Feature #11243


individual pfctl snort2c tables per interface only blocking IPs for specific interface when a rule triggers in snort/suricata

Added by Felix S over 3 years ago. Updated over 3 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:


Feature Request Background:
The snort2c table is used for blocking any connections to any IP address which is put into the table.
Snort as well as suricata create entries for IP addresses that triggered a rule and if blocking has been enabled.
Since different interfaces may have different types of traffic / users this results in the necessity of having different IPS/IDS rules applied resulting in IPs that need blocking only for a specific interface, but not another.
The current central approach results in IP addresses being blocked for all users on all interfaces despite the need to have users from one network segment to continue to connect to that address. With suricata or snort rules where actually traffic content or app_ids are used to block / log / allow connectivity and not a static IP it seems more than necessary to have a feature allowing to distinguish between the different needs of network segments. Since an increase of segmentation in order to achieve isolation of services / equipment and users is more and more common a more individual approach per segment becomes necessary.

The legacy type of operation (snort2c table usage) seems likely to stay for a while as some combinations of features do not allow the usage of the inline mode with netmap, such as lagg devices with vlans.

The easiest approach seems to create individual snort2_intfX tables for each network interface. Then have snort or suricata submit the IPs to be blocked only to the one specific table for the interface where a rules triggered a block.
Then use the different tables only to block respectively the traffic for the specific IPs in the files that are associated with the interface. Hence this should allow to have different sets of blacklists (snort2c tables) which can be managed separately. The GUI could reflect this by having a drop down menu in the suricata blocked hosts section for each interface, allowing to pull the relevant entries for review / removing. Furthermore the Diagnostics - Tables view could include the different tables for the interfaces.

This should be available for physical and logical interfaces, including lagg interfaces with vlans as well as physical vlan trunks and individual vlan interfaces.
Thank you for your consideration.


Also available in: Atom PDF