Example – using Snort to block social media sites

In Chapter 4, Using pfSense as a Firewall, we covered several examples of using pfSense firewall rules to block certain websites. It quickly became apparent that blocking websites with this method is easy when the website uses a single IP address, but when the website uses multiple IP addresses, it was problematic. If the website uses a fixed set of IP addresses, it is easy enough to create an alias for them and to make sure the rule blocks all addresses covered by the alias. Some popular social media sites such as YouTube and Facebook, however, are constantly updating the pool of IP addresses they use, thus rendering this method difficult to utilize, because unless we constantly update our list of IP addresses, the rule becomes ineffective.

Snort, however, provides another way of trying to block these sites, and while it is not foolproof, it requires much less overhead than the process outlined in Chapter 4, Using pfSense as a Firewall. The process described below assumes the following:

  • Snort has been installed using the Package Manager and has been enabled
  • Snort has been enabled on the WAN interface

If those preconditions are not met and you want to try implementing these rules, make sure Snort is installed and enabled on the WAN interface. No additional configuration is necessary.

To begin, we navigate to Services | Snort and from the Snort Interfaces tab, we find the entry for WAN and click on the Edit icon for it. A second row of tabs will appear controlling different settings for the WAN interface; we click on the WAN rules tab. Make sure Category Selection is set to custom.rules and enter the following rules into the Defined Custom Rules text box:

alert tcp any any <> any any (msg:"YouTube detected"; pcre:"/youtube\.com|www\.youtube\.com/"; sid:4000001;)
alert tcp any any <> any any (msg:"Facebook detected"; pcre:"/facebook\.com/"; sid:4000002;)

Explaining what these rules do requires some exposition on Snort's rule syntax, so now is a good time to cover this subject:

  • alert: This is the rule action. There are five default actions: alert (generate an alert and log the packet); log (log the packet); pass (ignore the packet); activate (alert and turn on another dynamic rule); dynamic (remain idle until turned on by an activate rule, then turn into a log rule). We can block IP addresses that generate an alert, so we choose alert.
  • tcp: This is the protocol field, which can be either tcp, udp, or icmp. Web traffic is TCP, so we choose tcp.
  • any any: These fields refer to the source of the traffic. The first field is the IP address, which is formed by a numeric portion and a CIDR. Thus, it can refer to an entire subnet. You can use the negation operator (!) to match any address not in the subnet. any, as you may have guessed, will match any IP address. The second field is the port, which can be any to match any port, or a port number. Two numbers separated by a colon (:) indicates a range of ports; for example, 5000:5010 denotes ports 5000 to 5010. As with IP addresses, you can use the negation operator.
  • <>: This is the direction operator. -> refers to traffic flowing from source to destination; <- refers to traffic flowing from destination to source; <> refers to traffic flowing in both directions. We want to match traffic flowing in both directions, so we choose <>.
  • msg: This prints a message in alerts and packet logs. We are looking for YouTube traffic in the first rule and Facebook traffic in the second rule, as the msg field indicates.
  • pcre: This is the field where we tell Snort what we want to match. pcre stands for Perl-Compatible Regular Expression; another popular option to use for this field is content, but pcre allows us a bit more flexibility in specifying the text we want to match. Note that the regular expression is contained within double quotes (") and is also contained by forward slashes (/). For YouTube, we want to match both youtube.com and www.youtube.com, so we specify both and place an or operator (|) between the two. Note that we have to use the backslash character (\) as an escape sequence before each dot (.), because an unescaped dot matches any single character rather than a literal dot. Other options for this field include nocase (make the match case insensitive) and offset (skip a certain number of bytes before doing the comparison). Each option in the rule body, sid included, must be terminated with a semicolon (;).
  • sid: This is the unique identifier for the rule. Each sid must be unique, and we should use numbers over 4,000,000 to avoid conflicts with popular rule providers.

When we are done adding the rules, we click the Save button to save and force a reload of the rules. The rules we added only generate alerts, however, so to block these sites we must click on the WAN Settings tab, scroll down to Alert Settings, and make sure that Block Offenders is enabled. When this option is enabled, Snort will block any host that generates an alert. When we are done, we scroll down and click on the Save button.

After adding these rules to Snort, both YouTube and Facebook should be blocked. To test this out, try to access both sites and click on the Alerts tab in Snort; the log should be filled with YouTube detected and Facebook detected messages. The IP addresses of the hosts that generated alerts should find their way onto the blocked hosts list; you can view this by clicking on the Blocked tab. 

These rules have their shortcomings. For starters, we are looking for users trying to access certain hostnames (www.youtube.com, facebook.com, and youtube.com); if the user types the IP address into the browser, they could circumvent our attempt to block the traffic (that is, assuming that the IP address has not already been added to the blocked hosts list). It should be generally effective in blocking these sites, however, and provides a baseline for further experimentation with Snort rules.
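To make the rule syntax above concrete, and to show the hostname-matching shortcoming just described, here is an added example that is not part of the book and is not Snort's own parser. It is a small Python script that parses rules of the same shape as the two custom rules, compiles their pcre option with Python's re module (a close enough stand-in for PCRE for patterns this simple), and runs them over constructed HTTP request payloads: one for each site, one where the browser sent a raw IP address in the Host header (which the rules do not catch), and one look-alike hostname that shows why the dots must be escaped. All payloads, hostnames and the 203.0.113.10 address are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample rules in the same form as the two custom rules discussed
# above (typed here for the example, not read from a Snort installation).
CUSTOM_RULES = [
    r'alert tcp any any <> any any (msg:"YouTube detected"; pcre:"/youtube\.com|www\.youtube\.com/"; sid:4000001;)',
    r'alert tcp any any <> any any (msg:"Facebook detected"; pcre:"/facebook\.com/"; sid:4000002;)',
]

# Rule header: action, protocol, source ip/port, direction, destination ip/port, then (options).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>|<-)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: tuple
    dst: tuple
    direction: str
    msg: str
    sid: int
    pattern: re.Pattern


def split_options(text):
    """Split 'key:value; key:value;' on semicolons that sit outside double quotes.

    Every option must end with ';'; leftover text means a missing terminator.
    """
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:  # keep backslash escapes such as \. intact
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        raise ValueError(f"option not terminated by ';': {tail!r}")
    return [p for p in parts if p]


def compile_pcre(value):
    """Turn a Snort pcre value of the form "/body/flags" into a compiled regex."""
    value = value.strip('"')
    if not value.startswith("/") or "/" not in value[1:]:
        raise ValueError(f"malformed pcre: {value!r}")
    end = value.rfind("/")
    body, flags = value[1:end], value[end + 1:]
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.compile(body, re_flags)


def parse_rule(line):
    """Parse one rule line into a Rule; raises ValueError on malformed input."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad rule header: {line!r}")
    opts = {}
    for opt in split_options(m.group("options")):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip()
    if "sid" not in opts or "pcre" not in opts:
        raise ValueError("rule needs both a sid and a pcre option")
    return Rule(
        action=m.group("action"), proto=m.group("proto"),
        src=(m.group("src_ip"), m.group("src_port")),
        dst=(m.group("dst_ip"), m.group("dst_port")),
        direction=m.group("direction"),
        msg=opts.get("msg", "").strip('"'),
        sid=int(opts["sid"]),
        pattern=compile_pcre(opts["pcre"]),
    )


def rule_is_valid(line):
    """True if the line parses cleanly (catches the common missing ';' mistake)."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def match_payload(rules, payload):
    """Return the sids whose pcre matches the given payload text."""
    return [r.sid for r in rules if r.pattern.search(payload)]


def unescaped_false_positive(host_line):
    """Why the dots are escaped: '.' alone matches any byte, '\\.' only a dot."""
    unescaped = re.compile(r"youtube.com")
    escaped = re.compile(r"youtube\.com")
    return bool(unescaped.search(host_line)), bool(escaped.search(host_line))


# Constructed HTTP requests standing in for the payload Snort would inspect.
SAMPLE_PAYLOADS = {
    "youtube": "GET /watch?v=abc123 HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n",
    "facebook": "GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n",
    "by_ip": "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",      # no hostname: not caught
    "lookalike": "GET / HTTP/1.1\r\nHost: youtube-com.example\r\n\r\n",  # escaped dot rejects it
}

if __name__ == "__main__":
    rules = [parse_rule(r) for r in CUSTOM_RULES]
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name:10s} -> sids {match_payload(rules, payload)}")
```

Running the script shows the two site payloads each firing exactly one sid, while the raw-IP request fires none, which is the gap the paragraph above describes; the look-alike host only slips through because the dots are escaped.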
