
Block P2P Traffics with pfSense using Snort IPS – FCOOS Blogs http://blogs.fcoos.net/block-p2p-traffics-with-pfsense-using-snort-ips/

FCOOS Blogs

PFSENSE, TECHNICAL

Block P2P Traffic with pfSense using Snort IPS

by Sandeep Athiyarath • September 30, 2017 • 0 Comments

Our customers ask for P2P blocking on their network infrastructure. The typical questions are whether pfSense can block P2P traffic at all, and whether it can do L7 (application-layer) filtering.

The advantage of pfSense is that it can achieve P2P filtering in three ways:

1. Block every port other than the required browsing ports (DNS, HTTP and HTTPS) using firewall rules.
2. Throttle P2P traffic to the lowest possible speed with the traffic shaper's bandwidth limiter.
3. Use an IDS/IPS such as Snort or Suricata to detect and block P2P traffic.

The third option is the most thorough, because it identifies the P2P traffic itself instead of relying on ports or bandwidth, and this article is about that option: blocking P2P traffic on the network with Snort IPS.

This assumes that you already have a working pfSense installation. The steps to follow are below. Install the Snort package from the package manager as follows:

After this one-click installation there is a Snort sub-menu under Services.

Next, we need an Oinkcode to download the Snort signatures (rule sets). The Oinkcode is simply an API key for rule-set access. To get one, register an account at http://www.snort.org; you can find your Oinkcode in your account profile, as below:

Enter the Oinkcode in the Global Settings, as below:

With the free subscription you should be able to enable both the Snort GPLv2 rules and the Emerging Threats open rules (ET Open). ET Pro requires a paid subscription. Below is a screenshot for reference.


After this step, update the rule set from the Updates menu. The update may take a little time. After the update, the rules list should look similar to the one below.

The next task is to enable Snort on the required interfaces. I would prefer to select both the WAN and LAN interfaces for better coverage. Make sure to select "Block Offenders" and "Kill States", so that the P2P peer IPs are blocked and their existing firewall states are dropped at the same time.

You may also choose to block both the source and destination IP (BOTH). Make sure that a proper pass list is in place before enabling this: addresses on your pass list are never blocked, even when an alert fires on their traffic, which is what protects your own gateway and DNS servers when both endpoints of a connection are being blocked. After this, enable the rule categories on each enabled interface. By default "Resolve Flowbits" is selected; keep it as it is. Uncheck "Use IPS Policy" if you only care about blocking P2P traffic, as it enables other default rule sets that may not be required. Also, with "Use IPS Policy" selected you cannot manually select rule sets from "Snort Text Rules" and "Snort SO Rules".

Select the relevant P2P categories from all the Snort rule sets.

I didn't find any rules under "Snort p2p rules" in the "Snort Text Rules" category, so I didn't select that one. After saving the Categories section, you get granular control over each category under the interface's Rules menu; for WAN it is "WAN Rules", as below. You will find more customization options under the "emerging-p2p" rules set. You may have to make custom selections based on your requirements.
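The Categories section and the per-interface Rules menu above are the GUI way of enabling a subset of a rule set. The following is an added example (not code from the original post, nor from the Snort or pfSense projects) that does the same selection on rule text: it parses rule lines in Snort/ET format, flags the ones whose message names a P2P protocol, and emits a rule set with only those enabled. The three sample rules are constructed for this example (local SIDs, not real ET rule IDs), and the keyword list is my own heuristic, not something Snort defines.

```python
"""Pick out the P2P rules from a Snort/Emerging Threats rule file.

Added example; the sample rules below are constructed and the P2P keyword
heuristic is an assumption of this example, not part of Snort.
"""
import re
from dataclasses import dataclass

# One Snort rule: optional leading "#" (disabled), action, header up to the
# first "(", then the option list. Multi-line rules are not handled here.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass|log)\s+"
    r"(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$"
)
# One option token: a run of non-';' characters, or a double-quoted string
# that may itself contain ';' (rule messages often do).
OPTION_RE = re.compile(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+')

# Heuristic (assumption): ET names P2P rules by protocol in the msg, and no
# classtype is specific to P2P, so the message text is what we match on.
P2P_KEYWORDS = ("bittorrent", "torrent", "dht", "edonkey", "gnutella", "p2p")


@dataclass
class Rule:
    enabled: bool
    action: str
    header: str
    options_text: str
    options: dict        # option name -> value ("" for flags such as nocase)


def parse_options(text):
    """Turn 'msg:"..."; sid:1; nocase;' into a dict, keeping ';' inside quotes."""
    opts = {}
    for tok in OPTION_RE.findall(text):
        tok = tok.strip()
        if not tok:
            continue
        name, _, value = tok.partition(":")
        opts[name.strip()] = value.strip().strip('"')
    return opts


def parse_rules(lines):
    rules = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue                      # blank lines and ordinary comments
        rules.append(Rule(enabled=m.group("disabled") is None,
                          action=m.group("action"),
                          header=m.group("header"),
                          options_text=m.group("options"),
                          options=parse_options(m.group("options"))))
    return rules


def is_p2p(rule):
    msg = rule.options.get("msg", "").lower()
    return any(k in msg for k in P2P_KEYWORDS)


def render(rule, enabled):
    """Re-emit a rule line; a leading '# ' is how a rule file disables a rule."""
    return f"{'' if enabled else '# '}{rule.action} {rule.header} ({rule.options_text})"


def select_p2p(rules):
    """Return rule lines with every P2P rule enabled and everything else disabled."""
    return [render(r, is_p2p(r)) for r in rules]


def enabled_sids(lines):
    return {r.options["sid"] for r in parse_rules(lines) if r.enabled}


# Constructed sample in the style of emerging-p2p.rules; SIDs are in the local
# (>= 1000000) range and are not real ET rule IDs.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent peer handshake"; flow:established,to_server; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:1000001; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent DHT ping request"; content:"d1:ad2:id20:"; depth:12; classtype:policy-violation; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"POLICY Outbound SMTP from workstation; review"; flow:to_server; classtype:policy-violation; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for line in select_p2p(parse_rules(SAMPLE_RULES.splitlines())):
        print(line)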


Applying the changes reloads the rules into memory. Make the same changes on all the required interfaces. I kept the other parameters at their defaults.

At this point, if everything is fine, you will start getting alerts under the Alerts menu. The Alerts page is the right place to check the status of your Snort setup. Start any P2P client on a LAN computer and watch the Alerts page; you will get alerts similar to these.

Since we configured Snort to block the IPs of P2P connections, by this time we should have blocked IPs on the Blocked page, as below.

Any false positive can be removed from the above IP list by clicking its ('x') remove option. When testing with a torrent client (Deluge), new downloads should fail with a connection timeout error.

Watch your blocked IP entries grow; as the table grows, Snort becomes more and more effective at blocking P2P traffic, because peers already in the block table are dropped by the firewall before they can be contacted again.
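To make the "Block Offenders", "Which IP to Block", pass list and "Kill States" settings concrete, the following is an added example (not part of the original post, and not code from the pfSense Snort package) that models what the package does with a stream of alerts: it parses alerts in Snort's "fast" alert format, picks the source, destination or both endpoints, never blocks a pass-listed address, drops existing states for a newly blocked host, and lets a false positive be removed as with the 'x' on the Blocked page. The alert lines and addresses are constructed (RFC 1918 and RFC 5737 documentation ranges); the class and function names are mine.

```python
"""Model of pfSense's Snort 'Block Offenders' behaviour on a stream of alerts.

Added example, not the pfSense package's code. SAMPLE_ALERTS is constructed;
the Blocker class and its method names are this example's own.
"""
import ipaddress
import re

# Constructed alerts in Snort "fast" format: timestamp, [gid:sid:rev], msg,
# classification/priority, {proto}, src:port -> dst:port.
SAMPLE_ALERTS = """\
09/30-10:15:02.123456  [**] [1:1000001:1] P2P BitTorrent peer handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.20:51413 -> 203.0.113.7:6881
09/30-10:15:03.001200  [**] [1:1000002:1] P2P BitTorrent DHT ping request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 203.0.113.9:6881 -> 192.168.1.20:51413
09/30-10:15:04.500000  [**] [1:1000001:1] P2P BitTorrent peer handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.20:51414 -> 203.0.113.7:6881
09/30-10:16:10.000000  [**] [1:1000010:2] P2P Gnutella client request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 198.51.100.1:53 -> 192.168.1.30:40321
"""
# The last line is a constructed misfire on the site's DNS server: exactly the
# case where "block BOTH" without a pass list would cut off name resolution.

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of the alert's fields, or None for a line that is not an alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


class Blocker:
    """'Block Offenders' with a 'Which IP to Block' setting and a pass list."""

    def __init__(self, pass_list, which="both"):
        if which not in ("src", "dst", "both"):
            raise ValueError("which must be src, dst or both")
        self.which = which
        self.pass_list = [ipaddress.ip_network(n, strict=False) for n in pass_list]
        self.blocked = {}      # ip -> (sid, msg) of the alert that caused the block
        self.states = set()    # (proto, src, sport, dst, dport) live firewall states

    def in_pass_list(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.pass_list)

    def candidates(self, alert):
        if self.which == "src":
            return [alert["src"]]
        if self.which == "dst":
            return [alert["dst"]]
        return [alert["src"], alert["dst"]]

    def handle(self, line):
        """Process one alert line; return the IPs newly blocked because of it."""
        alert = parse_alert(line)
        if alert is None:
            return []
        newly = []
        for ip in self.candidates(alert):
            if ip in self.blocked or self.in_pass_list(ip):
                continue           # already blocked, or exempt via the pass list
            self.blocked[ip] = (alert["sid"], alert["msg"])
            self.kill_states(ip)
            newly.append(ip)
        return newly

    def kill_states(self, ip):
        """'Kill States': drop existing states for the host so the block takes
        effect now rather than when those states age out. Returns the count."""
        dead = {s for s in self.states if ip in (s[1], s[3])}
        self.states -= dead
        return len(dead)

    def unblock(self, ip):
        """The 'x' on the Blocked page: remove a false positive from the table."""
        return self.blocked.pop(ip, None) is not None

    def table(self):
        return sorted(self.blocked)


def run(lines, pass_list, which="both"):
    blocker = Blocker(pass_list, which)
    for line in lines:
        blocker.handle(line)
    return blocker


if __name__ == "__main__":
    # Pass list: the LAN subnet and the DNS server, as the article recommends.
    b = run(SAMPLE_ALERTS.splitlines(), ["192.168.1.0/24", "198.51.100.1"])
    print(b.table())
```

Without the pass list, the first alert blocks the LAN host 192.168.1.20 as well as the remote peer, and the fourth blocks the DNS server; with it, only the two remote peers land in the table. On the firewall itself the package keeps blocked addresses in the pf table named snort2c, so `pfctl -t snort2c -T show` from a shell is a quick way to confirm that the Blocked page and the firewall agree.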


Tags: IDS snort


Copyright © 2018 FCOOS Blogs. All Rights Reserved. The Magazine Basic Theme by bavotasan.com.
