Netgate Discussion Forum

    Snort - block offenders

pfSense Packages
    16 Posts 3 Posters 17.2k Views
coolcat1975

      hi all!

maybe the question sounds a little bit stupid:

what happens to the packet if I don't check the block offenders box?

does Snort drop the packet which causes the alert, or is it just an alert and the packet
goes through pfSense to its destination?

      greets

      cc

morbus

        You were right with the second one.

The packet is just passed on. When you check the block offenders box, it starts a little program that inserts offending IPs into a table in the firewall.

coolcat1975

          hmmmm

that's not nice - I always thought that Snort automatically drops suspicious packets.

so just to get it right:

when block offenders is checked, then the packet is dropped when Snort generates an alert?

          regards

          cc

cmb

Snort is an IDS. It strictly detects; block offenders integrates with it to block what's been detected.

coolcat1975

              thx :)

coolcat1975

I found this on the Snort homepage:

                Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of snort_inline into the official Snort project. Snort_inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.

does this also apply to pfSense's Snort package, and is there a possibility to activate Snort as an IPS?

                regards

                cc

coolcat1975

                  hi all!

is Snort compiled with flexresp?

                  regards

                  cc

cmb

                    This isn't Linux, we don't run iptables. The pf integration is similar to snort_inline.

coolcat1975

well, I just found a thread saying that snort_inline is Linux only because it works with iptables, but how about flexresp?

that sounds like an option of Snort itself

                      regards

                      cc

p.s.: the problem I have, for example, is that if I activate block offenders I am not able to access Google anymore, because Google sends some ICMP things and gets on the block list

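The mechanism morbus describes earlier in the thread (a helper that reads Snort's alerts and inserts the offending addresses into a pf table) together with the safeguard this post's p.s. calls for (a pass list so a noisy but wanted host is never blocked), as an added example. This is not the pfSense snort package's own code; the alert lines are constructed for the example, and the table name snort2c and the pfctl invocation are assumptions about how the package feeds pf.

```python
"""Derive firewall-table entries from Snort fast-format alerts.

Added example, not the pfSense snort package's own code. It mimics what the
"block offenders" helper does: read the alert log, pick the offending address,
and hand it to pf. A pass list keeps hosts you never want blocked out of the
table; the table name "snort2c" is an assumption for this example.
"""
import ipaddress
import re

# Constructed sample alert_fast lines for this example (not from the post).
SAMPLE_ALERTS = """\
01/15-10:02:13.123456  [**] [1:1229:8] FTP CWD ... [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:21
01/15-10:02:20.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
01/15-10:03:01.500000  [**] [1:2001:3] WEB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51300 -> 192.0.2.10:80
01/15-10:03:09.000000  [**] [1:2002:1] Outbound noise [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.20:5353 -> 224.0.0.251:5353
"""

# One alert_fast line: "[gid:sid:rev] msg [**] ... [Priority: n] {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\]"
    r" \{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def parse_alerts(text):
    """Yield (sid, priority, proto, src, dst) for every parseable IPv4 alert line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield (int(m["sid"]), int(m["prio"]), m["proto"],
                   ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def offenders(alert_text, home_net, pass_list=(), block="src", max_priority=3):
    """Return the sorted list of addresses the block table should receive.

    block: "src", "dst" or "both" (which side of the alert to punish).
    Addresses inside home_net, on the pass list, or multicast/loopback are never
    returned; the pass list is what keeps a wanted peer that trips an ICMP rule
    from locking you out.
    """
    home = [ipaddress.ip_network(n) for n in home_net]
    allow = [ipaddress.ip_network(n) for n in pass_list]
    hits = set()
    for _sid, prio, _proto, src, dst in parse_alerts(alert_text):
        if prio > max_priority:          # Snort: 1 is the most severe priority
            continue
        candidates = {"src": [src], "dst": [dst], "both": [src, dst]}[block]
        for addr in candidates:
            if addr.is_multicast or addr.is_loopback:
                continue
            if _in_any(addr, home) or _in_any(addr, allow):
                continue
            hits.add(str(addr))
    return sorted(hits)


def pfctl_commands(ips, table="snort2c"):
    """Render the pfctl invocations that would add the addresses to the table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    blocked = offenders(SAMPLE_ALERTS, ["192.0.2.0/24"], pass_list=["198.51.100.0/24"])
    for cmd in pfctl_commands(blocked):
        print(cmd)
```

Nothing here drops the alerting packet itself: the table only matters once a pf rule such as `block quick from <snort2c> to any` (the rule form is an assumption) refers to it, and by then the packet that raised the alert has already been forwarded. That is the gap the rest of the thread is about.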
coolcat1975

                        hi @all!

well, after searching and searching, the only thing I find is how to block the offending IP, but nothing about just dropping the packet.

the only thing I found referring to dropping the packet is flexresp from Snort directly, but enhancing the rule with resp:reset_source; ends up in a startup error from Snort.

actually I think there are many out there who would like to have the feature of dropping the packet instead of blocking the IP. I also must say that I am completely new to BSD.

well, I'll keep on searching and reading

                        regards

                        cc

cmb

                          I'm not really familiar with how our snort package works, but we definitely welcome contributions to improve the package!

coolcat1975

well, what I have done so far:

I recompiled the installed version with the following options and just swapped the Snort binary

./configure --enable-flexresp2 --enable-dynamicplugin --enable-rulestate --enable-perfprofiling --enable-timestats

and guess what: Snort starts  ;D

I enhanced one rule with resp:reset_source; and Snort still starts  ;D

so far everything looks fine and is, as far as I can see, working

so now I have to find a way to test if Snort really drops the packet and stops passing it on. Don't know how, but I think I will manage this as well.

                            regards

                            cc

coolcat1975

I think I made it:

for testing I took this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?.../smi"; metadata:service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:8;)

and changed it to:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?.../smi"; metadata:service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:8; resp:reset_dest;)

look what's happening after sending cd ... to the FTP server:

                              ftp> cd ...
                              550 ...: No such file or directory
                              ftp> ls
                              421 Service not available, remote server has closed connection

just one thing I want to change:

if cd ... is sent, the connection should be closed immediately, so that there isn't even a 550 ...: No such file or directory response from the server, as right now the packet seems to be sent to the FTP server, since there is a response.

                              regards

                              cc

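The observation in this post (a 550 reply, then a 421) already answers the question of whether the CWD line reached the server: it did, and the reset came afterwards. The harness below makes that check repeatable, as an added example that is not code from the post, from Snort or from pfSense. It plays the server side on the loopback interface and records every byte it receives, while the client sends the same trigger the rule above matches; the banner and reply strings are constructed for the example. Point the client half at a real FTP server behind the sensor: if the server-side record still contains the CWD line, the packet was delivered and only the reset followed.

```python
"""Loopback harness to tell "delivered, then reset" from "dropped".

Added example, not from the original post, Snort or pfSense. The server half
logs what it receives; the client half sends the trigger and classifies the
outcome. With no sensor in between the server must see the trigger, which is
the baseline to compare a sensor run against.
"""
import socket
import threading

# The command the rule in the thread matches (content "CWD" followed by "...").
TRIGGER = b"CWD ...\r\n"


class RecordingServer:
    """Minimal FTP-lookalike on the loopback interface that logs what it receives."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.received = []                    # raw chunks the client managed to deliver
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    @property
    def address(self):
        return self.sock.getsockname()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(b"220 test ftp\r\n")  # constructed banner
            try:
                while True:
                    data = conn.recv(4096)
                    if not data:              # client closed (or was reset)
                        break
                    self.received.append(data)
                    if data.startswith(b"CWD"):
                        # Same reply the post shows: the command reached the server.
                        conn.sendall(b"550 ...: No such file or directory\r\n")
                    elif data.startswith(b"QUIT"):
                        conn.sendall(b"221 Goodbye\r\n")
                        break
            except OSError:                   # timeout or reset: stop recording
                pass


def send_trigger(host, port, payload=TRIGGER, timeout=2.0):
    """Connect, read the banner, send the trigger and classify what happens next.

    Returns ("reply", text) when the server answered, ("reset", "") when the
    connection was torn down (what an injected RST looks like from the client),
    ("closed", "") on a clean close and ("timeout", "") when nothing came back.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)                          # banner
        try:
            s.sendall(payload)
            reply = s.recv(1024)
        except ConnectionError:
            return ("reset", "")
        except socket.timeout:
            return ("timeout", "")
    if not reply:
        return ("closed", "")
    return ("reply", reply.decode(errors="replace").strip())


def run_local_check():
    """Run client and server on loopback with no sensor in between.

    Returns (client_outcome, server_saw_trigger). Against a sensor that really
    drops the packet the second value would be False, even if the client still
    reports a reset; a reset with the trigger recorded means the host won the race.
    """
    srv = RecordingServer()
    host, port = srv.address
    outcome = send_trigger(host, port)
    srv.thread.join(timeout=5.0)
    srv.sock.close()
    seen = any(TRIGGER in chunk for chunk in srv.received)
    return outcome, seen


if __name__ == "__main__":
    print(run_local_check())
```

The decisive evidence is on the server side, not the client side: a client that sees a reset learns nothing about whether the payload had already been accepted, which is exactly the race the next post quotes.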
coolcat1975

hmmm, just found something I dislike:

In order for Flexresp to work, it has to send an RST packet to the hosts in order to stop the traffic. The problem with that is, Snort has to send an RST packet BEFORE the actual host responds. 9x out of 10 the host is going to beat the IDS.

If you really are interested in stopping traffic, go for Snort-inline mode.

and as far as I have searched, there is no chance to get snort-inline working with pf on OpenBSD;
on FreeBSD it is possible  :( :( :( :( :( :( :( :( :( :( :(

don't know if it's possible to "delay" the packet before delivery

                                regards

                                cc

coolcat1975

                                  :( GIVING UP  :(

no way to get snort_inline working with pf

                                  sorry folks

                                  cc

coolcat1975

                                    hi!

I have made some kind of workaround:

                                    2 solutions:

                                    first one:

if you have spare hardware left, put in 2 NICs, install a base Debian system and have a look at this:
http://www.openmaniak.com/inline.php
when you are at the point of installing BASE, take the precompiled Debian package acidbase. You will have less trouble, and don't forget to add the startup script.

When finished, you will have a fine IPS based on Snort rules.

                                    second one:

just like 1, but:
install 4 NICs; after completing the snort_inline installation, install VMware and install pfSense on VMware

example NIC definition:

eth0 and eth1 used for bridge br0 under Debian

bridge vmnet0 to eth2 = LAN pfSense

bridge vmnet2 to eth3 = WAN pfSense

bridge vmnet3 to eth2 = OPT1 pfSense

You now have a firewall, an IDS and an IPS on one machine.

                                    regards

                                    CC

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.