Netgate Discussion Forum

    Troubleshooting Snort not blocking

    pfSense Packages
    9 Posts 2 Posters 5.6k Views

    • jclausen

      Running pfSense 1.2.3
      Snort 2.8.4.1_5 pkg v. 1.6
      Snort set to Interface: WAN
      Activated: Block offenders
      Activated: p2p.rules

      I get lots of p2p (BitTorrent) alerts, but nothing is blocked.
      How do I troubleshoot this?
      I would like to block LAN addresses for an hour if an alert is happening.

      JClausen

      • jamesdean

        Are the offending IPs on your whitelist?

        James

        • jclausen

          I have no hosts on the whitelist.

          In the meantime I updated Snort to 2.8.4.1_7 pkg v. 1.8;
          now I don't get alerts anymore, even if I try to make a BitTorrent transfer.

          Global settings:
          Basic Rule + oink code
          Remove blocked hosts every 1 hour
          Associate events on blocked tab

          Rules updated

          Snort Interfaces (interfaces)
          WAN, Snort enabled, performance ac-bnfa, block enabled, Barnyard2 disabled

          Categories: p2p.rules enabled

          Save and start
          Services shows snort is running.

          btw: When on the Snort page and I press the pfSense logo to get back to the main screen, the page is linked to /snort/index.php

          • jamesdean

            Please enable all the preprocessors in the interface tab and restart the Snort interface.

            Good catch. "press the PFSense logo"

            James


            • jclausen

              I have now enabled all the preprocessors, but had to reboot to get Snort starting again!
              Testing when I get back to work in eight hours.

              Jesper

              • jclausen

                I'm confused.
                With Snort enabled on the WAN interface, I get lots of alerts, but no hosts are blocked.
                Changed to the LAN interface: lots of internal clients are blocked, but no alerts.
                On the blocked page all alert descriptions are "n/a".

                Jesper

                update:

                Now alerts and blocking work, but how do I suppress alerts like:

                [ 119:1:1 ] (http_inspect) ASCII ENCODING
                [ 119:14:1 ] (http_inspect) NON-RFC DEFINED CHAR
                [ 119:2:1 ] (http_inspect) DOUBLE DECODING ATTACK

                from blocking hosts? Still only p2p.rules is active!

                • jamesdean

                  Jesper

                  You are going to have to be patient. I am still coding the blocked host tab.
                  With my new code you can filter alerts by source IP, destination IP, ports, alerts and type of traffic.

                  You have to use the threshold.conf in your interface directory to suppress http_inspect alerts. Search the forums for a how-to.

                  Moreover, http_inspect alerts are preprocessor alerts.

                  James


                  • jclausen
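James's advice above is to put suppress entries in the per-interface threshold.conf. The script below is an added example, not code from this thread or from the pfSense Snort package: it parses a constructed threshold.conf fragment written in the standard Snort 2.x form `suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr>]`, applies it to a few constructed alert lines laid out like Snort's alert_fast output, and reports which alerts would still be handed to the blocker. The three GID 119 http_inspect events are the ones Jesper quoted; the GID 1 / SID 1000001 "p2p" rule, the 192.168.1.x clients and the documentation-range peers are hypothetical, used only to show a suppression scoped to one source host.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed threshold.conf fragment. The three GID 119 entries match the
# http_inspect events quoted in the thread; the GID 1 / SID 1000001 rule and
# the 192.168.1.50 host are hypothetical, chosen to show a scoped suppression.
THRESHOLD_CONF = """
# silence the http_inspect preprocessor events for every host
suppress gen_id 119, sig_id 1
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 2
# keep a (hypothetical) p2p rule, but never block one internal host on it
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.50
"""

# Constructed alert lines in Snort's alert_fast layout (private and
# documentation-range addresses, not captured traffic).
ALERTS = """\
03/15-10:01:02.000001  [**] [119:1:1] (http_inspect) ASCII ENCODING [**] [Priority: 3] {TCP} 192.168.1.10:49152 -> 203.0.113.7:80
03/15-10:01:03.000002  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 192.168.1.11:49153 -> 203.0.113.7:80
03/15-10:01:04.000003  [**] [1:1000001:1] P2P BitTorrent (hypothetical local rule) [**] [Priority: 2] {TCP} 192.168.1.50:6881 -> 198.51.100.9:6881
03/15-10:01:05.000004  [**] [1:1000001:1] P2P BitTorrent (hypothetical local rule) [**] [Priority: 2] {TCP} 192.168.1.60:6881 -> 198.51.100.9:6881
03/15-10:01:06.000005  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.168.1.12:49154 -> 203.0.113.8:80
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?"
)


@dataclass
class Suppression:
    gid: int
    sid: int
    track: Optional[str] = None            # None = suppress for every address
    nets: List[ipaddress.IPv4Network] = field(default_factory=list)

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        if (self.gid, self.sid) != (gid, sid):
            return False
        if self.track is None:
            return True
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return any(addr in net for net in self.nets)


def parse_threshold_conf(text: str) -> List[Suppression]:
    """Parse 'suppress' lines; anything else (threshold/event_filter) is rejected."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold.conf line: {line!r}")
        gid, sid, track, ips = m.groups()
        nets = []
        if ips:
            # Snort accepts a single address/CIDR or a bracketed list [a,b,c]
            for tok in ips.strip("[]").split(","):
                nets.append(ipaddress.ip_network(tok.strip(), strict=False))
        rules.append(Suppression(int(gid), int(sid), track, nets))
    return rules


def parse_alert(line: str) -> Optional[dict]:
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, _rev, msg, src, dst = m.groups()
    return {"gid": int(gid), "sid": int(sid), "msg": msg, "src": src, "dst": dst}


def filter_alerts(alert_text: str, rules: List[Suppression]):
    """Split alerts into those Snort would still raise and those suppressed."""
    kept, suppressed = [], []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        hit = any(r.matches(alert["gid"], alert["sid"], alert["src"], alert["dst"]) for r in rules)
        (suppressed if hit else kept).append(alert)
    return kept, suppressed


def hosts_to_block(alert_text: str, rules: List[Suppression], side: str = "src") -> List[str]:
    """Addresses the blocker would still see after suppression (by source or destination)."""
    kept, _ = filter_alerts(alert_text, rules)
    return sorted({a[side] for a in kept})


if __name__ == "__main__":
    rules = parse_threshold_conf(THRESHOLD_CONF)
    kept, suppressed = filter_alerts(ALERTS, rules)
    for a in suppressed:
        print(f"suppressed   [{a['gid']}:{a['sid']}] {a['msg']} from {a['src']}")
    for a in kept:
        print(f"still blocks [{a['gid']}:{a['sid']}] {a['msg']} from {a['src']}")
    print("hosts the blocker would act on:", hosts_to_block(ALERTS, rules))
```

Two caveats a practitioner would want: the unscoped GID 119 entries silence those http_inspect events for every host, so use `track by_src, ip ...` when only a known-noisy client should be exempt, and Snort only reads threshold.conf at start, so the interface has to be restarted after editing, as James says above for preprocessor changes.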

                    ok, I'm patient (a little)  ;)

                    I found out how to suppress http_inspect alerts, thanks for the tip.

                    Saw your mentioned VLAN isolation... wow, hopefully some day :-)

                    Keep up the good work James.

                    Jesper

                    • jamesdean

                      I had a bad day, I needed those kind words.

                      James

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.