Netgate Discussion Forum
Snort security issue bug within TCP/UDP scan detection blocking tool

IDS/IPS
6 Posts 3 Posters 611 Views
  • J
    JonathanLee
    last edited by Aug 25, 2023, 3:25 PM

    I thought I should report this. I have noticed a couple of times that the Snort package cannot determine the difference between a decoy scan using the host's actual WAN IP address or DNS address versus a non-decoy nmap scan. This is when Snort has scan detection and blocking enabled on the WAN interface, and it results in degraded external DNS resolvers or an offlined system.

    Steps to reproduce: use the host's WAN IP address and perform a decoy TCP/IP nmap scan of the WAN address with it from an external system. Snort will detect the scan and block its own WAN address, creating a denial-of-service event. This can also be done with a DNS address such as 8.8.8.8, forcing the DNS to be blocked.

    Keep in mind the nmap run would have to use the host's WAN address for its decoy address.

    I have had this occur several times already.

    Possibly for a resolution: when an nmap scan occurs externally from your firewall's WAN IP address (a "decoy"), the firewall should black hole it, hence creating an auto-reply custom TCP response.

    The Snort system can be preconfigured to auto-reply when a scan occurs from a decoy address of its own WAN address.

    This is a concern. I have also showcased this with Palo Alto during my cyber security class at Sierra College.

    How can this be fixed without changing interfaces?

    Jonathan Lee

    Make sure to upvote

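    The failure mode described in this post, modelled as an added example (this is not Snort's or pfSense's own code): an IDS that blocks the source address of every port scan alert will block its own WAN IP and its DNS server when a scanner spoofs those as decoy sources, unless those addresses are on a pass list. The alert lines, the WAN address 203.0.113.10 and the scanner address 198.51.100.7 are constructed and only approximate Snort's one-line fast-alert layout.

```python
"""Model of an IDS "block the scan source" action with and without a pass list.
Added example, not Snort's or pfSense's code; alert lines are constructed."""
import ipaddress
import re

# sfportscan (Snort's port scan preprocessor) emits alerts under generator id 122.
PORTSCAN_GID = "122"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{[^}]*\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed: the firewall's WAN address and the external DNS server it uses.
WAN_IP = "203.0.113.10"
DNS_SERVER = "8.8.8.8"
# Constructed alerts: 198.51.100.7 is the real scanner; the other two scan
# "sources" are spoofed decoys that happen to be the firewall's own addresses.
SAMPLE_ALERTS = [
    "08/25-15:20:01.000001 [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 198.51.100.7 -> 203.0.113.10",
    "08/25-15:20:01.000002 [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 203.0.113.10 -> 203.0.113.10",
    "08/25-15:20:01.000003 [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 8.8.8.8 -> 203.0.113.10",
    "08/25-15:20:05.000004 [**] [1:1000001:1] constructed non-scan rule [**] "
    "[Priority: 1] {TCP} 198.51.100.7:4444 -> 203.0.113.10:22",
]


def parse_scan_sources(alert_lines):
    """Yield the source address of every port scan alert; ignore other alerts."""
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and m["gid"] == PORTSCAN_GID:
            yield ipaddress.ip_address(m["src"])


def decide_blocks(alert_lines, pass_list=()):
    """Return (blocked, skipped): scan sources that would be blocked, and those
    left alone because they are on the pass list (own WAN IP, DNS, gateway)."""
    passed = {ipaddress.ip_address(a) for a in pass_list}
    blocked, skipped = set(), set()
    for src in parse_scan_sources(alert_lines):
        (skipped if src in passed else blocked).add(str(src))
    return blocked, skipped


if __name__ == "__main__":
    print("no pass list:  ", decide_blocks(SAMPLE_ALERTS))
    print("with pass list:", decide_blocks(SAMPLE_ALERTS, [WAN_IP, DNS_SERVER]))
```

    With an empty pass list the firewall blocks its own WAN IP and 8.8.8.8 along with the scanner; with both addresses passed, only the real scanner is blocked.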
    • J
      JonathanLee
      last edited by Aug 25, 2023, 4:08 PM

      Packet crafting could in theory be used to auto-reply to the invasive decoy nmap scan when it is run with your own WAN IP address.

      Make sure to upvote

      • B
        bmeeks
        last edited by bmeeks Aug 25, 2023, 5:45 PM

        These types of issues should be reported to Snort upstream. There is nothing to be done on the pfSense end. All pfSense does is take the stock binary from upstream and wrap it with a PHP GUI for ease of administration. All of the actual work of detection is done by the binary daemon running under FreeBSD. That binary daemon code comes directly from Snort upstream.

        I've also mentioned in another thread you visited that the port scan preprocessor in Snort is virtually worthless these days and really should not be used. It is prone to very frequent false positives.

        By the way, the same is true for Suricata as well.

        • J
          JonathanLee @bmeeks
          last edited by Aug 25, 2023, 6:26 PM

          @bmeeks thanks for the reply. How can I submit this upstream to them? I actually use the preprocessors; they work for me, but again, it took a lot to get it right.

          Make sure to upvote

          • M
            michmoor LAYER 8 Rebel Alliance @bmeeks
            last edited by Aug 26, 2023, 12:52 AM

            @bmeeks what do the multiple preprocessors do?

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            • B
              bmeeks @michmoor
              last edited by bmeeks Aug 27, 2023, 10:17 PM

              @michmoor said in Snort security issue bug within TCP/UDP scan detection blocking tool:

              @bmeeks what do the multiple preprocessors do?

              1. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html

              2. https://www.informit.com/articles/article.aspx?p=101148&seqNum=2

              3. https://www.oreilly.com/library/view/snort-cookbook/0596007914/ch04.html

              https://www.google.com/search?q=snort+preprocessors
