• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker

Scheduled Pinned Locked Moved pfSense Packages
171 Posts 26 Posters 187.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • ?
    A Former User
    last edited by Jan 12, 2014, 3:17 PM

    Not him, neither have I read his stuff. Maybe he read mine?

    1 Reply Last reply Reply Quote 0
    • R
      Ramosel
      last edited by Jan 13, 2014, 5:10 PM

      @jflsakfja:

      Not him, neither have I read his stuff. Maybe he read mine?

      Really?!  Although I thought Terrell introduced it… Jim Fleming was quite a proponent of IPv8 back in the 1998-2002 timeframe.  His stuff was all over APNIC and NANOG.  I also think he was involved or maybe even created UNIR.  There are still some archive messages relating to him on RIPE and IETF.  Most were not too kind to him back then.  I thought he was brilliant... but with some limited social skills.  I haven't heard/seen anything from him in over 10 years now.  When you brought up IPv8 it jogged this memory of him.

      Rick

      1 Reply Last reply Reply Quote 0
      • ?
        A Former User
        last edited by Mar 4, 2014, 2:48 PM

        Update

        This is an update to remove redundant suppressions (thanks to Bill for adding the preprocessor rules so we can disable those instead of suppressing them). Some rules added to various categories. As always there were some rules missing in action, didn't note which were those though. Snort needs an update to add commands to the IMAP recognised commands, but I didn't have time to push the list upstream to be included in Snort's code. Those lists are embedded in the code and need updating upstream. If a Snort dev notices this, please consider updating those lists.

        Don't know how much longer this list will be updated, since I'm personally waiting to migrate over to the Suricata package. As soon as the Suricata package is ready for production (hoping for full IPS functionality), this thread will stop being updated.

        In tab "Rules", under "Category" select:
        (–- means blank table at time of writing)

        Auto-Flowbit rules > all except:
        8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
        23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected

        DISABLED:2

        emerging-activex > all

        DISABLED:0

        emerging-attack_responses > all

        DISABLED:0

        DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

        emerging-chat > all except:
        2010784 ET CHAT Facebook Chat (send message)
        2010785 ET CHAT Facebook Chat (buddy list)
        2010786 ET CHAT Facebook Chat (settings)
        2010819 ET CHAT Facebook Chat using XMPP
        2002327 ET CHAT Google Talk (Jabber) Client Login
        2002334 ET CHAT Google IM traffic Jabber client sign-on
        2001241 ET CHAT MSN file transfer request
        2001242 ET CHAT MSN file transfer accept
        2001243 ET CHAT MSN file transfer reject
        2001682 ET CHAT MSN IM Poll via HTTP
        2002192 ET CHAT MSN status change
        2008289 ET CHAT Possible MSN Messenger File Transfer
        2009375 ET CHAT General MSN Chat Activity
        2009376 ET CHAT MSN User-Agent Activity
        2001595 ET CHAT Skype VOIP Checking Version (Startup)
        2002157 ET CHAT Skype User-Agent detected
        2003022 ET CHAT Skype Bootstrap Node (udp)

        DISABLED:17

        DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt

        DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

        emerging-current_events > all

        DISABLED:0

        emerging-deleted > ---

        emerging-dns > all except:
        2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
        2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
        2001117 ET DNS Standard query response, Name Error

        DISABLED:3

        emerging-dos > all

        DISABLED:0

        DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p

        DO NOT USE! > emerging-dshield > use pfblocker with: (cannot find specific list, but ip listed in pfblocker tables, NEED HELP HERE<<<<) Could be due to ET list used by pfblocker. http://rules.emergingthreats.net/blockrules/compromised-ips.txt <<< includes IP related to different subjects, so its a misc list, likely including the hosts I could not find on specific lists.

        emerging-exploit > all except:
        2001058 ET EXPLOIT libpng tRNS overflow attempt
        2002913 ET EXPLOIT VNC Client response
        2002914 ET EXPLOIT VNC Server VNC Auth Offer
        2002919 ET EXPLOIT VNC Good Authentication Reply
        2002915 ET EXPLOIT VNC Authentication Reply
        2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
        2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

        DISABLED:7

        emerging-ftp > all
        2010731 ET FTP FTP CWD command attempt without login

        DISABLED:1

        emerging-games > all

        DISABLED:0

        emerging-icmp > ---

        emerging-icmp_info > ---

        emerging-imap > ---

        emerging-inappropriate > all except:
        2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
        2001608 ET INAPPROPRIATE Likely Porn

        DISABLED:2

        emerging-info > all except:
        2014472 ET INFO JAVA - Java Archive Download
        2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
        2014819 ET INFO Packed Executable Download
        2015016 ET INFO FTP STOR to External Network
        2015561 ET INFO PDF Using CCITTFax Filter
        2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
        2016360 ET INFO JAVA - ClassID
        2016361 ET INFO JAVA - ClassID
        2016404 ET INFO MPEG Download Over HTTP (1)
        2015674 ET INFO 3XX redirect to data URL
        2016847 ET INFO Possible Chrome Plugin install
        2017669 ET INFO Zip File

        DISABLED:12

        emerging-malware > all except:
        2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
        2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
        2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related

        DISABLED:3

        emerging-misc > all

        DISABLED:0

        emerging-mobile_malware > all except:
        2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
        2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

        DISABLED:2

        emerging-netbios > all

        DISABLED:0

        emerging-p2p > all except:
        2000369 ET P2P BitTorrent Announce
        2007727 ET P2P possible torrent download
        2008581 ET P2P BitTorrent DHT ping request
        2008583 ET P2P BitTorrent DHT nodes reply
        2008585 ET P2P BitTorrent DHT announce_peers request
        2010144 ET P2P Vuze BT UDP Connection (5)
        2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
        2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
        2014734 ET P2P BitTorrent - Torrent File Downloaded
        2003317 ET P2P Edonkey Search Request (any type file)
        2009971 ET P2P eMule KAD Network Hello Request (2)
        2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)

        DISABLED:12

        emerging-policy > all except:
        2000419 ET POLICY PE EXE or DLL Windows file download
        2000428 ET POLICY ZIP file download
        2001115 ET POLICY MSI (microsoft installer file) download
        2003595 ET POLICY exe download via HTTP - Informational
        2001898 ET POLICY eBay Bid Placed
        2001907 ET POLICY eBay Placing Item for sale
        2001908 ET POLICY eBay View Item
        2001909 ET POLICY eBay Watch This Item
        2003303 ET POLICY FTP Login Attempt (non-anonymous)
        2003410 ET POLICY FTP Login Successful
        2003121 ET POLICY docs.google.com Activity
        2003597 ET POLICY Google Calendar in Use
        2002801 ET POLICY Google Desktop User-Agent Detected
        2002838 ET POLICY Google Search Appliance browsing the Internet
        2000035 ET POLICY Hotmail Inbox Access
        2000036 ET POLICY Hotmail Message Access
        2000037 ET POLICY Hotmail Compose Message Access
        2000038 ET POLICY Hotmail Compose Message Submit
        2000039 ET POLICY Hotmail Compose Message Submit Data
        2008238 ET POLICY Hotmail Inbox Access
        2008239 ET POLICY Hotmail Message Access
        2008240 ET POLICY Hotmail Compose Message Access
        2008242 ET POLICY Hotmail Access Full Mode
        2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
        2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
        2002330 ET POLICY Google Talk TLS Client Traffic
        2002332 ET POLICY Google IM traffic Windows client user sign-on
        2002333 ET POLICY Google IM traffic friend invited
        2002878 ET POLICY iTunes User Agent
        2002722 ET POLICY MP3 File Transfer Outbound
        2002723 ET POLICY MP3 File Transfer Inbound
        2001114 ET POLICY Mozilla XPI install files download
        2001973 ET POLICY SSH Server Banner Detected on Expected Port
        2001974 ET POLICY SSH Client Banner Detected on Expected Port
        2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
        2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
        2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
        2001978 ET POLICY SSH session in progress on Expected Port
        2001979 ET POLICY SSH Server Banner Detected on Unusual Port
        2001980 ET POLICY SSH Client Banner Detected on Unusual Port
        2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
        2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
        2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
        2001984 ET POLICY SSH session in progress on Unusual Port
        2009001 ET POLICY Login Credentials Possibly Passed in URI
        2009004 ET POLICY Login Credentials Possibly Passed in POST Data
        2003214 ET POLICY Pingdom.com Monitoring detected
        2003215 ET POLICY Pingdom.com Monitoring Node Active
        2001669 ET POLICY Proxy GET Request
        2001670 ET POLICY Proxy HEAD Request
        2001674 ET POLICY Proxy POST Request
        2001675 ET POLICY Proxy CONNECT Request
        2002922 ET POLICY VNC Authentication Successful
        2002920 ET POLICY VNC Authentication Failure
        2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
        2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
        2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
        2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
        2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
        2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
        2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
        2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
        2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
        2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
        2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
        2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
        2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
        2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
        2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
        2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
        2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
        2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
        2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
        2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
        2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
        2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
        2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
        2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
        2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
        2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
        2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
        2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
        2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
        2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
        2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
        2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
        2001449 ET POLICY Proxy Connection detected
        2002822 ET POLICY Wget User Agent
        2002823 ET POLICY POSSIBLE Web Crawl using Wget
        2002824 ET POLICY CURL User Agent
        2002934 ET POLICY libwww-perl User Agent
        2002828 ET POLICY Googlebot User Agent
        2002829 ET POLICY Googlebot Crawl
        2002830 ET POLICY Msnbot User Agent
        2002831 ET POLICY Msnbot Crawl
        2002832 ET POLICY Yahoo Crawler User Agent
        2002833 ET POLICY Yahoo Crawler Crawl
        2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
        2002948 ET POLICY External Windows Update in Progress
        2002949 ET POLICY Windows Update in Progress
        2001402 ET POLICY ZIPPED DOC in transit
        2001403 ET POLICY ZIPPED XLS in transit
        2001404 ET POLICY ZIPPED EXE in transit
        2001405 ET POLICY ZIPPED PPT in transit
        2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
        2012647 ET POLICY Dropbox.com Offsite File Backup in Use
        2012648 ET POLICY Dropbox Client Broadcasting
        2013028 ET POLICY curl User-Agent Outbound
        2013030 ET POLICY libwww-perl User-Agent
        2013031 ET POLICY Python-urllib/ Suspicious User Agent
        2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
        2013414 ET POLICY Executable served from Amazon S3
        2013458 ET POLICY Facebook Like Button Clicked (1)
        2013459 ET POLICY Facebook Like Button Clicked (2)
        2013503 ET POLICY OS X Software Update Request Outbound
        2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
        2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
        2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
        2014313 ET POLICY Executable Download From DropBox
        2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
        2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
        2017015 ET POLICY DropBox User Content Access over SSL
        2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
        2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
        2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
        2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
        2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
        2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
        2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
        2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
        2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
        2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
        2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
        2001328 ET POLICY SSN Detected in Clear Text (dashed)
        2001384 ET POLICY SSN Detected in Clear Text (spaced)
        2007971 ET POLICY SSN Detected in Clear Text (SSN )
        2007972 ET POLICY SSN Detected in Clear Text (SSN# )
        2011854 ET POLICY Java JAR file download
        2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets  <<<<<<<< handled by ticking block bogon networks in interface settings
        2002752 ET POLICY Reserved Internal IP Traffic    <<<<<<<<<<<<< handled by ticking block private networks in interface settings
        2000418 ET POLICY Executable and linking format (ELF) file download
        2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
        2016877 ET POLICY Unsupported/Fake FireFox Version 2.
        2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
        2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
        2013255 ET POLICY Majestic12 User-Agent Request Inbound
        2014726 ET POLICY Outdated Windows Flash Version IE
        2012911 ET POLICY URL Contains password Parameter
        2011085 ET POLICY HTTP Redirect to IPv4 Address

        DISABLED:149

        emerging-pop3 > ---

        DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt

        DO NOT USE! > emerging-rbn > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-ips.txt

        emerging-rpc > ---

        emerging-scada > all

        DISABLED:0

        emerging-scan > all except
        2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
        2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
        2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
        2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack

        DISABLED:4

        emerging-shellcode > all except
        2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
        2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
        2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
        2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
        2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
        2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
        2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String

        DISABLED:7

        emerging-smtp > all

        DISABLED:0

        emerging-snmp > all

        DISABLED:0

        emerging-sql > all

        DISABLED:0

        emerging-telnet > all

        DISABLED:0

        emerging-tftp > all

        DISABLED:0

        DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p

        emerging-trojan > all except:
        2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
        2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
        2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
        2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
        2001046 ET TROJAN UPX compressed file download possible malware

        DISABLED:5

        emerging-user_agents > all except:
        2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

        DISABLED:1

        emerging-voip > all

        DISABLED:0

        emerging-web_client > all except
        2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
        2011507 ET WEB_CLIENT PDF With Embedded File
        2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
        2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
        2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
        2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
        2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
        2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
        2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
        2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
        2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
        2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
        2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt

        DISABLED:13

        emerging-web_server > all except
        2003099 ET WEB_SERVER Poison Null Byte
        2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
        2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
        2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
        2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
        2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)

        DISABLED:5

        emerging-web_specific_apps > all except:
        2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
        2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
        2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
        2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
        2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt

        DISABLED:5

        emerging-worm > all

        DISABLED:0

        GPLv2 community rules > all except
        254 DNS SPOOF query response with TTL of 1 min. and no authority
        384 PROTOCOL-ICMP PING
        385 PROTOCOL-ICMP traceroute
        399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
        402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
        408 PROTOCOL-ICMP Echo Reply
        540 POLICY-SOCIAL Microsoft MSN message
        648 INDICATOR-SHELLCODE x86 NOOP
        649 INDICATOR-SHELLCODE x86 setgid 0
        1200 INDICATOR-COMPROMISE Invalid URL
        1201 INDICATOR-COMPROMISE 403 Forbidden
        1292 INDICATOR-COMPROMISE directory listing
        1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
        1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
        1437 FILE-IDENTIFY Microsoft Windows Media download detected
        1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
        1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
        1852 SERVER-WEBAPP robots.txt access
        1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
        1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
        1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
        1990 POLICY-SOCIAL Microsoft MSN user search
        1991 POLICY-SOCIAL Microsoft MSN login attempt
        2180 PUA-P2P BitTorrent announce request
        2181 PUA-P2P BitTorrent transfer
        2707 FILE-IMAGE JPEG parser multipacket heap overflow
        3463 SERVER-WEBAPP awstats access
        25518 OS-OTHER Apple iPod User-Agent detected
        25519 OS-OTHER Apple iPad User-Agent detected
        25520 OS-OTHER Apple iPhone User-Agent detected
        25521 OS-OTHER Android User-Agent detected
        25522 OS-OTHER Nokia User-Agent detected
        25523 OS-OTHER Samsung User-Agent detected
        25524 OS-OTHER Kindle User-Agent detected
        25525 OS-OTHER Nintendo User-Agent detected
        2417 PROTOCOL-FTP format string attempt
        1377 PROTOCOL-FTP wu-ftp bad file completion attempt
        1378 PROTOCOL-FTP wu-ftp bad file completion attempt

        DISABLED:38

        IPS Policy - Security > all except
        19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
        18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
        16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
        25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
        16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
        15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
        15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
        13360 APP-DETECT failed FTP login attempt
        23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
        14772 WEB-CLIENT libpng malformed chunk denial of service attempt
        29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt

        DISABLED:11

        preprocessor.rules > all except (first_column:second_column details)
        119:2 HI_CLIENT_DOUBLE_DECODE
        119:4 HI_CLIENT_BARE_BYTE
        119:7 HI_CLIENT_IIS_UNICODE
        119:14 HI_CLIENT_NON_RFC_CHAR
        119:31 HI_CLIENT_UNKNOWN_METHOD
        119:32 HI_CLIENT_SIMPLE_REQUEST
        120:2 HI_SERVER_INVALID_STATCODE
        120:3 HI_SERVER_NO_CONTLEN
        120:4 HI_SERVER_UTF_NORM_FAIL
        120:6 HI_SERVER_DECOMPR_FAILED
        120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
        120:9 HI_SERVER_JS_OBFUSCATION_EXCD
        120:10 HI_SERVER_JS_EXCESS_WS
        122:1 PSNG_TCP_PORTSCAN
        122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
        122:17 PSNG_UDP_PORTSCAN
        122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
        124:3 SMTP_RESPONSE_OVERFLOW
        125:1 FTPP_FTP_TELNET_CMD
        125:2 FTPP_FTP_INVALID_CMD
        125:7 FTPP_FTP_ENCRYPTED
        125:9 FTPP_FTP_EVASIVE_TELNET_CMD
        137:1 SSL_INVALID_CLIENT_HELLO
        141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
        141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
        145:2 DNP3_DROPPED_FRAME
        DISABLED>>>26

        DO NOT USE! > sensitive-data.rules > NONE enabled

        Suppression list:

        #GLOBAL

        gen_id 1

        suppress gen_id 1, sig_id 536
        suppress gen_id 1, sig_id 653
        suppress gen_id 1, sig_id 2452
        suppress gen_id 1, sig_id 11192
        suppress gen_id 1, sig_id 15306
        suppress gen_id 1, sig_id 16313
        suppress gen_id 1, sig_id 17458
        suppress gen_id 1, sig_id 20583
        suppress gen_id 1, sig_id 2000334
        suppress gen_id 1, sig_id 2008120
        suppress gen_id 1, sig_id 2010516
        suppress gen_id 1, sig_id 20122758
        suppress gen_id 1, sig_id 2014518
        suppress gen_id 1, sig_id 2014520
        suppress gen_id 1, sig_id 2100366
        suppress gen_id 1, sig_id 2100368
        suppress gen_id 1, sig_id 2100651
        suppress gen_id 1, sig_id 2101390
        suppress gen_id 1, sig_id 2101424
        suppress gen_id 1, sig_id 2102314
        suppress gen_id 1, sig_id 2103134
        suppress gen_id 1, sig_id 2500056
        suppress gen_id 1, sig_id 100000230
        suppress gen_id 3, sig_id 14772
        #(IMAP) Unknown IMAP4 command
        suppress gen_id 141, sig_id 1

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by Mar 15, 2014, 6:38 PM

          Emerging threats has stopped updating the RBN related lists, hence a new update to this topic. That and a couple of added rules.

          In tab "Rules", under "Category" select:
          (–- means blank table at time of writing)

          Auto-Flowbit rules > all except:
          8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
          23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected

          DISABLED:2

          emerging-activex > all

          DISABLED:0

          emerging-attack_responses > all

          DISABLED:0

          DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

          emerging-chat > all except:
          2010784 ET CHAT Facebook Chat (send message)
          2010785 ET CHAT Facebook Chat (buddy list)
          2010786 ET CHAT Facebook Chat (settings)
          2010819 ET CHAT Facebook Chat using XMPP
          2002327 ET CHAT Google Talk (Jabber) Client Login
          2002334 ET CHAT Google IM traffic Jabber client sign-on
          2001241 ET CHAT MSN file transfer request
          2001242 ET CHAT MSN file transfer accept
          2001243 ET CHAT MSN file transfer reject
          2001682 ET CHAT MSN IM Poll via HTTP
          2002192 ET CHAT MSN status change
          2008289 ET CHAT Possible MSN Messenger File Transfer
          2009375 ET CHAT General MSN Chat Activity
          2009376 ET CHAT MSN User-Agent Activity
          2001595 ET CHAT Skype VOIP Checking Version (Startup)
          2002157 ET CHAT Skype User-Agent detected
          2003022 ET CHAT Skype Bootstrap Node (udp)

          DISABLED:17

          DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt

          DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

          emerging-current_events > all

          DISABLED:0

          emerging-deleted > ---

          emerging-dns > all except:
          2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
          2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
          2001117 ET DNS Standard query response, Name Error

          DISABLED:3

          emerging-dos > all

          DISABLED:0

          DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p

          DO NOT USE! > emerging-dshield > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

          emerging-exploit > all except:
          2001058 ET EXPLOIT libpng tRNS overflow attempt
          2002913 ET EXPLOIT VNC Client response
          2002914 ET EXPLOIT VNC Server VNC Auth Offer
          2002919 ET EXPLOIT VNC Good Authentication Reply
          2002915 ET EXPLOIT VNC Authentication Reply
          2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
          2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

          DISABLED:7

          emerging-ftp > all
          2010731 ET FTP FTP CWD command attempt without login

          DISABLED:1

          emerging-games > all

          DISABLED:0

          emerging-icmp > ---

          emerging-icmp_info > ---

          emerging-imap > ---

          emerging-inappropriate > all except:
          2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
          2001608 ET INAPPROPRIATE Likely Porn

          DISABLED:2

          emerging-info > all except:
          2014472 ET INFO JAVA - Java Archive Download
          2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
          2014819 ET INFO Packed Executable Download
          2015016 ET INFO FTP STOR to External Network
          2015561 ET INFO PDF Using CCITTFax Filter
          2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
          2016360 ET INFO JAVA - ClassID
          2016361 ET INFO JAVA - ClassID
          2016404 ET INFO MPEG Download Over HTTP (1)
          2015674 ET INFO 3XX redirect to data URL
          2016847 ET INFO Possible Chrome Plugin install
          2017669 ET INFO Zip File

          DISABLED:12

          emerging-malware > all except:
          2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
          2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
          2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related

          DISABLED:3

          emerging-misc > all

          DISABLED:0

          emerging-mobile_malware > all except:
          2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
          2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

          DISABLED:2

          emerging-netbios > all

          DISABLED:0

          emerging-p2p > all except:
          2000369 ET P2P BitTorrent Announce
          2007727 ET P2P possible torrent download
          2008581 ET P2P BitTorrent DHT ping request
          2008583 ET P2P BitTorrent DHT nodes reply
          2008585 ET P2P BitTorrent DHT announce_peers request
          2010144 ET P2P Vuze BT UDP Connection (5)
          2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
          2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
          2014734 ET P2P BitTorrent - Torrent File Downloaded
          2003317 ET P2P Edonkey Search Request (any type file)
          2009971 ET P2P eMule KAD Network Hello Request (2)
          2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)

          DISABLED:12

          emerging-policy > all except:
          2000419 ET POLICY PE EXE or DLL Windows file download
          2000428 ET POLICY ZIP file download
          2001115 ET POLICY MSI (microsoft installer file) download
          2003595 ET POLICY exe download via HTTP - Informational
          2001898 ET POLICY eBay Bid Placed
          2001907 ET POLICY eBay Placing Item for sale
          2001908 ET POLICY eBay View Item
          2001909 ET POLICY eBay Watch This Item
          2003303 ET POLICY FTP Login Attempt (non-anonymous)
          2003410 ET POLICY FTP Login Successful
          2003121 ET POLICY docs.google.com Activity
          2003597 ET POLICY Google Calendar in Use
          2002801 ET POLICY Google Desktop User-Agent Detected
          2002838 ET POLICY Google Search Appliance browsing the Internet
          2000035 ET POLICY Hotmail Inbox Access
          2000036 ET POLICY Hotmail Message Access
          2000037 ET POLICY Hotmail Compose Message Access
          2000038 ET POLICY Hotmail Compose Message Submit
          2000039 ET POLICY Hotmail Compose Message Submit Data
          2008238 ET POLICY Hotmail Inbox Access
          2008239 ET POLICY Hotmail Message Access
          2008240 ET POLICY Hotmail Compose Message Access
          2008242 ET POLICY Hotmail Access Full Mode
          2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
          2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
          2002330 ET POLICY Google Talk TLS Client Traffic
          2002332 ET POLICY Google IM traffic Windows client user sign-on
          2002333 ET POLICY Google IM traffic friend invited
          2002878 ET POLICY iTunes User Agent
          2002722 ET POLICY MP3 File Transfer Outbound
          2002723 ET POLICY MP3 File Transfer Inbound
          2001114 ET POLICY Mozilla XPI install files download
          2001973 ET POLICY SSH Server Banner Detected on Expected Port
          2001974 ET POLICY SSH Client Banner Detected on Expected Port
          2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
          2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
          2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
          2001978 ET POLICY SSH session in progress on Expected Port
          2001979 ET POLICY SSH Server Banner Detected on Unusual Port
          2001980 ET POLICY SSH Client Banner Detected on Unusual Port
          2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
          2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
          2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
          2001984 ET POLICY SSH session in progress on Unusual Port
          2009001 ET POLICY Login Credentials Possibly Passed in URI
          2009004 ET POLICY Login Credentials Possibly Passed in POST Data
          2003214 ET POLICY Pingdom.com Monitoring detected
          2003215 ET POLICY Pingdom.com Monitoring Node Active
          2001669 ET POLICY Proxy GET Request
          2001670 ET POLICY Proxy HEAD Request
          2001674 ET POLICY Proxy POST Request
          2001675 ET POLICY Proxy CONNECT Request
          2002922 ET POLICY VNC Authentication Successful
          2002920 ET POLICY VNC Authentication Failure
          2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
          2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
          2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
          2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
          2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
          2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
          2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
          2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
          2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
          2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
          2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
          2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
          2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
          2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
          2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
          2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
          2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
          2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
          2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
          2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
          2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
          2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
          2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
          2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
          2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
          2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
          2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
          2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
          2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
          2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
          2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
          2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
          2001449 ET POLICY Proxy Connection detected
          2002822 ET POLICY Wget User Agent
          2002823 ET POLICY POSSIBLE Web Crawl using Wget
          2002824 ET POLICY CURL User Agent
          2002934 ET POLICY libwww-perl User Agent
          2002828 ET POLICY Googlebot User Agent
          2002829 ET POLICY Googlebot Crawl
          2002830 ET POLICY Msnbot User Agent
          2002831 ET POLICY Msnbot Crawl
          2002832 ET POLICY Yahoo Crawler User Agent
          2002833 ET POLICY Yahoo Crawler Crawl
          2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
          2002948 ET POLICY External Windows Update in Progress
          2002949 ET POLICY Windows Update in Progress
          2001402 ET POLICY ZIPPED DOC in transit
          2001403 ET POLICY ZIPPED XLS in transit
          2001404 ET POLICY ZIPPED EXE in transit
          2001405 ET POLICY ZIPPED PPT in transit
          2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
          2012647 ET POLICY Dropbox.com Offsite File Backup in Use
          2012648 ET POLICY Dropbox Client Broadcasting
          2013028 ET POLICY curl User-Agent Outbound
          2013030 ET POLICY libwww-perl User-Agent
          2013031 ET POLICY Python-urllib/ Suspicious User Agent
          2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
          2013414 ET POLICY Executable served from Amazon S3
          2013458 ET POLICY Facebook Like Button Clicked (1)
          2013459 ET POLICY Facebook Like Button Clicked (2)
          2013503 ET POLICY OS X Software Update Request Outbound
          2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
          2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
          2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
          2014313 ET POLICY Executable Download From DropBox
          2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
          2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
          2017015 ET POLICY DropBox User Content Access over SSL
          2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
          2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
          2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
          2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
          2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
          2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
          2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
          2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
          2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
          2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
          2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
          2001328 ET POLICY SSN Detected in Clear Text (dashed)
          2001384 ET POLICY SSN Detected in Clear Text (spaced)
          2007971 ET POLICY SSN Detected in Clear Text (SSN )
          2007972 ET POLICY SSN Detected in Clear Text (SSN# )
          2011854 ET POLICY Java JAR file download
          2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets  <<<<<<<< handled by ticking block bogon networks in interface settings
          2002752 ET POLICY Reserved Internal IP Traffic    <<<<<<<<<<<<< handled by ticking block private networks in interface settings
          2000418 ET POLICY Executable and linking format (ELF) file download
          2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
          2016877 ET POLICY Unsupported/Fake FireFox Version 2.
          2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
          2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
          2013255 ET POLICY Majestic12 User-Agent Request Inbound
          2014726 ET POLICY Outdated Windows Flash Version IE
          2012911 ET POLICY URL Contains password Parameter
          2011085 ET POLICY HTTP Redirect to IPv4 Address
          2009303 ET POLICY MediaFire file download service access

          DISABLED:150

          emerging-pop3 > ---

          DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS

          DO NOT USE! > emerging-rbn > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS

          emerging-rpc > ---

          emerging-scada > all

          DISABLED:0

          emerging-scan > all except
          2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
          2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
          2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
          2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
          2011367 ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN)

          DISABLED:5

          emerging-shellcode > all except
          2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
          2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
          2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
          2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
          2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
          2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
          2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String

          DISABLED:7

          emerging-smtp > all

          DISABLED:0

          emerging-snmp > all

          DISABLED:0

          emerging-sql > all

          DISABLED:0

          emerging-telnet > all

          DISABLED:0

          emerging-tftp > all

          DISABLED:0

          DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p

          emerging-trojan > all except:
          2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
          2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
          2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
          2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
          2001046 ET TROJAN UPX compressed file download possible malware

          DISABLED:5

          emerging-user_agents > all except:
          2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

          DISABLED:1

          emerging-voip > all

          DISABLED:0

          emerging-web_client > all except
          2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
          2011507 ET WEB_CLIENT PDF With Embedded File
          2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
          2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
          2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
          2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
          2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
          2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
          2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
          2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
          2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
          2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
          2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt

          DISABLED:13

          emerging-web_server > all except
          2003099 ET WEB_SERVER Poison Null Byte
          2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
          2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
          2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
          2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
          2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)

          DISABLED:5

          emerging-web_specific_apps > all except:
          2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
          2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
          2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
          2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
          2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt

          DISABLED:5

          emerging-worm > all

          DISABLED:0

          GPLv2 community rules > all except
          254 DNS SPOOF query response with TTL of 1 min. and no authority
          384 PROTOCOL-ICMP PING
          385 PROTOCOL-ICMP traceroute
          399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
          402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
          408 PROTOCOL-ICMP Echo Reply
          540 POLICY-SOCIAL Microsoft MSN message
          648 INDICATOR-SHELLCODE x86 NOOP
          649 INDICATOR-SHELLCODE x86 setgid 0
          1200 INDICATOR-COMPROMISE Invalid URL
          1201 INDICATOR-COMPROMISE 403 Forbidden
          1292 INDICATOR-COMPROMISE directory listing
          1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
          1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
          1437 FILE-IDENTIFY Microsoft Windows Media download detected
          1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
          1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
          1852 SERVER-WEBAPP robots.txt access
          1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
          1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
          1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
          1990 POLICY-SOCIAL Microsoft MSN user search
          1991 POLICY-SOCIAL Microsoft MSN login attempt
          2180 PUA-P2P BitTorrent announce request
          2181 PUA-P2P BitTorrent transfer
          2707 FILE-IMAGE JPEG parser multipacket heap overflow
          3463 SERVER-WEBAPP awstats access
          25518 OS-OTHER Apple iPod User-Agent detected
          25519 OS-OTHER Apple iPad User-Agent detected
          25520 OS-OTHER Apple iPhone User-Agent detected
          25521 OS-OTHER Android User-Agent detected
          25522 OS-OTHER Nokia User-Agent detected
          25523 OS-OTHER Samsung User-Agent detected
          25524 OS-OTHER Kindle User-Agent detected
          25525 OS-OTHER Nintendo User-Agent detected
          2417 PROTOCOL-FTP format string attempt
          1377 PROTOCOL-FTP wu-ftp bad file completion attempt
          1378 PROTOCOL-FTP wu-ftp bad file completion attempt

          DISABLED:38

          IPS Policy - Security > all except
          19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
          18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
          16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
          25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
          16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
          15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
          15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
          13360 APP-DETECT failed FTP login attempt
          23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
          14772 WEB-CLIENT libpng malformed chunk denial of service attempt
          29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt
          27948 FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt
          17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1

          DISABLED:13

          preprocessor.rules > all except (first_column:second_column details)
          119:2 HI_CLIENT_DOUBLE_DECODE
          119:4 HI_CLIENT_BARE_BYTE
          119:7 HI_CLIENT_IIS_UNICODE
          119:14 HI_CLIENT_NON_RFC_CHAR
          119:31 HI_CLIENT_UNKNOWN_METHOD
          119:32 HI_CLIENT_SIMPLE_REQUEST
          120:2 HI_SERVER_INVALID_STATCODE
          120:3 HI_SERVER_NO_CONTLEN
          120:4 HI_SERVER_UTF_NORM_FAIL
          120:6 HI_SERVER_DECOMPR_FAILED
          120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
          120:9 HI_SERVER_JS_OBFUSCATION_EXCD
          120:10 HI_SERVER_JS_EXCESS_WS
          122:1 PSNG_TCP_PORTSCAN
          122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
          122:17 PSNG_UDP_PORTSCAN
          122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
          124:3 SMTP_RESPONSE_OVERFLOW
          124:10 SMTP_B64_DECODING_FAILED
          125:1 FTPP_FTP_TELNET_CMD
          125:2 FTPP_FTP_INVALID_CMD
          125:7 FTPP_FTP_ENCRYPTED
          125:9 FTPP_FTP_EVASIVE_TELNET_CMD
          137:1 SSL_INVALID_CLIENT_HELLO
          141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
          141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
          145:2 DNP3_DROPPED_FRAME
          DISABLED>>>27

          DO NOT USE! > sensitive-data.rules > NONE enabled

          Suppression list:

          #GLOBAL

          gen_id 1

          suppress gen_id 1, sig_id 536
          suppress gen_id 1, sig_id 653
          suppress gen_id 1, sig_id 2452
          suppress gen_id 1, sig_id 11192
          suppress gen_id 1, sig_id 15306
          suppress gen_id 1, sig_id 16313
          suppress gen_id 1, sig_id 17458
          suppress gen_id 1, sig_id 20583
          suppress gen_id 1, sig_id 2000334
          suppress gen_id 1, sig_id 2008120
          suppress gen_id 1, sig_id 2010516
          suppress gen_id 1, sig_id 20122758
          suppress gen_id 1, sig_id 2014518
          suppress gen_id 1, sig_id 2014520
          suppress gen_id 1, sig_id 2100366
          suppress gen_id 1, sig_id 2100368
          suppress gen_id 1, sig_id 2100651
          suppress gen_id 1, sig_id 2101390
          suppress gen_id 1, sig_id 2101424
          suppress gen_id 1, sig_id 2102314
          suppress gen_id 1, sig_id 2103134
          suppress gen_id 1, sig_id 2500056
          suppress gen_id 1, sig_id 100000230
          suppress gen_id 3, sig_id 14772
          #(IMAP) Unknown IMAP4 command
          suppress gen_id 141, sig_id 1

          1 Reply Last reply Reply Quote 0
          • C
            cogumel0
            last edited by Mar 28, 2014, 4:22 PM

            Hi jflsakfja,

            Quite like your idea of disabling the rule rather than adding suppresses.

            However, if you have the time, I think it would be nice to separate things into categories.

            e.g., things "everyone" is likely to want, things required for Facebook, things required for GMail, things required for Skype, things required for downloading files, etc etc.

            Using a real scenario as an example, I want Skype to be allowed. I currently have my rules set only to log and thought I had previously allowed all Skype related rules. Today after a Skype call I came back to see hundreds of alerts for:

            1:2007637 ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack
            1:2007635 ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack

            (This might be something you want to add to your exception list).

            Both alerts started exactly when my Skype call started and ended exactly when my Skype call ended. This rule is only triggered by SkypeOut calls (calls from Skype to physical numbers, not Skype-to-Skype calls). SkypeOut uses port 12340, which is exactly the port that traffic was coming in on when these rules got triggered.

            Just looking at the description of the rule, I would say that anything with the name "TROJAN" on it should definitely be blocked, and if someone tells me I should unblock it without justifying it I would just leave it blocked until the alerts show me a genuine reason to unblock it. Having a list that says this is related to Skype and without it Skype will not work will give me enough confidence to enable it without needing to test it myself. It also means I then know that if I want to enable Skype I have to enable this one too, but I can quite happily leave others still enabled.

            For example, if the following two rules do exactly what their name suggests, I have no need for them since I do not use Microsoft Office Publisher:

            8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
            23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected

            However, if you tell me that iPhone AppStore (crazy example) triggers that rule, I'll quite happily enable it.

            I know there is a massive amount of work involved in assigning every single rule to a category, but if that's done, it will also be a lot easier for the community to later maintain it…

            Just my two cents.

            1 Reply Last reply Reply Quote 0
            • ?
              A Former User
              last edited by Mar 30, 2014, 12:28 PM Mar 30, 2014, 12:24 PM

              Thought about putting a reason for disabling a particular rule next to the rule. Then sat down and thought. If a rule produces false positives, it's not a "I don't use skype (for example) so I'll leave active all rules related to skype that generate false positives" scenario, it's more of a "I don't use skype, but other persons do".
              This particular list is in use at a site that provides internet connectivity to clients, and hosts a couple of servers behind it. If something ends up on my list it's a)the rule should be removed upstream (coughsimple HTTP requestcough) b)client's requirements (stuff they use, I don't use) c)company requirements (stuff nobody but me uses, but causes a false positive). In all cases, the rule is required to be disabled, since nobody wants to get a call at 3am to get up and unblock an IP that was blocked by mistake.

              Personally I would like to see a simple explanation next to the rule for the reason why it's disabled. I would prefer it though if the false positive (or overly-paranoid rules coughsimple HTTP requestcough) get removed upstream. Rules "protecting" from 5 year vulnerabilities in a program shouldn't be used, but instead the program in question should be fixed. Yes there is the chance of a regression in a future update. I'll take my chances with that, instead of dropping connectivity at random due to false positives.
              Until all, each and every single one, of the past,present and future sysadmins, goes to work with an attitude of "I'll check for updates to software in use daily and co-operate with the community on getting bugs fixed" AND developers adopt the versioning scheme I suggested on a debian list a while back (only 2 versions for programs: stable and testing) then all kinds of these lists will be needed to "watch after" other people's mess.

              Let's take your example, for example (no pun intended). Those two rules caused an alert for something they should not produce. What the entire community is faced with is a simple choice:
              A) update the rule and fix it. If detection for that particular worm is not possible without using an NSA dragnet approach (all traffic to that port,not allowed) then that rule should be removed.
              B) leave the rule as is, and instead put additional effort into maintaining a copy of "This rule should be disabled because it's causing a false positive when you use skype".

              I'll take option A.

              Let's take my example now. SYN (first step to establishing a connection) traffic destined for an HTTP port, directed to a non-HTTP server. In my case, that particular rule is a "WTF?!? traffic directed at a web server is trying to get to a client's computer" type of reaction. This particular rule cannot produce a false positive. The reason is actually in the use case for the rule. HTTP traffic, NOT directed to a webserver. This rule detects attempts to find a webserver faster than all those rules related to detecting this (snort/ET). The reason is simple. There are times you can use a not needed traffic approach. There are other times though that using that approach, could lead to false positives. What if another sysadmin adds a webserver using a client's IP (theoretical scenario, play along)? In that case the system will still see that traffic is trying to get to a client's pc, but block it. It's still NOT a false positive though, since I know that that address block shouldn't have servers in it. It's the sysadmin's responsibility of notifying me to get the IP added to the webservers' list, and my responsibility of adding it. It's not the sysadmin's responsibility of going in and disabling a rule because my rule needs updating. Hope it makes sense.

              PS.
              Re-read the post and saw that I got carried away. Summary: yes, explanations would be nice, people actually doing what they are supposed to do would be nicer.

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by Mar 31, 2014, 2:19 AM Mar 30, 2014, 10:45 PM

                You guys using pfBlocker may be interested in the upcoming Snort package update.  It will include support for Snort's IP Reputation preprocessor.  This is a high-speed preprocessor that is the first link in the Snort traffic inspection train (when enabled).  It can use one or more plain text files of IP addresses or CIDR-notation networks that it should block outright.  Traffic is matched on a simple IP and not using the complex regex engines and stuff the text rules use.  This means the inspection is quick and efficient.

                Here is my personal take on this new Snort blacklist approach versus the pfBlocker approach.  Both eventually produce the same result:  offender IPs blocked.  The difference in my opinion is how they get there.  pfBlocker is a sort of shotgun approach where you load your firewall up with all the potential bad-guy addresses.  This can potentially waste lots of memory and packet filter resources protecting against an army of IP addresses when maybe only 50 or 60 of them may actually ever hit your firewall (just an example; busier or high-value networks probably see more bad actor IPs than that).  At any rate, it seems more efficient in terms of resources in my view to let Snort sit there with a blacklist and only fill your firewall block tables with those blacklisted IPs that actually hit your box.

                The new Snort package will have a new top-level tab for managing IP Lists used by the new preprocessor, and then a new IP REP tab for each interface where you will assign the blacklist and/or whitelist for the interface and adjust other settings.  Some screenshots are attached below.

                Bill

                SnortIPLists.png
                SnortIPLists.png_thumb
                SnortIPReputationPreproc.png
                SnortIPReputationPreproc.png_thumb

                1 Reply Last reply Reply Quote 0
                • C
                  cogumel0
                  last edited by Mar 31, 2014, 12:04 AM

                  @jflsakfja:

                  Thought about putting a reason for disabling a particular rule next to the rule. Then sat down and thought. If a rule produces false positives, it's not a "I don't use skype (for example) so I'll leave active all rules related to skype that generate false positives" scenario, it's more of a "I don't use skype, but other persons do".
                  This particular list is in use at a site that provides internet connectivity to clients, and hosts a couple of servers behind it. If something ends up on my list it's a)the rule should be removed upstream (coughsimple HTTP requestcough) b)client's requirements (stuff they use, I don't use) c)company requirements (stuff nobody but me uses, but causes a false positive). In all cases, the rule is required to be disabled, since nobody wants to get a call at 3am to get up and unblock an IP that was blocked by mistake.

                  Personally I would like to see a simple explanation next to the rule for the reason why it's disabled. I would prefer it though if the false positive (or overly-paranoid rules coughsimple HTTP requestcough) get removed upstream. Rules "protecting" from 5 year vulnerabilities in a program shouldn't be used, but instead the program in question should be fixed. Yes there is the chance of a regression in a future update. I'll take my chances with that, instead of dropping connectivity at random due to false positives.
                  Until all, each and every single one, of the past,present and future sysadmins, goes to work with an attitude of "I'll check for updates to software in use daily and co-operate with the community on getting bugs fixed" AND developers adopt the versioning scheme I suggested on a debian list a while back (only 2 versions for programs: stable and testing) then all kinds of these lists will be needed to "watch after" other people's mess.

                  Let's take your example, for example (no pun intended). Those two rules caused an alert for something they should not produce. What the entire community is faced with is a simple choice:
                  A) update the rule and fix it. If detection for that particular worm is not possible without using an NSA dragnet approach (all traffic to that port,not allowed) then that rule should be removed.
                  B) leave the rule as is, and instead put additional effort into maintaining a copy of "This rule should be disabled because it's causing a false positive when you use skype".

                  I'll take option A.

                  Let's take my example now. SYN (first step to establishing a connection) traffic destined for an HTTP port, directed to a non-HTTP server. In my case, that particular rule is a "WTF?!? traffic directed at a web server is trying to get to a client's computer" type of reaction. This particular rule cannot produce a false positive. The reason is actually in the use case for the rule. HTTP traffic, NOT directed to a webserver. This rule detects attempts to find a webserver faster than all those rules related to detecting this (snort/ET). The reason is simple. There are times you can use a not needed traffic approach. There are other times though that using that approach, could lead to false positives. What if another sysadmin adds a webserver using a client's IP (theoretical scenario, play along)? In that case the system will still see that traffic is trying to get to a client's pc, but block it. It's still NOT a false positive though, since I know that that address block shouldn't have servers in it. It's the sysadmin's responsibility of notifying me to get the IP added to the webservers' list, and my responsibility of adding it. It's not the sysadmin's responsibility of going in and disabling a rule because my rule needs updating. Hope it makes sense.

                  PS.
                  Re-read the post and saw that I got carried away. Summary: yes, explanations would be nice, people actually doing what they are supposed to do would be nicer.

                  Umm, it does sound like you got slightly carried away, but I understand what you mean.

                  However, I would question your logic for not putting reasons next to the disabled rules. You said you didn't do it because if a rule produces false positives it should be disabled, regardless of whether I as a user uses skype or not (as other might).

                  This doesn't take a few things into account though:

                  A) The pfSense environment might be at home, not in a workplace (in which case it would make sense to block as many things as possible to reduce the attack surface - even if that's being overly careful in 99% of the cases)

                  B) Corporate policy says that skype cannot be used.

                  In either of those scenarios, the end result is that the user wants to actively block Skype. Having a list of what rules go with what helps to identify whether this is something that the person setting up pfSense should disable, leave as default or make sure it gets enabled.

                  As for how to resolve the particular rules causing false positives I posted, I completely agree with your way of looking at it: the rule should be fixed, not disabled in an ideal world.

                  However, I would raise the same question about other rules you have disabled on your config, such as:

                  2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
                  2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
                  2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
                  2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)

                  Why are those being disabled rather than fixing the rule?

                  Don't get me wrong, I'm not trying to bust your balls or anything and I really really appreciate what you are doing here, but I think it would be a much better effort if more people could help you with generating a list that actually works and I feel that for that to work we need to have reasons behind why a certain rule is disabled.

                  1 Reply Last reply Reply Quote 0
                  • ?
                    A Former User
                    last edited by Mar 31, 2014, 6:19 PM

                    The conficker rules (if memory serves right) FP on applications using UDP to get data transfered. Those were disabled because they were FPing when using viber (calls if I remember correctly). That was the second time they produced FPs and I decided I don't want to use them anymore. In the past they FPed when downloading torrents (if I remember correctly).

                    Those were disabled because I'm not in the position to get them fixed. Ideally rule developers should be aware of this list and have a closer look at the rules in question. There are several rules that were present on my lists but were later removed upstream (as seen in a couple of my posts, noted as Missing In Action rules). That should confirm that at least something's fishy with those rules.

                    As always, gasoline is sold to be put into your car. Nothing stops you from drinking it, apart from common sense. The same applies here. If you see a rule for skype, and you don't want to or can't use skype, then don't bother with it until it produces a genuine FP for you.

                    With that said, I'll try to put a reason next to a rule that is disabled from now on. Would appreciate some help with the already existing list.

                    1 Reply Last reply Reply Quote 0
                    • D
                      digdug3
                      last edited by Apr 1, 2014, 12:42 PM

                      @bmeeks:

                      You guys using pfBlocker may be interested in the upcoming Snort package update.  It will … ... other settings.  Some screenshots are attached below.

                      Bill

                      This is great!  ;D

                      If you could add .gz and .csv files than it can replace pfBlocker.
                      Will a blocked ip be listed in the Snort Widget? And will this option also be available in the final Suricata package?

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by Apr 1, 2014, 7:16 PM Apr 1, 2014, 7:14 PM

                        @digdug3:

                        @bmeeks:

                        You guys using pfBlocker may be interested in the upcoming Snort package update.  It will … ... other settings.  Some screenshots are attached below.

                        Bill

                        This is great!  ;D

                        If you could add .gz and .csv files than it can replace pfBlocker.
                        Will a blocked ip be listed in the Snort Widget? And will this option also be available in the final Suricata package?

                        Yes on displaying blocks in the Widget (and I've fixed the Snort Widget so it updates correctly and also absorbed it into the base Snort package, so when you install the next update it will silently absorb previous widget settings and then remove the separate widget package).

                        Snort itself can only take text files.  This is not a package limitation but rather a limitation of the binary itself.

                        And finally, yes, this is coming to Suricata. I'm holding off a bit because Suricata has more options in this area and I think one of the major Suricata backers in the industry is working on their own IP reputation lists custom-tailored for Suricata's abilities.  They have offered to let me have a sample for testing and implementing in the Suricata package.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • T
                          t3rmin
                          last edited by Apr 2, 2014, 5:45 PM

                          @bmeeks:

                          You guys using pfBlocker may be interested in the upcoming Snort package update.  It will include support for Snort's IP Reputation preprocessor.  This is a high-speed preprocessor that is the first link in the Snort traffic inspection train (when enabled).  It can use one or more plain text files of IP addresses or CIDR-notation networks that it should block outright.  Traffic is matched on a simple IP and not using the complex regex engines and stuff the text rules use.  This means the inspection is quick and efficient.

                          Very cool! Any thoughts on auto-update for the IP lists? ie: Give it a URL to fetch the IP list from periodically, like with pfBlocker.

                          1 Reply Last reply Reply Quote 0
                          • BBcan177B
                            BBcan177 Moderator
                            last edited by Apr 2, 2014, 6:35 PM

                            I believe that to enter the blocklists into the Snort IP Reputation processor, you will have to do this manually.

                            Another option is to have a script that copies the pfBlocker text files into the appropriate snort folder after each pfBlocker update.

                            I have been working on a script that downloads all of the Blacklists, along with .csv and web scrapping methods. It also removes duplication addresses from all of the lists.

                            It reduces the list by approx 50%. This works in tandem with pfBlocker. I just map pfBlocker to use local files instead.

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks
                              last edited by Apr 2, 2014, 8:51 PM

                              @BBcan17:

                              I believe that to enter the blocklists into the Snort IP Reputation processor, you will have to do this manually.

                              Another option is to have a script that copies the pfBlocker text files into the appropriate snort folder after each pfBlocker update.

                              I have been working on a script that downloads all of the Blacklists, along with .csv and web scrapping methods. It also removes duplication addresses from all of the lists.

                              It reduces the list by approx 50%. This works in tandem with pfBlocker. I just map pfBlocker to use local files instead.

                              For the first release of this feature, it is true that a manual update is required for now.  You can upload a file (or files) or edit an existing list.  There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall.  That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line.  When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.

                              Bill

                              1 Reply Last reply Reply Quote 0
                              • A
                                adam65535
                                last edited by Apr 2, 2014, 10:10 PM Apr 2, 2014, 10:09 PM

                                Does anyone know https alternative urls for the block lists?  The block lists could be modified by man-in-the-middle attacks upstream.  While I doubt someone would spend the time messing with the data just to get you to block more sites… it just makes sense to protect the lists.

                                I tried just changing the url to https but then noticed the hostname on the certificate was different.  Changing that results in a file not found.  I am surprised that they are not protected by SSL coming from security sites.  Any external file pulled via http into the firewall  that changes firewall behavior should be protected by SSL IMHO.

                                http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

                                https://doc.emergingthreatspro.com/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

                                1 Reply Last reply Reply Quote 0
                                • BBcan177B
                                  BBcan177 Moderator
                                  last edited by Apr 2, 2014, 10:13 PM

                                  Emerging Threats is not updating that list anymore…

                                  I agree that these lists should all be HTTPS.

                                  "Experience is something you don't get until just after you need it."

                                  Website: http://pfBlockerNG.com
                                  Twitter: @BBcan177  #pfBlockerNG
                                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                  1 Reply Last reply Reply Quote 0
                                  • BBcan177B
                                    BBcan177 Moderator
                                    last edited by Apr 3, 2014, 2:32 AM

                                    @bmeeks:

                                    There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall.  That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line.  When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.

                                    Bill

                                    Hi Bill,

                                    Is this what you mean about the "SIGHUP" command?

                                    pgrep snort            (To collect pid)
                                    kill -SIGHUP <pid>(repeat per interface)

                                    2.9.2 Reloading a configuration

                                    First modify your snort.conf (the file passed to the -c option on the command line).
                                    Then, to initiate a reload, send Snort a SIGHUP signal, e.g.

                                    $ kill -SIGHUP <snort pid="">Note:  If reload support is not enabled, Snort will restart (as it always has) upon receipt of a SIGHUP.

                                    Note:  An invalid configuration will still result in a fatal error, so you should test your new configuration before issuing a reload, e.g. $ snort -c snort.conf -T</snort></pid>

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks
                                      last edited by Apr 3, 2014, 1:03 PM

                                      @BBcan17:

                                      @bmeeks:

                                      There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall.  That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line.  When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.

                                      Bill

                                      Hi Bill,

                                      Is this what you mean about the "SIGHUP" command?

                                      pgrep snort            (To collect pid)
                                      kill -SIGHUP <pid>(repeat per interface)</pid>

                                      Yep, those shell commands will soft-restart Snort.  Each Snort instance has its own PID file and you can find them all in /var/run as files named with the interface physical name and a UUID.

                                      My suggestion, if you want to do this via a shell script, is to grab all the Snort PID files in /var/run (they all start with "snort_" in the name) and then iterate through the collection reading the PID from a file and then sending the SIGHUP.  This way you could be more specific and only restart certain interfaces.  If you want to restart them all (or you have only one in the first place), then a simple```
                                      pkill -HUP snort

                                      1 Reply Last reply Reply Quote 0
                                      • T
                                        t3rmin
                                        last edited by Apr 9, 2014, 5:26 PM

                                        @bmeeks:

                                        @BBcan17:

                                        I believe that to enter the blocklists into the Snort IP Reputation processor, you will have to do this manually.

                                        Another option is to have a script that copies the pfBlocker text files into the appropriate snort folder after each pfBlocker update.

                                        I have been working on a script that downloads all of the Blacklists, along with .csv and web scrapping methods. It also removes duplication addresses from all of the lists.

                                        It reduces the list by approx 50%. This works in tandem with pfBlocker. I just map pfBlocker to use local files instead.

                                        For the first release of this feature, it is true that a manual update is required for now.  You can upload a file (or files) or edit an existing list.  There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall.  That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line.  When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.

                                        Bill

                                        I installed the new Snort package and it looks like you're pulling the compromised IPs .txt file from ETPro automatically during rules updates. Very cool!  8)

                                        1 Reply Last reply Reply Quote 0
                                        • Z
                                          zonian18
                                          last edited by Apr 13, 2014, 7:59 PM

                                          @jflsakfja:

                                          emerging-web_client > all except
                                          2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
                                          2011507 ET WEB_CLIENT PDF With Embedded File
                                          2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
                                          2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
                                          2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
                                          2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
                                          2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
                                          2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
                                          2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
                                          2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
                                          2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
                                          2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
                                          2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt

                                          DISABLED:13

                                          FYI the following being enabled kept the WAN interface from turning on.
                                          It will show enabled, but it will have that red X next to it and it refused to start.
                                          After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list)

                                          2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt

                                          If I disable that, then the WAN interface is able to show the green play button (running) without issue.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received