Netgate Discussion Forum

Snort blocking - easy DoS if client is behind a proxy

pfSense Packages
4 Posts 2 Posters 2.8k Views
crester (May 17, 2013, 10:47 AM; last edited May 17, 2013, 11:05 AM)

Hello.
I have seen this behaviour.

If I navigate crossing a proxy server to a remote site (i.e. a website) with a pfSense -> Snort -> block offenders, I can "offend" Snort and it blocks my "PROXY" IP address.
I think Snort takes the X-Forwarded-For IP instead of the real IP address (if it is sent).

In some cases it is unavoidable if your ISP has a proxy between the client and the Internet.

So, I can do an easy DoS to the remote web server for all the people who are connected to this proxy server, simply by detecting that Snort is blocking my proxy IP.

Is it possible to change the configuration to get the real IP in case of having it?

Thank you.

bmeeks (last edited May 17, 2013, 11:49 AM)

@crester:

There is a new configurable option for this coming in the next Snort package release, 2.5.8, due out soon. I am performing final testing now. The new package opens up a large number of new preprocessor options. I think the option you need to enable for your case is the "enable_xff" option in the HTTP_INSPECT preprocessor. It is turned off by default in the current Snort package. Because the Snort configuration file is rewritten at every startup, you can't hand-edit the file successfully.

If you want to test this parameter now, try the option I offered a user in this post:

http://forum.pfsense.org/index.php/topic,61887.msg334019.html#msg334019

Bill

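Added example (not from this thread or the pfSense Snort package): a small Python model of the two block-target choices bmeeks describes, using constructed addresses. TRUSTED_PROXIES, client_ip and blast_radius are assumed names; with the XFF option off the packet source (the shared proxy) is what gets blocked, and blast_radius counts how many real clients a block on that proxy address would cut off.

```python
from ipaddress import ip_address, ip_network

# Assumption for this example: the ISP proxy range whose X-Forwarded-For we trust.
# All addresses below are constructed documentation ranges, not real hosts.
TRUSTED_PROXIES = [ip_network("203.0.113.0/24")]


def client_ip(src_ip, headers, enable_xff):
    """Return the address a blocker would act on for one HTTP request.

    enable_xff=False mirrors the default in the thread: the packet source is used,
    which is the proxy address when the client sits behind one.
    enable_xff=True uses the leftmost X-Forwarded-For entry (the originating
    client), but only when the packet came from a proxy we trust, because the
    header itself is supplied by whoever sent the request.
    """
    src = ip_address(src_ip)
    xff = headers.get("x-forwarded-for")
    if not enable_xff or not xff:
        return str(src)
    if not any(src in net for net in TRUSTED_PROXIES):
        return str(src)                      # untrusted peer: ignore its XFF claim
    first = xff.split(",")[0].strip()        # leftmost hop is the original client
    try:
        return str(ip_address(first))
    except ValueError:                       # malformed header: fall back to source
        return str(src)


def blast_radius(requests, blocked_ip):
    """Count distinct real clients cut off if blocked_ip (a proxy) is blocked."""
    clients = set()
    for src_ip, headers in requests:
        if src_ip == blocked_ip:
            clients.add(client_ip(src_ip, headers, enable_xff=True))
    return len(clients)


# Constructed sample traffic: one offender and two bystanders share one ISP proxy.
SAMPLE_REQUESTS = [
    ("203.0.113.10", {"x-forwarded-for": "198.51.100.7"}),          # offender via proxy
    ("203.0.113.10", {"x-forwarded-for": "198.51.100.8"}),          # bystander, same proxy
    ("203.0.113.10", {"x-forwarded-for": "198.51.100.9, 10.0.0.1"}),  # multi-hop XFF
    ("192.0.2.55", {"x-forwarded-for": "198.51.100.7"}),            # untrusted peer with XFF
    ("192.0.2.56", {}),                                             # direct client, no XFF
]

if __name__ == "__main__":
    print("blocked without XFF:", client_ip(*SAMPLE_REQUESTS[0], enable_xff=False))
    print("blocked with XFF:   ", client_ip(*SAMPLE_REQUESTS[0], enable_xff=True))
    print("clients behind proxy affected:", blast_radius(SAMPLE_REQUESTS, "203.0.113.10"))
```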
crester (May 17, 2013, 12:13 PM; last edited May 17, 2013, 1:35 PM)

@bmeeks:

Thank you Bill.
I have read the post and it looks like it will be a nice workaround until the next release.

Reading the post, I have understood how pfSense and Snort work together, because I didn't understand very well how the process worked, as I have a 3-way handshake and flow (and payload) prior to the block.
It has raised a doubt for me, and sorry, I have just landed on pfSense.
What is then the difference if I check "Use IPS Policy"?

Is it in the pfSense roadmap to get Snort truly inline?

bmeeks (last edited May 17, 2013, 6:49 PM)

@crester:

No, there is no roadmap yet for a true inline IDS on pfSense (at least not that I am aware of). The Snort VRT folks are actually migrating away from that somewhat and pushing folks over to using Barnyard2 and incorporating plugins there such as snortsam. My reading of their blog posts leads me to believe they will slowly phase out the Output Plugins API that things like Spoink currently rely on.

Bill

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.