Netgate Discussion Forum
    Snort analyze traffic before or after firewall rules?

    IDS/IPS
ckuecker:

Based on alerts from snort I have set up an alias called "blocked" and under that alias I have IPs. Under the firewall rules I have a block rule for that alias.

So if I understand that correctly, the firewall should block any traffic from those IPs under that alias. However, they still show up as new alerts in snort.

Does snort analyze traffic before the firewall rules take place?
ckuecker:

I wish there was an option under source IP or destination IP to add to the blocked list, similar to the suppress list.
bmeeks:

Snort puts interfaces in promiscuous mode and it also sees traffic before any firewall rules are processed. So putting your IPs in that blocked alias really is not accomplishing much at all if you already have Snort running in blocking mode. It will add the IPs to a special hidden firewall table itself.

Bill
bmeeks:

@ckuecker:

    I wish there was an option under source IP or destination IP to add to the blocked list, similar to the suppress list.

Why would you need this? If you have blocking enabled, Snort automatically inserts IPs from alerts into a hidden firewall table for blocking anyway. What you see on the BLOCKED tab in Snort is the current list of IP addresses that have been added to that table.

Bill
ckuecker:

I don't have blocking enabled at the moment. I plan on enabling it after some time, once I get my rules massaged the way I want them. Instead of using the auto-blocking feature of snort, it would be nice to be able to manually add to the blocked list.
bmeeks:

@ckuecker:

    I don't have blocking enabled at the moment. I plan on enabling it after some time, once I get my rules massaged the way I want them. Instead of using the auto-blocking feature of snort, it would be nice to be able to manually add to the blocked list.

I suppose that could be added, but the way blocking currently works, anything added would be lost upon a reboot or complete restart of the packet filter. This is because the pf table used for blocking (<snort2c>) is automatically cleared out by the packet filter upon a restart. So blocks would not be persistent across reboots.

Bill
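An added example, not code from this thread or from the pfSense Snort package: a small sh script that works around the caveat above by saving the <snort2c> table with pfctl and re-adding its entries after pf has been restarted. It assumes pfctl on pfSense/FreeBSD; PFCTL, SNAPSHOT, is_ipv4, clean_list, save_table and restore_table are names chosen here.

```shell
#!/bin/sh
# Added example (not from the pfSense Snort package): snapshot the <snort2c>
# pf table and re-add its entries after a pf restart has cleared it. Assumes
# pfctl on pfSense/FreeBSD; PFCTL, SNAPSHOT and the function names are
# hypothetical names chosen for this example.
set -eu
PFCTL="${PFCTL:-pfctl}"
TABLE="snort2c"
SNAPSHOT="${SNAPSHOT:-/var/db/snort2c.snapshot}"

# Return 0 when $1 is a dotted-quad IPv4 address with an optional /prefix,
# so a damaged snapshot cannot feed junk into pfctl (IPv6 entries are skipped).
is_ipv4() {
    case "$1" in
        */*/*|*/) return 1 ;;
        */*)      prefix="${1#*/}" ;;
        *)        prefix="" ;;
    esac
    addr="${1%%/*}"
    case "$addr" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    if [ -n "$prefix" ]; then
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
}

# Read a list on stdin (pfctl -T show output or the snapshot file); drop
# comments, blank lines and invalid entries, and de-duplicate the rest.
clean_list() {
    while IFS= read -r line; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        if [ -n "$line" ] && is_ipv4 "$line"; then printf '%s\n' "$line"; fi
    done | sort -u
}

# Dump the live table to the snapshot file; run this periodically from cron.
save_table() { "$PFCTL" -t "$TABLE" -T show | clean_list > "$SNAPSHOT"; }

# Re-add saved entries, e.g. from a boot-time hook. pfctl reports entries that
# are already present as "0 added" rather than failing, so re-runs are safe.
restore_table() {
    [ -s "$SNAPSHOT" ] || return 0
    clean_list < "$SNAPSHOT" | xargs "$PFCTL" -t "$TABLE" -T add
}

case "${1:-}" in save) save_table ;; restore) restore_table ;; esac
```

Run the script with `save` from cron and with `restore` from a boot-time hook. Restoring re-adds every saved address, including any that Snort's own block-clearing schedule would have removed in the meantime, so keep the snapshot interval short.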
ckuecker:

@bmeeks:

    @ckuecker:

        I don't have blocking enabled at the moment. I plan on enabling it after some time, once I get my rules massaged the way I want them. Instead of using the auto-blocking feature of snort, it would be nice to be able to manually add to the blocked list.

    I suppose that could be added, but the way blocking currently works, anything added would be lost upon a reboot or complete restart of the packet filter. This is because the pf table used for blocking (<snort2c>) is automatically cleared out by the packet filter upon a restart. So blocks would not be persistent across reboots.

    Bill

Interesting. I didn't know that. However, I rarely reboot, so I think that would be acceptable.