Snort not detecting enabled signature
-
I have had snort running for a while on my pfsense box in blocking mode. In addition I run snort sensors on Ubuntu inside my network. There are a few signatures that are detected by my internal snort sensors that the pfsense snort does not detect. When I dig into the pfsense configuration it shows those signatures are enabled. Any ideas what is going on and how to fix?
-
oh, and I'm running pfsense version 2.3.4. Will be upgrading to 2.4 in the next day or so to see if that has any impact.
-
What are some specific examples of alerts detected by the internal sensors and not by Snort on pfSense? Are the HOME_NET and EXTERNAL_NET variables defined the same way on both sensors (internal and pfSense). The IP addresses listed in those variables have a huge impact on how rules trigger based on traffic direction. Difference in the values within HOME_NET and EXTERNAL_NET would be my first thought if received alerts differ on two systems that see the same traffic.
Is it possible the traffic being seen and alerted on by the internal sensors is somehow bypassing the Snort instance on pfSense?
Bill
-
I have been seeing attempts to login to the Wordpress admin page on one of my servers by outside hosts as detected by my DMZ network snort sensor. This signature is 1:2012843. I have snort enabled on my WAN interface (the only ingress point into my network) of the pfsense box. When I check under Snort Interface - WAN Rules - emerging-policy.rules it shows this signature enabled and with source and destination set to any. As a result I would not think the HOME_NET or EXTERNAL_NET settings would matter. However, I will review and verify those are all set correctly and see.
-
I checked and have HOME_NET and EXTERNAL_NET set as default. When I view the list on the HOME_NET it shows all the subnets that need to be there.
-
OK, thanks for the info and verification of the HOME_NET and EXTERNAL_NET variables.
One possibility is that the rule was added to a Suppression List on the pfSense box. You can check that quickly by looking on the INTERFACE SETTINGS tab to see if any Suppress List is assigned to the WAN interface. If so, check the contents of that list on the SUPPRESS tab to see if the rule's GID:SID is listed.
I assume the pfSense Snort sensor is seeing other alerts but just not this particular one? If so, that is weird unless there is an errant or accidental suppress list entry for that GID:SID. I can't think of any other reason for the alert to not appear other than possibly a suppress list entry.
Bill
-
I already checked my suppress list to make sure this was not the case. This is odd. My logs show tons of Dshield Block listed and suspicious inbound mySQL alerts among various other ones. I upgraded my box last night to the newest version of pfsense just to see if that solved anything.
-
OK, I feel like a moron now. We have an IP block that is routed to my WAN address which then has NAT mappings to route the traffic to the correct host. That subnet was not in the HOME_NET list. Once I created a new list with that included it has started catching all the traffic. Still I don't think this would solve the Wordpress 1:2012843 signature since it is set for any:any. Will monitor over the next 24 hours to see.
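As an added illustration that is not part of the thread, the following Python model shows why the HOME_NET change in this post mattered: it resolves $HOME_NET / $EXTERNAL_NET in a rule header the way Snort does (with the default EXTERNAL_NET = !HOME_NET), contrasts that with an any:any rule, and checks a suppress-list entry of the kind Bill described. All addresses, rules and SIDs are constructed placeholders, not the poster's.

```python
import ipaddress
import re

# Constructed pfSense-style variable definitions (addresses are made up, not the
# poster's). HOME_NET as first configured lacked the routed block that is NATed
# through the WAN address; EXTERNAL_NET is left at the default, !$HOME_NET.
LAN_AND_WAN = ["10.0.0.0/24", "192.0.2.1/32"]
NATED_BLOCK = "198.51.100.0/28"
HOME_NET_BEFORE = LAN_AND_WAN
HOME_NET_AFTER = LAN_AND_WAN + [NATED_BLOCK]

# Two constructed rules: a directional one and an any:any one like the
# WordPress login rule in the thread. SIDs are hypothetical placeholders.
DIRECTIONAL = ("1:9000001", "$EXTERNAL_NET", "$HOME_NET")
ANY_ANY = ("1:9000002", "any", "any")

def in_home_net(ip, home_net):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in home_net)

def var_matches(ip, var, home_net):
    """Resolve a Snort address variable the way the rule header does."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_home_net(ip, home_net)
    if var == "$EXTERNAL_NET":  # default definition: everything not in HOME_NET
        return not in_home_net(ip, home_net)
    raise ValueError(f"unsupported variable {var}")

def parse_suppress(text):
    """Collect GID:SIDs from suppress-list lines of the form
    'suppress gen_id 1, sig_id 2012843' (track/ip qualifiers are ignored,
    so a per-IP suppression is treated here as a full one)."""
    pat = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")
    return {f"{m.group(1)}:{m.group(2)}" for m in map(pat.match, text.splitlines()) if m}

def rule_fires(rule, src, dst, home_net, suppressed=frozenset()):
    """True if the header matches src/dst and the GID:SID is not suppressed."""
    gid_sid, src_var, dst_var = rule
    if gid_sid in suppressed:
        return False
    return var_matches(src, src_var, home_net) and var_matches(dst, dst_var, home_net)

if __name__ == "__main__":
    src, dst = "203.0.113.9", "198.51.100.5"  # outside host -> NATed server
    for name, home in (("before", HOME_NET_BEFORE), ("after", HOME_NET_AFTER)):
        print(name, "directional:", rule_fires(DIRECTIONAL, src, dst, home),
              "any:any:", rule_fires(ANY_ANY, src, dst, home))
```

The directional rule only fires once the NATed block is in HOME_NET, while the any:any rule is unaffected by HOME_NET either way, which is why a missing subnet explains the other misses but not this one.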
-
So much for that, it is catching more of the same type of signatures now destined for the IP block I added to the HOME_NET. Still not catching the wordpress signature. I'm going to monitor to see what gets through to my internal sensors and see if I can find a similarity between them on the pfsense.
-
Thanks for the feedback. No idea why it's not catching the Wordpress signature if the internal sensor is catching it. Sort of must be some kind of configuration difference between the two boxes ???
Bill
-
I can't find anything that explains why this is not working. I'm going to set up a test lab to see if I can duplicate. Could there possibly be a bug with the snort implementation in pfsense?
-
I'm not going to say that is impossible, but it would have to be assumed as unlikely since other rules are firing for you. If I understood you correctly, once you fixed the HOME_NET issue, you have only that single rule that is not firing the same on both sensors.
If it is a bug, it could be in either place (the DMZ sensor may be incorrectly triggering, or the pfSense sensor may be incorrectly missing it). Does the other sensor use libcap? I know that's what Snort is using on pfSense.
Bill