How to block P2P specially with Suricata Configuration.

krishan

Hey guys help me out to Block all the P2P request in WAN interface. Currently I am using suricata IDS/IPS to block all the P2P request. Detailed instruction or guide will be better.
As am beginner.

bmeeks

First of all, you will need to enable the emerging-p2p rules category on the CATEGORIES tab. I assume you have done that. Then you enable blocking for the interface on the INTERFACE SETTINGS tab. After making any change on the INTERFACE SETTINGS or CATEGORIES tabs, you would need to restart Suricata in order for it to see the changes.

You might fare better blocking some of the newer P2P stuff using the Layer 7 DPI capabilities provided by Snort's OpenAppID feature. However, blocking P2P is getting harder at the packet level because many clients now attempt to hide or disguise their traffic so it appears as normal HTTPS traffic.

A tool such as pfBockerNG-devel can be useful. It uses lists of host IP addresses for various categories of network traffic. You subscribe to various lists and then have them populate firewall aliases. You then use those aliases in blocking rules. There is a separate sub-forum here in the Packages section for pfBlockerNG.