Netgate Discussion Forum

    Snort - granular DROP targets, ads, etc...

    IDS/IPS
    3 Posts 2 Posters 7.1k Views
    • buggz

      Wow, so I have finally gotten a stable system with Snort in IPS mode.
      I also see that I am able to DROP targets via SID Management, such as ad sites like the following.
      Yes, I have pfBlockerNG set up pretty good for this, also.
      Just something I find useful from the Snort Alert Description field.

      1:71787 # 151.101.6.49:443 - tubemogul
      1:70864 # 104.118.221.72:443 - pinterest
      1:71720 # 23.199.14.114:443 - bluekai
      1:71689 # 64.95.182.2:80 - richrelevance
      1:70995 # 108.177.122.149:443 - doubleclick
      1:71722 # 152.195.19.97:443 - iperceptions

      • bmeeks (last edited by bmeeks)

        The IPS mode does provide more efficient blocking. With that mode, and by enabling DROP with some rules but leaving the default ALERT in place with others, you can drop specific traffic to or from a host without having to block everything from that host as Legacy Blocking does. So IPS mode, when rules have the DROP action, will drop individual packets matching a rule, but let other traffic pass. The Legacy Mode, on the other hand, simply blocks the host's IP address when a packet matching a rule is detected. After that, all traffic to and from that host is blocked until the IP block is removed either automatically by timing out via the "Clear Blocked Hosts" cron task, or manually by the admin.

        Inline IPS Mode can really be useful when combined with the OpenAppID rules.

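Added example, not code from the thread or from the pfSense Snort package: a small Python model of the two behaviours bmeeks describes above, with a constructed DROP list written in the "GID:SID # comment" style of the first post. The per-packet verdicts, the minute clock used for the block timeout, and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed entries in the "GID:SID # comment" style of the first post.
DROPSID_CONF = """
1:71787 # 151.101.6.49:443 - tubemogul
1:70995 # 108.177.122.149:443 - doubleclick
"""

def parse_dropsid(text):
    """Return the set of (gid, sid) pairs whose action is forced to DROP."""
    drop = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # '#' starts a comment
        if entry:
            gid, sid = entry.split(":")
            drop.add((int(gid), int(sid)))
    return drop

@dataclass
class Packet:
    t: int        # minutes on a constructed clock (assumption)
    host: str     # remote host the packet is to or from
    gid: int = 0  # matching rule; 0:0 means no rule matched
    sid: int = 0

def ips_mode(packets, drop_sids):
    """Inline IPS: drop only packets that match a DROP-action rule; the rest pass."""
    return ["drop" if (p.gid, p.sid) in drop_sids else "pass" for p in packets]

def legacy_mode(packets, block_minutes):
    """Legacy: the alerting packet was already seen; its host is then blocked until expiry."""
    blocked, verdicts = {}, []
    for p in packets:
        if p.host in blocked and p.t - blocked[p.host] < block_minutes:
            verdicts.append("block")
            continue
        blocked.pop(p.host, None)  # expired, or never blocked
        if p.gid:  # any alert, whatever the rule's action
            blocked[p.host] = p.t
        verdicts.append("pass")
    return verdicts

# Constructed traffic: DROP-listed ad fetch, ALERT-only match, then ordinary traffic.
SAMPLE = [
    Packet(0, "151.101.6.49", 1, 71787),     # tubemogul, on the DROP list
    Packet(1, "151.101.6.49"),               # other traffic to the same host
    Packet(2, "68.232.172.16", 1, 2009968),  # ALERT-only rule, not on the list
    Packet(3, "68.232.172.16"),              # game traffic to the same host
    Packet(70, "68.232.172.16"),             # after the legacy block has timed out
]
```

Running `ips_mode(SAMPLE, parse_dropsid(DROPSID_CONF))` beside `legacy_mode(SAMPLE, 60)` shows the difference: IPS drops only the one ad packet, while legacy lets the alerting packets through and then blocks everything to those hosts until the timeout.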
        • buggz (last edited by buggz)

          And you get really good info ones like:

          1:2009968 # Potential Corporate Privacy Violation -
          Src.192.168.2.45:27960 Dest.68.232.172.16:27960
          ET P2P eMule KAD Network Connection Request(2)

          Though this is showing I am the Source?
          Hmm, time to thorough scan...

          Haha, that WAS me, playing Enemy Territory.
          BUSTED! hehe...

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.