Snort not blocking P2P IP addresses



  • Hello guys, just wondering why my Snort logs P2P connections such as uTorrent and blocks the DST IP addresses, but in reality when I download a movie through uTorrent it is still able to download without any problems. And by the way, I have pfSense running behind my ISP router. Kindly help.



  • Are you sure you actually have blocking enabled? It is not turned on by default. You must click the Block Offenders checkbox on the INTERFACE SETTINGS tab and then restart Snort after saving the change.

    Is the Destination IP of a torrent server listed in the table on the BLOCKS tab?

    Make sure the Kill States checkbox is still checked on the INTERFACE SETTINGS tab. It is checked by default, but you may have inadvertently turned it off.

    Is the DST IP address possibly in a Pass List you have configured? And are these torrent destinations out on the Internet and not local on the LAN?



  • @bmeeks the interface is on the LAN.



  • @OpenWifi said in Snort not blocking P2P IP addresses:

    @bmeeks the interface is on the LAN.

    You need to clarify this. Your reply did not answer any of my questions or address my troubleshooting tips.

    Is the BitTorrent server on your LAN, or are just the clients accessing the server, with the server (or servers, for BitTorrent) located somewhere out on the Internet?

    If the BitTorrent server is on your LAN, then are you sure the clients have to transit the firewall to access it?



  • @bmeeks To clarify, Block Offenders is ON. The destination IP address of the torrent server is listed on the BLOCKS tab. The Kill States checkbox is ticked. The DST IP is not in any Pass List. And the DST IPs are out on the Internet. Let me clarify more with a screenshot. Thank you.
    (Screenshots attached: IMG_20190525_025140_563.jpg, IMG_20190525_025159_565.JPG, IMG_20190525_025217_757.JPG, IMG_20190525_025626_489.jpg, IMG_20190525_025714_554.jpg)
    Now as you can see from my screenshot, the circled DST torrent IP address is blocked in the BLOCKS tab, but unfortunately I can still download a torrent through the same IP address. Thank you.



  • What is the IP address of your client? Are you sure the client you are using must traverse the firewall's LAN interface in order to get to the Torrent host? I'm asking because the screenshots you posted indicate Snort is working. It puts the IP address to be blocked into a special list maintained by the pfSense firewall. Any IP address in that list is blocked. When you view the BLOCKS tab, that screen is populated by dumping out this list of currently blocked IP addresses.

    So looking at the screenshots my first inclination is that the client you are using is not traversing the pfSense firewall in order to get to the host, or it is using a different IP address now.

    Try to ping that IP address from the same client you are using to download the torrent. Also you need to be aware that Torrent clients don't use a single IP address for download. They use a bunch of servers all over the world. So maybe your client is actually using another IP from the Torrent pool when downloading. The block of that IP you have in the screenshot came from an HTTP_INSPECT preprocessor rule and from detection of a Torrent download. As a matter of fact, all four of the currently shown blocks are from HTTP_INSPECT preprocessor rules and not from P2P traffic.



  • @bmeeks so how can I force clients to traverse the firewall's LAN, and also how can I achieve what you are trying to explain? Because my main objective is to discourage use of torrents on the network. Kindly help.



  • @OpenWifi said in Snort not blocking P2P IP addresses:

    @bmeeks so how can I force clients to traverse the firewall's LAN, and also how can I achieve what you are trying to explain? Because my main objective is to discourage use of torrents on the network. Kindly help.

    Well, you would start by enabling the proper rule categories including the OpenAppID feature. As I said in my previous post, the blocks you are showing for that 195.22.28.198 host came from an HTTP_INSPECT preprocessor rule and not from a rule designed to detect P2P traffic. You need to do some research on Google and learn about Snort and how to select and use the various rules.

    As for forcing your clients to traverse the firewall's LAN, that is determined by your particular network's topology. And to be honest, if you have to ask that question it leads me to believe you are not very experienced with networking concepts. You can try drawing and posting a diagram of your network showing all of the connection paths from your ISP modem/router to your final endpoint clients. Include any wired connections and any wireless connections. Maybe looking at that will give me insight into what your problem might be. Looking at the previous screenshots you posted, Snort is working correctly and blocking the offending hosts on the pfSense firewall. But if your clients have another route to the Internet, then pfSense could well be out of the picture in terms of effectively blocking their traffic.



  • @bmeeks Thank you. The screenshots I am attaching are of the current BLOCKS tab and my network topology respectively.
    (Screenshot attached: IMG_20190526_103409_108.jpg)
    The highlighted IPs confirm that I enabled the OpenAppID feature.
    (Screenshot attached: IMG_20190526_101207_560.JPG)
    This is the network topology. Kindly consider that the reason I did not disable DHCP on the ISP router is because the router lacks bridging capabilities, and so I decided to port forward a few ports, i.e. 53 (DNS) and 1194 (OpenVPN).



  • @OpenWifi said in Snort not blocking P2P IP addresses:

    @bmeeks Thank you. The screenshots I am attaching are of the current BLOCKS tab and my network topology respectively.
    (Screenshot attached: IMG_20190526_103409_108.jpg)
    The highlighted IPs confirm that I enabled the OpenAppID feature.
    (Screenshot attached: IMG_20190526_101207_560.JPG)
    This is the network topology. Kindly consider that the reason I did not disable DHCP on the ISP router is because the router lacks bridging capabilities, and so I decided to port forward a few ports, i.e. 53 (DNS) and 1194 (OpenVPN).

    What is the WAN IP address on your pfSense box? And what is the default route given to the clients hanging off that switch? For that setup to work, you would need your pfSense box to have a WAN address in the 192.168.1.0/24 network and then the LAN be the 192.168.7.0/24 network. Finally, the DHCP settings in the ISP router where you have the DHCP server enabled should be handing out your pfSense box's LAN address as the default route to be used by the clients.

    Does the ISP router have wireless capability? If so, it should be disabled; otherwise it could provide a bypass of the pfSense firewall.

    I can tell you from the screenshot you posted that the pfSense box and Snort are working correctly. With those IP addresses listed on the BLOCK tab, they will and are being blocked for anything trying to go through your pfSense box. Now, if clients have another way to access the ISP router that bypasses pfSense, then obviously pfSense can't block them. And because pfSense with Snort runs the interfaces in promiscuous mode, Snort will see all traffic on the segment even if that traffic is not targeted to the MAC of your LAN interface.

    As a final test, try to ping those IP addresses of the Torrent servers listed on the BLOCKS tab. They should fail to respond to a ping request if they are blocked. If they respond to a ping, then I'm almost 100% certain your problem is going to be that the clients have another path to the Internet that bypasses the pfSense box.
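    The two checks the thread converges on (is the destination really in the firewall's block table, and does the client's traffic actually pass through pfSense) can be scripted. The following is an added example, not code from any poster or from the pfSense Snort package. It assumes the pfSense LAN address is 192.168.7.1 (the thread only says the LAN is 192.168.7.0/24), assumes the block table is the `snort2c` pf table that the pfSense Snort package maintains, and uses a traceroute first-hop check instead of the ping test suggested above, since a ping reply alone does not tell you which path the client took. The table dump and traceroute text are constructed samples, not captured output.

```python
"""Troubleshoot "Snort shows the IP as blocked but the download still works".

Check 1: is the destination present in the pf table that pfSense blocks from?
         (constructed sample of `pfctl -t snort2c -T show` output below)
Check 2: is the client's first hop the pfSense LAN address, or does the client
         go straight to the ISP router and bypass pfSense entirely?
"""
import ipaddress
import re

PFSENSE_LAN_IP = "192.168.7.1"   # assumption: LAN gateway in 192.168.7.0/24

# Constructed sample: what `pfctl -t snort2c -T show` prints on the pfSense box.
SAMPLE_BLOCK_TABLE = """\
   195.22.28.198
   185.36.19.4
"""

# Constructed sample: traceroute from a client whose default route is the ISP router.
SAMPLE_TRACE_BYPASS = """\
traceroute to 195.22.28.198 (195.22.28.198), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.398 ms  0.371 ms
 2  10.20.0.1 (10.20.0.1)  8.1 ms  7.9 ms  8.0 ms
 3  195.22.28.198 (195.22.28.198)  21.3 ms  21.1 ms  20.9 ms
"""

# Constructed sample: traceroute from a client that routes through pfSense.
# The later hops time out because pfSense drops traffic to the blocked host.
SAMPLE_TRACE_VIA_PFSENSE = """\
traceroute to 195.22.28.198 (195.22.28.198), 30 hops max, 60 byte packets
 1  192.168.7.1 (192.168.7.1)  0.290 ms  0.277 ms  0.265 ms
 2  * * *
 3  * * *
"""

# Matches "<hop number>  <address or *>" at the start of a traceroute line.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_block_table(text):
    """Return the networks listed in a pfctl table dump (single IPs become /32)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_blocked(ip, table_text):
    """True if `ip` falls inside any entry of the block table dump."""
    target = ipaddress.ip_address(ip)
    return any(target in net for net in parse_block_table(table_text))


def parse_hops(trace_text):
    """Return [(hop_number, address_or_None), ...] from traceroute output."""
    hops = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or malformed line
        hop, addr = int(m.group(1)), m.group(2)
        hops.append((hop, None if addr == "*" else ipaddress.ip_address(addr)))
    return hops


def first_hop(trace_text):
    """Address of hop 1, or None if the trace is empty or hop 1 timed out."""
    hops = parse_hops(trace_text)
    return hops[0][1] if hops else None


def diagnose(dest_ip, table_text, trace_text, pfsense_lan_ip=PFSENSE_LAN_IP):
    """Combine both checks into one verdict string."""
    if not is_blocked(dest_ip, table_text):
        return "not-in-block-table"        # Snort never blocked it: rule/config issue
    if first_hop(trace_text) != ipaddress.ip_address(pfsense_lan_ip):
        return "blocked-but-bypassed"      # client's path does not cross pfSense
    return "blocked-and-enforced"          # block is in place and on the path


if __name__ == "__main__":
    for name, trace in (("bypass", SAMPLE_TRACE_BYPASS),
                        ("via pfSense", SAMPLE_TRACE_VIA_PFSENSE)):
        print(name, "->", diagnose("195.22.28.198", SAMPLE_BLOCK_TABLE, trace))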

