Netgate Discussion Forum
    Snort 2.8.4.1 pkg v. 1.5 blocking hosts even if blocking not set

    pfSense Packages
    17 Posts 5 Posters 4.9k Views
    Posted by sicnarf

      Hi All,

      I would just like to tell everyone that Snort 2.8.4.1 pkg v. 1.5 is blocking hosts even if not set to block hosts generating alerts. I have 4 pfSense boxes running 1.2.1 and 1.2.2 and they all do the same with this new version. This happened, by the way, after upgrading my Snort from Snort 2.8.4.1 pkg v. 1.4 a few hours ago.

      Anyone out there having the same experience? I hope this could reach Jamesdean asap so that we can find a fix for this.

      Sicnarf

      Posted by sreece

        Yeah, I am still getting blocked IPs because of the:
        [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP}

        As James Dean suggested, I have even tried editing the threshold.conf file with:
        suppress gen_id 125, sig_id 4
        suppress gen_id 125, sig_id 2

        I haven't had any other rules generate an alert though, so I can't verify that they are blocked as well. How many rules are you using?

        Posted by jimp (Rebel Alliance Developer, Netgate)

          @sreece:

          Yeah, I am still getting blocked IPs because of the:
          [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP}

          As James Dean suggested, I have even tried editing the threshold.conf file with:
          suppress gen_id 125, sig_id 4
          suppress gen_id 125, sig_id 2

          I haven't had any other rules generate an alert though, so I can't verify that they are blocked as well. How many rules are you using?

          That is a block from the preprocessor which is not the same as a block from an actual alert. I've struggled against that FTP error for a while, and I think I ended up just removing large chunks of code in the end to get rid of it. I need to try it again and see if I can make it behave now.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

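Added example (not from this thread, the pfSense Snort package or snort2c): a small Python checker that parses Snort fast-alert lines in the spacing sreece quoted, extracts gid:sid:rev, marks any gid other than 1 as a preprocessor/decoder event (jimp's point that a block caused by the ftp_telnet preprocessor is not a block from a rule), and applies threshold.conf `suppress gen_id ..., sig_id ...` entries to show which alerts would still reach a blocker that reads the alert file. The sample alert lines and the local sid 1000001 are constructed, not captured data.

```python
import re

# Snort "fast" alert header in the spacing the thread quoted, e.g.
#   [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP}
# gid:sid:rev sits in the second bracket; a "(name)" after it is the preprocessor that raised the event.
ALERT_RE = re.compile(
    r"\[\s*\*\*\s*\]\s*\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s*"
    r"(?:\((?P<preproc>[^)]*)\)\s*)?(?P<msg>.*?)\s*\[\s*\*\*\s*\]"
    r"(?:.*?\[\s*Priority:\s*(?P<prio>\d+)\s*\])?"
)
# threshold.conf suppression lines in the form posted above: "suppress gen_id 125, sig_id 4"
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.MULTILINE)

# Constructed sample input: the thread's ftp_telnet alert, a second ftp_telnet event, and a
# gid 1 (text rule) alert with a placeholder local sid. Not real captured traffic.
SAMPLE_ALERTS = """\
[ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP}
[**] [125:2:1] (ftp_telnet) Invalid FTP Command [**] [Priority: 3] {TCP}
[**] [1:1000001:1] LOCAL example rule [**] [Classification: Misc activity] [Priority: 3] {TCP}
"""
SAMPLE_THRESHOLD_CONF = """\
suppress gen_id 125, sig_id 4
suppress gen_id 125, sig_id 2
"""

def parse_alert(line):
    """Return a dict for one alert header line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid = int(m["gid"]), int(m["sid"])
    return {
        "gid": gid, "sid": sid, "rev": int(m["rev"]),
        "source": m["preproc"] or "rule",
        "msg": m["msg"].strip(),
        "preprocessor": gid != 1,  # gid 1 is the text-rule generator; other gids are preprocessors/decoder
        "priority": int(m["prio"]) if m["prio"] else None,
    }

def parse_suppressions(conf_text):
    """Set of (gen_id, sig_id) pairs suppressed by threshold.conf."""
    return {(int(g), int(s)) for g, s in SUPPRESS_RE.findall(conf_text)}

def blockable(alerts_text, conf_text):
    """Alerts that survive suppression, i.e. the ones a blocker reading the alert file would act on."""
    suppressed = parse_suppressions(conf_text)
    return [a for a in map(parse_alert, alerts_text.splitlines())
            if a and (a["gid"], a["sid"]) not in suppressed]
```

With the two suppress lines in place only the gid 1 rule alert survives; with an empty threshold.conf all three would be handed to the blocker, two of them from the preprocessor rather than a rule.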
          Posted by sicnarf

            Hi,

            sreece, jimp is right, your issue is different from mine, but I do get this type of alert also. This is only a minor problem though; my main problem is the one in the topic above.

            Regardless, to answer your question about how many rules I'm running, I run almost all rules except those recommended by jamesdean to be turned off. It's a pretty powerful box, an Intel server SR1530HSH with 4GB DDR2 RAM, a quad-core processor at 2.13GHz and 2x250GB SATA hard drives in a RAID 1 configuration. It's our ISP gateway router and firewall machine, handling about 25Mbps of bandwidth. I tried the full rule set before; it consumed about 50% of memory and 30% CPU.

            sicnarf

            Posted by jamesdean

              jim-p made some changes to the snort package and as a result snort2c is starting without permission.
              I'll fix it tonight…
              jim-p is a way better coder than me so it's not his fault.

              james

              Posted by jimp (Rebel Alliance Developer, Netgate)

                I'll fix it, I see the problem.

                Posted by jimp (Rebel Alliance Developer, Netgate)

                  Fix should be in now. :)

                  Haven't seen you posting in a while, jamesdean, it's good to see you back around!

                  Posted by jamesdean

                    Thanks for the nice words jimp

                    Here's my fix.

                    $start .= "sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert\n";

                    But, your code may work better.

                    I'm removing snort2c tonight and replacing it with http://spoink.sourceforge.net/.

                    I'm going to modify the code a little though.

                    james

                    Posted by jimp (Rebel Alliance Developer, Netgate)

                      Using ; to pipeline the commands didn't work out too well.

                      For whatever reason it was causing certain commands to not start or be ignored. It led to snort2c not starting on bootup, due to packages being initialized twice (a more general pfSense problem not specific to snort).

                      See this redmine entry:
                      http://redmine.pfsense.org/issues/show/53

                      It's an issue that needs to be addressed in pfSense itself and not necessarily in the snort package, at least not any more than I've already done, until a fix is made for the larger issue.

                      The changes I made to the snort package allowed it to more gracefully handle being started twice concurrently. Not as pretty as a real fix, but it did fix the other issue for people who reported it at the time.

                      Posted by jamesdean

                        jimp, if you could add the patches that you stated (http://redmine.pfsense.org/issues/show/53) to the mainline ASAP that would be great.

                        James

                        Posted by sicnarf

                          Hi jimp, jamesdean,

                          Thanks for all your work. I will gladly offer my time to test the new snort package once the fix is in. Just tell me when the new version is available at the snort packages page and I will install it ASAP and test it.

                          Posted by jamesdean

                            Jimp fixed the said issue an hour ago. So, you can reinstall the package now if you want.

                            James

                            Posted by sicnarf

                              Hi James,

                              Yup, saw it already. I'll install it now and give you guys feedback about it later.

                              sicnarf

                              Posted by sicnarf

                                Hi james,

                                Downloaded the new package (it's still Snort 2.8.4.1 pkg v. 1.5 but the package installer says 2.8.4.1_2), installed it and now it works. Thanks for all the hard work on this. I and a lot of other Snort pfSense package users out there will really benefit from this fix. So much for the auto-blocking; now I have to troubleshoot the CIDR problem I'm having on my other post.

                                Thanks to jimp too. :)

                                sicnarf

                                Posted by jimp (Rebel Alliance Developer, Netgate)

                                  @jamesdean:

                                  jimp, if you could add the patches that you stated (http://redmine.pfsense.org/issues/show/53) to the mainline ASAP that would be great.

                                  I need to work on it a bit more, I'm not sure that is the best way to fix the core issue. It may be, though. If I can't come up with a better solution in a few days I will commit that to 2.0.

                                  Posted by Roodawakening

                                    This brings up another question: How do you implement Snort2c if one wanted to go that route? I don't see any reference to it on the settings page in Snort.

                                    But thanks for the fix. Snort2c was blocking everything and I found myself having to whitelist everything under the sun.

                                    "The descent to hell is easy. The gates stand open day and night. But to reclimb the slope and escape to the upper air: This is labor."
                                    –Virgil, Aeneid, Book 6

                                    Rob

                                    Posted by jamesdean

                                      The Block offenders option on the setting tab.

                                      james

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.