pfSense » pfSense Packages

I have learned that Snort's GUI Passlist Auto-Generated IP addresses area is not 100% passing and still blocking when an IP is being used in decoy or spoofed port scans of the system.

https://www.snort.org/faq/readme-sfportscan
https://redmine.pfsense.org/issues/14754
https://redmine.pfsense.org/issues/14514
https://redmine.pfsense.org/issues/14821

Example of standard non decoy detection and block of port scan attached below showing port scan blocking is fully functional.

Kali OS has decoy scanning abilities for lan tests that are being abused such that a port scan target is utilizing the target IP as the decoy IP creating a snort block on its own wan IP

P: WAN ISP Issued IP or DNS pfSense forwards to, or P = IP of WAN interface snort resides on/DNS unbound uses

Q: snort set to block port scans or Q(source IP of port scans)

A: a decoy IP or A(any decoy IP needed)

R: result block the source IP of a detected port scan

therefore equation can be
(Q(A(P))) = R

Q of A of P = resulting block
this is the equivalent of Q(P) = R

This condition should always be Q(~P) = R however the auto generated IP passlist is not functional at times.

now suppose Q(P) = R
or where q is from the universe of all blocked port scans
and a is from the universe of the decoy scans.
and p is from the universe WAN ISP Issued IP address or DNS that pfSense forwards to for this system that snort resides on

∀q∃a(p)

This should be ∀q ¬ ∃a(p) Per pass-list Auto-Generated IP Addresses in Snort

Per Marcos M
"This isn't a bug. To avoid the issue, relevant IP addresses can be added to a passlist. There also likely exist rules for Snort/Suricata to detect spoofed scans, further details here:
https://www.snort.org/faq/readme-sfportscan"

I have spoof rules enabled they are still blocking the passlist addresses seen below.

However they are not being auto-generated into the pass-list in snort per GUI settings. Something is not allowing it to add the Auto-Generated IP pass-list group.