Is Snort the right tool for the job?

Greetings all,

Looking for some advice. I am running pfSense 2.2.6 on a data center firewall protecting our hosted web servers. Recently, we have been asked to allow SFTP connectivity to these servers for remote file management. To that end, I have created some NAT connections on the WAN side pointing to some of the internal servers. For example, I have a NAT rule redirecting external port 41250 to an internal host on port 32001 (SFTP server running on a non-standard port). So far, so good.

I now need a way to protect the NAT connections from DDoS/abusers in the wild. Essentially, I need a tool that will watch for incoming connections on a range of ports (i.e. 41250-42250) and block remote IPs if we get excessive traffic (i.e. 5 connection attempts in 10 seconds). These could be temporary or permanent depending on how many failures occur during a given time period. I could do something similar with iptables and fail2ban, but I want these connections terminated as close to the firewall as possible.

After doing some research, it appears Snort might be the tool for the job. Thus, my questions:

  • Is Snort the right tool for the job? If not, which tool would work best under pfSense?

  • Assuming Snort is the right tool, what kind of custom rule(s) need to be created to make this happen? An example would be great.

Thanks in advance…
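The threshold the post describes (5 connection attempts from one source within 10 seconds to destination ports 41250-42250) expressed as per-source sliding-window detection logic run over constructed log lines. This is an added illustration, not part of the original post and not a Snort rule; the log line format, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a simplified firewall-log style (not real pfSense output):
# "<ISO time> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port> SYN"
SAMPLE_LOG = """\
2016-03-01T10:00:00 TCP 203.0.113.7:51000 -> 198.51.100.10:41250 SYN
2016-03-01T10:00:01 TCP 203.0.113.7:51001 -> 198.51.100.10:41251 SYN
2016-03-01T10:00:02 TCP 203.0.113.7:51002 -> 198.51.100.10:41252 SYN
2016-03-01T10:00:03 TCP 203.0.113.7:51003 -> 198.51.100.10:41253 SYN
2016-03-01T10:00:04 TCP 203.0.113.7:51004 -> 198.51.100.10:41254 SYN
2016-03-01T10:00:05 TCP 192.0.2.9:40000 -> 198.51.100.10:41250 SYN
2016-03-01T10:00:30 TCP 192.0.2.9:40001 -> 198.51.100.10:41250 SYN
2016-03-01T10:00:31 TCP 203.0.113.7:51005 -> 198.51.100.10:443 SYN
"""

LINE_RE = re.compile(r"^(\S+) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+) SYN$")


def find_abusers(log_text, port_range=(41250, 42250), count=5, seconds=10):
    """Return {src_ip: timestamp} for sources that reach `count` connection
    attempts to the port range within any `seconds`-long window."""
    lo, hi = port_range
    windows = defaultdict(deque)  # src_ip -> timestamps of recent attempts
    triggered = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not SYN records
        ts = datetime.fromisoformat(m.group(1))
        src, dport = m.group(2), int(m.group(3))
        if not lo <= dport <= hi:
            continue  # only the SFTP NAT port range counts
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= count and src not in triggered:
            triggered[src] = m.group(1)  # first time the threshold was hit
    return triggered


if __name__ == "__main__":
    print(find_abusers(SAMPLE_LOG))
```

Snort's `detection_filter` option (track by_src, count, seconds) expresses the same per-source threshold inside a rule, which is the piece a rule-based answer would build on.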
