Date: Tue, 11 Sep 2007 10:00:38 -0500
From: Erik Osterholm <freebsd-lists-erik@erikosterholm.org>
To: Ovi <ovi@unixservers.us>
Cc: freebsd-questions@freebsd.org
Subject: Re: Snort with PF as an IPS
Message-ID: <20070911150038.GA23289@idoru.cepheid.org>
In-Reply-To: <46E6A5E6.8080504@unixservers.us>
References: <46E6A5E6.8080504@unixservers.us>
On Tue, Sep 11, 2007 at 05:27:50PM +0300, Ovi wrote:
> Hello
>
> I am interested if anybody uses snort with pf to block in real time IPs
> detected by snort as viruses, scans and so on.
> I saw on mailing lists that Snort + ipfw (snort_inline) is working, but I
> need pf for this setup.
>
> Also I wonder if it is possible to block p2p traffic using such a setup,
> with p2p rules defined from Snort.
>
> Best Regards,
> ovidiu

We use a simple Perl script to do this with pf. The basic structure is that we maintain a pf table of hosts to block, and the Perl script watches for changes to the snort alert file, parses new entries, adds those entries to the table, and kills all state to that IP address. Of course, this is a pretty drastic measure, so we're very careful about the rules we use in Snort.

I believe that snort-inline just blocks the offending packets (with the option to block the host entirely), but there's no way to use snort-inline with PF at the moment.

Erik
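The structure Erik describes (watch the snort alert file, parse new entries, add the source host to a pf table, kill its states) as an added example in POSIX sh. This is not the Perl script from the mail; it is written here to show the moving parts. Everything it assumes is hypothetical: a pf table named `snort_block` referenced by a `block in quick from <snort_block>` rule in pf.conf, snort writing fast-format alerts to `/var/log/snort/alert`, and a `NEVER_BLOCK` list of your own prefixes so a spoofed or mis-tuned alert cannot lock you out. The sample alert lines in the test are constructed, with a rule SID in the local range.

```shell
#!/bin/sh
# Added example, not the Perl script from the mail. Turns snort fast-format
# alerts into pf table entries and kills the offending host's states.
# Assumptions (hypothetical, adjust to your setup):
#   pf.conf:  table <snort_block> persist
#             block in quick from <snort_block>
#   snort:    output alert_fast to $ALERT_LOG
TABLE="${TABLE:-snort_block}"
PFCTL="${PFCTL:-pfctl}"                  # set PFCTL=echo for a dry run
ALERT_LOG="${ALERT_LOG:-/var/log/snort/alert}"
MAX_PRIORITY="${MAX_PRIORITY:-1}"        # act only on this priority or higher (1 = highest)
NEVER_BLOCK="${NEVER_BLOCK:-10.0.0. 192.168.1.}"   # constructed list of our own prefixes

# Source address of a fast-format line: "... {TCP} 203.0.113.7:4444 -> 10.0.0.5:22"
# (ICMP lines carry no port, so the ":port" group is optional)
alert_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\)\(:[0-9]*\)* -> .*/\1/p'
}

# The snort priority field: "[Priority: 2]"
alert_priority() {
    printf '%s\n' "$1" | sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p'
}

# Exit 0 when the address starts with one of the protected prefixes
is_protected() {
    ip="$1"
    for prefix in $NEVER_BLOCK; do
        case "$ip" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

# Exit 0 when an alert line warrants blocking its source host
should_block() {
    ip=$(alert_src_ip "$1")
    prio=$(alert_priority "$1")
    [ -n "$ip" ] && [ -n "$prio" ] || return 1
    [ "$prio" -le "$MAX_PRIORITY" ] || return 1
    is_protected "$ip" && return 1
    return 0
}

# Add the host to the table and drop every state to or from it.
# "-T add" is idempotent, so repeated alerts for one host are harmless.
block_host() {
    "$PFCTL" -t "$TABLE" -T add "$1" &&
    "$PFCTL" -k "$1" &&                  # states with the host as source
    "$PFCTL" -k 0.0.0.0/0 -k "$1"        # states from anywhere to the host
}

# Exit 0 when the line led to a block, 1 when it was ignored
handle_alert() {
    if should_block "$1"; then
        ip=$(alert_src_ip "$1")
        block_host "$ip" && printf 'blocked %s\n' "$ip" >&2
        return 0
    fi
    return 1
}

# Follow the alert file when run as:  ./snort2pf.sh --watch
if [ "${1:-}" = "--watch" ]; then
    tail -n 0 -F "$ALERT_LOG" | while IFS= read -r line; do
        handle_alert "$line"
    done
fi
```

Run it with `PFCTL=echo ./snort2pf.sh --watch` first and watch what it would do to the table before letting it touch pf; the priority threshold and the protected-prefix list are the two knobs that keep a noisy rule from turning into a self-inflicted outage, which is the caution Erik raises about rule selection.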