
Author Topic: pfSense2.3RC - snort removes blacklist after reboot?  (Read 1973 times)


Offline cremesk

pfSense2.3RC - snort removes blacklist after reboot?
« on: April 06, 2016, 08:40:14 am »
hi,

i have the following settings for snort:
Code:
see attachment: snort_general-settings.png

but snort deletes all blocked entries after a reboot. i think this is not so good.. is it a bug, or
can we have a checkbox for the setting option: 'delete after reboot' '0|1'?
(alertlist is also required)

Sven
« Last Edit: April 06, 2016, 08:44:46 am by cremesk »

Offline bmeeks

Re: pfSense2.3RC - snort removes blacklist after reboot?
« Reply #1 on: April 06, 2016, 06:31:52 pm »
I have posted this information numerous times in the past.  Snort does not have a "block list".  All it does is stuff IP addresses in the firewall's packet filter table called "snort2c".  It does this in real time, and then forgets about the IP.  When you view "blocked IPs", all you are seeing is the list of IP addresses in that firewall table.  That table is maintained in RAM by pfSense.  This list does not persist across a reboot.  There is no need.  If the offender attacks you again, Snort will block it again just like it did the first time.  No benefit at all in persisting a block list forever someplace.

The behavior you describe is by design.

Bill

Offline cremesk

Re: pfSense2.3RC - snort removes blacklist after reboot?
« Reply #2 on: April 07, 2016, 02:25:47 am »
Okay, thank you! i will learn every day ;)

Sven

Offline bmeeks

Re: pfSense2.3RC - snort removes blacklist after reboot?
« Reply #3 on: April 07, 2016, 07:14:30 am »
I re-read my reply and it sort of sounds like a rant and that was not the intent.  It's just that this is a somewhat frequent complaint/request that I have answered a number of times.

If you consider that the vast majority of actual malicious attacks from the Internet are going to be using the equivalent of "throw away" IP addresses, then maintaining say 100,000 or more previously blocked IP addresses won't be very productive.  The attacker will abandon one and just switch to some other IP address to spoof.  So that attack yesterday from one address is likely to come from a new and different one today.  So why burden your firewall with storing thousands and thousands of old blocked IPs?  Also, what if this month 100 of the ones you blocked last month are now in use by legitimate web sites/users that mysteriously can't reach your system because of the block from last month?

If Snort (or Suricata) was smart enough to catch the attack and block it today from IP address 1.2.3.4, then why would you think it can't detect and block the same attack tomorrow from IP address 1.2.3.4?  Why should it keep a running list of previous blocks?  And so long as you don't reboot the firewall (and if you have the Clear Blocked Hosts parameter set to Never), then the IP will stay in the snort2c table and remain blocked until a reboot.  However, I don't recommend folks run Snort that way.  You want the blocked hosts to clear out on a fairly frequent basis.  I personally have mine set to one hour.  What if the block was just a false positive?  Would you want the false positive to stay blocked forever?  Likely not.  So I recommend choosing a reasonably short interval for the Clear Blocked Hosts parameter, but not Never.

Bill
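As an added illustration of what Bill describes (not code from this thread or from the pfSense Snort package): the blocks live only in the pf table `snort2c`, so if you want a *history* of what was blocked for later correlation, without persisting the blocks themselves, you can periodically snapshot the table with `pfctl -t snort2c -T show` into a log. The log path and the sample table contents below are constructed for the example.

```shell
#!/bin/sh
# Snapshot the snort2c pf table to a timestamped history log. The table is
# RAM-only and is emptied on reboot or at the "Clear Blocked Hosts" interval;
# the log keeps a record of past blocks without re-adding them to the table.
# LOG is a constructed path; override it in the environment if you prefer.
LOG="${LOG:-/var/log/snort2c_history.log}"

# Read "pfctl -t snort2c -T show" output on stdin and print one address per
# line. pfctl indents entries with spaces; blank or non-address lines are
# dropped. "|| true" keeps an empty table from being treated as an error.
normalize_table() {
    sed 's/^[[:space:]]*//' | grep -E '^[0-9a-fA-F.:]+(/[0-9]+)?$' || true
}

# Count the addresses in a table listing passed on stdin (prints "0" if empty).
count_entries() {
    normalize_table | wc -l | tr -d ' '
}

# Append one line to $LOG: UTC timestamp, entry count, and the addresses.
# Prints the entry count so callers can check what was recorded.
snapshot_to_log() {
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    list=$(normalize_table)
    n=$(printf '%s\n' "$list" | grep -c . || true)
    addrs=$(printf '%s\n' "$list" | tr '\n' ' ')
    printf '%s count=%s addrs=%s\n' "$stamp" "$n" "$addrs" >> "$LOG"
    echo "$n"
}

# On pfSense, run as: sh snort2c_snapshot.sh run   (for example from cron).
if [ "${1:-}" = "run" ] && command -v pfctl >/dev/null 2>&1; then
    pfctl -t snort2c -T show | snapshot_to_log
fi
```

Because the log only records addresses, it gives you the forensic trail Bill says is not needed for blocking, while the actual blocks still expire on the schedule you set with Clear Blocked Hosts.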