Netgate Discussion Forum

    SNORT IDS FAILING TO START ON LAN INTERFACE

    IDS/IPS
    stress_factory

      Hello Everyone,

      I just turned on Snort for the WAN interface and was getting the following DNS alerts from many different IPs:

      2017-02-08 22:17:12  Pri 1  UDP  Attempted User Privilege Gain  205.251.194.22:53 -> 192.168.0.5:62912  SID 3:19187  PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
      2017-02-08 22:17:12  Pri 2  UDP  Attempted Information Leak  205.251.193.195:53 -> 192.168.0.5:32125  SID 3:21355  PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid


      Nothing is being port forwarded internally at the moment, and 192.168.0.5 is the external IP of my pfSense box. I figured I would try using Snort on the internal LAN interface instead to see if I can pinpoint which internal IP being NATed is generating the alert. However, when I disable Snort on the WAN and enable it on the LAN, Snort fails to start due to a fatal error. I confirmed that the stream preprocessor is enabled.

      Feb 8 22:28:46	snort	50068	WARNING: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(189) Ignoring invalid Reference spec '2015-0666'.
      Feb 8 22:28:50	snort	50068	FATAL ERROR: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(6889) Unknown rule option: 'stream_size'.
      Feb 8 22:28:50	php-fpm	28137	/snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 57306 -D -l /var/log/snort/snort_fxp057306 --pid-path /var/run --nolock-pidfile -G 57306 -c /usr/local/etc/snort/snort_57306_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''

      Has anyone come across something similar? Is there a simple way to disable snort rule 6889?

      Thanks in advance.

      ![Screen Shot 2017-02-08 at 11.01.45 PM.png](/public/imported_attachments/1/Screen Shot 2017-02-08 at 11.01.45 PM.png)
      stress_factory
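      Added example, not code from the original post or from the pfSense Snort package: the number in parentheses in a Snort "FATAL ERROR: .../snort.rules(6889)" message is the line number inside the generated snort.rules file, not a rule SID, so disabling a rule by that number requires first reading that line and pulling out its gid and sid. The script below does that mapping and emits the "gid:sid" form used by the Snort package's Disable SID list, and can also comment the rule out in place as a stop-gap until the next rule update. The log line and the five-line rules file are constructed samples (the SIDs 10000x are made up), and the keyword that trips the parser, `stream_size`, is one registered by the Stream preprocessor, so a rule using it fails to parse on any interface where that preprocessor is not loaded.

```python
"""
Map a Snort "FATAL ERROR ... snort.rules(N) Unknown rule option" message back
to the offending rule's gid:sid and emit a disable entry for it.

Added example; not the pfSense Snort package's own code. SAMPLE_LOG and
SAMPLE_RULES are constructed for illustration (rule text and SIDs made up).
"""
import re

# Constructed sample of the pfSense system-log line quoted in the post,
# with the line number pointed at the small rules file below.
SAMPLE_LOG = (
    "Feb 8 22:28:50\tsnort\t50068\tFATAL ERROR: "
    "/usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(5) "
    "Unknown rule option: 'stream_size'."
)

# Constructed miniature snort.rules: five lines, line 5 uses stream_size.
SAMPLE_RULES = """\
# generated rules file (constructed sample)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS sample A"; sid:100001; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample B"; flow:to_server,established; sid:100002; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample C needs stream"; flow:established; stream_size:client,>,1000; sid:100003; rev:1;)
"""

# Snort reports parse failures as "<file>(<line>) <reason>".
FATAL_RE = re.compile(
    r"FATAL ERROR: (?P<path>\S+?)\((?P<line>\d+)\) Unknown rule option: '(?P<opt>[^']+)'"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_fatal(log_line):
    """Return {'path', 'line', 'option'} for an 'Unknown rule option' fatal, else None."""
    m = FATAL_RE.search(log_line)
    if not m:
        return None
    return {"path": m.group("path"), "line": int(m.group("line")), "option": m.group("opt")}


def rule_at_line(rules_text, lineno):
    """Return the 1-based line of a rules file (the number Snort prints is a file line)."""
    lines = rules_text.splitlines()
    if not 1 <= lineno <= len(lines):
        raise IndexError(f"line {lineno} is outside the rules file ({len(lines)} lines)")
    return lines[lineno - 1]


def rule_ids(rule_text):
    """Return (gid, sid) for one rule; gid defaults to 1 when absent, as Snort does."""
    sid = SID_RE.search(rule_text)
    if not sid:
        raise ValueError("rule has no sid option: " + rule_text[:60])
    gid = GID_RE.search(rule_text)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def disable_entry(log_line, rules_text):
    """Turn the fatal error into a 'gid:sid' line for the package's Disable SID list."""
    info = parse_fatal(log_line)
    if info is None:
        raise ValueError("not an 'Unknown rule option' fatal error")
    gid, sid = rule_ids(rule_at_line(rules_text, info["line"]))
    return f"{gid}:{sid}"


def comment_out_rule(rules_text, lineno):
    """Return the rules text with the rule at lineno commented out (temporary workaround)."""
    lines = rules_text.splitlines()
    lines[lineno - 1] = "# " + lines[lineno - 1]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    info = parse_fatal(SAMPLE_LOG)
    print("offending rule:", rule_at_line(SAMPLE_RULES, info["line"]))
    print("disable entry :", disable_entry(SAMPLE_LOG, SAMPLE_RULES))
```

      On a real box the rules file path comes straight out of the parsed log line, so `open(info["path"]).read()` replaces SAMPLE_RULES; commenting the rule out in snort.rules only lasts until the package regenerates the file, which is why the gid:sid entry is the durable fix.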

        I managed to circumvent the issue by adding a check mark to the following option under the Snort LAN interface general setting:

        Stream Inserts: Do not evaluate stream inserted packets against the detection engine


        Snort is now running, but I find it interesting that the DNS alerts previously mentioned have stopped when using the LAN interface only. I've turned Snort on for both interfaces using all the categories and receive these types of entries again. I am guessing these are false positives, since clicking on the magnifying glass for some of the entries shows that the IP resolves to ns1.google.com.

        2017-02-08 23:18:10  Pri 1  UDP  Attempted User Privilege Gain  216.239.32.10:53 -> 192.168.0.5:50136  SID 3:19187  PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt


        IP address "216.239.32.10" resolves to host "ns1.google.com"

        I am still confused, however, as to why Snort on the LAN is not showing me these alerts, as it must be an internal host being NATed that is creating the false positives. Any input would be greatly appreciated.

        Cheers.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.