@digidax said in snort: restarting needed if IP list edited?:

@bmeeks
OK, will take a look into the logs to see, if the updates of the list are imported successful.

OT Question: in the blocked tab, I see the "Last 500 Hosts Blocked by Snort ". In the browser, I can use CTRL+f to search for an IP.

a) is it possible, as a future feature, to get a search filed for an IP when the list is larger, > 2000 entries?

I don't really understand why you would want the block list to grow like that. The suggested setup is to enable the automatic cron task (on the GENERAL SETTINGS tab) that clears blocked hosts who have seen no traffic for the interval specified in the parameter on that tab. For example, if you choose 1 hour, then any IP in the block list that has seen no traffic for the last hour will be automatically removed from the block list after the interval has expired.

There is really no point in maintaining huge block lists. If the same host attacks again, then Snort will detect and block it again. It is usually sufficient to block a host for 15 minutes to an hour. If you have not already, I strongly recommend you enable that setting and configure it for either 30 minutes or 1 hour max.

Snort blocks by making a pfSense system call and inserting the offending IP into a pf table called snort2c. That table is created by pfSense during bootup, and it is a RAM construct. So when the firewall is restarted, that table is recreated from scratch.

b) can I use a command line command to search for a blocked IP and remove it from snort's blocklist?

You can manage the pf firewall engine using the pfctl utility. Here is a link to its documentation: https://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8.

Thanks, Frank

Might be a browser caching issue -- maybe with stored credentials and auto-login enabled for the browser.

There is nothing in the Suricata package at all related to logging in to pfSense. The suricata_interfaces.php page is the default landing page when you click Suricata under the SERVICES menu in pfSense.

Did you perhaps have multiple tabs open? Or maybe had an open, but expired, tab on the Suricata Interfaces page and then opened a different tab to login to the firewall GUI?

@enicolau said in suricata not starting:

@bmeeks Thanks for responding, I'm using pfsense, from the gui there is no more data that it doesn't start, there is nothing else, so I start it by ssh but I can't think of much else

I don't think you understand how Suricata works on pfSense. You MUST use the GUI for everything. You CANNOT do things from the command-line -- including starting it by SSH. The suricata.yaml file you see in /usr/local/etc/suricata is not the file used by the Suricata processes on pfSense. Each configured instance (in the GUI) has its own unique subdirectory underneath /usr/local/etc/suricata/, and all of the configuration information for that instance resides in the subdirectory. At startup time, the suricata.yaml file is created from scratch using information stored by the GUI code in the firewall's config.xml file.

The errors in the startup log clearly indicate issues with your NIC driver. It is not playing well with Suricata. I have no idea why, but it is not. Notice these two lines:

27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RX#01-vtnet1" failed to initialize: flags 0145 27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine initialization failed, aborting...

That SC_ERR_FATAL error is why Suricata is not starting, and that error is ocurring when Suricata attempts to initialize that card.

Your second problem is attempting to run Suricata using the UNIX socket. That is not currently supported on pfSense.

27/1/2022 -- 08:46:55 - <Info> - Running in live mode, activating unix socket 27/1/2022 -- 08:46:55 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'

And you appear to be trying to pass BPF parameters via the command-line based on this line in the startup log:

27/1/2022 -- 08:46:55 - <Info> - BPF filter set from command line or via old 'bpf-filter' option.

That option is not supported on pfSense either. And the filter you are providing has a syntax error as evidenced by this line in the log file:

27/1/2022 -- 08:44:41 - <Error> - [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error can't parse filter expression: syntax error

Here is a link with instructions for setting up Suricata on pfSense. It may help you understand how to properly do this.

https://lawrencesystems.com/suricata-network-ids-ips-installation-setup-and-how-to-tune-the-rules-alerts-on-pfsense-2020/

@jcascante said in Snort fails to start:

@bmeeks
Hello, just to let you know the workaround works
I put a higher value in the "overlap-limit", then save the configuration, returned the value to zero, check the snort.conf file and this time it saved the value. Finally, I started the service and now it's working

Thanks for your help

Glad you got it working. That was an unusual issue. Sounds like something weird got saved in the config.xml file for that particular parameter.

Well I'm not smart enough to make a custom feed; but did find good stuff to ease my mind.
Suricata Rules
SID 2527000 and 2527001
The message portion states ET Threatview.io High Confidence Cobalt Strike C2 IP group 1 and group 2. So...that is what I was looking for.
Comes into the system with the emerging-threatview_CS_c2.rules category.

Mystery solved.
Thanks for the brainpower expended.

@patch I am learning how to use Haproxy's reverse proxy and using private domain (secret TLS/SNI) to help make the PBX more secure in the DMZ...very interesting...I'll post in the proxy section questions I may have.

@dooley said in Transparent IPS/IDS:

@bmeeks said in Transparent IPS/IDS:

If you went the bare metal way with inline IPS as I recommend, you would get full line rate with no sweat.

Do you have any suggestions where I can get a start on sourcing info to head in this direction?

I appreciate your input @bmeeks and you taking the time out of your day to give me guidance on this matter.

First, you will need to get comfortable working with either FreeBSD or Linux at the command line interface. Both are more or less the same. I would tilt towards FreeBSD simply because that is what pfSense is based on, and FreeBSD is said to have the better network stack.

Install FreeBSD (or Linux) on suitable hardware. As I mentioned, you will need three NICs to make things easy. One is your managment interface and should get an IP address from your LAN. The other two get no address assigned. They are simply going to be input and output ports running in promiscuous mode.

Next you install Suricata on the machine. On FreeBSD, there is a package in the ports tree. For Linux, there are also suitable packages available for installation.

Here is the official Suricata documentation: https://suricata.readthedocs.io/en/suricata-6.0.4/.

Here is the subsection for configuring IPS Inline Mode on Linux: https://suricata.readthedocs.io/en/suricata-6.0.4/setting-up-ipsinline-for-linux.html.

And here is a link showing how to install Suricata in IPS mode on Ubuntu Linux: https://www.digitalocean.com/community/tutorials/how-to-configure-suricata-as-an-intrusion-prevention-system-ips-on-ubuntu-20-04.

One last thing I will mention is that administering an IPS is a big challenge and requires quite a bit of knowledge and experience. If you are new to this, prepare to be very frustrated initially by false positive blocks. For that reason, you really should run a setup in IDS mode for a month to see what alerts get triggered on your network. You then selectively "tune" your rule set to get rid of false positives. Only then should you turn on the blocking of traffic using IPS mode.

No, Suricata has no feature to allow that. The closest you can get is to create your own cron tasks (two of them) that stop Suricata for the duration of your scan, and then start it again when the scan is complete.

You can stop and start Suricata using the shell script /usr/local/etc/rc.d/suricata.sh.

The commands would be:

/usr/local/etc/rc.d/suricata.sh stop /usr/local/etc/rc.d/suricata.sh start

Those commands will stop and start Suricata on all configured interfaces. It goes without saying that with the Suricata processes stopped, all hosts are unprotected for the duration of your scan.

@bmeeks
Thank you so much for your answers and you too @Cool_Corona

Yeah I have a server (unRAID) with docker containers.
I have a domain name that forwards to my public IP of my WAN.
Then pfSense picks up the domain and provides SSL and allows access to my services behind pfSense.

Normal proxy stuff, nothing really distinct about this setup.

When I rebuild my pfSense I will probably setup VPN and kill publicly accessible stuff and just VPN in instead.

@bmeeks Yes. and I found where to set it. It fixed the drop issue. still getting the message though

That's how it appears. Or at least it "thinks" it can't see the Internet. The connection attempts on port 443 (HTTPS, or SSL connection) is timing out. That means either the remote site is down, or your personal connection is unable to reach the remote site.

Since this is happening for both Snort and Emerging Threats rules, I would think it unlikely for BOTH remote sites to be down at the same time. Thus that would point the finger over to your end of the connection as where the problem is likely to reside.

@jonathanlee

cabfile.JPG

Once cab file is open it has a text file inside.

What can cause this type of issue ?

Your post is not entirely clear. Perhaps it is a language translation issue ???

Are you saying that now your pfSense box is behind some kind of double-NAT? You must eventually have a public IP in order to route traffic (not an RFC 1918 address). However, if your pfSense box now communicates with some upstream host that in turn provides a NAT to some type of public routable IP, then your Snort rules update should still work.

I assume other Internet traffic through the pfSense box works?? Or do you really mean to say you have isolated this pfSense box from the Internet? If that is the case, then there is no method for an offline update in the Snort package. It requires Internet access to update its rules.

If you are 100% certain the origin of the traffic is from a device running the Signal app, and the captured session is from an active Signal session, then I would tend towards ruling it "false positive".

But if there is any doubt, then a thorough virus/malware scan of the machine would be in order to make sure there is no infection. That is an old worm, though. And so far as I know, there never was a mobile app variation of it -- only PC.

You need to learn to use the features on the SID MGMT tab. Go to that tab, enable the feature by checking the box, then read through all the provided sample conf files for hints on how to use the feature.

Be advised, though, that wholesale changes of the rules is not supported. The feature is mainly for selecting which rules to enable or disable using regex matching, and for altering certain rules actions from say "alert" to "drop".

If you want to create your own rules, then use the Custom Rules option on the RULES tab for an interface. On that tab, choose "Custom Rules" in the Category dropdown, and then type (or paste) your own custom rule (or rules) into the text box. Once done, save the change. Those rules will survive any rules update.

This is a limitation of the Suricata binary itself. See the thread here from the upstream Suricata forum: https://forum.suricata.io/t/suricata-behind-proxy-server/419/.

So far as I know, this limitation still exists. Suricata can log the XFF in the EVE output, but XFF cannot be used in detection rules, and thus cannot trigger alerts (which would be required to initiate a block).

Here also. My problem was that I had unchecked that box before so I lost all my setting because I had to un- and reinstall, it wouldn't run anymore.
Anyways, I will have another look if suricata will block my LAN again. 😉

So far so good, although to early to say something definite. What has changed other then the Suricata version is that I don't run any snort rules anymore.

@bmeeks yes you're correct.

sorry about that

@darcey said in Turn on logging for select built-in rules only:

@bmeeks I've taken your advice and switched to inline mode. Thank you for the help.
log4j is still hitting suricata but I no longer see any log4j traffic in the nginx log. So it would seem to have been leakage under legacy mode.
Under inline mode, I'm targetting rules in my dropsid.conf largely by classtype attributes. This seems to be a good compromise between granularity and not having too much config.
What is the significance of the caret in interface names (eve logs and suricata.log)?

26/12/2021 -- 15:10:00 - <Info> -- Using 2 live device(s). 26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2/R from vtnet2: 0x81c606000 26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2^ from vtnet2^: 0x81c606300 26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2^ from vtnet2^: 0x8345fd000 26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2/T from vtnet2: 0x8345fd300

The caret interface suffix denotes the OS endpoint of a netmap pipe. In order for Inline IPS Mode to function, two netmap pipes are created- one to send traffic, and one to receive traffic. Each pipe has an OS endpoint (called the host stack endpoint) and a NIC endpoint. Additionally, if your NIC supports multiple queues, you will see more netmap connections created for each supported queue.

So those lines in your log snippet show one netmap connection from host stack to NIC, and another from NIC to host stack. The "R" and "T" values indicate "receive" and "transmit", respectively.