Snort Rule Actions
-
I know it's been discussed in the past, but it would be incredible if pfSense Snort could support all the rule actions.
1. alert - generate an alert using the selected alert method, and then log the packet
2. log - log the packet
3. pass - ignore the packet
4. activate - alert and then turn on another dynamic rule
5. dynamic - remain idle until activated by an activate rule , then act as a log rule
6. drop - block and log the packet
7. reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
8. sdrop - block the packet but do not log it.
As a small contribution, I'm willing to test any beta intensively if the devs go this way.
F.
-
Several of these actions are only applicable when Snort is running in inline mode. As of right now, there is no way to run it that way on pfSense. All it can do today is call a system function to insert an IP address in the packet filter firewall rules when it "alerts" on traffic. It actually simply inserts the IP address into a pre-existing pf table called snort2c. All alerts are treated as blocks within the current plugin.
Bill
-
Several of these actions are only applicable when Snort is running in inline mode. As of right now, there is no way to run it that way on pfSense.
Will it be possible to run Snort in inline mode in the future?
-
Several of these actions are only applicable when Snort is running in inline mode. As of right now, there is no way to run it that way on pfSense.
Will it be possible to run Snort in inline mode in the future?
Snort is in quasi-inline mode now… Snort/Suricata is viewing a "copy" of each packet. And when an alert is triggered, the IP is placed into a pfSense alias table called "snort2c". So this table will block all future activity from that IP. There are settings to determine how long the IP remains in the snort2c file.
In the distant future, we expect to see the NetMap API, which will allow for a better inline mode… but overall the package as-is is almost there...
-
Several of these actions are only applicable when Snort is running in inline mode. As of right now, there is no way to run it that way on pfSense.
Will it be possible to run Snort in inline mode in the future?
There are problems today with attempting inline mode with either Snort or Suricata. There appear to be some conflicts with ipfw patches done for traffic shaping in pfSense. I tried testing inline mode a little over a year ago, but was unsuccessful. As BBcan177 mentioned, the goal is to make use of the Netmap API in the future in packages that can work with it. Suricata should be able to, but I'm not positive about Snort. I have not looked into it in as much detail as I have Suricata.
Bill
-
Talking of snort2c, since it's possible to run both Suricata and Snort (let's say one on WAN and the other on LAN), can we use another table, like virusprot, to run both in "block mode"?
F.
-
Talking of snort2c, since it's possible to run both Suricata and Snort (let's say one on WAN and the other on LAN), can we use another table, like virusprot, to run both in "block mode"?
F.
You can do this by manually changing a constant in one of the PHP source files if you want to try. Here are the instructions –
1. Open /usr/local/pkg/suricata/suricata_defs.inc in your editor of choice and find this section of code:
// Define the name of the pf table used for IP blocks
if (!defined('SURICATA_PF_TABLE'))
    define('SURICATA_PF_TABLE', 'snort2c');
2. Change the 'snort2c' value to whatever valid alias table you want to use. Save the file and then restart Suricata on all interfaces.
I have not tried this personally, but it should work. I purposely coded the Suricata GUI so that it uses this defined SURICATA_PF_TABLE constant when referring to the alias block table. Of course if you reinstall Suricata or download a future update, you will have to repeat this manual edit.
Bill
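The manual edit above has to be repeated after every Suricata reinstall or update, so it is worth scripting both the change and a drift check. This is an added example, not code from the pfSense Suricata package: it assumes the define() line keeps the shape quoted in the post, and the sample file contents are constructed stand-ins for suricata_defs.inc.

```python
import re
from typing import Optional

# Stock value for the Suricata block table (the post quotes 'snort2c').
DEFAULT_TABLE = "snort2c"

# Matches the define() line quoted in the post; the named group is the current table.
DEFINE_RE = re.compile(
    r"define\(\s*'SURICATA_PF_TABLE'\s*,\s*'(?P<table>[^']*)'\s*\)"
)

# Assumption: conservative subset of pf table naming (letters, digits, underscore,
# at most 31 characters) so the name is also a usable pfSense alias name.
TABLE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,30}$")


def current_pf_table(source: str) -> Optional[str]:
    """Return the table name defined in the .inc source, or None if the line is missing."""
    m = DEFINE_RE.search(source)
    return m.group("table") if m else None


def set_pf_table(source: str, new_table: str) -> str:
    """Return source with SURICATA_PF_TABLE pointed at new_table (step 2 of the post)."""
    if not TABLE_NAME_RE.match(new_table):
        raise ValueError(f"{new_table!r} is not a usable pf table / alias name")
    if current_pf_table(source) is None:
        raise ValueError("no SURICATA_PF_TABLE define found; file layout may have changed")
    # Lambda replacement avoids backslash interpretation in the substituted text.
    return DEFINE_RE.sub(lambda _: f"define('SURICATA_PF_TABLE', '{new_table}')",
                         source, count=1)


def has_drifted(source: str, expected_table: str) -> bool:
    """True if the file no longer names expected_table, e.g. after a package reinstall."""
    return current_pf_table(source) != expected_table


if __name__ == "__main__":
    # Constructed stand-in for /usr/local/pkg/suricata/suricata_defs.inc.
    sample = (
        "<?php\n"
        "// Define the name of the pf table used for IP blocks\n"
        "if (!defined('SURICATA_PF_TABLE'))\n"
        "\tdefine('SURICATA_PF_TABLE', 'snort2c');\n"
    )
    updated = set_pf_table(sample, "virusprot")
    print(current_pf_table(updated))         # virusprot
    print(has_drifted(sample, "virusprot"))  # True: stock file still says snort2c
```

Run has_drifted() against the real file after each package update to catch the silent revert to snort2c before both engines start sharing a table again.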
-
Working like a charm. Thanks Bill.
A lot of fun to see which engine catches what when the other doesn't.
F.
-
Working like a charm. Thanks Bill.
A lot of fun to see which engine catches what when the other doesn't.
F.
Thanks for the feedback. Glad to know it works like I intended. I just had never tested it, though. Since one day the plan is to implement inline mode that will not require an alias table, I never pushed the pfSense guys about adding a new built-in alias table just for Suricata. The Snort table was added well before I ever even knew pfSense existed.
Bill