Quick Snort Setup Instructions for New Users
-
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually? -
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually?I rest my case. I also wish the company you work for, good luck when the security breach eventually happens.
-
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually?No, there really is not a way to install it manually. It consists of multiple parts and pieces that must get installed by the built-in package manager in pfSense. It does not exist in something like a tar.gz file you could unzip and install.
I also agree with jflsakfja that you have less security than you think by running older unpatched firewall software. Simply not providing Internet access does not help much if you have unpatched vulnerabilities and somebody walks around with a USB stick in your "protected" network … ;)
Bill
-
How are you managing keeping the system up to date if it's offline?
running 2.1.1, no updates performed since.
is there no way to install snort manually?No, there really is not a way to install it manually. It consists of multiple parts and pieces that must get installed by the built-in package manager in pfSense. It does not exist in something like a tar.gz file you could unzip and install.
Bill
Sad to know but thanks for the reply :)
-
Feel for you bhawk6901.
Sometimes required by law.
http://en.wikipedia.org/wiki/Air_gap_%28networking%29
-
lol.. Just when you think your secure… Your not! :o :o
http://thehackernews.com/2014/10/airhopper-hacking-into-isolated.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29
-
Yeah, Thanks. Now they'll require a Faraday Cage around the MDF and all the IDF's… LMAO...
lol.. Just when you think your secure… Your not! :o :o
http://thehackernews.com/2014/10/airhopper-hacking-into-isolated.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29
-
how to configure pfsense for multi wan setup ?
thanksother thing ..
how i can test my server security ? ( how to "hack" my server for testing .. ) -
Good Evening,
I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.
Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''
Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Best-
Darren
-
Good Evening,
I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.
Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''
Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Best-
Darren
This is a broken Emerging Threats rule that has had broken syntax for almost a year. Several attempts at getting it fixed at the source have been unsuccessful. Folks here just disable that rule. You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872. That is the rule that is malformed.
I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.
Bill
-
Good Evening,
I am running into a fatal error when starting Snort on the WAN. Has anyone run into this before &/or have any suggestions on how to fix it? I have spent hours looking through the rules trying to locate the problem rule but have been unsuccessful in locating it.
Feb 22 19:37:07 php-fpm[20485]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/snort -R 31559 -D -q –suppress-config-log -l /var/log/snort/snort_em131559 --pid-path /var/run --nolock-pidfile -G 31559 -c /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/snort.conf -i em1' returned exit code '1', the output was ''
Feb 22 19:37:07 snort[53353]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules(11872) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Best-
Darren
This is a broken Emerging Threats rule that has had broken syntax for almost a year. Several attempts at getting it fixed at the source have been unsuccessful. Folks here just disable that rule. You can find its GID:SID by opening the file /usr/pbi/snort-amd64/etc/snort/snort_31559_em1/rules/snort.rules in a text editor (such as vi) and going to line 11872. That is the rule that is malformed.
I don't have the rule SID in my head at the moment, but you can search this forum for similar errors and will find multiple posts about this rule.
Bill
Thank you Bill! That was very helpful. For anyone else that runs into this, the rule that needs to be disabled is:
emerging-web_client.rules
SID: 2011695
ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure AttemptBest-
Darren
-
Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?
-
Good Morning,
Has anyone had success in configuring Snort to allow apple devices to communicate with the Apple Store & iCloud? I have followed the quick setup guide, rule configuration, & everything appears to be working great, with the exception of iPad's & iPhone's not being able to communicate with the Apple Store & not able to restore from iCloud Backup. Any direction on how best to allow this connectivity would be greatly appreciated.
Best-
Darren
-
Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?
I am leery of permanently disabling a rule within the GUI code.
Bill
-
Good Morning,
Has anyone had success in configuring Snort to allow apple devices to communicate with the Apple Store & iCloud? I have followed the quick setup guide, rule configuration, & everything appears to be working great, with the exception of iPad's & iPhone's not being able to communicate with the Apple Store & not able to restore from iCloud Backup. Any direction on how best to allow this connectivity would be greatly appreciated.
Best-
Darren
I have no problem with this working in my home network using Snort and pfSense 2.2. Have you checked to see if some particular alert is firing and generating a block? You can check the ALERTS or BLOCKED tabs to see what Snort is doing.
Bill
-
Since this sid has been an issue for over a year, wouldn't it be appropriate to disable it from the ruleset so it doesn't come and haunt future users?
What, you mean ET actually disabling a non functioning rule? Come on it's ET we are talking about here. ;)
I'm on bmeek's side here. Permanently disabling a rule shouldn't be the solution. Not unless we can get a premade list out anyway (hint:new guide).
-
Good Day,
I'm running into an issue with the Ooma IP Telephone Service whereby anytime a telephone call is made or received, it trips the following rule in Snort:
ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
I created a Firewall Alias called Ooma with the following data for the Ooma Servers:
70.42.139.0/24 Ooma
208.83.244.0/22 Ooma, Inc.I then added the Alias to the Snort Pass List, checking the Ooma Alias, & leaving all other boxes unchecked. I've clearly missed something, as the alerts are still being triggered & blocked, inspite of having added the correct Ooma Servers. Any thoughts?
Best-
Darren
-
Did you stop/start the snort interface after adding that to the passlist?
-
Good Day,
I'm running into an issue with the Ooma IP Telephone Service whereby anytime a telephone call is made or received, it trips the following rule in Snort:
ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
I created a Firewall Alias called Ooma with the following data for the Ooma Servers:
70.42.139.0/24 Ooma
208.83.244.0/22 Ooma, Inc.I then added the Alias to the Snort Pass List, checking the Ooma Alias, & leaving all other boxes unchecked. I've clearly missed something, as the alerts are still being triggered & blocked, inspite of having added the correct Ooma Servers. Any thoughts?
Best-
Darren
Also make sure the new Pass List is actually assigned to your Snort interface by choosing it in the PASS LIST drop-down box on the INTERFACE SETTINGS tab. Save the change and then restart Snort on the interface as @jflsakfja suggested.
Additionally, I don't recommend unchecking the other Pass List checkboxes. You generally don't ever want to do that except in very unusual situations. Yours does not sound like one where I would uncheck those default-checked boxes.
Bill
-
Excellent, thank you both! I went back & changed the settings per your guidance & the telephone service is now working. Can't thank you enough for your help! Alerts are still being generated, but no longer blocked. Is there any reason why I would not want to suppress these alerts?
Best-
Darren
