Netgate Discussion Forum
    Snort enable_react problem

    • TheoWolf

      Dear all,

      Is it possible to use the enable_react function in Snort to provide an HTML site if an IP is blocked? I think that this option is not used during the build. Is it possible to use that option in further builds of pfSense?

      Best,
      Theo

      • bmeeks

        The react rule option requires Snort to be running with Inline IPS mode. That mode is not currently available in the pfSense package. I am looking into some possible improvements to the DAQ netmap module for the future, that if I am successful with, could bring a netmap-enabled inline IPS mode to the Snort package. I have just started looking into that possibility, so I do not have any estimate on when it may be ready (or even if I can be successful implementing it).

        The Snort package today implements its "blocking" by using a custom output plugin that communicates via system ioctl() calls to place offenders' IP addresses into the firewall's pf packet filter in a table called snort2c. Blocking today uses a parallel processing path with libpcap and not inline IPS-type processing.
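        An added example (not the Snort package's own code, and not from the poster) of inspecting that snort2c pf table from the pfSense shell with pfctl. The PFCTL_SHOW hook, the function names and the addresses in the test dump are constructed so the parsing can be exercised off-box.

```shell
#!/bin/sh
# Added example, not the Snort package's code: a small pfctl wrapper for the
# "snort2c" table that the package's output plugin populates via pf ioctls.
# PFCTL_SHOW is a constructed hook: it defaults to the real pfctl dump, but a
# caller can point it at a constructed dump so the parsing runs off-box.
: "${PFCTL_SHOW:=pfctl -t snort2c -T show}"

# One address per line, with pfctl's leading whitespace and blank lines removed.
snort2c_list() {
    eval "$PFCTL_SHOW" 2>/dev/null | sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Exit 0 if $1 appears as a literal table entry. Literal match only: a host
# covered by a CIDR entry is not reported; use 'pfctl -t snort2c -T test' on-box.
snort2c_blocked() {
    snort2c_list | grep -qxF -- "$1"
}

# Number of entries currently in the table.
snort2c_count() {
    snort2c_list | wc -l | tr -d ' '
}

# Release one blocked address (real pfctl syntax; only meaningful on pfSense).
snort2c_release() {
    pfctl -t snort2c -T delete "$1"
}
```

        On pfSense, leave PFCTL_SHOW unset so the functions read the live table.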

        • TheoWolf

          Okay, thanks for checking!

          Best,
          Theo

          • bmeeks @TheoWolf

            @theowolf said in Snort enable_react problem:

            okay thanks for checking!

            Best,
            Theo

            And to elaborate a bit more ... DAQ's netmap mode in Snort today requires that you dedicate two physical NIC interfaces to the connection: one as input and the other as output. The netmap module in DAQ then bridges those two physical interfaces, but with Snort sitting between the two operating in Inline IPS mode. So Snort then can either pass on, or drop, packets destined for the other interface.

            The main issue that makes this unattractive on a UTM-type firewall such as pfSense is the requirement of using two physical interfaces. So a typical minimal firewall would need four physical NIC interfaces: LAN, WAN and then another pair for the Snort-DAQ netmap bridge pair. That's a little wasteful of physical NICs in most situations.

            What I am looking into is patching DAQ's netmap module so that it can use the special "host stack" connection provided by native netmap on FreeBSD and other operating systems. This requires changes to DAQ's netmap module source code. If I can get this to work, then Snort Inline IPS mode can be configured the same as Suricata is done today on pfSense. That mode creates a pipe between the physical NIC interface and the host network stack, so the IPS can exist on the same interface as the LAN or WAN.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.