Snort doesn't block all I ask it to
-
As far as I can tell nothing is being added to the block list. Am I correct in assuming that Snort only blocks the source IP? Because the source IP is my IP (which is in the whitelist). If Snort blocked both the source AND destination IPs then I think it would work properly. Am I missing something? Is Snort supposed to block the destination IP? (If so, I apologize for repeating myself.)
-
As far as I know it should block the destination IP.
Do you see anything in the system logs from snort2c when the Snort alert occurs? snort2c should report that it is blocking one of the two IPs.
-
No, I don't see anything. I also checked other alerts, i.e. spyware-put and ICMP rules. It definitely seems that it is only blocking the source IP and not the destination. I checked 4-5 different non-P2P alerts. The only ones that resulted in a blocked IP are those whose source IP was not my own (i.e. non-whitelisted source IPs). Can anyone else verify this behaviour?
-
Interesting. I'll have to dive into the snort2c code.
-
Just wondering if there was any news on Snort blocking?
-
No, sorry there is not.
-
I see there is still no word on proper Snort blocking. This is badly needed on our network. Is this the sort of thing I should post a bounty for? Mostly I just need a GOOD way to block the most common P2P. I think (based on the alerts we get) that Snort would be great for this IF it actually blocked the traffic.
BTW, thanks for the incredible firewall software.
-
Snort has been blocking things just fine here. Too much in fact at times.
-
Yes, Snort seems to do a very good job at blocking based on alerts as long as they are generated by a remote host. Where it seems not to be effective is when my public IP is the one generating the alert, which is almost always the case with P2P traffic. When a user on my network uses a P2P app it generates a Snort alert that looks like this (07/06-18:42:03.794734 "my public ip address":58701 -> "remote host's ip":22264). In this situation my public IP is in the whitelist (for obvious reasons) and I need it to block the remote host's IP. But it does not. I have also noticed this same behavior with spyware and other filters. If the source IP is something other than my IP it blocks that host; however, when my IP generates the alert I need it to block the destination IP instead. But it does not. It seems this should be a fairly easy thing to fix, but it is beyond my realm of expertise. I just need someone to believe me ;)
If I am completely wrong then I apologize and humbly ask for your assistance in making it work. :)
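The blocking decision asked for in the post above, written out as an added example (not code from this thread, pfSense or snort2c): parse an alert line in the shape quoted there and pick the non-whitelisted end of the connection. The whitelist entries and sample addresses are constructed placeholders.

```python
import ipaddress
import re
from typing import Optional

# Constructed whitelist (placeholder addresses): the firewall's own public
# IP and the LAN, i.e. the hosts that must never land on the block list.
WHITELIST = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Matches the "MM/DD-HH:MM:SS.usec src:port -> dst:port" part of an alert
# line in the form quoted above (IPv4 only).
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    rf"(?P<ts>\d{{2}}/\d{{2}}-\d{{2}}:\d{{2}}:\d{{2}}\.\d+)\s+"
    rf"(?P<src>{IPV4}):(?P<sport>\d+)\s+->\s+(?P<dst>{IPV4}):(?P<dport>\d+)"
)

def parse_alert(line: str) -> Optional[dict]:
    """Pull timestamp, source and destination out of one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {k: m.group(k) for k in ("ts", "src", "sport", "dst", "dport")}

def is_whitelisted(ip: str, whitelist=WHITELIST) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)

def choose_block_target(line: str, whitelist=WHITELIST) -> Optional[str]:
    """Address to put on the block list, or None: the source unless it is
    whitelisted, else the destination unless it too is whitelisted."""
    alert = parse_alert(line)
    if alert is None:
        return None
    if not is_whitelisted(alert["src"], whitelist):
        return alert["src"]
    if not is_whitelisted(alert["dst"], whitelist):
        return alert["dst"]
    return None

if __name__ == "__main__":
    # Constructed sample in the shape quoted in the post: public IP -> remote.
    line = "07/06-18:42:03.794734 203.0.113.10:58701 -> 198.51.100.7:22264"
    print(line, "=> block", choose_block_target(line))
```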
-
I REALLY need to find a way to get Snort to block these P2P clients. If not Snort then something else. I am willing to spend money to make this happen. I contacted the company who is providing commercial support but they do not offer support for packages. Is this something that would be suitable for the bounty section? I am sure that this would be a valuable feature. It is very easy to demonstrate that this does NOT currently work. Snort blocks source IPs but not destination IPs, which makes it virtually worthless when it comes to blocking P2P running Snort on the WAN interface. If there is anyone who can help we will pay any REASONABLE amount to make this feature work in this situation.
Also I don't want to omit... I really love pfSense. I think what you guys are doing is great and I hope it pays off for you.
-
Yes, it's suitable for a bounty, but keep in mind this bounty will require C skills and that it will be harder to find someone interested in it. But money can motivate anyone, or that's what they say.
-
One way I have been able to successfully block P2P traffic on my networks is by explicitly denying any UDP traffic outbound, and only allowing DNS traffic from servers outbound. Egress filtering is another method I use: turn off the default LAN-to-any rule and allow only specific traffic outbound,
i.e. FTP (port 21 TCP, and you will need to allow port 20/UDP outbound for data), HTTP, HTTPS, POP3, IMAP. Let me know if this helps.