Blocking IPs automatically based on certain alerts
-
So I have started into the Snort world and I have read documents, tutorials and posts!
I've created my first rule, and it works! It basically just alerts me when someone tries to connect on SSH:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH from WAN";classtype:attempted-recon;sid:1000001; rev:1;)
The next thing I tried to do is to detect several logins to SSH in a certain time. I found this rule on the internet, which actually works as well; I tested it myself:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH from WAN several logins";flow:to_server;flags:S;threshold:type threshold, track by_src, count 3, seconds 60;classtype:attempted-dos;sid:2001219;rev:4; resp:rst_all;)
I don't completely understand all of its variables, but I'm working on it. In any case, what I would like to achieve is that when an IP triggers this alert, I'm able to automatically block it. I have read about activate/dynamic, but dynamic rules are just like log rules, so they don't block anything.
And if I enable "Block offenders" in General Settings, then I will block all offenders from the alerts (if I understood correctly), but I would like to keep some alerts as just alerts while blocking IPs from others! Can anyone please point me in the right direction to achieve what I would like to do?
Thanks!
-
And if I enable "Block offenders" in General Settings, then I will block all offenders from the alerts (if I understood correctly), but I would like to keep some alerts as just alerts while blocking IPs from others! Can anyone please point me in the right direction to achieve what I would like to do?
Correct, right now that's the way it works on pfSense. When choosing block offenders, no matter if the rule is DROP or ALERT, the offender triggering the rule is moved into a block pf table of the firewall.
But you are trying too hard :)
alert tcp ![1.1.1.1,2.2.2.2] any -> $HOME_NET 22 (msg:"SSH from non-allowed IP"; sid:1000002; rev:1;)
Replace 1.1.1.1 and 2.2.2.2 with the IPs allowed to SSH; all others will get blocked. Those IPs could be on your LAN or external, doesn't matter: only allow specific IPs to SSH and block all others…
F.
-
Thanks for your reply!
Your example alert won't work in my case as my IP will be dynamic :(
-
For Suricata 3.0 and forward (and probably Snort 3.0 when it becomes available), I am looking to alter the old "default block" behavior for alerts to more accurately conform to IDS/IPS standards found elsewhere. This means rules with the ALERT keyword will just alert, and only rules with the DROP keyword would block traffic. That's NOT how it works today, though. Today, any alert equals a block (when "block offenders" is enabled).
Bill
-
Yep! Any ideas about what I'm trying to achieve? Thanks!
-
Yep! Any ideas about what I'm trying to achieve? Thanks!
Right now, until a true "DROP" action is supported and differentiated from the "ALERT" action, I don't know of a way to achieve what you want.
Bill
-
Ummm, maybe it can be achieved with other IDS? Like Suricata or some other package available in the package list?
-
You can add fail2ban or ossec to the Servers behind pfSense, and collect those banned IPs into a blocklist. Afterwards, import those into pfBlockerNG on a specified frequency.
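Bill's reply above explains that today any alert equals a block; one way to get the per-rule behaviour the original post asks for is to post-process Snort's own alert log, as this added example (not from the thread or the pfSense package) does: it parses fast-format alert lines, applies the by_src count/seconds window of the threshold rule only to the SIDs you choose to block, and returns one IP per line for import into pfBlockerNG. The log lines, SIDs and IPs are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sid -> (count, seconds): only these SIDs block; approximates the rule's
# "threshold:type threshold, track by_src, count 3, seconds 60" as a window.
BLOCK_POLICY = {2001219: (3, 60)}

# Constructed sample lines in Snort "fast" alert format (not real log data).
SAMPLE_ALERTS = """\
03/14-10:00:01.000000  [**] [1:1000001:1] SSH from WAN [**] [Priority: 2] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22
03/14-10:00:05.000000  [**] [1:2001219:4] SSH from WAN several logins [**] [Priority: 2] {TCP} 203.0.113.7:51001 -> 192.0.2.10:22
03/14-10:00:20.000000  [**] [1:2001219:4] SSH from WAN several logins [**] [Priority: 2] {TCP} 203.0.113.7:51002 -> 192.0.2.10:22
03/14-10:00:40.000000  [**] [1:2001219:4] SSH from WAN several logins [**] [Priority: 2] {TCP} 203.0.113.7:51003 -> 192.0.2.10:22
03/14-10:01:00.000000  [**] [1:2001219:4] SSH from WAN several logins [**] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.0.2.10:22
03/14-10:05:00.000000  [**] [1:2001219:4] SSH from WAN several logins [**] [Priority: 2] {TCP} 198.51.100.9:40001 -> 192.0.2.10:22
"""
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] "
    r"\[\d+:(?P<sid>\d+):\d+\].*\{\w+\} (?P<src>[\d.]+):\d+ -> "
)

def parse_alert(line):
    """Return (timestamp, sid, src_ip) for one fast-format line, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S")
    return ts, int(m.group("sid")), m.group("src")

def build_blocklist(lines, policy=BLOCK_POLICY):
    """Apply a by_src count/seconds window per blocking SID; return IPs to block."""
    seen = defaultdict(deque)   # (sid, src) -> timestamps inside the window
    blocked = set()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None or parsed[1] not in policy:
            continue             # malformed line or alert-only rule: skip it
        ts, sid, src = parsed
        count, seconds = policy[sid]
        window = seen[(sid, src)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()     # drop events older than the window
        if len(window) >= count:
            blocked.add(src)
    return sorted(blocked)

if __name__ == "__main__":
    # One IP per line is a list format pfBlockerNG can import as a custom list.
    print("\n".join(build_blocklist(SAMPLE_ALERTS.splitlines())))
```

Only the source that tripped SID 2001219 three times inside 60 seconds ends up on the list; the plain "SSH from WAN" alert (SID 1000001) never blocks anyone.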
-
That's not really ideal to be honest :(, but thanks for the idea!
It's really really annoying that Snort can't do this easily