Block P2P Traffic with pfSense using Suricata IPS

With the introduction of the Suricata IPS package in pfSense, we have better control over application filtering. Suricata performs better thanks to its multi-threaded design. Also, since pfSense version 2.3, it can run in either legacy mode or inline mode. Inline mode gives better performance because it does not need to copy packets for inspection, and it can drop packets before they are processed by the pfSense 'pf' rules. That is a real advantage over Snort and over Suricata's own legacy mode.

Below are the steps required to get Suricata working with pfSense.

1. a. Make sure the prerequisites for Suricata are in place. Suricata works with most standard network cards that support 'netmap' functionality; most Intel cards with 'em' or 'igb' interface names support this.

   b. Make sure the following options are selected under System > Advanced > Networking:

   i) Disable hardware checksum offload.

   ii) Disable hardware TCP segmentation offload.

   iii) Disable hardware large receive offload.

2. Install the Suricata IPS package through the Package Manager.

3. Once this is installed, the 'Suricata' sub-menu will appear under the Services drop-down menu. First we need to set the Global Settings of Suricata as below.

Please note that the Oinkmaster code is the auto-generated API key found under your snort.org login profile. After pasting it in, enable logging and set the update interval to 1 day.

4. After this you need to manually update the rule-set from the Updates menu to make sure the updates are being loaded into the rule-sets. A working update will look as below.

5. Next come the important configuration options to enable IPS on the interfaces we need. I would suggest enabling it on both the LAN and WAN interfaces to have better control over the traffic.

6. On each interface, make sure that you select 'Block Offenders' and set the IPS mode to 'Inline Mode'. Other settings can be left at their defaults.

7. Make sure that the default IPS policy selection is unchecked so that only the required category is enabled. In our case we want to do only P2P inspection, as below.

8. Under 'WAN/LAN Rules', select each category other than the Emerging P2P rules and click 'Disable All' to avoid any false-positive traffic blocking. This step is very important if you are testing this on a production environment.

9. Select the Emerging P2P rules and click 'Enable All'. You also need to go through each rule and change the rule action from the default Alert to Drop, as below.

10. Repeat these changes on all the interfaces. Other settings on the interfaces can be left at their defaults. Apply the rules and restart the Suricata service to make sure the changes are applied and the service is running with the new configuration.

11. Now you can start a torrent client and try downloading any file. You may notice that Suricata drops it from the very first packet.

12. Under the Alerts tab, you will be able to see that packets are getting dropped. Since we run it in inline mode, both the alerts and the dropped packets will be visible only on the 'Alerts' menu, as below.

13. Once we enable logs on each interface, a detailed log output is visible under the logs view.
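Step 9 flips each Emerging P2P rule from Alert to Drop one at a time in the pfSense GUI. The helper below is an added example (not code from this page, pfSense or Suricata) that performs the same action change on a Suricata rules file so the result can be reviewed before it is loaded; the sample rules and sids it contains are constructed for illustration.

```python
import re

# Actions Suricata accepts at the start of a rule line.
RULE_ACTIONS = ("alert", "drop", "reject", "pass")

# Matches the action keyword of an enabled rule. Disabled rules start with
# '#', so they never match and are left exactly as they are.
_RULE_RE = re.compile(r"^(?P<action>" + "|".join(RULE_ACTIONS) + r")\s+")

# Constructed sample in emerging-p2p.rules style (not real ET signatures;
# sids are in the local 1000000+ range).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE P2P BitTorrent handshake"; flow:established,to_server; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:1000001; rev:1;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 6881 (msg:"SAMPLE P2P DHT query, disabled"; content:"d1|3a|ad2|3a|id20|3a|"; classtype:policy-violation; sid:1000002; rev:1;)
pass tcp any any -> any any (msg:"SAMPLE pass rule, must stay untouched"; sid:1000003; rev:1;)
"""


def set_rule_action(rules_text, new_action="drop", from_actions=("alert",)):
    """Rewrite the action of every enabled rule whose current action is in
    from_actions to new_action. Returns (new_text, number_of_rules_changed).
    Comments, blank lines and disabled rules pass through unchanged."""
    if new_action not in RULE_ACTIONS:
        raise ValueError("unknown Suricata action: %s" % new_action)
    out, changed = [], 0
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if m and m.group("action") in from_actions:
            line = new_action + line[m.end("action"):]
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


def count_actions(rules_text):
    """Tally enabled rules by action, to verify the result before loading it."""
    counts = {}
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


if __name__ == "__main__":
    new_text, n = set_rule_action(SAMPLE_RULES)
    print("%d rule(s) switched to drop; actions now: %s" % (n, count_actions(new_text)))
    print(new_text)
```

Run the helper on a copy of the rules file and compare the before/after tallies; only enabled alert rules should move to drop, while pass rules and commented-out rules stay as they were.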
