SNORT2PFCD(8) FreeBSD System Manager's Manual SNORT2PFCD(8)

snort2pfcd
provides real-time blocking of ip addresses from snort alerts via packet filter firewall tables.

snort2pfcd [-e External_Interface] [-w Passlist_File] [-b Blocklist_File] [-W] [-B] [-C] [-D] [-F] [-Z] [-l Log_File] [-a Alert_File] [-p Priority] [-r Repeat_Offenses] [-t Seconds] [-d Pf_device] [-q Seconds] [-m Thr_max] [-v] [-h]

snort2pfcd monitors snort alert output and blocks ip addresses for a given snort priority using packet filter table entries for a specified period of time. A passlist is specified to exclude local and trusted ip addresses from being blocked. snort2pfcd also preloads the community maintained and supplied snort blocklist by default. The passlist and blocklist files are monitored and snort2pfcd automatically reloads and updates the tables when changes are made to these files.

The options are as follows:

-e External_Interface
    External interface, e.g. eth0, or "all" to passlist all interfaces. Default is to passlist all interfaces.
-w Passlist_File
    Passlist file. Default is /usr/local/etc/snort/rules/iplists/default.passlist.
-W
    If set, will prevent loading of any passlist file.
-b Blocklist_File
    Blocklist file. Default is /usr/local/etc/snort/rules/iplists/default.blocklist.
-B
    If set, will prevent loading of the snort blocklist file.
-C
    If set, will enable debug mode for gdb, lldb, etc.
-D
    If set, will disable the DNS lookup functionality.
-F
    Foreground mode. If set, will not daemonize.
-Z
    If set, will prevent the passlisting of entries in the /etc/resolv.conf file.
-l Log_File
    Log file location. Default is /var/log/snort2pfcd.log.
-a Alert_File
    Snort alert file location. Default is /var/log/snort/alert.
-p Priority
    The priority level at which to block an ip address in the snort log. Default is 1. A lower priority includes the higher priorities; for example, -p 3 includes priorities 3, 2 and 1.
-r Repeat_Offenses
    Number of times an ip address may commit an offense before being added to the packet filter block table. Default is 0. For example, -p 2 -r 2 specifies that any priority 1 or 2 snort alert for a given network address will be blocked only after 2 repeated snort alerts (3 snort alerts total).
-t Seconds
    The number of seconds to block an ip address. Default is 60*60, or 1 hour.
-d Pf_device
    Packet filter device interface. Default is /dev/pf.
-q Seconds
    The number of seconds to wait before starting to parse the snort alert file. Useful if snort2pfcd is interfering with connection setup, especially shortly after boot. Default is 0.
-m Thr_max
    Maximum number of DNS request threads. Default is 100. snort2pfcd uses a non-blocking design to ensure that waiting for DNS names to resolve for the block log does not interfere with the blocking of snort alerts. Instead of the main program waiting, a new thread is spawned to do the waiting. Since connection speeds vary widely (100 Mb/s to more than 40 Gb/s) and servers also vary in processing capability, this option exists to increase or decrease the maximum number of threads waiting on DNS requests. Once the maximum number of threads waiting for a DNS response is reached, logging stops until an active thread exits. The main program, however, continues its blocking function, with only logging suspended until a new thread can be spawned.
-v
    Increase verbosity.
-h
    Show help.
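The -m Thr_max behaviour above (a capped pool of resolver threads; when every slot is busy the DNS name is not logged, but the block itself still happens) is modelled below. This is an added example, not snort2pfcd's own code: the resolver is injected so the example runs offline (a real deployment would pass socket.gethostbyaddr), and DnsLogger, handle_alert and the demo addresses are all constructed for illustration.

```python
import threading


class DnsLogger:
    """Bounded pool of resolver threads, modelling snort2pfcd's -m Thr_max.

    Hypothetical class written for this example. `resolve` maps an ip string to
    a name and may block; `log` receives (ip, name) once resolution finishes.
    """

    def __init__(self, thr_max, resolve, log):
        self.slots = threading.Semaphore(thr_max)  # one slot per waiting thread
        self.resolve = resolve
        self.log = log
        self.skipped = 0        # alerts whose DNS name was never logged
        self.threads = []

    def submit(self, ip):
        """Start a resolver thread; return False (and skip logging) if all slots are busy."""
        if not self.slots.acquire(blocking=False):
            self.skipped += 1
            return False
        t = threading.Thread(target=self._worker, args=(ip,), daemon=True)
        self.threads.append(t)
        t.start()
        return True

    def _worker(self, ip):
        try:
            try:
                name = self.resolve(ip)
            except OSError:          # gethostbyaddr raises OSError/herror on failure
                name = "unresolved"
            self.log(ip, name)
        finally:
            self.slots.release()     # free the slot even if logging raised

    def handle_alert(self, ip, block):
        """The main-loop order that matters: block first, then try to log the name."""
        block(ip)                    # never waits on DNS
        return self.submit(ip)


def demo(thr_max=2):
    """Three alerts against two resolver slots: all three are blocked, two get logged."""
    gate = threading.Event()         # stands in for a slow DNS server
    entries, blocked = [], []
    lock = threading.Lock()

    def slow_resolve(ip):
        gate.wait()
        return "host-" + ip.replace(".", "-") + ".example"   # constructed name

    def log(ip, name):
        with lock:
            entries.append((ip, name))

    logger = DnsLogger(thr_max, slow_resolve, log)
    ips = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]      # constructed addresses
    started = [logger.handle_alert(ip, blocked.append) for ip in ips]
    gate.set()                       # let the "DNS server" answer
    for t in logger.threads:
        t.join()
    return blocked, started, sorted(entries), logger.skipped


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that the third alert is still blocked even though no resolver slot is free for it; only its log entry is lost, which is exactly the trade-off the option describes.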

The snort intrusion detection system monitors network traffic and will generate an alert if this traffic matches a rule for a type of noteworthy activity. snort2pfcd monitors this alert file and can then add the offending ip address to a packet filter block table. snort2pfcd provides the above options for the user to specify the conditions under which the offending address is added to the packet filter block table.

Differentiating between benign and malicious network traffic is difficult and, unfortunately, snort generates a fair number of false positives. Also, the snort IDS's primary function is to log noteworthy network traffic, and its authors did not necessarily intend for the logged addresses to be blocked. This being said, snort's rules are highly configurable and can be adjusted for more appropriate functioning in this context. To assist the user with filtering network traffic produced by various network entities, snort2pfcd will automatically resolve the offending ip address and display the DNS name in the snort2pfcd block log. Should the user decide that the offending address is trustworthy, the user can add the address, or alternatively research and add the entire CIDR address block assigned to that network entity, to the passlist. Passlisted addresses or CIDR address blocks generating a snort alert will not be added to the packet filter block table.

snort2pfcd also loads the snort community supplied blocklist file into a separate packet filter block table by default. Table entries are named "snort2pfcd" for dynamic entries which can be viewed with "pfctl -t snort2pfcd -T show". Static entries loaded from the community provided snort blocklist are populated within the "snort2pfcd_static" table which can be viewed with "pfctl -t snort2pfcd_static -T show".

At no time should snort2pfcd need to be restarted. snort2pfcd will repopulate its packet filter tables if the packet filter is restarted. snort2pfcd also monitors the passlist and blocklist files for changes. Changes applied to these files are automatically reloaded and applied to the running snort2pfcd processes.

Passlist entries can be single ip addresses (e.g. 192.168.0.1) or blocks of addresses in CIDR format (e.g. 192.168.0.0/24). Each entry should be on a separate line.

Blocklist entries provided by the snort community contain a list of single ip addresses and snort2pfcd will only accept entries in this format (e.g. 192.168.0.1). Each entry should be on a separate line.
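The following simulation ties together the passlist and blocklist formats just described with the -p, -r and -t semantics from the options list. It is an added example written for this page, not snort2pfcd's code: the list contents and the snort "fast"-format alert lines are constructed (the rule ids are placeholders), parse_alert, Blocker and run_sample are hypothetical names, and the pf table is represented by a plain dict instead of /dev/pf. It goes slightly beyond the text by also showing expiry of table entries after the -t period.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed passlist: a single address or a CIDR block per line.
PASSLIST_TEXT = """\
192.168.0.1
10.0.0.0/8
"""

# Constructed blocklist: only single addresses are accepted, so the CIDR
# line is included deliberately to show it being rejected.
BLOCKLIST_TEXT = """\
203.0.113.50
198.51.100.0/24
"""

# Constructed snort fast-alert lines (placeholder local rule ids 1:100000x).
ALERTS_TEXT = """\
08/22-10:45:12.000001  [**] [1:1000001:1] LOCAL rule A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4444 -> 192.168.0.5:22
08/22-10:45:13.000001  [**] [1:1000001:1] LOCAL rule A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4445 -> 192.168.0.5:22
08/22-10:45:14.000001  [**] [1:1000002:1] LOCAL rule B [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.77 -> 192.168.0.5
08/22-10:45:15.000001  [**] [1:1000001:1] LOCAL rule A [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 203.0.113.9:4446 -> 192.168.0.5:22
08/22-10:45:16.000001  [**] [1:1000001:1] LOCAL rule A [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 10.1.2.3:5555 -> 192.168.0.5:22
"""

# Priority field, protocol, then the source address with an optional port.
ALERT_RE = re.compile(r"\[Priority: (\d+)\] \{\w+\} ([0-9.]+)(?::\d+)? -> ")


def load_passlist(text):
    """Passlist entries: single address or CIDR block, one per line."""
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines() if l.strip() and not l.startswith("#")]


def load_blocklist(text):
    """Blocklist entries: single addresses only; anything else is rejected."""
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(ipaddress.ip_address(line))
        except ValueError:
            rejected.append(line)
    return accepted, rejected


def parse_alert(line):
    """Return (priority, source address) from a fast-alert line, or None."""
    m = ALERT_RE.search(line)
    return (int(m.group(1)), ipaddress.ip_address(m.group(2))) if m else None


@dataclass
class Blocker:
    """Models -p (priority threshold), -r (repeat offenses) and -t (block seconds)."""
    priority: int = 1
    repeat: int = 0
    seconds: int = 3600
    passlist: list = field(default_factory=list)
    offenses: dict = field(default_factory=dict)   # ip -> alerts seen so far
    table: dict = field(default_factory=dict)      # ip -> expiry time (stands in for the pf table)

    def process(self, line, now):
        parsed = parse_alert(line)
        if parsed is None:
            return "unparsed"
        prio, src = parsed
        if prio > self.priority:                   # -p 3 includes 3, 2 and 1 (lower = more severe)
            return "ignored"
        if any(src in net for net in self.passlist):
            return "passlisted"
        if src in self.table:
            return "already_blocked"
        self.offenses[src] = self.offenses.get(src, 0) + 1
        if self.offenses[src] <= self.repeat:      # -r N: block on the (N+1)th alert
            return "counted"
        self.table[src] = now + self.seconds
        return "blocked"

    def expire(self, now):
        """Remove entries whose -t period has elapsed; return the removed addresses."""
        gone = [ip for ip, until in self.table.items() if until <= now]
        for ip in gone:
            del self.table[ip]
            self.offenses.pop(ip, None)
        return gone


def run_sample():
    """Run the constructed alerts through a -p 2 -r 2 -t 60 configuration."""
    blocker = Blocker(priority=2, repeat=2, seconds=60, passlist=load_passlist(PASSLIST_TEXT))
    results = [blocker.process(line, now=i) for i, line in enumerate(ALERTS_TEXT.splitlines())]
    return blocker, results


if __name__ == "__main__":
    blocker, results = run_sample()
    print(results, {str(k): v for k, v in blocker.table.items()})
    print(load_blocklist(BLOCKLIST_TEXT))
```

With -p 2 -r 2 the first two priority-2 alerts from 203.0.113.9 are only counted, the priority-3 alert is ignored, the third alert (priority 1, still within the threshold) triggers the block, and the alert from 10.1.2.3 is dropped because it falls inside the 10.0.0.0/8 passlist entry; the malformed CIDR line in the blocklist is reported rather than loaded.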

While snort2pfcd will parse the default snort alert file, this can produce less than real-time blocking given the burden being placed on snort especially over an active, fast or low-latency connection. The author would strongly recommend using a spooler like barnyard2 to output the text alerts from the snort unified2 binary output.

By default, the user-supplied passlist is prepended with the addresses of all of the local interfaces, as the handling of these addresses is usually specified by more complex packet filter rules, and simply blocking these addresses can cause problems with certain configurations.

For paranoid configurations, the user-supplied passlist can instead be prepended with the address of the external interface only. lo0 is always passlisted.

snort2pfcd also automatically passlists addresses found within the /etc/resolv.conf file as these addresses should also be handled by specific packet filter rules.

A static blocklist table is also maintained and populated within the packet filter firewall with the addresses found within the /usr/local/etc/snort/rules/iplists/default.blocklist file. These addresses can be supplied by the user or automatically populated with addresses supplied by the snort community.

This program is based on snort2c written by Antonio Benojar, which was based on the original snort2pf perl script written by Stephan Schmieder. Expiration of entries uses Henrik Gustafsson's expiretable functions. Blocking functionality is based on pfctl and pftabled functions by Armin Wolfermann.

pf(4), pfctl(8), snort(8), expiretable(1), libcidr(3)

Samee Shahzada <onestsam@gmail.com>
Sept 25th, 2020
