Snort is not working properly
-
Hello,
I’m a pfsense beginner. I’ve installed pfsense in my private environment and have some trouble with snort.
Pfsense is running on a barebone system with one network card. I’ve used vlans to split my network adapter into multiple ones. So, all traffic is physically passing through one interface.
Besides a WAN and a LAN network I have some networks for guests, home automation and openvpn. Now I would like to use snort to get alerts when something suspicious is going on in my network. I’ve activated instances for the LAN and the Guest network, but I’m only getting matches for dynamic rules. I’ve configured different rule subscriptions, and I’ve activated different rule categories. Snort is loading the activated rules (I have tested snort on the command line and I’m getting something about 6.000 rules), but I’m not getting any alerts. Only rules like “(spp_sip) Maximum dialogs within a session reached” or “(http_inspect) TOO MANY PIPELINED REQUESTS” are matching. As I could see these are rules from shared libraries.
Does anyone have an idea what could be wrong?
Thanks
Ben
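One quick check for the symptom described above (only preprocessor alerts such as spp_sip or http_inspect firing, nothing from the loaded rule files) is to sort Snort's alert_fast log lines by generator ID: preprocessor alerts carry a GID other than 1, while text rules from snort.rules use GID 1 (shared-object rules use GID 3). The script below is an added example, not code from the thread or from pfSense; the three log lines, addresses and SIDs in it are constructed samples.

```python
"""Classify Snort alert_fast lines by generator ID (GID).

Preprocessor alerts (http_inspect GID 119/120, spp_sip GID 140, ...) come
from shared libraries; rules loaded from *.rules files use GID 1 (or GID 3
for shared-object rules).  If every alert has a GID outside {1, 3}, then no
rule from the rule files has fired, whatever the rule count at startup.
"""
import re
from collections import Counter

# "[**] [gid:sid:rev] msg [**]" portion of a fast-format alert line.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# Constructed sample lines (addresses and SIDs invented for this example).
SAMPLE_ALERTS = """\
03/15-10:22:01.123456  [**] [120:8:1] (http_inspect) TOO MANY PIPELINED REQUESTS [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.10.20:51234 -> 203.0.113.5:80
03/15-10:22:05.000001  [**] [140:5:1] (spp_sip) Maximum dialogs within a session reached [**] [Priority: 3] {UDP} 192.168.10.21:5060 -> 203.0.113.9:5060
03/15-10:23:11.555555  [**] [1:1000001:1] SAMPLE local rule test match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.10.20:51240
"""


def parse_alert(line):
    """Return (gid, sid, rev, msg) for one fast-format line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return int(gid), int(sid), int(rev), msg


def classify(text):
    """Count alerts per GID and collect the ones that came from rule files."""
    counts = Counter()
    rule_hits = []
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue  # blank or non-alert line
        gid, sid, rev, msg = parsed
        counts[gid] += 1
        if gid in (1, 3):  # text rules (1) and shared-object rules (3)
            rule_hits.append((gid, sid, msg))
    return {
        "per_gid": dict(counts),
        "rule_hits": rule_hits,
        "only_preprocessor": not rule_hits,
    }


if __name__ == "__main__":
    print(classify(SAMPLE_ALERTS))
```

Run it against /var/log/snort/<instance>/alert (or the log pfSense shows under Services > Snort > Alerts) by feeding the file contents to classify(); an empty rule_hits list with a non-empty per_gid means the problem is rule matching, not logging.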
-
@pfsenseuser2021 This isn't the reason but if you have VLANs it will run on the parent interface anyway so you may not need multiple instances. Did you restart Snort after making changes? It also depends on the traffic...at my home I have very, very few alerts trigger. At times it doesn't log any for a day. At our data center it is every minute or so.
-
With only a single network card, I suggest you give up on running an IDS/IPS package. Snort (or Suricata) is only going to run on the parent interface anyway (meaning the single underlying physical NIC interface). With everything coming and going on the same NIC, and Snort not really understanding VLANs, the HOME_NET and EXTERNAL_NET variables that are critical for rules firing properly can be really hard to get set correctly. It will most certainly take some customizing.
Those rules you see triggering are doing so on basically false positives. The HTTP_INSPECT rules are especially prone to false positives with modern HTTP/HTTPS traffic patterns (what with all the crap flowing back and forth to serve up ads and what not). Most of us disable nearly all the HTTP_INSPECT rules. I certainly have been doing so for a few years.
You really need to seriously consider putting a second NIC in that box. NICs are really super cheap, especially buying used off eBay. But even a brand new NIC can be had for not very much. Two actual NICs would make life a lot simpler for you.
-
Thank you both for your answers. I’ve read some posts about snort and vlans and I can’t understand why the parent interface is involved. As I know, on linux a vlan interface should operate like any other network interface - so I can’t understand why suricata or snort should have problems with this configuration. Maybe the promiscuous mode could make problems, but I’m sniffing only packages which are delivered on the interface itself, so I don’t need the promiscuous mode.
I have snort configured on 3 vlan interfaces and I can reproduce the rules mentioned before on any of the vlan interfaces separately. I have also started snort in verbose mode on the command line (with all parameters taken from pfsense) and I can see only traffic from the specified NIC. Here I can also see that snort has loaded many rules (about 6.000 depending on the category configuration). But when I pick up one of the rules from the file “snort.rules” and I try to reproduce an alert, it is not triggered.
Anyway I have now installed suricata and it works like a charm. I’m able to trigger rules separately on every different vlan.
So thank you again for your answers and have a nice day.
Ben
-
@pfsenseuser2021 said in Snort is not working properly:
I’ve read some posts about snort and vlans and I can’t understand why the parent interface is involved. As I know, on linux a vlan interface should operate like any other network interface - so I can’t understand why suricata or snort should have problems with this configuration.
I don't understand this either but that is the recommendation. I too have limited NICs on the physical host. I eliminated all vlan configuration within pfsense by virtualising it and making each vlan a member of a separate bridge on the hypervisor. That way, in pfsense, every interface is an assigned regular network adapter, albeit vtnet. Having said that, I've since encountered performance issues with suricata 6 (though not with v5) when running in a VM.