Snort blocks even after force disabling rule



  • Trying to run speedtest.net and getting blocked by Snort over and over again even after force disabling the rules.  Other problems as well.  Don't want to but will disable Snort until things get s(n)orted out.

    Edit: This is after upgrading to 2.3



  • When you go to the ALERTS tab after disabling the rule, is the SID shown with a yellow X icon?

    And if you hover over that icon, does a tooltip pop up and say the rule is disabled?

    If the above are "yes", then does the rule showing as the cause of the block on the BLOCKS tab have the same SID as the disabled rule on the ALERTS tab?

    When you disabled the rule, did you then go to the BLOCKS tab and clear the blocked host (by clicking the red X icon to remove the blocked host)?  You can also do this on the ALERTS tab.

    If the answers to all of the above questions are "yes" and the issue is still happening, go to the INTERFACES tab in Snort and restart Snort on the interface.  Test again and report back here.

    Bill



  • The answer to all questions is 'yes'.  However, I reinstalled PF2.3 and Snort appears to be behaving.  Can't explain that except that perhaps something happened on the initial install.  Now if I could only get CRON to work.  Thanks for your reply.  To address my CRON issue, I am going to install 2.2.6 (confirm CRON is working correctly) and then upgrade to 2.3.  I have two machines; one that was already in use which I successfully upgraded and this one which I just now built and installed 2.3 on a virgin drive.  You'd think that would have gone better but that's the one having issues.  I will investigate if there is something different about installing fresh vs upgrading.  I don't see why there would be a difference though.



  • @slimypizza:

    The answer to all questions is 'yes'.  However, I reinstalled PF2.3 and Snort appears to be behaving.  Can't explain that except that perhaps something happened on the initial install.  Now if I could only get CRON to work.  Thanks for your reply.  To address my CRON issue, I am going to install 2.2.6 (confirm CRON is working correctly) and then upgrade to 2.3.  I have two machines; one that was already in use which I successfully upgraded and this one which I just now built and installed 2.3 on a virgin drive.  You'd think that would have gone better but that's the one having issues.  I will investigate if there is something different about installing fresh vs upgrading.  I don't see why there would be a difference though.

    Can't answer your CRON problems, but another reason you might have been seeing those blocks is from a duplicate Snort process.  That can happen now and then for some reason.  That duplicate process would not be honoring the rule changes you were making in the active process the GUI was spawning. Rebooting/reinstalling from scratch would have killed that zombie.

    Bill
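A check for the duplicate-process condition described in the post above, runnable from the firewall shell. This is an added example, not part of the original thread: the sample `ps` output is constructed, and the script assumes each Snort instance is started with `-i <interface>` on its command line.

```shell
#!/bin/sh
# Constructed sample of `ps -axww -o pid,command` output: two Snort
# processes bound to em0 (one is the stale duplicate), one bound to em1.
sample_ps() {
cat <<'EOF'
  PID COMMAND
  412 /usr/local/bin/snort -R 51234 -D -q -l /var/log/snort/snort_em051234 -c /usr/local/etc/snort/snort_51234_em0/snort.conf -i em0
 9917 /usr/local/bin/snort -R 51234 -D -q -l /var/log/snort/snort_em051234 -c /usr/local/etc/snort/snort_51234_em0/snort.conf -i em0
  530 /usr/local/bin/snort -R 60021 -D -q -l /var/log/snort/snort_em160021 -c /usr/local/etc/snort/snort_60021_em1/snort.conf -i em1
  777 grep snort
EOF
}

# Reads "PID COMMAND..." lines on stdin and prints "iface: pid pid ..."
# for every interface that has more than one Snort process attached.
# A process still running with the old rule set keeps blocking even
# though the GUI shows the rule as disabled.
find_duplicate_snort() {
  awk '
    $2 ~ /(^|\/)snort$/ {          # match the binary itself, not "grep snort"
      iface = ""
      for (i = 3; i < NF; i++)     # find the value following -i
        if ($i == "-i") iface = $(i + 1)
      if (iface == "") next
      if (count[iface]++)
        pids[iface] = pids[iface] " " $1
      else
        pids[iface] = $1
    }
    END {
      for (iface in count)
        if (count[iface] > 1) print iface ": " pids[iface]
    }'
}

# On a live system: ps -axww -o pid,command | find_duplicate_snort
sample_ps | find_duplicate_snort
```

Any interface listed has more than one Snort process; compare the PIDs against the one the GUI started before deciding which to stop.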



  • Good point and that is exactly what I was experiencing with Snort.  Seems to be working OK now after reinstall.  And just to follow up on my CRON issues, that has cleared up as well. One of my CRON entries uses the wget command.  I'd forgotten I had to install that command as it is not native to the pfSense package.  So, for the machine I updated to 2.3 the wget command was already there and CRON worked.  For the machine I installed a fresh 2.3 the wget command was not there so CRON did not work and I assumed it was for some other reason.  Once I had time to look closer I realized the problem.  All is running smoothly now.  Again, thanks for your response.

