<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Correctly configuring SNORT to block limewire from the LAN side]]></title><description><![CDATA[<p dir="auto">Hey guys,</p>
<p dir="auto">I've got SNORT humming along, but…I can not get it to block P2P/Limewire stuff.</p>
<p dir="auto">System setup:<br />
P4 2.8GHz, 1GB DDR-400, 40GB IDE drive.<br />
Software:<br />
PFSense 1.2.3-Release, Snort 2.8.6, 1.27, Squid 2.7.9_1 and Lightsquid 1.7.1, also BandwidthD 2.0.1.2</p>
<p dir="auto">I've enabled SNORT on the WAN interface, manually updating the rules (thanks for the guide RUNE!!) and I can select rulesets.<br />
Rulesets enabled are emerging-p2p and p2p (along with a handful of others covering virus, spyware, scan, exploit etc)</p>
<p dir="auto">I'm hoping to build an all-round decent firewall with IPS detection and caching.</p>
<p dir="auto">Now the problem: Torrenting seems to be blocked now, but I can still fire up Limewire, search and download. I have the block offenders ticked, and when I look in the alerts log I do see things triggered with my WAN port as the source. I get entries in the blocked list if I fire up bitlord and try a download, the hosts are all external IPs, but limewire just keeps going.</p>
<p dir="auto">Can someone please assist me with this? I'm running out of ideas. Once I get this all working I'm intending to replace a Sonicwall (with the security subscriptions configured), but I need this to do the same base functions first :)</p>
<p dir="auto">TIA</p>
<p dir="auto">Joe</p>
]]></description><link>https://forum.netgate.com/topic/25023/correctly-configuring-snort-to-block-limewire-from-the-lan-side</link><generator>RSS for Node</generator><lastBuildDate>Fri, 08 May 2026 15:25:39 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/25023.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 14 Jul 2010 10:37:53 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Tue, 20 Jul 2010 20:07:14 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/weselko">@<bdi>weselko</bdi></a>:</p>
<blockquote>
<p dir="auto">First of all PfSense is not a L7 firewall.</p>
</blockquote>
<p dir="auto">It is in 2.0 :-)</p>
]]></description><link>https://forum.netgate.com/post/240326</link><guid isPermaLink="true">https://forum.netgate.com/post/240326</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Tue, 20 Jul 2010 20:07:14 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Tue, 20 Jul 2010 20:01:45 GMT]]></title><description><![CDATA[<p dir="auto">Sorry for the OT, but that's a good point; and that's how we treat our users in our office - like adults.  The new hires usually get a brief speech from one of us, to the effect of; we're all adults - complete and unfettered Internet usage isn't a problem unless it becomes a problem and/or we hear something from management.</p>
<p dir="auto">aka - gaming, slacking, surfing YouTube all day isn't our issue - it's a management issue.  Sure, we know who the slackers are - but usually keep quiet unless it's supremely excessive (causes bottlenecks or otherwise becomes disruptive), or management asks.  Sometimes we'll drop hints to a manager…and the problem quickly fixes itself.  Five years of this philosophy has resulted in only ONE person receiving discipline, no viruses, and only token spyware.</p>
<p dir="auto">We're not the Internet police :)  ...every office is different, but it's sure nice to be free of this stuff.</p>
]]></description><link>https://forum.netgate.com/post/240325</link><guid isPermaLink="true">https://forum.netgate.com/post/240325</guid><dc:creator><![CDATA[DigitalJer]]></dc:creator><pubDate>Tue, 20 Jul 2010 20:01:45 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Tue, 20 Jul 2010 18:45:35 GMT]]></title><description><![CDATA[<p dir="auto">First of all PfSense is not a L7 firewall. Completely blocking P2P will probably be mission impossible. You can run a tight outgoing policy set with only allowing port 80 and a few others to the outside, but P2P uses http ports as much as any other. What you can do is use the traffic shaper to slow down P2P to a minimum or use a traffic quota for the users.</p>
<p dir="auto">What I do is allow my users full access, log the traffic and penalize them if they're breaking the rules. Never had any need to block anything for them since I run that kind of policy.</p>
<p dir="auto">Hope it helps.</p>
]]></description><link>https://forum.netgate.com/post/240310</link><guid isPermaLink="true">https://forum.netgate.com/post/240310</guid><dc:creator><![CDATA[weselko]]></dc:creator><pubDate>Tue, 20 Jul 2010 18:45:35 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Fri, 16 Jul 2010 06:53:32 GMT]]></title><description><![CDATA[<p dir="auto">Ah - yes. uPNP is not enabled.</p>
<p dir="auto">I have configured SNORT to scan the WAN interface. Is this correct, or should SNORT be checking the LAN interface for Limewire?</p>
<p dir="auto">Ideally I want things like Limewire (I'm using this as an example, I'd like to block ALL P2P packages) and torrenting etc blocked silently - EG Limewire just doesn't connect without banning the host (Local LAN PC) from the Internet.</p>
<p dir="auto">Any more ideas?</p>
]]></description><link>https://forum.netgate.com/post/239828</link><guid isPermaLink="true">https://forum.netgate.com/post/239828</guid><dc:creator><![CDATA[SnoSalmon]]></dc:creator><pubDate>Fri, 16 Jul 2010 06:53:32 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Thu, 15 Jul 2010 15:01:21 GMT]]></title><description><![CDATA[<p dir="auto">In pfsense web gui:</p>
<p dir="auto">Services / UPnP, and ensure the "Enable UPnP" is de-selected.</p>
<p dir="auto">Not sure why Snort isn't blocking, but if for some reason UPnP is enabled, Limewire will happily open up all the ports it needs to communicate.</p>
]]></description><link>https://forum.netgate.com/post/239746</link><guid isPermaLink="true">https://forum.netgate.com/post/239746</guid><dc:creator><![CDATA[DigitalJer]]></dc:creator><pubDate>Thu, 15 Jul 2010 15:01:21 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Thu, 15 Jul 2010 10:58:52 GMT]]></title><description><![CDATA[<p dir="auto">DigitalJer is talking about UPnP http://en.wikipedia.org/wiki/Universal_Plug_and_Play not PNP.</p>
]]></description><link>https://forum.netgate.com/post/239684</link><guid isPermaLink="true">https://forum.netgate.com/post/239684</guid><dc:creator><![CDATA[GruensFroeschli]]></dc:creator><pubDate>Thu, 15 Jul 2010 10:58:52 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Thu, 15 Jul 2010 10:48:26 GMT]]></title><description><![CDATA[<p dir="auto">PNP is disabled in the BIOS of the PFSense box.<br />
Is there another setting I need to disable or change? PFSense is all default with the exception of the Squid, Lightsquid, BandwidthD and SNORT packages installed.</p>
]]></description><link>https://forum.netgate.com/post/239683</link><guid isPermaLink="true">https://forum.netgate.com/post/239683</guid><dc:creator><![CDATA[SnoSalmon]]></dc:creator><pubDate>Thu, 15 Jul 2010 10:48:26 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Thu, 15 Jul 2010 04:24:35 GMT]]></title><description><![CDATA[<p dir="auto">Out of curiosity, do you have UPnP disabled?</p>
]]></description><link>https://forum.netgate.com/post/239669</link><guid isPermaLink="true">https://forum.netgate.com/post/239669</guid><dc:creator><![CDATA[DigitalJer]]></dc:creator><pubDate>Thu, 15 Jul 2010 04:24:35 GMT</pubDate></item><item><title><![CDATA[Reply to Correctly configuring SNORT to block limewire from the LAN side on Thu, 15 Jul 2010 02:50:15 GMT]]></title><description><![CDATA[<p dir="auto">Bump - Anyone?<br />
Do I need to configure SNORT on the LAN interface instead of the WAN interface?</p>
]]></description><link>https://forum.netgate.com/post/239664</link><guid isPermaLink="true">https://forum.netgate.com/post/239664</guid><dc:creator><![CDATA[SnoSalmon]]></dc:creator><pubDate>Thu, 15 Jul 2010 02:50:15 GMT</pubDate></item></channel></rss>