Trouble with blocking through snort rules



  • Hello everyone,

    I just set up snort and am trying to test it using the emerging-games.rule to block battle.net
    However, I am not able to get it to block battle.net
    I have my snort interface enabled, and in the alert settings I have everything checked off. (Send Alerts to system log, block offenders, kill states) I also have the Which ip to block set to both.
    In the categories I have the use IPS policy checked off and the IPS policy set as balanced.
    In the rule sets I have Snort community rules and emerging-games.rule checked off too.
    I have also enabled the emerging-games rules in the rules tab. Next to the rules there are little yellow boxes with x's in them.
    The emerging threat rules were also updated recently.

    Could someone advise me on what to do next?
    Please let me know if you need more information or any images for further clarification.
    Thank you for your time!



  • Sounds like your setup is correct.  However, I took a look at the Emerging Threats games rules and every rule except one in the category is already default "enabled", so there is no need to force enable them.  However, there is no harm in doing so.  Just make sure what you see is the darker yellow background with the white X instead of the pale background.  There is an icon legend down at the bottom of the RULES tab.  Take a look and be sure that you didn't actually force disable the rules instead of force enable them.

    I'm no expert on the emerging-games rules, but how exactly are you trying to trigger an alert?  I see a number of different rules for Battle.net, but they trigger off specific events (failed login, connection reset, user joined channel, etc.).  Are you performing an action on a machine that you are confident will trigger one of the rules?

    Second, are you sure the machine you are trying to trigger the rule from is actually routing the traffic through the firewall interface where you have Snort running?

    Bill



  • @bmeeks:

    Sounds like your setup is correct.  However, I took a look at the Emerging Threats games rules and every rule except one in the category is already default "enabled", so there is no need to force enable them.  However, there is no harm in doing so.  Just make sure what you see is the darker yellow background with the white X instead of the pale background.  There is an icon legend down at the bottom of the RULES tab.  Take a look and be sure that you didn't actually force disable the rules instead of force enable them.

    I'm no expert on the emerging-games rules, but how exactly are you trying to trigger an alert?  I see a number of different rules for Battle.net, but they trigger off specific events (failed login, connection reset, user joined channel, etc.).  Are you performing an action on a machine that you are confident will trigger one of the rules?

    Second, are you sure the machine you are trying to trigger the rule from is actually routing the traffic through the firewall interface where you have Snort running?

    Bill

    Thank you for the reply.
    I did check the icon legend and it is the darker yellow box so the rules are all enabled.
    I try to trigger events by going into battle.net and logging into an account. I was under the impression that snort would block my attempts to login. (Please correct me if I am wrong) However, I am able to login without any warnings.
    The machine I am working on is able to block sites through pfsense so I believe that it can also trigger rules. I also get alerts in the snort alerts tab.



  • @Vlee:

    The machine I am working on is able to block sites through pfsense so I believe that it can also trigger rules. I also get alerts in the snort alerts tab.

    Do you see any Battle.net alerts, or do you mean you see other kinds of alerts?  Also, for the alerts you do see, are there corresponding blocks on the BLOCKED tab?

    Bill



  • @bmeeks:

    @Vlee:

    The machine I am working on is able to block sites through pfsense so I believe that it can also trigger rules. I also get alerts in the snort alerts tab.

    Do you see any Battle.net alerts, or do you mean you see other kinds of alerts?  Also, for the alerts you do see, are there corresponding blocks on the BLOCKED tab?

    Bill

    I do not see any Battle.net alerts. The alerts that I do see are marked as "Unknown traffic" class and are not in the blocked tab. I currently do  not have anything in the blocked tab.



  • Any other suggestions?



  • @Vlee:

    Any other suggestions?

    No other suggestions.  I know alerting and blocking do work, so if you are not getting some specific alerts I suspect maybe the conditions needed to trigger the rules you have enabled are not happening in your environment.  Is your pfSense box set up rather conventionally meaning routable WAN IP (probably dynamic one from your ISP) and the LAN is using auto-NAT (the out-of-the-box configuration for pfSense).  You don't have something weird like bridging or some proxy arrangement do you?

    Bill