WAN Snort Alert 128:4 (spp_ssh) Protocol mismatch



  • Hoping someone can help me figure out what this Snort alert is and how to track it back to its origin.

    The alerts below are originating from my WAN public IP and have a destination of Amazon AWS and Twitter.  The originating port is associated with SSH in pfSense.  The destination ports are 443.  I doubt that pfSense SSH is communicating out through the WAN to AWS or Twitter.

    I do get alerts when I remote into PFSense via SSH.  Same 128:4, but I recognize the Source IP (Verizon).  So this one makes total sense.

    I am considering suppressing this alert, as it seems benign, but I am not sure.  How would one track this back to its origin on my LAN?  The LAN interface doesn't have a similar alert.  I wonder if it is even possible to track this down to a source IP on the LAN.

    Anyway, I would appreciate if a knowledgeable soul would take a look and give me some ideas.

    Thank you,

    Jerold

    ![Screen Shot 2016-06-14 at 7.09.08 PM.png](/public/imported_attachments/1/Screen Shot 2016-06-14 at 7.09.08 PM.png)



  • I am doing a packet capture on the WAN interface for port 10022.  Hoping that if I run this long enough, I can see what the source is on the LAN.

    Jerold



  • For home users (if this is a home network), my recommendation is to run Snort on the LAN and not the WAN.  Snort sits outside of any NAT rules, so it sees traffic before the NAT rules are applied.  This is why you see your external WAN public IP in all the alerts instead of your actual internal host addresses.  Snort is seeing the traffic before pfSense "un-NATs" it and translates back to the local IP.  Running Snort on the LAN gets around this and you will see your internal LAN addresses and then the actual external Internet addresses for any hosts they talk to.

    Bill



  • Bill,

    Thank you very much for taking the time to respond to my post.  I am running pfSense on my home network, so Snort is running on both my WAN and LAN.  What is odd, in my mind at least, is there is not an entry on the LAN side.  Sounds like Snort blocked it before getting to the LAN interface.

    My other question is what would stop intrusion attempts from the Internet to my home network if I cease monitoring my WAN interface.  I had thought it was best to block this stuff at the WAN to keep bad guys out of my home network.  By monitoring only the LAN, bad guys would be blocked before they could get to a host; is that correct?

    Thank you very much.



  • @jpvonhemel:

    Bill,

    Thank you very much for taking the time to respond to my post.  I am running pfSense on my home network, so Snort is running on both my WAN and LAN.  What is odd, in my mind at least, is there is not an entry on the LAN side.  Sounds like Snort blocked it before getting to the LAN interface.

    My other question is what would stop intrusion attempts from the Internet to my home network if I cease monitoring my WAN interface.  I had thought it was best to block this stuff at the WAN to keep bad guys out of my home network.  By monitoring only the LAN, bad guys would be blocked before they could get to a host; is that correct?

    Thank you very much.

    EDIT:  I went back and read your post again after my reply below, and I need to modify my response a bit.  I missed a key piece of information in my earlier quick review of the original post.  I will leave my original reply below because it still applies for many users – just not 100% in your case.

    You state that you sometimes remote SSH into your firewall.  If that is done from an external network (in other words, you are performing SSH into your WAN side), then that would explain why your external IP is the target and it did not show up on the LAN side.  If you have an exposed SSH port on the WAN, then most certainly you will get probes to it from the Internet.  I don't know what your exact setup may be, but an open SSH port is inviting nothing but trouble.  I would use a VPN with the OpenVPN server and client software in pfSense.  At the very least make sure your SSH daemon is locked down to only accept public/private key pairs and never a password.  Prohibit password logins from SSH on the WAN side.

    Yes, Snort blocked the attempt on the WAN side is my assumption and thus the LAN never saw it.

    As for your second question, generally in home networks the WAN is default-deny for all unsolicited inbound traffic.  Stated another way, the default WAN rules block any inbound traffic except that coming back as part of established session states.  So unless you are running a public facing host, there is generally no great benefit to running Snort on the WAN unless you are curious about all the Internet noise and want to see it.  Snort will be quite noisy on the WAN because it sees traffic prior to the firewall, so the firewall rules can't filter out stuff inbound from the WAN interface.  This means Snort will alert on stuff your firewall is going to drop anyway.

    So I usually suggest running Snort on the LAN side just so you can easily identify internal hosts with issues.  I run my home network like that.  All my security rules for Snort are on the LAN side, but I do run a couple of the ET rule categories (some of the IP blacklists, but don't recall the exact names at the moment) on the WAN just to generate some traffic to satisfy my curiosity.  There is no valid IT security reason for me doing the WAN, I just do it to watch Snort work.

    Bill
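    The two points Bill makes above (Snort on the WAN sees the public IP because it sits outside NAT, and unsolicited inbound traffic is dropped by default-deny so it never reaches the LAN) can be turned into a small correlation routine.  This is an added example, not code from the thread or from pfSense: it takes a constructed NAT state table (the kind of records pfSense keeps for each outbound session) and a Snort WAN alert, and maps the alert back to a LAN host, to the firewall itself, or to unsolicited inbound traffic.  The firewall IP, the SSH port 10022 and all addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIREWALL_WAN_IP = "203.0.113.10"  # constructed public IP of the pfSense WAN
FIREWALL_SSH_PORT = 10022          # the non-default SSH port from the thread


@dataclass(frozen=True)
class NatState:
    """One outbound NAT state as the firewall keeps it (constructed record)."""
    lan_ip: str
    lan_port: int
    wan_port: int   # source port as seen on the WAN after outbound NAT
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Alert:
    """A Snort alert as the WAN instance reports it (pre-NAT view)."""
    sig: str        # gid:sid, e.g. "128:4"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed state table: two LAN hosts with HTTPS sessions to external hosts.
NAT_STATES = [
    NatState("192.168.1.50", 51234, 51234, "54.239.28.85", 443),
    NatState("192.168.1.77", 40001, 40001, "104.244.42.1", 443),
]


def attribute(alert: Alert, states: List[NatState], fw_ip: str = FIREWALL_WAN_IP,
              ssh_port: int = FIREWALL_SSH_PORT) -> Tuple[str, Optional[str]]:
    """Return ('lan', host) when a NAT state maps the alert to a LAN host,
    ('firewall', reason) when the firewall itself is the endpoint, and
    ('unsolicited', None) when no LAN session asked for the traffic
    (default-deny drops it, so the LAN instance never sees an alert)."""
    if alert.src_ip == fw_ip:  # outbound: the public IP is the NATed source
        for s in states:
            if (s.wan_port, s.dst_ip, s.dst_port) == (alert.src_port, alert.dst_ip, alert.dst_port):
                return "lan", s.lan_ip
        if alert.src_port == ssh_port:
            return "firewall", "source is the firewall's own SSH port, no LAN state"
        return "firewall", "session originated by the firewall itself"
    if alert.dst_ip == fw_ip:  # inbound: the public IP is the not-yet-translated destination
        for s in states:
            if (s.wan_port, s.dst_ip, s.dst_port) == (alert.dst_port, alert.src_ip, alert.src_port):
                return "lan", s.lan_ip
        if alert.dst_port == ssh_port:
            return "firewall", "inbound to the exposed SSH port"
    return "unsolicited", None
```

    On a real box the state records would come from the pfSense state table (Diagnostics > States) captured close to the alert time, since NAT states expire.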



  • Hi Bill,

    I do have SSH enabled with keys and passwords disabled.  I thought this was secure and my port is not the typical 22.  I understand that a port scan would reveal my open ports and figured it was secure using the key pair.  I will take your advice and consider closing this port and accessing SSH via OpenVPN.  That goes for the web admin too.

    I don't block anything with Snort, just log and review.  I do see a Snort alert on WAN when I SSH in.  What was odd about my AWS/Twitter IP addresses was that my public IP and port 10022 were the source and I didn't know how to make sense of it.  Source ports are usually random, or at least I thought they were.  It was odd that my public IP/10022 was sending to AWS/Twitter at port 443.

    Anyway, I have disabled the WAN interface for Snort and will just watch out for LAN alerts.

    I appreciate your help.

    Jerold



  • Wow, I switched Snort to LAN only and now there is nothing to watch  :-\



  • @AR15USR:

    Wow, I switched Snort to LAN only and now there is nothing to watch  :-\

    Properly configured (the rules, that is), Snort should be pretty quiet on a LAN – especially a home network.  If you want to just watch it do something, add the ET blacklist rules on the WAN side.  There are two of those categories if I recall.  One is CIARMY and the other is DSHIELD.  You should see several hits per hour from IP addresses on those rules.  Gives you something to see in the logs ...  ;)

    Bill



  • @jpvonhemel:

    Hi Bill,

    I do have SSH enabled with keys and passwords disabled.  I thought this was secure and my port is not the typical 22.  I understand that a port scan would reveal my open ports and figured it was secure using the key pair.  I will take your advice and consider closing this port and accessing SSH via OpenVPN.  That goes for the web admin too.

    I don't block anything with Snort, just log and review.  I do see a Snort alert on WAN when I SSH in.  What was odd about my AWS/Twitter IP addresses was that my public IP and port 10022 were the source and I didn't know how to make sense of it.  Source ports are usually random, or at least I thought they were.  It was odd that my public IP/10022 was sending to AWS/Twitter at port 443.

    Anyway, I have disabled the WAN interface for Snort and will just watch out for LAN alerts.

    I appreciate your help.

    Jerold

    Using SSH with keys is much better than a password.  A key can be OK, but you will see a constant stream of attempts if the bots find the open port.  Without the key they should be kept out.  If all you ever want is SSH, I guess for a home network key-driven logins are OK.  Personally I use the OpenVPN server on pfSense and a client to access my network remotely.  I then open select things from the VPN into my LAN.

    Bill



  • @bmeeks:

    @jpvonhemel:

    Hi Bill,

    I do have SSH enabled with keys and passwords disabled.  I thought this was secure and my port is not the typical 22.  I understand that a port scan would reveal my open ports and figured it was secure using the key pair.  I will take your advice and consider closing this port and accessing SSH via OpenVPN.  That goes for the web admin too.

    I don't block anything with Snort, just log and review.  I do see a Snort alert on WAN when I SSH in.  What was odd about my AWS/Twitter IP addresses was that my public IP and port 10022 were the source and I didn't know how to make sense of it.  Source ports are usually random, or at least I thought they were.  It was odd that my public IP/10022 was sending to AWS/Twitter at port 443.

    Anyway, I have disabled the WAN interface for Snort and will just watch out for LAN alerts.

    I appreciate your help.

    Jerold

    Using SSH with keys is much better than a password.  A key can be OK, but you will see a constant stream of attempts if the bots find the open port.  Without the key they should be kept out.  If all you ever want is SSH, I guess for a home network key-driven logins are OK.  Personally I use the OpenVPN server on pfSense and a client to access my network remotely.  I then open select things from the VPN into my LAN.

    Bill

    Bill,

    Great information!  First time I am trying to set up Snort.

    I do agree that having OpenVPN open is the best way and accessing everything else behind it, but is OpenVPN protected against brute force attacks in Snort by default, or do you have to set that up?