Block P2P Traffic with pfSense using Snort IPS

Our customers regularly ask for P2P blocking on their network infrastructure. The typical questions are whether pfSense can block P2P traffic at all, and whether it can do Layer 7 (application-layer) filtering. The advantage of pfSense is that it can achieve P2P filtering in three ways:

  1. Block every port other than the ones needed for browsing (DNS, HTTP and HTTPS) with firewall rules. This is port-based only; a P2P client configured to use 80 or 443 still gets through.
  2. Throttle P2P traffic to a minimal rate with the traffic shaper's bandwidth limiter.
  3. Use an IDS/IPS such as Snort or Suricata to detect and block P2P traffic by signature.

The third option is the most robust, and this article covers it: blocking P2P traffic on the network with Snort running in IPS (blocking) mode.

Assuming you already have a working pfSense installation, the steps to follow are below. First, install the Snort package from the package manager as follows:

After this one-click installation, a Snort sub-menu appears under Services.

Next we need an Oinkcode to download the Snort signatures (rule sets). The Oinkcode is simply an API key for rule-set access. To get one, register an account at http://www.snort.org; the Oinkcode is shown in your account profile as below:

Enter the Oinkcode in the Global Settings tab as below.

The Oinkcode is only needed for the Snort Subscriber (VRT) rules; with a free registered account those arrive with a 30-day delay. The Snort GPLv2 Community rules and the Emerging Threats Open rules (ET Open) are free and need no Oinkcode at all, so both can be enabled straight away. ET Pro requires a paid subscription. Below is the screenshot for reference.


After this step, update the rule sets from the Updates tab. The update takes a little while. Afterwards the rule list should look similar to the one below.


The next task is to enable Snort on the required interfaces. Enabling it on both WAN and LAN gives the best coverage. Make sure 'Block Offenders' and 'Kill States' are selected, so that the P2P peer IPs are blocked and their existing connections are torn down.


You may also select BOTH (source and destination) as the IP to block. Make sure a proper pass list is in place before enabling this: addresses on the pass list still raise alerts but are never blocked. The default pass list already covers the firewall's own interface addresses, local networks, gateways and DNS servers. This matters because on the WAN interface Snort sees traffic after NAT, so the source of every outbound P2P session is the firewall's own WAN address, and without the pass list that address would be blocked.

After this, enable the rule categories on each enabled interface. 'Resolve Flowbits' is selected by default; keep it that way. Uncheck 'Use IPS Policy' if you only care about blocking P2P traffic, as that option enables a broad default rule set that may not be required. Also, with 'Use IPS Policy' selected you cannot manually pick rule sets from 'Snort Text Rules' and 'Snort SO Rules'.

Select the relevant P2P categories from all the Snort rule sets. I didn't find any rules under 'Snort p2p rules' in the 'Snort text rules' category, so I didn't select that one. After saving the Categories section, you get granular control over each category under the interface's Rules tab; for WAN it is 'WAN Rules', as below. The 'Emerging p2p rules' set offers the most customization options. You may have to make custom selections based on your requirements.
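To make the interaction between the P2P signatures, 'Block Offenders', the 'Which IP to Block' setting and the pass list concrete, here is a small model of that logic. It is an added example for this article, not pfSense or Snort code. The two rules use fixed strings from the public BitTorrent wire format (the handshake starts with 0x13 followed by "BitTorrent protocol"; a KRPC/DHT ping is bencoded and starts with "d1:ad2:id20:"), but the SIDs are in the local-rule range and are not real ET or VRT rule IDs, and every packet and address is constructed; 192.0.2.53 stands in for the site's DNS resolver.

```python
"""Model of Snort's 'Block Offenders' behaviour with a P2P rule set and a pass list.

Added example for this article; it is not pfSense or Snort code. Rule contents
use fixed strings from the public BitTorrent protocol (handshake 0x13 +
"BitTorrent protocol", KRPC ping prefix "d1:ad2:id20:"); SIDs are in the
local-rule range, and all packets and addresses are constructed here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    proto: str       # "tcp" or "udp"
    content: bytes   # pattern that must appear ...
    depth: int       # ... within the first `depth` payload bytes (Snort's 'depth')


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes


# Constructed rules modelled on the BitTorrent wire format (not real ET/VRT SIDs).
RULES = [
    Rule(1000001, "P2P BitTorrent peer handshake", "tcp", b"\x13BitTorrent protocol", 20),
    Rule(1000002, "P2P BitTorrent DHT ping", "udp", b"d1:ad2:id20:", 12),
]

HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-DE2000-" + b"0" * 12
DHT_PING = b"d1:ad2:id20:" + b"\x22" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"

# Constructed traffic from two LAN clients (192.168.1.0/24); remote addresses are
# documentation ranges and 192.0.2.53 plays the role of the site's DNS resolver.
SAMPLE_PACKETS = [
    Packet("192.168.1.50", "203.0.113.7", "tcp", HANDSHAKE),                # peer handshake
    Packet("192.168.1.50", "198.51.100.23", "udp", DHT_PING),               # DHT ping to a peer
    Packet("192.168.1.50", "192.0.2.53", "tcp", b"\x00\x1c" + b"Q" * 26),    # ordinary DNS over TCP
    Packet("192.168.1.50", "203.0.113.9", "tcp", b"X" * 25 + HANDSHAKE),     # pattern beyond depth
    Packet("192.168.1.60", "192.0.2.53", "udp", DHT_PING),                  # contrived hit on the resolver
]


def rule_matches(rule, pkt):
    """Snort 'content' with 'depth': search only the first `depth` payload bytes."""
    return rule.proto == pkt.proto and rule.content in pkt.payload[: rule.depth]


def build_passlist(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def passlisted(ip, passlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in passlist)


def inspect(packets, rules, passlist, mode="both"):
    """Return (alerts, blocked).

    alerts: list of (sid, src, dst) for every rule hit.
    blocked: set of IPs that 'Block Offenders' would add to the block table for
    mode 'src', 'dst' or 'both' (the 'Which IP to Block' setting). Pass-listed
    hosts still alert but are never blocked.
    """
    alerts = []
    blocked = set()
    for pkt in packets:
        for rule in rules:
            if not rule_matches(rule, pkt):
                continue
            alerts.append((rule.sid, pkt.src, pkt.dst))
            candidates = {"src": [pkt.src], "dst": [pkt.dst], "both": [pkt.src, pkt.dst]}[mode]
            blocked.update(ip for ip in candidates if not passlisted(ip, passlist))
    return alerts, blocked


def demo():
    """Run the sample traffic with a pass list resembling pfSense's default one."""
    passlist = build_passlist(["192.168.1.0/24", "192.0.2.53/32"])
    return inspect(SAMPLE_PACKETS, RULES, passlist, "both")


if __name__ == "__main__":
    alerts, blocked = demo()
    for sid, src, dst in alerts:
        print(f"alert sid={sid} {src} -> {dst}")
    print("blocked:", sorted(blocked))
```

Run with the pass list, only the two remote peers end up blocked, even though the resolver also triggered an alert. Run `inspect(SAMPLE_PACKETS, RULES, [], "both")` with an empty pass list and the LAN client and the resolver are blocked too, which is exactly the outage a missing pass list causes on a real firewall. With mode "src" and a LAN-only pass list nothing is blocked at all, because the source of every outbound P2P session is one of your own hosts.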


Applying the changes reloads the rules into memory with the new selection. Repeat the same changes on all the required interfaces. I kept the other parameters at their defaults. At this point, if everything is fine, alerts start appearing under the Alerts tab, which is the right place to check the status of your Snort setup. Start any P2P client on a LAN computer and watch the Alerts page; you will see alerts similar to these:


Since we configured Snort to block the IPs involved in P2P connections, by now there should be blocked IPs on the Blocked tab, as below. The same addresses are held in the pf table 'snort2c'; from a shell, 'pfctl -t snort2c -T show' lists them.

Any false positive can be removed from that list with the remove ('x') option. Entries also age out on their own according to the 'Remove Blocked Hosts Interval' set under Global Settings. While testing with a torrent client (Deluge), new downloads should fail with connection timeout errors.

You will see the list of blocked IPs grow. As it grows, connections to any peer already in the block table are dropped by pf, so the client never completes a handshake with it, and new peers are added only when their traffic matches a rule.
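The Alerts tab is where you decide which blocked entries are real peers and which are false positives worth removing and pass-listing. The following script is an added example for this article, not pfSense or Snort code; it parses lines in Snort's 'alert_fast' format (the log behind the Alerts tab) and summarises them by LAN client, remote peer and SID, flagging any remote side that is one of your own infrastructure hosts. The log lines, SIDs (local-rule range) and addresses are constructed; only the line layout follows the real fast-alert format, and ICMP alerts (which carry no ports) are deliberately not parsed.

```python
"""Triage of Snort alerts in the 'alert_fast' format that backs the pfSense Alerts tab.

Added example for this article, not pfSense or Snort code. The log lines, SIDs
(local-rule range) and addresses below are constructed; only the line layout
follows Snort's fast alert format.
"""
import ipaddress
import re
from collections import Counter

# <timestamp>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: two LAN clients, three remote peers, one hit on the site's resolver.
SAMPLE_ALERTS = """\
08/10-14:21:03.118233  [**] [1:1000001:1] P2P BitTorrent peer handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.50:51413 -> 203.0.113.7:6881
08/10-14:21:04.220114  [**] [1:1000002:1] P2P BitTorrent DHT ping [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.50:6881 -> 198.51.100.23:6881
08/10-14:21:05.004512  [**] [1:1000002:1] P2P BitTorrent DHT ping [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.50:6881 -> 198.51.100.24:6881
08/10-14:22:10.771233  [**] [1:1000001:1] P2P BitTorrent peer handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.60:41222 -> 203.0.113.7:6881
08/10-14:25:41.000001  [**] [1:1000002:1] P2P BitTorrent DHT ping [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.60:6881 -> 192.0.2.53:53
this line is not an alert
"""


def parse_alert(line):
    """Return a dict of the alert fields, or None if the line is not a TCP/UDP fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def triage(text, local_cidr, infrastructure):
    """Summarise alerts by LAN client, remote peer and SID.

    A remote side that is one of your own infrastructure hosts (resolver,
    gateway, mail server) is almost certainly a false positive; it is listed in
    'suspect' so it can be removed from the Blocked tab and added to the pass list.
    """
    local = ipaddress.ip_network(local_cidr)
    infra = {ipaddress.ip_address(i) for i in infrastructure}
    clients, peers, sids, suspect = Counter(), Counter(), Counter(), []
    unparsed = 0
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        src = ipaddress.ip_address(a["src"])
        # Whichever side is outside the LAN is the 'peer'; the other is the client.
        client, peer = (a["src"], a["dst"]) if src in local else (a["dst"], a["src"])
        clients[client] += 1
        peers[peer] += 1
        sids[a["sid"]] += 1
        if ipaddress.ip_address(peer) in infra and peer not in suspect:
            suspect.append(peer)
    return {"clients": clients, "peers": peers, "sids": sids, "suspect": suspect, "unparsed": unparsed}


def demo():
    """Triage the constructed sample with 192.0.2.53 declared as the site's resolver."""
    return triage(SAMPLE_ALERTS, "192.168.1.0/24", ["192.0.2.53"])


if __name__ == "__main__":
    r = demo()
    print("clients:", r["clients"].most_common())
    print("peers:", r["peers"].most_common())
    print("probable false positives:", r["suspect"])
```

On the sample, 192.168.1.50 is the busiest client and 203.0.113.7 the most-contacted peer, and 192.0.2.53 is flagged as a probable false positive; on a real firewall that is the entry to remove from the Blocked tab and add to the pass list before it silently breaks DNS.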
