Snort IPS/IDS



  • Hello Everyone,
    I would like to ask for a timer (in minutes) to be added for blocked IPs in Snort.
    That timer would remove the drop rule after the specified amount of time in minutes.

    This will help minimize attempts to block good traffic, and false positives as well.

    Example:
    In the web UI, where the check mark for "Checking this option will ….." is, add another small text box in which it will be possible to specify for how long the offender will be blocked, in minutes.

    Feature #3768

    Thank you in advance.


  • Moderator

    Hello volga629,

    This feature is already in Snort and Suricata.

    Global Settings: General Settings: Remove Blocked Hosts Interval  (Please select the amount of time you would like hosts to be blocked.)

    I hope this answers your question.



  • Hello Everyone,
    Thank you for the reply, I found it and it is working.
    Is it possible to use Snort based on firewall rules? It would narrow down which probes to use and allow being very specific about which traffic to filter instead of the whole interface.
    For example:

    If I need to protect an HTTP server, I would like to create a firewall rule which allows connections to the port, and in the advanced settings select a Snort profile, which in this case will be HTTP (containing checks for HTTP and web languages), and the action, instead of the default pass, will be pass with IDS/IPS.



  • @volga629:

    Hello Everyone,
    Thank you for the reply, I found it and it is working.
    Is it possible to use Snort based on firewall rules? It would narrow down which probes to use and allow being very specific about which traffic to filter instead of the whole interface.
    For example:

    If I need to protect an HTTP server, I would like to create a firewall rule which allows connections to the port, and in the advanced settings select a Snort profile, which in this case will be HTTP (containing checks for HTTP and web languages), and the action, instead of the default pass, will be pass with IDS/IPS.

    No, Snort is not that tightly integrated with the firewall.  However, you can configure what the Snort package on pfSense calls "engines" on the PREPROCESSORS tab for each interface.  An "engine" is a single host or multiple hosts, or network block or multiple network blocks, that are used to target the Snort inspection.  For example, for web servers, you might have all of them in a specific subnet.  On the PREPROCESSORS tab in the section for the HTTP_INSPECT preprocessor, you would create an engine for the subnet containing your web servers.  You first need to create an alias under Firewall…Aliases, then use that alias as the "destination" address for the engine.  Once the engine is created, you can edit many parameters associated with it including which ports to inspect as HTTP.  This way Snort does not waste time and energy inspecting all the ports for web traffic if only say ports 80 and 443 are actually listening.

    Read up on preprocessor configuration details in the online manual at snort.org.  Then play around with the settings on the PREPROCESSORS tab for the various engines (frag3, stream5 and http_inspect, etc.).

    Bill
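
The engine described in the answer above, written in raw Snort 2.9.x configuration syntax as an added example (not part of the original posts, and not output copied from the pfSense package). It assumes a GUI engine maps to one `http_inspect_server` entry; the addresses are constructed placeholders standing in for the alias contents.

```conf
# Constructed example. Addresses are documentation-range placeholders
# standing in for the hosts/networks held in the pfSense alias.

# Global http_inspect settings must be declared before any server entry.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Fallback engine: applies to any server address that has no entry of its own.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 }

# Engine bound to the web servers (one network block plus one single host).
# Only the listed ports are decoded as HTTP for these destinations.
# 443 is listed because the answer mentions it; http_inspect only decodes
# cleartext HTTP, so TLS traffic on 443 is not normalized unless it is
# decrypted before it reaches the sensor.
preprocessor http_inspect_server: server { 192.0.2.0/24 198.51.100.10 } \
    profile apache \
    ports { 80 443 }
```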

