From owner-freebsd-questions@FreeBSD.ORG Tue Sep 11 15:00:39 2007
Date: Tue, 11 Sep 2007 10:00:38 -0500
From: Erik Osterholm
To: Ovi
Cc: freebsd-questions@freebsd.org
Subject: Re: Snort with PF as an IPS
Message-ID: <20070911150038.GA23289@idoru.cepheid.org>
In-Reply-To: <46E6A5E6.8080504@unixservers.us>
References: <46E6A5E6.8080504@unixservers.us>
User-Agent: Mutt/1.4.2.3i

On Tue, Sep 11, 2007 at 05:27:50PM +0300, Ovi wrote:
> Hello
>
> I am interested in whether anybody uses Snort with pf to block, in real time, IPs
> detected by Snort as viruses, scans and so on.
> I saw on mailing lists that Snort + ipfw (snort_inline) is working, but I
> need pf for this setup.
>
> Also I wonder if it is possible to block p2p traffic using such a setup,
> with p2p rules defined in Snort.
>
> Best Regards,
> ovidiu

We use a simple Perl script to do this with pf.
The basic structure is that we maintain a pf table of hosts to block, and the Perl script watches for changes to the Snort alert file, parses new entries, adds those entries to the table, and kills all state to that IP address. Of course, this is a pretty drastic measure, so we're very careful about the rules we use in Snort.

I believe that snort-inline just blocks the offending packets (with the option to block the host entirely), but there's no way to use snort-inline with PF at the moment.

Erik
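As an added illustration of the approach Erik describes (this is not his Perl script), here is a Python version that follows a Snort `alert_fast` log, adds each offending source IP to a pf table and kills that host's states with `pfctl`. The table name `snortblock`, the priority threshold and the protected networks are assumptions; the sample alert line is constructed.

```python
"""Added example: tail a Snort alert_fast log, block sources via a pf table."""
import ipaddress
import re
import subprocess
import time
# Constructed sample line in Snort's single-line "alert_fast" output format.
SAMPLE = ("09/11-10:00:38.123456  [**] [1:1000001:1] SCAN example [**] "
          "[Classification: Attempted Information Leak] [Priority: 2] "
          "{TCP} 192.0.2.10:54321 -> 198.51.100.5:22")
# Priority, protocol, then "src[:port] -> dst[:port]" (IPv4 only; ICMP has no ports).
FAST_RE = re.compile(r"\[Priority: (\d+)\].*\{\w+\} (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
                     r" -> (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$")
TABLE = "snortblock"   # assumed name; needs "table <snortblock> persist" in pf.conf
MAX_PRIORITY = 2       # act only on priority 1-2 alerts (lower number = more severe)
# Never block our own or loopback ranges, whatever the alert says (constructed ranges).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "127.0.0.0/8")]

def parse_alert(line):
    """Return (priority, src_ip, dst_ip), or None if the line is not a fast alert."""
    m = FAST_RE.search(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def should_block(line):
    """Return the source IP to block for this alert line, or None to ignore it."""
    parsed = parse_alert(line)
    if parsed is None or parsed[0] > MAX_PRIORITY:
        return None
    src = ipaddress.ip_address(parsed[1])
    return None if any(src in net for net in NEVER_BLOCK) else str(src)

def pfctl_commands(ip):
    """pfctl calls: add to the table, then kill states from and to the host."""
    return [["pfctl", "-t", TABLE, "-T", "add", ip],
            ["pfctl", "-k", ip],
            ["pfctl", "-k", "0.0.0.0/0", "-k", ip]]

def follow(path, run=subprocess.run):
    """Tail the alert file forever, blocking each offending source once."""
    blocked = set()
    with open(path) as fh:
        fh.seek(0, 2)                      # start at end of file: ignore old alerts
        while True:
            line = fh.readline()
            ip = should_block(line) if line else None
            if not line:
                time.sleep(1)              # no new alert yet
            elif ip and ip not in blocked:
                blocked.add(ip)
                for cmd in pfctl_commands(ip):
                    run(cmd, check=False)
```

Run `follow("/var/log/snort/alert")` as root with `output alert_fast` configured in Snort (the default alert file is the multi-line full format, which this parser does not read); it does not handle log rotation.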