SNORT FALSE POSITIVE



  • I have done just about anything and everything I can think of with trying to stop SNORT from not blocking a certain public IP that is used for VPN access on a site-to-site connection. I am running PFsense 1.2.3 Release and using SNORT 2.8.5.3 pkg v. 1.25

    Basically if I install snort and not even enable any categories this public IP will still get blocked. Even if I don't enable any of the processors the IP will still get blocked. Even if I whitelist all LAN, WAN, and VPN connections, "the freaking IP still gets blocked"!!! I have other tunnels that don't get blocked. Only the one specific IP. Note: I am using IPsec VPN site-to-site tunnels.

    The IP will get blocked only when traffic travels across the tunnel. The type of traffic is a DVR remote cameras system. I have another remote camera system that travels down a different tunnel on the same PF box and nothing is ever alerted or blocked????

    I have reinstalled the PFsense box 6 times and deleted and reinstalled snort more times than I have fingers and toes. I have checked and reconfigured the VPN to make sure all is well.

    The alert I am getting is (spp_frag3) Fragmentation overlap. I am getting this message alert in snort almost exactly every 60 seconds. But it only happens when traffic is going across the tunnel. The SID ID states 123:8:1.

    I cannot find that ID anywhere in the categories, which should not even matter if I never enable any of them just to see if that was causing the block issue. Now if I uncheck block offenders, it will still alert me but it will not block the IP. But hey, I am trying to block offenders not watch them attack the heck out of my network.

    Anyways, I can barely find any info when I google. I see that some people have had this error as well, but no one has an answer for it that I can see.

    Any help would really be appreciated. I have used pfsense since its dawn and have always had issues with the SNORT package when it first came available as an add on.

    Thanks,

    MDP



  • @darklogic

    The issue you have is that you do not know how to stop "(spp_frag3) Fragmentation overlap" alerts.
    The alert you are seeing is caused by a misconfiguration on your part and because WHITELIST cidrs do not work on snort as of right now.
    (I'll fix it when I have free time)

    By the way the alert you are seeing is not a signature alert but a preprocessor alert.

    I have built the snort gui so that there are many different ways to quiet down noisy alerts.

    1. The first way is to adjust the snort signature that is causing that alert.
    (In your case you can not do this because the alert you are seeing is a preprocessor alert)

    2. The second way is to disable the snort signature.
    (Again, in your case you can not do this because the alert you are seeing is a preprocessor alert)

    3. The third way is to create a NETLIST adding your IP or CIDR to that NETLIST. Finally, add that newly created NETLIST to the snort rule Home net.

    4. The fourth way is to create a Suppression rule.

    5. The fifth way is to add that IP to the WHITELIST.
    (You will still see alerts but they will not be blocked)

    It is important that you restart the snort rule interface when you're done making changes.
    It took me a long time to build the snort package to this point I hope you guys appreciate the thousand or so lines of code and the countless hours of my free time.

    James
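A worked example of James's option 4, added here and not taken from the thread or from the pfSense snort package: it parses Snort alert_fast lines (constructed samples that reuse the 123:8:1 preprocessor id the original poster reported), flags GID 123 as a preprocessor alert that no rule category can switch off, and emits the Snort 2.x `suppress` directive that silences that one GID:SID for a single remote IP. It assumes the alert_fast line layout and the `suppress gen_id ..., sig_id ..., track ..., ip ...` syntax from the Snort 2.x manual; addresses and the GID 1 local rule are made up.

```python
import re

# Constructed sample lines in Snort "alert_fast" format. The 123:8:1 id and the
# "(spp_frag3) Fragmentation overlap" text are what the thread reports; the
# addresses and the local rule (GID 1, SID 1000001) are made up for this demo.
SAMPLE_ALERTS = [
    "07/01-10:00:01.000000  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] "
    "[Priority: 3] {UDP} 203.0.113.10 -> 192.0.2.5",
    "07/01-10:01:01.000000  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] "
    "[Priority: 3] {UDP} 203.0.113.10 -> 192.0.2.5",
    "07/01-10:01:05.000000  [**] [1:1000001:1] LOCAL constructed test rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:4444 -> 192.0.2.5:80",
]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# GID 1 is text rules and GID 3 is shared-object rules; any other generator id is a
# preprocessor or decoder, which no rule category can enable or disable.
RULE_GIDS = {1, 3}

def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev"):
        fields[key] = int(fields[key])
    return fields

def is_preprocessor_alert(alert):
    return alert["gid"] not in RULE_GIDS

def suppress_directive(alert, track="by_src"):
    """Snort 2.x 'suppress' line that silences this GID:SID for one peer only."""
    ip = alert["src"] if track == "by_src" else alert["dst"]
    return f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, track {track}, ip {ip}"

def suppress_directives(lines, only_preprocessor=True):
    """Deduplicated suppress lines for the alerts seen (preprocessor alerts only by default)."""
    out = set()
    for line in lines:
        alert = parse_alert(line)
        if alert and (is_preprocessor_alert(alert) or not only_preprocessor):
            out.add(suppress_directive(alert))
    return sorted(out)
```

The generated line only takes effect once snort.conf loads it (in the pfSense package, by selecting the suppression list on the interface edit tab) and the interface is restarted, as James notes later in the thread.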



  • James,

    Thanks for the reply. I am sorry if I came off critical in any shape or form. My words are based off of frustration right now because I am not able to utilize the snort package because of this issue I am having with the (spp_frag3) Fragmentation overlap. I realize that is not in any category after doing some digging. I tried adding it to the white list under the var/db/white list, I also tried the local user list as well. I restarted the security interface and I was still receiving the errors as you stated, but the IP is still getting blocked over this alert.

    I am not certain on how to do suggestions 3 and 4. Would you have time to maybe write a procedure to do this?

    Again I apologize if I came off like I was being critical of the snort package. I know it is easy for one to sit back and pick something apart, but in all means that is not what I am doing. I appreciate everything you have contributed to the snort package, that is why I am so frustrated that I can't utilize it right now over my issue.

    Something else. The VPN tunnel is configured as all my other tunnels. They are also rock solid and never go down. Could you please point out what I did wrong to get the (spp_frag3) Fragmentation overlap error, because I can't seem to find an issue?

    Again, thanks for all you do, and I hope you find time to help me on these issues.

    Thanks,

    Matt



  • Check this reply http://forum.pfsense.org/index.php/topic,23647.msg130208.html#msg130208 on how I THINK I was able to whitelist an IP. As far as your VPN issue, in global settings do you have Automatically whitelist VPNs checked? I would suggest removing the CIDR from the whitelist tab if you have them in there. This is a shot in the dark but you can try to look up how to add your VPN as an interface in pfsense 1.2.3 then enable it in snort with no rules enabled.



  • I tried a few things with the suppression and whitelist as suggested and I am having no luck. I decided to open up some ports and run the service over the net allowing connections from only certain static public IPs using the firewall rules. I would prefer to continue using the IPsec tunnels for transmitting the DVR video stream, but I am not able to because SNORT keeps blocking the IPs of the connecting host even though I put them in whitelist and create suppression rules. Maybe I am doing something wrong with the suppression rules. The SNORT package works great with everything else, just having issues with this data being transmitted over the tunnels. Again, it only blocks the IP of the other end node when DVR data is transmitted, all other data is perfectly fine??? I also upgraded to SNORT 2.8.6 pkg v. 1.26

    I have one other question on SNORT. I just purchased premium SNORT rules VRT and selected the SNORT premium rules radio button. Now I never changed my oinkmaster code or anything like that, and did not receive any errors when clicking update. According to snort.org there is something that needed to be done in a config file to start receiving premium rules over the basic rules. My question is does selecting that radio button make those changes and how do I know if I am receiving premium rules?

    Thanks,

    Matt



  • Please post the exact alert you are having problems with.

    Remember it is not enough to create a suppression list or a white list, you also have to select those lists from the interface edit tab.

    James



  • James, I have tried the same with snort 1.25 and pf 1.2.3

    I posted screenshots below of my configuration. Here is the alert http://www.snortid.com/snortid.asp?QueryId=1:11969

    Edit: As a side note the snort package doesn't get along with chrome. Stumped me for a bit why things weren't working lol.




