Netgate Discussion Forum

    Better Blocking for Snort Package

    BCSNetAdminDF

      I work as Network and Systems Administrator at a private school, and we are looking for a non-SSL-Inspection tool for enforcing our acceptable use policies in our network. I came across Snort using OpenAppID, and it detects all of the traffic I am looking to block very well.

      However, the blocking in Snort is a sort of Ban Hammer approach. I don't want to block the source IP (my user), since I want the student to be able to continue working, but I want to block the student's VPN connection. I don't want to block the destination IP (google for example), I just want to block the student from accessing it with Internet Exploder. What I ultimately want is for the traffic which caused the alert to be dropped without disrupting any other traffic. We tried Suricata for its blocking finesse, but without OpenAppID it has no way of detecting the traffic I want to block. I know, I'm trying to use an IPS for internal traffic blocking and that's not really the original intent, but Snort with OpenAppID does a marvelous job of it anyway.

      All that to say, is there anyone that worked on the development of the Snort or Suricata packages that would be interested in making Snort block better? We would rather support the development of OS software than throw our money at a firewall company for a proprietary solution that still doesn't do what we want. Does anyone know how I can get in contact with the devs of the Snort package?

      Many thanks!

      bmeeks (last edited by bmeeks)

        You want the newer Snort 4.x package available in pfSense-2.5 DEVELOPMENT. That package has updated supporting libraries that support use of an inline IPS mode using the kernel netmap device.

        A decision was made, due to various potential issues with supporting libraries, to only incorporate this new functionality in the DEVEL branch of FreeBSD which is based on FreeBSD 12.x. The current 2.4.4 RELEASE branch of pfSense is based on the older FreeBSD 11.x branch.

        So the only way to install and take advantage of the new Snort 4.x package is to upgrade your firewall to the latest pfSense-2.5 snapshot.

        BCSNetAdminDF
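The difference the two posts above are circling is blocking granularity: the legacy package behaviour the original poster describes blocks the offending host outright, while Snort's inline IPS mode only drops packets matched by rules whose action is drop. The following is an added example, not code from the thread or from the pfSense Snort package. It rewrites selected alert rules to drop rules (keyed by sid) and then models both enforcement styles over a handful of constructed flows so the collateral impact of host-level blocking is visible. The rule text, flow records, host addresses and application names are all constructed for this example; the appid rule option is OpenAppID's keyword for Snort 2.9.x, and the "block the whole host" model is an assumption standing in for the legacy blocking behaviour the poster complains about.

```python
import re
from dataclasses import dataclass

# Constructed sample ruleset (not from the page or any shipped rule file).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY VPN client traffic"; appid:"OpenVPN"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY legacy browser"; appid:"Internet Explorer"; sid:1000002; rev:1;)
# comment lines are passed through untouched
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO plain HTTP"; sid:1000003; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<body>\S.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
APPID_RE = re.compile(r'\bappid\s*:\s*"([^"]*)"\s*;')


def rule_sid(rule: str):
    """Return the numeric sid of a rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_appids(rule: str) -> set:
    """Return the set of application names in the rule's appid option."""
    m = APPID_RE.search(rule)
    return {a.strip() for a in m.group(1).split(',')} if m else set()


def convert_to_drop(rule_text: str, sids: set) -> str:
    """Rewrite the action of every rule whose sid is in `sids` to 'drop'.

    Only meaningful in inline IPS mode: in legacy mode the action does not
    decide what gets blocked.
    """
    out = []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and rule_sid(line) in sids:
            out.append('drop ' + m.group('body'))
        else:
            out.append(line)
    return '\n'.join(out) + '\n'


def drop_appids(rule_text: str) -> set:
    """Collect the application names that drop rules in the ruleset match on."""
    apps = set()
    for line in rule_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group('action') == 'drop':
            apps |= rule_appids(line)
    return apps


@dataclass(frozen=True)
class Flow:
    src: str   # client address
    dst: str   # server address
    app: str   # application as OpenAppID would label it


# Constructed traffic: one student with a VPN client, an old browser and a
# normal browser; a second student with only a normal browser.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "203.0.113.10", "OpenVPN"),
    Flow("10.0.5.23", "198.51.100.20", "Internet Explorer"),
    Flow("10.0.5.23", "198.51.100.20", "Google Chrome"),
    Flow("10.0.5.24", "198.51.100.20", "Google Chrome"),
]


def legacy_block(flows, blocked_apps) -> set:
    """Model of host-level blocking (assumption): any client that triggers a
    rule is added to a block table and all of its traffic is cut off."""
    offenders = {f.src for f in flows if f.app in blocked_apps}
    return {f for f in flows if f.src in offenders}


def inline_drop(flows, blocked_apps) -> set:
    """Model of inline IPS mode: only packets matched by a drop rule are
    dropped; the client's other flows are untouched."""
    return {f for f in flows if f.app in blocked_apps}


if __name__ == "__main__":
    rules = convert_to_drop(SAMPLE_RULES, {1000001, 1000002})
    apps = drop_appids(rules)
    print("drop rules match:", sorted(apps))
    print("legacy mode blocks", len(legacy_block(SAMPLE_FLOWS, apps)), "flows")
    print("inline mode drops ", len(inline_drop(SAMPLE_FLOWS, apps)), "flows")
```

With the two policy rules converted to drop, the host-level model cuts all three of the first student's flows, including the ordinary Chrome session, whereas the inline model drops only the VPN and old-browser flows. That is exactly the "drop the traffic that caused the alert without disrupting anything else" outcome the poster is after, and it is why the rule action matters once the package is running in inline IPS mode.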

          @bmeeks said in Better Blocking for Snort Package:

          the only way to install and take advantage of the new Snort 4.x package is to upgrade

          I had no idea, thank you so much. I'll set that up in my lab right away.

          bmeeks @BCSNetAdminDF

            @BCSNetAdminDF said in Better Blocking for Snort Package:

            @bmeeks said in Better Blocking for Snort Package:

            the only way to install and take advantage of the new Snort 4.x package is to upgrade

            I had no idea, thank you so much. I'll set that up in my lab right away.

            Once you get the new Snort 4.x package installed, have a look at this Sticky Post for configuration instructions: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.