Snort analyze traffic before or after firewall rules?



  • Based on alerts from snort I have setup an alias called "blocked" and under that alias I have IPs.  Under the firewall rules I have a blocked rule for that alias.

    So if I understand that correctly the firewall should block any traffic from those IPs under that alias.  However, they still show up as new alerts in snort.

    Does snort analyze traffic before the firewall rules take place?



  • I wish there was an option under source IP or destination IP to add to the blocked list similar to the suppress list.



  • Snort puts interfaces in promiscuous mode and it also sees traffic before any firewall rules are processed.  So putting your IPs in that blocked alias really is not accomplishing much at all if you already have Snort running in blocking mode.  It will add the IPs to a special hidden firewall table itself.

    Bill



  • @ckuecker:

    I wish there was an option under source IP or destination IP to add to the blocked list similar to the suppress list.

    Why would you need this?  If you have blocking enabled, Snort automatically inserts IPs from alerts into a hidden firewall table for blocking anyway.  What you see on the BLOCKED tab in Snort is the current list of IP addresses that have been added to that table.

    Bill



  • I don't have blocking enabled at the moment.  I plan on enabling it after some time once I get my rules massaged the way I want them.  Instead of using the auto-blocking feature of snort it would be nice to be able to manually add to the blocked list.



  • @ckuecker:

    I don't have blocking enabled at the moment.  I plan on enabling it after some time once I get my rules massaged the way I want them.  Instead of using the auto-blocking feature of snort it would be nice to be able to manually add to the blocked list.

    I suppose that could be added, but the way blocking currently works anything added would be lost upon a reboot or complete restart of the packet filter.  This is because the pf table used for blocking (<snort2c>) is automatically cleared out by the packet filter upon a restart.  So blocks would not be persistent across reboots.

    Bill



  • @bmeeks:

    @ckuecker:

    I don't have blocking enabled at the moment.  I plan on enabling it after some time once I get my rules massaged the way I want them.  Instead of using the auto-blocking feature of snort it would be nice to be able to manually add to the blocked list.

    I suppose that could be added, but the way blocking currently works anything added would be lost upon a reboot or complete restart of the packet filter.  This is because the pf table used for blocking (<snort2c>) is automatically cleared out by the packet filter upon a restart.  So blocks would not be persistent across reboots.

    Bill

    Interesting... I didn't know that.  However, I rarely reboot so I think that would be acceptable.
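Bill's point above, that pf empties the `<snort2c>` table on a restart, means Snort's blocks do not survive a reboot; the shell helpers below, an added example that is not code from this thread or from the pfSense Snort package, snapshot that table so its entries can be re-added afterwards and report which ones pf dropped. They assume a pfSense/FreeBSD host with `pfctl` in `PATH` and use only its standard table operations; the `SNAPSHOT` path and the `PFCTL` variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package.
# Snort's blocking mode inserts offending IPs into the pf table <snort2c>,
# which pf clears on a restart.  These helpers snapshot the table so the
# entries can be re-added after a reboot, and show which ones were lost.
# Assumptions: pfctl is in PATH; the SNAPSHOT path is made up for this example.
SNAPSHOT="${SNAPSHOT:-/root/snort2c.snapshot}"
PFCTL="${PFCTL:-pfctl}"

# Normalise `pfctl -t snort2c -T show` output read on stdin: strip the
# leading whitespace pfctl prints, drop blank or unrelated lines, and keep
# one sorted copy of each IPv4/IPv6 address or prefix.
normalize_addrs() {
    sed 's/^[[:space:]]*//' \
        | grep -E '^[0-9A-Fa-f.:]+(/[0-9]+)?$' \
        | LC_ALL=C sort -u
}

# Save the live table to the snapshot file (e.g. periodically from cron).
snapshot_snort2c() {
    "$PFCTL" -t snort2c -T show | normalize_addrs > "$SNAPSHOT"
}

# Re-add every snapshotted address to <snort2c> (run once pf is back up).
restore_snort2c() {
    [ -s "$SNAPSHOT" ] || return 0
    xargs "$PFCTL" -t snort2c -T add < "$SNAPSHOT"
}

# Print addresses present in a snapshot file but absent from a file holding
# the current table contents; any output means pf dropped those blocks.
lost_entries() {
    a=$(mktemp); b=$(mktemp)
    normalize_addrs < "$1" > "$a"
    normalize_addrs < "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}
```

Comparing a saved snapshot with a fresh `pfctl -t snort2c -T show` dump after a reboot makes the persistence gap visible before you decide whether to restore.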