SNORT2PFCD(8)		  BSD System Manager's Manual		 SNORT2PFCD(8)

NAME
     snort2pfcd -- provides real-time blocking of ip addresses from snort
     alerts via packet filter firewall tables.

SYNOPSIS
     snort2pfcd [-e External_Interface] [-w Whitelist_File]
                [-b Blacklist_File] [-W] [-B] [-D] [-F] [-Z] [-l Log_File]
                [-a Alert_File] [-p Priority] [-r Repeat_Offenses]
                [-t Seconds] [-d Pf_device] [-q Seconds] [-m Thr_max] [-v]
                [-h]

DESCRIPTION
     snort2pfcd monitors snort alert output and blocks ip addresses for a
     given snort priority using packet filter table entries for a specified
     period of time. A whitelist is specified to exclude local and trusted ip
     addresses from being blocked. snort2pfcd also preloads the community
     maintained and supplied snort blacklist by default. The whitelist and
     blacklist files are monitored and snort2pfcd automatically reloads and
     updates the tables when changes are made to these files.

     The options are as follows:

     -e External_Interface
             external interface, e.g. eth0, or "all" to whitelist all
             interfaces; default is to whitelist all interfaces.

     -w Whitelist_File
             whitelist file, default is
             /usr/local/etc/snort/rules/iplists/default.whitelist.

     -W      If set, will prevent loading of any whitelist file.

     -b Blacklist_File
             blacklist file, default is
             /usr/local/etc/snort/rules/iplists/default.blacklist.

     -B      If set, will prevent loading of the snort blacklist file.

     -D      If set, will disable the DNS lookup functionality.

     -F      Foreground mode. If set, will not daemonize.

     -Z      If set, will prevent the whitelisting of entries in the
             /etc/resolv.conf file.

     -l Log_File
             log file location, default is /var/log/snort2pfcd.log.

     -a Alert_File
             snort alert file location, default is /var/log/snort/alert.

     -p Priority
             The priority level at which to block an ip address in the snort
             log. Default is 1. A less severe (numerically higher) priority
             includes all more severe ones; for example, -p 3 includes
             priorities 3, 2 and 1.

     -r Repeat_Offenses
             Number of times an ip address may commit an offense before being
             added to the packet filter block table. Default is 0. For
             example, -p 2 -r 2 specifies that any priority 1 or 2 snort
             alert for a given network address will be blocked only after 2
             repeated snort alerts (3 snort alerts total).

     -t Seconds
             The number of seconds to block an ip address, default is 60*60
             or 1 hour.

     -d Pf_device
             Packet filter device interface. Default is /dev/pf.

     -q Seconds
             The number of seconds to wait before starting to parse the snort
             alert file. Useful if snort2pfcd is interfering with connection
             setup, especially shortly after boot. Default is 0.

     -m Thr_max
             Maximum number of DNS request threads. Default is 100.
             snort2pfcd uses a non-blocking design to ensure that waiting for
             DNS names to resolve for the block log does not interfere with
             the blocking of snort alerts. Instead of the main program
             waiting, a new thread is spawned to do the waiting. Since
             connection speeds vary widely (100Mb/s to more than 40Gb/s) and
             servers also vary in processing capability, the option exists to
             increase or decrease the maximum number of threads waiting for
             DNS requests. Once the maximum number of threads waiting for a
             DNS response is reached, logging will stop until an active
             thread exits. The main program, however, will continue its
             blocking function, with a cessation in logging until a new
             thread can be spawned.

     -v      Increase verbosity.

     -h      Show help.

THEORY OF OPERATION
     The snort intrusion detection system monitors network traffic and will
     generate an alert if this traffic matches a rule for a type of noteworthy
     activity. snort2pfcd monitors this alert file and can then add the
     offending ip address to a packet filter block table. snort2pfcd provides
     the above options for the user to specify the conditions under which the
     offending address is added to the packet filter block table.

     Differentiating between benign and malicious network traffic is
     difficult and, unfortunately, snort generates a fair amount of false
     positives. Also, the snort IDS's primary function is to log noteworthy
     network traffic and its authors did not necessarily intend for the
     logged addresses to be blocked. This being said, snort's rules are
     highly configurable and can be adjusted for more appropriate
     functioning in this context. To assist the user with filtering network
     traffic produced by various network entities, snort2pfcd will
     automatically resolve the offending ip address and display the DNS name
     in the snort2pfcd block log. Should the user decide that the offending
     address is trustworthy, the user can add the address, or alternatively,
     research and add the entire CIDR address block assigned to that network
     entity, to the whitelist. Whitelisted addresses or CIDR address blocks
     generating a snort alert will not be added to the packet filter block
     table.

     snort2pfcd also loads the snort community supplied blacklist file into a
     separate packet filter block table by default. Table entries are named
     "snort2pfcd" for dynamic entries, which can be viewed with "pfctl -t
     snort2pfcd -T show". Static entries loaded from the community provided
     snort blacklist are populated within the "snort2pfcd_static" table, which
     can be viewed with "pfctl -t snort2pfcd_static -T show".

     At no time should snort2pfcd need to be restarted. snort2pfcd will
     repopulate its packet filter tables if the packet filter is restarted.
     snort2pfcd also monitors the whitelist and blacklist files for changes.
     Changes applied to these files are automatically reloaded and applied to
     the running snort2pfcd processes.
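     The following is an added example, not snort2pfcd's own code: a small
     Python model of the block decision the -p, -r and -t options and the
     whitelist describe, run over constructed alert lines. The one-line
     "alert_fast" layout of the sample alerts, the interface names and all
     addresses are assumptions of the example; the pfctl(8) commands it
     renders are not executed.

```python
"""Added example (not snort2pfcd's code): model of the documented block
decision for -p, -r, -t and the whitelist, over constructed alert lines."""
import ipaddress
import re

# Constructed sample alerts in snort's one-line "alert_fast" style. That
# layout is an assumption; the man page only refers to "the snort alert file".
SAMPLE_ALERTS = """\
05/17-10:00:01.000000  [**] [1:1000001:1] TEST scan [**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 10.0.0.5:22
05/17-10:00:02.000000  [**] [1:1000002:1] TEST exploit attempt [**] [Priority: 1] {TCP} 203.0.113.9:5555 -> 10.0.0.5:80
05/17-10:00:03.000000  [**] [1:1000002:1] TEST exploit attempt [**] [Priority: 1] {TCP} 203.0.113.9:5556 -> 10.0.0.5:80
05/17-10:00:04.000000  [**] [1:1000003:1] TEST probe [**] [Priority: 2] {UDP} 192.168.0.44:1234 -> 10.0.0.5:53
05/17-10:00:05.000000  [**] [1:1000002:1] TEST exploit attempt [**] [Priority: 1] {TCP} 203.0.113.9:5557 -> 10.0.0.5:80
"""

# Constructed whitelist: single addresses or CIDR blocks, as FILES describes.
SAMPLE_WHITELIST = ["127.0.0.1", "10.0.0.0/8", "192.168.0.0/16"]

# Priority, protocol and source address (port optional, e.g. for ICMP).
ALERT_RE = re.compile(r"\[Priority: (\d+)\] \{\w+\} (\S+?)(?::\d+)? -> ")


def parse_alert(line):
    """Return (priority, source address) for one alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        return int(m.group(1)), ipaddress.ip_address(m.group(2))
    except ValueError:
        return None


def is_whitelisted(addr, whitelist):
    """True if addr is a whitelisted address or inside a whitelisted block."""
    return any(addr in ipaddress.ip_network(e, strict=False) for e in whitelist)


class BlockTable:
    """Offense counts plus timed block entries: an address is added after
    Repeat_Offenses prior alerts and dropped again Seconds later."""

    def __init__(self, priority=1, repeat=0, seconds=3600, whitelist=()):
        self.priority = priority      # -p: block this priority and more severe
        self.repeat = repeat          # -r: offenses tolerated before blocking
        self.seconds = seconds        # -t: block duration in seconds
        self.whitelist = list(whitelist)
        self.offenses = {}            # addr -> qualifying alerts seen so far
        self.blocked = {}             # addr -> expiry time

    def handle_alert(self, line, now):
        """Process one alert at time `now`; return a newly blocked address or None."""
        parsed = parse_alert(line)
        if parsed is None:
            return None
        prio, addr = parsed
        # snort priority 1 is the most severe, so -p 3 covers 3, 2 and 1.
        if prio > self.priority or is_whitelisted(addr, self.whitelist):
            return None
        self.offenses[addr] = self.offenses.get(addr, 0) + 1
        if addr in self.blocked or self.offenses[addr] <= self.repeat:
            return None
        self.blocked[addr] = now + self.seconds
        return addr

    def expire(self, now):
        """Drop entries whose block period has elapsed and return them.
        Resetting the offense count on expiry is an assumption of this example."""
        expired = [a for a, until in self.blocked.items() if until <= now]
        for a in expired:
            del self.blocked[a]
            self.offenses.pop(a, None)
        return expired


def pfctl_commands(table, addrs, action="add"):
    """Render pfctl(8) table operations; "snort2pfcd" is the documented table."""
    return [f"pfctl -t {table} -T {action} {a}" for a in addrs]


def run(alert_text, priority=1, repeat=0, seconds=3600, whitelist=SAMPLE_WHITELIST):
    """Feed each line to a BlockTable one simulated second apart; return the
    blocked addresses as strings in blocking order."""
    table = BlockTable(priority, repeat, seconds, whitelist)
    blocked = []
    for t, line in enumerate(alert_text.splitlines()):
        added = table.handle_alert(line, now=t)
        if added is not None:
            blocked.append(str(added))
    return blocked


if __name__ == "__main__":
    # -p 2 -r 2: only 203.0.113.9 reaches three priority-1 alerts;
    # 198.51.100.7 is priority 3 and 192.168.0.44 is whitelisted.
    for cmd in pfctl_commands("snort2pfcd", run(SAMPLE_ALERTS, priority=2, repeat=2)):
        print(cmd)
```

     Changing the arguments of run() shows the interaction the -r text
     describes: with the defaults (-p 1 -r 0) the first priority-1 alert from
     203.0.113.9 is enough, while -p 3 also blocks the priority-3 scanner.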

FILES
Whitelist
     Whitelist entries can be single ip addresses (e.g. 192.168.0.1) or
     blocks of addresses in CIDR format (e.g. 192.168.0.0/24). Each entry
     should be on a separate line.

Blacklist
     Blacklist entries provided by the snort community contain a list of
     single ip addresses and snort2pfcd will only accept entries in this
     format (e.g. 192.168.0.1). Each entry should be on a separate line.

NOTES
     While snort2pfcd will parse the default snort alert file, this can
     produce less than real-time blocking given the burden being placed on
     snort, especially over an active, fast or low-latency connection. The
     author would strongly recommend using a spooler like barnyard2 to output
     the text alerts from the snort unified2 binary output.

     By default, the user-supplied whitelist is prepended with the addresses
     of all of the local interfaces, as the handling of these addresses is
     usually specified by more complex packet filter rules and simply blocking
     these addresses can cause problems with certain configurations.

     The user-supplied whitelist can also be prepended with the address of the
     external interface only, for paranoid configurations. Lo0 is always
     whitelisted.

     snort2pfcd also automatically whitelists addresses found within the
     /etc/resolv.conf file, as these addresses should also be handled by
     specific packet filter rules.

     A static blacklist table is also maintained and populated within the
     packet filter firewall with the addresses found within the
     /usr/local/etc/snort/rules/iplists/default.blacklist file. These
     addresses can be supplied by the user or automatically populated with
     addresses supplied by the snort community.
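     The following is an added example, not snort2pfcd's own code: it loads
     whitelist and blacklist text in the formats the FILES section gives
     (rejecting a CIDR entry in the blacklist instead of silently expanding
     it), prepends the automatic entries the NOTES section lists (local
     interface addresses or the external interface only, lo0 always, and
     resolv.conf nameservers unless -Z), and renders the pfctl(8) loads for
     the "snort2pfcd_static" table. The file contents, interface names and
     addresses are constructed; skipping blank and "#" comment lines is an
     assumption, as the page only says one entry per line.

```python
"""Added example (not snort2pfcd's code): whitelist/blacklist loading and the
automatic whitelist entries described in FILES and NOTES, on constructed input."""
import ipaddress

# Constructed file contents (comment handling is an assumption of the example).
WHITELIST_TEXT = """\
# trusted management network
192.168.0.0/24
203.0.113.42
"""

BLACKLIST_TEXT = """\
198.51.100.7
198.51.100.0/24
not-an-address
198.51.100.9
"""

RESOLV_CONF_TEXT = """\
search example.test
nameserver 192.0.2.53
nameserver 2001:db8::53
"""

# Constructed stand-ins for the addresses of the local interfaces.
LOCAL_IFACE_ADDRS = {"em0": "203.0.113.10", "lo0": "127.0.0.1"}


def _entries(text):
    """Yield (line number, entry) for non-blank, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line


def load_whitelist(text):
    """Whitelist entries may be single addresses or CIDR blocks.
    Returns (networks, rejected) where rejected lists (line, reason)."""
    nets, rejected = [], []
    for n, entry in _entries(text):
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((n, f"{entry!r} is not an address or CIDR block"))
    return nets, rejected


def load_blacklist(text):
    """The static blacklist accepts single ip addresses only."""
    addrs, rejected = [], []
    for n, entry in _entries(text):
        try:
            addrs.append(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append((n, f"{entry!r} is not a single ip address"))
    return addrs, rejected


def resolv_conf_nameservers(text):
    """Addresses from the 'nameserver' lines of resolv.conf(5)."""
    out = []
    for _, entry in _entries(text):
        parts = entry.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                out.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass
    return out


def build_whitelist(user_text, iface_addrs, resolv_text,
                    external_iface="all", skip_resolv=False):
    """Prepend the automatic entries: every local interface address (or only
    the one -e names), lo0 always, resolv.conf nameservers unless -Z (skip_resolv).
    Returns networks in order with duplicates removed."""
    auto = []
    for name, addr in iface_addrs.items():
        if name == "lo0" or external_iface in ("all", name):
            auto.append(ipaddress.ip_network(addr))
    if not skip_resolv:
        auto.extend(ipaddress.ip_network(str(a)) for a in resolv_conf_nameservers(resolv_text))
    user, _ = load_whitelist(user_text)
    seen, merged = set(), []
    for net in auto + user:
        if net not in seen:
            seen.add(net)
            merged.append(net)
    return merged


def pfctl_load(table, items):
    """One 'pfctl -t TABLE -T add' command per entry (not executed here)."""
    return [f"pfctl -t {table} -T add {item}" for item in items]


if __name__ == "__main__":
    wl = build_whitelist(WHITELIST_TEXT, LOCAL_IFACE_ADDRS, RESOLV_CONF_TEXT)
    print("whitelist:", [str(n) for n in wl])
    bl, bad = load_blacklist(BLACKLIST_TEXT)
    for n, why in bad:
        print(f"blacklist line {n} rejected: {why}")
    print("\n".join(pfctl_load("snort2pfcd_static", bl)))
```

     Reporting the rejected line numbers matters operationally: a malformed
     line in a file the daemon reloads automatically would otherwise drop an
     entry from the tables without anyone noticing.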

CREDITS
     This program is based on snort2c written by Antonio Benojar, which was
     based on the original snort2pf perl script written by Stephan Schmieder.
     Expiration of entries uses Henrik Gustafsson's expiretable functions.
     Blocking functionality is based on pfctl and pftabled functions by Armin
     Wolfermann.

SEE ALSO
     pf(4), pfctl(8), snort(8), expiretable(1), libcidr(3)

AUTHORS
     Samee Shahzada <onestsam@gmail.com>

				 May 17, 2017

<https://www.freebsd.org/cgi/man.cgi?query=snort2pfcd&sektion=8&manpath=FreeBSD+12.0-RELEASE+and+Ports>