Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Quick Snort Setup Instructions for New Users

    IDS/IPS
    46
    147
    215404
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeks
      bmeeks last edited by

      @Supermule:

      I understand! Thx mate. Really appreciated!

      You're welcome. I just used some quick and dirty names for example, but you could name things logically and perhaps create a "WAN_whitelist_hosts" Alias and then others for different interfaces.  As I said, Aliases are very powerful tools once you get the hang of using them.

      Bill

      1 Reply Last reply Reply Quote 0
      • S
        Supermule Banned last edited by

        I have named it Snort Friendly IP :D

        1 Reply Last reply Reply Quote 0
        • bmeeks
          bmeeks last edited by

          @vipermy:

          First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?

          FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9

          Thank you in advance.

          Sent you a PM with my e-mail address.  Reply back to the address and I will send you a patched file I would like for you to test for me.  I think it will allow Snort rule updates through the pfSense system proxy.

          Bill

          1 Reply Last reply Reply Quote 0
          • M
            Mr. Jingles last edited by

            Thank you both for the explanations, I learned something valuable  ;D

            6 and a half billion people know that they are stupid, agressive, lower life forms.

            1 Reply Last reply Reply Quote 0
            • M
              Mr. Jingles last edited by

              Could I ask a question about the oinkcode?

              I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

              Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

              But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

              Thank you for your answer  ;D

              6 and a half billion people know that they are stupid, agressive, lower life forms.

              1 Reply Last reply Reply Quote 0
              • bmeeks
                bmeeks last edited by

                @Hollander:

                Could I ask a question about the oinkcode?

                I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

                Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

                But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

                Thank you for your answer  ;D

                The paid subscription Oinkcode automatically includes the "Snort Community Rules" in the downloaded rule set, so you do not need to manually select those anymore.

                Just check the Snort VRT rules (and optionally Emerging Threats if you want some of those), then choose an IPS Policy.  You will get the Community Rules this way.

                Bill

                1 Reply Last reply Reply Quote 0
                • J
                  jdsilva last edited by

                  I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz

                  1 Reply Last reply Reply Quote 0
                  • bmeeks
                    bmeeks last edited by

                    @jdsilva:

                    I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz

                    No, the binary version of Snort is considered when downloading rule updates.  The rules are coded for the different binary versions.  Snort on pfSense is currently version 2.9.4.6, so you will download the 2.9.4.6 rules snapshot.  The rules usually update on Tuesday and Thursday over at Snort.org.

                    An update to the 2.9.5.5 Snort binary for the pfSense Snort package should come out late this month or early in November.  Testing it now.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • C
                      coolcat1975 last edited by

                      Hi!

                      I am using policy connectivity.
                      I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

                      How can i disable this policy when using policy?

                      best regards

                      Karl

                      1 Reply Last reply Reply Quote 0
                      • bmeeks
                        bmeeks last edited by

                        @coolcat1975:

                        Hi!

                        I am using policy connectivity.
                        I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

                        How can i disable this policy when using policy?

                        best regards

                        Karl

                        You can't easily disable this directly because it is a preprocessor alert.  I've seen some traffic about this alert on the Snort mailing list that indicates it is a potential bug in the preprocesor code.

                        The best workaround for now is to create a Suppress List entry for this alert.  On the ALERTS tab, click the little plus sign (+) next to the alert's GID:SID.  This will automatically add it to the Suppress List and you won't get blocks on those IPs.  You will still see the alert in the ALERTS tab, but it will not block the offending IP.

                        After adding the Suppress entry, restart Snort on the affect interface.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • C
                          coolcat1975 last edited by

                          hi!

                          thanks for your answer.

                          i am aware about the supress function but best practice says that you should disable the rule.

                          anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed

                          greetings

                          karl

                          1 Reply Last reply Reply Quote 0
                          • bmeeks
                            bmeeks last edited by

                            @coolcat1975:

                            hi!

                            thanks for your answer.

                            i am aware about the supress function but best practice says that you should disable the rule.

                            anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed

                            greetings

                            karl

                            Disabling is the best, but with today's hardware capability just suppressing is fine.  That's the answer you generally get from the Snort VRT folks as well.  Maybe if you are inspecting 1 Gbit/sec plus traffic loads, the distinction between disabling and suppressing matters; but for most folks with modern hardware there is no meaning difference.

                            Bill

                            1 Reply Last reply Reply Quote 0
                            • C
                              coolcat1975 last edited by

                              Just another question:

                              If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is activated?

                              does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?

                              regards

                              karl

                              1 Reply Last reply Reply Quote 0
                              • bmeeks
                                bmeeks last edited by

                                @coolcat1975:

                                Just another question:

                                If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is activated?

                                does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?

                                regards

                                karl

                                I honestly don't know the answer to that question.  I've never tested Snort on pfSense in Transparent Mode.  I suspect the traffic will still get blocked because Snort actually uses the packet filter engine and its tables to insert blocks.  In that sense it operates just like the firewall module itself.

                                Where Snort might get tripped up in Transparent Mode is with the defintion of $HOME_NET and $EXTERNAL_NET variables.

                                Bill

                                1 Reply Last reply Reply Quote 0
                                • S
                                  sebna last edited by

                                  Hi,

                                  Thanks for great guide.

                                  Before I found it I just went through all the options and configured as I thought it makes sense to my limited knowledge and I did one thing differently.

                                  I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed on enable all rules in the current category as they were all greyed out before that and seemed inactive - is this necessary step and what it actually means if I leave all of them greyed out and what it means if I enable them.

                                  Also in point

                                  20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

                                  If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the "Use IPS Policy" box unticked?

                                  If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes what is the correct syntax? Can it be IP or is it a FQN

                                  Thank you for explaining any of the above.

                                  seb

                                  1 Reply Last reply Reply Quote 0
                                  • bmeeks
                                    bmeeks last edited by

                                    @sebna:

                                    I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed on enable all rules in the current category as they were all greyed out before that and seemed inactive - is this necessary step and what it actually means if I leave all of them greyed out and what it means if I enable them.

                                    Also in point

                                    20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

                                    If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the "Use IPS Policy" box unticked?

                                    If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes what is the correct syntax? Can it be IP or is it a FQN

                                    Thank you for explaining any of the above.

                                    seb

                                    If you registered at Snort.org for the free account, that entitles you to the full Snort VRT rules download.  The only caveat is they are 30 days older than the rules the paid subscribers get.  As for the GPLv2 Community Rules, generally only a few of them will be enabled by default.  You can turn on the ones of interest to you.  If you don't want the headache of figuring out which Community Rules you want or need, then an easier approach in my view is to enable and use the Emerging Threats rules instead.  They stay pretty current and are arranged in categories that give clues as to what the rules are doing.

                                    You can use the IPS Policy with the Snort VRT rules whether you have a paid or free account.  The only difference in paid versus free is the age of the rules.  As I mentioned, the paid subscribers get current updates.  The free account registered users get the new rules 30 days after the paid users.  It's a 30-day rolling sort of thing.  But the same IPS policies are available in both sets of rules.

                                    If you have Mail, DNS and other specific servers on your network, you can certainly define their IP addresses for Snort. This makes Snort's job a bit easier.  By default, it assumes all the IP addresses in your network are all of the potential servers.  So this means it sort of inspects all traffic for all IPs for everything.  You can narrow this down by defining where some services are located (that is, which IP addresses host those services on your HOME_NET networks).  Armed with that information, Snort won't waste time looking for HTTP web exploits against a DNS or DHCP server.  It does this by matching the IP address in the target to the values you define in the variables.

                                    To define servers or ports on the VARIABLES tab, you must first create a corresponding Alias under Firewall…Alias from the pfSense menu.  Type a descriptive name for the Alias, such as DNS_Servers, and then enter the IP addresses of all of your DNS servers.  Repeat the process to create Aliases for any other servers.  Now go to the VARIABLES tab in Snort and scroll down to the server description.  Start typing the name of the Alias you defined earlier.  It should auto-complete in the Alias form field.  Click SAVE when done.

                                    1 Reply Last reply Reply Quote 1
                                    • S
                                      sebna last edited by

                                      Thank you Bill,

                                      It was late and I was tried yesterday :) I found the cause of the problem and basically I just need a restart for my OINK to work and to be able to download the definitions…

                                      Thank you for clarifying other things and advice. Much appreciated as the whole guide :)

                                      Seb

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        coolcat1975 last edited by

                                        hi!

                                        is it possible to run snort-inline?

                                        actually if not then i wouldnt call it an IPS.

                                        regards

                                        Karl

                                        1 Reply Last reply Reply Quote 0
                                        • bmeeks
                                          bmeeks last edited by

                                          @coolcat1975:

                                          hi!

                                          is it possible to run snort-inline?

                                          actually if not then i wouldnt call it an IPS.

                                          regards

                                          Karl

                                          Snort is kinda-sorta "inline" on pfSense.  It can insert blocks into the firewall.  It is not 100% technically inline like it would be in a classic pure IPS.

                                          Bill

                                          1 Reply Last reply Reply Quote 0
                                          • S
                                            sebna last edited by

                                            My SNORT will produce a lot alerts but only few blocks (ATM it runs only on WAN interface). Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.

                                            I dont have any custom whitelist and my Suppress contains only of google ip(s).

                                            Any ideas?

                                            Thanks

                                            1 Reply Last reply Reply Quote 0
                                            • bmeeks
                                              bmeeks last edited by

                                              @sebna:

                                              … Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.

                                              I dont have any custom whitelist and my Suppress contains only of google ip(s).

                                              Any ideas?

                                              Thanks

                                              It could be that pfBlocker is preempting Snort and putting blocks in place.  I don't think the blocks of a particular IP address will be duplicated.

                                              Also, you did not post the version of pfSense you are running.  If it is 2.1, then a problem with the filter_reload() function within that version of pfSense periodically clears the Snort block table.  So Snort is possibly blocking the IP, then the pfSense filter_reload() function comes along and clears the table.  When you look at the BLOCKED tab in Snort, it is actually reading the current entries from the snort2c block table that pfSense maintains.  The table may have been recently cleansed by the filter_reload() routine.

                                              However, even considering the above, protection afforded by Snort is still there.  On the next offending packet from one of those formerly blocked IP addresses, Snort will insert a fresh block.

                                              Bill

                                              1 Reply Last reply Reply Quote 0
                                              • G
                                                godlyatheist last edited by

                                                Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?

                                                1 Reply Last reply Reply Quote 0
                                                • ?
                                                  A Former User last edited by

                                                  @godlyatheist:

                                                  Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?

                                                  The arrow color was recently changed to be more in "sync" with the rest of the interface. It used to be press the green to start, press the red to stop. The problem was that it showed a red arrow on the status tab while snort was running, which was different with all the rest of the interface (green means OK).
                                                  The reason it says that, is that we cannot change old posts on this forum.

                                                  To clarrify myself:
                                                  Green means snort IS running, you click it to STOP it.
                                                  Red means snort is NOT running, you click it to START it.

                                                  1 Reply Last reply Reply Quote 0
                                                  • M
                                                    Mr. Jingles last edited by

                                                    @godlyatheist:

                                                    Also, why does my Block column say DISABLED when though Snort is enabled?

                                                    Did you tell Snort to block offenders? (Interface -> block offenders).

                                                    6 and a half billion people know that they are stupid, agressive, lower life forms.

                                                    1 Reply Last reply Reply Quote 0
                                                    • G
                                                      godlyatheist last edited by

                                                      @Hollander:

                                                      @godlyatheist:

                                                      Also, why does my Block column say DISABLED when though Snort is enabled?

                                                      Did you tell Snort to block offenders? (Interface -> block offenders).

                                                      Now it says blocked, thank you.

                                                      1 Reply Last reply Reply Quote 0
                                                      • M
                                                        Mr. Jingles last edited by

                                                        @godlyatheist:

                                                        @Hollander:

                                                        @godlyatheist:

                                                        Also, why does my Block column say DISABLED when though Snort is enabled?

                                                        Did you tell Snort to block offenders? (Interface -> block offenders).

                                                        Now it says blocked, thank you.

                                                        You're most welcome  ;D

                                                        6 and a half billion people know that they are stupid, agressive, lower life forms.

                                                        1 Reply Last reply Reply Quote 0
                                                        • N
                                                          net125mp last edited by

                                                          I just wanted to thank you for this guide.  I just set up a PFSense install on an old Dell PowerEdge2850 server.  This helped me more than I can say.  The old network admins left no documentation behind, so when I had to rebuild PFS from scratch, I was a little out of my depth.  This certainly made setting up snort more than a little easier.  Especially since I really didn't even know where to start.  Thanks a million.

                                                          1 Reply Last reply Reply Quote 0
                                                          • E
                                                            edirob last edited by

                                                            If anyone winds up without any blocked items over time in their Blocked tab despite loads of alerts, check your "Status: System logs: General" tab and look for any services reporting FILTER reloads or reconfigurations.  Since filter reloads cause the block table to clear, misconfigured or broken services can cause the Blocked tab to appear consistently empty.

                                                            Rob…

                                                            1 Reply Last reply Reply Quote 0
                                                            • D
                                                              DiskWizard last edited by

                                                              Good day !
                                                              I have 2 WAN Interfaces and was trying to set up rules according to this forum. Making a setup for 1 interface took me around 1,5 hour. The question is - Is there any facility to simply copy the ruleset between interfaces ?
                                                              Thank you in advance.

                                                              1. GA-N3150M-D3P 8Gb RAM

                                                              2. GA-C1037EN-EU 4GB RAM

                                                              • 2,5 SATA III Solid State Drive SLIM S60
                                                              1 Reply Last reply Reply Quote 0
                                                              • bmeeks
                                                                bmeeks last edited by

                                                                @DiskWizard:

                                                                Good day !
                                                                I have 2 WAN Interfaces and was trying to set up rules according to this forum. Making a setup for 1 interface took me around 1,5 hour. The question is - Is there any facility to simply copy the ruleset between interfaces ?
                                                                Thank you in advance.

                                                                Not currently, but another user requested something similar.  I have that sort of feature on my TODO list.  I was thinking along the lines of being able to create "templates" with rules, preprocessors, variables, and some other parameters all configurable.  You could save and name the templates, then apply one to any interface on demand.  Would that work for you?

                                                                Bill

                                                                1 Reply Last reply Reply Quote 0
                                                                • T
                                                                  Trel last edited by

                                                                  I have the community rules box checked, but when I go to the tab to update, the button is greyed out.  Am I doing something wrong?  If I select the emerging threat box, I am able to click the update button, but with just community rules checked, I am not.

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • D
                                                                    DiskWizard last edited by

                                                                    Thank you beemks ! Yes, I think it worked for me. Does it means what Snort consider Autogenerated Supress list as "top list" ?

                                                                    1. GA-N3150M-D3P 8Gb RAM

                                                                    2. GA-C1037EN-EU 4GB RAM

                                                                    • 2,5 SATA III Solid State Drive SLIM S60
                                                                    1 Reply Last reply Reply Quote 0
                                                                    • bmeeks
                                                                      bmeeks last edited by

                                                                      @DiskWizard:

                                                                      Thank you beemks ! Yes, I think it worked for me. Does it means what Snort consider Autogenerated Supress list as "top list" ?

                                                                      The auto-generated list will have the name of the interface followed by a random number (UUID).

                                                                      Bill

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • R
                                                                        Ramosel last edited by

                                                                        I don't want to discount Bill's efforts on this thread.  It is absolutely the best place to start.

                                                                        That said, I've recently introduced pfSense and the Snort package to a few friends who are long time, big time, professional security hawks looking for a solution at home a bit more elegant than running generations old (but affordable) dedicated firewall hardware.  I believe the best "find" I have come across and directed my friends to is the "fine tuning" post started by user "jflsakfja" as this thread:

                                                                        https://forum.pfsense.org/index.php/topic,64674.0.html

                                                                        This user requested the ability some time ago at the start of that thread to be able to edit his post in this sticky rather than having to continuously add to an existing thread.  I, for one, would like this be reconsidered by the mods as the above thread is slowly being buried as time passes.  I can only surmise the lack of updates as anticipated by "jflsakfja" could be because of a lack of response (evidenced by lack of edits here as of this date) to that request.  Or perhaps because I've pushed him/her for more information…?  If not at least maybe this post can serve as a jump point for folks looking for or could benefit from that information.

                                                                        I'd like to see his/her updates continue as the schema introduced by this user may not be the absolute best way of setting up Snort and pfBlocker but its the best I've come across and certainly has made my system more efficient and less troublesome.  Judging by recent posts in the Packages area, it seems many others could benefit from this schema as well.... if they knew about it.

                                                                        Respectfully submitted,
                                                                        Rick

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • J
                                                                          joako last edited by

                                                                          Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • bmeeks
                                                                            bmeeks last edited by

                                                                            @joako:

                                                                            Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.

                                                                            The new 2.9.6.0 version of Snort offers increased packet/file capture abilities according to the post on the Snort.org web site.  I am working now on readying that version for the next Snort package update.  I will investigate what is offered in the new binary and see what I can reasonably incorporate into the GUI.

                                                                            I had a similar request from some folks in the new Suricata BETA package thread where the wish was a clickable link from the alert on the ALERTS tab to a view of the packets that triggered the alert.  I am mulling over in my head the best way to accomplish that without bogging down the firewall CPU searching through hundreds of megabytes of packet capture files.  In general its better to offload such tasks to an external system.

                                                                            Bill

                                                                            1 Reply Last reply Reply Quote 0
                                                                            • M
                                                                              Melphiz last edited by

                                                                              @jflsakfja:

                                                                              The Missing Part to Quick Snort Setup Instructions for New Users

                                                                              In tab "Rules", under "Category" select:
                                                                              (–- means blank table at time of writing)

                                                                              Hello,

                                                                              does this mean I have to enable ALL when it's written all? Jesus, that would take ages as you can only enable one at a time … Especially GPLv2 has like 85% disabled by default ... Holy, I have 3x WAN, I'd never find the time for that.

                                                                              I don't really understand enabled/disabled here. For your example with "2000419" (which occurs right after I started snort with default settings) the rule is faded/greyed out - means it is disabled by default, right? So why does it generate an alert?

                                                                              Edit: Whoa I couldn't use that whole package for 3x WAN, it uses 42% of 2027 MB for 1 WAN already o.O


                                                                              1 Reply Last reply Reply Quote 0
                                                                              • bmeeks
                                                                                bmeeks last edited by

                                                                                @Melphiz:

                                                                                @jflsakfja:

                                                                                The Missing Part to Quick Snort Setup Instructions for New Users

                                                                                In tab "Rules", under "Category" select:
                                                                                (–- means blank table at time of writing)

                                                                                Hello,

                                                                                does this mean I have to enable ALL when it's written all? Jesus, that would take ages as you can only enable one at a time … Especially GPLv2 has like 85% disabled by default ... Holy, I have 3x WAN, I'd never find the time for that.

                                                                                I don't really understand enabled/disabled here. For your example with "2000419" (which occurs right after I started snort with default settings) the rule is faded/greyed out - means it is disabled by default, right? So why does it generate an alert?

                                                                                Edit: Whoa I couldn't use that whole package for 3x WAN, it uses 42% of 2027 MB for 1 WAN already o.O

                                                                                There is an "Enable All Rules in the Current Category" button on the RULES tab for a Snort interface.  So select the GPLv2 Community Rules in the drop-down, then click the "Enable All Rules in the Current Category" button (it is a plus "+" icon).

                                                                                The answer to your second question about a "disabled rule" apparently causing an alert is as follows.  Many Snort rules either fire, or look for previously fired, internal triggers called flowbits.  Google the terms "snort flowbits" to find some web sites with more detailed explanations.  In order for some rules to fire an alert, they need to see flowbits set by some other rules.  The Auto-Flowbits feature of Snort will walk through all of your enabled rules looking any flowbit dependencies.  If it finds a needed flowbit is only set by a currently disabled rule, then it will auto-enable that rule (unless you have explicitly manually disabled it).  So the short answer is the alert is coming from a rule that the auto-flowbits process toggled from "default disabled" to "default enabled" behind the scenes.  If you really do not want an alert for that rule, simply add it's GID:SID to the Suppression List.

                                                                                Bill

                                                                                1 Reply Last reply Reply Quote 0
                                                                                • C
                                                                                  cogumel0 last edited by

                                                                                  Hi Bill,

                                                                                  You said in a couple of your posts that to work around NAT and knowing the origin of an internal threat you'd also enable snort on the LAN interface.

                                                                                  You suggested leaving snort also looking at the WAN interface but with a lot less rules than the LAN and handling everything else on the LAN (I'm assuming you also mean setting both WAN and LAN snort configurations to look at both source and destination).

                                                                                  I can understand the logic of moving it to the LAN since otherwise in a NAT environment you can't see which client is generating threat alerts, but what is the reason behind leaving some of the rules on the WAN and not moving everything to the LAN?

                                                                                  Also another question: my pfSense setup consists of 3 LANs, if I were to setup snort with the vast majority/all the rules on the LAN, would I need to have one setup for each interface? Which in turn would mean 3x as much RAM usage, and manually setting each of the interfaces manually? Is there one way to apply the same config to all LANs through without the increase in memory?

                                                                                  EDIT

                                                                                  Forgot to say my pfSense is a VM running on ESXi 5.5 Update 1, so is this something I can change by configuring promiscuous mode on the VM network?

                                                                                  Thank you.

                                                                                  1 Reply Last reply Reply Quote 0
                                                                                  • bmeeks
                                                                                    bmeeks last edited by

                                                                                    @cogumel0:

                                                                                    Hi Bill,

                                                                                    You said in a couple of your posts that to work around NAT and knowing the origin of an internal threat you'd also enable snort on the LAN interface.

                                                                                    You suggested leaving snort also looking at the WAN interface but with a lot less rules than the LAN and handling everything else on the LAN (I'm assuming you also mean setting both WAN and LAN snort configurations to look at both source and destination).

                                                                                    I can understand the logic of moving it to the LAN since otherwise in a NAT environment you can't see which client is generating threat alerts, but what is the reason behind leaving some of the rules on the WAN and not moving everything to the LAN?

                                                                                    Also another question: my pfSense setup consists of 3 LANs, if I were to setup snort with the vast majority/all the rules on the LAN, would I need to have one setup for each interface? Which in turn would mean 3x as much RAM usage, and manually setting each of the interfaces manually? Is there one way to apply the same config to all LANs through without the increase in memory?

                                                                                    EDIT

                                                                                    Forgot to say my pfSense is a VM running on ESXi 5.5 Update 1, so is this something I can change by configuring promiscuous mode on the VM network?

                                                                                    Thank you.

                                                                                    It is true there is no necessary technical advantage running Snort with split rules (some on WAN and most on LAN, for example).  It is more of a preference thing.  Depends primarily on the network design you have and what you want to protect in what ways.

                                                                                    As for a VMware environment with multiple LANs, I don't know of a way short of running Snort on each LAN interface.  I have not, though, played with promiscuous mode in VMware.  I don't know if that would be a solution or not.

                                                                                    Bill

                                                                                    1 Reply Last reply Reply Quote 0
                                                                                    • First post
                                                                                      Last post