Thursday, January 26, 2006

Snort2c + Expiretable

I have mentioned snort2c previously in this post. A few things I would like to point out: snort must be compiled with flex-resp (flexible response) in order to perform active response against a threat. Another thing I would like to share is expiretable, which removes entries from the pf table specified by name once they are older than a given age. Again, a quick look at what snort2c is: snort2c monitors snort's alert file using a kqueue filter and blocks any attacker IP that is not in the whitelist file. It uses a (persist) table and a (block in) rule that blocks any access against our network.

So it's all about the pf table now. Since snort2c doesn't have a feature that automatically flushes the table's entries (it is in the snort2c todo list, indeed), expiretable is what we need. Since it is in the OpenBSD -current ports tree, I can just install it from the latest packages.

shell>export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/

shell>pkg_add ${PKG_PATH}expiretable-0.5.tgz

Then I quickly added the snort2c table to /etc/pf.conf:

EXT=pcn0

scrub all

table <snort2c> persist

pass in on $EXT from any to $EXT keep state

block in quick on $EXT from <snort2c>

Now we can specify the age after which a table entry is flushed. This is useful because we no longer have to remove blocked IP addresses from the table by hand; they are flushed automatically after a certain period, which eases the job of removing individual IPs or flushing the whole table.

With expiretable installed, I just need to run it as a cron job:

shell>crontab -e

Add this line at the end of the file.

*/5 * * * * /usr/local/sbin/expiretable -t 1800 snort2c

So expiretable will run every 5 minutes and flush snort2c table entries that are older than 30 minutes (1800 seconds). expiretable-0.6 is out and you may try it out if you feel adventurous.
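To make the two halves of this setup concrete, here is an added example (it is not snort2c's code, not expiretable's, and not from the original post) written as a small POSIX sh script. It walks the same decision snort2c makes: pull the attacker's source IP out of each snort "fast" alert line, drop anything on the whitelist, and print the pfctl command that would add the rest to the <snort2c> table. It then mirrors the age check expiretable -t performs against a constructed "ip epoch_added" snapshot. The alert lines, whitelist and table snapshot are all constructed sample data using RFC 5737 documentation addresses; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of snort2c, expiretable or the original post.
# 1. extract the attacker's source IP from each snort -A fast alert line
# 2. drop any IP that is on the whitelist (exact match, one IP per line)
# 3. print the pfctl command that would add the rest to <snort2c>
# 4. mirror expiretable's age check on constructed "ip epoch" records

# Constructed sample alert lines in snort -A fast format (documentation
# addresses, not real hosts). 198.51.100.5 is our own server.
ALERTS='01/26-10:15:02.112233  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
01/26-10:15:09.445566  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4021 -> 198.51.100.5:80
01/26-10:16:30.778899  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
01/26-10:17:00.000000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.1:5555 -> 198.51.100.5:80'

# Constructed whitelist: the upstream gateway and our resolver. A false
# positive against either would cut the sensor off from the network.
WHITELIST='198.51.100.1
198.51.100.53'

# Source IP of every alert (the address left of "->"), sorted, deduplicated.
alert_src_ips() {
    printf '%s\n' "$1" |
        sed -n 's/.*} \([0-9.]*\):[0-9]* -> .*/\1/p' |
        sort -u
}

# Remove candidates that appear in the whitelist. grep -x -F forces a
# whole-line literal match, so 192.0.2.1 does not whitelist 192.0.2.10.
drop_whitelisted() {
    for ip in $1; do
        if printf '%s\n' "$2" | grep -q -x -F "$ip"; then
            continue
        fi
        printf '%s\n' "$ip"
    done
}

# The pfctl invocation per IP. Printing it instead of running it keeps the
# script safe to execute on a box without pf; pipe into sh on the firewall.
block_commands() {
    for ip in $1; do
        printf 'pfctl -t snort2c -T add %s\n' "$ip"
    done
}

# What "expiretable -t TTL" decides: given "ip epoch_added" records and the
# current epoch, print the addresses whose age exceeds TTL seconds.
expired_entries() {
    printf '%s\n' "$1" | awk -v now="$2" -v ttl="$3" 'now - $2 > ttl { print $1 }'
}

# Stand-alone run: what would be blocked, then what would be expired.
candidates=$(alert_src_ips "$ALERTS")
block_commands "$(drop_whitelisted "$candidates" "$WHITELIST")"
# Constructed table snapshot: 192.0.2.10 added 2000 s ago, 203.0.113.7 500 s ago.
expired_entries '192.0.2.10 1138270000
203.0.113.7 1138271500' 1138272000 1800
```

Two things worth keeping in mind when you wire this to the real cron job above: because expiretable only runs every 5 minutes, an entry actually stays in the table for somewhere between 30 and 35 minutes rather than exactly 1800 seconds, and the whitelist check is the only thing standing between a spoofed-source alert and a block on your own gateway, so keep it current. Newer pfctl(8) versions also offer -T expire as a built-in alternative to expiretable for the same age-based removal.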

Have fun with IPS :]
