Snort - Please help



  • I'm having real problems getting Snort to work on pfsense 1.0.

    The service is showing as running and I have the following rules enabled:

    Attack-response
    backdoor
    bad traffic
    ddos exploit
    porn
    spyware-put
    virus
    web attacks

    But I get no warnings or blocks, except for the VERY occasional port scan alert.

    To test the porn rules, I downloaded the headers from a.b.pictures.erotica (as it was explicitly blocked in the rules), but the data came through as per usual, and http porn sites are still browsable.

    I also turned on the chat rules and again, was able to open mIRC, connect and chat without anything being flagged up in SNORT

    What can I do in order to enable SNORT?

    I've tried stopping and starting the service, uninstalling then reinstalling, changing the rules I run, but nothing seems to make it actually block the sites I believe it should.

    Looking around the forum it looks like a fairly common problem, is SNORT broken?



  • ??? Switching from ac to lowmem has made alerts FINALLY start popping up (god knows why, I wasn't out of memory), however nothing is actually blocked despite the fact that SNORT says it has blocked the IPs concerned.

    I have got block offenders ticked



  • Are you using the shell and running top to see how much ram/cpu is being used or that gui page?  I know when I had issues, it was due lack of resources



  • I'm looking on the resources page (I'm new to linux so have no idea how to do anything else!), but my cpu and memory use is ~3% cpu and 18% -24% mem

    Immediately on starting snort, this shoots up to ~97%cpu and ~88%mem, but settles down to the figures above fairly quickly

    Does the Maxing of the cpu and mem on load indicate that the load is failing somewhere along the line?



  • If you hit 100% mem processes will be killed. Check status>systemlogs for terminating processes.



  • That doesn't seem to be the case :

    Oct 25 15:45:40 	snort[4906]: Snort initialization completed successfully (pid=4906)
    Oct 25 15:45:40 	snort[4906]: Snort initialization completed successfully (pid=4906)
    Oct 25 15:45:40 	snort[4906]: Not Using PCAP_FRAMES
    Oct 25 15:45:40 	snort[4906]: Not Using PCAP_FRAMES
    Oct 25 15:48:14 	snort2c[4909]: attack detected non-whitelisted ip: 194.109.21.230 blocked !
    Oct 25 15:48:14 	snort2c[4909]: attack detected non-whitelisted ip: 194.109.21.230 blocked !
    Oct 25 15:48:14 	snort2c[4909]: attack detected non-whitelisted ip: 194.159.164.195 blocked !
    Oct 25 15:48:14 	snort2c[4909]: attack detected non-whitelisted ip: 194.159.164.195 blocked !
    

    the blocked IP's refer to these intrusions :

     [ ** ] [ 1:6182:1 ] CHAT IRC channel notice [ ** ]  
    [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ]  
    10/25-15:48:14.827532 xxx.xxx.131.153:65507 -> 194.159.164.195:6666 
    TCP TTL:127 TOS:0x0 ID:2329 IpLen:20 DgmLen:94 DF 
    ***AP*** Seq: 0x9526AB21 Ack: 0x13230EA5 Win: 0xFFFF TcpLen: 20 
    
    [ ** ] [ 1:1729:6 ] CHAT IRC channel join [ ** ]  
    [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ]  
    10/25-15:48:15.093922 xxx.xxx.131.153:65507 -> 194.159.164.195:6666 
    TCP TTL:127 TOS:0x0 ID:30017 IpLen:20 DgmLen:73 DF 
    ***AP*** Seq: 0x9526AB57 Ack: 0x13230EA5 Win: 0xFFFF TcpLen: 20 
    

    The IP's are showing as blocked In the "Blocked screen" :

    194.159.164.195 	 CHAT IRC dns response
    

    and yet I'm still merrily chatting away in IRC

    The logs show nothing terminating and I am using the "blocked" IPs for IRC AFTER the warning / block.

    This is me reloading mirc and rejoining

     [ ** ] [ 1:1729:6 ] CHAT IRC channel join [ ** ]  
    [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ]  
    10/25-15:53:56.555003 xxx.xxx.131.153:61684 -> 194.159.164.195:6666 
    TCP TTL:127 TOS:0x0 ID:12741 IpLen:20 DgmLen:127 DF 
    ***AP*** Seq: 0x19193DC9 Ack: 0x24BFD0BE Win: 0xFFB9 TcpLen: 20 
    

    The IP is the same one that was banned previously and it was definitely showing as blocked at the time, so why am I able to rejoin the server and chat?

    What I'm most concerned about is that if it's not blocking that IP, is it blocking any of them?



  • I just committed a fix to snort2c to kill states, too.

    Reinstall the package after 9:25PM EST.



  • I am experiencing this issue as well. Not everything that is reportedly blocked is actually being blocked. Chat rules do appear to be blocking, however porn is not. If you type in nudeceleb.com, and you have porn to be blocked, it will still show. However, the site will appear in the blocked list. (I reinstalled the package just a few minutes ago. It does not block it still).



  • Still not working, using the nudeceleb test above :(



  • I think the porn rule in general does not work. None of the keywords successfully block the websites.



  • Neither does the chat (see the logs above). The problem, though, is that the keywords DO pick up the alert, the alert is then logged and the host's IP address added to the blocked hosts list, but it's not really blocked.

    The question is, if the porn rules don't block and the chat rules don't block, do any of them?



  • Hmm…odd. My chat rules used to block messenger. Now when I enabled chat rules it does not block it. I have been able to verify that running a port/vulnerability scan on my firewall will detect it and block it for an hour. Maybe snort is only blocking activity inbound from the WAN interface.



  • @PC_Arcade:

    Neither does the chat (see the logs above). The problem, though, is that the keywords DO pick up the alert, the alert is then logged and the host's IP address added to the blocked hosts list, but it's not really blocked.

    The question is, if the porn rules don't block and the chat rules don't block, do any of them?

    Snort isn't an IPS, it's an IDS.  It's not going to PREVENT the bad traffic, just detect it.  However, we do monitor for the bad traffic and block it after the fact so it can't happen again.  But if it's already in flight, it's not going to block it.

    –Bill



  • I realise that, BUT it isn't blocked and does allow visits after the "block" is in place.

    I can visit a site which triggers the block, close the browser, then restart the browser later (within the hour obviously) and browse to the site which shows as being blocked.

    In the IRC example above, I opened IRC, joined a chat room (at 15:48:14.827532) which caused snort to detect and SAY that it had blocked the IP (194.159.164.195:6666). I then closed mIRC, waited 5 mins and rejoined the SAME host at (15:53:56.555003).

    If it blocks after the fact, then how was I able to log on again 5 minutes later?

    I may be misunderstanding the usage of the term blocked in this context, how should it work?



  • @PC_Arcade:

    I realise that, BUT it isn't blocked and does allow visits after the "block" is in place.

    I can visit a site which triggers the block, close the browser, then restart the browser later (within the hour obviously) and browse to the site which shows as being blocked.

    In the IRC example above, I opened IRC, joined a chat room (at 15:48:14.827532) which caused snort to detect and SAY that it had blocked the IP (194.159.164.195:6666). I then closed mIRC, waited 5 mins and rejoined the SAME host at (15:53:56.555003).

    If it blocks after the fact, then how was I able to log on again 5 minutes later?

    I don't know, maybe you hit a bug that the package maintainer hasn't hit yet.  I didn't catch that you'd reloaded mirc in your previous email.  OTOH, maybe snort only blocks people port scanning, I dunno.  Guess we'll have to wait for the maintainer to chime in.

    –Bill



  • Try this.

    Use the Diagnostics Edit program to edit /tmp/rules.debug and find:

    block in quick from <snort2c> to any label "Block snort2c hosts"

    Change to:

    block quick from <snort2c> to any label "Block snort2c hosts"

    Save the file and then in Diagnostics, Command Prompt, Execute Shell command run:

    pfctl -f /tmp/rules.debug

    Does the block rule work correctly now?



  • No, I'm afraid not :(



  • From a shell, issue:

    fetch -o /etc/inc/filter.inc http://www.pfsense.com/~sullrich/filter.inc
    /etc/rc.filter_configure_sync

    Now try to trigger a block and test again.



  • I just tried all those procedures and nothing was blocked, or logged for that matter. Could this have something to do with running in lowmem performance?



  • Yes, it could.



  • I've found that lowmem doesn't work at all; switching to ac-sparsebands did the trick for me.

    AND I've just tried the fix above and SNORT is now working as I would expect it to :)

    Thank you VERY much sullrich, much appreciated.

    Out of interest, what was the change?



  • A number of changes have happened:

    • Snort2c now issues pfctl -k

    • The filter rules now block items in the snort2c table in both directions
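The two changes sullrich lists above (snort2c now issuing `pfctl -k`, and the pf rules blocking the table in both directions) explain the symptom PC_Arcade saw in the IRC logs earlier in the thread: adding an address to a pf table only affects packets evaluated against the ruleset from then on, so an already-established TCP session (the open mIRC connection) keeps flowing until its state entry is killed, and a rule written as `block in ... from <snort2c>` never matches the LAN side's outbound connection to that host at all. The following is an added example, not code from the pfSense snort2c package: it parses Snort "fast"-format alert blocks like the ones pasted above, picks the non-whitelisted end of the flow, and emits the `pfctl` invocations (table add plus state kills in both directions) together with the pair of pf rules that cover both directions. The sample alerts are constructed from the ones in the thread with a made-up RFC 1918 source address in place of the x'ed-out octets; `SAMPLE_ALERTS`, `WHITELIST` and the function names are this example's own. By default it only returns the commands it would run (dry run), since `pfctl` exists only on a pf host.

```python
"""Parse Snort fast-format alerts and build the pf commands a snort2c-style
blocker needs: add the offender to the <snort2c> table AND kill its existing
states in both directions.  Added example, not the snort2c package's code."""
import ipaddress
import re
import subprocess
from typing import List, Optional

# "[**] [gid:sid:rev] message [**]" header line (tolerates the extra spaces
# the forum rendering inserted around the brackets).
SID_RE = re.compile(
    r"\[\s*\*\*\s*\]\s*\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]"
    r"\s*(?P<msg>.*?)\s*\[\s*\*\*\s*\]"
)
# "MM/DD-HH:MM:SS.usec src:port -> dst:port" flow line.
FLOW_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[\d.x]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.x]+):(?P<dport>\d+)"
)

# Constructed sample modelled on the alerts pasted in this thread; the
# x'ed-out source octets are replaced by a constructed private address.
SAMPLE_ALERTS = """\
[**] [1:6182:1] CHAT IRC channel notice [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
10/25-15:48:14.827532 192.168.131.153:65507 -> 194.159.164.195:6666
TCP TTL:127 TOS:0x0 ID:2329 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x9526AB21 Ack: 0x13230EA5 Win: 0xFFFF TcpLen: 20

[**] [1:1729:6] CHAT IRC channel join [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
10/25-15:48:15.093922 192.168.131.153:65507 -> 194.159.164.195:6666
TCP TTL:127 TOS:0x0 ID:30017 IpLen:20 DgmLen:73 DF
***AP*** Seq: 0x9526AB57 Ack: 0x13230EA5 Win: 0xFFFF TcpLen: 20
"""

# Addresses that must never be blocked (the LAN, like the thread's whitelist).
WHITELIST = [ipaddress.ip_network("192.168.0.0/16")]


def parse_alerts(text: str) -> List[dict]:
    """Return one dict per alert that has both a header and a flow line."""
    alerts: List[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            cur = {"sid": f"{m['gid']}:{m['sid']}:{m['rev']}", "msg": m["msg"]}
            alerts.append(cur)
            continue
        m = FLOW_RE.match(line.strip())
        if m and cur is not None:
            cur.update(src=m["src"], dst=m["dst"],
                       sport=int(m["sport"]), dport=int(m["dport"]))
    return [a for a in alerts if "src" in a]


def offender(alert: dict) -> Optional[str]:
    """The first end of the flow that is a real, non-whitelisted address."""
    for ip in (alert["src"], alert["dst"]):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. x'ed-out octets pasted into a forum post
        if not any(addr in net for net in WHITELIST):
            return str(addr)
    return None


def pf_rules(table: str = "snort2c") -> List[str]:
    """Block the table in both directions: traffic from it (WAN side) and
    traffic to it (the LAN host's own outbound connection)."""
    return [
        f'block quick from <{table}> to any label "Block {table} hosts"',
        f'block quick from any to <{table}> label "Block {table} hosts"',
    ]


def block_commands(ip: str, table: str = "snort2c") -> List[List[str]]:
    """Table add alone leaves established states (the open IRC session)
    untouched, so also kill states with ip as source and as destination."""
    return [
        ["pfctl", "-t", table, "-T", "add", ip],
        ["pfctl", "-k", ip],                      # states from ip
        ["pfctl", "-k", "0.0.0.0/0", "-k", ip],   # states to ip
    ]


def block_offenders(text: str, dry_run: bool = True) -> List[str]:
    """Block each distinct offender once; returns the commands issued."""
    seen, issued = set(), []
    for alert in parse_alerts(text):
        ip = offender(alert)
        if ip is None or ip in seen:
            continue
        seen.add(ip)
        for cmd in block_commands(ip):
            issued.append(" ".join(cmd))
            if not dry_run:
                subprocess.run(cmd, check=True)
    return issued


if __name__ == "__main__":
    print("\n".join(pf_rules()))
    print("\n".join(block_offenders(SAMPLE_ALERTS)))
```

The second `pfctl -k` form (`-k 0.0.0.0/0 -k <ip>`) is the one that matters for the symptom in the thread: a LAN client's session has the blocked host as its destination, and `pfctl -k <ip>` on its own only removes states whose source is that host. Without both kills, the table entry shows the host as "blocked" while the existing connection carries on exactly as PC_Arcade described.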



  • @PC_Arcade:

    I've found that lowmem doesn't work at all, switching to ac-sparsebands did the trick for me

    AND I've just tried the fix above and SNORT is now working as I would expect it to :)

    So keeping up with this post, should all of us that are having issues do the following:

    *Reinstall the package if we have not done so in the past day or two?
    *Change to ac-sparsebands from whatever other scheme was selected?
    *Run  Use the Diagnostics Edit program to edit /tmp/rules.debug ….?
    *Run the scripts/commands that Sullrich just posted right before this post?
    *Cross fingers?

    Thanks... I just want to clarify steps to correct/enhance this very useful package



  • @unforeseen:

    So keeping up with this post, should all of us that are having issues do the following:

    *Reinstall the package if we have not done so in the past day or two?
    *Change to ac-sparsebands from whatever other scheme was selected?
    *Run  Use the Diagnostics Edit program to edit /tmp/rules.debug ….?
    *Run the scripts/commands that Sullrich just posted right before this post?
    *Cross fingers?

    Thanks... I just want to clarify steps to correct/enhance this very useful package

    That sounds about right.  I should note that the filter changes will be included with 1.0.1 which is scheduled for release sometime this weekend.



  • As a matter of interest, what are the memory requirements for snort in its various modes (ac, sparsebands, lowmem etc.)?

    I'm running with 256mb and it seems like it's not enough (nowhere near enough?)

    I'll upgrade the ram if needs be, but I'd like to make sure I get enough :)



  • Depends on which rules you use. In general it's "just snort" so you should check out requirements at the snort homepage/mailinglists.



  • 512 megs of ram or above.  The release notes for pfSense mention a GIG.

    Snort is really a hog.



  • Thanks, I'll upgrade then :)



  • Hi all,

    sorry for my 'noobiness' with all this snort business,
    but I'm having a problem with the snort+pfsense combination.

    some detail:
    pfsense-1.0-RC3
    download and install snort package from pfsense :
    snort
    BETA
    2.6.0.2.4
    platform: 1.0

    Got the oinkcode from snort.org and then it started downloading
    some of the rules.

    Have NOT messed with the settings after that ( not ticking
    any rules etc ),
    though it generates alerts, ever since it's activated with the oink code.
    Next day, I found it blocked some IPs ( my IP too ).

    Tried to put my IP in the whitelist. But I couldn't go through.

    Had to de-install snort and revert to the original config.

    What would be the 'minimal' setup setting for snort in pfsense ?
    Originally, I intend to put DNS rule in snort

    ps : you can't sort of disable snort once it's installed and activated
          with oink code, can you ?

    Thanks for the help.
    -networknoob



  • @networknoob:

    pfsense-1.0-RC3

    You have to upgrade. Snort won't work properly with that version.



  • Hoba : Thx for the quick reply. will try that one and we'll see how it goes

