
Author Topic: Snort - prevent blocking self


Offline GemeenAapje

Snort - prevent blocking self
« on: February 07, 2018, 03:56:07 am »
Hi guys

I'm trying to configure snort to add some additional security to my web server.

At the moment I'm running it and monitoring the alerts without blocking.

My web server is within my home network and I'm running snort on the pfSense router on the WAN interface only. Is this correct practice?

One thing I see, for example, is when I'm using Deezer that I see my own external IP flag up as accessing iTunes, for example "ET POLICY iTunes User Agent".

Before I enable blocking, I really want to be 2000% sure that my own IP is never going to be added to the banned list, blocking my web server from accessing the outside world.

Any advice greatly welcome.

Thanks
Matt

Offline bmeeks

Re: Snort - prevent blocking self
« Reply #1 on: February 08, 2018, 09:06:43 am »
For home users I recommend running Snort on the LAN. This lets you see actual LAN host IP addresses in the alerts. If you run Snort on the WAN, then you can't see local LAN host IP addresses in any alerts. Instead, all local host IP addresses will be the WAN IP of the firewall. This is because Snort on the WAN sees inbound traffic from the web before the NAT rules are applied, so the destination IP for inbound Internet traffic is the external IP of the firewall. When you run Snort on the LAN, it sees traffic after NAT has been removed, so the actual internal IP addresses of LAN hosts appear in the alerts.

Snort has built-in safeguards that prevent the actual IP interface addresses on the firewall from being blocked. If you get alerts from rules that you know are OK in your environment (such as that ET POLICY rule in your example), then you can disable those rules. Be careful just enabling all the rule categories! You will get a lot of noise. For example, that ET POLICY rule set is mainly there for corporate network admins where corporate IT policies are in place that may forbid employees from accessing iTunes at work. The admins would want an alert if an employee was attempting to access iTunes. For a home user, this policy rule is likely not useful unless you really hate Apple and use only Google Play :D.

Bill
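The two points in Bill's reply (firewall interface addresses are never blocked, and noisy rules get disabled by SID) can be checked offline against a log before blocking is switched on. The script below is an added illustration, not code from this thread or from the pfSense Snort package: the alert lines, the SIDs 9000001/9000002 and the addresses are constructed, and the pass-list semantics (both endpoints of an alert are block candidates, pass-listed hosts and disabled SIDs are skipped) are a simplified model of the package's "block offenders" behaviour.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (not from the original post). 203.0.113.10
# stands in for the firewall's WAN address, which is what the poster saw flagged.
SAMPLE_ALERTS = """\
02/07-03:56:07.123456  [**] [1:9000001:1] ET POLICY iTunes User Agent [**] [Priority: 1] {TCP} 203.0.113.10:51234 -> 198.51.100.5:80
02/07-03:57:12.000001  [**] [1:9000002:1] ET SCAN Nmap Scripting Engine [**] [Priority: 2] {TCP} 192.0.2.77:44321 -> 203.0.113.10:443
02/07-03:58:40.500000  [**] [1:9000002:1] ET SCAN Nmap Scripting Engine [**] [Priority: 2] {TCP} 192.0.2.78:44322 -> 203.0.113.10:443
"""

# gid:sid:rev, message, protocol, then "src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Pass list (assumed): the WAN interface address plus the LAN subnet the web server lives in.
PASS_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "192.168.1.0/24")]
# SIDs disabled after review; 9000001 is the constructed stand-in for the ET POLICY iTunes rule.
DISABLED_SIDS = {"9000001"}


def parse_alerts(text):
    """Return (sid, msg, src, dst) for every fast-format alert line that parses."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append((m["sid"], m["msg"], m["src"], m["dst"]))
    return found


def is_passlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PASS_LIST)


def offenders_to_block(text):
    """Simulate blocking: skip disabled SIDs, never block a pass-listed endpoint."""
    blocked = set()
    for sid, _msg, src, dst in parse_alerts(text):
        if sid in DISABLED_SIDS:
            continue
        for ip in (src, dst):
            if not is_passlisted(ip):
                blocked.add(ip)
    return sorted(blocked)
```

Running it over a real alert log exported from the firewall, with the pass list filled in from the Snort package's Pass Lists tab, shows exactly which hosts would have been blocked and confirms the firewall's own address is not among them.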