Snort: generates alerts but won't block them
-
I installed Snort on my Pfsense box today, I ran it before and it always did okay.
This install however is a little different.After installing I set the memory performance to AC-STD (is this ok for 1 gb on a atom board?).
After updating and adding some catagories I started the service, which runs fine.
Snort is enabled on the WAN interface.
It generates some alerts but doesn't automatically block them, Block Offenders box is checked.
Http inspect and all preprocessors are checked. All others settings are default.
Below an example of the alerts log:1 2 TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic 10.10.10.10 38347 -> 20.20.20.20 443 137:1:1 10/06-12:03:17
2 2 TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic 10.10.10.10 38347 -> 20.20.20.20 443 137:1:1 10/06-12:03:17
3 2 TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic 10.10.10.10 42292 -> 20.20.20.20 443 137:1:1 10/06-12:00:53
4 2 TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic 10.10.10.10 42292 -> 20.20.20.20 443 137:1:1 10/06-12:00:53
5 3 TCP (http_inspect) DOUBLE DECODING ATTACK Not Suspicious Traffic 10.10.10.10 43096 -> 20.20.20.20 3 80 119:2:1 10/06-10:42:0310.10.10.10 is my WAN IP (i changed it to that for privacy reasons), 20.20.20.20 (also changed) is the ip of someone on the internet.
I noticed the arrow in the logs flowing from my IP to an outside internet IP? What is wrong here?
-
Same problem here with the 64 bit .
-
Anyone having a bright idea?
-
Have you set HOME_NET var to your private network?
Default is:
###################################################
Step #1: Set the network variables. For more information, see README.variables
###################################################
Setup the network addresses you are protecting
ipvar HOME_NET any
Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
Sometimes rules wont work because HOME_NET and EXTERNAL_NET are both set to any.
You should set HOME_NET to:
Setup the network addresses you are protecting
ipvar HOME_NET 192.168.100.0/24 (one subnet)
ORSetup the network addresses you are protecting
ipvar HOME_NET any [192.168.100.0/24,192.168.200.0/24] (two subnets or more)
To configure snort you have to ssh to Pfsense (putty or similar).
Then go to snort.conf and edit file (path: /usr/local/etc/snort/snort.conf). Change var HOME_NET any
to HOME_NET your.private.network.is/class (described on beginning).*For editing you have to use VI editor.
And restart service after editing.
And also snort wont block your WAN IP. Your alert is triggered by lan IP not WAN.
You should set new snort sensor to lan interface to block that kind of traffic that is going
from your lan to internet. But be careful because you can quickly lock yourself out. You should
suppress that kind of alerts (false alerts). Create new suppress list and add sig_id and gen_id.
Dont forget to set suppress list on snort interface.Example of suppression:
ALERT TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected/Potentially Bad Traffic 10.10.10.10 38347 -> 20.20.20.20 443 137:1:1 10/06-12:03:177suppress gen_id 137, sig_id 1 (this will suppress all alert that are triggered by this snort rule)
Hope that helps…
-
These alerts are generated [at least in my environment] when using Outlook 2007 using RPC over HTTPS to an Exchange 2003 server.
suppress gen_id 137, sig_id 1
That in the Advanced configuration pass through fixed it.
-
Hi,
i also want to suppress these messages in the snort log. When i'm on the page and i insert the
suppress gen_id 137, sig_id 1
i'm getting an error after i press the save button:
Fatal error: Call to undefined function mb_convert_encoding() in /usr/local/www/snort/snort_interfaces_suppress_edit.php on line 126
How do i activate the mbstring module in php? Do i need to recompile php?
Greetings from Germany
Steve
-
I installed the php5-mbstring Module but the problem isn't gone :-(
Can anyone help me please?