Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to block P2P specially with Suricata Configuration.

    Scheduled Pinned Locked Moved IDS/IPS
    2 Posts 2 Posters 860 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      krishan
      last edited by

      Hey guys help me out to Block all the P2P request in WAN interface. Currently I am using suricata IDS/IPS to block all the P2P request. Detailed instruction or guide will be better.
      As am beginner.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        First of all, you will need to enable the emerging-p2p rules category on the CATEGORIES tab. I assume you have done that. Then you enable blocking for the interface on the INTERFACE SETTINGS tab. After making any change on the INTERFACE SETTINGS or CATEGORIES tabs, you would need to restart Suricata in order for it to see the changes.

        You might fare better blocking some of the newer P2P stuff using the Layer 7 DPI capabilities provided by Snort's OpenAppID feature. However, blocking P2P is getting harder at the packet level because many clients now attempt to hide or disguise their traffic so it appears as normal HTTPS traffic.

        A tool such as pfBockerNG-devel can be useful. It uses lists of host IP addresses for various categories of network traffic. You subscribe to various lists and then have them populate firewall aliases. You then use those aliases in blocking rules. There is a separate sub-forum here in the Packages section for pfBlockerNG.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.