Netgate Discussion Forum
    Snort blocking - easy DoS if client is behind a proxy

    pfSense Packages
    • crester

      Hello.
      I have seen this behaviour.

      If I navigate crossing a proxy server to a remote i.e. website with a pfSense -> snort -> block offenders, I can "offend" snort and it blocks my "PROXY" IP address.
      I think snort takes the x-forwarded-for IP instead of the real IP address (if it is sent).

      In some cases it is unavoidable if your ISP has a proxy between the client and the Internet.

      So, I can do an easy DoS to the remote web server for all the people that are connected to this proxy server, simply by detecting that snort is blocking my proxy IP.

      Is it possible to change the configuration to get the real IP in case of having it?

      Thank you.

      • bmeeks

        There is a new configurable option for this coming in the next Snort package release, 2.5.8, due out soon.  I am performing final testing now.  The new package opens up a large number of new preprocessor options.  I think the option you need to enable for your case is the "enable_xff" option in the HTTP_INSPECT preprocessor.  It is turned off by default in the current Snort package.  Because the Snort configuration file is rewritten at every startup, you can't hand-edit the file successfully.

        If you want to test this parameter now, try the option I offered a user in this post:

        http://forum.pfsense.org/index.php/topic,61887.msg334019.html#msg334019

        Bill

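The proxy-blocking behaviour discussed above and the effect of the enable_xff option, modelled as an added example (not code from this thread or from the pfSense Snort package; the addresses, sessions and request are constructed, and it assumes the leftmost X-Forwarded-For entry is the client):

```python
# Added example, not code from this thread or from the pfSense Snort package:
# a model of which address a "block offenders" action ends up blocking when
# the client sits behind a forward proxy, with and without the http_inspect
# enable_xff option. Addresses, sessions and the request are constructed.
from typing import Dict, List, Optional

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Map lowercase header name -> value for a constructed HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def xff_client(headers: Dict[str, str]) -> Optional[str]:
    """Originating client from X-Forwarded-For ('client, proxy1, proxy2').
    Assumption: leftmost entry is the client. The value is only as trustworthy
    as the proxy that inserted it, so a block keyed on it trusts that proxy."""
    xff = headers.get("x-forwarded-for")
    if not xff:
        return None
    return xff.split(",")[0].strip() or None

def offender_address(src_ip: str, raw_request: bytes, enable_xff: bool) -> str:
    """Address handed to the blocking plugin: the packet source (the proxy)
    unless enable_xff is on and the request carries a usable XFF header."""
    if enable_xff:
        real = xff_client(parse_headers(raw_request))
        if real:
            return real
    return src_ip

def collateral(blocked_ip: str, sessions: Dict[str, str]) -> List[str]:
    """Clients (client_ip -> egress proxy) cut off by blocking blocked_ip."""
    return sorted(c for c, via in sessions.items()
                  if c == blocked_ip or via == blocked_ip)

# Constructed scenario: three ISP customers share one proxy; one trips a rule.
PROXY = "203.0.113.10"
SESSIONS = {"198.51.100.7": PROXY, "198.51.100.8": PROXY, "198.51.100.9": PROXY}
REQUEST = (b"GET /rule-triggering-path HTTP/1.1\r\nHost: www.example.test\r\n"
           b"X-Forwarded-For: 198.51.100.7\r\n\r\n")

if __name__ == "__main__":
    for xff in (False, True):
        hit = offender_address(PROXY, REQUEST, enable_xff=xff)
        print(f"enable_xff={xff}: block {hit}, cuts off {collateral(hit, SESSIONS)}")
```

With enable_xff off the proxy address is blocked and every customer behind it loses access; with it on, only the client named in the header is blocked.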
        • crester

          Thank you Bill.
          I have read the post and it looks like it will be a nice workaround until the next release.

          Reading the post, I have understood how pfSense and Snort work together, because I didn't understand very well how the process was, as I have a 3-way handshake and flow (and payload) previous to the block.
          It has raised a doubt for me and, sorry, I have just landed on pfSense.
          What is then the difference if I check "Use IPS Policy"?

          Is it in the pfSense roadmap to get Snort true inline?

          • bmeeks

            No, there is no roadmap yet for a true inline IDS on pfSense (at least not that I am aware of).  The Snort VRT folks are actually migrating away from that somewhat and pushing folks over to using Barnyard2 and incorporating plugins there such as snortsam.  My reading of their blog posts leads me to believe they will slowly phase out the Output Plugins API that things like Spoink currently rely on.

            Bill
