Snort doesn't block all I ask it to

sullrich

Try this from a shell after a block occurs:

pfctl -t snort2c -T show

Do you see the host in the table?

Also try:

ps awux | grep snort2c

Is snort2c running?

SPITwSPOTS

No the host is not in the block list and yes snort2c is running.

Here is the snort alert I used as a test. 66.230.xxx.xxx is my IP

[ ** ] [ 1:2181:3 ] P2P BitTorrent transfer [ ** ] 
[ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ] 
04/22-14:44:01.392800 66.230.xxx.xxx:65313 -> 68.151.192.237:16881 
TCP TTL:126 TOS:0x0 ID:9735 IpLen:20 DgmLen:108 DF 
AP Seq: 0x1C6DA3AA Ack: 0xBC8FC1E2 Win: 0x4204 TcpLen: 20

Here is the block list after this alert occers.

pfctl -t snort2c -T show

8.152.164.215
  12.162.175.177
  24.64.39.159
  24.64.62.40
  24.64.120.71
  24.64.250.62
  58.19.183.42
  58.246.86.109
  59.112.85.33
  60.11.125.52
  60.11.125.53
  60.11.125.54
  60.12.166.152
  60.12.166.199
  60.12.166.201
  60.12.192.37
  62.214.198.4
  65.75.82.249
  66.231.133.164
  66.233.27.228
  68.85.145.235
  69.25.40.50
  69.111.84.79
  71.128.249.77
  77.178.84.221
  77.179.174.139
  77.181.204.62
  77.182.214.188
  80.133.145.199
  80.143.116.9
  80.144.234.13
  81.203.169.43
  82.83.223.10
  82.149.191.227
  83.245.170.195
  84.132.102.85
  84.133.221.212
  84.134.175.230
  84.134.228.13
  84.136.78.202
  84.136.184.112
  84.142.91.50
  84.151.135.179
  84.151.246.29
  84.157.21.19
  84.157.169.82
  84.162.145.103
  84.165.74.198
  84.170.109.94
  84.171.187.249
  84.172.166.127
  84.184.110.123
  84.190.37.112
  85.113.169.253
  85.127.180.245
  85.181.11.135
  86.122.170.217
  87.79.243.90
  87.160.250.79
  87.165.62.142
  87.166.198.74
  87.168.173.140
  87.207.135.41
  87.230.112.59
  89.12.198.249
  89.12.217.9
  89.14.61.57
  89.15.64.68
  89.48.6.15
  89.49.40.1
  89.53.206.137
  89.54.20.14
  89.55.22.153
  89.57.60.28
  89.61.153.91
  89.62.25.80
  89.105.240.48
  91.4.201.117
  91.5.193.254
  91.6.133.16
  91.6.229.101
  91.34.39.74
  128.252.195.16
  129.143.1.42
  172.173.15.20
  172.174.111.151
  172.174.186.72
  172.177.90.75
  190.47.83.20
  200.175.183.230
  200.177.24.168
  202.97.238.202
  202.97.238.203
  204.16.209.14
  204.16.210.235
  204.16.211.19
  211.140.138.43
  213.212.194.6
  217.80.106.204
  217.80.205.70
  217.94.252.164
  217.187.90.238
  217.225.119.136
  217.234.248.107
  217.238.78.77
  217.238.233.57
  218.10.137.131
  218.27.148.78
  221.12.113.237
  221.12.113.238
  221.12.113.239
  221.12.113.242
  221.12.113.243
  221.12.113.247
  221.12.113.248
  221.12.113.249
  221.130.192.55
  221.130.192.72
  221.130.192.89
  221.130.192.106
  221.208.208.83
  221.208.208.87
  221.208.208.89
  221.208.208.90
  221.208.208.93
  221.208.208.94
  221.208.208.95
  221.208.208.96
  221.208.208.97
  221.208.208.101
  221.208.208.212
  221.209.110.50

And here are the results of ps awux | grep snort2c

ps awux | grep snort2c

root  23953  0.0  0.4  3820  3500  ??  Ss  Sat01PM  0:16.56 snort2c -w /var/db/whitelist -a /var/log/snort/alert
root  20602  0.0  0.0  348  228  p0  R+    2:45PM  0:00.00 grep snort2c

I believe that when the alert has the format

04/22-14:44:01.392800 xxx.xxx.xxx.xxx:65313 -> yyy.yyy.yyy.yyy:16881

That it is only the xxx.xxx.xxx.xxx that gets blocked

sullrich

Strange…  Can you tell if it is adding the wrong entry or just not adding an entry at all for the host?

SPITwSPOTS

As far as I can tell nothing is being added to the block list.  Am I correct in assuming that snort only blocks the source ip?  Because the source IP is my IP.  (which is in the white list) If snort blocked both the source AND destination IPs then I think it would work properly.  Am I missing something?  Is snort supposed to block the destination IP? (if so I apologize for repeating myself)

sullrich

As far as I know it should block the destination IP.

Do you see anything in system logs from snort2c when the snort alert occurs.  snort2c should report that it is blocking one of the two ip's.

SPITwSPOTS

No I don't see anything.  I also checked other alerts i.e. spyware-put and icmp rules.  It defiantly seems that it is only blocking the source ip and not the destination.  I checked 4-5 different non-p2p alerts.  The only ones that resulted in a blocked ip are those who's source IP was not my own (i.e. non whitelisted src ips).  Can anyone else verify this behaviour?

sullrich

Interesting.  I'll have to dive into the snort2c code.

SPITwSPOTS

Just wondering if there was any news on snort bloking?

sullrich

No, sorry there is not.

SPITwSPOTS

I see there is still no word on proper snort blocking.  This is badly needed on our network.  Is this the sort of thing I should post a bounty for?  Mostly I just need a GOOD way to block most common P2P.  I think (based on the alerts we get) That snort would be great for this IF it actualy blocked the traffic.

BTW….thanks for the incredible firewall software.

sullrich

Snort has been blocking things just fine here.  Too much in fact at times.

SPITwSPOTS

Yes SNORT seems to do a very good at blocking based on alerts as long as they are generated by a remote host.  Where it seems to not be affective is when my public ip is the one generating the alert.  Which is almost always the case with p2p traffic.  When a user on my network uses a p2p app it generates a snort alert that looks like this (07/06-18:42:03.794734 "my public ip address":58701 -> "remote host's ip":22264 )  In this situation my public IP is in the white list (for obvious reasons) and I need it to block the remote host's ip.  But it does not. I have also noticed this same behavior with spyware and other filters.  If the source ip is something other than my ip it blocks that host.  however when my ip generates the alert I need it to block the dst ip instead.  But it does not.  It seems this should be a fairly easy thing to fix but it is beyond my realm or expertise.  I just need some one to believe me  ;)

If I am completely wrong then I apologize and humbly ask for your assistance in making it work.  :)

SPITwSPOTS

I REALLY need to find a way to get snort to block these p2p clients.  If not Snort then something else.  I am willing to spend money to make this happen. I contacted the company who is providing commercial support but they do not offer support for packages.  Is this something that would be suitable for the bounty section?  I am sure that this would be a valuable feature.  It is very easy to demonstrate that this does NOT currently work.  Snort blocks src ips  but not dst ips which makes it virtually worthless when it comes to blocking p2p running snort on the WAN interface.  If there is any one who can help we will pay any REASONABLE amount to make this feature work in this situation.

Also I don't want to omit…....I really love pfsense  I think what you guys are doing is great and I hope it pays off for you.

sullrich

Yes its a suitable for a bounty but keep in mind this bounty will require C skills and that it will be harder to find someone interested in it.  But money can motivate anyone, or thats what they say.

cdsu

One way I have been able to successfully block P2P traffic on my networks is by explicitly denying any udp traffic outbound, and only allowing DNS traffic from servers outbound. Egress filtering is another method I use. turn off the default lan to any and allow only specific traffic outbound
ie ftp (port 21 TCP and you will need to allow port 20/UDP outbound for data ) http https pop3 imap  Let me know if this helps