RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker
-
Does anyone know https alternative urls for the block lists? The block lists could be modified by man-in-the-middle attacks upstream. While I doubt someone would spend the time messing with the data just to get you to block more sites… it just makes sense to protect the lists.
I tried just changing the url to https but then noticed the hostname on the certificate was different. Changing that results in a file not found. I am surprised that they are not protected by SSL coming from security sites. Any external file pulled via http into the firewall that changes firewall behavior should be protected by SSL IMHO.
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
https://doc.emergingthreatspro.com/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
-
Emerging Threats is not updating that list anymore…
I agree that these lists should all be HTTPS.
-
There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall. That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line. When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.
Bill
Hi Bill,
Is this what you mean about the "SIGHUP" command?
pgrep snort (To collect pid)
kill -SIGHUP <pid>(repeat per interface)2.9.2 Reloading a configuration
First modify your snort.conf (the file passed to the -c option on the command line).
Then, to initiate a reload, send Snort a SIGHUP signal, e.g.$ kill -SIGHUP <snort pid="">Note: If reload support is not enabled, Snort will restart (as it always has) upon receipt of a SIGHUP.
Note: An invalid configuration will still result in a fatal error, so you should test your new configuration before issuing a reload, e.g. $ snort -c snort.conf -T</snort></pid>
-
@BBcan17:
There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall. That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line. When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.
Bill
Hi Bill,
Is this what you mean about the "SIGHUP" command?
pgrep snort (To collect pid)
kill -SIGHUP <pid>(repeat per interface)</pid>Yep, those shell commands will soft-restart Snort. Each Snort instance has its own PID file and you can find them all in /var/run as files named with the interface physical name and a UUID.
My suggestion, if you want to do this via a shell script, is to grab all the Snort PID files in /var/run (they all start with "snort_" in the name) and then iterate through the collection reading the PID from a file and then sending the SIGHUP. This way you could be more specific and only restart certain interfaces. If you want to restart them all (or you have only one in the first place), then a simple```
pkill -HUP snort -
@BBcan17:
I believe that to enter the blocklists into the Snort IP Reputation processor, you will have to do this manually.
Another option is to have a script that copies the pfBlocker text files into the appropriate snort folder after each pfBlocker update.
I have been working on a script that downloads all of the Blacklists, along with .csv and web scrapping methods. It also removes duplication addresses from all of the lists.
It reduces the list by approx 50%. This works in tandem with pfBlocker. I just map pfBlocker to use local files instead.
For the first release of this feature, it is true that a manual update is required for now. You can upload a file (or files) or edit an existing list. There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall. That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line. When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.
Bill
I installed the new Snort package and it looks like you're pulling the compromised IPs .txt file from ETPro automatically during rules updates. Very cool! 8)
-
@jflsakfja:
emerging-web_client > all except
2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
2011507 ET WEB_CLIENT PDF With Embedded File
2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure AttemptDISABLED:13
FYI the following being enabled kept the WAN interface from turning on.
It will show enabled, but it will have that red X next to it and it refused to start.
After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list)2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt
If I disable that, then the WAN interface is able to show the green play button (running) without issue.
-
@jflsakfja:
emerging-web_client > all except
2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
2011507 ET WEB_CLIENT PDF With Embedded File
2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure AttemptDISABLED:13
FYI the following being enabled kept the WAN interface from turning on.
It will show enabled, but it will have that red X next to it and it refused to start.
After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list)2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt
If I disable that, then the WAN interface is able to show the green play button (running) without issue.
Yes, there is apparently an issue with that specific rule in the ET OPEN rule set package. I think it throws an error when Snort's pcre (Perl-compatible regular expression) engine tries to decode the content part of the rule. This is an error the ET OPEN rule authors will need to fix. It is a not something directly related to the Snort package.
Bill
-
I installed the new Snort package and it looks like you're pulling the compromised IPs .txt file from ETPro automatically during rules updates. Very cool! 8)
Yes, since the file is there in the ET OPEN and ET PRO rules packages, the new code for the IP Reputation preprocessor grabs and stores it for use if enabled by the user.
Bill
-
IMPORTANT!!!
I'm in the middle of transitioning to a different blacklist management, but for now the pfblocker lists will remain here since I don't have the time to update that part of the guide. Thanks to BBcan17 for his help with the blacklists.
This update brings a couple dozen no longer needed rules, and I have now started adding an explanation of why I deleted a certain rule next to it, after <<<
Enjoy.
In tab "Rules", under "Category" select: (--- means blank table at time of writing) Auto-Flowbit rules > all except: 8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected 23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected >>>DISABLED:2 emerging-activex > all >>>DISABLED:0 emerging-attack_responses > all >>>DISABLED:0 DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt <<< CARE!!! a lot of IRC servers are listed here. Try it first, an IRC network that you need to work, doesn't, then remove it. emerging-chat > all except: 2010784 ET CHAT Facebook Chat (send message) 2010785 ET CHAT Facebook Chat (buddy list) 2010786 ET CHAT Facebook Chat (settings) 2010819 ET CHAT Facebook Chat using XMPP 2002327 ET CHAT Google Talk (Jabber) Client Login 2002334 ET CHAT Google IM traffic Jabber client sign-on 2001241 ET CHAT MSN file transfer request 2001242 ET CHAT MSN file transfer accept 2001243 ET CHAT MSN file transfer reject 2001682 ET CHAT MSN IM Poll via HTTP 2002192 ET CHAT MSN status change 2008289 ET CHAT Possible MSN Messenger File Transfer 2009375 ET CHAT General MSN Chat Activity 2009376 ET CHAT MSN User-Agent Activity 2001595 ET CHAT Skype VOIP Checking Version (Startup) 2002157 ET CHAT Skype User-Agent detected 2003022 ET CHAT Skype Bootstrap Node (udp) 2000355 ET CHAT IRC authorization message [stops IRC from working] 2002024 ET CHAT IRC NICK command [stops IRC from working] 2002028 ET CHAT IRC PONG response [stops IRC from working] 2002025 ET CHAT IRC JOIN command [stops IRC from working] 2002026 ET CHAT IRC PRIVMSG command [stops IRC from working] >>DISABLED:22 DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt emerging-current_events > all >>>DISABLED:0 emerging-deleted > --- emerging-dns > all except: 2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt 2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups 2001117 ET DNS Standard query response, Name Error >>>DISABLED:3 emerging-dos > all >>>DISABLED:0 DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p DO NOT USE! > emerging-dshield > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt emerging-exploit > all except: 2001058 ET EXPLOIT libpng tRNS overflow attempt 2002913 ET EXPLOIT VNC Client response 2002914 ET EXPLOIT VNC Server VNC Auth Offer 2002919 ET EXPLOIT VNC Good Authentication Reply 2002915 ET EXPLOIT VNC Authentication Reply 2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1 2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3 >>>DISABLED:7 emerging-ftp > all 2010731 ET FTP FTP CWD command attempt without login >>>DISABLED:1 emerging-games > all >>>DISABLED:0 emerging-icmp > --- emerging-icmp_info > --- emerging-imap > --- emerging-inappropriate > all except: 2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off 2001608 ET INAPPROPRIATE Likely Porn >>>DISABLED:2 emerging-info > all except: 2014472 ET INFO JAVA - Java Archive Download 2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client 2014819 ET INFO Packed Executable Download 2015016 ET INFO FTP STOR to External Network 2015561 ET INFO PDF Using CCITTFax Filter 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) 2016360 ET INFO JAVA - ClassID 2016361 ET INFO JAVA - ClassID 2016404 ET INFO MPEG Download Over HTTP (1) 2015674 ET INFO 3XX redirect to data URL 2016847 ET INFO Possible Chrome Plugin install 2017669 ET INFO Zip File >>>DISABLED:12 emerging-malware > all except: 2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File 2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related 2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related >>>DISABLED:3 emerging-misc > all >>>DISABLED:0 emerging-mobile_malware > all except: 2012251 ET MOBILE_MALWARE Google Android Device HTTP Request 2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI >>>DISABLED:2 emerging-netbios > all >>>DISABLED:0 emerging-p2p > all except: 2000369 ET P2P BitTorrent Announce 2007727 ET P2P possible torrent download 2008581 ET P2P BitTorrent DHT ping request 2008583 ET P2P BitTorrent DHT nodes reply 2008585 ET P2P BitTorrent DHT announce_peers request 2010144 ET P2P Vuze BT UDP Connection (5) 2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x) 2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts 2014734 ET P2P BitTorrent - Torrent File Downloaded 2003317 ET P2P Edonkey Search Request (any type file) 2009971 ET P2P eMule KAD Network Hello Request (2) 2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82) >>>DISABLED:12 emerging-policy > all except: 2000419 ET POLICY PE EXE or DLL Windows file download 2000428 ET POLICY ZIP file download 2001115 ET POLICY MSI (microsoft installer file) download 2003595 ET POLICY exe download via HTTP - Informational 2001898 ET POLICY eBay Bid Placed 2001907 ET POLICY eBay Placing Item for sale 2001908 ET POLICY eBay View Item 2001909 ET POLICY eBay Watch This Item 2003303 ET POLICY FTP Login Attempt (non-anonymous) 2003410 ET POLICY FTP Login Successful 2003121 ET POLICY docs.google.com Activity 2003597 ET POLICY Google Calendar in Use 2002801 ET POLICY Google Desktop User-Agent Detected 2002838 ET POLICY Google Search Appliance browsing the Internet 2000035 ET POLICY Hotmail Inbox Access 2000036 ET POLICY Hotmail Message Access 2000037 ET POLICY Hotmail Compose Message Access 2000038 ET POLICY Hotmail Compose Message Submit 2000039 ET POLICY Hotmail Compose Message Submit Data 2008238 ET POLICY Hotmail Inbox Access 2008239 ET POLICY Hotmail Message Access 2008240 ET POLICY Hotmail Compose Message Access 2008242 ET POLICY Hotmail Access Full Mode 2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile 2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile 2002330 ET POLICY Google Talk TLS Client Traffic 2002332 ET POLICY Google IM traffic Windows client user sign-on 2002333 ET POLICY Google IM traffic friend invited 2002878 ET POLICY iTunes User Agent 2002722 ET POLICY MP3 File Transfer Outbound 2002723 ET POLICY MP3 File Transfer Inbound 2001114 ET POLICY Mozilla XPI install files download 2001973 ET POLICY SSH Server Banner Detected on Expected Port 2001974 ET POLICY SSH Client Banner Detected on Expected Port 2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port 2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port 2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port 2001978 ET POLICY SSH session in progress on Expected Port 2001979 ET POLICY SSH Server Banner Detected on Unusual Port 2001980 ET POLICY SSH Client Banner Detected on Unusual Port 2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port 2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port 2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port 2001984 ET POLICY SSH session in progress on Unusual Port 2009001 ET POLICY Login Credentials Possibly Passed in URI 2009004 ET POLICY Login Credentials Possibly Passed in POST Data 2003214 ET POLICY Pingdom.com Monitoring detected 2003215 ET POLICY Pingdom.com Monitoring Node Active 2001669 ET POLICY Proxy GET Request 2001670 ET POLICY Proxy HEAD Request 2001674 ET POLICY Proxy POST Request 2001675 ET POLICY Proxy CONNECT Request 2002922 ET POLICY VNC Authentication Successful 2002920 ET POLICY VNC Authentication Failure 2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts 2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts 2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts 2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts 2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts 2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts 2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts 2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts 2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts 2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts 2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts 2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts 2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts 2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS 2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3 2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2 2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3 2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port 2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3 2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port 2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3 2003010 ET POLICY TLS/SSL Server Hello on Unusual Port 2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3 2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port 2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3 2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port 2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3 2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port 2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3 2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port 2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3 2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile 2001449 ET POLICY Proxy Connection detected 2002822 ET POLICY Wget User Agent 2002823 ET POLICY POSSIBLE Web Crawl using Wget 2002824 ET POLICY CURL User Agent 2002934 ET POLICY libwww-perl User Agent 2002828 ET POLICY Googlebot User Agent 2002829 ET POLICY Googlebot Crawl 2002830 ET POLICY Msnbot User Agent 2002831 ET POLICY Msnbot Crawl 2002832 ET POLICY Yahoo Crawler User Agent 2002833 ET POLICY Yahoo Crawler Crawl 2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected 2002948 ET POLICY External Windows Update in Progress 2002949 ET POLICY Windows Update in Progress 2001402 ET POLICY ZIPPED DOC in transit 2001403 ET POLICY ZIPPED XLS in transit 2001404 ET POLICY ZIPPED EXE in transit 2001405 ET POLICY ZIPPED PPT in transit 2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected 2012647 ET POLICY Dropbox.com Offsite File Backup in Use 2012648 ET POLICY Dropbox Client Broadcasting 2013028 ET POLICY curl User-Agent Outbound 2013030 ET POLICY libwww-perl User-Agent 2013031 ET POLICY Python-urllib/ Suspicious User Agent 2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET 2013414 ET POLICY Executable served from Amazon S3 2013458 ET POLICY Facebook Like Button Clicked (1) 2013459 ET POLICY Facebook Like Button Clicked (2) 2013503 ET POLICY OS X Software Update Request Outbound 2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management 2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management 2014297 ET POLICY Vulnerable Java Version 1.7.x Detected 2014313 ET POLICY Executable Download From DropBox 2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1) 2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2) 2017015 ET POLICY DropBox User Content Access over SSL 2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced) 2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed) 2001377 ET POLICY Credit Card Number Detected in Clear (16 digit) 2001378 ET POLICY Credit Card Number Detected in Clear (15 digit) 2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced) 2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed) 2001381 ET POLICY Credit Card Number Detected in Clear (14 digit) 2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced) 2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed) 2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2) 2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2) 2001328 ET POLICY SSN Detected in Clear Text (dashed) 2001384 ET POLICY SSN Detected in Clear Text (spaced) 2007971 ET POLICY SSN Detected in Clear Text (SSN ) 2007972 ET POLICY SSN Detected in Clear Text (SSN# ) 2011854 ET POLICY Java JAR file download 2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets <<<<<<<< handled by ticking block bogon networks in interface settings 2002752 ET POLICY Reserved Internal IP Traffic <<<<<<<<<<<<< handled by ticking block private networks in interface settings 2000418 ET POLICY Executable and linking format (ELF) file download 2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number) 2016877 ET POLICY Unsupported/Fake FireFox Version 2. 2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA) 2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud 2013255 ET POLICY Majestic12 User-Agent Request Inbound 2014726 ET POLICY Outdated Windows Flash Version IE 2012911 ET POLICY URL Contains password Parameter 2011085 ET POLICY HTTP Redirect to IPv4 Address 2009303 ET POLICY MediaFire file download service access 2000356 ET POLICY IRC connection [stops IRC from working, misses a lot of real IRC connections] >>>DISABLED:151 emerging-pop3 > --- DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS DO NOT USE! > emerging-rbn > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS emerging-rpc > --- emerging-scada > all >>>DISABLED:0 emerging-scan > all except 2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack 2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack 2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack 2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack 2011367 ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN) >>>DISABLED:5 emerging-shellcode > all except 2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String 2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String 2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode 2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt 2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a 2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String >>>DISABLED:7 emerging-smtp > all >>>DISABLED:0 emerging-snmp > all >>>DISABLED:0 emerging-sql > all >>>DISABLED:0 emerging-telnet > all >>>DISABLED:0 emerging-tftp > all >>>DISABLED:0 DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p emerging-trojan > all except: 2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) 2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) 2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) 2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) 2001046 ET TROJAN UPX compressed file download possible malware >>>DISABLED:5 emerging-user_agents > all except: 2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan >>>DISABLED:1 emerging-voip > all >>>DISABLED:0 emerging-web_client > all except 2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt 2011507 ET WEB_CLIENT PDF With Embedded File 2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source) 2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service 2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt 2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage 2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String 2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding 2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding 2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding 2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source) 2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt 2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt >>>DISABLED:13 emerging-web_server > all except 2003099 ET WEB_SERVER Poison Null Byte 2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound 2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound 2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-) 2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax) 2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP) >>>DISABLED:5 emerging-web_specific_apps > all except: 2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET) 2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST) 2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET) 2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST) 2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt >>>DISABLED:5 emerging-worm > all >>>DISABLED:0 GPLv2 community rules > all except 254 DNS SPOOF query response with TTL of 1 min. and no authority 384 PROTOCOL-ICMP PING 385 PROTOCOL-ICMP traceroute 399 PROTOCOL-ICMP Destination Unreachable Host Unreachable 402 PROTOCOL-ICMP Destination Unreachable Port Unreachable 408 PROTOCOL-ICMP Echo Reply 540 POLICY-SOCIAL Microsoft MSN message 648 INDICATOR-SHELLCODE x86 NOOP 649 INDICATOR-SHELLCODE x86 setgid 0 1200 INDICATOR-COMPROMISE Invalid URL 1201 INDICATOR-COMPROMISE 403 Forbidden 1292 INDICATOR-COMPROMISE directory listing 1390 INDICATOR-SHELLCODE x86 inc ebx NOOP 1394 INDICATOR-SHELLCODE x86 inc ecx NOOP 1437 FILE-IDENTIFY Microsoft Windows Media download detected 1841 FILE-OTHER Oracle Javascript URL host spoofing attempt 1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt 1852 SERVER-WEBAPP robots.txt access 1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request 1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept 1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected 1990 POLICY-SOCIAL Microsoft MSN user search 1991 POLICY-SOCIAL Microsoft MSN login attempt 2180 PUA-P2P BitTorrent announce request 2181 PUA-P2P BitTorrent transfer 2707 FILE-IMAGE JPEG parser multipacket heap overflow 3463 SERVER-WEBAPP awstats access 25518 OS-OTHER Apple iPod User-Agent detected 25519 OS-OTHER Apple iPad User-Agent detected 25520 OS-OTHER Apple iPhone User-Agent detected 25521 OS-OTHER Android User-Agent detected 25522 OS-OTHER Nokia User-Agent detected 25523 OS-OTHER Samsung User-Agent detected 25524 OS-OTHER Kindle User-Agent detected 25525 OS-OTHER Nintendo User-Agent detected 2417 PROTOCOL-FTP format string attempt 1377 PROTOCOL-FTP wu-ftp bad file completion attempt 1378 PROTOCOL-FTP wu-ftp bad file completion attempt >>>DISABLED:38 IPS Policy - Security > all except 19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt 18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt 16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt 25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious 16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt 15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt 15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt 13360 APP-DETECT failed FTP login attempt 23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt 14772 WEB-CLIENT libpng malformed chunk denial of service attempt 29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt 27948 FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt 17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream. 17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream. 19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream. 19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream. 19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow <<< Affects Firefox v3.5.1-3.6.6. No longer needed, delete upstream. 19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream. 24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream. 21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6. No longer needed, delete upstream. 16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6. No longer needed, delete upstream. 29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0. No longer needed, delete upstream. >>DISABLED:34 preprocessor.rules > all except (first_column:second_column details) 119:2 HI_CLIENT_DOUBLE_DECODE 119:4 HI_CLIENT_BARE_BYTE 119:7 HI_CLIENT_IIS_UNICODE 119:14 HI_CLIENT_NON_RFC_CHAR 119:31 HI_CLIENT_UNKNOWN_METHOD 119:32 HI_CLIENT_SIMPLE_REQUEST 120:2 HI_SERVER_INVALID_STATCODE 120:3 HI_SERVER_NO_CONTLEN 120:4 HI_SERVER_UTF_NORM_FAIL 120:6 HI_SERVER_DECOMPR_FAILED 120:8 HI_CLISRV_MSG_SIZE_EXCEPTION 120:9 HI_SERVER_JS_OBFUSCATION_EXCD 120:10 HI_SERVER_JS_EXCESS_WS 122:1 PSNG_TCP_PORTSCAN 122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN 122:17 PSNG_UDP_PORTSCAN 122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN 124:3 SMTP_RESPONSE_OVERFLOW 124:10 SMTP_B64_DECODING_FAILED 125:1 FTPP_FTP_TELNET_CMD 125:2 FTPP_FTP_INVALID_CMD 125:7 FTPP_FTP_ENCRYPTED 125:9 FTPP_FTP_EVASIVE_TELNET_CMD 137:1 SSL_INVALID_CLIENT_HELLO 141:1 IMAP_UNKNOWN_CMD <<< pending upstream update 141:2 IMAP_UNKNOWN_RESP <<< pending upstream update 145:2 DNP3_DROPPED_FRAME DISABLED>>>27 DO NOT USE! > sensitive-data.rules > NONE enabled Suppression list: #GLOBAL # gen_id 1 suppress gen_id 1, sig_id 536 suppress gen_id 1, sig_id 653 suppress gen_id 1, sig_id 2452 suppress gen_id 1, sig_id 11192 suppress gen_id 1, sig_id 15306 suppress gen_id 1, sig_id 16313 suppress gen_id 1, sig_id 17458 suppress gen_id 1, sig_id 20583 suppress gen_id 1, sig_id 2000334 suppress gen_id 1, sig_id 2008120 suppress gen_id 1, sig_id 2010516 suppress gen_id 1, sig_id 20122758 suppress gen_id 1, sig_id 2014518 suppress gen_id 1, sig_id 2014520 suppress gen_id 1, sig_id 2100366 suppress gen_id 1, sig_id 2100368 suppress gen_id 1, sig_id 2100651 suppress gen_id 1, sig_id 2101390 suppress gen_id 1, sig_id 2101424 suppress gen_id 1, sig_id 2102314 suppress gen_id 1, sig_id 2103134 suppress gen_id 1, sig_id 2500056 suppress gen_id 1, sig_id 100000230 suppress gen_id 3, sig_id 14772 #(IMAP) Unknown IMAP4 command suppress gen_id 141, sig_id 1 pfBlocker extra lists: TYPE LIST txt http://www.spamhaus.org/drop/drop.txt txt http://www.spamhaus.org/drop/edrop.txt
-
Since you have changed the format of how you are posting the updates in this post, is this a repost of the March 15th update or something new?
Rick
-
Since you have changed the format of how you are posting the updates in this post, is this a repost of the March 15th update or something new?
Rick
See quote and rule sample:
@jflsakfja:This update brings a couple dozen no longer needed rules, and I have now started adding an explanation of why I deleted a certain rule next to it, after <<<
17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream. 17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream. 19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream. 19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream. 19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow <<< Affects Firefox v3.5.1-3.6.6. No longer needed, delete upstream. 19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream. 24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream. 21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9. No longer needed, delete upstream. 20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9. No longer needed, delete upstream. 16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6. No longer needed, delete upstream. 16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6. No longer needed, delete upstream. 29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0. No longer needed, delete upstream.
-
I have a quick question about mechanics of what exactly this rule is detecting.
@jflsakfja:
2017015 ET POLICY DropBox User Content Access over SSL
The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).
What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?
Could it be one, or another, or both?
Thank you.
-
@G.D.:
2017015 ET POLICY DropBox User Content Access over SSL
The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).
What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?
Could it be one, or another, or both?
This is the rule
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,from_server; content:"|55 04 03|"; content:"|18|*.dropboxusercontent.com"; nocase; distance:1; within:25; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:6;)
This is the reference URL in the rule https://www.dropbox.com/help/201/en which doesn't say too much.
There is a lot of Crap on AWS. I found the following reference -
"Data uploaded by the Dropbox client software is also encrypted before it is uploaded to Dropbox servers. Dropbox stores files on Amazon's S3 service. The company encrypts files with 256-bit AES before transmitting them to Amazon's servers via an SSL connection. However, Dropbox employees can decrypt these files, as can the Dropbox system."
Maybe posting on the Snort forum would get the right information for this type of question.
-
@G.D.:
I have a quick question about mechanics of what exactly this rule is detecting.
@jflsakfja:
2017015 ET POLICY DropBox User Content Access over SSL
The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).
What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?
Could it be one, or another, or both?
Thank you.
In addition to what user BBcan177 stated and provided above with regards to this alert, my guess is a client computer on your network clicked on a web link that downloads Dropbox content. You do not have to have the Dropbox client installed to download and view someone else's content. I don't have Dropbox on my LAN, but my family has sent me links to photos hosted on their Dropbox accounts. So my bet is one of your LAN users clicked a link in an e-mail or even a web page that then connects via https:// to Dropbox to grab the content. The Snort rule is simply alerting on that action.
Bill
-
Thank you for the explanation. I appreciate it. It seems somewhat counter-intuitive to me that Snort would ignore the outgoing request for the prohibited resource, and only catch it on the way back, when the remote server starts transmitting to the local port.
I have much to learn about Snort.
-
Warning: This post may contain rage directed at the snort/suricata rule writers. It does NOT contain rage directed at any of the poor souls trying to make a usable product of the mess that is The Rules.
And rule writers have an order of magnitude more than you to learn about writing rules and/or using snort. (translation-and-a-fact-actually:MOST rule writers have no idea what a rule is and what a rule does)
Snippet from the upcoming blueprint for suricata:
2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected <<< so WTF is windows 7 then???Since nobody on the entire internet reads this topic, that brutal FP rule will never be corrected. Trillions upon quadrillions of man hours will be wasted to disable that rule, after thousands upon thousands of debates on whether Windows 7 is version 7 or version 6 (hint:it's 6.1 and the rule fires up after a clean install's first time updates).
The Golden Standards for Rule Writing
- Rules should detect what they are designed to detect (most rules actually do this)
- A rule to detect a successful ftp login is not only idiotic, it's an insult of my intelligence. Applies to apt-get rule as well.
- A rule set up on an abacus then carried over to snort should REALLY be dropped. No arguments, no what-ifs, no think-of-the-children, no terrorism (includes cyberterrorism). Just build up the courage and delete old rules already. Nobody needs them.
Most rules meet only point 1. There are exceptions of course.
I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.Note to those that say "ZOMG!!!oneeleven WHAT ABOUT DETECTING WINDOWS 7 WHEN YOU ARE ON AN ALL LINUX NETWORK????".
- THERE IS NOTHING SUSPICIOUS ABOUT A VALID WINDOWS RELEASE! (other than the three-letter-agencies backdoors of course)
- If you don't know what os each host runs, please consider a career change.
- If a host whose OS you don't know managed to get on "The Internet", then you have bigger problems. Please see 2.
-
@jflsakfja:
I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.
First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system
I don't know that this is a question or just a curiosity… what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality. At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself. Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?
To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability. My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.
Rick
-
@G.D.:
Thank you for the explanation. I appreciate it. It seems somewhat counter-intuitive to me that Snort would ignore the outgoing request for the prohibited resource, and only catch it on the way back, when the remote server starts transmitting to the local port.
I have much to learn about Snort.
The outgoing request from your LAN client may well not contain all the "triggers" needed by the rule. Only the data coming back contained everything necessary (and in the right order) to trigger the rule.
Bill
-
@jflsakfja:
I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.
First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system
I don't know that this is a question or just a curiosity… what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality. At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself. Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?
To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability. My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.
Rick
There are (well, actually, "will be") two ways to implement in-line mode in Snort and Suricata. One utilizes ipfw. This is the part of pfSense that today does not fully function in IPS mode. It's also the mode, that even if fixed to work, will still offer very poor performance throughput due to the swaps back and forth between kernel space and user land for packets. The other mechanism that really offers promise is Netmap. This is now part of FreeBSD 10, and I assume (but have not verified) it is in pfSense 2.2. There is a feature request that is currently showing as 50% complete in the Suricata source tree to add a Netmap API module so that Suricata can use it. I'm not sure why the feature is not 100% finished yet.
Back to Snort. Snort's DAQ module that does all the packet acquisition can utilize ipfw on BSD systems to do in-line drops. I have not seen anything about Netmap support in Snort yet, though. Somebody may be contemplating it, but I did not see any links in my initial searches.
So to summarize – the ideal way forward is to use the Netmap support in FreeBSD 10 as the architecture for implementing inline IPS in Suricata (and maybe even Snort). However, we are now in a waiting game while those two upstream source trees fully incorporate Netmap support. In my view, ipfw is probably a lost cause due first to the potential performance issues, and second to the fact it would have to be updated in the pfSense code in order to work correctly.
As to liking Suricata over Snort (or vice-versa), that is really mostly personal preference at this time. Maybe if Suricata gets full Netmap support and Snort does not, then the choice becomes more clear cut.
Bill
-
@jflsakfja:
I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.
First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system
I don't know that this is a question or just a curiosity… what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality. At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself. Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?
To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability. My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.
Rick
Snort inline is dead. Any hope of resurrecting the project (coming from die hard snort fans, companies funneling trillions of $ into snort inline, fanbois, not related passers by) is nothing more than a hope. As an added nail in snort inline's coffin is that pretty much all development for it has stopped when suricata was born, since most (all?) developers (wrt inline) moved over to that project.
Just to put it in plain sight: snort inline is DEAD. Any future posts mentioning snort inline should be accompanied by "R.I.P. snort inline". If you want that functionality, migrate to suricata. As for all the (inevitably) coming [citation needed] posts, I'm not the one saying snort inline is dead, migrate to suricata. It's actually snort inline's site. Here I'll make everybody's life easier: http://snort-inline.sourceforge.net/
Right now the best course forward is to work as much as we can to get suricata fully functional under pfsense. Even if the inline part doesn't get implemented for another 40 years, the foundations will be there when it does. I know this will upset everybody related to snort, but now that cisco has taken over snort, I'm waiting for the announcement that snort will no longer be supported any day now. Maybe tomorrow. Maybe the day after that. Maybe next week. It WILL be here eventually.