OpenBSD Journal

Snort2Pf 3.1 Available

Contributed by jose on from the active-defenses dept.

ssc writes: "Snort2Pf, a small perl daemon that parses snort's logfile
and blocks the 'attackers' with pf, is available now.
This way, you can turn your openbsd boxen easily
into an Intrusion Detection and Prevention System.
+ can unblock hosts after X seconds
+ small footprint
+ easy installation

New in this version:
+ idpsinfo(1) tool (displays a list of currently blocked hosts)
+ super cool script
+ performance improvements
Download: "

(Comments are closed)

  1. By Darian Lanx () on

    This is excellent indeed. Maybe this is the right step toward building a sensible Intrusion Detection system which can react proactively against attacks while avoiding false positives,


    1. By djm () on

      I don't see how this achieves either of the items you mention: It doesn't "react proactively" (a complete oxymoron) - it blocks hosts after the attacks have been seen. It doesn't even prevent the initial attack from passing. Second, this doesn't do anything to reduce false positives.

      Personally, I don't think that reactively blocking hosts does any good anyway.

      1. By Strog () on

        I'd have to agree that this could be used against you with a little creative spoofing. It would be trivial to spoof the IP of several legit sites and get your firewall.

        I would tread lightly with this and wouldn't get very agressive at all. I've been manually blocking the boneheaded code red, buffer overflow, etc. idiots with a table in an external file. That works pretty good but I don't I'd do more than that without some intervention.

        1. By petr () on

          jesus, realy want to choose,uat attacks to block and not blindly block every alert. i would like to see 'trivial' spoofing,where tcp is involved.ever tried that?to establish blind tcp connection with host on the internet and launch exploit? nonsence..
          i do not like presence of ids on firewall either,but is nice to have such tool.better way would be second box with snort and modify pf table over ssh connection.

    2. By Luiz Gustavo () on

      I don't want to block hosts based in snort information, unless you want people cause havoc in your firewall.

  2. By Anonymous Coward () on

    How about just killing the state entry of that particular packet (tcp/udp)? Can that be done as a first step before blocking the host?

    1. By ssc () on

      indeed, that sounds like a great idea.
      there will be a command line switch to decide between 'add block rule' and 'kill state entry' in v3.2, maybe.

      i have to oversleep that, I guess.

      1. By Clint () on

        The only usable IPS system is one that only drops the actual packets which the IDS deems malicious. Many of the commercial ones do it this way. Otherwise, some 13 year old who spoofs all the DNS root server IP's and throws some dumb exploit at your box is taking down dns services for your network.

        Killing the particular state entry may allow you to block the traffic that the snort sig alerts to, but still alow legit traffic from that source IP; lowering the risk of denial of service from spoofed packets.

        Another cool feature would be to set a probability rating. Something to say "these snort sigs have xyz rating that the packet is actually malicious. anything over xyz%, kill state, otherwise just log"

    2. By Anonymous Coward () on

      Snort does do that already by itself

  3. By Anonymous Coward () on

    "- removed "never block these IPs"-feature This can and should be done via pf.conf(5)."

    How do you set this up for firewalls connected to the internet using DHCP?

    1. By Anonymous Coward () on

      Specifically the gateway.

    2. By djm () on

      man pf.conf

      1. By Anonymous Coward () on

        Thanks, I found some great things I missed or were added since the last time I read pf.conf. But I still don't see a way to specify the default gateway of a system that uses DHCP.

        1. By Anonymous Coward () on

          Oh yeah, I'm I'm still trying to figure out this part:

          "port 2000 __ 2004
          means `all ports > 2000 and 2004', hence ports 1-1999 and 2005-65535."

          Looks the same to me :P

          1. By Anonymous Coward () on


            port 2000 __ 2004
            means `all ports > 2000 and 2004', hence ports 1-1999
            and 2005-65535.

  4. By Daren () on

    Awesome, please import it in the port tree.

  5. By Anonymous Coward () on

    ..but wouldn't using ioctls on /dev/pf be faster than using the pfctl command line tool?

    1. By Dave Steinberg () on

      Its not faster in terms of programmer time. Think of all the work that pfctl does that you'd have to duplicate (and probably get wrong), then keep up with as it changed.

      1. By Anonymous Coward () on

        Good arguments I guess, but admittedly I was mainly interested in execution time, not programmeing time or maintenance effort.

        1. By Dave Steinberg () on

          You might notice it if you were running it on my 486 DX2/66, but not on a modern computer. Is pfctl really too slow for you?

  6. By Anonymous Coward () on

    This project doesn't have a homepage? Just an ftp? I want to read more about it...

    1. By Anonymous Coward () on

      I found :/
      I should look at google before post :/

      1. By ssc () on

        actually, it is

        the information on is outdated at the moment due to technical problems with the hosting company

  7. By Anonymous Coward () on

    What about hogwash? Maybe not too closely tied to OpenBSD, or that maintained anymore - but it did work on OpenBSD once, I think.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]