Snort mailing list archives

Re: Better Blocking in Snort for pfSense


From: B B via Snort-devel <snort-devel () lists snort org>
Date: Tue, 4 Feb 2020 09:58:10 -0800

Bill,

Could you let us know the approximate timeline for when 2.5-DEVEL will move to stable? I am looking forward to the 
feature set that will be available, especially with Snort.

Thanks
Bill

On Feb 4, 2020, at 9:50 AM, Bill - Google Account via Snort-devel <snort-devel () lists snort org> wrote:


Daniel:
 
The blocking mechanism used in Snort on pfSense is a specialized customization used only on pfSense. It uses a custom 
plugin module that is compiled into the Snort binary on pfSense. The general Snort team has no knowledge of that 
module and does not support it in any manner.
 
I think I replied to you earlier in a direct thread on the Netgate Forums about the inline IPS mode available in the 
Snort 4.x package used in pfSense-2.5 DEVEL. You can update to one of those snapshots and install the updated Snort 
package. Due to issues with supporting libraries in FreeBSD 11.x (which is what pfSense-2.4.4 is based on), the 
inline IPS operation with Snort is only available for now in pfSense-2.5 DEVEL (it is based on FreeBSD 12.x).
 
Bill Meeks
Vidalia, GA USA
 
From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Daniel Fischer
Sent: Friday, January 31, 2020 3:51 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] Better Blocking in Snort for pfSense
 
Good day,
 
I hope that I am sending this to the appropriate place. We are looking to contribute financially to some development 
in the Snort package for pfSense. 
 
Bearspaw Christian School currently uses Snort in pfSense with OpenAppID as a tool to ensure students comply with our 
acceptable use policy for technology. This includes blocking proxy and VPN connections, restricting traffic from 
certain web browsers, and a few other rules. In this way, we aren't using Snort as an IDS so much as using it 
as a web filter. It has worked very well for this and routinely identifies traffic correctly. However, Snort's method 
of blocking is a bit too heavy-handed for what we need. We don't want to block an IP for 15 minutes; we just want to 
block the traffic that caused the alert. 
 
We are using Snort for this purpose because OpenAppID is very good at identifying the traffic we don't want. We 
considered Suricata which has this type of blocking, but it does not support OpenAppID. We are unable to use another 
solution which relies on SSL inspection, because we already use a cloud-based filtering solution doing SSL 
inspection, and to have two devices doing this creates problems.
 
To that end, I am writing this email to see if someone could tell me how we might go about paying for someone to add 
the option to have Snort block only offending traffic and not IP addresses. We fully support open source 
technologies, and would rather spend our money on developing an already excellent tool than on a proprietary firewall 
device that may still not meet our needs. 
 
Thanks for your time,
 
Daniel Fischer
Network Administrator
Bearspaw Christian School
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!