We have Snort set up to do blocking for rule offenders.
Also, all logs from pfSense are being sent to a Syslog server. In parsing through the logs, I'm not seeing anything in the logs stating specifically that a block was set for an IP. Of course, I may not be looking for the correct thing (for example, a certain event number?).
Does anyone have any experience with detecting these blocked IP events and how I could go about this?
The end goal is to have our SIEM send an alert when an IP ends up on the block list. We need to track this information for service purposes.
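Nothing on this page shows what pfSense writes to syslog when Snort adds a host to its block list, so the example below is an added illustration rather than anything from the original post. It parses the standard Snort syslog alert format (the `snort[pid]: [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port` line Snort emits when alerting to syslog) and lists the source IPs that, under the assumption that blocking is keyed on the alert's source address at or above a chosen priority, would be expected on the block list. The log lines are constructed with documentation IP ranges; the rule IDs and messages are made up for the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Layout of a Snort alert as Snort itself writes it to syslog; the "snort[pid]:"
# part is the syslog program tag. This is an assumed standard format, not
# something taken from the post, so check it against a real line first.
SNORT_ALERT_RE = re.compile(
    r"snort\[\d+\]:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_snort_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None for a non-Snort line."""
    m = SNORT_ALERT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["priority"] = int(ev["priority"])          # 1 is the most severe
    ev["rule"] = f"{ev['gid']}:{ev['sid']}:{ev['rev']}"
    for key in ("sport", "dport"):               # ICMP alerts carry no ports
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def likely_blocked_sources(lines, max_priority: int = 2) -> dict:
    """Map each alert source IP to the rules it tripped, keeping only alerts
    whose priority number is <= max_priority. Assumption: the blocking policy
    acts on the source address of alerts of at least that severity."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_snort_alert(line)
        if ev is None or ev["priority"] > max_priority:
            continue
        hits[ev["src"]].add(ev["rule"])
    return {ip: sorted(rules) for ip, rules in hits.items()}


# Constructed sample log lines (documentation IP ranges, made-up local rule IDs).
SAMPLE_LOG = [
    "Jan 10 12:00:01 pfsense snort[12345]: [1:1000001:1] LOCAL TEST scan detected "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.5:44321 -> 192.0.2.10:22",
    "Jan 10 12:00:02 pfsense snort[12345]: [1:1000002:1] LOCAL TEST icmp probe "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10",
    "Jan 10 12:00:03 pfsense filterlog[5678]: 5,,,1000000103,em0,match,block,in,4",
    "Jan 10 12:00:04 pfsense snort[12345]: [1:1000003:2] LOCAL TEST web probe "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "198.51.100.7:51000 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    for ip, rules in likely_blocked_sources(SAMPLE_LOG).items():
        print(f"{ip} -> {', '.join(rules)}")
```

A SIEM rule built on this would fire once per new source IP rather than once per alert, which is usually what a service-tracking ticket needs. The `filterlog` line is deliberately included to show that pf's own block messages use a different format and are skipped by this parser; if the pfSense Snort package turns out to log the block action separately, that line format would need its own pattern.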