1. Home
  2. pfSense Packages
  3. IDS/IPS
  4. SNORT IDS FAILING TO START ON LAN INTERFACE

SNORT IDS FAILING TO START ON LAN INTERFACE

  • S

    Hello Everyone,

    I just turned on Snort for the WAN interface and was getting the following DNS alerts from many different IPs:

    2017-02-08
22:17:12	1	UDP	Attempted User Privilege Gain	205.251.194.22
  	53	192.168.0.5
  	62912	3:19187
  	PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt

2017-02-08
22:17:12	2	UDP	Attempted Information Leak	205.251.193.195
  	53	192.168.0.5
  	32125	3:21355
  	PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid

    Nothing is being port forwarded internally at the moment and 192.168.0.5 is the external IP of my pfSense box. I figured I would try using Snort with the internal LAN interface instead to see if I can pin point what IP internally being natted is generating the alert. However when I disable Snort on the WAN and enable it on the LAN, Snort fails to start due to a fatal error. I confirmed that the preprocessor for streams is enabled.

    Feb 8 22:28:46	snort	50068	WARNING: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(189) Ignoring invalid Reference spec '2015-0666'.
Feb 8 22:28:50	snort	50068	FATAL ERROR: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(6889) Unknown rule option: 'stream_size'.
Feb 8 22:28:50	php-fpm	28137	/snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 57306 -D -l /var/log/snort/snort_fxp057306 --pid-path /var/run --nolock-pidfile -G 57306 -c /usr/local/etc/snort/snort_57306_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''

    Has anyone come across something similar? Is there a simple way to disable snort rule 6889?

    Thanks in advance.

    E
    ![Screen Shot 2017-02-08 at 11.01.45 PM.png](/public/imported_attachments/1/Screen Shot 2017-02-08 at 11.01.45 PM.png)
    ![Screen Shot 2017-02-08 at 11.01.45 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-02-08 at 11.01.45 PM.png_thumb)

    0
  • S

    I managed to circumvent the issue by adding a check mark to the following option under the Snort LAN interface general setting:

    Stream Inserts Do not evaluate stream inserted packets against the detection engine

    Snort is now running but I find it interesting that the DNS alerts previously mentioned have stopped when using the LAN interface only. I've turned Snort on for both using all the categories and receive these types of entries again. I am guessing these are false positives due to the fact that clicking on the magnifying glass for some of the entries show that the IP resolves to ns1.google.com.

    2017-02-08
23:18:10	1	UDP	Attempted User Privilege Gain	216.239.32.10
  	53	192.168.0.5
  	50136	3:19187
  	PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt

    IP address "216.239.32.10" resolves to host "ns1.google.com"

    I am still confused however why Snort LAN is not providing me these alerts as it must be an internal host being natted creating the false positives. Any input would be greatly appreciated.

    Cheers.

    E

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy