Correctly configuring SNORT to block limewire from the LAN side

SnoSalmon

Hey guys,

I've got SNORT humming along, but…I can not get it to block P2P/Limewire stuff.

System setup:
P4 2.8Ghz, 1GB DDR-400, 40GB IDE drive.
Software:
PFSense 1.2.3-Release, Snort 2.8.6, 1.27, Squid 2.7.9_1 and Lightsquid 1.7.1, also BandwidthD 2.0.1.2

I've enabled SNORT on the WAN interface, manually updating the rules (thanks for the guide RUNE!!) and I can select rulesets.
Rulesets enabled are emerging-p2p and p2p (along with a handful of others covering virus, spyware, scan, exploit etc)

I'm hoping to build an all-round decent firewall with IPS detection and caching.

Now the problem: Torrenting seems to be blocked now, but I can still fire up Limewire, search and download. I have the block offenders ticked, and when I look in the alerts log I do see things triggered with my WAN port as the source. I get entries in the blocked list if I fire up bitlord and try a download, the hosts are all external IPs, but limewire just keeps going.

Can someone please assist me with this? I'm running out of ideas. Once I get this all working I'm intending to replace a Sonicwall (with the security subscriptions configured), but I need this to do the same base functions first :)

TIA

Joe

SnoSalmon

Bump - Anyone?
Do I need to configure SNORT on the LAN interface instead of the WAN interface?

DigitalJer

Out of curiosity, do you have UPnP disabled ?

SnoSalmon

PNP is disabled in the BIOS of the PFSense box.
Is there another setting I need to disable or change? PFSense is all default with the exception of the Squid, Lightsquid, BandwidthD and SNORT packages installed.

GruensFroeschli

DigitalJer is talking about UPnP http://en.wikipedia.org/wiki/Universal_Plug_and_Play not PNP.

DigitalJer

In pfsense web gui:

Services / UPnP, and ensure the "Enable UPnP" is de-selected.

Not sure why Snort isn't blocking, but if for some reason UPnP is enabled, Limewire will happily open up all the ports it needs to communicate.

SnoSalmon

Ah - yes. uPNP is not enabled.

I have configured SNORT to scan the WAN interface. Is this correct, or should SNORT be checking the LAN interface for Limewire?

Ideally I want things like Limewire (I'm using this as an example, I'd like to block ALL P2P packages) and torrenting etc blocked silently - EG Limewire just doesn't connect without banning the host (Local LAN PC) from the Internet.

Any more ideas?

weselko

First of all PfSense is not a L7 firewall. Completly blocking P2P will probably be mission imposible. You can run a tight outgoing policy set with only allowing port 80 and a few other to the outside, but P2P uses http ports as much as any other. What you can do, is use the trafic shaper to slow down P2P to a minimal or use a trafic quota for the users.

What I do is allow my users full access, log the trafic and penalize them if theyre breaking the rules. Never had any need to block anything for them since I run that kind of policy.

Hope it helps.

DigitalJer

Sorry for the OT, but that's a good point; and that's how we treat our users in our office - like adults.  The new hires usually get a brief speech from one of us, to the effect of; we're all adults - complete and unfettered Internet usage isn't a problem unless it becomes a problem and/or we hear something from management.

aka - gaming, slacking, surfing YouTube all day isn't our issue - it's a management issue.  Sure, we know who the slackers are - but usually keep quiet unless it's supremely excessive (causes bottlenecks or otherwise becomes disruptive), or management asks.  Sometimes we'll drop hints to a manager…and the problem quickly fixes itself.  Five years of this philosophy has resulted in only ONE person receiving discipline, no viruses, and only token spyware.

We're not the Internet police :)  ...every office is different, but it's sure nice to be free of this stuff.

jimp

@weselko:

First of all PfSense is not a L7 firewall.

It is in 2.0 :-)