosts to clear out on a fairly frequent basis.  I personally have mine set to one hour.  What if the block was just a false positive?  Would you want the false positive to stay blocked forever?  Likely not.  So I recommend choosing a reasonably short interval for the Clear Blocked Hosts parameter, but not Never.

            Bill

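As an added illustration of the two points Bill makes (the "block list" is nothing but the in-kernel pf table snort2c, and it should be aged out on a short interval rather than persisted), here is a small POSIX sh helper set written for this thread; it is not code from the pfSense Snort package. It assumes pfctl is on the PATH when run on the firewall and falls back to a constructed sample of `pfctl -t snort2c -T show` output elsewhere; the history log path and the `-T expire` ageing call are my own choices, not package settings.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense Snort package.
# The "blocked hosts" Snort shows are just the entries of the pf table
# snort2c, which lives in kernel memory and is empty after a reboot.
# These helpers look at the table, age it out, and keep an append-only
# history log so an admin can review past blocks without persisting them
# as active blocks (the thread explains why persisting is a bad idea).

TABLE="${SNORT2C_TABLE:-snort2c}"
LOG="${SNORT2C_LOG:-/var/log/snort2c_history.log}"

# Constructed sample of `pfctl -t snort2c -T show` output, used when pfctl
# is not available (e.g. when run off the firewall). Documentation ranges.
SAMPLE_SHOW='   192.0.2.10
   198.51.100.7
   203.0.113.99
'

# Print the current table contents, one address per line, padding removed.
snort2c_show() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$TABLE" -T show 2>/dev/null
    else
        printf '%s' "$SAMPLE_SHOW"
    fi | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Number of addresses currently blocked via the table.
snort2c_count() { snort2c_show | wc -l | tr -d ' '; }

# Append each blocked address to the history log with a UTC timestamp,
# skipping addresses already logged so a frequent cron run stays quiet.
snort2c_log_new() {
    logfile="${1:-$LOG}"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    touch "$logfile"
    snort2c_show | while read -r ip; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
        grep -q "[[:space:]]$esc\$" "$logfile" \
            || printf '%s %s\n' "$ts" "$ip" >> "$logfile"
    done
}

# Age out entries older than N seconds (default one hour, the interval Bill
# uses). Assumption: pfctl's "-T expire N" removes entries added more than
# N seconds ago; this mirrors what a short Clear Blocked Hosts setting does.
snort2c_expire() {
    secs="${1:-3600}"
    command -v pfctl >/dev/null 2>&1 && pfctl -t "$TABLE" -T expire "$secs"
}
```

Run `snort2c_log_new` from cron every few minutes to keep a record of what was blocked; the table itself is still cleared by the normal interval and by any reboot.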
