Snort - block offenders



  • hi all!

    maybe the question sound a little bit stupid:

    what happens with the packet if i dont check the block offenders box?

    does snort drop the packet which causes the alert or is it just an alert and the packet
    goes through pfsense to it's destination?

    greets

    cc



  • You were right with the second one.

    The packet is just passed on. When you check the block offenders box it starts a little program that inserts offending IPs into a table in the firewall



  • hmmmm

    that not nice - i always thought that snort automatically drops supicious packets.

    so just to get it right:

    when block offenders is checked, than the packet is dropped when snort generates an alert?

    regards

    cc



  • Snort is an IDS. It strictly detects, the block offenders integrates with it to block what's been detected.



  • thx :)



  • i found this on the snort homepage:

    Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of snort_inline into the official Snort project. Snort_inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.

    does this also apply to pfsense's snort package and is there a possibility to activate snort as an IPS?

    regards

    cc



  • hi all!

    is snort compiled with flexresp??

    regards

    cc



  • This isn't Linux, we don't run iptables. The pf integration is similar to snort_inline.



  • well i found just a thread that snort_inline is linux only cause it works with iptables, but how about the flexresp?

    that sounds like an option from snort itself

    regards

    cc

    p.s.: the problem for example i have, that if i activated block offenders i am not able to access google anymore cause google sends some icmp things and gets on the block list



  • hi @all!

    well after searching and searching, the only things that i find is how to block the offending ip but nothing about just dropping the packet.

    the only thing i found refering to droping the packet is the flexresp from snort directly, but enhanced the rule by resp:reset_source; ends up in a startup error from snort.

    actually i think there are many out there who like to have the feature of droping the packet insted of blocking the ip. i also must say, that i am completely new to bsd.

    well i keep on searching and reading

    regards

    cc



  • I'm not really familiar with how our snort package works, but we definitely welcome contributions to improve the package!



  • well what i have done so far:

    i recompiled the version installed with the following options and just changed the snort binarie

    ./configure –enable-flexresp2 --enable-dynamicplugin --enable-rulestate --enable-perfprofiling --enable-timestats

    and guess: snort starts  ;D

    i enhanced one rule by resp:reset_source; and snort still starts  ;D

    so far everything looks fine and is as far as i can see working

    so now i have to find a way to test if snort really drops the packet and stops passing it on. dont know how but i think i will also manage this.

    regards

    cc



  • i think i made it:

    for testing i took this rule:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD …"; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?.../smi"; metadata:service ftp; reference:bugtraq,9237; classtype:bad-unkknown; sid:1229; rev:8;)

    and changed it to:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD …"; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?.../smi"; metadata:service ftp; reference:bugtraq,9237; classtype:bad-unkknown; sid:1229; rev:8; resp:reset_dest;)

    look whats happening after sending cd … to the ftp server:

    ftp> cd ...
    550 ...: No such file or directory
    ftp> ls
    421 Service not available, remote server has closed connection

    just one thing i want to change:

    if cd ... is send the connection should be closed immediatley, so that there isnt even a 550 ...: No such file or directory response from the server, as by now the packet seems to be send to the ftp server as there is a response.

    regards

    cc



  • hmmm just found something i dislike:

    In order for Flexresp to work, it has to send a RST packet to the hosts in order to stop the
    traffic. The problem with that is, Snort has to send an RST packet BEFORE the actual host
    responds. 9x out of 10 the host is going to beat the IDS.

    If you really are interested in stopping traffic, go for Snort-inline mode.

    and as far as i have searched, there is no chance to get snort-inline working with pf on openbsd
    on freebsd it is possible  :( :( :( :( :( :( :( :( :( :( :(

    dont know if its possible to "delay" the packet before delivery

    regards

    cc



  • :( GIVING UP  :(

    no way to get snort inline working with pf

    sorry folks

    cc



  • hi!

    i have made some kind of workaround:

    2 solutions:

    first one:

    if you have spare hardware left put in 2 nics, install a base debian system and have a look at this:
    http://www.openmaniak.com/inline.php
    when you are at the point installing base, take the precompiled debian package acidbase. you will have less troubles and dont forget to add the startup script.

    When finished you will have a fine IPS based on snort rules.

    second one:

    just like 1 but:
    install 4 nics, after completing installing snort inline, install vmware, install pfsense on vmware

    example nic definition:

    eth0 and eth1 used for bridge br0 under debian

    bridge vmnet0 to eth2 = LAN pfsense

    bridge vmnet2 to eth3 = WAN pfsense

    bridge vmnet3 to eth2 = OPT1 pfsense

    You now have a firewall, an IDS and an IPS on one machine

    regards

    CC


Log in to reply