GUARDIAN : Block internet IP when snort rule is triggered by outbound rule

Questions to IPFire Addons.
vbonne
Posts: 5
Joined: June 7th, 2016, 10:02 pm

GUARDIAN : Block internet IP when snort rule is triggered by outbound rule

Post by vbonne » February 22nd, 2017, 11:53 pm

Hi all,

I have found a similar post talking about that but no solution is explained.
I would like Guardian to ban some internet IP when they are involved in trojan, ransomware requesting keys, etc.
In my logs I saw many of these :

Date:	02/22 18:16:29 	Name:	PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection
Priority:	3 	Type:	Misc activity
IP info: 	192.168.X.X:55569 -> 208.91.196.46:80
References:	http://virustotal.com/en/file/c6828c8bcce6786b39427fc5ad9df2f8163d3b8a7b3b5f8a5c5790c4488039f7/analysis/
	SID: 	40356
But guardian never blocks this ip : 208.91.196.46
for information (192.168.X.X) happens to be the IPFire IP address assigned by the optic fiber modem, so for IPFire it is its public IP address (and of course I have put this IP in the DMZ of the modem)

I have guardian running on all interfaces with priority 3 and I have lowered the Strike Threshold (Snort) to 1 to see if this would do anything, but no...

Did someone ever manage to have Guardian block an external IP address as a consequence of a snort outbound rule being triggered?
Many thanks !

twilson
Posts: 457
Joined: October 31st, 2014, 9:26 am
Location: Germany

Re: GUARDIAN : Block internet IP when snort rule is triggered by outbound rule

Post by twilson » February 23rd, 2017, 1:31 pm

Hello,

as far as I am concerned, Guardian never blocks IP addresses of the firewall or the DNS servers to avoid network breakdowns.

Further, it looks like this is an issue of the Intrusion Detection System (snort) since the originating IP address has already been "masked" by the firewall NAT. If it was the other way round, the IDS would perhaps see the real IP address of the infected computer.

However, only blocking the source IP is quite a limitation here. Maybe Guardian should perform a "lookup" of the source IP and if it's from internal networks, it will be blocked, too. But since my programming skills are very limited, this is an issue for the developers to solve. ::)

Personally, I would be interested to know if Guardian is only blocking network traffic from the IP, but not to it. This might be useful in scenarios like C&C-Servers, which are usually queried by clients, but not sending attacks against the firewall itself. Blocking only inbound connections wouldn't be sufficient here.

Best regards,
Timmothy Wilson
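
As an added example (not Guardian's or IPFire's code), the "lookup" idea from the post above worked through in Python against the alert layout quoted in the first post: the side that is neither a private address nor a protected address (firewall, DNS servers) is the one to block, and for a C&C address the block has to cover both directions. The sample alert, the protected-address list and the generic iptables FORWARD rules are assumptions, not Guardian's own chains or configuration.

```python
# Added example, not code from Guardian or IPFire. It parses a snort alert in the
# layout quoted in this thread and applies the "lookup" proposed above: when the
# source side is the firewall's own (NAT'd) address or an internal one, the remote
# destination is the address worth blocking, and it is dropped in both directions.
import ipaddress
import re

# Constructed sample: the alert from the first post with 192.168.X.X replaced by a
# made-up 192.168.1.2 and the reference URL replaced by a placeholder.
SAMPLE_ALERT = (
    "Date:\t02/22 18:16:29 \tName:\tPUA-ADWARE Win.Trojan.InstantAccess variant outbound connection\n"
    "Priority:\t3 \tType:\tMisc activity\n"
    "IP info: \t192.168.1.2:55569 -> 208.91.196.46:80\n"
    "References:\thttps://example.invalid/reference-placeholder\n"
    "\tSID: \t40356\n"
)

IP_INFO = re.compile(r"IP info:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)")

def parse_alert(text):
    """Return the fields the blocking decision needs from one alert block."""
    m = IP_INFO.search(text)
    if m is None:
        raise ValueError("no 'IP info' line in alert")
    return {
        "name": re.search(r"Name:\s*(.+)", text).group(1).strip(),
        "priority": int(re.search(r"Priority:\s*(\d+)", text).group(1)),
        "sid": int(re.search(r"SID:\s*(\d+)", text).group(1)),
        "src": ipaddress.ip_address(m.group(1)),
        "dst": ipaddress.ip_address(m.group(3)),
    }

def pick_block_target(alert, protected, max_priority=3):
    """Return the address to block as a string, or None.

    protected: addresses never blocked (firewall's own IPs, DNS servers), the
    exclusion described in the post above. Non-global addresses (RFC1918, loopback,
    documentation ranges) are skipped as well, so an outbound alert whose source is
    the NAT'd firewall address still yields the remote destination.
    """
    if alert["priority"] > max_priority:
        return None
    never = {ipaddress.ip_address(p) for p in protected}
    for side in ("src", "dst"):
        ip = alert[side]
        if not ip.is_global or ip in never:
            continue
        return str(ip)
    return None

def block_rules(ip):
    """Generic iptables rules (assumed chain, not Guardian's) dropping both directions,
    since C&C traffic is client-initiated and an inbound-only block would miss it."""
    return [f"iptables -I FORWARD -d {ip} -j DROP", f"iptables -I FORWARD -s {ip} -j DROP"]
```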

vbonne
Posts: 5
Joined: June 7th, 2016, 10:02 pm

Re: GUARDIAN : Block internet IP when snort rule is triggered by outbound rule

Post by vbonne » February 28th, 2017, 6:36 pm

Hi Timmothy,

I am not sure I have been very clear because what you are saying is exactly what I am looking for.

I am not interested in Snort blocking any internal IP or firewall IP. In the rule I posted above the internet IP that triggers this outbound rule is clearly identified and I would be interested to know why Guardian does not block outbound communications to it...

like you say: "Personally, I would be interested to know if Guardian is only blocking network traffic from the IP, but not to it. This might be useful in scenarios like C&C-Servers, which are usually queried by clients, but not sending attacks against the firewall itself. Blocking only inbound connections wouldn't be sufficient here."

This is exactly what I am trying to investigate...

Anybody ever manage to configure snort and guardian for this?
A supplier of mine just got his servers infected by ransomware and I would like to have IPFire block any suspicious outbound communication in order to prevent those viruses from requesting the encryption key from their servers...

Thanks again for any idea to progress on this.

Regards

Vincent

twilson
Posts: 457
Joined: October 31st, 2014, 9:26 am
Location: Germany

Re: GUARDIAN : Block internet IP when snort rule is triggered by outbound rule

Post by twilson » February 28th, 2017, 7:10 pm

Hello Vincent,

you're right, sorry for the misunderstanding. I have exactly the same question (and don't know a solution to it), perhaps it might be a good idea to file a bug report about this.

The IP address 208.91.196.46 seems to be a very well known one: https://cymon.io/208.91.196.46
It is located on the British Virgin Islands (an offshore location!) and operated by Confluence Networks Inc., which seems to be a bullet-proof hoster.

GeoIP Country Edition: VG, Virgin Islands, British
GeoIP City Edition, Rev 1: VG, 00, N/A, Road Town, N/A, 18.416700, -64.616699, 0, 0
GeoIP ASNum Edition: AS40034 Confluence Networks Inc
As a temporary solution, I suggest blocking all traffic from and to the British Virgin Islands (country code: VG) by setting up an appropriate firewall rule. (I am doing something similar in my networks: only certain countries are allowed as a destination using a GeoIP group and a firewall rule.)

However, some ransomware seems to work even without an internet connection, so I fear that this might not solve the problem... sorry about it. :-\

Best regards,
Timmothy Wilson
