How do I figure out what part of SNORT is causing a data xfer to fail?
-
I have an iPad that has an aviation application on it. It has to be updated every 20 something days (I've forgotten what the actual cycle is -- for those who are pilots, I have to update VFR maps and "data base" and I have to do the same for IFR Low-enroute and approach plates and related.)
I did a system update and loaded snort, with my oinkcode and all seemed to be good until I needed to do an update with my iPad. It would load maybe 4MB of data (out of 1.x GB) and then complain it could not connect with the server.
So we have chased this and by having my droid become a hot spot, the iPad could download data beyond the "sticking point" which effectively proved to me that SNORT was probably the problem. NOTE that NOTHING else had this issue. Anything operating on WiFi (which effectively goes through VLAN) is able to stream all day long. But not this iPad.
Un-installed SNORT. Attempted to get the iPad to do its update and wham!! it is done with the download and install.
So I am trying to understand what SNORT is doing to cause this. I have been getting a lot of messages/alerts about https and (of course I can't find the message now) something about too many chained commands (as I understood it). So I was trying to figure out how to kill that part of Snort when I decided to just uninstall it and try the xfer... And so now that works, so before I put snort back up, how do I, within PfSense, turn off, kill, or not install certain rules? I just can't seem to find how and where.
Regards,
Wylbur
-
@Wylbur check the Alerts tab to see if an IP is blocked.
Do you have it set for legacy (default) or inline mode?
-
You should be able to see it blocked in the Snort Alerts list. And you can then disable or suppress that signature to prevent it happening again. Remember to remove the remote server from the blocked hosts list as well.
https://docs.netgate.com/pfsense/en/latest/packages/snort/alerts.html
-
@Wylbur Btw- when one uninstalls snort, the reports/alerts are not available (well so far as I can tell). So I am about to re-install snort and find the alert tab....
That was relatively fast.
Meanwhile, I had not realized that this alert area was available. Apparently with the upgrade to 2.7.2?
And I have started telling it to dump rules for "(http_inspect)" since I am not running any web services in my LAN for public consumption (e.g., File server is internal only, pfSense is internal only, etc.).
Now to the iPad problem. Yep, it was Snort, and I marked the 4 different blocks it did to be removed, and the download completed.
All the blocked addresses/servers were removed....
Now I am trying to figure out how to get out in front of this. More reading and another pot of coffee is indicated.
Oh, yeah, I defaulted to Legacy.
-
@Wylbur The Alerts tab's been there a while. :)
I would only enable rules for what you have, e.g. skip the web server category. There is a bit of a trick to do that otherwise they can self-enable after a package upgrade. My note:
Disable categories via dropsid.conf because categories are always re-enabled at every reinstall/upgrade. “events” rules are “designed to simply be "informative" and log particular events the IDS sees. 99% of these events are totally harmless.” disable the stream-events.rules category or it will block lots of traffic on false positives. Consider disabling all *events categories.
add disable-sid.conf file on SID Mgmt tab and assign to “Disable SID List”:

```
# Example of modifying state for specific categories entirely.
# "snort_" limits to Snort VRT rules, "emerging-" limits to
# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules.
# "shellcode" with no prefix would match in any vendor set.
# snort_web-iis,emerging-shellcode,etpro-imap,shellcode
stream-events.rules,quic-events.rules
```
Then check “Enable Automatic SID State Management” on SID tab (top of page)
Edit: forgot this was a Snort thread. I don't know if that follows the same rules. The package maintainer has said he won't be releasing a package for a newer version of Snort so consider Suricata.
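To make the disablesid.conf entry types in the post above concrete, here is a small added matcher (illustration only, not code from pfSense or the Snort/Suricata packages). It assumes the semantics described in the post's comment block: a vendor-prefixed category such as `emerging-shellcode` matches only that vendor's rule file, a bare word such as `shellcode` matches that category in any vendor set, a `gid:sid` pair disables one rule, a `*.rules` name disables a whole file, entries are comma-separated, and `#` starts a comment. The sample conf and rule-file names are constructed for the demo.

```python
"""Toy matcher for the pfSense SID-management "disablesid.conf" format.

Added illustration, not code from pfSense or the Snort package. The
matching rules below are an assumption taken from the comment block in
the forum post (vendor prefixes "snort_", "emerging-", "etpro-"; an
unprefixed word matches any vendor; "gid:sid" disables one rule;
"<name>.rules" disables a whole file; entries are comma-separated).
"""
import re

# Constructed sample disablesid.conf, mirroring the post's example.
SAMPLE_CONF = """\
# Example of modifying state for specific categories entirely.
# "snort_" limits to Snort VRT rules, "emerging-" limits to
# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules.
# "shellcode" with no prefix would match in any vendor set.
stream-events.rules,quic-events.rules
snort_web-iis, emerging-shellcode
1:2000
"""

# Constructed rule-file names laid out as "<vendor prefix><category>.rules".
SAMPLE_RULE_FILES = [
    "snort_web-iis.rules",
    "snort_shellcode.rules",
    "emerging-shellcode.rules",
    "etpro-shellcode.rules",
    "emerging-web_server.rules",
    "stream-events.rules",
    "quic-events.rules",
    "snort_sql.rules",
]

VENDOR_PREFIXES = ("snort_", "emerging-", "etpro-")
SID_RE = re.compile(r"^(\d+):(\d+)$")


def parse_disablesid(text):
    """Split conf text into (category entries, rule-file entries, set of (gid, sid))."""
    categories, rule_files, sids = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        for entry in (e.strip() for e in line.split(",")):
            if not entry:
                continue
            m = SID_RE.match(entry)
            if m:
                sids.add((int(m.group(1)), int(m.group(2))))
            elif entry.endswith(".rules"):
                rule_files.append(entry)
            else:
                categories.append(entry)
    return categories, rule_files, sids


def category_matches(entry, rule_file):
    """Prefixed entry matches only its vendor's file; bare entry matches any vendor."""
    name = rule_file[:-len(".rules")] if rule_file.endswith(".rules") else rule_file
    if entry.startswith(VENDOR_PREFIXES):
        return name == entry
    if any(name == p + entry for p in VENDOR_PREFIXES):
        return True
    return name == entry  # files with no vendor prefix, e.g. stream-events


def disabled_rule_files(conf_text, rule_files):
    """Sorted list of rule files the conf would disable in their entirety."""
    categories, files, _sids = parse_disablesid(conf_text)
    disabled = {
        rf for rf in rule_files
        if rf in files or any(category_matches(c, rf) for c in categories)
    }
    return sorted(disabled)


if __name__ == "__main__":
    cats, files, sids = parse_disablesid(SAMPLE_CONF)
    print("categories:", cats, "files:", files, "sids:", sorted(sids))
    print("disabled:", disabled_rule_files(SAMPLE_CONF, SAMPLE_RULE_FILES))
```

Running it against the constructed inputs shows the practical difference the post's comment points at: `emerging-shellcode` knocks out only the ET Open shellcode file, while a bare `shellcode` would disable the Snort VRT, ET Open and ET-PRO shellcode files at once.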
-
Mmm, the thing to remember with Snort is it's not an enable and forget service.
I usually recommend running in non-blocking mode and checking what alerts are flagged for at least a week. Everyone's network is different and the signatures you might want/need vary significantly.
-
@Wylbur said in How do I figure out what part of SNORT is causing a data xfer to fail?:
Meanwhile, I had not realized that this alert area was available. Apparently with the upgrade to 2.7.2?
Uhh ... no. The ALERTS tab has been present in the package since the package was created. Snort has never existed on pfSense without an ALERTS tab being present. That goes back more than 12 years.
There is also a Dashboard Widget that can be enabled for Snort. It shows the most recent 5 or so alerts (the exact count is configurable in the widget).