Quick Snort Setup Instructions for New Users



  • Someone found a workaround for it in this thread at the end. https://forum.pfsense.org/index.php?topic=74486.15



  • Noob issue with creating Alias/Whitelist….

    I am having an issue creating a Passlist (whitelist).  I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e)  with a set of check boxes, and an Alias box at the bottom.

    To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box:  But I get an error message when adding a file name, whether it as created in the "Ip List" or not:  The following input errors were detected:        A valid alias must be provided

    I follow the Alias button, and there is no (+) Add button.  I tried different syntax in the file name, adding a "IP List" but have not been able to create or add.  I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.

    What simple idiot step am I missing?  Thanks.



  • @Amuzed2pieces:

    Noob issue with creating Alias/Whitelist….

    I am having an issue creating a Passlist (whitelist).  I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e)  with a set of check boxes, and an Alias box at the bottom.

    To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box:  But I get an error message when adding a file name, whether it as created in the "Ip List" or not:  The following input errors were detected:        A valid alias must be provided

    I follow the Alias button, and there is no (+) Add button.  I tried different syntax in the file name, adding a "IP List" but have not been able to create or add.  I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.

    What simple idiot step am I missing?  Thanks.

    Firewall/aliasses. Create one first.

    It is good to see more noobs on this board; for over a year I've been feeling so lonely  ;D



  • RE Selecting Rule Sets:

    Under "WAN Categories", I have the IPS Ruleset:Connectivity and Flowbits boxes checked.

    Do I just ignore the "Rulesets Snort will load at Startup"  below this?  So is this an ALTERNATIVE or ADDITION, or do I have to check the Rulesets to use UNDER the IPS Ruleset: Connectivity?

    Thanks for the noob clarification.



  • @Hollander:

    Firewall/aliasses. Create one first.

    It is good to see more noobs on this board; for over a year I've been feeling so lonely  ;D

    I will probably make your week.



  • @Amuzed2pieces:

    RE Selecting Rule Sets:

    Under "WAN Categories", I have the IPS Ruleset:Connectivity and Flowbits boxes checked.

    Do I just ignore the "Rulesets Snort will load at Startup"  below this?  So is this an ALTERNATIVE or ADDITION, or do I have to check the Rulesets to use UNDER the IPS Ruleset: Connectivity?

    Thanks for the noob clarification.

    When you select an IPS Policy, that will load a preset collection of Snort VRT rules.  The VRT rule authors decide which particular rules are associated with a given IPS Policy.  But this only applies to Snort VRT rules.  Emerging Threats is a completely separate and unrelated set of rules.  So when you use an IPS Policy, individual selections for Snort VRT rule categories are disabled, but you are free to select ET rules categories (if you have Emerging Threats rules enabled for download under GLOBAL SETTINGS) that will be added to your automatic Snort VRT collection coming from the chosen policy.  So when using a policy, the checkboxes further down below are optional and will add more rules to those that are part of the policy.

    Bill



  • @Amuzed2pieces:

    Noob issue with creating Alias/Whitelist….

    I am having an issue creating a Passlist (whitelist).  I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e)  with a set of check boxes, and an Alias box at the bottom.

    To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box:  But I get an error message when adding a file name, whether it as created in the "Ip List" or not:  The following input errors were detected:        A valid alias must be provided

    I follow the Alias button, and there is no (+) Add button.  I tried different syntax in the file name, adding a "IP List" but have not been able to create or add.  I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.

    What simple idiot step am I missing?  Thanks.

    Aliases are used throughout pfSense and are really cool.  They allow you to use a "name" for one or more IP addresses (hosts, networks, etc.).  Anywhere you use the "name", then at runtime pfSense will go grab the underlying associated IP addresses and use them in the firewall rules.  This way, if later on you need to edit an IP address or add or delete one, you just edit the Alias.  Then the change is instantly applied to all the firewall rules (or in the case of PASS LISTS in Snort), the Snort pass list.  That keeps you from having to manually search out all the places where that IP was used and then hand editing it in every instance.

    You create Aliases under Firewall…Aliases as another user posted.  Once created, you can then access the list of Aliases from several places in Snort where Aliases are allowed by clicking the VIEW button beside the fields.  Anytime you see a textbox entry field with a red background, that means it will only accept an already-created Alias name as a valid parameter.



  • I have three questions about Snort.

    1. Auto-Flowbit Rules. There is a warning on the Auto-Flowbit Rules page “WARNING: You should not disable flowbit rules! Add Suppress List entries for them instead by clicking here.”

    Do I understand correctly that this warning exists because disabling any of these rules may make other, enabled, rules not function?

    A small comment: since a rule can be disabled right from the Alerts page, a user may never see the warning and disable an Auto-Flowbit Rule.
    Is there some kind of rule of thumb, which rules are safe to disable and which must remain enabled and may only be suppressed?

    1. Pass Lists. The Pass Lists page contains the following information, “The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks. Be careful, it is very easy to get locked out of your system by altering the default settings.”

    By default there is no Pass List, so the default pass list must be hidden or something. Now, when I create a custom pass list, I realize that I need to add WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks, to it by leaving the corresponding checkboxes on in the “Add auto-generated IP Addresses” section checked.

    Now, what happens when something in this auto-generated section changes? For example, if I changed a DNS server address, will the pass-list automatically reference the new DNS address, or do I need to go to the pass list and re-save it?

    1. Memory usage. If I have plenty of memory on the system, will Snort be automatically allocated as much as it needs, or is there a setting somewhere to give Snort more memory for better performance? I already selected the “AC” search method, I am just wondering if I also need to dedicate the memory to Snort somehow, or it will grab the free memory automatically.

    Thank you!



  • @G.D.:

    I have three questions about Snort.

    1. Auto-Flowbit Rules. There is a warning on the Auto-Flowbit Rules page “WARNING: You should not disable flowbit rules! Add Suppress List entries for them instead by clicking here.”

    Do I understand correctly that this warning exists because disabling any of these rules may make other, enabled, rules not function?

    A small comment: since a rule can be disabled right from the Alerts page, a user may never see the warning and disable an Auto-Flowbit Rule.
    Is there some kind of rule of thumb, which rules are safe to disable and which must remain enabled and may only be suppressed?

    First, auto-flowbit rules are those that set flowbits required by other rules that check those flowbits.  So if you have enabled a rule that only triggers when some particular flowbit is set, but you neglected to enable the rule that sets that flowbit, then your enabled rule would never fire.  The auto-flowbit logic takes care of this for you behind the scenes by looking at all your rules and finding each one that examines a flowbit.  It then looks to make sure that at least one enabled rule exists that sets that flowbit.  If not, it will enable all rules that set that flowbit for you.

    So this is why you should suppress, rather than disable, flowbit rules that generate false positives.  The Snort VRT folks are really good about including the "noalert" option with nearly all of their flowbit "set" rules so they don't generate alerts but do set the flowbit.

    Finally, yeah it is possible to inadvertently disable a flowbit rule on the ALERTS tab if you don't pay attention.

    @G.D.:

    1. Pass Lists. The Pass Lists page contains the following information, “The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks. Be careful, it is very easy to get locked out of your system by altering the default settings.”

    By default there is no Pass List, so the default pass list must be hidden or something. Now, when I create a custom pass list, I realize that I need to add WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks, to it by leaving the corresponding checkboxes on in the “Add auto-generated IP Addresses” section checked.

    Now, what happens when something in this auto-generated section changes? For example, if I changed a DNS server address, will the pass-list automatically reference the new DNS address, or do I need to go to the pass list and re-save it?

    The default Pass List does indeed contain those items that are default "checked" on the PASS LISTS tab.  If any of those change, Snort will pick it up with the following important caveat – Snort reads these values only on a restart.  So if something changes and Snort is not restarted, it will not see the changed item.  pfSense is pretty good about restarting packages when important things happen (like DHCP giving a new WAN IP address, for example).

    @G.D.:

    1. Memory usage. If I have plenty of memory on the system, will Snort be automatically allocated as much as it needs, or is there a setting somewhere to give Snort more memory for better performance? I already selected the “AC” search method, I am just wondering if I also need to dedicate the memory to Snort somehow, or it will grab the free memory automatically.

    Thank you!

    The answer here is "yes", Snort will take what it needs up to the max defined for parameters that have max memcap settings (these are on the PREPROCESSORS tab mostly).  This is also why Snort can bring a box without a lot of RAM to its knees quickly in a high traffic situation.

    Bill



  • Quick question, I have snort setup and running, but I find if I restart or shutdown or restart snort, the interface does not start automatically.

    But if I click on it, it will start and operate.

    Is this normal or did I miss some setting .

    Thanks in advance

    David


  • Moderator

    Depending on RAM and the amount of Rules enabled, Snort can take some time to Stop and Start.

    When you Re-Start Snort from the Services Menu, it will restart all of the Enabled Interfaces Automatically. You dont need to click the start Interface again.

    If you make configuration changes to a Snort Interface, Click the Green Enabled Interface and it can take some time to shutdown. You can refresh the page or click the snort interfaces tab until it stops. Then click it once again to re-enable.

    From an SSH shell, you can run the following command to see if you have any duplicate PIDS for Snort. There should only be one PID per Enabled Interface. or from the Diagnostics:Command Prompt.

    pgrep snort

    If there are duplicate PIDS, you could run  pkill snort  and then Restart the Snort Services.



  • A couple more general questions about the Snort package:

    1. I verified that a rule is not on the Auto-Flowbit list. I then clicked on the red “x” to disable it, and restarted the PFSense. The rule is now showing up with a yellow “x” (Rule forced to a disabled state). But Snort still triggers and blocks on this rule. What am I doing wrong?

    2. Upon pfSense reboot the list of blocked hosts is erased. Is this correct behavior or is something broken in my install? If this is correct, is there an option somewhere to make the blocked hosts list survive reboot?

    Thank you.


  • Moderator

    @G.D.:

    1. I verified that a rule is not on the Auto-Flowbit list. I then clicked on the red “x” to disable it, and restarted the PFSense. The rule is now showing up with a yellow “x” (Rule forced to a disabled state). But Snort still triggers and blocks on this rule. What am I doing wrong?

    Is the alert in the "Alerts" Tab or the "Blocked" Tab?  If its only in the Blocked Tab, it could be from a different rule?

    Which Rule, can you provide any more details?

    1. Upon pfSense reboot the list of blocked hosts is erased. Is this correct behavior or is something broken in my install? If this is correct, is there an option somewhere to make the blocked hosts list survive reboot?

    In the "Global Settings" tab there are options to configure the Block table. I don't recall this being an issue from my boxes that I use. I only have "Keep Snort Settings After Deinstall" setting enabled in that section. I also set the remove Blocks to "Never"

    Are you running pfSense on an embedded machine or Full Blown Hardware?



  • The rule is “1:2017015 ET POLICY DropBox User Content Access over SSL.” It shows up both on the Blocked tab, and on the Alerts tab with a yellow “x” next to it.

    I am running the symmetric multiprocessing kernel on full-blown hardware.

    Thank you.

    Update: I noticed I could not trigger the rule anymore after a while. Now I re-enabled the rule, and restarted Snort, but even though the interfaces went green, I still cannot trigger the rule.

    Is just that something rebuilds on the background and the enabled/disabled rules start functioning or not functioning after a while, even after interfaces show running?



  • @G.D.:

    The rule is “1:2017015 ET POLICY DropBox User Content Access over SSL.” It shows up both on the Blocked tab, and on the Alerts tab with a yellow “x” next to it.

    I am running the symmetric multiprocessing kernel on full-blown hardware.

    Thank you.

    Update: I noticed I could not trigger the rule anymore after a while. Now I re-enabled the rule, and restarted Snort, but even though the interfaces went green, I still cannot trigger the rule.

    Is just that something rebuilds on the background and the enabled/disabled rules start functioning or not functioning after a while, even after interfaces show running?

    Enabling or disabling rules should only take a few seconds (well, maybe as long as minute or so if you have a lot of rules, a lower horsepower CPU and not much RAM).  When you click the icon on the ALERTS tab to disable a rule, the Snort process is sent a "reload configuration" command.  This is a kind of warm restart where Snort reads all the rules again and updates its in-memory copy.

    Bill


  • Moderator

    If you see this behaviour again, run a shell cmd

    [ pgrep snort ]

    and ensure that you only have pids for the number of enabled snort interfaces.



  • @bmeeks:

    Enabling or disabling rules should only take a few seconds (well, maybe as long as minute or so if you have a lot of rules, a lower horsepower CPU and not much RAM).  When you click the icon on the ALERTS tab to disable a rule, the Snort process is sent a "reload configuration" command.  This is a kind of warm restart where Snort reads all the rules again and updates its in-memory copy.

    I have re-enabled the rule on the WAN interface over 25 minutes ago, and the WAN interface is not alerting on it yet. The rule was always enabled all day today on the LAN interface, and it is alerting as it should.

    The computer is powerful with plenty of memory free, but I have a lot of the rules enabled on the WAN interface (all of them, practically, both VRT and ET, except those disabled by default). It takes a couple of minutes for the WAN interface to go green after restart. LAN is almost instant, as I have just a few rules enabled there, for testing.



  • I restarted the PFSense box yesterday and frolicked with it for another hour or so, trying to trigger the re-enabled rule. It would not trigger.

    I left the box to sit overnight, and in the morning the rule was working again.

    So, it appears that, for rule disabling/enabling to take effect it takes a while for something somewhere to reset/reload/reshape.



  • @G.D.:

    I restarted the PFSense box yesterday and frolicked with it for another hour or so, trying to trigger the re-enabled rule. It would not trigger.

    I left the box to sit overnight, and in the morning the rule was working again.

    So, it appears that, for rule disabling/enabling to take effect it takes a while for something somewhere to reset/reload/reshape.

    Did you remember to remove the block that would have been inserted from the first rule firing (assuming you have block offenders enabled)?  Where did you disable the rule?  Was it on the RULES tab or using the little icon beside the SID on the ALERTS tab?  If on the RULES tab, you must click the icon to disable, then click APPLY to save the changes and actually restart Snort.  If you did not do that, then the change in the rule did not happen until maybe the nightly rules update (since that restarts Snort).  Other than the scenario I just described, it should be almost immediate (as in 30 to 60 seconds).

    Bill



  • @bmeeks:

    Did you remember to remove the block that would have been inserted from the first rule firing (assuming you have block offenders enabled)?  Where did you disable the rule?  Was it on the RULES tab or using the little icon beside the SID on the ALERTS tab?  If on the RULES tab, you must click the icon to disable, then click APPLY to save the changes and actually restart Snort.  If you did not do that, then the change in the rule did not happen until maybe the nightly rules update (since that restarts Snort).  Other than the scenario I just described, it should be almost immediate (as in 30 to 60 seconds).

    I removed the block. All blocks are cleared on reboot anyway.

    I flipped the rule using the little icon beside the SID on the ALERTS tab.

    Thank you.



  • How can I update the blocked URL message?

    That is instead of the generic squid error.



  • @Cheetohz:

    How can I update the blocked URL message?

    That is instead of the generic squid error.

    If you are asking about customizing Snort alert event messages, that can only be done by manually editing the specific rule text.  I don't recommend it.  First, it's something you would have to redo with each rule update (potentially daily), and it quite easy to insert typos that can stop Snort from starting.

    Perhaps, I've misunderstood your question, though ???

    Bill



  • @bmeeks:

    @Cheetohz:

    How can I update the blocked URL message?

    That is instead of the generic squid error.

    If you are asking about customizing Snort alert event messages, that can only be done by manually editing the specific rule text.  I don't recommend it.  First, it's something you would have to redo with each rule update (potentially daily), and it quite easy to insert typos that can stop Snort from starting.

    Perhaps, I've misunderstood your question, though ???

    Bill

    Thanks, Bill. That was a wonderful response. And I can see where i should've taken my time and phrased it better.

    What i am asking is when a specific rule triggers an alert, blocks a host and then a user tried to access an http site with that host, they are presents with a generic error page. I was hoping to alter this to be a bit more descriptive on what is being blocked and why, this was I have an easy reference on what I need to change or fix and users are not freaking out that the whole of the internet is crashing down.



  • @Cheetohz:

    @bmeeks:

    @Cheetohz:

    How can I update the blocked URL message?

    That is instead of the generic squid error.

    If you are asking about customizing Snort alert event messages, that can only be done by manually editing the specific rule text.  I don't recommend it.  First, it's something you would have to redo with each rule update (potentially daily), and it quite easy to insert typos that can stop Snort from starting.

    Perhaps, I've misunderstood your question, though ???

    Bill

    Thanks, Bill. That was a wonderful response. And I can see where i should've taken my time and phrased it better.

    What i am asking is when a specific rule triggers an alert, blocks a host and then a user tried to access an http site with that host, they are presents with a generic error page. I was hoping to alter this to be a bit more descriptive on what is being blocked and why, this was I have an easy reference on what I need to change or fix and users are not freaking out that the whole of the internet is crashing down.

    Hmm…that would be quite a challenge because the IPS (Snort or Suricata) and the web proxy (Squid) don't know what the other did.  By that I mean Squid only knows the web site did not load because the TCP traffic stopped or never got started.  The IPS may well have blocked the traffic, but on the other hand, the IPS does not necessarily know which service on a given host initiated that outbound traffic.  So there is no way to "connect the dots" and pop up a pinpoint error message.

    If you were willing to dive into a lot of custom programming inside both packages (Snort and Squid), then you could perhaps pull this off.  But it would not be a trivial task.

    Bill



  • I am having problems getting the Home Net defined properly. The drop down box does not allow me to select anything other than default. I have a firewall alias for home net.

    I have also gone into the ip lists in the services->snort section. I checked the snort.conf that is auto generated, and renamed it to force a new one and it still created $HOME_NET as default.

    Thanks,

    Christina


  • Moderator

    goto the Firewall:Alias Tab and create an Alias. Enter the IPs that you would like to have in the Home_Net.

    See the text from the Home Net GUI Screen:

    Note: Default Home Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs.
    Hint: Create an Alias to hold a list of friendly IPs that the firewall cannot see or to customize the default Home Net.

    Click on "View List" to see what it is currently being set to.

    Usually this can be left as default.


  • Moderator

    I tried this myself and I can't seem to add an "Alias" either. Its the same issue in Suricata.

    I'm sure Bill Meeks (Package Maintainer) will reply with a fix or a solution.


  • Moderator

    After further review, I think this is done by Design by the pfSense Devs. You should be able to create a new Pass List and at the bottom of the passlist, you can add an "Alias" there.

    Hope this helps.



  • @kaisermac:

    I am having problems getting the Home Net defined properly. The drop down box does not allow me to select anything other than default. I have a firewall alias for home net.

    I have also gone into the ip lists in the services->snort section. I checked the snort.conf that is auto generated, and renamed it to force a new one and it still created $HOME_NET as default.

    Thanks,

    Christina

    Because the default $HOME_NET is sufficient for probably 99% of the user base, there is no facility to directly add an Alias to $HOME_NET via the drop-down.  Instead, if you have to customize $HOME_NET, go create a PASS LIST and give it a name that you can mentally link as HOME_NET.  You can select whichever of the normal PASS LIST defaults you want (WAN IP, locally-attached networks, DNS servers, etc.).  Then at the bottom of the page you can add an Alias.  That Alias can be a group consisting of additional aliases if necessary.  You have to create any of these Aliases first under Firewall…Aliases before you can use them in Snort or Suricata.

    While the procedure outlined above is admittedly not intuitive, it does allow you to accomplish the goal if you have an advanced need.  In a future release I will reconsider adding the option to directly add an existing alias to $HOME_NET.

    Bill



  • I know this is an old topic, but it is also a very popular one. If you came here looking to configure Snort, but were unsure of the untitled SID's included in jflsakfja's suppression list, I think I can help. I've spent a lot of time tracking down all (but one) of the nameless SID's.

    I've also included links for the ones I had to search for. I simply commented out all of the untitled SID's in my Suppression list, and then only re-enabled the ones that were actually tripped. I maintain and monitor several pfSense installations for several networks, and have never seen any of the SID's I've left disabled trip as of yet. I have however completely disabled the following rules:

    #emerging-chat.rules
    #emerging-tor.rules
    #emerging-p2p.rules

    So, any of the SID's belonging to these rules were completely unnecessary to also add to the Suppression List. ;)

    The only SID I could not find any information on is: 20122758. I'm not sure if this is a typo, and is actually supposed to be 2012275 or not. jflsakfja would have to answer that. ;)

    I also want to add a big THANKS! to bmeeks and jflsakfja for their contributions to this topic, and to the pfSense community!

    Without further ado; here is the list:

    #UPDATED 2014.09.03
    #UNKNOWN SID's will be added to the Suppress list after they have appeared in the Blocked list.

    #Unknown
    #This event is generated when an attempt is made to gain access to private resources using Samba.
    #https://www.snort.org/rule_docs/536
    #suppress gen_id 1, sig_id 536

    #TRIPPED & SUPPRESSED
    #GPLv2_community.rules INDICATOR-SHELLCODE x86 NOOP
    suppress gen_id 1, sig_id 648

    #Unknown
    #This event is generated when suspicious shell code is detected in network traffic.
    #https://www.snort.org/rule_docs/653
    #suppress gen_id 1, sig_id 653

    #TRIPPED & SUPPRESSED
    #GPLv2_community.rules INDICATOR-SHELLCODE x86 inc ebx NOOP
    suppress gen_id 1, sig_id 1390

    #TRIPPED & SUPPRESSED
    #GPLv2_community.rules POLICY-SOCIAL Yahoo IM ping
    suppress gen_id 1, sig_id 2452

    #Unknown
    #This event is generated when network traffic that indicates download of executable content is being used.
    #https://www.snort.org/rule_docs/11192
    #suppress gen_id 1, sig_id 11192

    #Unknown
    #This rule generates events when a portable executable file is downloaded.
    #https://www.snort.org/rule_docs/15306
    #suppress gen_id 1, sig_id 15306

    #Unknown
    #This event is generated when network traffic that indicates the download of executable content has occurred.
    #https://www.snort.org/rule_docs/16313
    #suppress gen_id 1, sig_id 16313

    #Unknown
    #This event is generated when an attempt is made to exploit a known vulnerability in internet security.
    #https://www.snort.org/rule_docs/17458
    #suppress gen_id 1, sig_id 17458

    #Unknown
    #This event is generated when an attempt is made to exploit a known vulnerability in firefox 3-6.
    #https://www.snort.org/rule_docs/20583
    #suppress gen_id 1, sig_id 20583

    #TRIPPED & SUPPRESSED
    #IPS Policy - Balanced FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
    suppress gen_id 1, sig_id 23098

    #Unknown
    #ET POLICY P2P BitTorrent peer sync
    #http://doc.emergingthreats.net/bin/view/Main/2000334
    #suppress gen_id 1, sig_id 2000334

    #TRIPPED & SUPPRESSED
    #ET TFTP Outbound TFTP Read Request
    suppress gen_id 1, sig_id 2008120

    #TRIPPED & SUPPRESSED
    #ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
    suppress gen_id 1, sig_id 2010516

    #Unknown
    #ET POLICY INFO EXE - OSX Disk Image Download
    #http://doc.emergingthreats.net/bin/view/Main/2014518
    #suppress gen_id 1, sig_id 2014518

    #Unknown
    #ET POLICY INFO EXE - Served Attached HTTP
    #http://doc.emergingthreats.net/bin/view/Main/2014520
    #suppress gen_id 1, sig_id 2014520

    #Unknown
    #GPL ICMP_INFO PING *NIX (emerging-icmp_info.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2011-06-02T20:30:08.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2011-06-02T20:30:08.txt
    #suppress gen_id 1, sig_id 2100366

    #Unknown
    #GPL ICMP_INFO PING BSDtype (emerging-icmp_info.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.open.2011-10-12T19:40:39.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2011-10-12T19:40:39.txt
    #suppress gen_id 1, sig_id 2100368

    #Unknown
    #GPL SHELLCODE x86 stealth NOOP (emerging-shellcode.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-08-21T21:30:42.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2012-08-21T21:30:42.txt
    #suppress gen_id 1, sig_id 2100651

    #Unknown
    #GPL SHELLCODE x86 inc ebx NOOP (emerging-shellcode.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-09-12T17:44:37.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2014-03-19T20:35:50.txt
    #suppress gen_id 1, sig_id 2101390

    #Unknown
    #GPL SHELLCODE x86 0xEB0C NOOP (emerging-shellcode.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-09-12T17:44:37.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2012-09-12T17:44:37.txt
    #suppress gen_id 1, sig_id 2101424

    #Unknown
    #GPL SHELLCODE x86 0x90 NOOP unicode (emerging-shellcode.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.8.4.open.2012-01-17T00:38:01.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2012-01-17T00:38:01.txt
    #suppress gen_id 1, sig_id 2102314

    #Unknown
    #GPL WEB_CLIENT PNG large colour depth download attempt (emerging-web_client.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.open.2011-08-02T02:55:35.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2011-08-02T02:55:35.txt
    #suppress gen_id 1, sig_id 2103134

    #NOT TRIPPED & NOT SUPPRESSED
    #ET POLICY ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 29
    #suppress gen_id 1, sig_id 2500056

    #Unknown
    #suppress gen_id 1, sig_id 20122758

    #Unknown
    #GPL CHAT MISC Jabber/Google Talk Outgoing Traffic (emerging-chat.rules)
    #http://rules.emergingthreats.net/changelogs/snort-2.9.0.open.2011-10-12T19:40:39.txt
    #http://rules.emergingthreats.net/changelogs/snort-2.8.6.etpro.2014-05-28T20:53:43.txt
    #suppress gen_id 1, sig_id 100000230

    #Unknown
    #This event is generated when an attempt is made to exploit a known vulnerability in libpng.
    #https://www.snort.org/rule_docs/3-14772
    #WEB-CLIENT libpng malformed chunk denial of service attempt
    #suppress gen_id 3, sig_id 14772

    #TRIPPED & SUPPRESSED
    #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
    suppress gen_id 120, sig_id 10

    @jflsakfja:

    The Missing Part to Quick Snort Setup Instructions for New Users



  • just wanted to ask if  snort be downloaded as a package e.g tar or such format and installed manually instead of selecting via GUI ? I ask since we try to avoid exposing our systems to internet. we have limited number of stand alone systems having access to the internnet. So if there is a package avail for snort, i can download it on those systems and install on the servers hosting pfsense.
    Thanks



  • I'm assuming that you are using pfsense as a network gateway, in which case it already has access to the internet (cough DNS cough). There is absolutely no reason why you should manually install any package available through the GUI, outside the GUI.

    Cutting off pfsense's internet access might be effective security, but it's the wrong kind of effective security. How will you keep the rule/ip lists up to date? Answer: You won't. A couple years down the road it will become an unmaintainable system, which everybody will hate you for implementing.



  • no mate, it isnt connected to the internet. no dns servers nothing. we have our own network connecting our 3 branches located at various places.
    as for cutting off access to the internet, its company policy and well it takes time for policies to change. Hopefuly we'l have it changed sooner than later but the thing is it isnt in my hands unfortunately.  :(



  • @bhawk6901:

    no mate, it isnt connected to the internet. no dns servers nothing. we have our own network connecting our 3 branches located at various places.
    as for cutting off access to the internet, its company policy and well it takes time for policies to change. Hopefuly we'l have it changed sooner than later but the thing is it isnt in my hands unfortunately.  :(

    How are you managing keeping the system up to date if it's offline?



  • How are you managing keeping the system up to date if it's offline?

    running 2.1.1, no updates performed since.
    is there no way to install snort manually?



  • @bhawk6901:

    How are you managing keeping the system up to date if it's offline?

    running 2.1.1, no updates performed since.
    is there no way to install snort manually?

    I rest my case. I also wish the company you work for, good luck when the security breach eventually happens.



  • @bhawk6901:

    How are you managing keeping the system up to date if it's offline?

    running 2.1.1, no updates performed since.
    is there no way to install snort manually?

    No, there really is not a way to install it manually.  It consists of multiple parts and pieces that must get installed by the built-in package manager in pfSense.  It does not exist in something like a tar.gz file you could unzip and install.

    I also agree with jflsakfja that you have less security than you think by running older unpatched firewall software.  Simply not providing Internet access does not help much if you have unpatched vulnerabilities and somebody walks around with a USB stick in your "protected" network …  ;)

    Bill



  • @bmeeks:

    @bhawk6901:

    How are you managing keeping the system up to date if it's offline?

    running 2.1.1, no updates performed since.
    is there no way to install snort manually?

    No, there really is not a way to install it manually.  It consists of multiple parts and pieces that must get installed by the built-in package manager in pfSense.  It does not exist in something like a tar.gz file you could unzip and install.

    Bill

    Sad to know but thanks for the reply :)



  • Feel for you bhawk6901.

    Sometimes required by law.

    http://en.wikipedia.org/wiki/Air_gap_(networking)


  • Moderator


Log in to reply