Snort blocking - easy DoS if client is behind a proxy



  • Hello.
    I have seen this behaviour.

    If I navigate through a proxy server to a remote website (i.e. one behind pfSense -> Snort -> block offenders), I can "offend" Snort and it blocks my "PROXY" IP address.
    I think Snort takes the x-forwarded-for IP instead of the real IP address (if it is sent).

    In some cases it is unavoidable, if your ISP has a proxy between the client and the Internet.

    So I can do an easy DoS on the remote web server for all the people connected to this proxy server, simply by detecting that Snort is blocking my proxy IP.

    Is it possible to change the configuration to get the real IP when it is available?

    Thank you.



  • @crester:

    Hello.
    I have seen this behaviour.

    If I navigate through a proxy server to a remote website (i.e. one behind pfSense -> Snort -> block offenders), I can "offend" Snort and it blocks my "PROXY" IP address.
    I think Snort takes the x-forwarded-for IP instead of the real IP address (if it is sent).

    In some cases it is unavoidable, if your ISP has a proxy between the client and the Internet.

    So I can do an easy DoS on the remote web server for all the people connected to this proxy server, simply by detecting that Snort is blocking my proxy IP.

    Is it possible to change the configuration to get the real IP when it is available?

    Thank you.

    There is a new configurable option for this coming in the next Snort package release, 2.5.8, due out soon. I am performing final testing now. The new package opens up a large number of new preprocessor options. I think the option you need to enable for your case is the "enable_xff" option in the HTTP_INSPECT preprocessor. It is turned off by default in the current Snort package. Because the Snort configuration file is rewritten at every startup, you can't hand-edit the file successfully.

    If you want to test this parameter now, try the option I offered a user in this post:

    http://forum.pfsense.org/index.php/topic,61887.msg334019.html#msg334019

    Bill
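
As an added illustration (my own code, not Snort's and not from this thread), the following Python models why a block-offenders action lands on the proxy address and how an X-Forwarded-For option like enable_xff changes the target; the trusted-proxy check and the sample addresses are assumptions of mine, not Snort behaviour.

```python
import ipaddress

# Constructed sample: a shared ISP proxy at 203.0.113.10 fronts five clients
# (documentation-range addresses, not real hosts).
TRUSTED_PROXIES = {"203.0.113.10"}
SESSIONS = [("203.0.113.10", f"198.51.100.{n}") for n in range(3, 8)]


def client_ip(src_ip, headers, enable_xff, trusted_proxies=TRUSTED_PROXIES):
    """Return the address a block-offender action would target.

    enable_xff=False mirrors the default described in the thread: the packet
    source, i.e. the proxy, gets blocked.  enable_xff=True takes the left-most
    X-Forwarded-For address instead.  The trusted_proxies check is an added
    hardening assumption, not Snort's own logic: any client can forge the
    header, so it is only honoured when the packet really came from a known
    proxy.
    """
    if not enable_xff:
        return src_ip
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for")
    if xff and src_ip in trusted_proxies:
        first = xff.split(",")[0].strip()
        try:
            ipaddress.ip_address(first)  # reject garbage in the header
            return first
        except ValueError:
            pass
    return src_ip


def block_fallout(blocked_ip, sessions=SESSIONS):
    """Count distinct real clients cut off when blocked_ip is blocked.

    sessions are (wire source, real client) pairs; a block on the wire
    source takes down everyone sharing that proxy.
    """
    return len({client for src, client in sessions if blocked_ip in (src, client)})


def scenario(enable_xff):
    """One offending request from client .7 sent through the proxy."""
    target = client_ip("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"}, enable_xff)
    return target, block_fallout(target)


if __name__ == "__main__":
    for flag in (False, True):
        ip, hit = scenario(flag)
        print(f"enable_xff={flag}: block {ip}, {hit} client(s) lose access")
```

With the flag off the whole proxy population loses access; with it on (and the proxy trusted) only the offending client does, while a forged header from a direct client is ignored.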



  • @bmeeks:

    @crester:

    Hello.
    I have seen this behaviour.

    If I navigate through a proxy server to a remote website (i.e. one behind pfSense -> Snort -> block offenders), I can "offend" Snort and it blocks my "PROXY" IP address.
    I think Snort takes the x-forwarded-for IP instead of the real IP address (if it is sent).

    In some cases it is unavoidable, if your ISP has a proxy between the client and the Internet.

    So I can do an easy DoS on the remote web server for all the people connected to this proxy server, simply by detecting that Snort is blocking my proxy IP.

    Is it possible to change the configuration to get the real IP when it is available?

    Thank you.

    There is a new configurable option for this coming in the next Snort package release, 2.5.8, due out soon. I am performing final testing now. The new package opens up a large number of new preprocessor options. I think the option you need to enable for your case is the "enable_xff" option in the HTTP_INSPECT preprocessor. It is turned off by default in the current Snort package. Because the Snort configuration file is rewritten at every startup, you can't hand-edit the file successfully.

    If you want to test this parameter now, try the option I offered a user in this post:

    http://forum.pfsense.org/index.php/topic,61887.msg334019.html#msg334019

    Bill

    Thank you, Bill.
    I have read the post and it looks like it will be a nice workaround until the next release.

    Reading the post, I have understood how pfSense and Snort work together, because I didn't understand very well what the process was, as I have a 3-way handshake and flow (and payload) before the block.
    It has raised a doubt for me and, sorry, I have only just landed on pfSense.
    What is then the difference if I check "Use IPS Policy"?

    Is getting Snort truly inline on the pfSense roadmap?



  • @crester:

    Thank you, Bill.
    I have read the post and it looks like it will be a nice workaround until the next release.

    Reading the post, I have understood how pfSense and Snort work together, because I didn't understand very well what the process was, as I have a 3-way handshake and flow (and payload) before the block.
    It has raised a doubt for me and, sorry, I have only just landed on pfSense.
    What is then the difference if I check "Use IPS Policy"?

    Is getting Snort truly inline on the pfSense roadmap?

    No, there is no roadmap yet for a true inline IDS on pfSense (at least not that I am aware of). The Snort VRT folks are actually migrating away from that somewhat and pushing folks over to using Barnyard2 and incorporating plugins there such as snortsam. My reading of their blog posts leads me to believe they will slowly phase out the Output Plugins API that things like Spoink currently rely on.

    Bill

