My suppress list and Sid mgmt are not working



  • Here is my list

    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    #(http_inspect) NON-RFC DEFINED CHAR [**]
    suppress gen_id 119, sig_id 14
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 2
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
    suppress gen_id 120, sig_id 4
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    suppress gen_id 120, sig_id 9

    I have added the list to the Suppress List and to the SID Mgmt disable list, but it looks like they are still being blocked by Snort. I have enabled the interface and reloaded Snort. Is there anything missing?

    Thank you!



  • Let me ask the obvious question first. When you say "still blocked by Snort", do you mean you are still receiving new alerts from those rules or do you mean the IP addresses are still blocked? If the latter, then you need to go to the BLOCKS tab and clear out all the blocked IP addresses. Restarting Snort does not clear blocked IP addresses as the responsibility for IP blocking is handed off to the firewall once a Snort rule fires.

    If you are still receiving alerts from the rules you have suppressed, then read on.

    Almost every time I've seen a suppress list not working it's due to one of these two things:

    1. The interface does not actually have the Suppress List assigned to it on the INTERFACE SETTINGS tab in the Suppress drop-down, or the assigned list does not contain the content the admin thinks is there. Verify the content of the list that is actually assigned on the interface using the View List button. If this checks out, then proceed to step #2 below.

    2. There is a duplicate Snort process running on the same interface (what I call a zombie process). To see if this is the case, execute this command from a shell prompt on the firewall:

    ps -ax | grep snort
    

    You should see only a single instance of Snort for each configured interface. If you see any duplicate lines in the output of the command above, then stop Snort on all interfaces in the GUI and then repeat the command listed above. For any lingering Snort processes, kill them using this command:

    kill -9 <pid>
    

    where <pid> is the Process ID of the Snort process.

    Now restart Snort in the GUI and things should work properly. I can guarantee you that Suppress Lists and rule state forcing (via SID MGMT or other methods) both work fine in the package. I have a number of suppressed and disabled rules in my personal firewall setup using Snort.
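    The duplicate-process check from step 2 above, as an added example that is not part of the original reply: a small POSIX shell function that reads `ps -ax` style output, pulls the `-i <interface>` argument off each Snort command line, and reports any interface that has more than one Snort process attached. The sample `ps` output embedded in the block is constructed for the demo (the PIDs, paths and UUID-style numbers are made up, though the layout follows the pfSense Snort package's command lines), so the script runs offline; on a real firewall you would pipe the live `ps -ax` into the same function.

```shell
#!/bin/sh
# Added example, not from the forum post. Reports interfaces with more than one
# Snort process (the "zombie" condition discussed above).
#
# Input : ps-style lines on stdin, one process per line, PID in column 1 and the
#         full command line after it (as printed by `ps -ax` on FreeBSD/pfSense).
# Output: one line per duplicated interface: "<iface> <count> <pid,pid,...>"
# Exit  : 1 if any interface has duplicates, 0 otherwise.
snort_dupes() {
    awk '
        /snort/ && !/grep/ {
            # Find the interface name that follows the "-i" option.
            iface = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i" && i < NF) iface = $(i + 1)
            }
            if (iface == "") next
            count[iface]++
            pids[iface] = pids[iface] (pids[iface] == "" ? "" : ",") $1
        }
        END {
            rc = 0
            for (iface in count) {
                if (count[iface] > 1) {
                    printf "%s %d %s\n", iface, count[iface], pids[iface]
                    rc = 1
                }
            }
            exit rc
        }
    '
}

# Constructed sample ps output (assumed layout, made-up PIDs and paths):
# em0 has two Snort processes, em1 has one, plus the grep line itself.
SAMPLE_PS='  PID TT  STAT    TIME COMMAND
 1234  -  Ss   0:01.00 /usr/local/bin/snort -R 11111 -D -q -l /var/log/snort/snort_em011111 -c /usr/local/etc/snort/snort_11111_em0/snort.conf -i em0
 1456  -  Ss   0:00.50 /usr/local/bin/snort -R 11111 -D -q -l /var/log/snort/snort_em011111 -c /usr/local/etc/snort/snort_11111_em0/snort.conf -i em0
 1789  -  Ss   0:00.40 /usr/local/bin/snort -R 22222 -D -q -l /var/log/snort/snort_em122222 -c /usr/local/etc/snort/snort_22222_em1/snort.conf -i em1
 2001  0  S+   0:00.00 grep snort'

# Live use on the firewall:   ps -ax | snort_dupes
# Demo on the constructed sample (prints "em0 2 1234,1456"):
printf '%s\n' "$SAMPLE_PS" | snort_dupes \
    || echo "duplicates found: stop Snort in the GUI, then kill the leftover PIDs"
```

The function only groups by the `-i` argument, so a Snort instance started with a different config path but the same interface still counts as a duplicate, which is exactly the case the reply describes. Follow the reply's order when acting on the output: stop Snort on all interfaces in the GUI first, re-run the check, and only then `kill -9` whatever is still listed.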



  • Hi Bmeeks,

    You are right! There is a duplicated process. I have killed that Zombie and everything is good so far.

    Thank you very much!



  • @seantree said in My suppress list and Sid mgmt are not working:

    Hi Bmeeks,

    You are right! There is a duplicated process. I have killed that Zombie and everything is good so far.

    Thank you very much!

    Glad you got it sorted out. That duplicate process thing happens occasionally to some folks. Both the package maintainer before me and I have tried to stop it from happening, but neither of us has had 100% success. It has to do with the mechanism inside the pfSense plumbing that sends a "restart all packages" command every time certain things occur on interfaces. When these triggers occur multiple times in quick succession, multiple copies of Snort can get started.

