Snort 2.9.5.5 pkg. v3.0.0 – Update Released
-
In Security Onion, the software can flip between Snort and Suricata with a simple change in a conf file. ENGINE=SNORT or ENGINE=SURICATA and restarting the NSM. Maybe the package should stay the same with just the engine changing behind the scene on pfSense.
I don't know if one is better than the other. My Network speeds will never need PF_Ring or multi-process. I see a lot of False positives and I am always opening up the Ruleset to allow more traffic thru. With the latest patch Tueday, ET PRO sid:2002400, Sid 3:13802 detected windows updates as Malware.
I have 6 routers that I need to maintain and Snort/pfSense in a PFCenter would help in my daily management. (Wishfull thinking)
Having pfSense perform CINS, DROP, Scans, MSSQL, MYSQL IPS are obvious but almost all other alerts that I have seen are false positives. Unless Yahoo is full of malware.
Since I have been running Full Packet Capture after pfSense with Security Onion, I can drill down on an alert and see if it was malicious. Using its others tools like ELSA you can perform a search for a particular IP and see where else it showed up on your network and also view the full packets that were involved.
Another issue is knowing what is malicious and what is not. When an alert is triggered the information presented is limited in scope. A project like https://code.google.com/p/collective-intelligence-framework/
"CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route)."I think having OSSEC installed on all Servers and sensitive Hardware can help detect Intrusions. It will perform log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
I would be thrilled to see someone develop an OSSEC package in pfSense as any Active Response taken on a server could put a block at the pfSense Router level.
A Quote from Doug Burks of Security Onion "A better solution would be to let your firewall be a firewall and leave the IDS functionality to Security Onion."
This link to OSSEC developer/founder Daniel B. Cids Blog, I believe, says it all http://dcid.me/notes/2013-jul-08My two cents …
-
I am using the latest firefox version 26. But its not a big deal since i can make it work the other way. I did check with internet explorer and it does work correctly.
And thanks again for all the work that you put into adding separate engines. Its much easier and cleaner then how i was adding them manually. :)
shinzo:
I tried to reproduce your problem in my VMware environment and could not. I used Firefox 26 on a Windows XP SP3 virtual machine. I connected to a pfSense 2.1-amd64 box with the latest Snort package. I could both import Aliases into the Frag3 engine list, and I could create a new, empty engine and add an Alias from the button in the Details screen. I tried it several times and could not get it to fail for me.
I did a fresh install of Firefox on that VM just before the test. Prior to the test, the VM only had Chrome and the native IE installed. Does your Firefox have any extras installed that might interfere with JavaScript or other stuff?
Bill
So i created another firefox portable and gave it a shot and works fine. So i have to go through the extensions to see which one is causing my issue. Thanks for looking into it And you have my vote on Suricata
-
I've got this after updating two boxes.
Is it a normal behavior?
update log
Starting rules update... Time: 2013-12-13 00:03:01 Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2946.tar.gz'... Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file 'community-rules.tar.gz.md5'... Checking Snort GPLv2 Community Rules md5. There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Done downloading Snort GPLv2 Community Rules file. Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'... Checking Emerging Threats Open md5. There is a new set of Emerging Threats Open rules posted. Downloading file 'emerging.rules.tar.gz'... Done downloading Emerging Threats Open rules file. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-12-13 00:05:19 Starting rules update... Time: 2013-12-13 10:43:23 Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Copying new config and map files... Updating rules configuration for: WAN ... The Rules update has finished. Time: 2013-12-13 10:44:30But gui shows no vrt rules downloaded
-
bmeeks:
Thanks for the update. Just skipped the whole "test in a non-production system" part and went straight to an actual production system update. Everything is working as expected. Disabled sync, then re-enabled after the update.
I don't need to post my vote on suricata, since I went crazy over the past months on this :D. Another poster said that snort will soon be a thing of the past, and I strongly believe this. Suricata in IPS mode is the way forward IMNSHO.BBcan17:
The windows updates were detected as malware because that's the early release of the new three letter agency backdoor. Ok not a backdoor, but malware to install a backdoor. It's needed for them to do their job. Let's see what's in the "Keeping You Scared" bag. Terrorists, kids, cyber. I'll go with terrorists this time. This should be taken as a joke. Or not. ;)
Disclaimer: The paragraph above (never mind the indent) contains sarcasm. It should not be interpreted as stating actual facts. Microsoft (Inc) would never release backdoors to three letter agencies.
Disclaimer:The disclaimer above contains sarcasm….etc...etc... ;) -
I've got this after updating two boxes.
Is it a normal behavior?
update log
Starting rules update... Time: 2013-12-13 00:03:01 Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2946.tar.gz'... Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file 'community-rules.tar.gz.md5'... Checking Snort GPLv2 Community Rules md5. There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Done downloading Snort GPLv2 Community Rules file. Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'... Checking Emerging Threats Open md5. There is a new set of Emerging Threats Open rules posted. Downloading file 'emerging.rules.tar.gz'... Done downloading Emerging Threats Open rules file. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-12-13 00:05:19 Starting rules update... Time: 2013-12-13 10:43:23 Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Copying new config and map files... Updating rules configuration for: WAN ... The Rules update has finished. Time: 2013-12-13 10:44:30But gui shows no vrt rules downloaded
No, this is not normal. Looks like the update is downloading the wrong rule version. It should be downloading the file snortrules-snapshot-2955.tar.gz instead of snortrules-snapshot-2946.tar.gz.
Look in the snort_check_for_rule_updates.php file, and just a bit down from the top is a section where it parses the Snort version (and thus the rule to download) directly from the Snort binary. Wonder if that part is not working, or you have an old version of the file?
Here is the section of code:
/* Grab the Snort binary version programmatically and use it to construct */ /* the proper Snort VRT rules tarball and md5 filenames. */ exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); // Save the version with decimal delimiters for use in extracting the rules $snort_version = $snortver[0]; // Create a collapsed version string for use in the tarball filename $snortver[0] = str_replace(".", "", $snortver[0]); $snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz"; $snort_filename_md5 = "{$snort_filename}.md5"; $snort_rule_url = VRT_DNLD_URL;If your file looks like the above, then try hardcoding the $snort_filename variable to "snortrules-snapshot-2955.tar.gz". Let me know what you find. This should not happen, so I would like to make sure any software bug is fixed.
Bill
-
Another vote for Suricata. Would be great to have real IPS/IDS!
(btw. my VRT rules are updated properly)
-
Has anyone else seen http_inspect going ABSOLUTELY nuts and just blocking pretty much everything after this upgrade? I'm running the "Balanced" policy and none of the alerts below ever showed up under the 2.9.4.6 package.
(http_inspect) UNKNOWN METHOD
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) IIS UNICODE CODEPOINT ENCODING
(http_inspect) DOUBLE DECODING ATTACK -
I had these two this morning
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
(http_inspect) UNESCAPED SPACE IN HTTP URIThese are already in my WAN suppress for too many false positives.
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6 -
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
If you're sending via ssl, snort will not be able to "decode" it.
-
Starting rules update... Time: 2013-12-13 00:03:01 Starting rules update... Time: 2013-12-13 10:43:23 Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Copying new config and map files... Updating rules configuration for: WAN ... The Rules update has finished. Time: 2013-12-13 10:44:30This is the update log called package update.
The scripts gets the right version, I'll try to update again and feedback.
-
@BBcan17:
I had these two this morning
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
(http_inspect) UNESCAPED SPACE IN HTTP URIThese are already in my WAN suppress for too many false positives.
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6All bottom ones are false positives, don't worry about them. I'll be updating my recommended lists in a couple of days, since I'm waiting for the FPs to settle down.
The two I'm not sure are these:
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
(http_inspect) UNESCAPED SPACE IN HTTP URI
can't say if they are FPs unless you have a gen_id and sig_id to go with them. -
The scripts gets the right version, I'll try to update again and feedback.
Via gui, I'm getting 504 erro but via snort_check_for_rule_updates.php it worked.
I've tried via gui using chrome and firefox.
I'll check the code to see if I find something.
Starting rules update... Time: 2013-12-13 16:04:22 Downloading Snort VRT rules md5 file snortrules-snapshot-2955.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2955.tar.gz'... Snort VRT rules md5 download failed. Server returned error code 504. Snort VRT rules will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2013-12-13 16:04:48 Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-12-13 16:06:34
-
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33 -
@BBcan17:
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33I, too, occasionally get 504 errors from Snort.org. I cut those down to a tiny trickle by changing my update time to 01:30 and 13:30 from the default of 00:03. I notice I did get a 504 error last night, but when I manually tried this morning it worked.
Bill
-
The scripts gets the right version, I'll try to update again and feedback.
Via gui, I'm getting 504 erro but via snort_check_for_rule_updates.php it worked.
I've tried via gui using chrome and firefox.
I'll check the code to see if I find something.
Starting rules update... Time: 2013-12-13 16:04:22 Downloading Snort VRT rules md5 file snortrules-snapshot-2955.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2955.tar.gz'... Snort VRT rules md5 download failed. Server returned error code 504. Snort VRT rules will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2013-12-13 16:04:48 Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-12-13 16:06:34In non-GUI mode, output is suppressed because it interferes with the XMLRPC sync process. I discovered this when I was incorporating the sync feature code you contributed. The XMLRPC process would error with something about "invalid response" if anything was written to the console during the XML sync calls. The old rules update code would spew some output to the console.
From the log entry, it is attempting to download the correct file. I think the snort.org servers had some problems earlier today. I also got a 504 error during the night.
Bill
-
https://groups.google.com/forum/#!forum/mailing.unix.snort
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
As Marcelloc mentioned, many e-mail clients and servers now use TLS (a form of SSL) to communicate, so Snort cannot see anything in the packets except the IP headers. That may be what is happening. Does your e-mail system use TLS? One tell-tale sign is using ports 995 for POP3 and 465 for SMTP.
Bill
-
@BBcan17:
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33These are two new configuration parameters added to the http_inspect preprocessor in this release. Perhaps the defaults are not suitable for your environment. Try adjusting them. If several folks can help come up with a suggested set of "good defaults" for some of these settings, I will incorporate them into the package. Right now, when I add a new GUI configuration for a parameter, I set the defaults to match what is in the posted snort.conf files on snort.org for the current version.
Bill
-
@BBcan17:
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33504 could be due to the server being overloaded, it's a gateway (proxy, php failing to respond to nginx/apache) timeout if I'm not mistaken.
Dunno about 120:11, 119:33 is definately not a false positive. If it's getting triggered the uri is not getting parsed correctly, or it's actually triggering on a bad location (eg This is a file.pdf) (should be handled server side, not your side). I haven't come across any of those 2 yet, but I'll keep an eye out for them.
