Use Snort or Suricata to populate pfSense Alias?

  • Hello everyone - I've been trying to figure out a way to use Layer-4 inspection to get pfSense to route matched outbound traffic across a specific interface. I know how to statically set an IP or subnet as an alias and pass it through a firewall rule with a specific gateway set, in a rule higher than the default rule. This works great when you know there's a specific device inside the network that absolutely must go over a specific network (i.e. route based on known source IP). However, I need to route based on a destination IP variable, in this case "unknown outbound networks" where I will never know the IP in advance.

    This is where Snort and/or Suricata come into place in my theory. Both of these apps can detect a myriad of traffic, Facebook, Netflix, etc and so on, and can block or permit the traffic in real time. What I'd like to do is have an alias populated with the destination network IPs in realtime, pump the IPs into a pfSense alias, then add that alias to a firewall rule, across the appropriate gateway.

    A use case, for example, would be to shunt "low priority" traffic over a 2nd-level ISP (i.e. not the Primary ISP), freeing up resources for business use, therefore balancing out the traffic. This would be great considering a simple "inside" LAN where you have to be selective about what is routed in this fashion. The traffic can't be treated like a "guest" network where all traffic is sent over the lower priority gateway, but rather portions of the destination traffic are sent to a specific gateway.

    I have looked high and low in Snort and haven't found a way to set a pfSense alias with a Snort rule. Is this possible? Could Suricata do it instead? I'm not familiar with Suricata, figured I'd ask around before going in an unknown direction.

    Perhaps there's another way around this? I figured given the L4 capabilities of those two IDS/IPS apps, that a solution either exists today in pfSense, is being considered in the future, or if it doesn't exist at all and I should start learning how to program. :)

    I thought about using DNS a-la-pfBlockerNG. However, that doesn't match my goals, because I don't know all of the FQDNs any specific app could look up. As this isn't traditionally an automated solution - manual curation of all the domain lookups an app could ever generate as it evolved with time - routing like this it was a no-go from the start. At least pfBlockerNG has the ability to populate pfSense Aliases, but it isn't the right tool for the job.

    Thanks for any help.

  • You cannot populate aliases with either the Snort or Suricata packages. They are just not designed for that purpose. Also, Suricata does not have a DPI equivalent of Snort's OpenAppID feature.

    If I understand what you are wanting to do, I know of nothing that can do that. Sounds like you want to dynamically route traffic depending on the packet type (after a Layer 7 deep packet inspection to identify the underlying app protocol).

Log in to reply