Block subnets in snort

dcol · Aug 3, 2016, 4:28 PM

Is there any way to create an alert rule that would not just block the IP, but also the entire CIDR/24 of that IP.
Example - an alert was triggered and IP 10.10.10.10 was blocked. I want 10.10.10.0/24 to be blocked

is this possible?

Reason I ask is because I use a rule to block emails from a particular TLD which sends multiple emails incrementing the IP to avoid blocking.
example - I would get 4 emails in one second from 10.10.10.1, 10.10.10.2, 10.10.10.3, then 10.10.10.4
By the time Snort blocks each individual IP, they got through, so Snort is useless for this type of attack.

Any suggestions for a workaround?

Paint · Aug 4, 2016, 2:11 PM

Out of the box, no this is not possible.

You can turn on IP Reputation and add the IP/Subnet to the ipBlacklist.txt file

dcol · Aug 4, 2016, 3:12 PM

How do I add automatically to the ipblacklist.txt?
These attacks happen all day and night. Each IP range lasts for 10 to 30 minutes, then they start with a new range of IP's. I average 250-500 per day. You would think they would exhaust their supply of IP's but it seems endless and never repeats.

I already have an Easy Rule IP Alias that I add to every day that blocks these IP CIDR's. I was looking for a way to block them automatically. I am afraid that this alias will get so large it will affect the pfsense performance. There are already 45K IP's in there from these attacks.

Paint · Aug 4, 2016, 3:20 PM

@dcol:

How do I add automatically to the ipblacklist.txt?
These attacks happen all day and night. Each IP range lasts for 10 to 30 minutes, then they start with a new range of IP's. I average 250-500 per day. You would think they would exhaust their supply of IP's but it seems endless and never repeats.

I already have an Easy Rule IP Alias that I add to every day that blocks these IP CIDR's. I was looking for a way to block them automatically. I am afraid that this alias will get so large it will affect the pfsense performance. There are already 45K IP's in there from these attacks.

im not aware of any way to do this automatically

You could write a script to run as a cron job to parse the Snort Alert log and then add those IPs to the ipblacklist.txt

dcol · Aug 4, 2016, 4:31 PM

Impossible to control with a cron script. Attack is finished by the time script is run.

If anyone has an ingenious way of handling this, let me know. Eventually every email server will be prone to this type of spam. I do prevent these emails from getting into mailboxes with a filter, I just want to eliminate it from the source so the attacker thinks this IP is blocked.

Every day I add another 2K-4K IP's to the block alias. Eventually this will have performance effects.