FreeBSD Manual Pages
NAME
     snort2pfcd -- provides real-time blocking of ip addresses from snort
     alerts via packet filter firewall tables.

SYNOPSIS
     snort2pfcd [-e External_Interface] [-w Passlist_File]
                [-b Blocklist_File] [-W] [-B] [-C] [-D] [-F] [-Z]
                [-l Log_File] [-a Alert_File] [-p Priority]
                [-r Repeat_Offenses] [-t Seconds] [-d Pf_device]
                [-q Seconds] [-m Thr_max] [-v] [-h]

DESCRIPTION
     snort2pfcd monitors snort alert output and blocks ip addresses for a
     given snort priority using packet filter table entries for a specified
     period of time.  A passlist is specified to exclude local and trusted
     ip addresses from being blocked.  snort2pfcd also preloads the
     community maintained and supplied snort blocklist by default.  The
     passlist and blocklist files are monitored and snort2pfcd
     automatically reloads and updates the tables when changes are made to
     these files.

     The options are as follows:

     -e External_Interface
             External interface, e.g. eth0, or "all" to passlist all
             interfaces.  Default is to passlist all interfaces.

     -w Passlist_File
             Passlist file.  Default is
             /usr/local/etc/snort/rules/iplists/default.passlist.

     -W      If set, will prevent loading of any passlist file.

     -b Blocklist_File
             Blocklist file.  Default is
             /usr/local/etc/snort/rules/iplists/default.blocklist.

     -B      If set, will prevent loading of the snort blocklist file.

     -C      If set, will enable debug mode for gdb, lldb, etc.

     -D      If set, will disable the DNS lookup functionality.

     -F      Foreground mode.  If set, will not daemonize.

     -Z      If set, will prevent the passlisting of entries in the
             /etc/resolv.conf file.

     -l Log_File
             Log file location.  Default is /var/log/snort2pfcd.log.

     -a Alert_File
             Snort alert file location.  Default is /var/log/snort/alert.

     -p Priority
             The priority level at which to block an ip address in the
             snort log.  Default is 1.  Lower priority includes higher
             priority, for example, -p 3 includes priorities 3, 2 and 1.
     -r Repeat_Offenses
             Number of times an ip address may commit an offense before
             being added to the packet filter block table.  Default is 0.
             For example, -p 2 -r 2 specifies that any priority 1 or 2
             snort alert for a given network address will be blocked only
             after 2 repeated snort alerts (3 snort alerts total).

     -t Seconds
             The number of seconds to block an ip address.  Default is
             60*60 or 1 hour.

     -d Pf_device
             Packet filter device interface.  Default is /dev/pf.

     -q Seconds
             The number of seconds to wait before starting to parse the
             snort alert file.  Useful if snort2pfcd is interfering with
             connection setup, especially shortly after boot.  Default is
             0.

     -m Thr_max
             Maximum number of DNS request threads.  Default is 100.
             snort2pfcd uses a non-blocking design to ensure that waiting
             for DNS names to resolve in the block log does not interfere
             with the blocking of snort alerts.  Instead of the main
             program waiting, a new thread is spawned to do the waiting.
             Since connection speeds vary widely (100mb/s - >40Gb/s) and
             servers also vary in terms of processing capability, the
             option exists to increase or decrease the maximum number of
             threads waiting for DNS requests.  Once the maximum number of
             threads waiting for a DNS response is reached, logging will
             stop until an active thread exits.  The main program however
             will continue its blocking function with a cessation in
             logging until a new thread can be spawned.

     -v      Increase verbosity.

     -h      Show help.

THEORY OF OPERATION
     The snort intrusion detection system monitors network traffic and will
     generate an alert if this traffic matches a rule for a type of
     noteworthy activity.  snort2pfcd monitors this alert file and can then
     add the offending ip address to a packet filter block table.
     snort2pfcd provides the above options for the user to specify the
     conditions under which the offending address is added to the packet
     filter block table.
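     The following is an added example, not code from snort2pfcd itself,
     that models the conditions described above: an alert's priority is
     compared against -p, offenses are counted against -r, passlisted
     addresses (single addresses or CIDR blocks, one per line) are never
     blocked, and entries expire after -t seconds.  It assumes the snort
     "fast" alert layout for the sample lines and takes the alert's source
     address as the offender; the sample alerts, the passlist contents
     and the "#"-comment handling are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed snort "fast" alert layout: "... [Priority: N] {PROTO} SRC[:port] -> DST[:port]".
# The page does not document the exact format snort2pfcd parses.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def load_passlist(text):
    """Parse passlist entries: a single address or a CIDR block per line.
    Blank lines and '#' comments are skipped (an assumption of this example)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False accepts host bits set, e.g. 192.168.0.1/24 -> 192.168.0.0/24
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_passlisted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


class Blocker:
    """Models the -p / -r / -t decision.  `priority` is the -p threshold
    (lower number = more severe, so -p 3 includes 3, 2 and 1), `repeat` is
    -r (extra alerts tolerated before blocking), `ttl` is -t in seconds."""

    def __init__(self, passlist, priority=1, repeat=0, ttl=3600):
        self.passlist = passlist
        self.priority = priority
        self.repeat = repeat
        self.ttl = timedelta(seconds=ttl)
        self.offenses = {}   # addr -> qualifying alerts seen so far
        self.table = {}      # addr -> expiry time (stands in for the pf table)

    def expire(self, now):
        for addr in [a for a, exp in self.table.items() if exp <= now]:
            del self.table[addr]

    def feed(self, line, now):
        """Process one alert line; return True if it caused a new block."""
        self.expire(now)
        m = ALERT_RE.search(line)
        if not m:
            return False
        if int(m.group("prio")) > self.priority:
            return False                     # less severe than -p: ignored
        src = m.group("src")
        if is_passlisted(src, self.passlist) or src in self.table:
            return False                     # trusted, or already blocked
        self.offenses[src] = self.offenses.get(src, 0) + 1
        if self.offenses[src] > self.repeat:  # -r 2 -> block on the 3rd alert
            self.table[src] = now + self.ttl
            del self.offenses[src]           # counter restarts after expiry
            return True
        return False

    def blocked(self, now):
        self.expire(now)
        return sorted(self.table)


SAMPLE_ALERTS = [  # constructed sample lines, not real snort output
    "09/25-12:00:00.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:52310",
    "09/25-12:00:01.000001  [**] [1:2000001:1] EXAMPLE dns query [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.5:53 -> 192.168.1.10:40000",
    "09/25-12:00:02.000001  [**] [1:2000002:1] EXAMPLE smb probe [**] "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.5:4444 -> 192.168.1.10:445",
    "09/25-12:00:03.000001  [**] [1:2000003:1] EXAMPLE ssh scan [**] "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 192.168.1.77:1234 -> 192.168.1.10:22",
    "09/25-12:00:04.000001  [**] [1:2000004:1] EXAMPLE icmp probe [**] "
    "[Classification: Misc activity] [Priority: 2] {ICMP} 203.0.113.5 -> 192.168.1.10",
    "09/25-12:00:05.000001  [**] [1:2000005:1] EXAMPLE web probe [**] "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 198.51.100.9:5555 -> 192.168.1.10:80",
]


def demo():
    """Run the samples with -p 2 -r 2 -t 60 over a passlist covering the LAN."""
    passlist = load_passlist("# constructed passlist\n192.168.1.0/24\n203.0.113.250\n")
    b = Blocker(passlist, priority=2, repeat=2, ttl=60)
    t0 = datetime(2020, 9, 25, 12, 0, 0)
    events = [b.feed(line, t0 + timedelta(seconds=i)) for i, line in enumerate(SAMPLE_ALERTS)]
    after = b.blocked(t0 + timedelta(seconds=len(SAMPLE_ALERTS)))  # while entry is live
    later = b.blocked(t0 + timedelta(seconds=200))                 # past the 60 s ttl
    return events, after, later


if __name__ == "__main__":
    print(demo())
```

     Only the fifth sample alert blocks: 203.0.113.5 has by then produced
     three alerts at priority 2 or better (the priority 3 alert does not
     count), the 192.168.1.77 alert is dropped by the passlist, and the
     198.51.100.9 alert is its first offense.  The entry disappears again
     once the ttl has elapsed, which is what the pf table would show after
     expiretable removes it.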
     Differentiating between benign and malicious network traffic is
     difficult and, unfortunately, snort generates a fair amount of
     false-positives.  Also, the snort IDS's primary function is to log
     noteworthy network traffic and its authors did not necessarily intend
     for the logged addresses to be blocked.  This being said, snort's
     rules are highly configurable and can be adjusted for more
     appropriate functioning in this context.  To assist the user with
     filtering network traffic produced by various network entities,
     snort2pfcd will automatically resolve the offending ip address and
     display the DNS name in the snort2pfcd block log.  Should the user
     decide that the offending address is trustworthy, the user can add
     the address, or alternatively, research and add the entire CIDR
     address block assigned to that network entity, to the passlist.
     Passlisted addresses or CIDR address blocks generating a snort alert
     will not be added to the packet filter block table.

     snort2pfcd also loads the snort community supplied blocklist file
     into a separate packet filter block table by default.  Table entries
     are named "snort2pfcd" for dynamic entries which can be viewed with
     "pfctl -t snort2pfcd -T show".  Static entries loaded from the
     community provided snort blocklist are populated within the
     "snort2pfcd_static" table which can be viewed with
     "pfctl -t snort2pfcd_static -T show".

     At no time should snort2pfcd need to be restarted.  snort2pfcd will
     repopulate its packet filter tables if the packet filter is
     restarted.  snort2pfcd also monitors the passlist and blocklist files
     for changes.  Changes applied to these files are automatically
     reloaded and applied to the running snort2pfcd processes.

FILES
   Passlist
     Passlist entries can be single ip addresses (e.g. 192.168.0.1) or
     blocks of addresses in CIDR format (e.g. 192.168.0.0/24).  Each entry
     should be on a separate line.
   Blocklist
     Blocklist entries provided by the snort community contain a list of
     single ip addresses and snort2pfcd will only accept entries in this
     format (e.g. 192.168.0.1).  Each entry should be on a separate line.

NOTES
     While snort2pfcd will parse the default snort alert file, this can
     produce less than real-time blocking given the burden being placed on
     snort, especially over an active, fast or low-latency connection.
     The author would strongly recommend using a spooler like barnyard2 to
     output the text alerts from the snort unified2 binary output.

     By default, the user-supplied passlist is prepended with the
     addresses of all of the local interfaces, as the handling of these
     addresses is usually specified by more complex packet filter rules
     and simply blocking these addresses can cause problems with certain
     configurations.  The user-supplied passlist can also be prepended
     with the address of the external interface only for paranoid
     configurations.  Lo0 is always passlisted.

     snort2pfcd also automatically passlists addresses found within the
     /etc/resolv.conf file as these addresses should also be handled by
     specific packet filter rules.

     A static blocklist table is also maintained and populated within the
     packet filter firewall with the addresses found within the
     /usr/local/etc/snort/rules/iplists/default.blocklist file.  These
     addresses can be supplied by the user or automatically populated with
     addresses supplied by the snort community.

CREDITS
     This program is based on snort2c written by Antonio Benojar which was
     based on the original snort2pf perl script written by Stephan
     Schmieder.  Expiration of entries uses Henrik Gustafsson's
     expiretable functions.  Blocking functionality based on pfctl and
     pftabled functions by Armin Wolfermann.

SEE ALSO
     pf(4), pfctl(8), snort(8), expiretable(1), libcidr(3)

AUTHORS
     Samee Shahzada <onestsam@gmail.com>

                               Sept 25th, 2020                 SNORT2PFCD(8)