Snort stupid question: whitelists and Suppress lists.
-
Thank you, very clear and precise!
After Snort installation I'm seeing a lot of firewall logs including IPv6 addresses; is this normal?
Snort has nothing to do with what shows up in the firewall logs. That is purely up to pfSense. Snort actually inserts any IP address it wishes to block into an Alias table in the pfSense firewall, but there is no logging on the firewall side of IP addresses in that table. Instead, Snort shows IPs it blocked on its own BLOCKED tab.
As for being normal, the new 2.1 and up versions of pfSense seem to be quite "chatty" with IPv6 link local traffic (at least in my VMware test environment I've noticed that.
Bill
-
Disabling Snort on the LAN interface stops that firewall IPv6 log entries. This is quite strange!
-
Disabling Snort on the LAN interface stops that firewall IPv6 log entries. This is quite strange!
Oh…I remember why now. Snort puts interfaces it runs on in promiscuous mode, so the interface sees all traffic. You can choose not to log that since it's all link local stuff anyway.
Bill
-
I was trying to follow your instructions from this post
https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
so: how do I log Snort LAN activity to fully achieve the scope of that advice?
-
I was trying to follow your instructions from this post
https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
so: how do I log Snort LAN activity to fully achieve the scope of that advice?
Not sure I fully understand your question. Snort will log naturally to its own alert file (and to Barnyard2 if you enable that option and have a remote MySQL database
or syslog server where Barnyard2[edit: output to syslog is coming in next Snort update] can send the data). Bad things (or potentially bad things) Snort finds in traffic will be visible on the ALERTS tab. You can also configure Snort to log events to the system log. Snort does not, and cannot, log events to the firewall log.If you are asking more of a philosophy question for how to see which particular internal hosts on a LAN might be infected, then here is why I suggested the method you linked. Most home networks (and in fact, most corporate networks) use NAT to allow internal hosts to communicate with the Internet. So if you put Snort only on the WAN interface, it will see all the traffic, but the only "internal address" it will ever see is the WAN interface's IP address. So the logs for Snort would always show just your firewall's WAN IP address for any internal host. This is because Snort sees stuff "pre-NAT' on the way in and "post-NAT" on the way out. So you would get an alert if an internal host triggered a Snort alert when some malware phoned home, but the only two IP addresses you would have are the external CC BOT on the Internet and your firewall's WAN IP. Neither of those will help you find which internal host is infected. However, if you run Snort on the LAN side of your firewall, now it sees the real LAN hosts' internal IP addresses. It will also still see the external target IP addresses. So you get a much better picture in your logs of which internal host might be a problem.
The last thing you want to do (IMHO) is run the exact same rules on the WAN and LAN. That just wastes resources. I run a fairly comprehensive rule set on my LAN interface, and then just a rudimentary set of ET COMPROMISED and ET DROP rules on the WAN side.
If I failed to adequately answer your question in my rambling response, rephrase it and hit me again… ;D
Bill
-
Understood. ;)
So, to review all the alerts generated by Snort for the LAN interface I should simply go to Snort –> Alerts --> "Instance to inspect" and choose the LAN interface.
Then I should look at the SRC column and there are my internal machines and their activity. Is this correct?
Second (and important) question: how do I setup "just a rudimentary set of ET COMPROMISED and ET DROP rules on the WAN side"?
I have a paid subscription for personal use of VRT rules.
Thank you, I'm learning A LOT!
-
Understood. ;)
So, to review all the alerts generated by Snort for the LAN interface I should simply go to Snort –> Alerts --> "Instance to inspect" and choose the LAN interface.
Then I should look at the SRC column and there are my internal machines and their activity. Is this correct?
Second (and important) question: how do I setup "just a rudimentary set of ET COMPROMISED and ET DROP rules on the WAN side"?
I have a paid subscription for personal use of VRT rules.
Thank you, I'm learning A LOT!
Correct on where to look – the ALERTS tab and select the LAN instance to view. As for SRC or DST, that depends on whether for a particular exchange your LAN machine was the originator or receiver of the traffic. Either way, if you see a LAN host in either the SRC or DST column, you will want to investigate the alert. Right away let me say, in case you are new to Intrusion Detection Systems like Snort, that false positives are unfortunately quite common. That means Snort (and other tools as well) will sometimes mistake perfectly OK traffic as something bad and generate an alert. Worse, if block offenders is also enabled, legitimate traffic can get blocked. There are some threads here on the Packages sub-forum from users who have created some good Suppress Lists to try an minimize the occurrence of false positives.
The particular rules I was referring to (ET COMPROMISED and ET DROP) are part of the Emerging Threats rule set. They are totally free and require no registration. Just enable Emerging Threats Open Rules on the GLOBAL SETTINGS tab in Snort. Then download a fresh set using the UPDATE RULES tab. You can then choose some of them to compliment your Snort VRT rules on the LAN, and run some of the lists of known bad IP addresses (that's what ET COMPROMISED, ET DROP and ET CINS are) on the WAN.
Bill
-
I'm a bit confused about how the Interface tabs present the rules (or maybe I'm ignoring the principles).
Where do I setup / exclude / include the rules? I can't read along the Snort docs and the pfSense Package interface (my limitation, of course).
So, the TAb to take into consideration is the WAN Rules or the WAN Categories?
I'm asking this because the rules you mentioned (e.g. "compromised") are listed in the WAN Categories, but I thought I had to choose the rules using the WAN Rules TAB.
I hope I'm not bothering you with these questions :)
-
I'm a bit confused about how the Interface tabs present the rules (or maybe I'm ignoring the principles).
Where do I setup / exclude / include the rules? I can't read along the Snort docs and the pfSense Package interface (my limitation, of course).
So, the TAb to take into consideration is the WAN Rules or the WAN Categories?
I'm asking this because the rules you mentioned (e.g. "compromised") are listed in the WAN Categories, but I thought I had to choose the rules using the WAN Rules TAB.
I hope I'm not bothering you with these questions :)
The rules that Snort uses are really just signatures (similar to AV signatures). They tell Snort what patterns to look for when identifying malicious traffic. These rules (or signatures) are grouped into collections called rule sets. These rule sets are called Categories in the Snort package. A Category is simply a collection of rules (or signatures) that all detect similar kinds of malicious activity. So on the Categories tab you enable groups of rules when you check one of the checkboxes. Once you click a rule category and save it, the category name becomes a hyperlink on the Categories tab. You can click that hyperlink to open a pop-up window where you can view all the rules grouped into that category. Grouping rules into categories makes it easier to select rules relevant for your network. If you don't run a web server, then you have no need of all the rules for protecting a web server. You can save CPU cycles by not selecting that category of rules. Similarly, if you don't have a mail server, then you probably have no need for the SMTP rule category.
The Rules tab lets you manage the individual rules within the selected category. You select a category in the drop-down box on the Rules tab, and then all the individual rules (or signatures) assigned to that category show up in the bottom. You can then selectively enable or disable the individual rules. It is quite normal for some of the rules in a category to be disabled by default while others are enabled. The rule set creators determine which rules they default to enabled or disabled. An admin can then choose to tweak the rules to fit their specific networking needs. On the Rules tab, the small icon on the far left beside each rule indicates its current 'enabled' or 'disabled' state. A grayed-out icon means the rule is by default disabled in the category. You can click on the X icon to toggle the rule to either 'force enable' or 'force disable' (depends on what it's default state is). The icon changes color to indicate the state. It also has a pop-up tool-tip you can see if you hover your mouse over the icon for a few seconds.
If you run the Snort VRT rules (and you said you had a subscription for those), then you have an additional option available on the Categories tab. You can choose from one of three pre-set IPS Policies in a drop-down. When you enable a policy, Snort automatically selects a collection of rules from all the various Snort VRT categories that match the policy definition. The assignment of a rule to a given IPS Policy definition is done by the VRT rule creators at Snort.org. They tag each rule with special metadata to indicate which of the three IPS policies the rule is assigned to (and a given rule can be in more than one policy). When you enable an IPS Policy, then all of the Snort VRT rule categories are grayed-out since the policy selection takes precedence. You can still, though, go to the Rules tab, select the IPS Policy from the category drop-down, and manually disable any of the rules automatically added by the policy. You might do this, for example, if one of those rules was generating a lot of false positives in your environment.
One last point. There are currently three "vendors" of rules available in the Snort package: (1) Snort VRT, (2) Emerging Threats, and (3) Snort GPLv2 Community Rules. The Emerging Threats rules are divided into categories (collections of related rules) just like the Snort VRT rules are. The GPLv2 Community Rules all come in a single huge package (no grouping into categories within GPLv2). This means that you can, if you choose, run a Snort IPS policy and then combine some Emerging Threats rules (or even several categories of rules) with it. That's what I do. I use the IPS Balanced policy on my LAN and then supplement by selecting some of the Emerging Threats rule categories like ET Malware, ET Mobile Malware and ET Trojan (I'm pulling these off the top of my head at the moment and may not have the names exactly correct). By the way, as it says on the Global Settings tab, if you have a Snort VRT paid subscription, then all of the relevant GPLv2 Community Rules are in your VRT subscription package. So if you have a paid VRT subscription, you do not need to enable the GPLv2 Community Rules separately.
One of the things long on my TODO list that I have just not made time for is to update the Help files on the pfSense documentation Wiki for Snort. I also want to fix all the Help icons in the Snort package so they correctly link to the documentation Wiki.
Bill
-
Bill,
with your last post you opened my eyes!
Now I'm starting to understand this thing much better.
Many, many, many thanks for doing such a great job and for your kindness.
Snort is now working on my system in conjunction with pfblocker
(pfblocker is doing some raw filtering using Bluetack PIP Filter (.gz), ET blockrules compromised IPs and ET Block-IPs (.txt))I enriched Snort LAN rules with your suggestions (balanced policy in use) while leaving the WAN instance set to Connectivity IPS policy.
I'm using a suppress list by @asterix found here:
https://forum.pfsense.org/index.php?topic=56267.15
Speaking of the "SNORT GPLv2 COMMUNITY RULES": you suggested not to tick the checkbox "Install Snort Community rules".
Unfortunately this was ticked before I purchased the VRT subscription and now the tab Updates shows that GPLv2 COMMUNITY RULES are installed (and I don't know how to uninstall them). Un-ticking the checkbox in Global Settings doesn't get rid ot them. Hope this is not a problem.
Now testing, testing, testing…
-
Bill,
with your last post you opened my eyes!
Now I'm starting to understand this thing much better.
Many, many, many thanks for doing such a great job and for your kindness.
Snort is now working on my system in conjunction with pfblocker
(pfblocker is doing some raw filtering using Bluetack PIP Filter (.gz), ET blockrules compromised IPs and ET Block-IPs (.txt))I enriched Snort LAN rules with your suggestions (balanced policy in use) while leaving the WAN instance set to Connectivity IPS policy.
I'm using a suppress list by @asterix found here:
https://forum.pfsense.org/index.php?topic=56267.15
Speaking of the "SNORT GPLv2 COMMUNITY RULES": you suggested not to tick the checkbox "Install Snort Community rules".
Unfortunately this was ticked before I purchased the VRT subscription and now the tab Updates shows that GPLv2 COMMUNITY RULES are installed (and I don't know how to uninstall them). Un-ticking the checkbox in Global Settings doesn't get rid ot them. Hope this is not a problem.
Now testing, testing, testing…
Uncheck the GPLv2 Community Rules in two places. Unchecking them on the Global Settings tab means they will no longer be included in automatic updates. Unchecking them on the Categories tab for an interface, and then saving the configuration, means they will no longer be included in the enforcing rules for that Snort instance. I can add some code into the current update I'm working on to automatically remove them from the other places when the Global Settings box is unchecked. So long as they are unchecked on the Categories tab (and when unchecked and saved, they will be hidden on that tab anyway), they are not actually in the enforcing rules set Snort is using to inspect traffic. Oh, and no real harm if they are included. It would just mean some duplication in your rules. If you have plenty of CPU and RAM (and most setups these days do have plenty of extra CPU and RAM), then this duplication is no big deal.
Bill
-
I can't find where to uncheck the GPLv2 Community Rules in the Categories tab, probably because I did it in the past without the "awareness" I have today ;)
This is a screenshot
(and know I'm going to study what does this sentence mean "Note: Auto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface.)
-
I can't find where to uncheck the GPLv2 Community Rules in the Categories tab, probably because I did it in the past without the "awareness" I have today ;)
Snort:Global Settings - Install Snort Community Rules
-
@BBcan17:
I can't find where to uncheck the GPLv2 Community Rules in the Categories tab, probably because I did it in the past without the "awareness" I have today ;)
Snort:Global Settings - Install Snort Community Rules
No, no I was trying to get rid of them because they're included in the paid VRT subscription. Now the only place I can see them is in the Updates tab. For me is resolved.
-
@BBcan17:
I can't find where to uncheck the GPLv2 Community Rules in the Categories tab, probably because I did it in the past without the "awareness" I have today ;)
Snort:Global Settings - Install Snort Community Rules
No, no I was trying to get rid of them because they're included in the paid VRT subscription. Now the only place I can see them is in the Updates tab. For me is resolved.
Yes, that is a GUI display bug I need to fix. It does not mean they are being included in your rules. Just means the old MD5 file is still there for the code to see and display.
Bill
-
Bill,
I'd like to better understand the concept of Add auto-generated IP Addresses in the Whitelists.
I setup two default whitelists: one for the LAN and the other for the WAN.
As you can see I haven't setup any Aliases because – after the setup of the Suppress list by @asterix – I'm not getting any false positives.
-
First question: Have I to setup the same suppress list on the WAN and the LAN?
-
Second question: are these whitelists ok? (see attached screenshots)
I'm asking this because, in the LAN whitelist, I unchecked the entry «Add WAN interface IPs to the list» to get the Alerts to work (blindly following and advice found in the fora).
-
-
Bill,
I'd like to better understand the concept of Add auto-generated IP Addresses in the Whitelists.
I setup two default whitelists: one for the LAN and the other for the WAN.
As you can see I haven't setup any Aliases because – after the setup of the Suppress list by @asterix – I'm not getting any false positives.
-
First question: Have I to setup the same suppress list on the WAN and the LAN?
-
Second question: are these whitelists ok? (see attached screenshots)
I'm asking this because, in the LAN whitelist, I unchecked the entry «Add WAN interface IPs to the list» to get the Alerts to work (blindly following and advice found in the fora).
First up, go back and check that box for the WAN interface IP. You never want to "block it", so you always want it in the whitelist. Unchecking that box is a good way to get your network tied up in knots, and even more so if you have to remotely administer the firewall and don't have a backdoor network. If your WAN IP is blocked by Snort, then no traffic comes or goes. That's generally not a good thing.
The default whitelist is composed of the entries shown with checkboxes on that page. It includes the WAN interface IP, the next-hop gateway on the WAN, and all locally attached networks. It also includes your DNS servers (the ones either you manually configured when setting up pfSense, or the ones supplied by the DHCP server on the WAN if you have that kind of configuration). As you surmised, you have the option of adding more addresses to the whitelist by creating an Alias and populating it with the addresses. Then on the whitelist tab you can add it to the Addresses: alias box at the bottom of the page. It is perfectly fine to leave that blank, though, if you have no other IPs to whitelist. Your typical home network would not have need of any more, for example.
Here is what I recommend in terms of blocking setups for the LAN. First, leave all the default checkboxes checked on the Whitelist. Actually, in most situations, you don't need to create a whitelist at all. The automatic default one will be fine. You get the automatic default one when the whitelist drop-down on the Interface Settings tab is set to "default". Next, on the same Interface Settings tab in the blocking section, configure it to block BOTH and check the Kill States checkbox. By choosing block BOTH (that means SRC and DST addresses) for a bad packet, you are sure to block communication between an infected LAN host and whomever it is trying to talk to on the Internet. So whether your LAN host is the SRC or DST of the traffic, a block will be inserted. Here is why BOTH is the best choice. Remember the default whitelist will not block LAN host IP addresses, so that would mean if you choose only SRC or only DST, and one of those is your LAN host, that bad traffic would not get blocked. However, by telling Snort to block BOTH ends of the conversation (the SRC and DST simultaneously, you are guaranteed to block the bad traffic even when one of them (either SRC or DST) is on the whitelist. What literally happens in this scenario is as follows. Assume the blocking plugin within Snort sees bad traffic from a LAN host to a BOT CC server. In this example, your LAN host is the SRC while the BOT CC server is the DST. The blocking plugin sees the LAN host IP range is on the whitelist, so it won't insert a block for SRC address. If all you had selected was to block SRC, then you see how the LAN host could still phone home to the evil IP. However, since you chose BOTH as the blocking instructions, the Snort blocking plugin will also insert a block for the DST IP (the BOT CC server). So your LAN host's traffic can't get to the BOT CC server. If the roles were reversed so that the LAN host was the DST instead, the traffic would still get blocked if you have BOTH chosen. This is why BOTH is the new default choice for this parameter. It was formerly just SRC.
Bill
-
-
A fine read indeed! Thanks for taking the time :)
-
Disabling Snort on the LAN interface stops that firewall IPv6 log entries. This is quite strange!
Oh…I remember why now. Snort puts interfaces it runs on in promiscuous mode, so the interface sees all traffic. You can choose not to log that since it's all link local stuff anyway.
Bill
Actually you can only stop logging that ipv6 link local traffic if you enable ipv6 on pfsense 2.1 which seems backwards. You would then need to create a rule to block all ipv6 on the floating tab and not log it.
With 2.0.3, ipv6 disabled in advanced settings, and default drop logging enabled (the default setting), all ipv6 is dropped without logging. There was a change though in 2.1 where now if default block logging is enabled (the default setting) ipv6 will be logged and you can not change that with ipv6 disabled. I can understand why the change was made because it seems logical to do with ipv6 the same as you do with ipv4 with the default block logging enabled. With ipv6 disabled in advanced settings though it just doesn't make sense to log ipv6 IMHO even with default drop logging enabled.
With pfsense 2.0.3:
if(!isset($config['system']['ipv6allow'])) {
$ipfrules .= "# Block all IPv6\n";
$ipfrules .= "block in quick inet6 all\n";
$ipfrules .= "block out quick inet6 all\n";
}With pfsense 2.1:
if(!isset($config['system']['ipv6allow'])) {
$ipfrules .= "# Block all IPv6\n";
$ipfrules .= "block in {$log} quick inet6 all label "Block all IPv6"\n";
$ipfrules .= "block out {$log} quick inet6 all label "Block all IPv6"\n";These are implicit rules with 'quick' that come before any user rules so you can not override them and set them to not log.
I would love to see ipv6 not logged if ipv6 is disabled. The packets are blocked and since you have disabled ipv6 why would you care about them?.
-
A fine read indeed! Thanks for taking the time :)
I really need to make time to update the HELP pages on the pfSense Wiki for Snort. I will commit to doing that immediately after I post the upcoming Snort 2.9.6.0 update. Having all of the complexity of the Snort package adequately documented is way overdue.
Bill