Snort 3.2.9.1 on PFSense 2.2.6 - Alert but no host in Blocked list
-
Hello,
I have installed from scratch a new PFSense firewall 2.2.6 using Snort 3.2.9.1.
I have configured things for "Block Offenders" and it seems to work, since alerts are displayed in the "Alerts" tab.
I'm blocking "BOTH" sources in "Which IP to block".
The problem is that there is no host listed in the "Blocked" tab.
I have another PF configured in the same way and it works like a charm. Does anyone have an idea on this issue?
I have tried reinstalling the Snort package, starting/stopping the interface and rebooting; nothing works.
Thanks for help
-
In the Blocked tab, update "Number of entries to show" to 1000 and save, and also enable Kill States.
-
Hello, thanks for help.
I have already played with these settings without success.
I have reset to 1000 and Kill States was already active, but still nothing in the Blocked list :(
-
If I click on "download" in the Blocked tab (just to be sure that it's not a display problem) I get the error "No content on snort block list".
-
upgraded to PF 2.3 and still the same issue…
-
Update to the most recent Snort package (version 3.2.9.1_12) posted a few minutes ago. That contains the fix for your "no blocks" problem. In the original Bootstrap conversion of the Snort package, some values were incorrectly set for an array holding the snort.conf parameter settings for the blocking plugin. As a result, when a new or fresh install enabled blocking, the blocking plugin was fed an incorrect parameter which it ignored and thus did not enable blocking.
Bill
-
Thanks for help. I have reinstalled from scratch, so I cannot verify whether this package fixes the issue.
-
I'm having the same issue. I have alerts but they are not being blocked except for 1. Not sure why that particular 1 alert was blocked, but none others are being blocked.
Snort 3.2.9.1_12, pfSense 2.3 Release.
I have both Block Offenders & Kill States checked w/ "BOTH" selected in "Which IP To Block". Kill States was default activated, and I've tried the 1000 entries and made no difference.
-
To be sure your "# of blocks to display" parameter is not corrupted, type a number in the box (say 250) and then explicitly save it using the SAVE button on the BLOCKS tab. There was a previous bug that could result in a bogus value getting stored.
Also look under DIAGNOSTICS > TABLES and see if any IP addresses are shown in the snort2c table. The BLOCKS tab simply reads out the values from that table and displays them. The bug I mentioned caused it to only display 1 address, though.
Bill
-
To be sure your "# of blocks to display" parameter is not corrupted, type a number in the box (say 250) and then explicitly save it using the SAVE button on the BLOCKS tab. There was a previous bug that could result in a bogus value getting stored.
OK did that.
Also look under DIAGNOSTICS > TABLES and see if any IP addresses are shown in the snort2c table.
Says:
Date of last update of table is unknown. 1 records.
and displays the 1 record that is also displayed in the "Blocked" tab.
-
I just got another alert and it has appeared in the Blocked list. So maybe it's working again now.
-
I suspect it is working now. That bug with the number of entries to display on the BLOCKS tab would cause it to by default display just one row. Forcibly saving a new numerical value would fix any bogus value that might have gotten saved when the bug was in the code.
All these things are fallout from the Bootstrap conversion of the package. Bootstrap implements things a bit differently than the old system, and lots of things related to form input elements had to be changed in the GUI code.
Bill
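-
Added example, not part of the thread and not code from the Snort package: a shell check for the "alerts but no blocks" symptom that compares alerted addresses against a dump of the snort2c table (the same table shown under DIAGNOSTICS > TABLES, dumped with `pfctl -t snort2c -T show`). Assumptions: the alert log is CSV with the source IP in column 7 and the destination IP in column 9, the optional pass list is one plain address per line, and the function name and sample data are constructed for illustration.

```shell
#!/bin/sh
# Assumed alert CSV layout: source IP in column 7, destination IP in column 9.
# Override with SRC_COL / DST_COL if your log differs. A rule message that
# itself contains commas shifts the columns and is not handled here.

# unblocked_alert_ips ALERT_CSV TABLE_DUMP [PASS_LIST]
# Prints each alerted IP (source or destination, matching the "BOTH" setting)
# that is missing from the table dump and from the optional pass list.
unblocked_alert_ips() {
    awk -F, -v s="${SRC_COL:-7}" -v d="${DST_COL:-9}" '
        mode == "skip" {                 # table dump / pass list: one IP per line
            gsub(/[ \t\r]/, "")          # pfctl indents each address
            if ($0 != "") skip[$0] = 1
            next
        }
        {                                # alert rows
            n = split($s "," $d, ip, ",")
            for (i = 1; i <= n; i++)
                if (ip[i] != "" && !(ip[i] in skip) && !(ip[i] in seen)) {
                    seen[ip[i]] = 1
                    print ip[i]
                }
        }
    ' mode=skip "$2" "${3:-/dev/null}" mode=alert "$1"
}

# Constructed sample data (documentation address ranges), not real logs.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/alert.csv" <<'EOF'
04/20/16-10:01:02,1,2000001,1,"constructed rule A",TCP,203.0.113.10,4444,192.0.2.5,80,1,misc,2
04/20/16-10:03:09,1,2000002,1,"constructed rule B",TCP,198.51.100.7,5555,192.0.2.5,22,2,misc,2
EOF
    printf '   203.0.113.10\n' > "$tmp/snort2c.txt"  # as from: pfctl -t snort2c -T show
    printf '192.0.2.5\n' > "$tmp/pass.txt"           # firewall address, never blocked
    unblocked_alert_ips "$tmp/alert.csv" "$tmp/snort2c.txt" "$tmp/pass.txt"
    rm -rf "$tmp"
}
demo   # prints 198.51.100.7
```

An empty result means every alerted address is either in the table or on the pass list; a long list while the table dump is empty matches the symptom reported in this thread.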