Netgate Discussion Forum
Correctly configuring SNORT to block limewire from the LAN side

pfSense Packages
10 Posts 5 Posters 7.0k Views
SnoSalmon (last edited Jul 14, 2010, 10:37 AM)

    Hey guys,

    I've got SNORT humming along, but… I cannot get it to block P2P/Limewire stuff.

    System setup:
    P4 2.8Ghz, 1GB DDR-400, 40GB IDE drive.
    Software:
    PFSense 1.2.3-Release, Snort 2.8.6, 1.27, Squid 2.7.9_1 and Lightsquid 1.7.1, also BandwidthD 2.0.1.2

    I've enabled SNORT on the WAN interface, manually updating the rules (thanks for the guide RUNE!!) and I can select rulesets.
    Rulesets enabled are emerging-p2p and p2p (along with a handful of others covering virus, spyware, scan, exploit etc)

    I'm hoping to build an all-round decent firewall with IPS detection and caching.

    Now the problem: Torrenting seems to be blocked now, but I can still fire up Limewire, search and download. I have the block offenders ticked, and when I look in the alerts log I do see things triggered with my WAN port as the source. I get entries in the blocked list if I fire up bitlord and try a download, the hosts are all external IPs, but limewire just keeps going.

    Can someone please assist me with this? I'm running out of ideas. Once I get this all working I'm intending to replace a Sonicwall (with the security subscriptions configured), but I need this to do the same base functions first :)

    TIA

    Joe

    SnoSalmon (last edited Jul 15, 2010, 2:50 AM)

      Bump - Anyone?
      Do I need to configure SNORT on the LAN interface instead of the WAN interface?

      DigitalJer (last edited Jul 15, 2010, 4:24 AM)

        Out of curiosity, do you have UPnP disabled ?

        ------------------------------------------------
        2.4.3-RELEASE (amd64)
        built on Mon Mar 26 18:02:04 CDT 2018
        FreeBSD 11.1-RELEASE-p7
        VM in ESXi 5.5
        1 x 1000baseTX (WAN)
        1 x 1000baseTX (LAN)

        SnoSalmon (last edited Jul 15, 2010, 10:48 AM)

          PNP is disabled in the BIOS of the PFSense box.
          Is there another setting I need to disable or change? PFSense is all default with the exception of the Squid, Lightsquid, BandwidthD and SNORT packages installed.

          GruensFroeschli (last edited Jul 15, 2010, 10:58 AM)

            DigitalJer is talking about UPnP http://en.wikipedia.org/wiki/Universal_Plug_and_Play not PNP.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            DigitalJer (last edited Jul 15, 2010, 3:01 PM)

              In pfsense web gui:

              Services / UPnP, and ensure the "Enable UPnP" is de-selected.

              Not sure why Snort isn't blocking, but if for some reason UPnP is enabled, Limewire will happily open up all the ports it needs to communicate.


              SnoSalmon (last edited Jul 16, 2010, 6:53 AM)

                Ah - yes. UPnP is not enabled.

                I have configured SNORT to scan the WAN interface. Is this correct, or should SNORT be checking the LAN interface for Limewire?

                Ideally I want things like Limewire (I'm using this as an example, I'd like to block ALL P2P packages) and torrenting etc blocked silently - EG Limewire just doesn't connect without banning the host (Local LAN PC) from the Internet.

                Any more ideas?

                weselko (last edited Jul 20, 2010, 6:45 PM)
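The question of WAN versus LAN placement comes down to what addresses the sensor actually sees. The following is an added illustration for this thread, not code from pfSense or the Snort package: it runs a simplified model of "block offenders" (assumption: each address in an alert is a block candidate unless it is one of the firewall's own interface addresses, which are passlisted) over constructed Snort "fast" alert lines. The IP addresses, rule SIDs and alert messages are made up. On the WAN-side lines the LAN PC has already been rewritten by NAT to the firewall's WAN address, so the only address left to block is the remote peer; on the LAN-side line the real client address is visible.

```python
"""Which address can a simplified "block offenders" actually block?

Added example for this thread, not pfSense or Snort package code.  The
block-offenders model here is an assumption: every address in an alert is a
candidate unless it is passlisted (the firewall's own interface addresses).
All addresses, SIDs and messages below are constructed.
"""
import ipaddress
import re

# Snort fast-alert layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} SRC:PORT -> DST:PORT
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<rule>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Constructed WAN-side alerts: the sensor sees post-NAT traffic, so the LAN PC
# appears as the firewall's WAN address 203.0.113.10 (made up).
WAN_ALERTS = [
    "07/14-10:37:01.000001  [**] [1:9000001:1] ET P2P Gnutella client request [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} "
    "203.0.113.10:51234 -> 198.51.100.7:6346",
    "07/14-10:37:02.000002  [**] [1:9000002:1] ET P2P BitTorrent peer sync [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} "
    "198.51.100.9:6881 -> 203.0.113.10:6881",
]
# The same first connection as a LAN-side sensor would see it (constructed).
LAN_ALERTS = [
    "07/14-10:37:01.000001  [**] [1:9000001:1] ET P2P Gnutella client request [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} "
    "192.168.1.50:51234 -> 198.51.100.7:6346",
]

LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed LAN subnet
PASSLIST = {"203.0.113.10", "192.168.1.1"}              # firewall's own addresses (assumed)


def parse_alert(line):
    """Return the interesting fields of one fast-alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def block_target(alert):
    """Return (address, role) for the host that would land in the block table.

    role is "lan-host" when the blocked address is inside LAN_NET (blocking it
    stops the P2P client, but also cuts that PC off entirely), "remote-peer"
    when only the far end of the connection is left to block, or "none" when
    both ends are passlisted.
    """
    blockable = [a for a in (alert["src"], alert["dst"]) if a not in PASSLIST]
    for addr in blockable:
        if ipaddress.ip_address(addr) in LAN_NET:
            return addr, "lan-host"
    if blockable:
        return blockable[0], "remote-peer"
    return None, "none"


def summarize(lines):
    """Count how many alerts would block a LAN host versus only a remote peer."""
    counts = {"lan-host": 0, "remote-peer": 0, "none": 0}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        counts[block_target(alert)[1]] += 1
    return counts


if __name__ == "__main__":
    for name, lines in (("WAN sensor", WAN_ALERTS), ("LAN sensor", LAN_ALERTS)):
        print(name, summarize(lines))
        for line in lines:
            print("   ", block_target(parse_alert(line)))
```

Run as a script it prints that every WAN-side alert resolves to a remote peer (the behaviour described in the first post: the blocked list fills with external IPs while the client keeps finding new peers), whereas the LAN-side alert resolves to 192.168.1.50. That is also the trade-off the poster raises: blocking on the LAN side does hit the offending PC, but it bans that PC rather than silently dropping only the P2P sessions.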

                  First of all, pfSense is not an L7 firewall. Completely blocking P2P will probably be mission impossible. You can run a tight outgoing policy set that only allows port 80 and a few others to the outside, but P2P uses HTTP ports as much as any other. What you can do is use the traffic shaper to slow P2P down to a minimum, or use a traffic quota for the users.

                  What I do is allow my users full access, log the traffic and penalize them if they're breaking the rules. I've never had any need to block anything for them since I run that kind of policy.

                  Hope it helps.

                  DigitalJer (last edited Jul 20, 2010, 8:01 PM)

                    Sorry for the OT, but that's a good point; and that's how we treat our users in our office - like adults.  The new hires usually get a brief speech from one of us, to the effect of; we're all adults - complete and unfettered Internet usage isn't a problem unless it becomes a problem and/or we hear something from management.

                    aka - gaming, slacking, surfing YouTube all day isn't our issue - it's a management issue.  Sure, we know who the slackers are - but usually keep quiet unless it's supremely excessive (causes bottlenecks or otherwise becomes disruptive), or management asks.  Sometimes we'll drop hints to a manager…and the problem quickly fixes itself.  Five years of this philosophy has resulted in only ONE person receiving discipline, no viruses, and only token spyware.

                    We're not the Internet police :)  ...every office is different, but it's sure nice to be free of this stuff.


                    jimp (Rebel Alliance, Developer, Netgate) (last edited Jul 20, 2010, 8:07 PM)

                      @weselko:

                      First of all PfSense is not a L7 firewall.

                      It is in 2.0 :-)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.