asheehy
August 11th, 2002, 23:01
Hello

I have been trying to use Snort 1.8.6 and 1.8.7 (www.snort.org) on my OpenBSD 3.1 firewall. Snort is working fine except for the FlexResp function, which allows Snort to send packets if certain alert conditions are set off. I want to use this functionality to block some of the folks from browsing web pages with certain kinds of content (we are under new management). I have libnet installed and it seems to be working OK.

If anyone could help with getting Snort working, or can recommend another way of doing the same thing without breaking the bank, I would appreciate it.

bsdjunkie
August 11th, 2002, 23:07
Check out Hogwash for snort. Great program.

http://hogwash.sourceforge.net/ :roll:

elmore
August 11th, 2002, 23:08
What specifically are you trying to block? pr0n?

You might be better served with an invisible proxy, which serves to only cache and filter web content, such as Squid. I have Snort with FlexResp installed at work to monitor pr0n requests over a given sensor; it has lots of false alarms.

asheehy
August 12th, 2002, 17:12
> Check out Hogwash for snort. Great program.
>
> http://hogwash.sourceforge.net/ :roll:

I have tried Hogwash and have the same problem. I said originally that LibNet was working, but I was wrong... kind of.

Snort and its derivatives seem to look for LibNet in the wrong place. I have not figured out where yet.

bsdjunkie
August 12th, 2002, 17:18
Not sure off hand, but is there a ./configure option in snort to make it look where your libnet is installed?
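As an added example (my own, not something posted in this thread), here is a small POSIX sh helper that checks the usual prefixes for a libnet install and prints the configure line to point Snort at it. The --enable-flexresp, --with-libnet-includes and --with-libnet-libraries options are the names I recall Snort 1.8's configure accepting; confirm them with ./configure --help before relying on them, and the candidate prefixes are assumptions.

```sh
#!/bin/sh
# Added example: find where libnet actually landed and build the configure
# line Snort needs.  The configure flag names are as I recall them from
# Snort 1.8's ./configure --help; the candidate prefixes are assumptions.

# find_libnet_prefix PREFIX... : print the first prefix that holds both
# include/libnet.h and lib/libnet.a (or a shared libnet.so*); fail if none does.
find_libnet_prefix() {
    for prefix in "$@"; do
        [ -f "$prefix/include/libnet.h" ] || continue
        if [ -f "$prefix/lib/libnet.a" ] || ls "$prefix"/lib/libnet.so* >/dev/null 2>&1; then
            printf '%s\n' "$prefix"
            return 0
        fi
    done
    return 1
}

# snort_configure_line PREFIX : print the configure invocation for that prefix.
snort_configure_line() {
    printf './configure --enable-flexresp --with-libnet-includes=%s/include --with-libnet-libraries=%s/lib\n' "$1" "$1"
}

# Typical use on the firewall: OpenBSD packages install under /usr/local,
# a hand-built libnet 1.0.x often under /usr or a prefix of your choosing.
if prefix=$(find_libnet_prefix /usr/local /usr /opt/libnet); then
    echo "libnet found under $prefix; configure Snort with:"
    snort_configure_line "$prefix"
else
    echo "no libnet install found in the usual prefixes; check the output of 'make install'" >&2
fi
```

The header and the library are checked separately on purpose: a package that ships only the shared library (or only the headers) is exactly the half-installed state that makes configure's libnet probe fail while ldconfig still reports the library as present.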

asheehy
August 12th, 2002, 17:46
> What specifically are you trying to block? pr0n?
>
> You might be better served with an invisible proxy, which serves to only cache and filter web content, such as Squid. I have Snort with FlexResp installed at work to monitor pr0n requests over a given sensor; it has lots of false alarms.

Yeah, pr0n. It is OK for users to spend hours checking mortgage rates and their stock portfolios, but pr0n has become a hot-button topic. :roll:

I have been logging for a couple of weeks now and the falsies have been low enough that blocking will not cause any serious hardships. Mostly web based e-mail sites where people accumulate a lot of SPAM.

An invisible proxy is an attractive solution, but I have 6 sites with different Internet feeds and I don't want to have to set up 6 proxy boxes. All the connections are DSL, so it would be too slow to force all sites to one proxy.

If I cannot get FlexResp to work, then I can be satisfied with logging.

elmore
August 12th, 2002, 19:40
If all your sites are VPNed with IPsec you could always force them to leave from one site to the Internet, thus having only one proxy, although this might be god-awful slow; with DSL I'm not really sure.

|MiNi0n|
August 12th, 2002, 21:17
> If all your sites are VPNed with IPsec you could always force them to leave from one site to the Internet, thus having only one proxy, although this might be god-awful slow; with DSL I'm not really sure.

Squid's dead simple to set up (takes longer to make than to config :) and there's no reason you couldn't put it on the firewalls you're NATing the DSL through if you're trying to avoid building more boxes... I like to keep my firewalls as clean as possible, but in your situation it might not hurt.
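An added example (my own, not posted in this thread) of the setup |MiNi0n| is describing: Squid running on the OpenBSD 3.1 firewall, pf redirecting the LAN's port 80 traffic into it, and a url_regex ACL doing the blocking. The Squid directives follow Squid 2.x and the redirect rule follows the nat.conf syntax of OpenBSD 3.1 as I remember them (later releases merged rdr rules into pf.conf); the interface name, LAN subnet, paths and the pattern file are assumptions.

```conf
# --- /etc/squid/squid.conf fragment (Squid 2.x directives) ---
http_port 3128

# Transparent ("invisible") mode: serve requests that pf redirected here even
# though the browsers have no proxy configured.  Squid rebuilds the URL from
# the Host header, so the url_regex ACL below still sees the full URL.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Assumed LAN range and an assumed pattern file: one regex per line,
# e.g. (constructed)  ^http://([^/]*\.)?blocked-example\.test/
acl localnet src 192.168.1.0/24
acl blocked_sites url_regex -i "/etc/squid/blocked_urls.txt"

# Deny the pattern matches first, then allow the LAN, then deny the rest.
http_access deny blocked_sites
http_access allow localnet
http_access deny all

# --- /etc/nat.conf fragment (OpenBSD 3.1; pfctl -N loads it) ---
# fxp1 is the assumed internal interface.  Only traffic arriving on it is
# redirected, so the firewall's own outbound fetches are left alone.
rdr on fxp1 proto tcp from 192.168.1.0/24 to any port 80 -> 127.0.0.1 port 3128

# --- /etc/pf.conf fragment ---
# Needed only if the filter policy is default-deny: the filter sees the
# translated destination, i.e. Squid on the loopback address.
pass in on fxp1 proto tcp from 192.168.1.0/24 to 127.0.0.1 port 3128 keep state
```

Denying the blocked_sites ACL before allowing localnet is what makes the filter bite; reverse those two lines and the allow matches first. Everything, blocked or not, still lands in Squid's access log, so the false-positive review asheehy has been doing on the Snort logs can carry on from the proxy side before the pattern list is tightened.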

asheehy
August 13th, 2002, 12:03
elmore wrote:
> If all your sites are VPNed with IPsec you could always force them to leave from one site to the Internet, thus having only one proxy, although this might be god-awful slow; with DSL I'm not really sure.
>
> Squid's dead simple to set up (takes longer to make than to config :) and there's no reason you couldn't put it on the firewalls you're NATing the DSL through if you're trying to avoid building more boxes... I like to keep my firewalls as clean as possible, but in your situation it might not hurt.

All my sites are VPNed with IPsec, but the upload speeds on DSL are prohibitive.

I too like to keep my firewalls as clean as possible, but I am going to try Squid and see what the impact is. I have wanted to try Squid anyway.

Thanks for the input folks.