Bug #1961 (closed, 0% done): Spoink and IP banning
Description
Hello,
this request follows this post on the Forum: http://forum.pfsense.org/index.php/topic,41895.0.html.
Summarizing, at the moment Spoink blocks only 50% of the attacker IPs, since when it receives an alert from Snort it goes straight to blocking the source IP address. Unfortunately many rules intercept the answer to an attack; in this case the source IP address is our server, and the destination is the attacking IP address. These rules are defined in Snort with the property "flow:from_server".
In order to fix this problem, Spoink should identify and parse the rule that is generating the alert, and consider the "flow" parameter of that rule. According to this parameter:
- Not specified => the attacker IP is the source
- "to_server" or "from_client" => the attacker IP is the source
- "to_client" or "from_server" => the attacker IP is the destination
Unfortunately this is very complex and requires a big effort to integrate in Spoink.
Maybe the following workaround can be considered. I am assuming that all the local IPs of the pfSense box are included in the "white-list" that Spoink is receiving (+ the ones manually included).
The change that we could apply to the Spoink code is to make it consider banning both the source and the destination IP addresses if they are not included in the white list. In this case the change is very easy to apply (I guess only a few lines of code in spo_pf.c, function AlertPf), in order to also evaluate the destination IP address and, if it is not in the white-list, just block it.
In this way the result is achieved in an easy way. I don't see any side effect of this policy (but of course this must be evaluated by the development team), and this will solve a problem that looks like it has been dragging on for years in pfSense (I found old posts in the forum about this).
Thanks,
Michele
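The two selection policies discussed in the report, as an added illustration that is not Spoink's or Snort's own code: `attacker_by_flow()` picks the attacker endpoint from the rule's "flow" keyword (unspecified, to_server or from_client => source; to_client or from_server => destination), and `endpoints_to_block()` implements the proposed workaround of banning every endpoint of the alert that is not covered by the white-list. The white-list format (IPv4 addresses or CIDR networks), the function names and the RFC 5737 documentation addresses used in the demo are assumptions made for this example; the real AlertPf code in spo_pf.c is not reproduced here.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Direction expressed by a Snort rule's "flow" option. */
typedef enum { FLOW_UNSPECIFIED, FLOW_TO_SERVER, FLOW_TO_CLIENT } flow_dir_t;

/* One white-list entry: IPv4 network (host byte order) plus prefix length.
   Assumed format for this example; Spoink's own white-list layout differs. */
typedef struct { uint32_t net; int prefix; } cidr_t;

static uint32_t prefix_mask(int prefix) {
    return prefix == 0 ? 0u : (0xFFFFFFFFu << (32 - prefix));
}

/* Parse "a.b.c.d/n" or a bare "a.b.c.d" (treated as /32). Returns 1 on success. */
static int parse_cidr(const char *text, cidr_t *out) {
    char buf[32];
    char *slash;
    struct in_addr addr;
    int prefix = 32;

    if (strlen(text) >= sizeof buf) return 0;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash) { *slash = '\0'; prefix = atoi(slash + 1); }
    if (prefix < 0 || prefix > 32) return 0;
    if (inet_pton(AF_INET, buf, &addr) != 1) return 0;
    out->net = ntohl(addr.s_addr);
    out->prefix = prefix;
    return 1;
}

/* 1 if the dotted-quad ip falls inside any white-list entry, else 0.
   Unparsable addresses are NOT white-listed (fail closed on the whitelist side). */
static int is_whitelisted(const char *ip, const cidr_t *wl, size_t n) {
    struct in_addr addr;
    uint32_t h;
    if (inet_pton(AF_INET, ip, &addr) != 1) return 0;
    h = ntohl(addr.s_addr);
    for (size_t i = 0; i < n; i++) {
        uint32_t m = prefix_mask(wl[i].prefix);
        if ((h & m) == (wl[i].net & m)) return 1;
    }
    return 0;
}

/* Map the rule options string to a direction. from_client is a synonym of
   to_server and from_server of to_client, as in the report's table. */
static flow_dir_t parse_flow(const char *rule_options) {
    if (rule_options == NULL) return FLOW_UNSPECIFIED;
    if (strstr(rule_options, "to_server") || strstr(rule_options, "from_client"))
        return FLOW_TO_SERVER;
    if (strstr(rule_options, "to_client") || strstr(rule_options, "from_server"))
        return FLOW_TO_CLIENT;
    return FLOW_UNSPECIFIED;
}

/* Policy 1: choose the attacker endpoint from the rule's flow direction. */
const char *attacker_by_flow(const char *src, const char *dst, const char *rule_options) {
    return parse_flow(rule_options) == FLOW_TO_CLIENT ? dst : src;
}

/* Policy 2 (the proposed workaround): block every endpoint that is not
   white-listed. Fills out[0..1] and returns how many entries were chosen. */
int endpoints_to_block(const char *src, const char *dst,
                       const cidr_t *wl, size_t n, const char *out[2]) {
    int count = 0;
    if (!is_whitelisted(src, wl, n)) out[count++] = src;
    if (!is_whitelisted(dst, wl, n)) out[count++] = dst;
    return count;
}

int main(void) {
    /* Constructed demo: the pfSense box's LAN is white-listed, a reply-direction
       alert (flow:from_server) has the server as source and the attacker as destination. */
    cidr_t wl[1];
    const char *out[2];
    int n;
    parse_cidr("192.0.2.0/24", &wl[0]);
    n = endpoints_to_block("192.0.2.10", "203.0.113.5", wl, 1, out);
    for (int i = 0; i < n; i++) printf("workaround would block: %s\n", out[i]);
    printf("flow-based attacker: %s\n",
           attacker_by_flow("192.0.2.10", "203.0.113.5", "flow:from_server,established;"));
    return 0;
}
```

Both policies agree on the reply-direction alert in the demo (the destination 203.0.113.5 is banned), but they fail differently: the flow-based choice is wrong when a rule carries no flow keyword yet fires on server replies, while the white-list workaround is wrong when a legitimate remote peer that is not white-listed appears on the other side of an alert, which is the side effect the report asks the development team to evaluate.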