Snort mailing list archives
Re: Better Blocking in Snort for pfSense
From: B B via Snort-devel <snort-devel () lists snort org>
Date: Tue, 4 Feb 2020 09:58:10 -0800
Bill,

Could you let us know the approximate timeline for when 2.5-DEVEL will move to stable? I am looking forward to the feature set, especially with Snort, that will be available.

Thanks,
Bill
On Feb 4, 2020, at 9:50 AM, Bill - Google Account via Snort-devel <snort-devel () lists snort org> wrote:

Daniel:

The blocking mechanism used in Snort on pfSense is a specialized customization used only on pfSense. It uses a custom plugin module that is compiled into the Snort binary on pfSense. The general Snort team has no knowledge of that module and does not support it in any manner.

I think I replied to you earlier in a direct thread on the Netgate Forums about the inline IPS mode available in the Snort 4.x package used in pfSense-2.5 DEVEL. You can update to one of those snapshots and install the updated Snort package. Due to issues with supporting libraries in FreeBSD 11.x (which is what pfSense-2.4.4 is based on), the inline IPS operation with Snort is only available for now in pfSense-2.5 DEVEL (it is based on FreeBSD 12.x).

Bill Meeks
Vidalia, GA USA

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Daniel Fischer
Sent: Friday, January 31, 2020 3:51 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] Better Blocking in Snort for pfSense

Good day,

I hope that I am sending this to the appropriate place. We are looking to contribute financially to some development in the Snort package for pfSense.

Bearspaw Christian School currently uses Snort in pfSense with OpenAppID as a tool to ensure students comply with our acceptable use policy for technology. This includes blocking proxy and VPN connections, restricting traffic from certain web browsers, and a few other rules. In this way, we aren't so much using Snort as an IDS as using it as a web filter. It has worked very well for this and routinely identifies traffic correctly.

However, Snort's method of blocking is a bit too heavy-handed for what we need. We don't want to block an IP for 15 minutes; we just want to block the traffic that caused the alert. We are using Snort for this purpose because OpenAppID is very good at identifying the traffic we don't want.

We considered Suricata, which has this type of blocking, but it does not support OpenAppID. We are unable to use another solution which relies on SSL inspection, because we already use a cloud-based filtering solution doing SSL inspection, and having two devices doing this creates problems.

To that end, I am writing this email to see if someone could tell me how we might go about paying for someone to add the option to have Snort block only offending traffic and not IP addresses. We fully support open source technologies, and would rather spend our money on developing an already excellent tool than on a proprietary firewall device that may still not meet our needs.

Thanks for your time,

Daniel Fischer
Network Administrator
Bearspaw Christian School

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!