Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
On the WAN side, I am blocking destination addresses only (because offenders are typically coming from the inside, and I want to block their outside contact on the WAN interface, but there is a corresponding handling on the LAN side to vet my clients :(). Of course this depends on what you actually want to block and which rules are active.
You need to look at each rule, if the source is s.th. like $HOME_NET, then you might have to do the blocking on the LAN side, maybe sometimes you could simply suppress the alert.
I agree with you but, this is the alert trigger right before snort blocked the wan ip.
Jul 17 13:28:04 snort[40189]: [1:2500062:2570] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32) [Classification: Misc Attack] [Priority: 2] {TCP} 59.175.218.166:31157 -> nn.nn.nn.nnn
This clearly show the source is 59.175.218.166 but snort blocked the wan ip instead.
-
Fixed on 2.0.x you can just upgrade in 10 minutes.
You need a new binary.
The match of the ip against a CIDR net specification was being done wrong.Other than that it should behave now and you WAN shouold not be blocked.
The only thing i am not sure is since HOME_NET contents are used for whitelist of alert_pf maybe that is a bit wide as whitelist by default?
Probably just put listening interface IP all gateway/dns/vpns(what was clicked) and no include the CIDR and theother interfaces!EDIT: 2.1 is still building.
EDIT2: There is a method to specify that the binary should be reinstalled but it would mean for us to keep a copy of each and every freebsd port that pfSense has pkg. -
The only thing i am not sure is since HOME_NET contents are used for whitelist of alert_pf maybe that is a bit wide as whitelist by default?
Yes, I see what you mean. You need to be able to block entries from the HOME_NET. E.g. if a company policy says no to eMule, Bittorrent, etc., then it makes sense to block local machines on the LAN side, which is sometimes better than reporting with subsequent hard consequences… So, I'd say HOME_NET is not necessarily white.
UPDATE: ... but gateways, DNS servers, WAN side ips probably should.
-
@ermal:
but i did another (de)install, saved every paged.. then rebooted
That is not necessary anymore Cino :)
Everything will just get magically applied.Good to know!!! Old habit from the old days
@ermal:
Fixed on 2.0.x you can just upgrade in 10 minutes.
You need a new binary.
The match of the ip against a CIDR net specification was being done wrong.Other than that it should behave now and you WAN shouold not be blocked.
The only thing i am not sure is since HOME_NET contents are used for whitelist of alert_pf maybe that is a bit wide as whitelist by default?
Probably just put listening interface IP all gateway/dns/vpns(what was clicked) and no include the CIDR and theother interfaces!EDIT: 2.1 is still building.
EDIT2: There is a method to specify that the binary should be reinstalled but it would mean for us to keep a copy of each and every freebsd port that pfSense has pkg.i'm leaning to agree also.. interface IPs/gw/dns/vnps are the way to go.. If we need to add the subnet, then we manually do that via a whitelist. With the added Alias feature in snort, shouldnt be a big issue… Unless whitelist can't accept CIDR (which it noted it can't, haven't really tested that)... then there would be issue if you want to exclude a whole subnet (VPN, IPv6 Subnet)..
idk, maybe by default HOME_NET would just be interfaces, then add a couple of options within whitelist/netlist page to add interface subnets also.
-
Fired up 2.5.0 on two different installations (AMD64, 2.0.1) So far, so good.
Ermal, can you sort blocked IPs the same as in the alerts? Alerts on both interfaces are listed so the most recent is at the top of the page (perfecto), however blocked IPs are randomly sorted.
Question: With all the new suppression entries required, is there a way to add a descriptor above each suppress entry? I notice the add feature from the alerts list leaves a space between each entry added to the suppress list. Could find nothing on this one in the docs.
Cheers,
Dennis. -
Question: With all the new suppression entries required, is there a way to add a descriptor above each suppress entry? I notice the add feature from the alerts list leaves a space between each entry added to the suppress list. Could find nothing on this one in the docs.
sure:
# **** Main Suppress List **** # **************************** # # HTTP INSPECT Suppress # # DOUBLE DECODING ATTACK suppress gen_id 119, sig_id 2 # suppress gen_id 119, sig_id 3 # NON-RFC DEFINED CHAR suppress gen_id 119, sig_id 14 # suppress gen_id 119, sig_id 19 # suppress gen_id 119, sig_id 32 # suppress gen_id 119, sig_id 31 # NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE suppress gen_id 120, sig_id 3 # HTTP RESPONSE GZIP DECOMPRESSION FAILED suppress gen_id 120, sig_id 6 # INVALID CONTENT-LENGTH OR CHUNK SIZE suppress gen_id 120, sig_id 8
-
If I disable all my suppression rules I'm able to reproduce the WAN IP blocking on the fly.. I did notice that new snort binary was built at 2012-Jul-17 21:37:45. Did this include the changes you made or will the next will?
-
What happened to the snort Whitelist UI screen? It used to allow you to input into unique dialog boxes a description and IP or CIDR. No all Alias IPs are crammed into a single, narrow dialog box. This seems like a step backward.
-
Thanks Cino :-) Just what I was looking for.
Miles, create an Alias list for your IPs. (under Firewall - Aliases). Then reference that alias in your whitelist. As soon as you start typing the name of your alias it will autofill in the whitelist box.
-
Thanks Cino :-) Just what I was looking for.
Miles, create an Alias list for your IPs. (under Firewall - Aliases). Then reference that alias in your whitelist. As soon as you start typing the name of your alias it will autofill in the whitelist box.
Thanks so much dwood. This is a great tip. I didn't realize it changed and that you can use these alias lists.
-
Miles, no worries. Ermal is the guy you need to thank for cooking up the code :-)
Ermal, I've noticed that when using the Alerts - Add to Suppress List feature, the signature is correctly added to the suppress list, but with a blank line preceding it. I've also observed that Snort will fail to start if there is a blank line in the suppress list. A bug?
Cheers,
Dennis. -
After an automated update:
Jul 18 01:05:10 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
Jul 18 01:05:10 snort[46927]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 18 01:05:10 snort[46927]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 18 01:05:10 snort[46927]: Initializing rule chains…
Jul 18 01:05:10 snort[46927]: Initializing rule chains…and with sensitive data rules toggled off, starting snort fails with this:
Jul 18 01:08:35 snort[219]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/preprocessor.rules(201) Unknown ClassType: sdf
Jul 18 01:08:35 snort[219]: Initializing rule chains… -
@dwood: had the same problem.
Just removed and reinstalled with the latest binary and all is working again.
@ermail: is it possible to add the snort build number/date somewhere in the GUI? This way everybody nows exactly where they are.
-
@ermal:
Same thing here..had to remove 2.5.0. WAN IP x.x.x.0 network was being blocked. PFsense log than alerted on WAN down, and removed it from routing group (dual wan).
Cheers,
Dennis.As i put in the other thread.
There is an issue that was solved with blocking not parsing correctly the whitelist.
Just re-install the binary.Hi Ermal,
well, unfortunately it's still doing that, I upgraded the package few hours ago. It is blocking IPs that are in the whitelist alias, and also CARP VIPs.Btw, managing the whitelist with an alias is awesome!
Thanks,
Michele -
how do i use alias?
-
I pushed a fix to the sensitive data rules.
Please test it after 30 minutes.@ermail: is it possible to add the snort build number/date somewhere in the GUI? This way everybody nows exactly where they are.
I would prefer not since its not needed and you are just reporting bugs here.
-
Fired up 2.5.0 on two different installations (AMD64, 2.0.1) So far, so good.
Ermal, can you sort blocked IPs the same as in the alerts? Alerts on both interfaces are listed so the most recent is at the top of the page (perfecto), however blocked IPs are randomly sorted.
Normally youcan click on the headers to sort them
Question: With all the new suppression entries required, is there a way to add a descriptor above each suppress entry? I notice the add feature from the alerts list leaves a space between each entry added to the suppress list. Could find nothing on this one in the docs.
Added the description
-
how do i use alias?
Go to the Firewall Tab and select Aliases. There you can add them for ports, servers, netlists, host, etc.
-
No sensitive data preproc errors, snort starts again. Though I had to go to if settings -> categories and save settings again before I got snort to actually load rules. Instead of loading rules and end up using about 1.5 GB of ram, Snort just stayed at 400 MB'ish of memory usage.
-
After an automated update:
Jul 18 01:05:10 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
Jul 18 01:05:10 snort[46927]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 18 01:05:10 snort[46927]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 18 01:05:10 snort[46927]: Initializing rule chains…
Jul 18 01:05:10 snort[46927]: Initializing rule chains…and with sensitive data rules toggled off, starting snort fails with this:
Jul 18 01:08:35 snort[219]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/preprocessor.rules(201) Unknown ClassType: sdf
Jul 18 01:08:35 snort[219]: Initializing rule chains…I reported this yesterday and same thing happen again when I woke up this morning.. it failed the auto update…manual update after deleting the md5 files did the trick.