Snort2c and whitelist CIDR
-
Hello!
Thanks a lot to Scott Ullrich for the snort2c package ported to FreeBSD (http://pfsense.org/~sullrich/ported_software)
I'm testing it on my snort system, external to pfSense (I don't like to charge my firewall with snort).
I'm not sure that if snort2c is capable to work with CIDR notation at its whitelist.
I have the following scenario:
snort_sensor# ps -aux | grep snort2c
nobody 1013 0,0 0,1 1320 760 ?? Is 10:29PM 0:00,00 /usr/local/sbin/expiretable -d -t 3600 snort2c
root 1014 0,0 0,1 1284 788 ?? Is 10:29PM 0:00,02 /usr/local/sbin/snort2c -w /var/db/whitelist -a /var/log/snort/alert
root 3981 0,0 0,1 1604 960 p0 S+ 9:46AM 0:00,00 grep snort2csnort_sensor# cat /var/db/whitelist
192.168.XXX.0/24
192.168.YYY.0/24
192.168.ZZZ.0/24
192.168.AAA.1
192.168.AAA.2
192.168.AAA.3
192.168.BBB.1
192.168.BBB.2
192.168.CCC.1
192.168.CCC.2
80.58.###.###
80.58.###.###
213.176.###.###
213.176.###.###
80.58.###.###
80.58.###.###
127.0.0.1XXX, YYY, ZZZ are my LANs
AAA, BBB, CCC are my WANs
followed IPs are my external DNS servers
127.0.0.1 is the obvious localhostSometimes I see blocked machines at 192.168.XXX.0/24 range. Example:
snort_sensor# pfctl -rt snort2c -vT show | grep -vE "In/|Out/"
192.168.XXX.207 (s-207)
Cleared: Wed May 30 09:40:54 2007snort_sensor# tail /var/log/snort/alert
[] [1:7694:1] BACKDOOR exception 1.0 runtime detection - intial connection
server-to-client []
[Classification: A Network Trojan was detected] [Priority: 1]
05/30-09:40:59.688329 192.168.XXX.207:445 -> 192.168.XXX.119:1070
TCP TTL:64 TOS:0x0 ID:3532 IpLen:20 DgmLen:440 DF
AP Seq: 0xC55E038F Ack: 0xB4DD15C Win: 0xFFFF TcpLen: 20
[Xref => http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099]
[Xref => http://www.megasecurity.org/trojans/e/exception/Exception1.0b1.html]So, if you are using snort whitelist with pfSense be careful with CIDR notation.
Regards,
Josep Pujadas
