Correctly configuring SNORT to block limewire from the LAN side
I've got SNORT humming along, but…I can not get it to block P2P/Limewire stuff.
P4 2.8Ghz, 1GB DDR-400, 40GB IDE drive.
PFSense 1.2.3-Release, Snort 2.8.6, 1.27, Squid 2.7.9_1 and Lightsquid 1.7.1, also BandwidthD 184.108.40.206
I've enabled SNORT on the WAN interface, manually updating the rules (thanks for the guide RUNE!!) and I can select rulesets.
Rulesets enabled are emerging-p2p and p2p (along with a handful of others covering virus, spyware, scan, exploit etc)
I'm hoping to build an all-round decent firewall with IPS detection and caching.
Now the problem: Torrenting seems to be blocked now, but I can still fire up Limewire, search and download. I have the block offenders ticked, and when I look in the alerts log I do see things triggered with my WAN port as the source. I get entries in the blocked list if I fire up bitlord and try a download, the hosts are all external IPs, but limewire just keeps going.
Can someone please assist me with this? I'm running out of ideas. Once I get this all working I'm intending to replace a Sonicwall (with the security subscriptions configured), but I need this to do the same base functions first :)
Bump - Anyone?
Do I need to configure SNORT on the LAN interface instead of the WAN interface?
Out of curiosity, do you have UPnP disabled ?
PNP is disabled in the BIOS of the PFSense box.
Is there another setting I need to disable or change? PFSense is all default with the exception of the Squid, Lightsquid, BandwidthD and SNORT packages installed.
DigitalJer is talking about UPnP http://en.wikipedia.org/wiki/Universal_Plug_and_Play not PNP.
In pfsense web gui:
Services / UPnP, and ensure the "Enable UPnP" is de-selected.
Not sure why Snort isn't blocking, but if for some reason UPnP is enabled, Limewire will happily open up all the ports it needs to communicate.
Ah - yes. uPNP is not enabled.
I have configured SNORT to scan the WAN interface. Is this correct, or should SNORT be checking the LAN interface for Limewire?
Ideally I want things like Limewire (I'm using this as an example, I'd like to block ALL P2P packages) and torrenting etc blocked silently - EG Limewire just doesn't connect without banning the host (Local LAN PC) from the Internet.
Any more ideas?
First of all PfSense is not a L7 firewall. Completly blocking P2P will probably be mission imposible. You can run a tight outgoing policy set with only allowing port 80 and a few other to the outside, but P2P uses http ports as much as any other. What you can do, is use the trafic shaper to slow down P2P to a minimal or use a trafic quota for the users.
What I do is allow my users full access, log the trafic and penalize them if theyre breaking the rules. Never had any need to block anything for them since I run that kind of policy.
Hope it helps.
Sorry for the OT, but that's a good point; and that's how we treat our users in our office - like adults. The new hires usually get a brief speech from one of us, to the effect of; we're all adults - complete and unfettered Internet usage isn't a problem unless it becomes a problem and/or we hear something from management.
aka - gaming, slacking, surfing YouTube all day isn't our issue - it's a management issue. Sure, we know who the slackers are - but usually keep quiet unless it's supremely excessive (causes bottlenecks or otherwise becomes disruptive), or management asks. Sometimes we'll drop hints to a manager…and the problem quickly fixes itself. Five years of this philosophy has resulted in only ONE person receiving discipline, no viruses, and only token spyware.
We're not the Internet police :) ...every office is different, but it's sure nice to be free of this stuff.
First of all PfSense is not a L7 firewall.
It is in 2.0 :-)