Snort and internal DNS issues



  • I am running pfSense 2.0-RELEASE (i386) built on Tue Sep 13 17:28:43 EDT 2011 and Snort 2.9.1 pkg v. 2.0.

    I am running the following Snort categories:

    emerging-imap.rules
    emerging-pop3.rules
    emerging-scan.rules
    emerging-smtp.rules
    emerging-snmp.rules
    emerging-sql.rules
    emerging-trojan.rules
    emerging-virus.rules
    snort_attack-responses.rules
    snort_backdoor.rules
    snort_botnet-cnc.rules
    snort_ddos.rules
    snort_exploit.rules
    snort_exploit.so.rules
    snort_imap.rules
    snort_imap.so.rules
    snort_local.rules
    snort_mysql.rules
    snort_phishing-spam.rules
    snort_pop3.rules
    snort_scan.rules
    snort_smtp.rules
    snort_smtp.so.rules
    snort_snmp.rules
    snort_specific-threats.rules
    snort_spyware-put.rules
    snort_sql.rules
    snort_telnet.rules
    snort_virus.rules
    snort_web-attacks.rules
    snort_web-cgi.rules
    snort_web-client.rules
    snort_web-client.so.rules
    snort_web-misc.rules
    snort_web-misc.so.rules
    snort_web-php.rules

    The bulk of my Snort alerts are:

    PRI PROTO DESCRIPTION CLASS SRC SPORT FLOW DST DPORT SID Date

    1 2 PROTO:255 PSNG_UDP_FILTERED_DECOY_PORTSCAN Attempted Information Leak 24.143.200.7 empty -> xxx.xxx.xxx.xxx empty 122:22:1

    The problem I am experiencing is that my local (internal) DNS server eventually stops receiving DNS responses from the root DNS servers on the Internet.  If I shut Snort down or clear the blocked list it starts working again.

    Somewhere for some reason Snort is stopping incoming DNS responses from the root servers, and I have no idea why.  This started under pfSense 2.0 and Snort 2.9.

    I have since shut Snort down and will probably remove the package altogether.  Is there a setting I am missing or a whitelist I need to create and maintain?  I would have assumed that Snort would allow root DNS responses to come in, but for one reason or another they are triggering alerts and shutting down my internal DNS server.

    Any thoughts?  Is this a bug I need to report or is it a setting I didn't tweak?



  • @tim.mcmanus:

    The bulk of my Snort alerts are:

    PRI PROTO DESCRIPTION CLASS SRC SPORT FLOW DST DPORT SID Date

    1 2 PROTO:255 PSNG_UDP_FILTERED_DECOY_PORTSCAN Attempted Information Leak 24.143.200.7 empty -> xxx.xxx.xxx.xxx empty 122:22:1

    The problem I am experiencing is that my local (internal) DNS server eventually stops receiving DNS responses from the root DNS servers on the Internet.  If I shut Snort down or clear the blocked list it starts working again.

    Somewhere for some reason Snort is stopping incoming DNS responses from the root servers, and I have no idea why.  This started under pfSense 2.0 and Snort 2.9.

    I have since shut Snort down and will probably remove the package altogether.  Is there a setting I am missing or a whitelist I need to create and maintain?  I would have assumed that Snort would allow root DNS responses to come in, but for one reason or another they are triggering alerts and shutting down my internal DNS server.

    Any thoughts?  Is this a bug I need to report or is it a setting I didn't tweak?

    Snort is blocking hosts that generate a Snort alert.
To suppress this alert go to Services: Snort: Suppression tab.

    1- In the Suppression Tab add this:

    suppress gen_id 122, sig_id 22

2- An important step is to go to the snort_interfaces_edit.php tab and select the suppress list you have just created in the Suppression and filtering drop-down option.

    3- Go to Services: Snort Blocked Hosts tab and remove the blocked host.

You must restart the interface when there are changes to this rule.

    Check Q: Do you have a quick example on how to use the Suppression Tab? Snort package FAQ
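The suppress entry in step 1 is keyed only on the generator and signature IDs (gen_id 122 is the portscan preprocessor, sig_id 22 is the UDP filtered decoy portscan event), so it silences that event for every source address. Snort's suppress syntax also documents an optional `track by_src|by_dst, ip <addr|cidr>` clause that limits the suppression to particular hosts or networks, which is what you would want if the goal is to stop the package blocking a known DNS server without going blind to the same event from everyone else. The script below is an added example, not part of this thread or of the pfSense Snort package; it parses suppress-list lines in Snort's threshold.conf syntax and applies them to constructed alert lines in Snort's alert_fast format. The 122:22 event and the two source addresses are taken from the posts above; the destination 203.0.113.5 and the 1:1000001 local rule are placeholders. The same parser handles an entry such as `suppress gen_id 3, sig_id 19187`.

```python
"""Apply Snort suppress-list entries to alert_fast log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample alerts in Snort's alert_fast format (not real log data).
# Portscan events carry {PROTO:255} and no ports; rule alerts carry ip:port.
SAMPLE_ALERTS = """\
12/05-00:39:58.000000  [**] [122:22:1] (portscan) UDP Filtered Decoy Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.33.4.12 -> 203.0.113.5
12/05-00:40:11.000000  [**] [122:22:1] (portscan) UDP Filtered Decoy Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 24.143.200.7 -> 203.0.113.5
12/05-00:41:02.000000  [**] [1:1000001:1] LOCAL example rule (hypothetical) [**] [Priority: 3] {UDP} 192.33.4.12:53 -> 203.0.113.5:53
"""

# The blanket entry exactly as given in the post above: every source is silenced.
BLANKET = "suppress gen_id 122, sig_id 22\n"

# Scoped alternative (assumption: uses Snort's documented track/ip clause)
# that silences 122:22 only when the source is c.root-servers.net.
SCOPED = "suppress gen_id 122, sig_id 22, track by_src, ip 192.33.4.12\n"

# suppress gen_id G, sig_id S[, track by_src|by_dst, ip ADDR[/PREFIX]]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
# [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*\{[^}]+\}\s+(\S+)\s+->\s+(\S+)\s*$")


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str] = None          # "by_src", "by_dst" or None (all hosts)
    net: Optional[ipaddress._BaseNetwork] = None

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        if (gid, sid) != (self.gen_id, self.sig_id):
            return False
        if self.track is None:           # blanket entry: any source/destination
            return True
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return addr in self.net


def parse_suppress_list(text: str) -> List[Suppress]:
    """Parse suppress lines; '#' comments and blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable suppress line: {line!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gid), int(sid), track, net))
    return rules


def _strip_port(endpoint: str) -> str:
    # IPv4 only: "a.b.c.d:port" has exactly one colon, a bare address has none.
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint


def parse_fast_alert(line: str) -> Tuple[int, int, str, str]:
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"not an alert_fast line: {line!r}")
    gid, sid, src, dst = m.groups()
    return int(gid), int(sid), _strip_port(src), _strip_port(dst)


def apply_suppress_list(alert_text: str, suppress_text: str) -> Tuple[List[str], List[str]]:
    """Return (kept, suppressed) as 'gid:sid src' strings, in log order."""
    rules = parse_suppress_list(suppress_text)
    kept, suppressed = [], []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        gid, sid, src, dst = parse_fast_alert(line)
        key = f"{gid}:{sid} {src}"
        (suppressed if any(r.matches(gid, sid, src, dst) for r in rules) else kept).append(key)
    return kept, suppressed


if __name__ == "__main__":
    for name, text in (("blanket", BLANKET), ("scoped", SCOPED)):
        kept, suppressed = apply_suppress_list(SAMPLE_ALERTS, text)
        print(f"{name}: suppressed={suppressed} kept={kept}")
```

With the blanket entry both portscan events disappear, including the one from 24.143.200.7; with the scoped entry only the event sourced from 192.33.4.12 is silenced and the other source still alerts (and, in the pfSense package, would still be blocked). A suppressed event is never logged, so the package has nothing to act on and the host is not added to the blocked list; that is the difference from a whitelist, which only exempts an address from blocking after the alert has already fired.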



  • Thanks for the suggestion.

    I have been using a whitelist for other IPs, but I find it very odd that with pfSense 1.2.3 this doesn't occur.  Additionally, I don't know why Snort would flag the root DNS servers as port scanning me.

    I am beginning to see a lot of false positives and Snort's port scanner alert.  More than I ever had under pfSense 1.2.3.

    I had to remove snort as a result.



  • The Snort rule sets are created for every Snort version.
    A version change will trigger different alerts. You need to adjust accordingly.



  • @RonpfS:

    The Snort rule sets are created for every Snort version.
    A version change will trigger different alerts. You need to adjust accordingly.

    Thanks, good to know.

    I just find it odd that queries from internal DNS servers to the root DNS servers and the replies are being flagged as port scans.

    I might reinstall Snort if I have the time to do testing.  More than likely there's something in the default snort_scan.rules that's triggering the alert.



  • Just reloaded Snort and whitelisted all of the root DNS servers.  Within 15 minutes of running it I see this:

    2 2 PROTO:255 PSNG_UDP_FILTERED_DECOY_PORTSCAN Attempted Information Leak 192.33.4.12 empty -> xxx.xxx.xxx.xxx 122:22:1 12/05-00:39:58

    The Cogent root server.

    Now I have to find the rule in the category that's causing this…



  • Even with the root servers whitelisted Snort still blocks incoming DNS queries.  I had to subsequently remove Snort because my internal DNS would fail over to pfSense and all internal DNS queries failed.

    I'm hoping this is fixed in an upgrade.



  • I get these as well and they are blocked, but I can reach the root DNS servers, with the following suppress:
    suppress gen_id 3, sig_id 19187

    Make sure you follow johnnybe's instructions.


Locked