Quick Snort Setup Instructions for New Users

whitexp · Jan 25, 2015, 3:52 AM

how to configure pfsense for multi wan setup ?
thanks

other thing ..
how i can test my server security ? ( how to "hack" my server for testing .. )

darrenkdean · Feb 23, 2015, 12:50 AM

Good Evening,

I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.

Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''

Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

Best-

Darren

bmeeks · Feb 23, 2015, 1:56 AM

@darrenkdean:

Good Evening,

I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.

Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''

Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

Best-

Darren

This is a broken Emerging Threats rule that has had broken syntax for almost a year. Several attempts at getting it fixed at the source have been unsuccessful. Folks here just disable that rule. You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872. That is the rule that is malformed.

I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.

Bill

darrenkdean · Feb 23, 2015, 3:55 AM

@bmeeks:

@darrenkdean:

Good Evening,

I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.

Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''

Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

Best-

Darren

This is a broken Emerging Threats rule that has had broken syntax for almost a year. Several attempts at getting it fixed at the source have been unsuccessful. Folks here just disable that rule. You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872. That is the rule that is malformed.

I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.

Bill

Thank you Bill! That was very helpful. For anyone else that runs into this, the rule that needs to be disabled is:

emerging-web_client.rules

SID: 2011695
ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt

Best-

Darren

BBcan177 · Feb 23, 2015, 4:35 AM

Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?

darrenkdean · Feb 23, 2015, 3:11 PM

Good Morning,

Has anyone had success in configuring Snort to allow apple devices to communicate with the Apple Store & iCloud? I have followed the quick setup guide, rule configuration, & everything appears to be working great, with the exception of iPad's & iPhone's not being able to communicate with the Apple Store & not able to restore from iCloud Backup. Any direction on how best to allow this connectivity would be greatly appreciated.

Best-

Darren

bmeeks · Feb 23, 2015, 7:43 PM

@BBcan177:

Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?

I am leery of permanently disabling a rule within the GUI code.

Bill

bmeeks · Feb 23, 2015, 9:33 PM

@darrenkdean:

Good Morning,

Has anyone had success in configuring Snort to allow apple devices to communicate with the Apple Store & iCloud? I have followed the quick setup guide, rule configuration, & everything appears to be working great, with the exception of iPad's & iPhone's not being able to communicate with the Apple Store & not able to restore from iCloud Backup. Any direction on how best to allow this connectivity would be greatly appreciated.

Best-

Darren

I have no problem with this working in my home network using Snort and pfSense 2.2. Have you checked to see if some particular alert is firing and generating a block? You can check the ALERTS or BLOCKED tabs to see what Snort is doing.

Bill

Feb 24, 2015, 5:38 PM

@BBcan177:

Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?

What, you mean ET actually disabling a non functioning rule? Come on it's ET we are talking about here. ;)

I'm on bmeek's side here. Permanently disabling a rule shouldn't be the solution. Not unless we can get a premade list out anyway (hint:new guide).

darrenkdean · Mar 7, 2015, 4:59 PM

Good Day,

I'm running into an issue with the Ooma IP Telephone Service whereby anytime a telephone call is made or received, it trips the following rule in Snort:

ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)

I created a Firewall Alias called Ooma with the following data for the Ooma Servers:
70.42.139.0/24 Ooma
208.83.244.0/22 Ooma, Inc.

I then added the Alias to the Snort Pass List, checking the Ooma Alias, & leaving all other boxes unchecked. I've clearly missed something, as the alerts are still being triggered & blocked, inspite of having added the correct Ooma Servers. Any thoughts?

Best-

Darren

Mar 7, 2015, 5:35 PM

Did you stop/start the snort interface after adding that to the passlist?

bmeeks · Mar 7, 2015, 5:50 PM

@darrenkdean:

Good Day,

I'm running into an issue with the Ooma IP Telephone Service whereby anytime a telephone call is made or received, it trips the following rule in Snort:

ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)

I created a Firewall Alias called Ooma with the following data for the Ooma Servers:
70.42.139.0/24 Ooma
208.83.244.0/22 Ooma, Inc.

I then added the Alias to the Snort Pass List, checking the Ooma Alias, & leaving all other boxes unchecked. I've clearly missed something, as the alerts are still being triggered & blocked, inspite of having added the correct Ooma Servers. Any thoughts?

Best-

Darren

Also make sure the new Pass List is actually assigned to your Snort interface by choosing it in the PASS LIST drop-down box on the INTERFACE SETTINGS tab. Save the change and then restart Snort on the interface as @jflsakfja suggested.

Additionally, I don't recommend unchecking the other Pass List checkboxes. You generally don't ever want to do that except in very unusual situations. Yours does not sound like one where I would uncheck those default-checked boxes.

Bill

darrenkdean · Mar 7, 2015, 7:37 PM

Excellent, thank you both! I went back & changed the settings per your guidance & the telephone service is now working. Can't thank you enough for your help! Alerts are still being generated, but no longer blocked. Is there any reason why I would not want to suppress these alerts?

Best-

Darren

bmeeks · Mar 8, 2015, 1:31 AM

@darrenkdean:

Excellent, thank you both! I went back & changed the settings per your guidance & the telephone service is now working. Can't thank you enough for your help! Alerts are still being generated, but no longer blocked. Is there any reason why I would not want to suppress these alerts?

Best-

Darren

You can suppress them if you wish, but depending on how you do it you may expose yourself to a real attack (as opposed to the false positive you are likely seeing now). Here is what I would do:

You know the IP address in question (your phone system), so create a suppress list rule by IP address. The easiest way to accomplish this is on the ALERTS tab. Click the plus (+) icon beside the IP address you don't want to block on one of the alert rows. This will create a suppress list entry of type "track by IP". It will be either source (SRC) or destination (DST) depending on which address column you clicked. The entry will be for that specific IP. If you want to suppress by an IP block instead, then after creating the entry as described previously, go to the SUPPRESS LIST tab, find the newly created list and edit it. Change the IP address to a CIDR block.

Bill

darrenkdean · Mar 13, 2015, 5:03 PM

Good Afternoon,

I have configured Snort according to the guide & everything works great on the WAN. I have created a LAN Interface & mirrored the rules for both. When I go to start Snort on the LAN, I am getting the following error:

snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface. Any guidance or suggestions would be greatly appreciated.

Best-

Darren

Mr. Jingles · Mar 13, 2015, 5:25 PM

@darrenkdean:

Good Afternoon,

I have configured Snort according to the guide & everything works great on the WAN. I have created a LAN Interface & mirrored the rules for both. When I go to start Snort on the LAN, I am getting the following error:

snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface. Any guidance or suggestions would be greatly appreciated.

Best-

Darren

Confirmed. My system log is filled with this too:

snort[4022]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating ...snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

Snort starts on all interfaces 'though, yet it is cluttering up the logs with this constantly repeating message.

pfSense 2.1.5 X64, Snort 2.9.7.0 pkg 3.2.3

bmeeks · Mar 13, 2015, 9:44 PM

@darrenkdean:

Good Afternoon,

I have configured Snort according to the guide & everything works great on the WAN. I have created a LAN Interface & mirrored the rules for both. When I go to start Snort on the LAN, I am getting the following error:

snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface. Any guidance or suggestions would be greatly appreciated.

Best-

Darren

It would be better if you start a new thread in the IDS/IPS sub-forum. This thread was designed to contain just the how-to instructions.

The answer to your problem is also posted in a previous thread here: https://forum.pfsense.org/index.php?topic=89393.msg495651#msg495651, but I will repeat it here. This is a known syntax error in the OpenAppID rules package from the Snort VRT. They committed to fix it in a mailing list post about two weeks ago. It appears they have not yet. You can disable the OpenAppID preprocessor to make the error go away. Unless you have also written your own custom rules to use the OpenAppID signatures, they aren't working anyway.

Bill

tty0 · Dec 27, 2015, 7:34 PM

Very simple guide bmeeks, thank you for taking the time to explain this to us new users. Followed another guide and I kept having snort ban websites I was visiting.

2chemlud · Feb 13, 2016, 4:17 PM

Hi!

How about adding a little bit of info specific to nano users running snort? ;-)

Maybe somethink like this:

https://forum.pfsense.org/index.php?topic=106725.msg594731#msg594731

Regards

chemlud

AR15USR · Apr 23, 2016, 3:33 AM

Hi bmeeks/jflsakfja,

This post was originally done a few years ago, how valid is the setup in post 1 and the rule configuration in post 3 these days?