IDS/IPS

• P

  Snort/Barnyard2 will not connect to MySQL (Snorby) over IPsec Tunnel.
  • piperfect

  4
  0
  Votes
  4
  Posts
  798
  Views

  P

  OK I connected a tunnel from another pfSense box using 2.2.1-RELEASE and another using version 2.0.1-RELEASE ….I get the same result. I can ping from other computers on the remote LAN subnet to computers on the local LAN subnet but not from the pfSense boxes themselves. This should be an IPsec topic not a IDS/IPS topic.  I will start a new thread in the IPsec fourm.
• V

  Snort at home - WAN or LAN?
  • virgiliomi

  5
  0
  Votes
  5
  Posts
  5681
  Views

  W

  @jeffh: In addition to what Bill said, what I do is run Snort on both WAN and LAN interfaces. On the LAN interface I have blocking disabled and quite a few rules enabled so I can get some visibility into what is happening on my network. On the WAN interface I have blocking enabled and only specific security related rules enabled. All rules that are running on the WAN (in blocking mode) are also running on the LAN (in alert mode). This allows me to block security threats, while still seeing what NAT'd local devices are having their traffic blocked, as well as alert on other rules that may not be security threats or that may have higher rates of false positives. This is the exact same thing that I do and it works great.  It does take a bit more memory and processing power, and a lot more if you're doing barnyard.  I ended up turning the barnyard push notifications off because of this…but with this combination, you get the blocking on the WAN and can then trace it to your internal LAN ip address.
• E

  Issue with - Install Snort VRT rules option
  • Evad

  6
  0
  Votes
  6
  Posts
  1621
  Views

  E

  I thought the same as I did find a reference to that while searching the forum. I changed the Web protocol to HTTP but that didn't help… I am not sure what it is.. I have 3 W8.1 machines that do the same thing. If I get some time I'll dig a little deeper. Yes I am very glad and thanks again for your help ...
• F

  Suricata Protocol Anomalies Detection
  • fsansfil

  1
  0
  Votes
  1
  Posts
  1144
  Views

  No one has replied

• J

  Snort - Could not find the libsf_imap_prepoc file
  • jandohrmann

  3
  0
  Votes
  3
  Posts
  680
  Views

  

  Thank you for this feedback.  There are some other posts in the Package forum where the advice for Nano users is to bump up the size of /tmp (and possibly /var) because the default partition sizes are too small to download and unzip the ever larger rules tarballs.  Unfortunately, today there is no mechanism within the pfSense Package Manager system for a package to specify prerequisites that must be satisfied in order for the package to be eligible for installation.  Some example parameters that would be useful are installed RAM and free disk space on critical partitions. As a general statement, Snort or Suricata on a NanoBSD install will require a lot of careful attention and quite possibly some customizations such as you describe of increasing the default partition size for /tmp and also /var. Bill
• S

  Snort: Emerging Threats MD5 fails
  • spittlbm

  4
  0
  Votes
  4
  Posts
  1128
  Views

  S

  I think it was blocking itself, actually.  Fixed.
• 

  Alerts Showing Up, BUT Got Nothing In The Blocked List…
  • ghostshell

  13
  0
  Votes
  13
  Posts
  1656
  Views

  

  set for SRC only @duck - where is the setting you are referring to, I see many preproc's since the upgrade when there was only 1
• J

  Routing multiple sites through a single pfSense running Snort/Suricata
  • jeffhammett

  2
  0
  Votes
  2
  Posts
  485
  Views

  

  Yes, if you put Snort or Suricata on the WAN interface of your main office, then the package would see all traffic.  However, if you use NAT, the usefulness of the IDS is diminished a bit in that the only IP addresses you would ever see in the alerts will be those for the far-end Internet host and the WAN IP of your main office firewall.  It would be difficult in that scenario to track which host on your private LANs might be infected with or the target of malware. If you instead run the IDS on the LAN interfaces, you would see the IP addresses before they were NAT-mangled.  With the site-to-site VPN scenario you linked, I don't if the LAN approach would work. Bill
• E

  Unable to install Snort
  • Evad

  5
  0
  Votes
  5
  Posts
  1248
  Views

  

  @Evad: Bill, After a total reinstall of pfSense from scratch … Snort installed like above .. Failed first time and installed on second try but no GUI... Ran the 'Reinstall Snort's GUI components' to get the GUI. Created a LAN interface and then made a WAN  'Add new interface mapping based on this one' Now it works .... no errors so far..... Thanks.... Glad it's working for you now, but it should not have been that much trouble the install.  Something is up somewhere and I just need to find what it is. As for your failure to start error with this message: snort[9610]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules(904) Unknown rule option: 'stream_size That indicates a needed preprocessor was not enabled.  Most likely it was the Stream5 preprocessor.  Don't know why that would be.  It is enabled by default.  The particular rule containing that rule option is on line 904 (that's what the 904 represents) in the file /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules.  Open that file in a text editor and go to line 904 to find the rule that generated the error. Bill
• N

  Snort - Blocking googlebot's
  • notaduck

  4
  0
  Votes
  4
  Posts
  1311
  Views

  F

  Verifying Googlebot https://support.google.com/webmasters/answer/80553?hl=en Google crawlers https://support.google.com/webmasters/answer/1061943?hl=en F.
• W

  Snort False positive shutterstock.com 192.33.31.57
  • warren.cohn

  2
  0
  Votes
  2
  Posts
  1235
  Views

  

  There will be a description on the ALERTS tab for the alert generated by the IP address.  Post that alert description here.  If you are sure the alert is a false positive, you can either suppress that entire SID, or just suppress the SID when the IP matches the one in question. Post the actual alert description that is printed along with the blocked IP either on the ALERTS tab or the BLOCKS tab. Bill
• J

  Preferred method for modifying existing SID?
  • jeffhammett

  3
  0
  Votes
  3
  Posts
  663
  Views

  F

  You could probably double mod it: 10010 "content:" "content:!" 10010 "xxx" "yyy" But, depending on how many rules you have to mod, I would personnally make a custom rule for your needs and keep the original intact. Who knows, what if the original triggers one day?
• G

  Snort and quickassist
  • grandrivers

  2
  0
  Votes
  2
  Posts
  906
  Views

  P

  I think the answer is not quite yet… I found this information in https://forum.pfsense.org/index.php?topic=86732.0 @gonzopancho: QuickAssist isn't supported in pfSense today, but we are actively working on a driver (with deep assist from Intel) to go back into the FreeBSD tree. I believe this is the last hoop to jump through before it is supported however, since according to this article it has been integrated in Snort since 2010 (Snort 2.9 Beta). http://www.securityweek.com/sourcefire-accelerates-snort-performance-intel-pattern-matching-technology-faster-detection
• G

  Network trogan detected in snort logs
  • godlyatheist

  24
  0
  Votes
  24
  Posts
  6455
  Views

  

  Glad you found it!  Just leave Snort running on the LAN interface.  When using NAT, it will be easier to identify problem LAN hosts when Snort is on the LAN and can see the real IP addresses before they are altered by the NAT engine. Bill
• J

  Column headers for downloaded Snort alert logs
  • jeffhammett

  4
  0
  Votes
  4
  Posts
  754
  Views

  

  @jeffh: Thanks fsansfil, that looks good, but it looks like there might be one more column. Between the DPort and Class columns I have a column with large numbers. These numbers don't appear in the Alerts in the GUI, so I am having a hard time matching them up. Any help would be appreciated. That is the IP Header ID field. Bill
• J

  Snort pcap files
  • jeffhammett

  3
  0
  Votes
  3
  Posts
  1858
  Views

  

  @fsansfil is spot on with his answer.  You will find all the files in the /var/log/snort tree.  In that tree there will be a subdirectory for each configured Snort interface.  The name will be a combination of a GUID and the physical interface name (for example, em0 is one if you have an older Intel NIC). Bill
• R

  Pfsense 2.2 snort install issues
  • rajbps

  7
  0
  Votes
  7
  Posts
  1957
  Views

  

  @RayP: The old firewall didn't load, but didn't give the same error.  I re-downloaded the AMD image and tried to load again.  The previous error is gone, but now it's stopping at "Additional Files…" with a failed message.  Since it's a new problem I'll look for a new thread that is related. Thanks for the help. If it fails at the "additional files…" part, that would indicate some kind of problem downloading files from the package repository server. Bill
• J

  Suricata auto update for custom rules?
  • jackyes89

  5
  0
  Votes
  5
  Posts
  3409
  Views

  

  Oh…and one other small point.  Each time you update the Suricata package (or it gets reinstalled as part of a pfSense update), you will need to repeat the hand-edit of that /usr/local/pkg/suricata/suricata_yaml_template.inc file because it will be overwritten when Suricata is reinstalled. Bill
• V

  Snort.inc missing, install failed
  • virgiliomi

  2
  0
  Votes
  2
  Posts
  790
  Views

  V

  Never mind… looks like it might've been something else... From the system log... Mar 28 14:48:45 php-fpm[44942]: /pkg_mgr_install.php: XML_RPC_Client: Connection to RPC server packages.pfsense.org:443 failed. Operation timed out 103 Mar 28 14:48:45 php-fpm[44942]: /pkg_mgr_install.php: XMLRPC communication error: Operation timed out Another attempt a bit later worked just fine.
• J

  Snort / Suricata for inbound traffic only
  • JasonJoel

  5
  0
  Votes
  5
  Posts
  1327
  Views

  J

  Yeah, I realize if the dual-homed web server is compromised then the LAN is still compromised as well. I was just thinking out loud whether making it dual homed like that with a dedicated 'outside' interface really buys me anything. And I still think it does in terms of making it a lot easier to monitor the traffic, even if it doesn't add much additional security. The other thing it allows me to do is to keep my suricata rules very tight, as there is limited traffic of a specific type going through that one interface. Again, not as good as a real DMZ, but will have to do for now until I rebuild a few things.
• J

  Mass disable Snort rules
  • jeffhammett

  4
  0
  Votes
  4
  Posts
  819
  Views

  

  @jeffh: That worked perfectly, thanks! Glad it worked.  I added that feature a few revisions back, but it has not gotten a lot of use yet so far as I can tell.  It offers an easy way to manage rules using various lines in the enablesid.conf, disablesid.conf and modifysid.conf files.  It can work with just SID values, or you can also use regular expression matching.  This functionality was ported over from the Oinkmaster and PulledPork utilities. Bill
• 

  Snort 2.9.7.2 pkg v3.2.4 – Release Notes
  • bmeeks

  6
  0
  Votes
  6
  Posts
  1180
  Views

  

  @2chemlud: Hi! No, I had an eye on the RAM on the Dashboard, nothing went out of control. And the problem is apparently at the end of the procedure (snort is there and running, only not included in the GUI), while reinstalling the rules sets for the interfaces. It worked fine during the update from 2.1.5 to 2.2 and from 2.2 to 2.2.1 on all three boxes. But this time… Kind regards I don't mean necessarily RAM as in free system memory, but rather free space on the RAM disks used for the various system partitions.  These can be filled during the package download and unpacking process.  You would really have no way of seeing them run out unless you were monitoring them in a shell session while the package installation happened in the GUI.  After Snort starts up during the installation process, it returns control to pfSense where the package manager code of pfSense completes the installation.  This last step, done by pfSense itself and not the Snort package, is where the menu entry is created under SERVICES.  That step frequently dies for some reason on Nano installs.  I think it is because of RAM disk exhaustion.  Some other users have been able to get successful installs by manually increasing their RAM disk partition sizes.  For example, increasing /tmp to 300 MB (or at least 100 MB) in size.  That is the directory partition where the package downloading, unpacking, and other temp file creation happens.  By default it is somewhat small on Nano installs. Bill
• 

  Closed Page During SNORT Upgrade
  • ghostshell

  2
  0
  Votes
  2
  Posts
  538
  Views

  

  @ghostshell: What problems would this cause? I did do an uninstall, reboot and then reinstall. If there maybe any issues at all I would like to know so I can do a fresh install. If your reinstall was successful, then things are OK with Snort.  If it shows up in the SERVICES menu and start normally, then it is OK. Bill
• T

  Snort table is nil error
  • TieT

  13
  0
  Votes
  13
  Posts
  3796
  Views

  

  @trvsecurity: Sorry to be a pain, but where in the pfsense sirectory structure can I find that file so that I can edit it? It will be in /usr/pbi/snort-amd64/etc/snort/appid/odp/libs/DetectorCommon.lua.  This is assuming you have a 64-bit install.  If you are on 32-bit architecture, change the amd64 to i386 instead. Remember that each time the auto-update process brings down a new version of OpenAppID rules, it will wipe that directory and reload it.  So any edit to that file will be lost.  On the other hand, maybe the VRT will actually fix the problem in the next update and hand editing won't be necessary. Bill
• T

  System logs fills up with "table index is nil" errors in Snort 2.9.7.2
  • trvsecurity

  2
  0
  Votes
  2
  Posts
  786
  Views

  

  @trvsecurity: This problem started with the previous version of Snort and forums said that it would be fixed however the pfsense system logs continue to fill up with the following error: snort[12893]: server /usr/pbi/snort-i386/etc/snort/appid/odp/lua/service_EIP.lua: error validating …i/snort-i386/etc/snort/appid/odp/libs/DetectorCommon.lua:318: table index is nil Anyone have a fix for this? Any help would be much appreciated! See temp fix posted by another user here: https://forum.pfsense.org/index.php?topic=89393.msg499494#msg499494
• 2

  Port 6667 - kids brought something home from school
  • 2chemlud

  7
  0
  Votes
  7
  Posts
  1226
  Views

  2

  PPS: Wanted to have a look at the firewall logs, but apparently size is fixed to 500 kB, and the log was filled with nonsense "allow multicast" messages (IGMP 224.0.0.22 and stuff like that, no rule indicated why this nonsense is logged…), so that all relevant info from yesterday is gone. I tried to find the place where I can increase the log-size, but without success... Any suggestion where to increase the size of the log files? Many thanx in advance! chemlud... Found it! Increased log size, but it still logs this 224.0.0.22 IGMP although I have for more than a year now an "allow" rule for that without (!) logging (to stop flooding the logs), but pfSense simply doesn't care and logs this traffic anyway. Don't know what to do with that.... PPPS: Erased the allow rule for IGMP from LAN to 224.0.0.22 and set it up newly, but again this traffic was in the log file. Switched to "block" and now it subsided... Strange....
• 

  Snort 2.9.7.2 update coming soon
  • bmeeks

  7
  0
  Votes
  7
  Posts
  1319
  Views

  

  The update has been approved and posted.  See the Release Notes thread in this forum for information. Bill
• S

  Getting this error on 2.2.1 release
  • Supermule

  10
  0
  Votes
  10
  Posts
  1010
  Views

  S

  After a couple of reboots, Snort started with no errors. Looking forward to 2.2.2 :D
• S

  Snort Fatal Error
  • sparkynerd

  5
  0
  Votes
  5
  Posts
  1295
  Views

  S

  You guys are GENIUS! Just to take a chance, I disabled IPV6 on my WAN, rebooted, and ba-bam! It's working now! Thanks!  ;D
• N

  Snort alert description - explanation?
  • notaduck

  2
  0
  Votes
  2
  Posts
  1225
  Views

  F

  Hello, Well if you are refering to the classtype, these are just pre-defined categories with a priority from 1-4 http://manual.snort.org/node31.html If you want to know what a specific rule is alerting for, youll have to look at the rule it self. In the GUI, go to your snort interface, select the Rules tab, and browse the categories youll be able to select the rule. Most rule have a reference part with a URL or a CVE number, that could give you some info on what the rule in looking for. Example: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;) See the reference part ? F.
• F

  Suricata $WAN_ADDRESS
  • fsansfil

  3
  0
  Votes
  3
  Posts
  685
  Views

  F

  Cool, Ill do that, thanks for your support Bill. F.
• R

  Barnyard2 high CPU usage
  • romainp

  5
  0
  Votes
  5
  Posts
  3295
  Views

  R

  I have the same feeling as you. I really do not know how barnyard2 perform with several sensors and do some queries/update. I definitively have to put some monitoring on the mysql/mariadb database to know exactly what's going on a do better things than "drop the database and reinstall snorby" :) Maybe barnyard2 itself should produce some alerting info when it sees that there is an issue with the database. Well, I will start to find some good monitoring solution for mysql and keep you updated. Romain
• J

  Can't find the snort package in the list
  • jeanr

  4
  0
  Votes
  4
  Posts
  827
  Views

  

  The latest pfSense stable release is 2.2.  Upgrade to that, and the Snort package will show up in the Packages listing.  The current Snort version is 2.9.7.0 for the binary and 3.2.3 for the GUI package. Bill
• T

  Snort Blocking Whitelisted IP
  • thx2000

  4
  0
  Votes
  4
  Posts
  2185
  Views

  

  @thx2000: Thank you!  The last paragraph was my problem.  For some reason, I assumed when adding the pass list that was modifying the default pass list.  For future reference, what is the recommended procedure for adding hosts to the whitelist?  I'm assuming I just need to update the alias, and restart the daemon on the interface?  Are there any other tricks I should be aware of? Thanks again. Yep, update the assigned alias and restart the interface. I think I will put some notifications and/or extra text on the PASS LIST tab in a future release to make this more clear.  It has tripped up several folks. Bill
• F

  Each snort alerts shows up twice in syslog
  • floz

  7
  0
  Votes
  7
  Posts
  1595
  Views

  F

  Hi Bill, No, no duplicates otherwise, just snort alerts (but not, eg. snort startup notices).
• C

  SNORT - Package does not install - Starting Snort using rebuilt configuration…
  • canyonnetworks

  7
  0
  Votes
  7
  Posts
  2069
  Views

  

  @canyonnetworks: UPDATE: I changed the Performance mode to AC-BFNA and now the interfaces start in 30 seconds. I used the GUI re-install now and it has fully restored everything back to normal now. Thanks again for your assistance. Ah…your Snort process was probably running out of memory and/or using swap and getting super slow.  Any Performance Mode other than AC-BFNA or AC-BFNA-NQ is a problem it seems.  Lots of folks have reported issues when changing it to something else.  Most of the other settings will eat memory like crazy, especially with lots of enabled rules. Bill
• 

  I broke the Snort widget
  • KOM

  4
  0
  Votes
  4
  Posts
  1090
  Views

  

  The fix for this (provided by Phil, thanks  ;)) was merged into production today.  The package version was NOT bumped because the change was so minor and really did not impact Snort itself.  If you want the fix, simply do a GUI Components reinstall of Snort using the XML icon on the System > Packages > Installed Packages tab. Bill