Quick Snort Setup Instructions for New Users
-
I tried this myself and I can't seem to add an "Alias" either. Its the same issue in Suricata.
I'm sure Bill Meeks (Package Maintainer) will reply with a fix or a solution.
-
After further review, I think this is done by Design by the pfSense Devs. You should be able to create a new Pass List and at the bottom of the passlist, you can add an "Alias" there.
Hope this helps.
-
I am having problems getting the Home Net defined properly. The drop down box does not allow me to select anything other than default. I have a firewall alias for home net.
I have also gone into the ip lists in the services->snort section. I checked the snort.conf that is auto generated, and renamed it to force a new one and it still created $HOME_NET as default.
Thanks,
Christina
Because the default $HOME_NET is sufficient for probably 99% of the user base, there is no facility to directly add an Alias to $HOME_NET via the drop-down. Instead, if you have to customize $HOME_NET, go create a PASS LIST and give it a name that you can mentally link as HOME_NET. You can select whichever of the normal PASS LIST defaults you want (WAN IP, locally-attached networks, DNS servers, etc.). Then at the bottom of the page you can add an Alias. That Alias can be a group consisting of additional aliases if necessary. You have to create any of these Aliases first under Firewall…Aliases before you can use them in Snort or Suricata.
While the procedure outlined above is admittedly not intuitive, it does allow you to accomplish the goal if you have an advanced need. In a future release I will reconsider adding the option to directly add an existing alias to $HOME_NET.
Bill
-
I know this is an old topic, but it is also a very popular one. If you came here looking to configure Snort, but were unsure of the untitled SID's included in jflsakfja's suppression list, I think I can help. I've spent a lot of time tracking down all (but one) of the nameless SID's.
I've also included links for the ones I had to search for. I simply commented out all of the untitled SID's in my Suppression list, and then only re-enabled the ones that were actually tripped. I maintain and monitor several pfSense installations for several networks, and have never seen any of the SID's I've left disabled trip as of yet. I have however completely disabled the following rules:
#emerging-chat.rules
#emerging-tor.rules
#emerging-p2p.rulesSo, any of the SID's belonging to these rules were completely unnecessary to also add to the Suppression List. ;)
The only SID I could not find any information on is: 20122758. I'm not sure if this is a typo, and is actually supposed to be 2012275 or not. jflsakfja would have to answer that. ;)
I also want to add a big THANKS! to bmeeks and jflsakfja for their contributions to this topic, and to the pfSense community!
Without further ado; here is the list:
#UPDATED 2014.09.03
#UNKNOWN SID's will be added to the Suppress list after they have appeared in the Blocked list.#Unknown
#This event is generated when an attempt is made to gain access to private resources using Samba.
#https://www.snort.org/rule_docs/536
#suppress gen_id 1, sig_id 536#TRIPPED & SUPPRESSED
#GPLv2_community.rules INDICATOR-SHELLCODE x86 NOOP
suppress gen_id 1, sig_id 648#Unknown
#This event is generated when suspicious shell code is detected in network traffic.
#https://www.snort.org/rule_docs/653
#suppress gen_id 1, sig_id 653#TRIPPED & SUPPRESSED
#GPLv2_community.rules INDICATOR-SHELLCODE x86 inc ebx NOOP
suppress gen_id 1, sig_id 1390#TRIPPED & SUPPRESSED
#GPLv2_community.rules POLICY-SOCIAL Yahoo IM ping
suppress gen_id 1, sig_id 2452#Unknown
#This event is generated when network traffic that indicates download of executable content is being used.
#https://www.snort.org/rule_docs/11192
#suppress gen_id 1, sig_id 11192#Unknown
#This rule generates events when a portable executable file is downloaded.
#https://www.snort.org/rule_docs/15306
#suppress gen_id 1, sig_id 15306#Unknown
#This event is generated when network traffic that indicates the download of executable content has occurred.
#https://www.snort.org/rule_docs/16313
#suppress gen_id 1, sig_id 16313#Unknown
#This event is generated when an attempt is made to exploit a known vulnerability in internet security.
#https://www.snort.org/rule_docs/17458
#suppress gen_id 1, sig_id 17458#Unknown
#This event is generated when an attempt is made to exploit a known vulnerability in firefox 3-6.
#https://www.snort.org/rule_docs/20583
#suppress gen_id 1, sig_id 20583#TRIPPED & SUPPRESSED
#IPS Policy - Balanced FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
suppress gen_id 1, sig_id 23098#Unknown
#ET POLICY P2P BitTorrent peer sync
#http://doc.emergingthreats.net/bin/view/Main/2000334
#suppress gen_id 1, sig_id 2000334#TRIPPED & SUPPRESSED
#ET TFTP Outbound TFTP Read Request
suppress gen_id 1, sig_id 2008120#TRIPPED & SUPPRESSED
#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
suppress gen_id 1, sig_id 2010516#Unknown
#ET POLICY INFO EXE - OSX Disk Image Download
#http://doc.emergingthreats.net/bin/view/Main/2014518
#suppress gen_id 1, sig_id 2014518#Unknown
#ET POLICY INFO EXE - Served Attached HTTP
#http://doc.emergingthreats.net/bin/view/Main/2014520
#suppress gen_id 1, sig_id 2014520#Unknown
#GPL ICMP_INFO PING *NIX (emerging-icmp_info.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2011-06-02T20:30:08.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2011-06-02T20:30:08.txt
#suppress gen_id 1, sig_id 2100366#Unknown
#GPL ICMP_INFO PING BSDtype (emerging-icmp_info.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.open.2011-10-12T19:40:39.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2011-10-12T19:40:39.txt
#suppress gen_id 1, sig_id 2100368#Unknown
#GPL SHELLCODE x86 stealth NOOP (emerging-shellcode.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-08-21T21:30:42.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2012-08-21T21:30:42.txt
#suppress gen_id 1, sig_id 2100651#Unknown
#GPL SHELLCODE x86 inc ebx NOOP (emerging-shellcode.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-09-12T17:44:37.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2014-03-19T20:35:50.txt
#suppress gen_id 1, sig_id 2101390#Unknown
#GPL SHELLCODE x86 0xEB0C NOOP (emerging-shellcode.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-09-12T17:44:37.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2012-09-12T17:44:37.txt
#suppress gen_id 1, sig_id 2101424#Unknown
#GPL SHELLCODE x86 0x90 NOOP unicode (emerging-shellcode.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-01-17T00:38:01.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2012-01-17T00:38:01.txt
#suppress gen_id 1, sig_id 2102314#Unknown
#GPL WEB_CLIENT PNG large colour depth download attempt (emerging-web_client.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.open.2011-08-02T02:55:35.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2011-08-02T02:55:35.txt
#suppress gen_id 1, sig_id 2103134#NOT TRIPPED & NOT SUPPRESSED
#ET POLICY ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 29
#suppress gen_id 1, sig_id 2500056#Unknown
#suppress gen_id 1, sig_id 20122758#Unknown
#GPL CHAT MISC Jabber/Google Talk Outgoing Traffic (emerging-chat.rules)
#http://rules.emergingthreats.net/changelogs/snort-2.9.0.open.2011-10-12T19:40:39.txt
#http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2014-05-28T20:53:43.txt
#suppress gen_id 1, sig_id 100000230#Unknown
#This event is generated when an attempt is made to exploit a known vulnerability in libpng.
#https://www.snort.org/rule_docs/3-14772
#WEB-CLIENT libpng malformed chunk denial of service attempt
#suppress gen_id 3, sig_id 14772#TRIPPED & SUPPRESSED
#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10@jflsakfja:
The Missing Part to Quick Snort Setup Instructions for New Users
-
just wanted to ask if snort be downloaded as a package e.g tar or such format and installed manually instead of selecting via GUI ? I ask since we try to avoid exposing our systems to internet. we have limited number of stand alone systems having access to the internnet. So if there is a package avail for snort, i can download it on those systems and install on the servers hosting pfsense.
Thanks -
I'm assuming that you are using pfsense as a network gateway, in which case it already has access to the internet (cough DNS cough). There is absolutely no reason why you should manually install any package available through the GUI, outside the GUI.
Cutting off pfsense's internet access might be effective security, but it's the wrong kind of effective security. How will you keep the rule/ip lists up to date? Answer: You won't. A couple years down the road it will become an unmaintainable system, which everybody will hate you for implementing.
-
no mate, it isnt connected to the internet. no dns servers nothing. we have our own network connecting our 3 branches located at various places.
as for cutting off access to the internet, its company policy and well it takes time for policies to change. Hopefuly we'l have it changed sooner than later but the thing is it isnt in my hands unfortunately. :( -
no mate, it isnt connected to the internet. no dns servers nothing. we have our own network connecting our 3 branches located at various places.
as for cutting off access to the internet, its company policy and well it takes time for policies to change. Hopefuly we'l have it changed sooner than later but the thing is it isnt in my hands unfortunately. :(How are you managing keeping the system up to date if it's offline?
-
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually? -
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually?I rest my case. I also wish the company you work for, good luck when the security breach eventually happens.
-
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually?No, there really is not a way to install it manually. It consists of multiple parts and pieces that must get installed by the built-in package manager in pfSense. It does not exist in something like a tar.gz file you could unzip and install.
I also agree with jflsakfja that you have less security than you think by running older unpatched firewall software. Simply not providing Internet access does not help much if you have unpatched vulnerabilities and somebody walks around with a USB stick in your "protected" network … ;)
Bill
-
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually?No, there really is not a way to install it manually. It consists of multiple parts and pieces that must get installed by the built-in package manager in pfSense. It does not exist in something like a tar.gz file you could unzip and install.
Bill
Sad to know but thanks for the reply :)
-
Feel for you bhawk6901.
Sometimes required by law.
http://en.wikipedia.org/wiki/Air_gap_%28networking%29
-
lol.. Just when you think your secure… Your not! :o :o
http://thehackernews.com/2014/10/airhopper-hacking-into-isolated.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29
-
Yeah, Thanks. Now they'll require a Faraday Cage around the MDF and all the IDF's… LMAO...
lol.. Just when you think your secure… Your not! :o :o
http://thehackernews.com/2014/10/airhopper-hacking-into-isolated.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29
-
how to configure pfsense for multi wan setup ?
thanksother thing ..
how i can test my server security ? ( how to "hack" my server for testing .. ) -
Good Evening,
I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.
Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''
Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Best-
Darren
-
Good Evening,
I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.
Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''
Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Best-
Darren
This is a broken Emerging Threats rule that has had broken syntax for almost a year. Several attempts at getting it fixed at the source have been unsuccessful. Folks here just disable that rule. You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872. That is the rule that is malformed.
I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.
Bill
-
Good Evening,
I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.
Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''
Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Best-
Darren
This is a broken Emerging Threats rule that has had broken syntax for almost a year. Several attempts at getting it fixed at the source have been unsuccessful. Folks here just disable that rule. You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872. That is the rule that is malformed.
I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.
Bill
Thank you Bill! That was very helpful. For anyone else that runs into this, the rule that needs to be disabled is:
emerging-web_client.rules
SID: 2011695
ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure AttemptBest-
Darren
-
Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?
