Netgate Discussion Forum

    Snort block on selected interface only

    9 Posts 3 Posters 1.4k Views
      expert_az

      Hello,
      Is it possible to use the snort2c table only on a selected interface?

      In my situation I have a special interface for guests named GUEST; Snort is running on this interface with blocking enabled.

      But as I understand it, the Snort block table (snort2c) works globally.
      I'm running Snort OpenAppID on the guest interface to catch and block streaming traffic. Everything is working well: Snort detects streaming traffic and blocks its IP addresses. But Snort blocks these IP addresses globally.

      People on other interfaces are also blocked and cannot access streaming sites.

      Any idea about this issue?

      Regards,
      Hafiz.

        NogBadTheBad

        Out of interest, what are you trying to block?

        It might be better to use pfBlockerNG and block streaming outbound.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          expert_az

          In this example, YouTube or Facebook traffic; Snort OpenAppID has a signature database for these kinds of traffic.
          Does pfBlockerNG have this kind of URL base or feed?

            NogBadTheBad @expert_az

            @expert_az said in Snort block on selected interface only:

            In this example YouTube or Facebook traffic, Snort OpenAppID

            Yes it does, either via DNSBL blacklists or in the IP section, blocking by ASN number.

            https://forum.netgate.com/assets/uploads/files/1542893420680-screenshot-2018-11-22-at-13.30.02.png

            Andy


              expert_az

              Thanks, it looks like ASN is not supported at the moment.

                NogBadTheBad

                Ah, sorry, download pfBlockerNG Dev.

                Andy


                  expert_az

                  I will try pfBlockerNG Dev,
                  but my question is about the possibility of creating a snort2c table per interface.
                  In my example, Snort would block streaming DST IP addresses on the GUEST interface, but people on LAN could still access streaming sites.

                  Is this possible with Snort right now?

                    bmeeks @expert_az

                    @expert_az said in Snort block on selected interface only:

                    I will try pfBlockerNG Dev,
                    but my question is about the possibility of creating a snort2c table per interface.
                    In my example, Snort would block streaming DST IP addresses on the GUEST interface, but people on LAN could still access streaming sites.

                    Is this possible with Snort right now?

                    No, this is not possible now. There is only a single snort2c table created in the packet filter at pfSense boot-up.

                    But if you just want to block on your GUEST interface you can do the following:

                    1. Run Snort on the GUEST interface and set the "Which IP to Block" option on the INTERFACE SETTINGS tab to "SRC" (or source IP). This would prevent users from your GUEST interface from initiating outbound sessions based on the Snort rules that fire. So if you did not want them to access Facebook at all, you could enable the Facebook OpenAppID rules and configure Snort to block the SRC IP. So then if a user on the GUEST network attempted to establish a Facebook session the AppID rule would trigger and block the SRC IP (which would be an IP in your GUEST subnet). It would not block the DST (or destination) IP which would be Facebook. Thus users on other firewall interfaces would not be impacted.

                    2. The downside of this approach is that the user would be blocked for all outbound traffic since their IP address is in the snort2c table now. I would change the "Removed Blocked Hosts" interface setting on the GLOBAL SETTINGS tab to a very low value if you take this route so blocks are removed relatively quickly.

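A way to check on a running firewall whether the single global snort2c table described above contains only GUEST-side addresses (the SRC-block approach) or also external destinations that every interface will see blocked. This is an added example, not code from the thread, pfSense or Snort; the table text is constructed here, whereas on a real box it comes from `pfctl -t snort2c -T show`, and the GUEST subnet value and function names are assumptions.

```python
import ipaddress

# Constructed sample of `pfctl -t snort2c -T show` output (not from a real box).
SAMPLE_TABLE = """\
   192.168.50.23
   192.168.50.101
   203.0.113.10
   2001:db8::1
"""
GUEST_NET = "192.168.50.0/24"  # assumed guest subnet; the thread gives none


def parse_table(text):
    """Return the host addresses in pfctl table output; Snort inserts single
    host IPs into snort2c, so blank or unparsable lines are skipped."""
    addrs = []
    for line in text.splitlines():
        try:
            addrs.append(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue
    return addrs


def classify(text, guest_net):
    """Split entries by impact. pf keeps one global snort2c table: an address
    inside the guest subnet came from a SRC block and affects that guest
    host alone; anything outside it is a DST block enforced on every
    interface, LAN included."""
    net = ipaddress.ip_network(guest_net, strict=False)
    contained, global_impact = [], []
    for addr in parse_table(text):
        (contained if addr in net else global_impact).append(str(addr))
    return {"contained": contained, "global": global_impact}


def report(text, guest_net):
    """One line per entry; global-impact blocks are flagged WARN."""
    result = classify(text, guest_net)
    lines = [f"ok    {a}  inside {guest_net}: SRC block, one GUEST host"
             for a in result["contained"]]
    lines += [f"WARN  {a}  outside {guest_net}: DST block, all interfaces"
              for a in result["global"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TABLE, GUEST_NET)))
```

Any WARN line means a block is being enforced for LAN users too, which is exactly the cross-interface effect the original poster ran into.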
                      expert_az

                      Thank you for the quick response.
                      As you said, a GUEST user will lose all outbound connections for a minimum of 15 min (Snort's minimum block duration).
                      For this reason I'm asking about blocking DST addresses per interface.
                      It would be a very useful option because of the L7 OpenAppID addon; I think application-layer blocking is the most effective method.

                      Thanks,
                      Hafiz.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.