Snort inline mode



  • Hi,
    Can snort drop packets in pfsense? I don't want to use block hosts option. I want to add this rate filter configuration to mitigate some DDOS attacks. Can I do this?

    rate_filter \
    gen_id 1, sig_id 469, \
    track by_dst, \
    count 15, seconds 2, \
    new_action drop, timeout 30



  • Snort inline is currently not possible. It may be available in some form in the future (TM) as it would need changes both to base pfSense and the Snort package. Various posts by bmeeks have more information on this.


  • Banned

    Suricata is the way to go and I believe inline will be available for that package before Snort.


  • Moderator

    Both Snort and Suricata are currently in a quasi-inline mode. They use a "copy" of the packets for inspection, so "a small" amount of traffic can get through before an "alert" generates a Block in the snort2c file for a malicious IP address.

    We expect pfSense to upgrade to using NetAPP, which will allow a more true inline operation in the future.

    The only way to have Snort or Suricata drop packets but not block is if the IP is in your pass list. So it can drop both src and dst packets. But I don't think that it can do the rate limiting that you are looking for. Maybe Bill Meeks will see this and post a suggestion?



  • @cutler:

    Hi,
    Can snort drop packets in pfsense? I don't want to use block hosts option. I want to add this rate filter configuration to mitigate some DDOS attacks. Can I do this?

    rate_filter \
    gen_id 1, sig_id 469, \
    track by_dst, \
    count 15, seconds 2, \
    new_action drop, timeout 30


    No, right now this is not possible due to limitations at the kernel network stack level.  Neither Snort nor Suricata can truly "drop" packets in pfSense.  They inspect a copy of every packet passing through the interface where Snort (or Suricata) is running.  When an alert is triggered, a block rule is inserted into the packet filter firewall table.  However, packets up to and including the one that triggered the alert "leaked through" the quasi-IPS.  Thus neither package is currently a true IPS.  It's more of a hybrid that is mostly IDS with a touch of IPS functionality (the ability to insert a block for future traffic, for example).

    Hopefully this situation will improve in the future if the pfSense kernel incorporates the Netmap API technology.

    Bill
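A simplified model of the rate_filter from the question and of the leak-through behaviour Bill describes, added here as an example and not code from the thread, Snort or pfSense: it runs the count/seconds/timeout logic over a constructed alert stream and shows which packets a true inline IPS would drop versus which pass in the copy-based (quasi-inline) mode, where the triggering packet has already gone through and only later traffic is blocked. The destination IP, timestamps and the assumption that the quasi-inline block honours the same timeout are constructed for illustration.

```python
# Added example (not from the thread): simplified model of Snort's
# rate_filter "track by_dst, count 15, seconds 2, new_action drop, timeout 30"
# comparing true inline dropping with pfSense's copy-based quasi-inline mode.
from collections import defaultdict, deque

COUNT, SECONDS, TIMEOUT = 15, 2, 30  # values taken from the rate_filter in the post

def apply_rate_filter(events, inline):
    """events: list of (timestamp_seconds, dst_ip) alerts for gen_id 1 / sig_id 469.
    Returns a list of (timestamp, dst_ip, verdict) with verdict 'pass' or 'drop'.
    inline=True  -> the packet that completes the count is dropped too (true IPS).
    inline=False -> quasi-inline: that packet leaks through; the block starts after it.
    The timeout is applied in both modes (an assumption made for comparison)."""
    window = defaultdict(deque)   # per-destination timestamps inside the last SECONDS
    drop_until = {}               # dst_ip -> time at which the drop action expires
    verdicts = []
    for ts, dst in events:
        # Is an earlier rate_filter action still in force for this destination?
        if dst in drop_until and ts < drop_until[dst]:
            verdicts.append((ts, dst, "drop"))
            continue
        drop_until.pop(dst, None)     # timeout elapsed: revert to the original action
        q = window[dst]
        q.append(ts)
        while q and ts - q[0] > SECONDS:   # slide the window forward
            q.popleft()
        if len(q) >= COUNT:
            drop_until[dst] = ts + TIMEOUT
            q.clear()
            # Inline: this packet is dropped. Quasi-inline: it already went through.
            verdicts.append((ts, dst, "drop" if inline else "pass"))
        else:
            verdicts.append((ts, dst, "pass"))
    return verdicts

def make_burst(dst, start, n, gap):
    """Constructed sample: n alerts toward dst, one every `gap` seconds."""
    return [(start + i * gap, dst) for i in range(n)]

if __name__ == "__main__":
    # Constructed flood: 20 alerts within 1.9 s, then one more after the timeout
    flood = make_burst("203.0.113.10", 0.0, 20, 0.1) + [(45.0, "203.0.113.10")]
    for mode in (True, False):
        v = apply_rate_filter(flood, inline=mode)
        dropped = [ts for ts, _, verdict in v if verdict == "drop"]
        print("inline" if mode else "quasi-inline", "dropped", len(dropped), "of", len(v))
```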


  • Moderator

    While the packet can't be dropped, any open states in the firewall can be killed.

    I hope the devs implement those changes.