SNORT stopped generating alerts
-
Hello,
I'm currently running Snort on two pfSense VMs (version 2.7.2) with Snort version 4.1.6_17. Both instances stopped generating reports back in November—on different days but within the same month.
At present, Snort is configured on the LAN interface. I'm aware that on the LAN there are much less noisy alerts than WAN, but I still think something is wrong since it did generate lots of alerts up until it stopped. Yes, mostly alerts that can be ignored such as (http_inspect), however, because I did disable or suppress those alerts, I do believe there is something wrong with Snort.
Where should I begin troubleshooting to identify the root cause of this issue?
I have already re-installed the Snort package, with no success.
Additionally, I have a question regarding the 'Suppress' menu. I noticed a list titled "lansuppress_xxxxxxx" with the description "Auto-generated list for Alert suppression." Does Snort generate these suppression lists automatically? If so, what criteria are these lists based on?
To rule out this suppression list as the cause of the missing alerts, I removed it entirely, but the issue persists.
Thank you.
-
@Enso_ said in SNORT stopped generating alerts:
Additionally, I have a question regarding the 'Suppress' menu. I noticed a list titled "lansuppress_xxxxxxx" with the description "Auto-generated list for Alert suppression." Does Snort generate these suppression lists automatically? If so, what criteria are these lists based on?
This is an auto-generated file that gets created whenever someone presses the Suppress icon on the ALERTS tab and there is no assigned Suppress List. If there is no currently assigned Suppress List for the interface, then when the user clicks the icon to suppress an alert shown on the ALERTS tab, a file is automatically created and given a name using the pattern you posted.
As for why Snort is not generating alerts, you should check that the instance is actually running by using this command from a shell prompt obtained either directly on the firewall console or via SSH (do NOT use the commands in the GUI):
ps -ax | grep snort
You should see one Snort instance listed for each configured and running Snort interface. If you see running instances, then you can use a tool such as nmap to purposefully send penetration test traffic into a Snort protected interface to see if any rules trigger.
-
Running via ssh:
ps -ax | grep snort
Outputs:
19345 - SNs 1:12.37 /usr/local/bin/snort -R _38742 -M -D -q --suppress-config-log --daq pcap --daq-mode passive
92385 0 S+ 0:00.00 grep snort
I'll try to run nmap against it to see if it triggers any alerts.
-
@Enso_ said in SNORT stopped generating alerts:
Running via ssh:
ps -ax | grep snort
Outputs:
19345 - SNs 1:12.37 /usr/local/bin/snort -R _38742 -M -D -q --suppress-config-log --daq pcap --daq-mode passive
92385 0 S+ 0:00.00 grep snort
I'll try to run nmap against it to see if it triggers any alerts.
Yes, that indicates a Snort process is running. My favorite quick functional test is to make sure the ET Scan rules category is enabled and loaded, then use nmap and execute this scan:
nmap -sS <ip_of_LAN_interface>
That should generate several alerts. You need to be sure the ET Scan rules are enabled and loaded before running the scan. The best method is to enable that category on the CATEGORIES tab, save the change, then restart Snort on the interface. It won't generate any actual blocks because the LAN IP space is on the automatic Pass List, but it will generate alerts if things are working properly (unless you have suppressed the alerts).
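The two checks described above (a Snort process per interface in `ps -ax`, then ET SCAN alerts after an `nmap -sS` against the LAN IP) can be verified from the shell with the following added example. It is not from the thread or the pfSense Snort package; it assumes Snort's alert_fast log format and an alert file path of the form `/var/log/snort/snort_<if>/alert`, and the sample `ps` and alert lines are constructed (placeholder SIDs in the local 1000000+ range).

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): a post-test check
# that (a) counts real Snort daemons in `ps -ax` output, discounting the
# `grep snort` line that inflates the count in the thread's output, and
# (b) summarises which rules fired in an alert_fast log, so you can confirm the
# ET SCAN test rules actually alerted after `nmap -sS <LAN IP>`.
# On the firewall:  ps -ax | count_snort_procs
#                   alert_summary < /var/log/snort/snort_<if>/alert   (path assumed)

# Number of Snort daemon processes in ps output on stdin (0 if none).
count_snort_procs() {
    awk '/\/usr\/local\/bin\/snort/ && !/grep/ { n++ } END { print n + 0 }'
}

# "count gid:sid message" per distinct rule, most frequent first, from
# alert_fast lines on stdin. Non-alert lines are ignored.
alert_summary() {
    sed -n 's/^.*\[\*\*\] \[\([0-9]*:[0-9]*\):[0-9]*\] \(.*\) \[\*\*\].*$/\1 \2/p' \
        | awk '{ n[$0]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Number of alerts on stdin whose rule message contains $1 (e.g. "ET SCAN").
count_alerts_matching() {
    alert_summary | awk -v pat="$1" 'index($0, pat) { n += $1 } END { print n + 0 }'
}

# Verdict: 0 if at least one daemon is up and at least one ET SCAN alert fired.
self_test_verdict() {
    procs=$(count_snort_procs < "$1")
    scans=$(count_alerts_matching "ET SCAN" < "$2")
    if [ "$procs" -gt 0 ] && [ "$scans" -gt 0 ]; then
        echo "OK: $procs snort daemon(s), $scans ET SCAN alert(s)"; return 0
    fi
    echo "FAIL: $procs snort daemon(s), $scans ET SCAN alert(s)"; return 1
}

# Constructed sample input: one daemon plus the grep line; three ET SCAN alerts
# (two rules) and one http_inspect preprocessor alert. SIDs are placeholders.
SAMPLE_PS='19345 - SNs 1:12.37 /usr/local/bin/snort -R _38742 -M -D -q --daq pcap
92385 0 S+ 0:00.00 grep snort'
SAMPLE_ALERTS='01/15-10:02:31.100000  [**] [1:1000001:1] ET SCAN Nmap SYN scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:41222 -> 192.168.1.1:22
01/15-10:02:31.100400  [**] [1:1000001:1] ET SCAN Nmap SYN scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:41222 -> 192.168.1.1:80
01/15-10:02:31.101200  [**] [1:1000002:1] ET SCAN Nmap OS probe (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:41223 -> 192.168.1.1:443
01/15-10:05:00.000000  [**] [119:1000:1] (http_inspect) constructed preprocessor event [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51000 -> 192.168.1.1:80'

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PS" > "$tmp/ps.txt"
    printf '%s\n' "$SAMPLE_ALERTS" > "$tmp/alert"
    alert_summary < "$tmp/alert"
    self_test_verdict "$tmp/ps.txt" "$tmp/alert"
    rm -rf "$tmp"
}
demo
```

If the verdict prints FAIL with a daemon count above zero, the process is up but nothing alerted, which points at disabled or unloaded ET Scan rules or an active suppress list rather than at the daemon itself.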
-
Awesome! That worked. After running nmap -sS, alerts have been triggered.
Is it generally a good idea to have all ET scan rules active? I currently have active:
IPS Policy : Balanced
Snort GPLv2 Community Rules
FEODO Tracker Botnet
All ET Open Rules
Also, kinda off topic, but it does make sense to have Snort active on the LAN interface since the WAN generates tons of noise. Is this still accurate? I've read this a couple years ago, and just stuck with it.
Thanks again!
-
@Enso_ said in SNORT stopped generating alerts:
Awesome! That worked. After running nmap -sS, alerts have been triggered.
Is it generally a good idea to have all ET scan rules active? I currently have active:
IPS Policy : Balanced
Snort GPLv2 Community Rules
FEODO Tracker Botnet
All ET Open Rules
Also, kinda off topic, but it does make sense to have Snort active on the LAN interface since the WAN generates tons of noise. Is this still accurate? I've read this a couple years ago, and just stuck with it.
Thanks again!
Great!
As for the rules, I would not generally have ET Scan active. They do make handy "test rules", though.
Looking at your rules, you can disable the Snort GPLv2 Community Rules if you have either a free registered or paid Snort VRT rules account. All of the Community Rules are already present in the subscriber packages. Or stated in another manner, the Community Rules are simply a public subset of the larger VRT Subscriber rules package.
I do recommend running the IDS/IPS on the LAN and possibly other internal interfaces precisely because of the Internet "noise" problem. It also results in the CPU being needlessly busy analyzing traffic the default deny firewall rules are going to block anyway.
Edit: to follow up some more about the ET Scan rules -- nothing wrong with having them enabled, especially if you have plenty of RAM and available CPU. They are not too taxing in terms of resources. I was just saying I don't typically consider enabling those on internal interfaces because they are only going to trigger if something scans the firewall's interface directly from that internal interface's netblock. As that is not typical, you usually will never see alerts from them.
-
Looking at your rules, you can disable the Snort GPLv2 Community Rules if you have either a free registered or paid Snort VRT rules account. All of the Community Rules are already present in the subscriber packages. Or stated in another manner, the Community Rules are simply a public subset of the larger VRT Subscriber rules package.
If by 'a free registered VRT rules account' you are talking about an Oinkcode, yes I do have a free Oinkcode.
EDIT
I can use the same Oinkcode for multiple instances of Snort, correct?
-
@Enso_ said in SNORT stopped generating alerts:
Looking at your rules, you can disable the Snort GPLv2 Community Rules if you have either a free registered or paid Snort VRT rules account. All of the Community Rules are already present in the subscriber packages. Or stated in another manner, the Community Rules are simply a public subset of the larger VRT Subscriber rules package.
If by 'a free registered VRT rules account' you are talking about an Oinkcode, yes I do have a free Oinkcode.
Yes, if you have an Oinkcode then you are already getting the Community GPLv2 rules in the VRT rules you are downloading.
There are two Snort VRT subscriptions available. One is free and simply requires registering with an email address and you get an Oinkcode. The other is paid and also gets an Oinkcode. The Cisco/Talos/Snort servers know which type of Oinkcode you have and send you the proper rules when you login and download them (or the pfSense Snort package does that for you using the Oinkcode you provide). The difference in the paid versus free is the age of the rules. Paid users get any new rules immediately when they are published. But those rules will not appear in the rules packages available to "free registered" users until at least 30 days after they appeared in the paid version.
The GPLv2 Community Rules package is a collection of rules pulled out of the VRT Subscriber Rules package and made available to the public without any registration being required. In other words, totally free and open. But since the Community Rules consist of rules already in the Subscriber package, there is no need for VRT subscribers to add the Community package.
-
Thank you for all your help.
One last question, which I have edited in above.
Can I use the free Oinkcode for multiple instances? I'm reading different information about this.
I'm running a few pfsense boxes running Snort and have the same free Oinkcode on all three of them, which I will remove if this is not allowed.
-
@Enso_ said in SNORT stopped generating alerts:
Thank you for all your help.
One last question, which I have edited in above.
Can I use the free Oinkcode for multiple instances? I'm reading different information about this.
I'm running a few pfsense boxes running Snort and have the same free Oinkcode on all three of them, which I will remove if this is not allowed.
Here are the actual Terms and Conditions from Snort: https://www.snort.org/snort_license.
They state your license is "per sensor" if using the paid license.
The license for Registered Users appears a bit more permissive. Here is the direct wording:
If You are a Registered User, then subject to the terms and conditions of this Agreement, Cisco grants You a world-wide and non-exclusive license to: (a) download, install and use the Rules on Sensors that You manage (or over which You have administrative control);
So, it appears from the above that Registered Users can use their Oinkcode on all sensors that they manage and have administrative control over. But Paid Subscribers can only use the Oinkcode on a single device (sensor). If you need to manage multiple devices on a Paid Subscriber plan you must purchase a license for each sensor.
And there are different rules (and a much higher cost) for commercial use of the Paid Subscriber rules.