OpenBSD Journal

Snort2PF :: automagically block naughty hosts

Contributed by Dengue on from the pig-by-the-tail dept.

ssc writes : "Here is a little perl-script that might -hopefully- be usefull to some of you. It parses snort's alert file and blocks the "bad" hosts for a specific amount of time using PF and anchors. You can obtain it from http://unix-geek.info/snort2pf.txt . There's a german mini-howto from the "OpenBSD Dokumentations Projekt" containing instructions for installing it together with snort. http://unixscout.bay13.net/uscout/faq_snort2pf.html I'd love to hear some comments / suggestions."

Reactive IDS systems can be quite controversal, and require careful configuration or you can wind up a victim of your own cleverness. Caveats aside, budding BOFH's should give this a try.

(Comments are closed)


Comments
  1. By Lurene () bitkitten at I hate spam ghettohackers dot n3t on mailto:bitkitten at I hate spam ghettohackers dot n3t

    Yay for quick and easy denial of service attacks...

  2. By Anonymous Coward () on

    In other words... Still, no deep packet inspection for PF.

    Comments
    1. By tedu () on

      in other words, the kernel shouldn't be peeking inside packets.

      i can see it now...
      # most websites are ok
      pass out port 80 http content-type=text/html
      # linux sucks
      block out port 80 http site="kernel.org"
      # no IE allowed on our network
      block out port 80 http agent="IE/6.0"
      # allow thumbnails, but no full blown pr0n
      block outbh port 80 http content-type=image/jpeg name="jenna jameson" fuzziness 60k

      Comments
      1. By Anonymous Coward () on

        No, we will not stop before we have regex code in the kernel (supporting backreferences, they are neat to edit payload) and can load our snort rules into the packet filter.

        Once that's been implemented, we'll notice some odd things, learn about TCP segmentation, and conclude that the whole scheme is mostly flawed. Then we'll import snort's TCP stream-assembly into the kernel, mostly duplicating the existing tcp_input functions. And finally, someone will benchmark the bloat and notice that it's only insignificantly faster than a userland implementation, but we'll not have much time to worry about that, as we're busy fixing the security bugs introduced with all the string handling code.

      2. By Anonymous Coward () on

        Who said it needed to be kernel-space? Hey, the OpenBSD developers are the bigest propenents of privlidge seperation.

  3. By lepole () paulfriedrich@mac.com on mailto:paulfriedrich@mac.com

    Has anyone tried this before http://www.snortsam.net I am thinking about useing it on a OpenBSD System.

    Comments
    1. By ssc () on mailto:ssc (at) unix-geek (dot) info

      Last time I looked at it was in april,
      short after the snort 1.9 bug got public.
      SnortSam didn't play well with Snort 2.0 to that time, so I've written snort2pf.
      I consider it to be "stable" now.

  4. By Philip () pm@mp2.at on mailto:pm@mp2.at

    i tried on OpenBSD 3.3 but i havenīt installed "logtail", is this for Debian only?
    greetings and thanks!
    philip

    Comments
    1. By ssc () on mailto:ssc (at) unix-geek (dot) info

      Logtail is the core of the logsentry package/port,
      as mentioned in the section of snort2pf.

    2. By ssc () on mailto:ssc (at) unix-geek (dot) info

      Logtail is the core of the logsentry package/port,
      as mentioned in the section of snort2pf.

  5. By Renteria () reneria@certmx.org on http://www.certmx.org

    somebody with a mirror of the file?
    i need down...

    Tkz

    Comments
    1. By Renteria () renteria@certmx.org on http://www.certmx.org

      My ISP problem DNS.. tkz, im down the file..

  6. By Anonymous Coward () on

    Troll throught the google cache of web server logs to build a complete list of all the world's proxies (including reverse proxies!).

    Find out a portion of the InterWeb (that uses reactive filtering) you want to take down.

    Attack with spoofed (reverse) proxy addresses.

    Well, it's certainly more general but harder to use than the cisco IOS DoS.

    BTW, is it a general rule that reactive IDS systems will unblock reactive filters upon receiving spoofs from either the IDS address space or from internal addresses? I seem to recall a certain problem with a popular commercial IDS system a few years back...

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]