Snort, how to FORCE a block from an alert?

  • Hello,

    Anyway to use the snort alerts to force a block?

    Date Pri Proto Class Source IP SPort DestIP DPort SID Decscription
    2020-09-10 14:04:34 3 TCP Misc activity 56170 443 1:70439 facebook

    The Description field like above, facebook.
    I have seen descriptions like, microcsoft, malwarebytes, etc.
    That is somehow identifying something on my end?

  • When you enable blocking on the INTERFACE SETTINGS tab for an interface, all alerts will result in IP blocks unless the IP address is on a Pass List.

    Have you not enabled blocking for the interface and then restarted Snort on the interface?

    If you have enabled blocking and restarted Snort after the change, is the IP address you are wanting to block on a Pass List?

  • Thanks, I've tried that twice, and could not keep up.
    Snort is really difficult to have it blocking everything.
    Thought it would be easier to tune.
    I'm using the Balanced IPS Policy Selection, and adding to the Suppress list.
    All the ones that do not resolve, I leave.

    I am back to having blocking disabled, though, I don't know what good that is doing me, just seeing all the alerts?
    I would really like to use blocking mode, it is just difficult to keep up with, sigh...

  • For a new IDS/IPS admin, I recommend using the IPS Connectivity Policy. It provides very good protection but minimizes false positive alerts.

    Also, you probably need to disable a number of the HTTP_INSPECT preprocessor rules. You can identify those in your alerts by looking at the alert messages. They also can be identified by their GID (Generator ID) values of either 119 or 120.

    Finally, have a look at this very long historical thread on the forum here: Folks give their most commonly suppressed or disabled rules and why they suppressed or disabled them in posts within that thread.

  • Thank you for this informative reply!
    I will check this out.

  • Also remember that with the ever increasing use of SSL transport (think all the HTTPS web sites out there), the usefulness of IDS tools on the firewall is greatly reduced unless you use a proxy and some manner of man-in-the-middle (MITM) interception. The IDS needs to see unencrypted traffic to be 100% effective. But when accessing HTTPS sites or using something like TLS with email, the IDS only sees the encrypted traffic flow as it goes through the firewall. The decryption is happening on the endpoint client and not on the firewall unless you use MITM. However, implementing a MITM configuration carries its own problems; both ethical and technical.

    An IDS such as Snort or Suricata can still be marginally effective on SSL traffic, but it does so by examining the preamble stuff like the initial HTTP header exchanges that are not encrypted. That technique and identifying target IP addresses are how most of the OpenAppID rules in Snort work, for example.

  • Wow, you have been VERY helpful, and I VERY MUCH appreciate this!
    Though I am only doing this for my family at my home, I actually enjoy this type of work.
    I am very glad I started this, as I have always wanted to learn and use pfsense and Snort.

    I will have to read more about proxies, I have the simple Squid stuff running in pfsense, though, i'm sure that is not the same as you are talking about.
    As for MITM, it's my equipment and not in a work environment, so I can be okay in knowing the traffic patterns and data, and actually need to know.

  • Okay, gotta setup cert. and setup MITM Transparent SSL in Squid.

    I just loaded LightSquid, wow.