[Snortsam-discussion] Seeking "Best Way" to use PF2 plugin and Pfsense
Paul Tatarsky
paul at tatarsky.com
Thu Jun 4 21:44:41 EDT 2009
I have hacked together a basic way to use Snortsam with PfSense
firewalls. Now I would like to see if I'm an idiot on a couple of topics
and if I've re-invented the wheel or missed something easier in the
module or somebody else doing this better.
For starters, Pfsense is this pup if you've not seen it:
http://www.pfsense.com/
It's not all pretty and wrapped yet, but not being a PF expert I had a
question about "anchors" and the PF2 snortsam plugin. Can anyone more
PF-literate than me validate my plan here?
Pfsense already has included in its default configuration a table to
block via the snort2c project.
http://snort2c.sourceforge.net/
As far as I can tell it's a global table created at boot by these PF
commands:
# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
But I like issuing snortsam "blocks" from a set of correlation sensors
to other devices...
So I built snortsam and deployed it on some pfSense sensors "by hand"
and allowed the "command station" access to the snortsam port.
Then I used the pf2 module to do the following with this config:
/etc/snortsam.conf:
pf2 anchor=none table=snort2c
And I've slightly tweaked ssp_pf2.c to drop the "_in" and "_out" added
table names because right now I just want to block IPs regardless of
direction (Am I foolish here?). I am working on making that cleaner but
for now this is a "quick shun" style solution.
Then I've wrapped the section in change_table with a strncpy to not set
an anchor if the anchor is "none". Yeah, that's lame (the code defaults to
an anchor of "snortsam" if not set in the config), but the end result is
when I issue from my central location a request to block an IP I get
entries in the proper global table:
samtool -b -ip 99.99.99.99 -dur "1 min" (cred)
# pfctl -t snort2c -T show
99.99.99.99
And that IP is blocked since it's already configured to do so "out of the
box".
Questions:
Should I change Pfsense to use an anchor?
Should I alter the defaulting of the anchor and just detect a NULL
string for the anchor? (Compared to my silly "none" = skip anchor)
Is this of use to anyone besides me with my small farm of pfSense firewalls?
And, with a grin, does anybody understand pfSense packages very well so
I could add the basic configuration of snortsam.conf to the web GUI?
Many thanks to Olaf Schreck for the pf2 module and the fine maintainers
of Snortsam regardless.
I can post a diff with my "hack" but wanted to see if anybody has better
ideas or interest.
--
----------------------------------------------------------
Paul Tatarsky paul at tatarsky.com
http://www.tatarsky.com/
----------------------------------------------------------
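The message describes a pf2 plugin configured with "anchor=none" and a global "snort2c" table, and verifies the shun with "pfctl -t snort2c -T show". The following is an added example (not code from this post or from the snortsam project) that models those pieces on the defender's side: it renders the pfctl table commands for the anchored and global cases, treats "none" or an empty anchor as "no anchor" (the behaviour the poster hacked into ssp_pf2.c), renders the same pair of "block quick" rules pfSense ships for snort2c, and checks whether a given IP is covered by a captured "-T show" listing. The function names, the "src"/"dst"/"both" direction vocabulary and the sample pfctl output are constructed for illustration; the script never executes pfctl itself, so it runs anywhere.

```python
"""Helpers for reasoning about snortsam-style shuns in pf tables.

Added example, not from the email or the snortsam project. Assumes only the
documented pfctl syntax `pfctl [-a anchor] -t table -T add|delete addr`,
`pfctl -t table -T show`, and the `block quick` rule pair pfSense ships for
snort2c. Nothing here calls pfctl; it only renders and parses.
"""
import ipaddress
import shlex
from typing import List, Optional, Set, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def effective_anchor(anchor: Optional[str]) -> Optional[str]:
    """Map the config value to a real anchor name.

    Empty string, None or the literal "none" (the poster's sentinel) all mean
    "operate on the global table, no -a flag". This is a constructed policy,
    not the plugin's own behaviour.
    """
    if anchor is None or anchor.strip() == "" or anchor.strip().lower() == "none":
        return None
    return anchor.strip()


def pfctl_table_cmd(action: str, table: str, addr: str,
                    anchor: Optional[str] = None) -> str:
    """Render the pfctl command that adds or deletes one address in a table.

    The address is validated with ipaddress first so that junk from a remote
    sensor can never reach the shell; the result is shell-quoted with shlex.
    """
    if action not in ("add", "delete"):
        raise ValueError(f"unsupported action {action!r}")
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
    cmd = ["pfctl"]
    real_anchor = effective_anchor(anchor)
    if real_anchor:
        cmd += ["-a", real_anchor]
    cmd += ["-t", table, "-T", action, str(ip)]
    return shlex.join(cmd)


def block_rules(table: str, direction: str = "both",
                label: Optional[str] = None) -> List[str]:
    """Render the table declaration and block rules in the snort2c style.

    direction: "src" blocks packets whose source is in the table, "dst" blocks
    packets whose destination is in the table, "both" emits both rules. This
    mirrors the two rules pfSense ships for <snort2c>; with "both" and the
    default label the output matches them line for line.
    """
    if direction not in ("src", "dst", "both"):
        raise ValueError(f"unsupported direction {direction!r}")
    label = label or f"Block {table} hosts"
    rules = [f"table <{table}> persist"]
    if direction in ("src", "both"):
        rules.append(f'block quick from <{table}> to any label "{label}"')
    if direction in ("dst", "both"):
        rules.append(f'block quick from any to <{table}> label "{label}"')
    return rules


def parse_table_show(output: str) -> Set[Net]:
    """Parse `pfctl -t <table> -T show` output into a set of networks.

    pfctl prints one entry per line (indented); single hosts and CIDR entries
    are both accepted, hosts becoming /32 or /128 networks.
    """
    entries: Set[Net] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        entries.add(ipaddress.ip_network(line, strict=False))
    return entries


def is_blocked(addr: str, show_output: str) -> bool:
    """True if addr falls inside any entry of the captured table listing."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in parse_table_show(show_output))


# Constructed sample of `pfctl -t snort2c -T show` after a shun and one CIDR.
SAMPLE_SHOW = "   99.99.99.99\n   10.0.0.0/24\n"

if __name__ == "__main__":
    print(pfctl_table_cmd("add", "snort2c", "99.99.99.99", anchor="none"))
    print(pfctl_table_cmd("delete", "snortsam_in", "99.99.99.99", anchor="snortsam"))
    print("\n".join(block_rules("snort2c")))
    print("99.99.99.99 blocked:", is_blocked("99.99.99.99", SAMPLE_SHOW))
```

Feeding a real "pfctl -t snort2c -T show" capture to is_blocked gives a quick post-shun check from the command station without having to eyeball the listing, and rendering the commands through shlex.join means a malformed address from a sensor fails in ipaddress rather than becoming part of a shell line.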