Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Quick Snort Setup Instructions for New Users

    Scheduled Pinned Locked Moved IDS/IPS
    147 Posts 46 Posters 268.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wcrowder
      last edited by

      Feel for you bhawk6901.

      Sometimes required by law.

      http://en.wikipedia.org/wiki/Air_gap_%28networking%29

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        lol.. Just when you think your secure… Your not!  :o :o

        http://thehackernews.com/2014/10/airhopper-hacking-into-isolated.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • W
          wcrowder
          last edited by

          Yeah, Thanks. Now they'll require a Faraday Cage around the MDF and all the IDF's… LMAO...

          @BBcan177:

          lol.. Just when you think your secure… Your not!  :o :o

          http://thehackernews.com/2014/10/airhopper-hacking-into-isolated.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29

          1 Reply Last reply Reply Quote 0
          • W
            whitexp
            last edited by

            how to configure pfsense for multi wan setup ?
            thanks

            other thing ..
            how i can test my server security ? ( how to "hack" my server for testing .. )

            1 Reply Last reply Reply Quote 0
            • D
              darrenkdean
              last edited by

              Good Evening,

              I am running into a fatal error when starting Snort on the WAN.  Has anyone run into this before &/or have any suggestions on how to fix it?  I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.

              Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''

              Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

              Best-

              Darren

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                @darrenkdean:

                Good Evening,

                I am running into a fatal error when starting Snort on the WAN.  Has anyone run into this before &/or have any suggestions on how to fix it?  I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.

                Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''

                Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

                Best-

                Darren

                This is a broken Emerging Threats rule that has had broken syntax for almost a year.  Several attempts at getting it fixed at the source have been unsuccessful.  Folks here just disable that rule.  You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872.  That is the rule that is malformed.

                I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.

                Bill

                1 Reply Last reply Reply Quote 0
                • D
                  darrenkdean
                  last edited by

                  @bmeeks:

                  @darrenkdean:

                  Good Evening,

                  I am running into a fatal error when starting Snort on the WAN.  Has anyone run into this before &/or have any suggestions on how to fix it?  I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.

                  Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''

                  Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

                  Best-

                  Darren

                  This is a broken Emerging Threats rule that has had broken syntax for almost a year.  Several attempts at getting it fixed at the source have been unsuccessful.  Folks here just disable that rule.  You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872.  That is the rule that is malformed.

                  I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.

                  Bill

                  Thank you Bill!  That was very helpful.  For anyone else that runs into this, the rule that needs to be disabled is:

                  emerging-web_client.rules

                  SID: 2011695
                  ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt

                  Best-

                  Darren

                  1 Reply Last reply Reply Quote 0
                  • BBcan177B
                    BBcan177 Moderator
                    last edited by

                    Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    1 Reply Last reply Reply Quote 0
                    • D
                      darrenkdean
                      last edited by

                      Good Morning,

                      Has anyone had success in configuring Snort to allow apple devices to communicate with the Apple Store & iCloud?  I have followed the quick setup guide, rule configuration, & everything appears to be working great, with the exception of iPad's & iPhone's not being able to communicate with the Apple Store & not able to restore from iCloud Backup.  Any direction on how best to allow this connectivity would be greatly appreciated.

                      Best-

                      Darren

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        @BBcan177:

                        Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?

                        I am leery of permanently disabling a rule within the GUI code.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          @darrenkdean:

                          Good Morning,

                          Has anyone had success in configuring Snort to allow apple devices to communicate with the Apple Store & iCloud?  I have followed the quick setup guide, rule configuration, & everything appears to be working great, with the exception of iPad's & iPhone's not being able to communicate with the Apple Store & not able to restore from iCloud Backup.  Any direction on how best to allow this connectivity would be greatly appreciated.

                          Best-

                          Darren

                          I have no problem with this working in my home network using Snort and pfSense 2.2.  Have you checked to see if some particular alert is firing and generating a block?  You can check the ALERTS or BLOCKED tabs to see what Snort is doing.

                          Bill

                          1 Reply Last reply Reply Quote 0
                          • ?
                            A Former User
                            last edited by

                            @BBcan177:

                            Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?

                            What, you mean ET actually disabling a non functioning rule? Come on it's ET we are talking about here.  ;)

                            I'm on bmeek's side here. Permanently disabling a rule shouldn't be the solution. Not unless we can get a premade list out anyway (hint:new guide).

                            1 Reply Last reply Reply Quote 0
                            • D
                              darrenkdean
                              last edited by

                              Good Day,

                              I'm running into an issue with the Ooma IP Telephone Service whereby anytime a telephone call is made or received, it trips the following rule in Snort:

                              ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)

                              I created a Firewall Alias called Ooma with the following data for the Ooma Servers:
                              70.42.139.0/24         Ooma
                              208.83.244.0/22 Ooma, Inc.

                              I then added the Alias to the Snort Pass List, checking the Ooma Alias, & leaving all other boxes unchecked.  I've clearly missed something, as the alerts are still being triggered & blocked, inspite of having added the correct Ooma Servers.  Any thoughts?

                              Best-

                              Darren

                              1 Reply Last reply Reply Quote 0
                              • ?
                                A Former User
                                last edited by

                                Did you stop/start the snort interface after adding that to the passlist?

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  @darrenkdean:

                                  Good Day,

                                  I'm running into an issue with the Ooma IP Telephone Service whereby anytime a telephone call is made or received, it trips the following rule in Snort:

                                  ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)

                                  I created a Firewall Alias called Ooma with the following data for the Ooma Servers:
                                  70.42.139.0/24         Ooma
                                  208.83.244.0/22 Ooma, Inc.

                                  I then added the Alias to the Snort Pass List, checking the Ooma Alias, & leaving all other boxes unchecked.  I've clearly missed something, as the alerts are still being triggered & blocked, inspite of having added the correct Ooma Servers.  Any thoughts?

                                  Best-

                                  Darren

                                  Also make sure the new Pass List is actually assigned to your Snort interface by choosing it in the PASS LIST drop-down box on the INTERFACE SETTINGS tab.  Save the change and then restart Snort on the interface as @jflsakfja suggested.

                                  Additionally, I don't recommend unchecking the other Pass List checkboxes.  You generally don't ever want to do that except in very unusual situations.  Yours does not sound like one where I would uncheck those default-checked boxes.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    darrenkdean
                                    last edited by

                                    Excellent, thank you both!  I went back & changed the settings per your guidance & the telephone service is now working.  Can't thank you enough for your help!  Alerts are still being generated, but no longer blocked.  Is there any reason why I would not want to suppress these alerts?

                                    Best-

                                    Darren

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks
                                      last edited by

                                      @darrenkdean:

                                      Excellent, thank you both!  I went back & changed the settings per your guidance & the telephone service is now working.  Can't thank you enough for your help!  Alerts are still being generated, but no longer blocked.  Is there any reason why I would not want to suppress these alerts?

                                      Best-

                                      Darren

                                      You can suppress them if you wish, but depending on how you do it you may expose yourself to a real attack (as opposed to the false positive you are likely seeing now).  Here is what I would do:

                                      You know the IP address in question (your phone system), so create a suppress list rule by IP address.  The easiest way to accomplish this is on the ALERTS tab.  Click the plus (+) icon beside the IP address you don't want to block on one of the alert rows.  This will create a suppress list entry of type "track by IP".  It will be either source (SRC) or destination (DST) depending on which address column you clicked.  The entry will be for that specific IP.  If you want to suppress by an IP block instead, then after creating the entry as described previously, go to the SUPPRESS LIST tab, find the newly created list and edit it.  Change the IP address to a CIDR block.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        darrenkdean
                                        last edited by

                                        Good Afternoon,

                                        I have configured Snort according to the guide & everything works great on the WAN.  I have created a LAN Interface & mirrored the rules for both.  When I go to start Snort on the LAN, I am getting the following error:

                                        snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

                                        I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface.  Any guidance or suggestions would be greatly appreciated.

                                        Best-

                                        Darren

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          Mr. Jingles
                                          last edited by

                                          @darrenkdean:

                                          Good Afternoon,

                                          I have configured Snort according to the guide & everything works great on the WAN.  I have created a LAN Interface & mirrored the rules for both.  When I go to start Snort on the LAN, I am getting the following error:

                                          snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

                                          I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface.  Any guidance or suggestions would be greatly appreciated.

                                          Best-

                                          Darren

                                          Confirmed. My system log is filled with this too:

                                          snort[4022]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating ...snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil
                                          

                                          Snort starts on all interfaces 'though, yet it is cluttering up the logs with this constantly repeating message.

                                          pfSense 2.1.5 X64, Snort 2.9.7.0 pkg 3.2.3

                                          6 and a half billion people know that they are stupid, agressive, lower life forms.

                                          1 Reply Last reply Reply Quote 0
                                          • bmeeksB
                                            bmeeks
                                            last edited by

                                            @darrenkdean:

                                            Good Afternoon,

                                            I have configured Snort according to the guide & everything works great on the WAN.  I have created a LAN Interface & mirrored the rules for both.  When I go to start Snort on the LAN, I am getting the following error:

                                            snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

                                            I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface.  Any guidance or suggestions would be greatly appreciated.

                                            Best-

                                            Darren

                                            It would be better if you start a new thread in the IDS/IPS sub-forum.  This thread was designed to contain just the how-to instructions.

                                            The answer to your problem is also posted in a previous thread here: https://forum.pfsense.org/index.php?topic=89393.msg495651#msg495651, but I will repeat it here.  This is a known syntax error in the OpenAppID rules package from the Snort VRT.  They committed to fix it in a mailing list post about two weeks ago.  It appears they have not yet.  You can disable the OpenAppID preprocessor to make the error go away.  Unless you have also written your own custom rules to use the OpenAppID signatures, they aren't working anyway.

                                            Bill

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.