Netgate Discussion Forum
    Snort - ARPSpoof preprocessor signal 11

Category: IDS/IPS
13 Posts 2 Posters 3.9k Views
mkcharlie:

      Hi Bill,

      Thanks for looking into this. If I can be of any help, please give a shout!

      enabled services:

      • snort
      • pfblockerNG
bmeeks:

        @mkcharlie:

        Hi Bill,

        Thanks for looking into this. If I can be of any help, please give a shout!

I think I found and fixed the problem.  I'm testing now in my virtual machine test setup.  The original code author's patch to the CSV output plugin was a little over-coded (IMHO) for the relatively simple task it needed to do.  The code just needed to add the ability to specify and print two additional fields (CLASSIFICATION and PRIORITY) via the CSV output plugin.  I greatly simplified the patch and added extra checking for NULL pointers.  Originally the NULL pointer checks were non-existent for the two added fields.  Sometime back I had added some NULL pointer checking, but failed to check deep enough.  I needed to check a couple of layers deep in a structure and was not doing so.  I think that was the root of the issue.

        I am also going to fix a few bugs in the GUI package, so while I'm at it I will add the ability to configure the ARP preprocessor to the PREPROCESSORS tab in the GUI.  That will eliminate the need to use the Advanced Pass-Through stuff.

        Bill

mkcharlie:

          Great work! Any idea when this will become available?

bmeeks:

            @mkcharlie:

            Great work! Any idea when this will become available?

            UPDATE – August 21

            The bug is apparently still there for the ARP Spoof preprocessor.  Got to dig a little more to find out what's happening.  I don't think it is in the logging code after I realized it is correctly logging the event.  Must be someplace else.

            I posted the pull request last night and it was merged this morning.  Nothing will show up in the Package Manager because I have not yet bumped the version for the GUI package the Package Manager keys off of.  I am working on some GUI updates first.

However, if you are game, you can uninstall Snort and then reinstall it on your system that was giving the Signal 11.  You should see it show on the binary package on the Package Manager tab as 2.9.9.0_2.  It will be shown in small print as one of the dependencies along with Barnyard2.  I have not checked, but I think when Renato merged the update he put it in both the 2.4-DEVEL tree and the 2.3.4-RELEASE tree.  If you don't see the 2.9.9.0_2 binary listed, send me an IM and I can show you how to find it and manually install it.

            Bill

bmeeks:

              OK.  Finally found the root cause of this Signal 11 bug.  It was in the custom blocking module.  The Signal 11 was actually happening when the custom blocking module attempted to block based on the alert.  For these ARP spoof alerts the IP address information is frequently missing, and thus the blocking module got tripped up trying to insert a block for a NULL address.  The fix was to have the blocking module ignore packets with no IP address data, since it can't block them anyway.

              Details on the fix can be found in this pull request:  https://github.com/pfsense/FreeBSD-ports/pull/398.  As soon as the pfSense developer team can approve and merge the request, an updated binary package will be available with version 2.9.9.0_3 as the tag.  I tested this out on a virtual machine and was able to reliably produce the Signal 11 without the patch with ARP spoofing enabled.  With the patch, I got the ARP spoof alerts but no Signal 11.

              Bill

mkcharlie:
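The two crashes described in this thread (the CSV output plugin dereferencing a classtype pointer that was never checked "a couple of layers deep", and the custom blocking module trying to insert a block for an alert that carries no IP address) are both NULL-pointer handling problems. The following is an added example, not code from the pfSense Snort package or the pull request above; the struct names and fields are simplified, hypothetical stand-ins for Snort's internal types, kept only as far as the two bugs need, and the sample rules and packets are constructed. It shows the guarded CSV field formatting and the "skip packets with no IP data" decision the fix introduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical, simplified stand-ins for Snort's internal structures.
 * These are not Snort's real type definitions; they keep only the fields
 * the two bugs in the thread turn on: a classtype pointer nested two
 * layers below the rule node, and an IP header pointer that is NULL for
 * non-IP traffic such as an ARP frame.
 */
typedef struct {
    const char *type;      /* short name, e.g. "attempted-recon" */
    const char *name;      /* long description */
    int priority;
} ClassType;

typedef struct {
    uint32_t gid;
    uint32_t sid;
    const char *msg;
    ClassType *classType;  /* NULL when the rule has no classtype: keyword */
    int priority;
} SigInfo;

typedef struct {
    SigInfo sigInfo;       /* classtype is reached as otn->sigInfo.classType->type */
} OptTreeNode;

typedef struct {
    uint32_t src;          /* IPv4, host byte order */
    uint32_t dst;
} IPHdr;

typedef struct {
    IPHdr *iph;            /* NULL for an ARP frame: there is no IP layer */
    const char *proto;
} Packet;

/* CSV output: format the added CLASSIFICATION and PRIORITY fields.
 * The unguarded form would be otn->sigInfo.classType->type, which faults
 * on a rule without a classtype. Here every layer is checked and a
 * missing classtype becomes an empty field. Returns characters written. */
int csv_class_priority(const OptTreeNode *otn, char *buf, size_t len)
{
    const char *cls = "";
    int prio = 0;

    if (otn != NULL) {
        const ClassType *ct = otn->sigInfo.classType;
        if (ct != NULL && ct->type != NULL)
            cls = ct->type;
        prio = otn->sigInfo.priority;
    }
    return snprintf(buf, len, "%s,%d", cls, prio);
}

/* Convenience wrapper returning the formatted fields from a static buffer. */
const char *csv_class_priority_str(const OptTreeNode *otn)
{
    static char buf[128];
    csv_class_priority(otn, buf, sizeof buf);
    return buf;
}

/* Custom blocking module: pick the address to block for an alert.
 * Returns the IPv4 source address to insert into the block table, or 0
 * when the packet carries no IP data (the ARP spoof case), which is the
 * case the fix tells the module to ignore rather than insert a NULL. */
uint32_t block_addr_for_alert(const Packet *p)
{
    if (p == NULL || p->iph == NULL)
        return 0;          /* nothing to block: no IP address in the packet */
    return p->iph->src;
}

/* Constructed sample data (not captured from a real Snort run). GID 112 is
 * the arpspoof preprocessor's generator id; the sid and msg are made up. */
static ClassType kRecon = { "attempted-recon", "Attempted Information Leak", 2 };
static OptTreeNode kTcpRule = { { 1, 1000001, "LOCAL test rule", &kRecon, 2 } };
static OptTreeNode kArpRule = { { 112, 9999, "(spp_arpspoof) constructed ARP event", NULL, 0 } };
static IPHdr kIp = { 0xC0A80001u, 0xC0A80002u };   /* 192.168.0.1 -> 192.168.0.2 */
static Packet kTcpPacket = { &kIp, "TCP" };
static Packet kArpPacket = { NULL, "ARP" };

int main(void)
{
    printf("tcp rule fields:     %s\n", csv_class_priority_str(&kTcpRule));
    printf("arp rule fields:     %s\n", csv_class_priority_str(&kArpRule));
    printf("block for tcp alert: 0x%08x\n", block_addr_for_alert(&kTcpPacket));
    printf("block for arp alert: 0x%08x\n", block_addr_for_alert(&kArpPacket));
    return 0;
}
```

The check that matters is the one on the intermediate pointer: testing only `otn` and then reading `otn->sigInfo.classType->type` is exactly the "not deep enough" pattern the thread describes. Likewise, a blocking path that receives an alert must treat "no IP header" as a normal input, not an impossible one, because preprocessors such as arpspoof alert on frames that never had one.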

                That makes sense.

                I'd be happy to try it out when the update becomes available.

bmeeks:

                  @mkcharlie:

                  That makes sense.

                  I'd be happy to try it out when the update becomes available.

                  I was sort of hoping it might become available today, but perhaps the developer team is busy with stuff from the release of 2.4.0-RC yesterday morning.  The binary fix and a GUI package update are both posted and just waiting on their approval and merging into package repository.

                  Bill

bmeeks:

                    @mkcharlie:

                    I'd be happy to try it out when the update becomes available.

The package update was posted today.  Please check it out and see if it corrects the Signal 11 issue.  Remember to remove Snort first, then reinstall the package.  This will make sure the binary is updated as well along with the GUI code.  There have been some problems where GUI package updates run using the "UPDATE" command on the Package Manager failed to update the underlying binary.

                    Bill

mkcharlie:

                      Hi Bill,

Everything seems to work exactly the way it should for the moment. Thanks for taking the time to do the changes.

bmeeks:

                        @mkcharlie:

                        Hi Bill,

Everything seems to work exactly the way it should for the moment. Thanks for taking the time to do the changes.

                        Thanks for the feedback.  Glad to have found that particular bug and the related one in the logging code that caused Snort to die when logging a rule with no CLASSTYPE defined.

                        Bill

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.