Snort enable_react problem
-
Dear all,
is it possible to use the enable_react funktion in Snort to provide a HTML site if an IP is blocked? I think that this option is not used during the build. Is it possible to use that option in futher builds of PfSense?
Best,
Theo -
The
react
rule option requires Snort to be running with Inline IPS mode. That mode is not currently available in the pfSense package. I am looking into some possible improvements to the DAQ netmap module for the future, that if I am successful with, could bring a netmap-enabled inline IPS mode to the Snort package. I have just started looking into that possibility, so I do not have any estimate on when it may be ready (or even if I can be successful implementing it).The Snort package today implements its "blocking" by using a custom output plugin that communicates via system
ioctl()
calls to place offenders' IP addresses into the firewall's pf packet filter in a table called snort2c. Blocking today uses a parallel processing path with libpcap and not inline IPS-type processing. -
okay thanks for checking!
Best,
Theo -
@theowolf said in Snort enable_react problem:
okay thanks for checking!
Best,
TheoAnd to elaborate a bit more ... DAQ's netmap mode in Snort today requires that you dedicate two physical NIC interfaces to the connection: one as input and the other as output. The netmap module in DAQ then bridges those two physical interfaces, but with Snort sitting between the two operating in Inline IPS mode. So Snort then can either pass on, or drop, packets destined for the other interface.
The main issue that makes this unattractive on a UTM-type firewall such as pfSense is the requirement of using two physical interfaces. So a typical minimal firewall would need four physical NIC interfaces: LAN, WAN and then another pair for the Snort-DAQ netmap bridge pair. That's a little wasteful of physical NICs in most situations.
What I am looking into is patching DAQ's netmap module so that it can use the special "host stack" connection provided by native netmap on FreeBSD and other operating systems. This requires changes to DAQ's netmap module source code. If I can get this to work, then Snort Inline IPS mode can be configured the same as Suricata is done today on pfSense. That mode creates a pipe between the physical NIC interface and the host network stack, so the IPS can exist on the same interface as the LAN or WAN.