Snort - granular DROP targets, ads, etc...



  • Wow, so I have finally gotten a stable system with Snort in IPS mode.
    I also see that I am able to DROP targets via SID Management, such as ad sites like the following.
    Yes, I have pfBlockerNG setup pretty good for this, also.
    Just something I find useful from the Snort Alert Description field.

    1:71787 # 151.101.6.49:443 - tubemogul

    1:70864 # 104.118.221.72:443 - pinterest

    1:71720 # 23.199.14.114:443 - bluekai

    1:71689 # 64.95.182.2:80 - richrelevance

    1:70995 # 108.177.122.149:443 - doubleclick

    1:71722 # 152.195.19.97:443 - iperceptions



  • The IPS mode does provide more efficient blocking. WIth that mode, and by enabling DROP with some rules but leaving the default ALERT in place with others, you can drop specific traffic to or from a host without having to block everything from that host as Legacy Blocking does. So IPS mode, when rules have the DROP action, will drop individual packets matching a rule, but let other traffic pass. The Legacy Mode, on the other hand, simply blocks the host's IP address when a packet matching a rule is detected. After that, all traffic to and from that host is blocked until the IP block is removed either automatically by timing out via the "Clear Blocked Hosts" cron task, or manually by the admin.

    Inline IPS Mode can really be useful when combined with the OpenAppID rules.



  • And you get really good info ones like:

    1:2009968 # Potential Corporate Privacy Violation -
    Src.192.168.2.45:27960 Dest.68.232.172.16:27960
    ET P2P eMule KAD Network Connection Request(2)

    Though this is showing I am the Source?
    Hmm, time to thorough scan...

    Haha, that WAS me, playing Enemy Territory.
    BUSTED! hehe...


Log in to reply