
    Snort 2.9.4.6 pkg v2.6.1

pfSense Packages
    59 Posts 9 Posters 14.9k Views
• BBcan177 (Moderator)

Screenshot didn't attach. Please see the attached JPG file.

snort.jpg (attachment)

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

• bmeeks

        @BBcan17:

        Hello Bill,

If I block both the SRC and DST, won't that kill the ability for the alerted LAN address to access the Net?

        If you need any further details please let me know.

        No, the auto-whitelist will keep it from actually blocking the LAN addresses.  This is because locally attached networks like the LAN are automatically added to the whitelist.  By choosing BOTH for the block parameter, this catches an offending IP no matter which way the traffic is flowing.  However, this setting is only for blocking.  The alerting in the logs is not dependent on that setting.

        Bill

• bmeeks

          @BBcan17:

Screenshot didn't attach. Please see the attached JPG file.

Looking at the attached images (the JPG was cut off a bit in my browser window), it appears the traffic was alerted and blocked by Snort.  Or at least an entry was put in the pf table (snort2c).  That's all Snort can do.  After that it is up to the packet filter engine in FreeBSD to do the rest.  Where exactly is the Security Onion appliance in the network traffic path as compared to Snort on the pfSense firewall?  Could it be they are both seeing the traffic in parallel?  I'm asking how exactly the Onion appliance is wired into the network such that it is seeing WAN traffic.

          Bill

• BBcan177 (Moderator)

            Thanks Bill,

            I will try to block/kill the SRC/DST and see if that fixes the issue.

The LAN side of pfSense goes to a switch which spans/mirrors the traffic to Security Onion's sensor port.

On another note: would it be possible to add a comment line to the suppression process when we select "Add this alert to the suppress list" or "Add this alert to the suppress list .. DST/SRC"? This way you can record the reasoning behind some of the suppressions.

            Thanks

• bmeeks

              @BBcan17:

              I will try to block/kill the SRC/DST and see if that fixes the issue.

The LAN side of pfSense goes to a switch which spans/mirrors the traffic to Security Onion's sensor port.

              I don't think this will necessarily fix the issue, but it's worth a try.  Can I assume from your reply about the sensor location that one of those IP addresses is in your LAN and you are not using NAT?

              @BBcan17:

On another note: would it be possible to add a comment line to the suppression process when we select "Add this alert to the suppress list" or "Add this alert to the suppress list .. DST/SRC"? This way you can record the reasoning behind some of the suppressions.

              That might be possible.  I will file it away for some future feature adds.  The next big release is already packaged (version 3.0.0) and it's too late to add more features.  That version, when released, will add support in the GUI for multiple target engine configurations for five of the preprocessors (frag3, stream5, http_inspect, ftp_server and ftp_client).

              Bill

• BBcan177 (Moderator)

Great stuff. I don't know what I would do without pfSense and Snort.

I also notice that when I am viewing the alert list and select the "+" or "x" buttons for suppression, the refresh of the screen brings me to another Snort interface alert list.

Yes, the alert was for an IP on the same network (10.1.xx.xxx) as the pfSense LAN port.

• BBcan177 (Moderator)

                  Hello Bill,

                  I changed the Blocking to both SRC/DST but I noticed that this one alert was blocked in pfSense but Security Onion picked it up.

See the JPG attached.

snort2.jpg (attachment)

• bmeeks

                    @BBcan17:

                    Hello Bill,

                    I changed the Blocking to both SRC/DST but I noticed that this one alert was blocked in pfSense but Security Onion picked it up.

See the JPG attached.

                    Is this routine or more random?  What I mean by that is does it seem to leak all the packets that should have been blocked, or is it more like randomly it does this?  I'm asking to see if this might be tied in any way to the random clearing of the block table.  I doubt it is, but just checking all possibilities.

                    It certainly does appear from your captures that the packet is supposedly "blocked", but it leaks by anyway to the LAN.  I do notice a 5 hour time discrepancy in the Snort log entry versus the Security Onion entry.  The times match on the minute and second, but the hour is off.  I'm assuming this maybe is a time zone issue with one of the devices.

                    This is obviously not supposed to happen, so I would like to get to the bottom of it.  Unfortunately this is likely to require some pfSense uber-geek magic to figure out.  The packet filter and all the network stack stuff in pfSense is not my area of expertise.  Perhaps we can get one of the Core Team developers to take a look.  I will ping them with a link to this thread to see if one will weigh in.

                    Bill

• BBcan177 (Moderator)

                      Hi Bill,

Activity has been fairly low today, but I would say that most alerts are passing through unblocked. The things that I don't see in Security Onion are the DROP/DShield/ET RBN alerts in Snort, but that activity could also be dropped by the router.

                      I am in EST and Security Onion is configured in UTC time so that is your time difference.

                      I have three NICs installed on this router. I have two WAN addresses but only one GW. I have been trying to get Multiwan to work without success.
                      http://forum.pfsense.org/index.php/topic,64682.msg374930.html#msg374930

I have had the second WAN disabled for several weeks, and I had also disabled the Snort interface for this 2nd WAN port. However, today I noticed activity in this disabled WAN2 Snort interface. It didn't match the Snort alerts from WAN1.

So this afternoon, I deleted the WAN2 interface and also deleted the Snort interface and rebooted pfSense.

This didn't fix the issue, but I thought I would share that with you just in case.

• BBcan177 (Moderator)
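The five-hour gap noted above is exactly what makes comparing the two sensors' logs by eye unreliable: pfSense stamps alerts in the firewall's local time while Security Onion stamps them in UTC. The script below is an added example, not code from the pfSense Snort package, Security Onion or anyone in this thread. It assumes both alert logs are available in Snort's "fast" alert format (Security Onion stores alerts differently; they would have to be exported in this shape), that pfSense is in US Eastern Standard Time (UTC-5) and that the year is known, since fast-format timestamps omit it. The log lines, the SID 1:1000001 and all addresses are constructed.

```python
"""Correlate pfSense Snort alerts (stamped in the firewall's local time) with
Security Onion alerts (stamped in UTC) to list events pfSense reports as
blocked that the downstream sensor still saw. Added example, not code from the
pfSense Snort package or Security Onion. The log lines are constructed in
Snort's 'fast' alert format; the SID 1:1000001 and all addresses are made up."""
import re
from datetime import datetime, timedelta, timezone

# Assumptions: pfSense logs in US Eastern Standard Time (UTC-5, the 5-hour gap
# noted in the thread) and Security Onion logs in UTC. Fast-format alerts carry
# no year, so one is supplied.
PFSENSE_TZ = timezone(timedelta(hours=-5))
YEAR = 2013

# Constructed pfSense alerts (local time). The second alert is absent from the Security Onion log.
PFSENSE_ALERTS = [
    "05/14-14:32:10.123456  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.20.50:43210 -> 203.0.113.10:80",
    "05/14-14:40:02.000001  [**] [1:1000001:1] LOCAL constructed test alert [**] [Priority: 3] {UDP} 198.51.100.77:5060 -> 10.1.20.10:5060",
]

# Constructed Security Onion alerts (UTC): the same APT alert, five hours later on the clock.
ONION_ALERTS = [
    "05/14-19:32:10.201000  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.20.50:43210 -> 203.0.113.10:80",
]

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)


def parse_fast(line, tz):
    """Parse one fast-format alert; the timestamp is read in `tz` and returned in UTC."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=tz)
    return {"ts": local.astimezone(timezone.utc), "sid": int(m["sid"]),
            "src": m["src"], "dst": m["dst"], "msg": m["msg"]}


def correlate(pfsense_lines, onion_lines, window=timedelta(seconds=2)):
    """Return (sid, src, dst) for each pfSense alert that also appears in the
    Security Onion log with the same SID and endpoints within `window`, once
    both timestamps are in UTC. Comparing the raw clock strings would miss
    every match because of the zone offset."""
    onion = [a for a in (parse_fast(l, timezone.utc) for l in onion_lines) if a]
    seen_downstream = []
    for line in pfsense_lines:
        a = parse_fast(line, PFSENSE_TZ)
        if a is None:
            continue
        for b in onion:
            same_event = (a["sid"], a["src"], a["dst"]) == (b["sid"], b["src"], b["dst"])
            if same_event and abs(a["ts"] - b["ts"]) <= window:
                seen_downstream.append((a["sid"], a["src"], a["dst"]))
                break
    return seen_downstream


if __name__ == "__main__":
    for sid, src, dst in correlate(PFSENSE_ALERTS, ONION_ALERTS):
        print(f"alerted on pfSense and still seen by Security Onion: sid {sid} {src} -> {dst}")
```

A match here only says the downstream sensor saw a packet for the same flow within two seconds of the pfSense alert; it does not say whether pf ever blocked anything. That is consistent with the IDS behaviour described later in the thread, where the packet that triggers the alert has already passed by the time the block-table entry exists.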

                        Bill,

The router is set for Automatic Outbound NAT, but there were 4 entries from the Manual Outbound NAT that I was working with a few weeks ago. I have since cleared the manual rules and restarted pfSense.

• bmeeks

                          @BBcan17:

                          Bill,

The router is set for Automatic Outbound NAT, but there were 4 entries from the Manual Outbound NAT that I was working with a few weeks ago. I have since cleared the manual rules and restarted pfSense.

                          I sent a request via e-mail to the pfSense Core Team asking for one of them to take a look at this thread and see if they had any thoughts about what might be going on.  It's weird that the blocks are getting set in the packet filter table, but yet some traffic still seems to get through.

                          Bill

• bmeeks

                            @BBcan17:

                            Hi Bill,

…The things that I don't see in Security Onion are the DROP/DShield/ET RBN alerts in Snort, but that activity could also be dropped by the router.

                            Can you elaborate a bit more on this statement.  Are you saying you have some of the ET RBN and ET CIARMY rules enabled on the WAN side of pfSense in Snort, and those are all getting blocked but traffic matching other rules is not being reliably blocked?

                            Bill

• BBcan177 (Moderator)

Yes, it was blocking DROP/DShield/ET RBN/CINS, but I didn't see any CIARMY.

There were also blocked port scan sweeps and ET SCAN Sipvicious.

I didn't see any of that in Security Onion. I don't think I have ever seen one of those alerts.

                              https://code.google.com/p/security-onion/wiki/ManagingAlerts  (They do have them as part of the rulesets.)

• BBcan177 (Moderator)

                                Hi Bill,

I removed all of my suppression lists to try to get something to come in and get an alert. I got an alert and a block, but Security Onion still picked the blocked packets up even after my changes. Could there be some other setup/config issue that I could check?

                                The blocked ip is in the snort2c table.

                                I also found this interesting. I set a block on sig 1:2013504 (ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management)

I requested apt-get updates on the Security Onion box, and part of the updates came through before pfSense/Snort kicked in and blocked the remaining.
See attached JPG.

snort3.jpg (attachment)

• A Former User

Without reading the previous replies to this thread (just glanced at the above couple of posts, tbh), you are seeing the intended behaviour of Snort. Snort in pfSense is not running drop rules, but alert rules. The reason you might see traffic behind the Snort box is that (as I said in the past) Snort doesn't actually block any packets. I'll reuse a previous analogy I used:
Snort in pfSense (an IDS): a guy sitting in a room, watching the CCTV feeds. He picks up the radio and radios to a security person "hey, guy in the red jacket, pick him up". The downside is that while the guy is watching the guy in the red jacket, the one in the blue jacket gets through. They later decide that no jacket guys are allowed, which prevents this from happening again (until pfSense decides to flush the block table, out of nowhere, of course).
Snort running drop rules (or any IPS): you wall off part of the corridor, and set up a metal detector, a security guard patting you down, full body search and all that. Everyone has to go through this to be let through.

                                  Summary: Snort will allow some packets through until the whole analyze/alert/ban cycle completes.

If I missed something, or I'm not making any sense, please do ignore me. It's too early in the morning and I haven't had the mandatory caffeine boost yet. Or the sleep.

• Supermule
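The post above describes why an alert-then-block design lets packets through: the packet that triggers the alert has already passed before the address lands in the snort2c table. A related check a practitioner would run on the firewall itself is whether the blocked host still has a live pf state, because pf matches packets against the state table before it evaluates rules, so a state created before the table insert keeps passing that flow until it expires or is killed. The script below is an added example, not code from the pfSense Snort package; it parses constructed copies of `pfctl -t snort2c -T show` and `pfctl -ss` output (the real output is assumed to have this shape) and prints the pfctl(8) kill commands for any lingering states. The addresses are made up.

```python
"""Check whether hosts that Snort has put in the pf table snort2c still have
live pf states. Added example, not code from the pfSense Snort package: it
parses constructed copies of `pfctl -t snort2c -T show` and `pfctl -ss`
output (the real output format is assumed to match these lines)."""
import re
from ipaddress import ip_address

# Constructed dump of `pfctl -t snort2c -T show`: one address per line.
SNORT2C_DUMP = """\
   203.0.113.10
   198.51.100.77
"""

# Constructed dump of `pfctl -ss`. The second line shows the NAT form, with the
# pre-translation LAN address in parentheses.
STATES_DUMP = """\
all tcp 10.1.20.50:43210 -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
em0 tcp 198.51.100.2:51000 (10.1.20.51:51000) -> 203.0.113.99:443       ESTABLISHED:ESTABLISHED
all udp 198.51.100.77:5060 <- 10.1.20.10:5060       MULTIPLE:MULTIPLE
"""

# Dotted-quad extractor; the look-arounds keep it from matching inside a longer token.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_table(dump):
    """Set of addresses in a `pfctl -T show` dump."""
    return {ip_address(line.strip()) for line in dump.splitlines() if line.strip()}


def states_touching(blocked, states_dump):
    """(state line, blocked address) for every state whose endpoints include a
    blocked host. pf consults the state table before evaluating rules, so a
    state created before the snort2c insert keeps passing that flow's packets
    until it expires or is killed."""
    hits = []
    for line in states_dump.splitlines():
        for addr in IPV4.findall(line):
            if ip_address(addr) in blocked:
                hits.append((line.strip(), addr))
                break
    return hits


def kill_commands(hits):
    """pfctl(8) invocations that would remove those states: `-k host` kills
    states with the host as source, `-k 0.0.0.0/0 -k host` kills states from
    any host to it."""
    cmds = []
    for addr in dict.fromkeys(addr for _, addr in hits):  # dedupe, keep order
        cmds.append(f"pfctl -k {addr}")
        cmds.append(f"pfctl -k 0.0.0.0/0 -k {addr}")
    return cmds


if __name__ == "__main__":
    hits = states_touching(parse_table(SNORT2C_DUMP), STATES_DUMP)
    for line, addr in hits:
        print(f"blocked {addr} still has a state: {line}")
    print("\n".join(kill_commands(hits)))
```

On a real firewall the two dumps would come from running those pfctl commands over SSH; the "kill states" option mentioned later in the thread does the equivalent of the generated commands when the block is inserted. Packets that were already forwarded before the alert fired are outside the reach of either step.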

                                    Not if the one in the blue jacket gets blocked as well due to the "ET no jacket in the building" rule ;)

• A Former User

                                      @Supermule:

                                      Not if the one in the blue jacket gets blocked as well due to the "ET no jacket in the building" rule ;)

                                      What if the person observing them has a monitor in front of him, on which he watches the guy in the red jacket, while at the same time, the person in the blue jacket shows up on the monitor behind him? ;-)

What I was getting at is that some packets "leak through"; I've seen it more than enough times by now. Sometimes, depending on the processing the Snort box has to do, fewer packets get through before the eventual ban.

• Supermule

Snort strips him naked and scans his clothes without him noticing that… while stripping him naked, Snort discovers his jacket... and blocks him. ;)

• A Former User

So, to be perfectly clear, are you arguing that Snort (as running in pfSense) should block packets (act as an IPS), or are you saying that Snort should allow some packets through while scanning them (act as an IDS)?
Because from what I've seen in multiple production environments, Snort (as running in pfSense) acts as an IDS. Packets leak through, as I've said.

• BBcan177 (Moderator)

What logs can I look at to see Snort's performance, i.e. dropped packets or CPU/memory issues?

From the main pfSense Dashboard I never see any performance issues that would cause any concerns.

I have Snort blocking on the WAN SRC/DST and killing states. I also have Security Onion running immediately after pfSense performing full packet capture, and I am seeing every blocked alert from pfSense's Snort in my Security Onion alert system.  Both are running the same rulesets (Snort and ET).

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.