Netgate Discussion Forum

    RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker

    pfSense Packages
    171 Posts 26 Posters 186.7k Views
    • bmeeks

      @fearnothing:

      A little help with the snort configuration you suggested on the first page - just how much memory does it need? I threw 4GB at the setup thinking that would be plenty but whenever I try to enable one of the larger groups like ET-trojan.rules or ET-malware.rules, snort turns itself off for that interface.

      Jun 9 16:29:21 	check_reload_status: Syncing firewall
      Jun 9 16:29:21 	php: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: LAN ...
      Jun 9 16:29:23 	php: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: LAN...
      Jun 9 16:29:23 	php: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for LAN...
      Jun 9 16:29:27 	php: /snort/snort_interfaces.php: Toggle (snort starting) for LAN(LAN)...
      Jun 9 16:29:27 	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
      Jun 9 16:29:27 	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
      Jun 9 16:29:27 	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
      Jun 9 16:29:27 	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN ...
      Jun 9 16:29:29 	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN...
      Jun 9 16:29:29 	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for LAN...
      Jun 9 16:29:30 	check_reload_status: Syncing firewall
      Jun 9 16:29:30 	php: /snort/snort_interfaces.php: [Snort] Snort START for LAN(em1)...
      

      And that's the last line - no actual error, just snort no longer running on the interface. Is it memory? If not, what else is going on?

      I found some posts via a Google search on the Snort mailing lists (or maybe it was Google Groups…) about the 2.9.6.0 version gobbling up memory fairly aggressively in higher traffic situations.  This could also happen with lots of rules enabled.  The ET-Trojan and ET-Malware rules groups are a bit large.  There are settings for memory caps for the various preprocessors on the PREPROCESSORS tab.  Adjusting those may help.  It's also not outside the realm of possibility the Snort binary for this version (2.9.6.0) has a hidden bug.  Signal 11 means a SEGFAULT occurred (or in less geeky terms, some piece of code tried to write to or access memory outside of its assigned address space).  At least one other user had some "snort exited on signal 11" messages in their log during rule updates.

      Bill

      • A Former User

        With regards to RAM usage, I've never seen snort go above 40% on a 2GB system set up identical to this topic.

        • fearnothing

          OK some more info here:
          Using the Connectivity ruleset, 17% of 3051MB usage. And that's without most of the EmergingThreats rules.
          Using the Security ruleset, 82%.

          I was amused to see this in my log one of the times it failed…

          Jun 9 19:27:50 	php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 60190 -D -q -l /var/log/snort/snort_em160190 --pid-path /var/run --nolock-pidfile -G 60190 -c /usr/pbi/snort-i386/etc/snort/snort_60190_em1/snort.conf -i em1' returned exit code '255', the output was 'Spawning daemon child... My daemon child 35849 lives... Daemon parent exiting (-1)'
          

          Is there some way to export the config file so you can have a look to see what I might have done wrong?
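
The two failure signatures seen so far in the thread (the `returned exit code '255'` line above and the signal 11 exits bmeeks describes) can be pulled out of an exported system log and tied back to an interface through the daemon child PID. This is an added example, not part of the original posts or the Snort package; `triage` is a hypothetical helper name and the kernel `exited on signal` lines in the sample are constructed.

```python
import re
import shlex

# Constructed sample. The START and "returned exit code" lines follow the log
# format quoted in this thread; the kernel lines are constructed.
SAMPLE_LOG = """\
Jun 9 19:27:49 php: /snort/snort_interfaces.php: [Snort] Snort START for LAN(em1)...
Jun 9 19:27:50 kernel: pid 35849 (snort), uid 0: exited on signal 11
Jun 9 19:27:50 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 60190 -D -q -l /var/log/snort/snort_em160190 --pid-path /var/run --nolock-pidfile -G 60190 -c /usr/pbi/snort-i386/etc/snort/snort_60190_em1/snort.conf -i em1' returned exit code '255', the output was 'Spawning daemon child... My daemon child 35849 lives... Daemon parent exiting (-1)'
Jun 9 19:40:02 kernel: pid 40112 (snort), uid 0: exited on signal 11
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(.*)$")
START = re.compile(r"\[Snort\] Snort START for \w+\((\w+)\)")
FAILED = re.compile(r"The command '(.+?)' returned exit code '(\d+)', "
                    r"the output was '(.*)'")
CHILD = re.compile(r"My daemon child (\d+) lives")
SIGNAL = re.compile(r"pid (\d+) \(snort\).*exited on signal (\d+)")


def triage(log_text):
    """Return (start attempts per interface, list of failure findings)."""
    starts, pid_iface, findings = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, msg = m.groups()
        if (s := START.search(msg)):
            starts[s.group(1)] = starts.get(s.group(1), 0) + 1
        elif (f := FAILED.search(msg)):
            args = shlex.split(f.group(1))
            if not args or not args[0].endswith("/snort"):
                continue
            nxt = dict(zip(args, args[1:]))  # option -> the token after it
            child = CHILD.search(f.group(3))
            pid = int(child.group(1)) if child else None
            if pid is not None:
                pid_iface[pid] = nxt.get("-i")
            findings.append({"time": when, "kind": "start-failed",
                             "iface": nxt.get("-i"), "conf": nxt.get("-c"),
                             "exit": int(f.group(2)), "pid": pid})
        elif (k := SIGNAL.search(msg)):
            findings.append({"time": when, "kind": "signal", "iface": None,
                             "signal": int(k.group(2)), "pid": int(k.group(1))})
    # The kernel line can precede the PHP line that names the child PID, so
    # signals are attributed to an interface only after the whole log is read.
    for item in findings:
        if item["kind"] == "signal":
            item["iface"] = pid_iface.get(item["pid"], "unknown")
    return starts, findings


if __name__ == "__main__":
    starts, findings = triage(SAMPLE_LOG)
    print("start attempts:", starts)
    for item in findings:
        print(item)
```

A signal line whose PID never appears in a `My daemon child ... lives` message is reported with interface `unknown` rather than guessed.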

          • A Former User

            Let me take a wild guess that you are using AC. Use AC-BNFA.

            EDIT: Actually AC-BNFA-NQ

            • fearnothing

              Actually, AC-STD. However I seem to have solved it with the following process:

              • Set the search method to AC-BNFA - this brought memory usage down to 10%
              • Enable the desired rules - memory usage 13%
              • Change search method back to AC-STD - memory usage 14%.
                Voila!
              • A Former User

                And it will choke on the next rule update. Please use AC-BNFA-NQ. AC-BNFA-NQ replaced AC-BNFA, which in turn replaced AC*. Trust me, I was running AC-BNFA-NQ on multiple production networks, and I haven't created a black hole while doing so.

                • bmeeks

                  @jflsakfja:

                  And it will choke on the next rule update. Please use AC-BNFA-NQ. AC-BNFA-NQ replaced AC-BNFA, which in turn replaced AC*. Trust me, I was running AC-BNFA-NQ on multiple production networks, and I haven't created a black hole while doing so.

                  jflsakfja is correct.  AC-BNFA-NQ is the best these days.  Some of the other pattern matchers can gobble memory like crazy.  And Suricata can be worse than Snort in this regard.

                  Bill

                  • BBcan177 Moderator

                    @bmeeks:

                    @jflsakfja:

                    And it will choke on the next rule update. Please use AC-BNFA-NQ. AC-BNFA-NQ replaced AC-BNFA, which in turn replaced AC*. Trust me, I was running AC-BNFA-NQ on multiple production networks, and I haven't created a black hole while doing so.

                    jflsakfja is correct.  AC-BNFA-NQ is the best these days.  Some of the other pattern matchers can gobble memory like crazy.  And Suricata can be worse than Snort in this regard.

                    Bill

                    Not if you have a lot of RAM lol…

                    EDIT:

                    I have been using "AC" on a 32GB box and "AC-SPLIT" on all others.

                    I will try to see if changing the "AC-SPLIT" to "AC-BNFA-NQ" fixes the crashing at rule updates sometimes.

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    • A Former User

                      AC-BNFA-NQ.

                      AC-NQ is about 30% more ram efficient than AC-SPLIT, with an increased CPU usage.

                      AC (plain) is like killing a fly with a deathstar. AC-NQ replaced it, as in AC (plain) is now obsolete, you get no added benefits from AC over AC-NQ.

                      The best balance between RAM usage (more interfaces/more rules) and CPU is AC-BNFA-NQ. It's a single dropdown change, and an interface restart. Just try it, it will not bite.

                      On a side note, 32GB RAM is suricata's 10Gbps territory.

                      • BBcan177 Moderator

                        Not that I don't believe you, but it's hard to find some good docs on this. Do you have any links?

                        • A Former User

                          If memory serves right, ac-bnfa-nq is the default if no method is specified. In order to be the default, it's probably the best, unless pushing snort to its limits, which unless you are in multiple-1Gbps territory, is nowhere near close to them.

                          A quick search gives this: http://sourceforge.net/p/snort/mailman/message/27113364/

                          A quick re-read of the entire thread will show that there are persons that think this topic is the absolute best way to set up snort on the entire internet. It might even give the hint to a certain group of people that want to build a statue of me, thinking I'm the messiah or something. A quick search around the forums will show others even going out of their way and lying that an i3 is faster than a p4 for a regular home connection while running snort.

                          If it meant completely tearing down your existing system and rebuilding it from scratch, then I understand the skepticism. As I said, it's a simple dropdown selection. Just try it, if you see that under your use case it chokes, then try another method.

                          • Ramosel

                            @jflsakfja:

                            A quick re-read of the entire thread will show that there are persons that think this topic is the absolute best way to set up snort on the entire internet. It might even give the hint to a certain group of people that want to build a statue of me, thinking I'm the messiah or something. A quick search around the forums will show others even going out of their way and lying that an i3 is faster than a p4 for a regular home connection while running snort.

                            I guess I am one of those people who sing your praise here… on my home system using your methodology and cookbook to get there, I cut my memory usage by more than half and CPU usage rarely comes off idle (AMD Athlon 64 X2 with 4GB).  I'm retired now but I spent enough years in the IT community (I was around before IT was IT) both as a worker bee and GOD that I can spot those who get it... vs. those who really understand it, live it, breathe it.  I also learned not to argue with success until the next bright boy comes up with something better - and I've been on both sides of that coin.  So yeah, I'd chip in a few coins towards your statue... BUT, considering you are still holding out on some of the rules that would be pretty helpful to us home users… we're talking "Winged Victory" here, not "David" (hint, one is missing their head) <wink>

                            Rick

                            • A Former User

                              The upcoming suricata topic will include a long section dedicated to creating suricata rules specific to a network gateway. There is no need to release my custom rules, since it will be explained how to create those rules on your own.

                              If most of the stuff I've written so far is considered short by me, then you'll realize what long means when you see the topic ;)

                              I'm actually putting the finishing touches (writing entire paragraphs here and there) on the first part, the firewalling part right now.

                              • Mr. Jingles

                                @jflsakfja:

                                that want to build a statue of me, thinking I'm the messiah or something.

                                ;D ;D ;D

                                6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                • Soloam

                                  Hello all, I tried Suricata, but it's not yet compatible with my system, so back again to Snort. Just a quick question that I can't seem to find the answer in the topic. What should we do with the rules that are disabled by default? In the Suricata guide I see that it's recommended to activate all first and then disable the unwanted rules. Should we take the same approach in snort?

                                  I tried this once and Snort would not boot on the interface, probably some rule that should not be set on. I looked in the system log and there was no error. I uninstalled all and started from scratch.

                                  Thank you
                                  Best Regards

                                  • A Former User

                                    Yes, the recommended way to set snort/suricata is to enable all then disable the rules suggested in the topics/list.

                                    • Soloam

                                      Thank you!

                                      Anyone had problems with rule "ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
                                      suppress" 1:2019416? I looked at both this tutorial and the suricata version, and both have this rule enabled! The problem is that if I leave this rule several Google IPs are blocked, including play store and hangouts!

                                      Best regards
                                      soloam

                                      • A Former User

                                        The rule is valid, you just need to completely disable SSLv3 (and v2 and v1). See your browser's documentation on how to do it.

                                        • Wepee

                                          Sorry if I ask a silly question here, as I am very new to SNORT.

                                          I have been reading a lot, some I do understand but most I don't here.

                                          Ok, here I begin the silly question ;D

                                          Let's take an example here, let's look at the ET rules shown below:

                                          
                                          emerging-botcc > all
                                          
                                          emerging-chat > all except:
                                          2010784 ET CHAT Facebook Chat (send message)
                                          2010785 ET CHAT Facebook Chat (buddy list)
                                          2010786 ET CHAT Facebook Chat (settings)
                                          2010819 ET CHAT Facebook Chat using XMPP
                                          2002327 ET CHAT Google Talk (Jabber) Client Login
                                          2002334 ET CHAT Google IM traffic Jabber client sign-on
                                          2001241 ET CHAT MSN file transfer request
                                          2001242 ET CHAT MSN file transfer accept
                                          2001243 ET CHAT MSN file transfer reject
                                          2001682 ET CHAT MSN IM Poll via HTTP
                                          2002192 ET CHAT MSN status change
                                          2008289 ET CHAT Possible MSN Messenger File Transfer
                                          2009375 ET CHAT General MSN Chat Activity
                                          2009376 ET CHAT MSN User-Agent Activity
                                          
                                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                          
                                          Question here is the exception rules that I need to disable,
                                          for example: 2010784 ET CHAT Facebook Chat (send message)
                                          
                                          For the above rule, if I need to do the exception, I need to search for the Signature ID
                                          shown above = 2010784, I need to do a search on this rule and disable it.

                                          As you know this is a PAINSTAKING task of finding each and every Signature ID
                                          2009376, 2009375… etc. and disabling each and every one.

                                          Question:

                                          1) Is there a short-cut method of doing this mundane task faster? :(

                                          2) This process of disabling each exception will start all over again,
                                          since whenever a new updated Snort package is released, and if updated,
                                          then snort is completely unassigned from the WAN interface, and I have to
                                          manually reassign snort to run on my WAN interface, and hence I need
                                          to do the exception rules ALL over again, right? :(
                                          
                                          Thank you.
                                          • A Former User

                                            1. there is a new guide coming (work in progress) which should greatly simplify initial setup. For now I'm afraid that it's the clickety-click process :-)

                                            2. That's not expected behavior. Did you contact bmeeks about it? I've never had to redo a setup, even after removing the package (keep settings on removal MUST be ticked) and reinstalling
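
The guide's `category > all except:` lists, as quoted in Wepee's question, can be turned into a checked SID list mechanically instead of being retyped one rule at a time. This is an added example, not from the thread or the Snort package: `parse_guide` and `disable_list` are hypothetical names, the output uses PulledPork-style `gid:sid` entries with GID 1 assumed for text rules (as in `1:2019416` above), and whether a given package version can import such a list is not covered by this thread.

```python
import re

# The list format quoted in Wepee's post, shortened to four of its SIDs.
GUIDE_TEXT = """\
emerging-botcc > all

emerging-chat > all except:
2010784 ET CHAT Facebook Chat (send message)
2010785 ET CHAT Facebook Chat (buddy list)
2002327 ET CHAT Google Talk (Jabber) Client Login
2009376 ET CHAT MSN User-Agent Activity
~~~~~~~~~~~~~~~~~~~~~
"""

CATEGORY = re.compile(r"^([\w.-]+)\s*>\s*all(\s+except:)?\s*$")
SID_LINE = re.compile(r"^(\d+)\s+(.+)$")


def parse_guide(text):
    """Return ({category: [(sid, msg), ...]}, [problems found])."""
    plan, problems, seen = {}, [], set()
    current, expects_sids = None, False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or set(line) == {"~"}:      # blank or separator line
            continue
        if (c := CATEGORY.match(line)):
            current, expects_sids = c.group(1), bool(c.group(2))
            plan.setdefault(current, [])
        elif (s := SID_LINE.match(line)):
            sid, msg = int(s.group(1)), s.group(2)
            if current is None or not expects_sids:
                problems.append(f"line {n}: SID {sid} is not under an "
                                "'all except:' header")
            elif sid in seen:
                problems.append(f"line {n}: SID {sid} listed twice")
            else:
                seen.add(sid)
                plan[current].append((sid, msg))
        else:
            problems.append(f"line {n}: unrecognised line {line!r}")
    return plan, problems


def disable_list(plan, gid=1):
    """Render the plan as gid:sid lines, each preceded by its rule message."""
    lines = []
    for category, rules in plan.items():
        lines.append(f"# {category}: {len(rules)} rule(s) to disable")
        for sid, msg in rules:
            lines.append(f"# {msg}")
            lines.append(f"{gid}:{sid}")
    return lines


if __name__ == "__main__":
    plan, problems = parse_guide(GUIDE_TEXT)
    print("\n".join(problems or disable_list(plan)))
```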

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.