4. Snort enable_react problem

Snort enable_react problem

  • T

    Dear all,

    is it possible to use the enable_react funktion in Snort to provide a HTML site if an IP is blocked? I think that this option is not used during the build. Is it possible to use that option in futher builds of PfSense?

    Best,
    Theo

    0

  • The react rule option requires Snort to be running with Inline IPS mode. That mode is not currently available in the pfSense package. I am looking into some possible improvements to the DAQ netmap module for the future, that if I am successful with, could bring a netmap-enabled inline IPS mode to the Snort package. I have just started looking into that possibility, so I do not have any estimate on when it may be ready (or even if I can be successful implementing it).

    The Snort package today implements its "blocking" by using a custom output plugin that communicates via system ioctl() calls to place offenders' IP addresses into the firewall's pf packet filter in a table called snort2c. Blocking today uses a parallel processing path with libpcap and not inline IPS-type processing.

    0
  • T

    okay thanks for checking!

    Best,
    Theo

    0 1 Reply

  • @theowolf said in Snort enable_react problem:

    okay thanks for checking!

    Best,
    Theo

    And to elaborate a bit more ... DAQ's netmap mode in Snort today requires that you dedicate two physical NIC interfaces to the connection: one as input and the other as output. The netmap module in DAQ then bridges those two physical interfaces, but with Snort sitting between the two operating in Inline IPS mode. So Snort then can either pass on, or drop, packets destined for the other interface.

    The main issue that makes this unattractive on a UTM-type firewall such as pfSense is the requirement of using two physical interfaces. So a typical minimal firewall would need four physical NIC interfaces: LAN, WAN and then another pair for the Snort-DAQ netmap bridge pair. That's a little wasteful of physical NICs in most situations.

    What I am looking into is patching DAQ's netmap module so that it can use the special "host stack" connection provided by native netmap on FreeBSD and other operating systems. This requires changes to DAQ's netmap module source code. If I can get this to work, then Snort Inline IPS mode can be configured the same as Suricata is done today on pfSense. That mode creates a pipe between the physical NIC interface and the host network stack, so the IPS can exist on the same interface as the LAN or WAN.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy