SNORT IDS FAILING TO START ON LAN INTERFACE



  • Hello Everyone,

    I just turned on Snort for the WAN interface and was getting the following DNS alerts from many different IPs:

    Date        Time      Pri  Proto  Class                          Src              SPort  Dst          DPort  GID:SID  Description
    2017-02-08  22:17:12  1    UDP    Attempted User Privilege Gain  205.251.194.22   53     192.168.0.5  62912  3:19187  PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
    2017-02-08  22:17:12  2    UDP    Attempted Information Leak     205.251.193.195  53     192.168.0.5  32125  3:21355  PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid


    Nothing is being port forwarded internally at the moment, and 192.168.0.5 is the external IP of my pfSense box. I figured I would try using Snort on the internal LAN interface instead to see if I can pinpoint which internal IP being NATed is generating the alert. However, when I disable Snort on the WAN and enable it on the LAN, Snort fails to start due to a fatal error. I confirmed that the preprocessor for streams is enabled.

    Feb 8 22:28:46	snort	50068	WARNING: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(189) Ignoring invalid Reference spec '2015-0666'.
    Feb 8 22:28:50	snort	50068	FATAL ERROR: /usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(6889) Unknown rule option: 'stream_size'.
    Feb 8 22:28:50	php-fpm	28137	/snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 57306 -D -l /var/log/snort/snort_fxp057306 --pid-path /var/run --nolock-pidfile -G 57306 -c /usr/local/etc/snort/snort_57306_fxp0/snort.conf -i fxp0' returned exit code '1', the output was ''

    Has anyone come across something similar? Is there a simple way to disable snort rule 6889?

    Thanks in advance.

    E
    ![Screen Shot 2017-02-08 at 11.01.45 PM.png](/public/imported_attachments/1/Screen Shot 2017-02-08 at 11.01.45 PM.png)
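The FATAL ERROR above names the rules file and the line number of the rule Snort could not parse. In Snort 2.x the `stream_size` rule option is registered by the stream5 preprocessor, so "Unknown rule option: 'stream_size'" means the rule parser did not have stream5 loaded for that interface's configuration; disabling the one rule only hides the symptom, and the next rule using the option will fail the same way. The following script is an added example (not from the poster or the pfSense Snort package) that parses such a log line, lists every active rule in a rules file that uses the offending option together with its SID and msg, and writes a copy with a chosen line commented out. The rules file and log line it runs on are constructed samples; it assumes the usual one-rule-per-line layout of a generated snort.rules file.

```python
"""Locate Snort rules that use a rule option the parser rejected.

Parses a 'FATAL ERROR: <file>(<line>) Unknown rule option: '<opt>'' log
line, reports every active rule in the rules text that uses that option,
and can return a copy of the rules text with one line commented out.
"""
import re

# Matches the Snort 2.x fatal error format seen in the pfSense system log.
FATAL_RE = re.compile(
    r"FATAL ERROR: (?P<path>\S+?)\((?P<line>\d+)\) "
    r"Unknown rule option: '(?P<opt>\w+)'"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')

# Constructed sample rules file: three rules, the third already disabled.
SAMPLE_RULES = """\
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SAMPLE dns rule"; flow:to_client; content:"|00 01|"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE stream_size rule"; flow:to_server,established; stream_size:client,>,1000; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; stream_size:both,>,10; sid:1000003; rev:1;)
"""

# Constructed log line in the same shape as the one from the post, pointing
# at line 2 of the sample file rather than line 6889 of the real one.
SAMPLE_LOG = (
    "Feb 8 22:28:50\tsnort\t50068\tFATAL ERROR: "
    "/usr/local/etc/snort/snort_57306_fxp0/rules/snort.rules(2) "
    "Unknown rule option: 'stream_size'."
)


def parse_fatal_error(log_line):
    """Return {'path', 'line', 'option'} from a fatal error line, else None."""
    m = FATAL_RE.search(log_line)
    if not m:
        return None
    return {"path": m.group("path"), "line": int(m.group("line")),
            "option": m.group("opt")}


def find_rules_using_option(rules_text, option):
    """Return (lineno, sid, msg) for every active rule using `option`."""
    needle = re.compile(r"\b" + re.escape(option) + r"\s*:")
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or already-commented rule
        if needle.search(stripped):
            sid = SID_RE.search(stripped)
            msg = MSG_RE.search(stripped)
            hits.append((lineno,
                         int(sid.group(1)) if sid else None,
                         msg.group(1) if msg else ""))
    return hits


def disable_rule_line(rules_text, lineno):
    """Return a copy of the rules text with the 1-based line commented out."""
    lines = rules_text.splitlines()
    if not 1 <= lineno <= len(lines):
        raise IndexError(f"line {lineno} is outside the rules file")
    if not lines[lineno - 1].lstrip().startswith("#"):
        lines[lineno - 1] = "# " + lines[lineno - 1]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    err = parse_fatal_error(SAMPLE_LOG)
    print(f"parser rejected option {err['option']!r} at "
          f"{err['path']} line {err['line']}")
    for lineno, sid, msg in find_rules_using_option(SAMPLE_RULES, err["option"]):
        print(f"  line {lineno}: sid {sid} ({msg})")
    print(disable_rule_line(SAMPLE_RULES, err["line"]))
```

The SID list is the useful output: the pfSense Snort package regenerates snort.rules from the enabled categories on every rule update, so edits made directly to that file do not survive; disable the reported SIDs through the package's per-interface rule management instead, or fix the preprocessor configuration so the option is accepted.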



  • I managed to circumvent the issue by adding a check mark to the following option under the Snort LAN interface general settings:

    Stream Inserts: "Do not evaluate stream inserted packets against the detection engine"


    Snort is now running, but I find it interesting that the DNS alerts previously mentioned have stopped when using the LAN interface only. I've turned Snort on for both using all the categories and receive these types of entries again. I am guessing these are false positives, due to the fact that clicking on the magnifying glass for some of the entries shows that the IP resolves to ns1.google.com.

    Date        Time      Pri  Proto  Class                          Src            SPort  Dst          DPort  GID:SID  Description
    2017-02-08  23:18:10  1    UDP    Attempted User Privilege Gain  216.239.32.10  53     192.168.0.5  50136  3:19187  PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt


    IP address "216.239.32.10" resolves to host "ns1.google.com"

    I am still confused, however, as to why Snort on the LAN is not providing me these alerts, as it must be an internal host being NATed that is creating the false positives. Any input would be greatly appreciated.

    Cheers.

    E