Snort - block offenders
maybe the question sound a little bit stupid:
what happens with the packet if i dont check the block offenders box?
does snort drop the packet which causes the alert or is it just an alert and the packet
goes through pfsense to it's destination?
You were right with the second one.
The packet is just passed on. When you check the block offenders box it starts a little program that inserts offending IPs into a table in the firewall
that not nice - i always thought that snort automatically drops supicious packets.
so just to get it right:
when block offenders is checked, than the packet is dropped when snort generates an alert?
Snort is an IDS. It strictly detects, the block offenders integrates with it to block what's been detected.
i found this on the snort homepage:
Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of snort_inline into the official Snort project. Snort_inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.
does this also apply to pfsense's snort package and is there a possibility to activate snort as an IPS?
is snort compiled with flexresp??
This isn't Linux, we don't run iptables. The pf integration is similar to snort_inline.
well i found just a thread that snort_inline is linux only cause it works with iptables, but how about the flexresp?
that sounds like an option from snort itself
p.s.: the problem for example i have, that if i activated block offenders i am not able to access google anymore cause google sends some icmp things and gets on the block list
well after searching and searching, the only things that i find is how to block the offending ip but nothing about just dropping the packet.
the only thing i found refering to droping the packet is the flexresp from snort directly, but enhanced the rule by resp:reset_source; ends up in a startup error from snort.
actually i think there are many out there who like to have the feature of droping the packet insted of blocking the ip. i also must say, that i am completely new to bsd.
well i keep on searching and reading
I'm not really familiar with how our snort package works, but we definitely welcome contributions to improve the package!
well what i have done so far:
i recompiled the version installed with the following options and just changed the snort binarie
./configure –enable-flexresp2 --enable-dynamicplugin --enable-rulestate --enable-perfprofiling --enable-timestats
and guess: snort starts ;D
i enhanced one rule by resp:reset_source; and snort still starts ;D
so far everything looks fine and is as far as i can see working
so now i have to find a way to test if snort really drops the packet and stops passing it on. dont know how but i think i will also manage this.
i think i made it:
for testing i took this rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD …"; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?.../smi"; metadata:service ftp; reference:bugtraq,9237; classtype:bad-unkknown; sid:1229; rev:8;)
and changed it to:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD …"; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?.../smi"; metadata:service ftp; reference:bugtraq,9237; classtype:bad-unkknown; sid:1229; rev:8; resp:reset_dest;)
look whats happening after sending cd … to the ftp server:
ftp> cd ...
550 ...: No such file or directory
421 Service not available, remote server has closed connection
just one thing i want to change:
if cd ... is send the connection should be closed immediatley, so that there isnt even a 550 ...: No such file or directory response from the server, as by now the packet seems to be send to the ftp server as there is a response.
hmmm just found something i dislike:
In order for Flexresp to work, it has to send a RST packet to the hosts in order to stop the
traffic. The problem with that is, Snort has to send an RST packet BEFORE the actual host
responds. 9x out of 10 the host is going to beat the IDS.
If you really are interested in stopping traffic, go for Snort-inline mode.
and as far as i have searched, there is no chance to get snort-inline working with pf on openbsd
on freebsd it is possible :( :( :( :( :( :( :( :( :( :( :(
dont know if its possible to "delay" the packet before delivery
:( GIVING UP :(
no way to get snort inline working with pf
i have made some kind of workaround:
if you have spare hardware left put in 2 nics, install a base debian system and have a look at this:
when you are at the point installing base, take the precompiled debian package acidbase. you will have less troubles and dont forget to add the startup script.
When finished you will have a fine IPS based on snort rules.
just like 1 but:
install 4 nics, after completing installing snort inline, install vmware, install pfsense on vmware
example nic definition:
eth0 and eth1 used for bridge br0 under debian
bridge vmnet0 to eth2 = LAN pfsense
bridge vmnet2 to eth3 = WAN pfsense
bridge vmnet3 to eth2 = OPT1 pfsense
You now have a firewall, an IDS and an IPS on one machine