Better Blocking for Snort Package
-
I work as Network and Systems Administrator at a private school, and we are looking for a non-SSL-Inspection tool for enforcing our acceptable use policies in our network. I came across Snort using OpenAppID, and it detects all of the traffic I am looking to block very well.
However, the blocking in Snort is a sort of Ban Hammer approach. I don't want to block the source IP (my user), since I want the student to be able to continue working, but I want to block the student's VPN connection. I don't want to block the destination IP (google for example), I just want to block the student from accessing it with Internet Exploder. What I ultimately want is for the traffic which caused the alert to be dropped without disrupting any other traffic. We tried Suricata for its blocking finesse, but without OpenAppID it has no way of detecting the traffic I want to block. I know, I'm trying to use an IPS for internal traffic blocking and that's not really the original intent, but Snort with OpenAppID does a marvelous job of it anyway.
All that to say, is there anyone that worked on the development of the Snort or Suricata packages that would be interested in making Snort block better? We would rather support the development of OS software than throw our money at a firewall company for a proprietary solution that still doesn't do what we want. Does anyone know how I can get in contact with the devs of the Snort package?
Many thanks!
-
You want the newer Snort 4.x package available in pfSense-2.5 DEVELOPMENT. That package has updated supporting libraries that support use of an inline IPS mode using the kernel netmap device.
A decision was made, due to various potential issues with supporting libraries, to only incorporate this new functionality in the DEVEL branch of FreeBSD which is based on FreeBSD 12.x. The current 2.4.4 RELEASE branch of pfSense is based on the older FreeBSD 11.x branch.
So the only way to install and take advantage of the new Snort 4.x package is to upgrade your firewall to the latest pfSense-2.5 snapshot.
-
@bmeeks said in Better Blocking for Snort Package:
the only way to install and take advantage of the new Snort 4.x package is to upgrade
I had no idea, thank you so much. I'll set that up in my lab right away.
-
@BCSNetAdminDF said in Better Blocking for Snort Package:
@bmeeks said in Better Blocking for Snort Package:
the only way to install and take advantage of the new Snort 4.x package is to upgrade
I had no idea, thank you so much. I'll set that up in my lab right away.
Once you get the new Snort 4.x package installed, have a look at this Sticky Post for configuration instructions: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions.