Snort2c and whitelist CIDR



    Hello!

    Thanks a lot to Scott Ullrich for the snort2c package ported to FreeBSD (http://pfsense.org/~sullrich/ported_software)

    I'm testing it on my snort system, external to pfSense (I don't like to charge my firewall with snort).

    I'm not sure whether snort2c is capable of working with CIDR notation in its whitelist.

    I have the following scenario:

    snort_sensor# ps -aux | grep snort2c

    nobody  1013  0,0  0,1  1320   760  ??  Is   10:29PM  0:00,00 /usr/local/sbin/expiretable -d -t 3600 snort2c
    root    1014  0,0  0,1  1284   788  ??  Is   10:29PM  0:00,02 /usr/local/sbin/snort2c -w /var/db/whitelist -a /var/log/snort/alert
    root    3981  0,0  0,1  1604   960  p0  S+    9:46AM   0:00,00 grep snort2c

    snort_sensor# cat /var/db/whitelist

    192.168.XXX.0/24
    192.168.YYY.0/24
    192.168.ZZZ.0/24
    192.168.AAA.1
    192.168.AAA.2
    192.168.AAA.3
    192.168.BBB.1
    192.168.BBB.2
    192.168.CCC.1
    192.168.CCC.2
    80.58.###.###
    80.58.###.###
    213.176.###.###
    213.176.###.###
    80.58.###.###
    80.58.###.###
    127.0.0.1

    XXX, YYY, ZZZ are my LANs
    AAA, BBB, CCC are my WANs
    the following IPs are my external DNS servers
    127.0.0.1 is the obvious localhost

    Sometimes I see blocked machines at 192.168.XXX.0/24 range. Example:

    snort_sensor# pfctl -rt snort2c -vT show | grep -vE "In/|Out/"

    192.168.XXX.207      (s-207)
           Cleared:     Wed May 30 09:40:54 2007

    snort_sensor# tail /var/log/snort/alert

    [**] [1:7694:1] BACKDOOR exception 1.0 runtime detection - intial connection server-to-client [**]
    [Classification: A Network Trojan was detected] [Priority: 1]
    05/30-09:40:59.688329 192.168.XXX.207:445 -> 192.168.XXX.119:1070
    TCP TTL:64 TOS:0x0 ID:3532 IpLen:20 DgmLen:440 DF
    AP Seq: 0xC55E038F  Ack: 0xB4DD15C  Win: 0xFFFF  TcpLen: 20
    [Xref => http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099]
    [Xref => http://www.megasecurity.org/trojans/e/exception/Exception1.0b1.html]

    So, if you are using the snort whitelist with pfSense, be careful with CIDR notation.

    Regards,

    Josep Pujadas
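To check whether a blocked address should have been covered by a snort2c-style whitelist file, here is an added example (not from the post and not snort2c's own code) that parses the file format shown above, treats bare addresses as /32 hosts, and contrasts a CIDR-aware match with an exact-string match for the 192.168.XXX.207 case. The addresses are constructed stand-ins for the masked values in the post.

```python
import ipaddress

# Constructed stand-in for the post's /var/db/whitelist: the XXX/AAA octets
# and the masked DNS server addresses are replaced with made-up values.
WHITELIST_TEXT = """\
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.1
192.168.40.2
127.0.0.1
"""

def parse_whitelist(text):
    """Parse whitelist lines into network objects.

    A bare address like 192.168.40.1 becomes a /32 host network, so one
    membership test covers both entry styles. Blank lines and '#' comments
    are skipped; malformed lines are reported rather than silently dropped,
    since a dropped entry is exactly the failure this check guards against.
    """
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, line))
    return networks, bad

def is_whitelisted(addr, networks):
    """True if addr falls inside any whitelist entry (CIDR-aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def naive_whitelisted(addr, text):
    """Exact-string comparison: what a matcher that ignores the /nn suffix does."""
    return addr in {l.strip() for l in text.splitlines() if l.strip()}

def audit(addr, text=WHITELIST_TEXT):
    """Compare CIDR-aware and exact-string results for one blocked address."""
    networks, bad = parse_whitelist(text)
    return {"cidr": is_whitelisted(addr, networks),
            "exact": naive_whitelisted(addr, text), "bad_lines": bad}

if __name__ == "__main__":
    for a in ("192.168.10.207", "192.168.40.1", "10.0.0.5"):
        print(a, audit(a))
```

A host inside a whitelisted /24 passes the CIDR-aware test but fails the exact-string one, which is the symptom described in the post; running the audit against your own whitelist file shows which entries only an exact-string matcher would honour.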
