P2p and Torrent Blocking Faq?
-
I need to block all p2p traffic on my wireless network. This is a brand new install.
I have just installed pfsense 2.3.4 p1 and snort, adding to snort packages
For WAN the snort libraries selected are as follows
emerging-p2p.rules
snort_p2p.rules
snort_pua-p2p.rules
snort_pua-p2p.so.rules
openappid-p2p_file_sharing.rulesnothing for LAN
After downloading updates and rebooting system
To test I install qbtorrent on my win10 machine and go to the infamous bay of pirates to download ubuntu in different flavors.
IT DOES NOT STOP ME form torrenting
I am getting SNORT alerts p2p alerts then I go to the blocked tab and see the same alert ip in the blocked tab.
What am I doing wrong or is SNORT not capable of FAST real time blocking
Thank you
George
+wife and 4 boys in house -
Just a guess on my part without looking at all the rules, but maybe the rules are firing at the step when the torrent "seeders" are being located, but then each seeder will have its own IP address different from the "host" where the seeder addresses were pulled from. Perhaps the rules are failing to identify the subsequent streams from those seeders ??? Are you seeing alerts from every seed host? In other words, do you get lots of different IP addresses on the ALERTS tab and then see the same IP addresses on the BLOCKED tab?
Another possibility is the "leakage" problem Snort has due to its dependence on libpcap. Snort is actually looking at copies of the packets as they traverse the firewall. The actual original packet got through while Snort analyzed the copy. If enought packets get through to set up a connection, then a "state" is established and traffic can flow and will continue to flow even after Snort inserts the block rule. This is because when a matching entry exists in the state table, traffic bypasses the firewall rules and thus Snort's block. There is an option in the blocking section of the INTERFACE SETTINGS tab to kill states when a rule fires. Make sure that option is enabled. When that is enabled, each time Snort inserts an address into the snort2c table it will also kill all open firewall states for that IP address.
Lastly, make sure you have BOTH selected in the "Which IP to Block" drop down selector on the INTERFACE SETTINGS tab.
Bill
-
An update to my previous reply above. I assumed initially the OP had turned on blocking mode, but the OP has this post in another sub-forum here on the board:
https://forum.pfsense.org/index.php?topic=136442.msg746548#msg746548
In that post it is stated that "BLOCKING" and "BARNYARD2" both show as Disabled on the SNORT INTERFACES tab. That would be why you are getting alerts and no blocking. Snort does not block by default. It is an IDS when using the defaults. You must go to the INTERFACE SETTINGS tab by clicking the edit icon beside the interface. On the INTERFACE SETTINGS tab, click the checkbox for Block Offenders in order to turn on IPS or blocking mode. Save the change and then restart Snort on the interface. You restart it back on the INTERFACES tab using the icon there.
You will also need to weed out potential false positives.
Bill