Suricata and/or Snort categories on schedule
-
Hello, friendly firewallers and intruder seekers! :D
How can I turn on/off some Snort/Suricata categories on a schedule, I wonder? The purpose is quite obvious - to restrict P2P and online gaming during worktime. Right now I haven't found anything concerning scheduling inside Suricata and I don't remember anything concerning it in Snort. I have only a relatively stupid idea: to replace the whole pfSense XML config file by a cron job and restart pfSense…
-
Neither package works that way and such an option is not currently available. If you want to restrict P2P and online gaming, why not just enable those rules and leave them enabled in Suricata? For a business environment, when would it ever be acceptable to enable P2P (can anyone say potential copyright violations?) and online gaming?
Bill
-
I guess real business environments will use Cisco solutions anyway in most cases ::)
My case is much more similar to an educational organization's campus. Would you like to explain to x00 linuxoids why they can't download at lightspeed their favorite Ubuntus, Debians, Gentoos and Scientific Linuxes via BitTorrent, at least after worktime? 8) The same thing with online gaming… ;D
-
Why don't you create a Guest Wireless Network and give greater freedom there, but restrict its access to your school LAN? Do you let the folks install and run P2P clients and games on your business or school machines? If so, I would say that is a bad policy.
At any rate, the answer to your original question is that currently neither IDS/IPS package offers such scheduling (it is not present in the underlying binaries anyway), and such a feature is not currently on the long-term planning radar. You can schedule firewall rules within pfSense itself, but using those will be problematic because you would need to capture all the IP addresses of the potential P2P and gaming sites. That is hard because the IPs can change frequently.
Bill