SNORT IDS FAILING TO START ON LAN INTERFACE
I just turned on Snort for the WAN interface and was getting the following DNS alerts from many different IPs:
2017-02-08 22:17:12 1 UDP Attempted User Privilege Gain 18.104.22.168 53 192.168.0.5 62912 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt 2017-02-08 22:17:12 2 UDP Attempted Information Leak 22.214.171.124 53 192.168.0.5 32125 3:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
Nothing is being port forwarded internally at the moment and 192.168.0.5 is the external IP of my pfSense box. I figured I would try using Snort with the internal LAN interface instead to see if I can pin point what IP internally being natted is generating the alert. However when I disable Snort on the WAN and enable it on the LAN, Snort fails to start due to a fatal error. I confirmed that the preprocessor for streams is enabled.
Feb 8 22:28:46 snort 50068 WARNING: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(189) Ignoring invalid Reference spec '2015-0666'. Feb 8 22:28:50 snort 50068 FATAL ERROR: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(6889) Unknown rule option: 'stream_size'. Feb 8 22:28:50 php-fpm 28137 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 57306 -D -l /var/log/snort/snort_fxp057306 --pid-path /var/run --nolock-pidfile -G 57306 -c /usr/local/etc/snort/snort_57306_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''
Has anyone come across something similar? Is there a simple way to disable snort rule 6889?
Thanks in advance.
![Screen Shot 2017-02-08 at 11.01.45 PM.png](/public/imported_attachments/1/Screen Shot 2017-02-08 at 11.01.45 PM.png)
![Screen Shot 2017-02-08 at 11.01.45 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-02-08 at 11.01.45 PM.png_thumb)
I managed to circumvent the issue by adding a check mark to the following option under the Snort LAN interface general setting:
Stream Inserts Do not evaluate stream inserted packets against the detection engine
Snort is now running but I find it interesting that the DNS alerts previously mentioned have stopped when using the LAN interface only. I've turned Snort on for both using all the categories and receive these types of entries again. I am guessing these are false positives due to the fact that clicking on the magnifying glass for some of the entries show that the IP resolves to ns1.google.com.
2017-02-08 23:18:10 1 UDP Attempted User Privilege Gain 126.96.36.199 53 192.168.0.5 50136 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
IP address "188.8.131.52" resolves to host "ns1.google.com"
I am still confused however why Snort LAN is not providing me these alerts as it must be an internal host being natted creating the false positives. Any input would be greatly appreciated.