Snort doesn't block all I ask it to
-
Hello. I've got snort working and blocking porn, icmp traffic, spyware etc… But it doesn't block P2P even though I've enabled the p2p rules. It generates an alert though... Like this:
[**] [1:1432:6] P2P GNUTella client request [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
04/14-20:04:32.298408 xx.xx.xx.xx:58972 -> 82.233.116.188:19104
TCP TTL:63 TOS:0x0 ID:41808 IpLen:20 DgmLen:432 DF
***AP*** Seq: 0x60B364B8 Ack: 0xAA30476C Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1470059254 125029884
My router's IP is replaced by xx.xx.xx.xx
But it doesn't block it. How do I get it to block this as well?
-
I have the same problem. It is because snort is only blocking the IP that generated the alert. In the case of p2p it is your wan side ip that is generating the alert. What we need is for snort to block both the src and dst ip in the alert. I have mentioned this in other posts but so far no one has come forward to tell me how to do this.
-
Do the items show up in the snort blocked page but they are just not being "blocked" correctly?
-
They show up on the snort alert page but not on the block page. I assume this is because the alerts are always for outgoing p2p connections. Therefore the ip that is generating the alert is my own public ip. And I have that ip whitelisted.
-
Try this from a shell after a block occurs:
pfctl -t snort2c -T show
Do you see the host in the table?
Also try:
ps awux | grep snort2c
Is snort2c running?
-
No the host is not in the block list and yes snort2c is running.
Here is the snort alert I used as a test. 66.230.xxx.xxx is my IP
[**] [1:2181:3] P2P BitTorrent transfer [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
04/22-14:44:01.392800 66.230.xxx.xxx:65313 -> 68.151.192.237:16881
TCP TTL:126 TOS:0x0 ID:9735 IpLen:20 DgmLen:108 DF
***AP*** Seq: 0x1C6DA3AA Ack: 0xBC8FC1E2 Win: 0x4204 TcpLen: 20
Here is the block list after this alert occurs.
pfctl -t snort2c -T show
And here are the results of ps awux | grep snort2c
ps awux | grep snort2c
root 23953 0.0 0.4 3820 3500 ?? Ss Sat01PM 0:16.56 snort2c -w /var/db/whitelist -a /var/log/snort/alert
root 20602 0.0 0.0 348 228 p0 R+ 2:45PM 0:00.00 grep snort2c
I believe that when the alert has the format
04/22-14:44:01.392800 xxx.xxx.xxx.xxx:65313 -> yyy.yyy.yyy.yyy:16881
That it is only the xxx.xxx.xxx.xxx that gets blocked
-
Strange… Can you tell if it is adding the wrong entry or just not adding an entry at all for the host?
-
As far as I can tell nothing is being added to the block list. Am I correct in assuming that snort only blocks the source ip? Because the source IP is my IP. (which is in the white list) If snort blocked both the source AND destination IPs then I think it would work properly. Am I missing something? Is snort supposed to block the destination IP? (if so I apologize for repeating myself)
-
As far as I know it should block the destination IP.
Do you see anything in the system logs from snort2c when the snort alert occurs? snort2c should report that it is blocking one of the two IPs.
-
No I don't see anything. I also checked other alerts, i.e. spyware-put and icmp rules. It definitely seems that it is only blocking the source ip and not the destination. I checked 4-5 different non-p2p alerts. The only ones that resulted in a blocked ip are those whose source IP was not my own (i.e. non whitelisted src ips). Can anyone else verify this behaviour?
-
Interesting. I'll have to dive into the snort2c code.
-
Just wondering if there was any news on snort blocking?
-
No, sorry there is not.
-
I see there is still no word on proper snort blocking. This is badly needed on our network. Is this the sort of thing I should post a bounty for? Mostly I just need a GOOD way to block most common P2P. I think (based on the alerts we get) that snort would be great for this IF it actually blocked the traffic.
BTW….thanks for the incredible firewall software.
-
Snort has been blocking things just fine here. Too much in fact at times.
-
Yes SNORT seems to do a very good job at blocking based on alerts as long as they are generated by a remote host. Where it seems to not be effective is when my public ip is the one generating the alert, which is almost always the case with p2p traffic. When a user on my network uses a p2p app it generates a snort alert that looks like this (07/06-18:42:03.794734 "my public ip address":58701 -> "remote host's ip":22264). In this situation my public IP is in the white list (for obvious reasons) and I need it to block the remote host's ip. But it does not. I have also noticed this same behavior with spyware and other filters. If the source ip is something other than my ip it blocks that host. However, when my ip generates the alert I need it to block the dst ip instead. But it does not. It seems this should be a fairly easy thing to fix but it is beyond my realm of expertise. I just need someone to believe me ;)
If I am completely wrong then I apologize and humbly ask for your assistance in making it work. :)
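The src-or-dst selection this thread keeps asking for, as an added example in Python (not snort2c's own code): it parses the endpoint line of a snort full alert, skips a whitelisted source and falls back to the destination, beside the source-only behaviour the posters observe. The whitelist entries and alert text are constructed samples in the layout quoted above.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint line of a snort "full" alert as quoted in the thread; ports are
# optional so ICMP alerts (which carry no ":port") parse as well.
ENDPOINT_LINE = re.compile(
    r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

def load_whitelist(lines):
    """Parse host or CIDR entries; blank lines and '#' comments are ignored."""
    return [ip_network(l.strip(), strict=False)
            for l in lines if l.strip() and not l.lstrip().startswith("#")]

def is_whitelisted(addr, whitelist):
    ip = ip_address(addr)
    return any(ip in net for net in whitelist)

def endpoints(alert_text):
    """Return (src, dst) from the first endpoint line, or None if absent."""
    for line in alert_text.splitlines():
        m = ENDPOINT_LINE.match(line.strip())
        if m:
            return m.group("src"), m.group("dst")
    return None

def legacy_target(alert_text, whitelist):
    """Behaviour the thread observes: only the source address is considered."""
    ep = endpoints(alert_text)
    if ep is None or is_whitelisted(ep[0], whitelist):
        return None
    return ep[0]

def proposed_target(alert_text, whitelist):
    """Fix the thread asks for: a whitelisted source falls back to the destination."""
    ep = endpoints(alert_text)
    if ep is None:
        return None
    for addr in ep:
        if not is_whitelisted(addr, whitelist):
            return addr
    return None

# Constructed sample: the firewall's WAN address is whitelisted, as in the thread.
WHITELIST = load_whitelist(["# firewall WAN address (made up)", "66.230.10.20"])
OUTBOUND_P2P = ("[**] [1:2181:3] P2P BitTorrent transfer [**]\n"
                "04/22-14:44:01.392800 66.230.10.20:65313 -> 68.151.192.237:16881\n")
```

For the outbound alert `legacy_target` returns nothing (the source is whitelisted), while `proposed_target` returns the remote peer; for an inbound alert both pick the remote source.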
-
I REALLY need to find a way to get snort to block these p2p clients. If not Snort then something else. I am willing to spend money to make this happen. I contacted the company who is providing commercial support but they do not offer support for packages. Is this something that would be suitable for the bounty section? I am sure that this would be a valuable feature. It is very easy to demonstrate that this does NOT currently work. Snort blocks src ips but not dst ips, which makes it virtually worthless when it comes to blocking p2p running snort on the WAN interface. If there is anyone who can help we will pay any REASONABLE amount to make this feature work in this situation.
Also I don't want to omit... I really love pfsense. I think what you guys are doing is great and I hope it pays off for you.
-
Yes it's suitable for a bounty, but keep in mind this bounty will require C skills and that it will be harder to find someone interested in it. But money can motivate anyone, or that's what they say.
-
One way I have been able to successfully block P2P traffic on my networks is by explicitly denying any UDP traffic outbound, and only allowing DNS traffic from servers outbound. Egress filtering is another method I use. Turn off the default LAN to any and allow only specific traffic outbound,
i.e. ftp (port 21 TCP, and you will need to allow port 20/UDP outbound for data), http, https, pop3, imap. Let me know if this helps.