1. Description.
This plugin is for IP blocking on different versions of
OpenBSD? Operating
System and
FreeBSD? 5.1 with pf4freebsd port installed and working.
Since this lastest release it supports
OpenBSD? 3.3, 3.4 and
FreeBSD? 5.1 using
tables, anchors, and rulesets, who recently made available in pf.
It now uses a new kind of configuration options ( option=value option2=value2
etc. ) Please see 3. Options to obtain a full list of available options.
Note : This is not a pf tutorial, please read the pf documentation to understand
the concepts of anchors, tables, rulesets etc. .
2. Compatibility.
This lastest release supports, compiles, works, and has been tested on the
following OS/Versions :
OpenBSD 3.0
OpenBSD 3.1
OpenBSD 3.2
OpenBSD 3.3
OpenBSD 3.4
OpenBSD current ( 12/02/2003 ).
FreeBSD 5.1-RELEASE ( with http://pf4freebsd.love2party.net port ).
FreeBSD 5.1-CURRENT ( with http://pf4freebsd.love2party.net port ).
Now also:
OpenBSD 3.5
OpenBSD 3.6
3. Options.
This is the list of options that you can set in the configuration file :
auto=0/1
log=0/1
anchor=[string]
eth=[string]
(table=[string] - ignored. Listed for historical purposes only)
auto:
The auto option is used to tell the pf plugin to automatically (auto=1)
initialize all the required anchor/tables/rulesets/rules in the packed
filter (no pf.conf or manual modifications needed in the active ruleset).
log:
The rules created by the pf plugin will get the log option if this option is
set to 1 (log=1), so every time a blocked ip try to make a connection,
the correspont pf rule will generate a log entry on the pflog interface.
anchor:
Sets the anchor name used to hold the rulesets/tables/rules.
table:
Now ignored. Before Snortsam 2.30, it used to set the name of the table to
hold the blocked IPs.
eth:
Sets the interface name used when the anchor is created or when
the rules are added.
Example :
pf auto=1 log=1 anchor=fwsamd table=blockedips eth=le1
All configuration options are parsed, no matter the OS/Version used, but not
all the parsed options are used, that depends on the OS/Version used, see
4. Notes to get a list of used/relevant options in your OS/Version.
4. Notes.
--
OpenBSD? 3.0, 3.1 and 3.2 -- :
Under this OS/Versions only the "log", and "eth" options will be used by the pf
plugin, so on every block call, a new entire rule will be created with the
corresponding "log" and "eth" options at the head of the active ruleset.
--
OpenBSD? 3.3 -- :
Under this OS/Version the "auto", "log", "eth", "table" options will be used
in the following mode :
Under
OpenBSD? 3.3 you will need to create 3 tables in the main ruleset
(unless you use the auto=1 option), one for the IN, one for the OUT,
and one for the INOUT.
For example if you wish to call your table "blockedips", then you will
need to create :
blockedipsIN
blockedipsOUT
blockedipsINOUT
tables and specify auto=0 ( the tables are already created by you ), and
table=blockedips ( without the IN, OUT, INOUT ) in the pf section of your
snortsam config file.
You must also create the rules who point to this tables ( unless you use
the auto=1 option ) :
block in from to any
block out from any to
block in from to any
block out from any to
The "eth" and "log" options are used in auto=1 mode, when the pf plugin is
in charge of creating the rules. If you don't use the auto=1 mode, then this
parameters can specified in the rules that you must create.
So every block call will add an ip entry in the corresponding table, and
automatically gets blocked by the corresponding rule who blocks that table.
Under
OpenBSD? 3.3 all of this takes place in the main ruleset, no anchors or
rulesets are used.
--
OpenBSD? 3.4,
OpenBSD? Current,
FreeBSD? 5.1-RELEASE,
FreeBSD? 5.1-CURRENT -- :
Under this OS/Versions all the options are used by the pf plugin, It creates (
unless you use auto=0 ) one call to the anchor specified by the "anchor"
option in the main ruleset with the optional "eth" name, and 3 rulesets inside
this "anchor" ( "IN", "OUT" and "INOUT" ), each ruleset has Its own table
( specified by the "table" option ) and Its set of rules with the optional
"log" option.
If you dont wish to use the auto=1 option, you must create this sets of
entries in your pf.conf file or by hand ( using pfctl command ) and set the
choosen parameters in the pf section of the snortsam configuration file.
If you got confused while try to create the anchor and rules to not to use the
auto=1 option, try to use the "auto=1" option at first, and see the
rules/rulesets/anchor/tables added automatically by the pf plugin as an example.
Hector A. Paterno
apaterno@dsnsecurity.com
Note by Frank Knobbe:
FreeBSD? support is currently disabled with #ifdef's. If you have loaded the pf
patch under
FreeBSD? 5.x, you need to remove the "#ifdef
OpenBSD?" in ssp_pf.c,
ssp_pf.h and plugins.h. Don't forget to remove the corresponding "#endif".
We need to clean this up later so that it doesn't throw errors on
FreeBSD?
systems without the pf port and Solaris/AIX/whateverix.
(What we really need is a make file...
sigh)
Updated 01-16-05, Note by Olaf Schreck <chakl@syscall.de>
This is based on Hector's code, read above sections first!
Use the following line in snortsam.conf:
pf anchor=fwsam auto=1 [ log=... eth=... table=ignored ]
Choose any anchor name you like, I recommend "fwsam". Use auto=1
unless you really want to do things manually, see below. Use log
and eth as you did before, no changes to this stuff. You may still
specify a table name, but it will be
ignored, see "Changes" below.
Testing
Create snort signatures like this, probably in local.rules:
alert tcp any any -> $your_ip 11110 (msg:"TEST log 11110/tcp"; \
sid:1111110;)
alert tcp any any -> $your_ip 11111 (msg:"TEST block 11111/tcp"; \
sid:1111111; fwsam:src[in],5min;)
- start snort and snortsam, verify the processes are running, check
their logfiles for any errors;
- verify that the test sigs fire and that alerting works before
proceeding. I like to have snort log via syslog, do a "telnet
$your_ip 11110" from any remote machine first, and then
expect
to see the "TEST log 11110/tcp" in syslog. If that doesn't work for
you,
fix your configuration first, it is pointless to continue
without working alerting;
- check that anchor, tables and rules exist after snortsam started,
read the pfctl manpage;
# pfctl -vsA
# pftcl -a fwsam -sT
# pfctl -a fwsam -t blockin -Ts
# pfctl -a fwsam -t blockin -sr
- test snortsam blocking with "telnet $your_ip 11111" from any remote
machine. You should see a "TEST block 11111/tcp" alert in syslog, a
message "Blocking $src_ip" in snortsam.log, and $src_ip listed in the
output from "pfctl -a fwsam -t blockin -Ts". All traffic from $src_ip
to $your_ip should be blocked now. After 5 minutes you should see
"Unblocking $src_ip" in snortsam.log, $src_ip removed from the blockin
table, and traffic from $src_ip to $your_ip should be allowed again.
At least, that would be
expected behavior. Prepare for debugging with
pfctl if it doesn't work out right.
Changes
The last version of ssp_pf was for
OpenBSD? 3.4. In 3.6 a change to the
pf ioctl API was introduced for "nested anchors". Semantically, what
used to be a "named ruleset" within an anchor, is now a sub-anchor to
that anchor, which allows for tree-like ruleset structures. The hard
part of this patch (for me) was figuring out where to put the anchor
references.
Changed some strcpy()s to strncpy(), deal with PF_MAX_*_SIZE correctly.
Hardcoded the table names to "blockin", "blockout" and "blockinout".
Laziness, what's the point of having configurable table names anyway?
My first approach was to convert the named "IN", "OUT" and "INOUT"
rulesets to sub-anchors. Didn't work for other reasons, and it smelled
bloated. After all, we have 4 rules operating on 3 tables, a simple
single anchor should be able to do that job just fine..
Using auto=0
The pf plugin is written for auto=1, if you disable it you'll have to
setup these things manually:
- the pf anchor "fwsam" inside the main ruleset
- 3 tables ("blockin", "blockout", "blockinout") inside the
"fwsam" anchor
- 4 rules like below inside the "fwsam" anchor
block in log quick from
to any
block out log quick from any to
block in log quick from to any
block out log quick from any to
-- MattJonkman - 09 Mar 2007