Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    Scheduled Pinned Locked Moved pfSense Packages
    331 Posts 38 Posters 289.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F Offline
      Fesoj
      last edited by

      Cino,

      I do not have any problems with bogus blockings (and I tested new version quit a lot today), but my pfSense box is not an edge router and the "WAN" side has a static address that showed up automatically in the default HOME_NET.

      1 Reply Last reply Reply Quote 0
      • E Offline
        eri--
        last edited by

        Cino,

        please either snort config or snort package xml on config.xml?

        1 Reply Last reply Reply Quote 0
        • D Offline
          dwood
          last edited by

          Ermal, I've been uninstalling Snort, running the command "find /* | grep -i snort | xargs rm -rv" then reinstalling.  I have to assume that this process would always replace the binary files?

          I haven't reinstalled since yesterday in the site that's best for testing (live site!) so not sure if a reinstall will fix the WAN blocking…

          1 Reply Last reply Reply Quote 0
          • C Offline
            Cino
            last edited by

            here is my config, I'm trying see if i re-produce this on-demand… cause now it seems to be working just fine... Go figure right? lol

            but i did another (de)install, saved every paged.. then rebooted

            
            # snort configuration file
            # generated automatically by the pfSense subsystems do not modify manually
            
            # Define Local Network  #
            var HOME_NET [127.0.0.1,10.0.0.0/8,2001:470:x:x::/64,x.x.x.x/22,192.168.0.1/24,2001:470:x:x::1/64,192.168.200.1/32,172.16.50.1/32,2001:470:x:x::2/64,192.168.5.1/24,x.x.x.1,209.18.47.61,209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24]
            var EXTERNAL_NET [!$HOME_NET]
            
            # Define Rule Paths #
            var RULE_PATH /usr/local/etc/snort/snort_60770_em3/rules
            var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
            
            # Define Servers  #
            var DNS_SERVERS [$HOME_NET]
            var SMTP_SERVERS [$HOME_NET]
            var HTTP_SERVERS [$HOME_NET]
            var WWW_SERVERS [$HOME_NET]
            var SQL_SERVERS [$HOME_NET]
            var TELNET_SERVERS [$HOME_NET]
            var SNMP_SERVERS [$HOME_NET]
            var FTP_SERVERS [$HOME_NET]
            var SSH_SERVERS [$HOME_NET]
            var POP_SERVERS [$HOME_NET]
            var IMAP_SERVERS [$HOME_NET]
            var SIP_PROXY_IP [$HOME_NET]
            var SIP_SERVERS [$HOME_NET]
            var RPC_SERVERS [$HOME_NET]
            var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
            
            # Define Server Ports  #
            portvar DNS_PORTS [53]
            portvar SMTP_PORTS [25]
            portvar MAIL_PORTS [25,143,465,691]
            portvar HTTP_PORTS [80]
            portvar ORACLE_PORTS [1521]
            portvar MSSQL_PORTS [1433]
            portvar TELNET_PORTS [23]
            portvar SNMP_PORTS [161]
            portvar FTP_PORTS [21]
            portvar SSH_PORTS [22]
            portvar POP2_PORTS [109]
            portvar POP3_PORTS [110]
            portvar IMAP_PORTS [143]
            portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
            portvar SIP_PORTS [5060:5090,16384:32768]
            portvar AUTH_PORTS [113]
            portvar FINGER_PORTS [79]
            portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
            portvar SMB_PORTS [139,445]
            portvar NNTP_PORTS [119]
            portvar RLOGIN_PORTS [513]
            portvar RSH_PORTS [514]
            portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
            portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
            portvar SHELLCODE_PORTS [!80]
            portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
            portvar DCERPC_NCACN_IP_TCP [139,445]
            portvar DCERPC_NCADG_IP_UDP [138,1024:]
            portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
            portvar DCERPC_NCACN_UDP_LONG [135,1024:]
            portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
            portvar DCERPC_NCACN_TCP [2103,2105,2107]
            portvar DCERPC_BRIGHTSTORE [6503,6504]
            
            # Configure the snort decoder  #
            config checksum_mode: all
            config disable_decode_alerts
            config disable_tcpopt_experimental_alerts
            config disable_tcpopt_obsolete_alerts
            config disable_ttcp_alerts
            config disable_tcpopt_alerts
            config disable_ipopt_alerts
            config disable_decode_drops
            
            # Configure the detection engine  #
            config detection: search-method ac-bnfa max_queue_events 5
            config event_queue: max_queue 8 log 3 order_events content_length
            
            #Configure dynamic loaded libraries
            dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
            dynamicengine directory /usr/local/lib/snort/dynamicengine
            dynamicdetection directory /usr/local/lib/snort/dynamicrules
            
            # Flow and stream #
            preprocessor frag3_global: max_frags 8192
            preprocessor frag3_engine: policy bsd detect_anomalies
            
            preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
            preprocessor stream5_tcp: policy BSD, ports both all, max_queued_bytes 10485760, max_queued_segs 26210
            preprocessor stream5_udp:
            preprocessor stream5_icmp:
            
            # Performance Statistics #
            preprocessor perfmonitor: time 300 file /var/log/snort/snort_em360770/em3.stats pktcnt 10000
            
            # HTTP Inspect  #
            preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
            
            preprocessor http_inspect_server: server default \
                                    ports  { 80 }  \
                                    non_strict \
                                    non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                                    flow_depth 300  \
                                    apache_whitespace no \
                                    directory no \
                                    iis_backslash no \
                                    u_encode yes \
            			extended_response_inspection \
            			inspect_gzip \
            			normalize_utf \
            			normalize_javascript \
            			unlimited_decompress \
                                    ascii no \
                                    chunk_length 500000 \
                                    bare_byte yes \
                                    double_decode yes \
                                    iis_unicode no \
                                    iis_delimiter no \
                                    multi_slash no
            
            # Other preprocs #
            preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
            
            # Back Orifice
            preprocessor bo
            
            # ftp preprocessor  #
            preprocessor ftp_telnet: global \
            inspection_type stateless
            
            preprocessor ftp_telnet_protocol: telnet \
               normalize \
               ayt_attack_thresh 200
            
            preprocessor ftp_telnet_protocol: \
                ftp server default \
                def_max_param_len 100 \
                ports { 21 } \
                ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
                ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
                ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
                ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
                ftp_cmds { FEAT CEL CMD MACB } \
                ftp_cmds { MDTM REST SIZE MLST MLSD } \
                ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
                alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
                alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
                alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
                alt_max_param_len 256 { RNTO CWD } \
                alt_max_param_len 400 { PORT } \
                alt_max_param_len 512 { SIZE } \
                chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
                chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
                chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
                chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
                chk_str_fmt { FEAT CEL CMD } \
                chk_str_fmt { MDTM REST SIZE MLST MLSD } \
                chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
                cmd_validity MODE < char ASBCZ > \
                cmd_validity STRU < char FRP > \
                cmd_validity ALLO < int [ char R int ] > \
                cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
                cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
                cmd_validity PORT < host_port >
            
            preprocessor ftp_telnet_protocol: ftp client default \
               max_resp_len 256 \
               bounce yes \
               telnet_cmds yes
            
            # SMTP preprocessor #
            preprocessor SMTP: \
                ports { 25 143 465 691 } \
                inspection_type stateful \
                normalize cmds \
                valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
            CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
            PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                max_header_line_len 1000 \ 
                max_response_line_len 512 \
                alt_max_command_line_len 260 { MAIL } \
                alt_max_command_line_len 300 { RCPT } \
                alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
                alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
                alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
                alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
                alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                xlink2state { enable }
            
            # sf Portscan  #
            preprocessor sfportscan: scan_type { all } \
                                     proto  { all } \
                                     memcap { 10000000 } \
                                     sense_level { medium } \
                                     ignore_scanners { $HOME_NET }
            
            # DCE/RPC 2   #
            preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
            preprocessor dcerpc2_server: default, policy WinXP, \
                detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
                autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
                smb_max_chain 3
            
            # DNS preprocessor #
            preprocessor dns: \
                ports { 53 } \
                enable_rdata_overflow
            
            preprocessor sensitive_data:
            
            # Ignore SSL and Encryption  #
            preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted
            
            # Snort Output Logs #
            output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
            
            output unified2: filename snort_60770_em3.u2, limit 128
            output alert_pf: /usr/local/etc/snort/snort_60770_em3/MainWhiteList,snort2c,src,
            
            # Misc Includes #
            include /usr/local/etc/snort/snort_60770_em3/reference.config
            include /usr/local/etc/snort/snort_60770_em3/classification.config
            include $PREPROC_RULE_PATH/sensitive-data.rules
            include $PREPROC_RULE_PATH/decoder.rules
            include $PREPROC_RULE_PATH/preprocessor.rules
            
            include /usr/local/etc/snort/snort_60770_em3/suppMainSuppressList
            
            # Snort user pass through configuration
            
            # Rules Selection #
            include $RULE_PATH/snort_attack-responses.rules
            include $RULE_PATH/snort_bad-traffic.so.rules
            include $RULE_PATH/emerging-attack_response.rules
            include $RULE_PATH/snort_backdoor.rules
            include $RULE_PATH/emerging-botcc.rules
            include $RULE_PATH/snort_bad-traffic.rules
            include $RULE_PATH/snort_dos.so.rules
            include $RULE_PATH/snort_blacklist.rules
            include $RULE_PATH/snort_exploit.so.rules
            include $RULE_PATH/emerging-ciarmy.rules
            include $RULE_PATH/snort_botnet-cnc.rules
            include $RULE_PATH/emerging-compromised.rules
            include $RULE_PATH/emerging-current_events.rules
            include $RULE_PATH/snort_content-replace.rules
            include $RULE_PATH/snort_misc.so.rules
            include $RULE_PATH/snort_ddos.rules
            include $RULE_PATH/emerging-dos.rules
            include $RULE_PATH/snort_dos.rules
            include $RULE_PATH/emerging-dshield.rules
            include $RULE_PATH/emerging-exploit.rules
            include $RULE_PATH/snort_exploit.rules
            include $RULE_PATH/snort_web-client.so.rules
            include $RULE_PATH/snort_web-misc.so.rules
            include $RULE_PATH/emerging-malware.rules
            include $RULE_PATH/emerging-misc.rules
            include $RULE_PATH/emerging-mobile_malware.rules
            include $RULE_PATH/snort_indicator-compromise.rules
            include $RULE_PATH/snort_indicator-obfuscation.rules
            include $RULE_PATH/snort_misc.rules
            include $RULE_PATH/emerging-rbn-malvertisers.rules
            include $RULE_PATH/emerging-rbn.rules
            include $RULE_PATH/emerging-rpc.rules
            include $RULE_PATH/emerging-scan.rules
            include $RULE_PATH/emerging-shellcode.rules
            include $RULE_PATH/snort_other-ids.rules
            include $RULE_PATH/snort_phishing-spam.rules
            include $RULE_PATH/emerging-trojan.rules
            include $RULE_PATH/emerging-user_agents.rules
            include $RULE_PATH/emerging-virus.rules
            include $RULE_PATH/emerging-web_client.rules
            include $RULE_PATH/snort_rpc.rules
            include $RULE_PATH/emerging-worm.rules
            include $RULE_PATH/snort_scan.rules
            include $RULE_PATH/snort_shellcode.rules
            include $RULE_PATH/snort_specific-threats.rules
            include $RULE_PATH/snort_spyware-put.rules
            include $RULE_PATH/snort_virus.rules
            include $RULE_PATH/snort_web-attacks.rules
            include $RULE_PATH/snort_web-client.rules
            include $RULE_PATH/snort_web-iis.rules
            include $RULE_PATH/snort_web-misc.rules
            
            
            1 Reply Last reply Reply Quote 0
            • M Offline
              mschiek01
              last edited by

              @Cino:

              here is my config, I'm trying see if i re-produce this on-demand… cause now it seems to be working just fine... Go figure right? lol

              but i did another (de)install, saved every paged.. then rebooted

              
              # snort configuration file
              # generated automatically by the pfSense subsystems do not modify manually
              
              # Define Local Network  #
              var HOME_NET [127.0.0.1,10.0.0.0/8,2001:470:x:x::/64,x.x.x.x/22,192.168.0.1/24,2001:470:x:x::1/64,192.168.200.1/32,172.16.50.1/32,2001:470:x:x::2/64,192.168.5.1/24,x.x.x.1,209.18.47.61,209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24]
              var EXTERNAL_NET [!$HOME_NET]
              
              # Define Rule Paths #
              var RULE_PATH /usr/local/etc/snort/snort_60770_em3/rules
              var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
              
              # Define Servers  #
              var DNS_SERVERS [$HOME_NET]
              var SMTP_SERVERS [$HOME_NET]
              var HTTP_SERVERS [$HOME_NET]
              var WWW_SERVERS [$HOME_NET]
              var SQL_SERVERS [$HOME_NET]
              var TELNET_SERVERS [$HOME_NET]
              var SNMP_SERVERS [$HOME_NET]
              var FTP_SERVERS [$HOME_NET]
              var SSH_SERVERS [$HOME_NET]
              var POP_SERVERS [$HOME_NET]
              var IMAP_SERVERS [$HOME_NET]
              var SIP_PROXY_IP [$HOME_NET]
              var SIP_SERVERS [$HOME_NET]
              var RPC_SERVERS [$HOME_NET]
              var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
              
              # Define Server Ports  #
              portvar DNS_PORTS [53]
              portvar SMTP_PORTS [25]
              portvar MAIL_PORTS [25,143,465,691]
              portvar HTTP_PORTS [80]
              portvar ORACLE_PORTS [1521]
              portvar MSSQL_PORTS [1433]
              portvar TELNET_PORTS [23]
              portvar SNMP_PORTS [161]
              portvar FTP_PORTS [21]
              portvar SSH_PORTS [22]
              portvar POP2_PORTS [109]
              portvar POP3_PORTS [110]
              portvar IMAP_PORTS [143]
              portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
              portvar SIP_PORTS [5060:5090,16384:32768]
              portvar AUTH_PORTS [113]
              portvar FINGER_PORTS [79]
              portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
              portvar SMB_PORTS [139,445]
              portvar NNTP_PORTS [119]
              portvar RLOGIN_PORTS [513]
              portvar RSH_PORTS [514]
              portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
              portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
              portvar SHELLCODE_PORTS [!80]
              portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
              portvar DCERPC_NCACN_IP_TCP [139,445]
              portvar DCERPC_NCADG_IP_UDP [138,1024:]
              portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
              portvar DCERPC_NCACN_UDP_LONG [135,1024:]
              portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
              portvar DCERPC_NCACN_TCP [2103,2105,2107]
              portvar DCERPC_BRIGHTSTORE [6503,6504]
              
              # Configure the snort decoder  #
              config checksum_mode: all
              config disable_decode_alerts
              config disable_tcpopt_experimental_alerts
              config disable_tcpopt_obsolete_alerts
              config disable_ttcp_alerts
              config disable_tcpopt_alerts
              config disable_ipopt_alerts
              config disable_decode_drops
              
              # Configure the detection engine  #
              config detection: search-method ac-bnfa max_queue_events 5
              config event_queue: max_queue 8 log 3 order_events content_length
              
              #Configure dynamic loaded libraries
              dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
              dynamicengine directory /usr/local/lib/snort/dynamicengine
              dynamicdetection directory /usr/local/lib/snort/dynamicrules
              
              # Flow and stream #
              preprocessor frag3_global: max_frags 8192
              preprocessor frag3_engine: policy bsd detect_anomalies
              
              preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
              preprocessor stream5_tcp: policy BSD, ports both all, max_queued_bytes 10485760, max_queued_segs 26210
              preprocessor stream5_udp:
              preprocessor stream5_icmp:
              
              # Performance Statistics #
              preprocessor perfmonitor: time 300 file /var/log/snort/snort_em360770/em3.stats pktcnt 10000
              	
              # HTTP Inspect  #
              preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
              
              preprocessor http_inspect_server: server default \
                                      ports  { 80 }  \
                                      non_strict \
                                      non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                                      flow_depth 300  \
                                      apache_whitespace no \
                                      directory no \
                                      iis_backslash no \
                                      u_encode yes \
              			extended_response_inspection \
              			inspect_gzip \
              			normalize_utf \
              			normalize_javascript \
              			unlimited_decompress \
                                      ascii no \
                                      chunk_length 500000 \
                                      bare_byte yes \
                                      double_decode yes \
                                      iis_unicode no \
                                      iis_delimiter no \
                                      multi_slash no
              	
              # Other preprocs #
              preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
              
              # Back Orifice
              preprocessor bo
              	
              # ftp preprocessor  #
              preprocessor ftp_telnet: global \
              inspection_type stateless
              
              preprocessor ftp_telnet_protocol: telnet \
                 normalize \
                 ayt_attack_thresh 200
              
              preprocessor ftp_telnet_protocol: \
                  ftp server default \
                  def_max_param_len 100 \
                  ports { 21 } \
                  ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
                  ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
                  ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
                  ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
                  ftp_cmds { FEAT CEL CMD MACB } \
                  ftp_cmds { MDTM REST SIZE MLST MLSD } \
                  ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
                  alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
                  alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
                  alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
                  alt_max_param_len 256 { RNTO CWD } \
                  alt_max_param_len 400 { PORT } \
                  alt_max_param_len 512 { SIZE } \
                  chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
                  chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
                  chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
                  chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
                  chk_str_fmt { FEAT CEL CMD } \
                  chk_str_fmt { MDTM REST SIZE MLST MLSD } \
                  chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
                  cmd_validity MODE < char ASBCZ > \
                  cmd_validity STRU < char FRP > \
                  cmd_validity ALLO < int [ char R int ] > \
                  cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
                  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
                  cmd_validity PORT < host_port >
              
              preprocessor ftp_telnet_protocol: ftp client default \
                 max_resp_len 256 \
                 bounce yes \
                 telnet_cmds yes
              	
              # SMTP preprocessor #
              preprocessor SMTP: \
                  ports { 25 143 465 691 } \
                  inspection_type stateful \
                  normalize cmds \
                  valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
              CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                  normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
              PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                  max_header_line_len 1000 \ 
                  max_response_line_len 512 \
                  alt_max_command_line_len 260 { MAIL } \
                  alt_max_command_line_len 300 { RCPT } \
                  alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
                  alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
                  alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
                  alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
                  alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                  xlink2state { enable }
              	
              # sf Portscan  #
              preprocessor sfportscan: scan_type { all } \
                                       proto  { all } \
                                       memcap { 10000000 } \
                                       sense_level { medium } \
                                       ignore_scanners { $HOME_NET }
              	
              # DCE/RPC 2   #
              preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
              preprocessor dcerpc2_server: default, policy WinXP, \
                  detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
                  autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
                  smb_max_chain 3
              	
              # DNS preprocessor #
              preprocessor dns: \
                  ports { 53 } \
                  enable_rdata_overflow
              	
              preprocessor sensitive_data:
              
              # Ignore SSL and Encryption  #
              preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted
              
              # Snort Output Logs #
              output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
              
              output unified2: filename snort_60770_em3.u2, limit 128
              output alert_pf: /usr/local/etc/snort/snort_60770_em3/MainWhiteList,snort2c,src,
              						
              # Misc Includes #
              include /usr/local/etc/snort/snort_60770_em3/reference.config
              include /usr/local/etc/snort/snort_60770_em3/classification.config
              include $PREPROC_RULE_PATH/sensitive-data.rules
              include $PREPROC_RULE_PATH/decoder.rules
              include $PREPROC_RULE_PATH/preprocessor.rules
              
              include /usr/local/etc/snort/snort_60770_em3/suppMainSuppressList
              
              # Snort user pass through configuration
              
              # Rules Selection #
              include $RULE_PATH/snort_attack-responses.rules
              include $RULE_PATH/snort_bad-traffic.so.rules
              include $RULE_PATH/emerging-attack_response.rules
              include $RULE_PATH/snort_backdoor.rules
              include $RULE_PATH/emerging-botcc.rules
              include $RULE_PATH/snort_bad-traffic.rules
              include $RULE_PATH/snort_dos.so.rules
              include $RULE_PATH/snort_blacklist.rules
              include $RULE_PATH/snort_exploit.so.rules
              include $RULE_PATH/emerging-ciarmy.rules
              include $RULE_PATH/snort_botnet-cnc.rules
              include $RULE_PATH/emerging-compromised.rules
              include $RULE_PATH/emerging-current_events.rules
              include $RULE_PATH/snort_content-replace.rules
              include $RULE_PATH/snort_misc.so.rules
              include $RULE_PATH/snort_ddos.rules
              include $RULE_PATH/emerging-dos.rules
              include $RULE_PATH/snort_dos.rules
              include $RULE_PATH/emerging-dshield.rules
              include $RULE_PATH/emerging-exploit.rules
              include $RULE_PATH/snort_exploit.rules
              include $RULE_PATH/snort_web-client.so.rules
              include $RULE_PATH/snort_web-misc.so.rules
              include $RULE_PATH/emerging-malware.rules
              include $RULE_PATH/emerging-misc.rules
              include $RULE_PATH/emerging-mobile_malware.rules
              include $RULE_PATH/snort_indicator-compromise.rules
              include $RULE_PATH/snort_indicator-obfuscation.rules
              include $RULE_PATH/snort_misc.rules
              include $RULE_PATH/emerging-rbn-malvertisers.rules
              include $RULE_PATH/emerging-rbn.rules
              include $RULE_PATH/emerging-rpc.rules
              include $RULE_PATH/emerging-scan.rules
              include $RULE_PATH/emerging-shellcode.rules
              include $RULE_PATH/snort_other-ids.rules
              include $RULE_PATH/snort_phishing-spam.rules
              include $RULE_PATH/emerging-trojan.rules
              include $RULE_PATH/emerging-user_agents.rules
              include $RULE_PATH/emerging-virus.rules
              include $RULE_PATH/emerging-web_client.rules
              include $RULE_PATH/snort_rpc.rules
              include $RULE_PATH/emerging-worm.rules
              include $RULE_PATH/snort_scan.rules
              include $RULE_PATH/snort_shellcode.rules
              include $RULE_PATH/snort_specific-threats.rules
              include $RULE_PATH/snort_spyware-put.rules
              include $RULE_PATH/snort_virus.rules
              include $RULE_PATH/snort_web-attacks.rules
              include $RULE_PATH/snort_web-client.rules
              include $RULE_PATH/snort_web-iis.rules
              include $RULE_PATH/snort_web-misc.rules
              
              

              I have the same problem except I have static Wan addresses snort was running just without problems then the following

              system log
              Jul 17 13:33:32 apinger: ALARM: WAN1GW(nn.nn.nnn.nnn) *** WAN1GWdown ***
              Jul 17 13:28:04 snort[40189]: [1:2500062:2570] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32) [Classification: Misc Attack] [Priority: 2] {TCP}
              Jul 17 13:28:04 snort[40189]: [1:2500062:2570] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32) [Classification: Misc Attack] [Priority: 2]

              Alert description which is very strange.

              "ET RBN Known Russian Business Network IP UDP (112)" - 07/17-12:25:48
                                                           "ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt" - 07/17-11:59:17
              4 nnn.nnn.nnn.nnn                  "ET RBN Known Russian Business Network IP TCP (232)" - 07/17-09:59:36
                                                           "ET RBN Known Russian Business Network IP TCP (208)" - 07/17-11:05:21
                                                             "ET RBN Known Russian Business Network IP TCP (94)" - 07/17-11:14:14
                                                             "ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (29)" - 07/17-11:23:48
                                                             "(dcerpc2) Connection-oriented DCE/RPC - Bind: Remaining fragment length (3) less than size needed (20)" - 07/17-13:19:42
              "ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32)" - 07/17-13:28:04

              Snort started blocking the Wan interface ip.

              The wan addresses are defined as nnn.nnn.nnn.nnn/nn in the white list.

              1 Reply Last reply Reply Quote 0
              • D Offline
                dwood
                last edited by

                Same here…SNORT was running fine for a few hours before the WAN connections were blocked.

                1 Reply Last reply Reply Quote 0
                • E Offline
                  eri--
                  last edited by

                  but i did another (de)install, saved every paged.. then rebooted

                  That is not necessary anymore Cino :)
                  Everything will just get magically applied.

                  1 Reply Last reply Reply Quote 0
                  • F Offline
                    Fesoj
                    last edited by

                    Which sides are you blocking on the WAN interface? If you block src and dst you can effectively shoot yourself in the foot. It seems that snort 2.9.2.3 has more sensitive preprocessors and I had to suppress a few more rules for my box compared to 2.9.0.x.

                    So looking at the alerts should tell you whether your WAN IP was part of an alert message. My 2.9.2.3/2.5.0 box has currently an uptime of more than 7 hours with typically about 5 clients and everything looks fine.

                    1 Reply Last reply Reply Quote 0
                    • D Offline
                      dwood
                      last edited by

                      Blocking src only, kill states and checksum enabled.  The WAN IP being blocked was x.x.x.0 effectively blocking everything over that connetion.  My uptime was several hours, about 20 users before the alert was triggered.  I had to remove Snort but can throw it back on later for a log if required.  My concern was IP6 blocking as I need to learn more about IP6 before I'm able to manage it on a router ;-)

                      Cheers
                      D.

                      1 Reply Last reply Reply Quote 0
                      • M Offline
                        mschiek01
                        last edited by

                        @Fesoj:

                        Which sides are you blocking on the WAN interface? If you block src and dst you can effectively shoot yourself in the foot. It seems that snort 2.9.2.3 has more sensitive preprocessors and I had to suppress a few more rules for my box compared to 2.9.0.x.

                        So looking at the alerts should tell you whether your WAN IP was part of an alert message. My 2.9.2.3/2.5.0 box has currently an uptime of more than 7 hours with typically about 5 clients and everything looks fine.

                        Same here source only with "kill states and checksum" both selected. This has now happened on multiple installations. Some installations have static wans others have dynamic.  I do not see a common pattern at all.

                        uptime on boxes varies from days to weeks.  I have turned off auto updates for snort rules as well.  Still have not found a common thread.

                        1 Reply Last reply Reply Quote 0
                        • F Offline
                          Fesoj
                          last edited by

                          On the WAN side, I am blocking destination addresses only (because offenders are typically coming from the inside, and I want to block their outside contact on the WAN interface, but there is a corresponding handling on the LAN side to vet my clients :(). Of course this depends on what you actually want to block and which rules are active.

                          You need to look at each rule, if the source is s.th. like $HOME_NET, then you might have to do the blocking on the LAN side, maybe sometimes you could simply suppress the alert.

                          1 Reply Last reply Reply Quote 0
                          • M Offline
                            mschiek01
                            last edited by

                            @Fesoj:

                            On the WAN side, I am blocking destination addresses only (because offenders are typically coming from the inside, and I want to block their outside contact on the WAN interface, but there is a corresponding handling on the LAN side to vet my clients :(). Of course this depends on what you actually want to block and which rules are active.

                            You need to look at each rule, if the source is s.th. like $HOME_NET, then you might have to do the blocking on the LAN side, maybe sometimes you could simply suppress the alert.

                            I agree with you but, this is the alert trigger right before snort blocked the wan ip.

                            Jul 17 13:28:04 snort[40189]: [1:2500062:2570] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32) [Classification: Misc Attack] [Priority: 2] {TCP} 59.175.218.166:31157 -> nn.nn.nn.nnn

                            This clearly show the source is 59.175.218.166 but snort blocked the wan ip instead.

                            1 Reply Last reply Reply Quote 0
                            • E Offline
                              eri--
                              last edited by

                              Fixed on 2.0.x you can just upgrade in 10 minutes.
                              You need a new binary.
                              The match of the ip against a CIDR net specification was being done wrong.

                              Other than that it should behave now and you WAN shouold not be blocked.

                              The only thing i am not sure is since HOME_NET contents are used for whitelist of alert_pf maybe that is a bit wide as whitelist by default?
                              Probably just put listening interface IP all gateway/dns/vpns(what was clicked) and no include the CIDR and theother interfaces!

                              EDIT: 2.1 is still building.
                              EDIT2: There is a method to specify that the binary should be reinstalled but it would mean for us to keep a copy of each and every freebsd port that pfSense has pkg.

                              1 Reply Last reply Reply Quote 0
                              • F Offline
                                Fesoj
                                last edited by

                                The only thing i am not sure is since HOME_NET contents are used for whitelist of alert_pf maybe that is a bit wide as whitelist by default?

                                Yes, I see what you mean. You need to be able to block entries from the HOME_NET. E.g. if a company policy says no to eMule, Bittorrent, etc., then it makes sense to block local machines on the LAN side, which is sometimes better than reporting with subsequent hard consequences… So, I'd say HOME_NET is not necessarily white.

                                UPDATE: ... but gateways, DNS servers, WAN side ips probably should.

                                1 Reply Last reply Reply Quote 0
                                • C Offline
                                  Cino
                                  last edited by

                                  @ermal:

                                  but i did another (de)install, saved every paged.. then rebooted

                                  That is not necessary anymore Cino :)
                                  Everything will just get magically applied.

                                  Good to know!!! Old habit from the old days

                                  @ermal:

                                  Fixed on 2.0.x you can just upgrade in 10 minutes.
                                  You need a new binary.
                                  The match of the ip against a CIDR net specification was being done wrong.

                                  Other than that it should behave now and you WAN shouold not be blocked.

                                  The only thing i am not sure is since HOME_NET contents are used for whitelist of alert_pf maybe that is a bit wide as whitelist by default?
                                  Probably just put listening interface IP all gateway/dns/vpns(what was clicked) and no include the CIDR and theother interfaces!

                                  EDIT: 2.1 is still building.
                                  EDIT2: There is a method to specify that the binary should be reinstalled but it would mean for us to keep a copy of each and every freebsd port that pfSense has pkg.

                                  i'm leaning to agree also.. interface IPs/gw/dns/vnps are the way to go.. If we need to add the subnet, then we manually do that via a whitelist. With the added Alias feature in snort, shouldnt be a big issue… Unless whitelist can't accept CIDR (which it noted it can't, haven't really tested that)... then there would be issue if you want to exclude a whole subnet (VPN, IPv6 Subnet)..

                                  idk, maybe by default HOME_NET would just be interfaces, then add a couple of options within whitelist/netlist page to add interface subnets also.

                                  1 Reply Last reply Reply Quote 0
                                  • D Offline
                                    dwood
                                    last edited by

                                    Fired up 2.5.0 on two different installations (AMD64, 2.0.1) So far, so good.

                                    Ermal, can you sort blocked IPs the same as in the alerts?  Alerts on both interfaces are listed so the most recent is at the top of the page (perfecto), however blocked IPs are randomly sorted.

                                    Question:  With all the new suppression entries required, is there a way to add a descriptor above each suppress entry?  I notice the add feature from the alerts list leaves a space between each entry added to the suppress list.  Could find nothing on this one in the docs.

                                    Cheers,
                                    Dennis.

                                    1 Reply Last reply Reply Quote 0
                                    • C Offline
                                      Cino
                                      last edited by

                                      @dwood:

                                      Question:  With all the new suppression entries required, is there a way to add a descriptor above each suppress entry?  I notice the add feature from the alerts list leaves a space between each entry added to the suppress list.  Could find nothing on this one in the docs.

                                      sure:

                                      
                                      # **** Main Suppress List ****
                                      # ****************************
                                      #
                                      # HTTP INSPECT Suppress
                                      #
                                      # DOUBLE DECODING ATTACK
                                      suppress gen_id 119, sig_id 2
                                      # suppress gen_id 119, sig_id 3
                                      # NON-RFC DEFINED CHAR
                                      suppress gen_id 119, sig_id 14
                                      # suppress gen_id 119, sig_id 19
                                      # suppress gen_id 119, sig_id 32
                                      # suppress gen_id 119, sig_id 31
                                      # NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                                      suppress gen_id 120, sig_id 3
                                      # HTTP RESPONSE GZIP DECOMPRESSION FAILED
                                      suppress gen_id 120, sig_id 6
                                      # INVALID CONTENT-LENGTH OR CHUNK SIZE
                                      suppress gen_id 120, sig_id 8
                                      
                                      
                                      1 Reply Last reply Reply Quote 0
                                      • C Offline
                                        Cino
                                        last edited by

                                        If I disable all my suppression rules I'm able to reproduce the WAN IP blocking on the fly.. I did notice that new snort binary was built at 2012-Jul-17 21:37:45. Did this include the changes you made or will the next will?

                                        1 Reply Last reply Reply Quote 0
                                        • M Offline
                                          miles267
                                          last edited by

                                          What happened to the snort Whitelist UI screen?  It used to allow you to input into unique dialog boxes a description and IP or CIDR.  No all Alias IPs are crammed into a single, narrow dialog box.  This seems like a step backward.

                                          1 Reply Last reply Reply Quote 0
                                          • D Offline
                                            dwood
                                            last edited by

                                            Thanks Cino :-)  Just what I was looking for.

                                            Miles, create an Alias list for your IPs. (under Firewall - Aliases).  Then reference that alias in your whitelist.  As soon as you start typing the name of your alias it will autofill in the whitelist box.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.