Snort 2.9.5.5 pkg. v3.0.0 – Update Released
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
If you're sending via ssl, snort will not be able to "decode" it.
-
Starting rules update... Time: 2013-12-13 00:03:01 Starting rules update... Time: 2013-12-13 10:43:23 Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Copying new config and map files... Updating rules configuration for: WAN ... The Rules update has finished. Time: 2013-12-13 10:44:30This is the update log called package update.
The scripts gets the right version, I'll try to update again and feedback.
-
@BBcan17:
I had these two this morning
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
(http_inspect) UNESCAPED SPACE IN HTTP URIThese are already in my WAN suppress for too many false positives.
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6All bottom ones are false positives, don't worry about them. I'll be updating my recommended lists in a couple of days, since I'm waiting for the FPs to settle down.
The two I'm not sure are these:
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
(http_inspect) UNESCAPED SPACE IN HTTP URI
can't say if they are FPs unless you have a gen_id and sig_id to go with them. -
The scripts gets the right version, I'll try to update again and feedback.
Via gui, I'm getting 504 erro but via snort_check_for_rule_updates.php it worked.
I've tried via gui using chrome and firefox.
I'll check the code to see if I find something.
Starting rules update... Time: 2013-12-13 16:04:22 Downloading Snort VRT rules md5 file snortrules-snapshot-2955.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2955.tar.gz'... Snort VRT rules md5 download failed. Server returned error code 504. Snort VRT rules will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2013-12-13 16:04:48 Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-12-13 16:06:34
-
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33 -
@BBcan17:
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33I, too, occasionally get 504 errors from Snort.org. I cut those down to a tiny trickle by changing my update time to 01:30 and 13:30 from the default of 00:03. I notice I did get a 504 error last night, but when I manually tried this morning it worked.
Bill
-
The scripts gets the right version, I'll try to update again and feedback.
Via gui, I'm getting 504 erro but via snort_check_for_rule_updates.php it worked.
I've tried via gui using chrome and firefox.
I'll check the code to see if I find something.
Starting rules update... Time: 2013-12-13 16:04:22 Downloading Snort VRT rules md5 file snortrules-snapshot-2955.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2955.tar.gz'... Snort VRT rules md5 download failed. Server returned error code 504. Snort VRT rules will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2013-12-13 16:04:48 Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules are up to date. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-12-13 16:06:34In non-GUI mode, output is suppressed because it interferes with the XMLRPC sync process. I discovered this when I was incorporating the sync feature code you contributed. The XMLRPC process would error with something about "invalid response" if anything was written to the console during the XML sync calls. The old rules update code would spew some output to the console.
From the log entry, it is attempting to download the correct file. I think the snort.org servers had some problems earlier today. I also got a 504 error during the night.
Bill
-
https://groups.google.com/forum/#!forum/mailing.unix.snort
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
As Marcelloc mentioned, many e-mail clients and servers now use TLS (a form of SSL) to communicate, so Snort cannot see anything in the packets except the IP headers. That may be what is happening. Does your e-mail system use TLS? One tell-tale sign is using ports 995 for POP3 and 465 for SMTP.
Bill
-
@BBcan17:
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33These are two new configuration parameters added to the http_inspect preprocessor in this release. Perhaps the defaults are not suitable for your environment. Try adjusting them. If several folks can help come up with a suggested set of "good defaults" for some of these settings, I will incorporate them into the package. Right now, when I add a new GUI configuration for a parameter, I set the defaults to match what is in the posted snort.conf files on snort.org for the current version.
Bill
-
@BBcan17:
I am not receiving errors from pfSense Snort but I have been seeing 504 on Security Onion. Errors are around the time of 7:00AM UTC or 2:00AM EST. Maybe there is too much traffic hitting www.snort.org?
jflsakfja - http Inspect -
(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120:11(http_inspect) UNESCAPED SPACE IN HTTP URI
119:33504 could be due to the server being overloaded, it's a gateway (proxy, php failing to respond to nginx/apache) timeout if I'm not mistaken.
Dunno about 120:11, 119:33 is definately not a false positive. If it's getting triggered the uri is not getting parsed correctly, or it's actually triggering on a bad location (eg This is a file.pdf) (should be handled server side, not your side). I haven't come across any of those 2 yet, but I'll keep an eye out for them.
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
If you're sending via ssl, snort will not be able to "decode" it.
TLS negotiation is enabled in Exchange, so yeah, it might be connecting to other servers with STARTTLS. That really limits the usefulness. Damn…
Should this work on HTTP traffic as well?
-
Thank you for the positive feedback, and that is a good idea. Supermule also suggested some time back a sort of "template" system for Snort where you could create a set of configuration templates and then assign one to a specific pfSense box or group of boxes. The template would have all the settings preset. I have that idea in my list of future enhancements. I could probably incorporate your disablesid.conf idea into the same template design. I'm thinking maybe this would be an add-on package for Snort much like the Snort Dashboard Widget is today.
Bill
Bill,
Does the snort pfsense package use the disablesid.conf file? Are we able to edit the file thru the Diagnostics Edit File or Command Prompt?
-
@BBcan17:
Thank you for the positive feedback, and that is a good idea. Supermule also suggested some time back a sort of "template" system for Snort where you could create a set of configuration templates and then assign one to a specific pfSense box or group of boxes. The template would have all the settings preset. I have that idea in my list of future enhancements. I could probably incorporate your disablesid.conf idea into the same template design. I'm thinking maybe this would be an add-on package for Snort much like the Snort Dashboard Widget is today.
Bill
Bill,
Does the snort pfsense package use the disablesid.conf file? Are we able to edit the file thru the Diagnostics Edit File or Command Prompt?
No, but it does offer a similar feature in the GUI. On the RULES tab for an interface, you can click the little X icons next to rules to selectively enable or disable them (basically you are toggling them from their default state in the rule set). Snort will then permanently remember your choices. Scroll down to the bottom of the page and there is legend on the left-hand side showing how the icons next to the rules will change as you disable default enabled rules, or enable default disabled rules. (Hope I typed that correctly…it's confusing to even think about ;D)
This is not as easy at the moment as say using REGEX in something like PulledPork. I have an item on my TODO list to add a support package to accomplish this as well as let you create Snort protection "templates" that could then be mass-applied to multiple firewalls. Some users who manage lots of similarly-configured firewalls have requested such a feature.
Bill
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
If you're sending via ssl, snort will not be able to "decode" it.
TLS negotiation is enabled in Exchange, so yeah, it might be connecting to other servers with STARTTLS. That really limits the usefulness. Damn…
Should this work on HTTP traffic as well?
I believe so. As far as I know, the Sensitive Data preprocessor inspects all traffic regardless of protocol.
Bill
-
I'm also having some issues with the sensitive data feature. I enabled it for credit card data, set the threshold to 1, and told it to mask the card numbers, but it doesn't seem to be alerting or replacing the text when I email a bunch of test CC numbers to a Gmail account. Is there something I'm missing?
If you're sending via ssl, snort will not be able to "decode" it.
TLS negotiation is enabled in Exchange, so yeah, it might be connecting to other servers with STARTTLS. That really limits the usefulness. Damn…
Should this work on HTTP traffic as well?
I believe so. As far as I know, the Sensitive Data preprocessor inspects all traffic regardless of protocol.
Bill
Ok, then maybe something else is wrong here too as it's not tripping on PayPal's test card page.
http://www.paypalobjects.com/en_US/vhelp/paypalmanager_help/credit_card_numbers.htm
I've also got another box that I just upgraded and snort refuses to start on this one.
Unknown rule option: 'stream_size'
-
Ok, then maybe something else is wrong here too as it's not tripping on PayPal's test card page.
http://www.paypalobjects.com/en_US/vhelp/paypalmanager_help/credit_card_numbers.htm
Make sure that PayPal is not flipping over to a HTTPS connection on you. Many times they will redirect an HTTP URL to an HTTPS one for security. My personal opinion on the SDF preprocessor (aka Sensitive Data) is that it is sort of pointless. I do not enable in my setup.
One other point – from your other error message about an unknown rule option, it would appear at least one of your firewalls has the Stream5 preprocessor disabled. Disabling Frag3 and Stream5 really cripples Snort, and can lead to detections not happening because session traffic is not properly reassembled. Not saying that is necessarily your SDF problem, but it could be if you have Stream5 disabled. SDF depends on Stream5 being enabled in order to function correctly.
Attached to this reply is a screenshot I captured from one of my virtual machine test firewalls when browsing to the PayPal link you provided. Note that it fired on the SDF for me.
I've also got another box that I just upgraded and snort refuses to start on this one.
Unknown rule option: 'stream_size'
This means you do not have a required preprocessor enabled. Any time you see an error message about an "unknown rule option", that means Snort is parsing a rule that requires a specific preprocessor be enabled, but that preprocess is disabled. With the required preprocessor not enabled, then Snort does not know how to interpret the rule option. This particular rule option requires the Stream5 preprocessor be enabled. Do you have all the default preprocessors enabled on the Preprocessors tab, or have you disabled some? There is really never a good reason with today's hardware capability to disable the preprocessors enabled by default in Snort. Any performance gain will be miniscule at best, and then you open yourself up to the "unknown rule option" errors. And these can get really aggravating because they will come and go as rules are enabled and disabled in the nightly updates from the rule maintainers. They frequently enable new rules that expect the preprocessors to be enabled.
Bill
-
This means you do not have a required preprocessor enabled. Any time you see an error message about an "unknown rule option", that means Snort is parsing a rule that requires a specific preprocessor be enabled, but that preprocess is disabled. With the required preprocessor not enabled, then Snort does not know how to interpret the rule option. This particular rule option requires the Stream5 preprocessor be enabled. Do you have all the default preprocessors enabled on the Preprocessors tab, or have you disabled some? There is really never a good reason with today's hardware capability to disable the preprocessors enabled by default in Snort. Any performance gain will be miniscule at best, and then you open yourself up to the "unknown rule option" errors. And these can get really aggravating because they will come and go as rules are enabled and disabled in the nightly updates from the rule maintainers. They frequently enable new rules that expect the preprocessors to be enabled.
Bill
All the preprocessors are enabled on the two interfaces. I uninstalled and reinstalled the package, then setup the interfaces again and now it's fine. Must have been something in the upgrade process. Thanks.
-
I am working on my next pfSense package. I have a very early Beta of Suricata working in IDS mode at the moment.
This would be an amazing addition.
