Snort mailing list archives

Re: Better Blocking in Snort for pfSense


From: Bill - Google Account via Snort-devel <snort-devel () lists snort org>
Date: Tue, 4 Feb 2020 12:48:54 -0500

Daniel:

The blocking mechanism used in Snort on pfSense is a specialized customization used only on pfSense. It uses a custom
plugin module that is compiled into the Snort binary on pfSense. The general Snort team has no knowledge of that module
and does not support it in any manner.

I think I replied to you earlier in a direct thread on the Netgate Forums about the inline IPS mode available in the 
Snort 4.x package used in pfSense-2.5 DEVEL. You can update to one of those snapshots and install the updated Snort 
package. Due to issues with supporting libraries in FreeBSD 11.x (which is what pfSense-2.4.4 is based on), the inline 
IPS operation with Snort is only available for now in pfSense-2.5 DEVEL (it is based on FreeBSD 12.x).

Bill Meeks

Vidalia, GA USA

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Daniel Fischer
Sent: Friday, January 31, 2020 3:51 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] Better Blocking in Snort for pfSense

Good day,

I hope that I am sending this to the appropriate place. We are looking to contribute financially to some development in 
the Snort package for pfSense.

Bearspaw Christian School currently uses Snort in pfSense with OpenAppID as a tool to ensure students comply with our
acceptable use policy for technology. This includes blocking proxy and VPN connections, restricting traffic from
certain web browsers, and a few other rules. In this way, we aren't so much using Snort as an IDS as using it as a
web filter. It has worked very well for this and routinely identifies traffic correctly. However, Snort's method of
blocking is a bit too heavy-handed for what we need. We don't want to block an IP for 15 minutes, we just want to
block the traffic that caused the alert.

We are using Snort for this purpose because OpenAppID is very good at identifying the traffic we don't want. We 
considered Suricata which has this type of blocking, but it does not support OpenAppID. We are unable to use another 
solution which relies on SSL inspection, because we already use a cloud-based filtering solution doing SSL inspection, 
and to have two devices doing this creates problems.

To that end, I am writing this email to see if someone could tell me how we might go about paying for someone to add 
the option to have Snort block only offending traffic and not IP addresses. We fully support open source technologies, 
and would rather spend our money on developing an already excellent tool than on a proprietary firewall device that may 
still not meet our needs.

Thanks for your time,

Daniel Fischer

Network Administrator

Bearspaw Christian School
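
Added for readers of the archive, and not code from either message or from the pfSense package: two Snort 2.9.x rules
using the OpenAppID "appid" rule option, showing the two blocking behaviours this thread contrasts. The first is an
ordinary "alert" rule, the kind that, under the pfSense blocking plugin Bill describes, results in the host being
blocked for the configured time. The second uses the "drop" action, which Snort only honours when it is running in
inline IPS mode (the mode Bill says is available in the pfSense-2.5 DEVEL package), and which discards the matching
traffic without any host-wide block. The application names (tor, ultrasurf), the SIDs and the msg strings are
assumptions chosen for illustration; check the names against the app list shipped with the installed OpenAppID
detector package before using them.

```snort
# Added example: Snort 2.9.x rules using the OpenAppID "appid" keyword.
# Not part of the mailing-list thread or of the pfSense Snort package.
# App names (tor, ultrasurf), SIDs and messages are assumptions chosen
# for illustration; verify app names against the installed detectors.

# Legacy style: an "alert" rule. Under the pfSense blocking plugin this
# alert causes the offending host IP to be blocked for the configured
# time, which is the behaviour the original request wants to avoid.
alert tcp any any -> any any (msg:"AUP - anonymizing proxy app seen"; \
    appid:tor,ultrasurf; sid:1000001; rev:1;)

# Inline IPS style: a "drop" rule. Snort only acts on "drop" when run in
# inline mode; it discards the packets of the flow that matched and no
# host-wide block is involved, so other traffic from the host continues.
drop tcp any any -> any any (msg:"AUP - anonymizing proxy app dropped"; \
    appid:tor,ultrasurf; sid:1000002; rev:1;)
```

One caveat to keep in mind when relying on the drop rule: OpenAppID identifies an application only after it has
inspected some packets of a flow, so a drop rule keyed on appid stops the remainder of that flow rather than its very
first packets. That still matches the request in the thread (block the traffic that caused the alert, not the IP),
but it is not the same as blocking the connection before any byte is exchanged.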

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!