SNORT2PFCD(8)		FreeBSD	System Manager's Manual		 SNORT2PFCD(8)

     snort2pfcd -- provides real-time blocking of IP addresses from snort
     alerts via packet filter firewall tables.

     snort2pfcd [-e External_Interface] [-w Passlist_File] [-b Blocklist_File]
                [-W] [-B] [-C] [-D] [-F] [-Z] [-l Log_File] [-a Alert_File]
                [-p Priority] [-r Repeat_Offenses] [-t Seconds] [-d Pf_device]
                [-q Seconds] [-m Thr_max] [-v] [-h]

     snort2pfcd monitors snort alert output and blocks IP addresses for a
     given snort priority using packet filter table entries for a specified
     period of time. A passlist is specified to exclude local and trusted IP
     addresses from being blocked.  snort2pfcd also preloads the community
     maintained and supplied snort blocklist by default. The passlist and
     blocklist files are monitored, and snort2pfcd automatically reloads and
     updates the tables when changes are made to these files.

     The options are as	follows:

     -e External_Interface
             External interface, e.g. eth0, or "all" to passlist all
             interfaces. The default is to passlist all interfaces.

     -w	Passlist_File
	     passlist file, default is /usr/local/etc/snort/rules/iplists/de-

     -W	     If	set, will prevent loading of any passlist file.

     -b	Blocklist_File
	     blocklist file, default is	/usr/local/etc/snort/rules/iplists/de-

     -B	     If	set, will prevent loading of the snort blocklist file.

     -C	     If	set, will enable debug mode for	gdb, lldb, etc.

     -D	     If	set, will disable the DNS lookup functionality.

     -F	     Foreground	mode. If set, will not daemonize.

     -Z      If set, will prevent the passlisting of entries in the
             /etc/resolv.conf file.

     -l	Log_File
	     log file location,	default	is /var/log/snort2pfcd.log.

     -a	Alert_File
	     snort alert file location,	default	is /var/log/snort/alert.

     -p Priority
             The priority level at which to block an IP address in the snort
             log. Default is 1.  A lower priority includes the higher
             priorities, for example, -p 3 includes priorities 3, 2 and 1.

     -r Repeat_Offenses
             Number of times an IP address may commit an offense before being
             added to the packet filter block table.  Default is 0. For
             example, -p 2 -r 2 specifies that any priority 1 or 2 snort alert
             for a given network address will be blocked only after 2 repeated
             snort alerts (3 snort alerts total).

     -t	Seconds
	     The number	of seconds to block an ip address, default is 60*60 or
	     1 hour.

     -d	Pf_device
	     Packet filter device interface. Default is	/dev/pf.

     -q	Seconds
	     The number	of seconds to wait before starting to parse the	snort
	     alert file. Useful	if snort2pfcd is interfering with connection
	     setup, especially shortly after boot. Default is 0.

     -m Thr_max
             Maximum number of DNS request threads. Default is 100.
             snort2pfcd uses a non-blocking design to ensure that waiting for
             DNS names to resolve for the block log does not interfere with
             the blocking of snort alerts. Instead of the main program
             waiting, a new thread is spawned to do the waiting. Since
             connection speeds vary widely (100 Mb/s to more than 40 Gb/s)
             and servers also vary in processing capability, this option
             exists to increase or decrease the maximum number of threads
             waiting for DNS requests. Once the maximum number of threads
             waiting for a DNS response is reached, logging will stop until
             an active thread exits. The main program, however, will continue
             its blocking function, with logging paused until a new thread
             can be spawned.

     -v	     Increase verbosity.

     -h	     Show help.

     The snort intrusion detection system monitors network traffic and will
     generate an alert if this traffic matches a rule for a type of noteworthy
     activity.  snort2pfcd monitors this alert file and can then add the
     offending IP address to a packet filter block table.  snort2pfcd provides
     the above options for the user to specify the conditions under which the
     offending address is added to the packet filter block table.

     Differentiating between benign and malicious network traffic is difficult
     and, unfortunately, snort generates a fair amount of false positives.
     Also, the snort IDS's primary function is to log noteworthy network
     traffic, and its authors did not necessarily intend for the logged
     addresses to be blocked. This being said, snort's rules are highly
     configurable and can be adjusted for more appropriate functioning in this
     context.  To assist the user with filtering network traffic produced by
     various network entities, snort2pfcd will automatically resolve the
     offending IP address and display the DNS name in the snort2pfcd block
     log. Should the user decide that the offending address is trustworthy,
     the user can add the address, or alternatively, research and add the
     entire CIDR address block assigned to that network entity, to the
     passlist. Passlisted addresses or CIDR address blocks generating a snort
     alert will not be added to the packet filter block table.

     snort2pfcd	also loads the snort community supplied	blocklist file into a
     separate packet filter block table	by default. Table entries are named
     "snort2pfcd" for dynamic entries which can	be viewed with "pfctl -t
     snort2pfcd	-T show". Static entries loaded	from the community provided
     snort blocklist are populated within the "snort2pfcd_static" table	which
     can be viewed with	"pfctl -t snort2pfcd_static -T show".

     At no time should snort2pfcd need to be restarted.  snort2pfcd will
     repopulate its packet filter tables if the packet filter is restarted.
     snort2pfcd also monitors the passlist and blocklist files for changes.
     Changes applied to these files are automatically reloaded and applied to
     the running snort2pfcd process.

     Passlist entries can be single IP addresses (e.g. or blocks
     of addresses in CIDR format (e.g. Each entry should be
     on a separate line.
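     The blocking decision described under -p and -r, together with the
     passlist format above, modelled as an added example; this is not the
     daemon's own code, the alert lines and passlist are constructed, and it
     is assumed that the address snort2pfcd would block is the alert's source.

```python
# Added example: models snort2pfcd's blocking decision (-p, -r and the passlist)
# over constructed snort "fast" alert lines; this is not the daemon's own code.
import re
from ipaddress import ip_address, ip_network

# Constructed sample alert lines (assumption: the blocked address is the source).
ALERTS = """\
01/01-10:00:01.000000 [**] [1:1000001:1] TEST [**] [Priority: 1] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22
01/01-10:00:02.000000 [**] [1:1000002:1] TEST [**] [Priority: 2] {TCP} 198.51.100.7:4444 -> 192.0.2.10:22
01/01-10:00:03.000000 [**] [1:1000002:1] TEST [**] [Priority: 2] {TCP} 198.51.100.7:4445 -> 192.0.2.10:22
01/01-10:00:04.000000 [**] [1:1000002:1] TEST [**] [Priority: 2] {TCP} 198.51.100.7:4446 -> 192.0.2.10:22
01/01-10:00:05.000000 [**] [1:1000003:1] TEST [**] [Priority: 3] {TCP} 203.0.113.9:4444 -> 192.0.2.10:22
01/01-10:00:06.000000 [**] [1:1000001:1] TEST [**] [Priority: 1] {UDP} 192.0.2.77:53 -> 192.0.2.10:53
"""

# Constructed passlist: one single address and one CIDR block, one per line.
PASSLIST = "10.0.0.1\n192.0.2.0/24\n"

ALERT_RE = re.compile(r"\[Priority: (\d+)\].*?\{\w+\} ([\d.]+):\d+ -> ")

def parse_passlist(text):
    """Each non-empty line is a single address or a CIDR block."""
    return [ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]

def decide_blocks(alerts, passlist_text, priority=1, repeat=0):
    """Return the addresses that would enter the pf table, in order.

    An alert counts when its priority is <= -p (lower includes higher).
    An address is blocked on its (repeat + 1)-th counted alert, so -r 2
    means two repeats, three alerts in total. Passlisted addresses or
    blocks never count.
    """
    passlist = parse_passlist(passlist_text)
    offenses, blocked = {}, []
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m.group(1)) > priority:
            continue  # unparseable line, or not severe enough for -p
        addr = ip_address(m.group(2))
        if any(addr in net for net in passlist):
            continue  # trusted: never added to the block table
        offenses[addr] = offenses.get(addr, 0) + 1
        if offenses[addr] == repeat + 1:
            blocked.append(str(addr))
    return blocked
```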

     Blocklist entries provided by the snort community contain a list of
     single IP addresses and snort2pfcd will only accept entries in this
     format (e.g. Each entry should be on a separate line.

     While snort2pfcd will parse the default snort alert file, this can
     produce less than real-time blocking given the burden being placed on
     snort, especially over an active, fast or low-latency connection. The
     author would strongly recommend using a spooler like barnyard2 to output
     the text alerts from the snort unified2 binary output.

     By default, the user-supplied passlist is prepended with the addresses of
     all of the local interfaces, as the handling of these addresses is
     usually specified by more complex packet filter rules and simply blocking
     these addresses can cause problems with certain configurations.

     The user-supplied passlist	can also be prepended with the address of the
     external interface	only for paranoid configurations. Lo0 is always

     snort2pfcd also automatically passlists addresses found within the
     /etc/resolv.conf file, as these addresses should also be handled by
     specific packet filter rules.

     A static blocklist table is also maintained and populated within the
     packet filter firewall with the addresses found within the
     /usr/local/etc/snort/rules/iplists/default.blacklist file. These
     addresses can be supplied by the user or automatically populated with
     addresses supplied by the snort community.

     This program is based on snort2c written by Antonio Benojar, which was
     based on the original snort2pf perl script written by Stephan Schmieder.
     Expiration of entries uses Henrik Gustafsson's expiretable functions.
     Blocking functionality is based on pfctl and pftabled functions by Armin

     pf(4), pfctl(8), snort(8),	expiretable(1),	libcidr(3),

     Samee Shahzada <>

				  Aug 1, 2020
