Is Snort the right tool for the job?



  • Greetings all,

    Looking for some advice.  I am running pfSense 2.2.6 on a data center firewall protecting our hosted web servers.  Recently, we have been asked to allow SFTP connectivity to these servers for remote file management.  To that end, I have created some NAT connections on the WAN side pointing to some of the internal servers.  For example, I have a NAT rule redirecting external port 41250 to an internal host on port 32001 (SFTP server running on non-standard port).  So far, so good.

    I now need a way to protect the NAT connections from DDOS/abusers in the wild.  Essentially, I need a tool that will watch for incoming connections on a range of ports (ie: 41250-42250) and block remote IPs if we get excessive traffic (ie: 5 connection attempts in 10seconds).  These could be temporary or permanent depending on how many failures occur during a given time period.  I could do something similar with iptables and fail2ban, but I want these connections terminated as close to the firewall as possible.

    After doing some research, it appears Snort might be the tool for the job.  Thus, my questions:

    • Is Snort the right tool for the job?  If not, which tool would work best under pfSense?

    • Assuming Snort is the right tool, what kind of custom rule(s) need to be created to make this happen?  An example would be great.

    Thanks in advance…