Snort HOME_NET addrs blocked

  • I'm new to snort, and it's possible I have something misconfigured, but I'm seeing undesirable behavior with HOME_NET hosts getting blocked.

    This is on pfsense 1.2.3, the snort v1.27 package.  I have snort enabled on WAN interface only, and currently using just Emergintthreats rulsets (due to the download issue).  I've created a whitelist with some specific hosts to not block, and I've added a few subnets to a netlist and selected that as HOME_NET.

    What I see as problems are things like a local client (ie. within HOME_NET) sending traffic to a webserver and tripping a Russian Business Network rule.  When this happens, I suspect it's the client being redirected there, ie. they are the one being attacked, and I would expect/like it to block the destination host of that traffic (ie. the web server), but what actually happens is the local client (source host) gets added to the block list.

    As another example, a local client tried to connect to a webserver that is in the Spamhaus list/rules, and they were similarly blocked.

    As mentioned, I'm brand new to snort, so this may be a bad analysis, but in looking at those rules, they use the bidirection operator, eg. "<> $HOME_NET any", to tell it to match traffic in either direction.  I don't know if snort examines only inbound or also outbound traffic (seems like it must do both).  But if there is a match on a bidrectional rule like that, shouldn't pfsense pay attention to the direction of the traffic when blocking?  Eg. if it's inbound on the interface snort it listening on, you'd block the source address; if it's outbound on that interface, you block the destination.

    As far as HOME_NET goes, should those hosts ever be getting blocked?  I can manually add hosts to the whitelist and they stop getting blocked, but without cidr support there it seems painful (eg. right now my HOME_NET has a /20 and a /24 .. that'd take >4300 whitelist entries to accomplish).  It seems like if I wanted to block those HOME_NET hosts I'd be using some different rules/policy, and I'd expect to start a second instance of snort on the interface they're connected to with those settings - ie. I would expect outgoing traffic from HOME_NET hosts to never block them.

    Thanks for any comments/insight.

  • Another example that just just turned up, this time not using the bidirectional operator, is a mail server just got blocked for "ET VIRUS OUTBOUND Suspicious Email Attachment".  It is in SMTP_SERVERS, but I suppose that's a "pfsense thing" not something Emergingthreats knows about.

    Should all the servers you list under Servers tab get put in the whitelist automatically, so this doesn't happen?  Or is my original suspicion correct that HOME_NET should not be getting blocked, and something's wrong?

  • A brief update, to "fix" this I created a large whitelist of IP addrs from HOME_NET (not all 4300+, a subset  of specific ones).  Can anyone confirm that this is normal behavior to block HOME_NET hosts, or if something is wrong?

    (Coincidentally, there's another recent thread where some it trying to block some LAN side hosts and not able to … I'd be willing to trade circumstances.  :)

  • I am not sure the whitelist in the servers tab works in 1.27 or even the latest version of snort

    What IPs are in /usr/local/etc/snort/whitelist/defaultwlist  ?

  • The whitelist seems to work fine, that's what I used to "fix" the problem with HOME_NET hosts getting blocked.

    To answer your question, I don't have a /usr/local/etc/snort/whitelist/defaultwlist, I do have a /usr/local/etc/snort/whitelist/TMPWList (which is the name of the temp whitelist I created/assigned), which contains the LAN and OPT1 cidr subnets, dns server addrs, localhost, and all the ip addrs I added to the whitelist.

  • Well I am running 1.31 since 1.27 is broken so that may be the difference there. I think the default is generated automatically just not sure when. I had a problem with an VLAN/interface being blocked because it wasn't in the default whitelist

  • This exact problem has come to "bite" me again.  I'm setting up a second box (2.0 BETA4 from Aug 31, snort 1.34) on a larger network, and having the same problems with HOME_NET hosts being blocked.  My previous workaround was to create a whitelist of all the addrs in use on the network – that would work again except this is a larger network size and there appears to be a bug/limitation in the whitelist editing gui that only allows 298 hosts.

    Any ideas on how the actual problem here (HOME_NET hosts being blocked) could be fixed?  Secondly, any chance CIDR notation could be added to whitelists?  Or possibly changed to allow Firewall aliases to be members of whitelists.

    I'd really like to run snort in blocking mode, but it's completely unusable on all but a small (<298 hosts) network like this.

Log in to reply