• Hello Everyone,

    I just turned on Snort for the WAN interface and was getting the following DNS alerts from many different IPs:

    22:17:12	1	UDP	Attempted User Privilege Gain	62912	3:19187	PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
    22:17:12	2	UDP	Attempted Information Leak	32125	3:21355	PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid

    Nothing is being port forwarded internally at the moment, and is the external IP of my pfSense box. I figured I would try using Snort with the internal LAN interface instead to see if I can pinpoint which internal IP being NATed is generating the alert. However, when I disable Snort on the WAN and enable it on the LAN, Snort fails to start due to a fatal error. I confirmed that the preprocessor for streams is enabled.

    Feb 8 22:28:46	snort	50068	WARNING: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(189) Ignoring invalid Reference spec '2015-0666'.
    Feb 8 22:28:50	snort	50068	FATAL ERROR: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(6889) Unknown rule option: 'stream_size'.
    Feb 8 22:28:50	php-fpm	28137	/snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 57306 -D -l /var/log/snort/snort_fxp057306 --pid-path /var/run --nolock-pidfile -G 57306 -c /usr/local/etc/snort/snort_57306_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''

    Has anyone come across something similar? Is there a simple way to disable snort rule 6889?

    Thanks in advance.

    ![Screen Shot 2017-02-08 at 11.01.45 PM.png](/public/imported_attachments/1/Screen Shot 2017-02-08 at 11.01.45 PM.png)
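    The number in the FATAL ERROR (`snort.rules(6889)`) is a line number in the generated rules file, not a SID, so disabling "rule 6889" needs the SID of whatever rule sits on that line. The script below is an added example, not code from the thread or from the pfSense Snort package: it pulls the rule at a given line of a Snort 2.9 rules file, extracts its GID:SID, and reports whether it uses an option (`stream_size`, `stream_reassemble`) that Snort only accepts when the Stream5 preprocessor is loaded, which is what produces "Unknown rule option". The rules text is a constructed sample; the `gid:sid` output format is the one pulledpork-style disablesid lists use (an assumption about the list you feed it to).

```python
import re
from typing import Optional, Tuple

# Constructed sample of a Snort 2.9 rules file; it is NOT the poster's
# snort.rules. Line 4 stands in for the line named in a FATAL ERROR.
SAMPLE_RULES = """\
# constructed sample rules (gid defaults to 1 when absent)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS sample one"; sid:19187; gid:3; rev:1;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS sample two"; sid:21355; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample rule needing stream5"; flow:to_server,established; stream_size:client,>,100; sid:100001; rev:2;)
"""

# Rule options that Snort 2.9 only accepts when the Stream5 preprocessor is
# loaded; a rule using one of these is what triggers "Unknown rule option".
STREAM_OPTIONS = ("stream_size", "stream_reassemble")

# Rule actions a line must start with to count as a rule (comments/blank lines do not).
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def rule_at_line(rules_text: str, lineno: int) -> Optional[str]:
    """Return the rule on 1-based line `lineno`, or None if that line is not a rule."""
    lines = rules_text.splitlines()
    if not 1 <= lineno <= len(lines):
        raise IndexError(f"line {lineno} is outside the file ({len(lines)} lines)")
    line = lines[lineno - 1].strip()
    return line if line.startswith(ACTIONS) else None


def rule_ids(rule: str) -> Tuple[int, int]:
    """Extract (gid, sid) from a rule; gid defaults to 1 as Snort does."""
    sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    if sid is None:
        raise ValueError("rule has no sid option")
    gid = re.search(r"\bgid\s*:\s*(\d+)\s*;", rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def uses_stream_option(rule: str) -> bool:
    """True if the rule uses an option that requires Stream5."""
    return any(re.search(rf"\b{opt}\s*:", rule) for opt in STREAM_OPTIONS)


def disablesid_entry(rule: str) -> str:
    """Render the gid:sid line used by pulledpork-style disablesid lists (assumed format)."""
    gid, sid = rule_ids(rule)
    return f"{gid}:{sid}"


if __name__ == "__main__":
    # Usage: replace 4 with the line number from the FATAL ERROR and
    # SAMPLE_RULES with the contents of the real snort.rules.
    rule = rule_at_line(SAMPLE_RULES, 4)
    print(rule)
    print("needs stream5:", uses_stream_option(rule), "->", disablesid_entry(rule))
```

    Knowing the GID:SID lets you suppress that one signature instead of disabling the whole Stream Inserts evaluation; if the rule does use `stream_size`, the error also confirms the Stream5 preprocessor was not actually active for that interface when the rules were loaded.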

  • I managed to circumvent the issue by adding a check mark to the following option under the Snort LAN interface general setting:

    Stream Inserts: Do not evaluate stream inserted packets against the detection engine

    Snort is now running, but I find it interesting that the DNS alerts previously mentioned have stopped when using the LAN interface only. I've turned Snort on for both, using all the categories, and receive these types of entries again. I am guessing these are false positives, due to the fact that clicking on the magnifying glass for some of the entries shows that the IP resolves to

    23:18:10	1	UDP	Attempted User Privilege Gain	50136	3:19187	PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt

    IP address "" resolves to host ""

    I am still confused, however, as to why Snort on the LAN is not providing me these alerts, as it must be an internal host being NATed that is creating the false positives. Any input would be greatly appreciated.
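    A WAN-side sensor only ever sees the pfSense public address after NAT, so its alerts cannot say which LAN host triggered them; the LAN-side alert file can. The script below is an added example, not the thread's or the pfSense package's code: it parses alert lines in Snort's "fast" output format and counts them per GID:SID and per RFC 1918 endpoint, so a burst of the 3:19187 alerts can be attributed to the internal host making the DNS queries. The alert lines are constructed samples; only the GID:SID values and messages come from the thread, and the addresses, ports, timestamps and revision numbers are made up. Endpoint splitting assumes IPv4.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample alerts in Snort's "fast" alert output format (not the
# poster's log). Addresses, ports, timestamps and revs are made up.
SAMPLE_ALERTS = """\
02/08-22:17:12.101010  [**] [3:19187:4] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 203.0.113.53:53 -> 192.168.1.20:62912
02/08-22:17:12.202020  [**] [3:21355:3] PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.53:53 -> 192.168.1.20:32125
02/08-22:17:13.303030  [**] [3:19187:4] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 198.51.100.7:53 -> 192.168.1.31:50136
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, "src:port -> dst:port".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Explicit RFC 1918 ranges: Python's ip_address.is_private also flags the
# documentation ranges (e.g. 203.0.113.0/24), which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' (IPv4; port absent for ICMP) into (ip, port)."""
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None


def parse_alert(line: str) -> Optional[dict]:
    """Parse one fast-format line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["gid"], rec["sid"], rec["pri"] = int(rec["gid"]), int(rec["sid"]), int(rec["pri"])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec["dst"])
    return rec


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def internal_endpoint(src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the RFC 1918 side of the flow, or None when neither side is private,
    which is what a WAN-side sensor sees once NAT has rewritten the LAN address."""
    for ip in (src_ip, dst_ip):
        if is_rfc1918(ip):
            return ip
    return None


def summarize(alert_text: str) -> Tuple[Dict[Tuple[int, int], int], Dict[str, int]]:
    """Count alerts per (gid, sid) and per internal host."""
    by_sig: Counter = Counter()
    by_host: Counter = Counter()
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        by_sig[(rec["gid"], rec["sid"])] += 1
        host = internal_endpoint(rec["src_ip"], rec["dst_ip"]) or "(no private endpoint)"
        by_host[host] += 1
    return dict(by_sig), dict(by_host)


if __name__ == "__main__":
    # Usage: feed the contents of the LAN interface's alert file instead of SAMPLE_ALERTS.
    sigs, hosts = summarize(SAMPLE_ALERTS)
    for (gid, sid), n in sigs.items():
        print(f"{gid}:{sid}\t{n}")
    for host, n in hosts.items():
        print(f"{host}\t{n}")
```

    If every alert lands in the "(no private endpoint)" bucket, the file came from the WAN side and attribution is impossible from it; once the per-host counts show which LAN client is behind the 3:19187 hits, you can compare its resolver traffic against the rule's intent before deciding to suppress the SID for that host only rather than globally.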