NOOB - Why IPv6 Alerts?

talaverde

I have IPv6 turned off in pfSense. Why am I getting Snort alerts with IPv6 addresses? This isn't the first one. Probably 20% (if not more) of my alerts are IPv6.

W/O digging through the (mostly unreadable) Snort documentation, my guess is that turning off IPv6 in pfSense doesn't keep outsiders from scanning my firewall with IPv6. Thus, Snort is either doing it's job - OR - it wouldn't go anywhere as I don't have V6 enabled.

If there are OTHER possibilities, then those are the ones I'm asking about, as I'm sure they are more risky.

Thanks!

NogBadTheBad

The router will be seeing IPv6 from the end devices regardless of disabling IPv6.

bmeeks

Snort puts the interface it is running on in promiscuous mode, thus all traffic types and subnets hitting the wire are seen by Snort. That does not mean any corresponding plumbing exists on the network stack to handle the traffic. So IPv6 packets are hitting your physical wire interface from some endpoint device someplace, but that does not mean your firewall will respond to it in any manner. Snort will see the traffic and alert on it, though, because of the promiscuous mode setting.

talaverde

Soooo, if I didn't want to see those IPv6 alerts, what can I do to (easily) make them go away, aside from just suppressing them? I guess there aren't a bunch of addresses so suppress would work. Is that the best solution? Do I just clear and ignore? I've had this happen several times today? Thanks.

johnpoz

You could re evaluate running your IPS on your wan, or even at all for that matter..

talaverde

@johnpoz said in NOOB - Why IPv6 Alerts?:

You could re evaluate running your IPS on your wan, or even at all for that matter..

Maybe I should evaluate running pfSense for that matter, right?

I'm not running it on my WAN. It's only on my LAN. I also have IPv6 turned off in my Advanced/Networking settings.

One thought I just had. I have some VPNs configured (OpenVPN based). I just have IPv4 selected, but it registers both an IPv4 AND an IPv6 address. (Not really sure why/how it would register an IPv6 address when I specifically selected only IPv4 in the OpenVPN settings.) I didn't think much of it as I don't use IPv6 and have it turned off on the global level. Maybe Snort it picking up that OpenVPN IPv6 address.

Back to the original inquiry though. I can't see a way to turn it off.

Thanks.

talaverde

Well damn... I take that back. The IPv6 addresses are NOT registered with the (Open) VPN clients anymore. I wonder if Snort is actually blocking those. I'll have to play around with it to see if that theory is correct.

I'd much rather not have OpenVPN register IPv6 in the first place (which is what I was looking for when I noticed the addresses were now gone). If I figure it out, I'll post the solution.

johnpoz

@talaverde said in NOOB - Why IPv6 Alerts?:

Maybe I should evaluate running pfSense for that matter, right?

Sure you could do that - but its not a pfsense thing of ips reporting alerts.. Its an IPS thing..

Question for you - has you running IPS actually alerted you to a valid concern/issue? If so in what sense? Did it some way prevent X from being compromise.. Did it alert you to a host that was comprised that you were not aware of? etc. etc.

bmeeks

@talaverde said in NOOB - Why IPv6 Alerts?:

Soooo, if I didn't want to see those IPv6 alerts, what can I do to (easily) make them go away, aside from just suppressing them? I guess there aren't a bunch of addresses so suppress would work. Is that the best solution? Do I just clear and ignore? I've had this happen several times today? Thanks.

Which exact rules are firing with those IPv6 addresses? I get no IPv6 alerts even when I had my Hurricane Electric tunnel up and running with IPv6 addresses on all LAN clients. My suspicion is you are running Snort with too many rules enabled and are getting what's essentially nuisance alerts as a result. You can be plenty secure with a reduced rule set. As an example, I've had exactly 8 alerts on my LAN since December 25, 2018. And every one of those 8 were from a single HTTP_INSPECT preprocessor rule (SID 28) which I disabled. Those alerts were caused by my grandson's iPhone while he was here for Easter. They are harmless false positives.

I had 12 alerts in December of 2018 on the LAN and every one of those was caused by a defective ET-Open DNS rule that later got fixed (SID 48668).

I run IPS Policy - Balanced and then enable the following ET-Open rules:

1. emerging-botcc
2. emerging-malware
3. emerging-mobile-malware
4. emerging-trojan

If you enable a ton of rules, then you are going to get nuisance alerts and you will just have to live with them.

talaverde

@johnpoz said in NOOB - Why IPv6 Alerts?:

@talaverde said in NOOB - Why IPv6 Alerts?:

Maybe I should evaluate running pfSense for that matter, right?

Sure you could do that - but its not a pfsense thing of ips reporting alerts.. Its an IPS thing..

Question for you - has you running IPS actually alerted you to a valid concern/issue? If so in what sense? Did it some way prevent X from being compromise.. Did it alert you to a host that was comprised that you were not aware of? etc. etc.

If your house security alarm goes off in the middle of the night and you don't find anyone in your house when you look around, do you automatically assume not one actually set it off? You could dust for fingerprints and interview your neighbors to see if they saw anyone suspicious. Or, you can have a little faith that your security system is helping to make you secure. I have no interest in debating if an IPS/IDS is effective, for me, or just in general. At the moment, I'm just asking a simple question about IPv6 alerts.

I think I might have found a solution. I'm going to let it run for a while before positing, just to be sure it's working like I hope it is.

talaverde

@bmeeks said in NOOB - Why IPv6 Alerts?:

@talaverde said in NOOB - Why IPv6 Alerts?:

Soooo, if I didn't want to see those IPv6 alerts, what can I do to (easily) make them go away, aside from just suppressing them? I guess there aren't a bunch of addresses so suppress would work. Is that the best solution? Do I just clear and ignore? I've had this happen several times today? Thanks.

Which exact rules are firing with those IPv6 addresses? I get no IPv6 alerts even when I had my Hurricane Electric tunnel up and running with IPv6 addresses on all LAN clients. My suspicion is you are running Snort with too many rules enabled and are getting what's essentially nuisance alerts as a result. You can be plenty secure with a reduced rule set. As an example, I've had exactly 8 alerts on my LAN since December 25, 2018. And every one of those 8 were from a single HTTP_INSPECT preprocessor rule (SID 28) which I disabled. Those alerts were caused by my grandson's iPhone while he was here for Easter. They are harmless false positives.

I had 12 alerts in December of 2018 on the LAN and every one of those was caused by a defective ET-Open DNS rule that later got fixed (SID 48668).

I run IPS Policy - Balanced and then enable the following ET-Open rules:

1. emerging-botcc
2. emerging-malware
3. emerging-mobile-malware
4. emerging-trojan

If you enable a ton of rules, then you are going to get nuisance alerts and you will just have to live with them.

Thanks for that feedback. Sounds like you have a fundamental ruleset there. If I were to set up a friend or co-worker, I might use your configuration.

I've been using the 'IPS Policy - Security" and have had no more than a handful of alerts. I think I might have 4-5 suppressions. I decided to play around with AppID. For the most part, it's working exactly as I hoped. If these IPv6 alerts go away, it'll be pretty much quiet again. If I start getting too many false alerts, There are one or two rule sets which are the source for all the alerts I've gotten. I can always just turn those off.

As mentioned, I may have found a way to keep the IPv6 quiet. I'll need to run it for a few days to be (more) sure.

Thanks again.

talaverde

Update - I probably should have started my own thread as situation appears unique.

My original idea was to tweak some of the general pfSense IPv6 settings. That didn't work.

On a closer look, I realized my IPv6 alerts were for port scanning. When I turned on AppID, I also turned on Portscan Detection. I could have turned it off PS Detection completely, but I simply changed the sensitivity from 'medium' to 'low' and I haven't had another alert since.