Snort mailing list archives

Better Blocking in Snort for pfSense


From: Daniel Fischer <dfischer () bearspawschool com>
Date: Fri, 31 Jan 2020 13:50:49 -0700

Good day,

I hope that I am sending this to the appropriate place. We are looking to
contribute financially to some development in the Snort package for
pfSense.

Bearspaw Christian School currently uses Snort in pfSense with OpenAppID as
a tool to ensure students comply with our acceptable use policy for
technology. This includes blocking proxy and VPN connections, restricting
traffic from certain web browsers, and a few other rules. In this way, we
aren't using Snort as an IDS so much as using it as a web filter.
It has worked very well for this and routinely identifies traffic
correctly. However, Snort's method of blocking is a bit too heavy-handed
for what we need. We don't want to block an IP for 15 minutes; we just want
to block the traffic that caused the alert.

We are using Snort for this purpose because OpenAppID is very good at
identifying the traffic we don't want. We considered Suricata, which has
this type of blocking, but it does not support OpenAppID. We are unable to
use another solution which relies on SSL inspection, because we already use
a cloud-based filtering solution doing SSL inspection, and to have two
devices doing this creates problems.

To that end, I am writing this email to see if someone could tell me how we
might go about paying for someone to add the option to have Snort block
only offending traffic and not IP addresses. We fully support open source
technologies, and would rather spend our money on developing an already
excellent tool than on a proprietary firewall device that may still not
meet our needs.

Thanks for your time,

Daniel Fischer
Network Administrator
Bearspaw Christian School
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!