Snort selective blocking



  • Hi All,
    Just installed and configured 2.0.1 pfsense FW With SNORT 2.9.2.3 pkg v. 2.5.2
    All works great.

    Now I'm trying to configure SNORT.
    I want to have 3 types of action for every alert:
    1. Inform me (log)
    2. Block intruder
    3. Ignore alert

    The "inform me (log)" should be the default!
    (log everything, but block only if you are sure about it)

    Do I have to write my own code to do this? Or is there an integrated working solution?
    (Either as a SNORT plugin like SnortSam or as a log analyzer, parsing SNORT logs)
    Hope that I'm missing something and there is a simpler solution.

    Thanks!



  • I figure no one knows a way to do it, so I will try a different approach.

    SNORT has a Priority field.
    Can I set blocking only for Priority greater than 3?

    Do you guys just block everything? Always? No one fears the CEO?
    From what I'm getting up to now, the SNORT pfSense Package allows me to:

    • Just use SNORT as IDS and not as IPS

    -- OR --

    • Block everything on all relevant categories, and hope that any new rule introduced to a category won't have too many false positives

    -- OR --

    • Block the few alerts you feel sure about and ignore any new/changed alerts coming by (because you won't have them in the logs)

    Am I right?



  • As far as I can determine by looking at the code, Snort on pfSense either blocks all alerts (detections) or none.  If you check "block offenders", then any logged event seems to result in either the SRC or DST IP address of the offender getting blocked with a temp firewall rule.  Depending on the setting you choose in the Snort configuration interface, this block times out and is then cleared (one hour is the default).

    Like you, I would like to have the ability to select which Priority of Snort alerts results in a blocked offender.  Or stated another way, be able to set a minimum Priority threshold for offender blocking.  Events with a Priority below that setting would get logged but not institute a "block offender" response.

    This might be possible, but would require changing the code that does the temp firewall rule generation.  I think that's part of the snort2c code (if my memory is recalling correctly).
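The three-way policy discussed above (log by default, block only above a severity threshold, ignore a suppressed sig_id) can be prototyped outside the firewall by triaging Snort's alert_fast log lines. This is an added illustration, not code from the pfSense package or snort2c; the alert lines, signature IDs (local 1000001+ range) and addresses are constructed. Note that in Snort, Priority 1 is the most severe, so "block above the threshold" means a priority number at or below the configured value.

```python
import re

# Fields of a Snort alert_fast line: [gid:sid:rev] msg [Classification] [Priority] {proto} src -> dst
FAST_RE = re.compile(
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]'
    r'(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\]'
    r' \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?'
    r' -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?'
)

def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = FAST_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert

def decide(alert, block_max_priority=1, suppress=frozenset()):
    """Map one alert to 'ignore', 'block' or 'log' (log is the default).
    Priority 1 is most severe, so block when prio <= block_max_priority."""
    if (alert["gid"], alert["sid"]) in suppress:
        return "ignore"
    if alert["prio"] <= block_max_priority:
        return "block"
    return "log"

def triage(lines, block_max_priority=1, suppress=frozenset()):
    """Return (sid, offender_src, action) for every parseable alert line."""
    out = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:          # skip non-alert lines (constructed logs may contain noise)
            continue
        out.append((alert["sid"], alert["src"], decide(alert, block_max_priority, suppress)))
    return out

# Constructed sample alert_fast lines (not real detections); the ICMP line has no ports.
SAMPLE = [
    "09/14-10:22:01.123456  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:44321 -> 192.0.2.5:22",
    "09/14-10:22:03.654321  [**] [1:1000002:1] LOCAL exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.20:50123 -> 192.0.2.5:80",
    "09/14-10:22:05.000000  [**] [1:1000003:1] LOCAL noisy policy rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.5:123 -> 198.51.100.1:123",
    "09/14-10:22:07.000000  [**] [1:1000004:1] LOCAL ICMP ping [**] [Priority: 3] {ICMP} 203.0.113.30 -> 192.0.2.5",
    "not an alert line",
]

if __name__ == "__main__":
    for sid, src, action in triage(SAMPLE, block_max_priority=1, suppress={("1", "1000003")}):
        print(f"sid {sid} from {src}: {action}")
```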



  • Hi bmeeks, thanks for your reply.
    I know that SNORT has those abilities (selective blocking) using a plug-in.

    Actually, based on http://doc.pfsense.org/index.php/Setup_Snort_Package#Alert_Thresholding_and_Suppression,
    pfSense Snort Package used to have those abilities too!!!
    If you look at the pfSense screens, you can see that there is a place to put sig_ids for threshold and much more.
    I believe that this is from the time that the pfSense Package used the SnortSam plugin, but maybe I'm wrong.

    So it looks like those abilities went away somehow.
    I know that I would love to see them coming back.

    If anyone knows why those features went away, I would love to hear.

