Snort 2.9.4.1 pkg v.2.5.8
-
Sounds great.
I am curious.. Is there a way to deal with the copy including extra hidden characters? I only say that because I copied it into another program but now I am wondering if that document has these extra hidden characters in there too. I wonder if a copy into gnome editor for an example would strip them out during a paste into the gnome editor or not.
I don't expect anything to be done… I am just interested in knowing how things like that could be dealt with if the copy needed to be pristine. For example maybe not having the characters in the table if possible which i assume its not. You can ignore this question and I won't feel bad... I am sure you have better things to do :).
-
Sounds great.
I am curious.. Is there a way to deal with the copy including extra hidden characters? I only say that because I copied it into another program but now I am wondering if that document has these extra hidden characters in there too. I wonder if a copy into gnome editor for an example would strip them out during a paste into the gnome editor or not.
I don't expect anything to be done… I am just interested in knowing how things like that could be dealt with if the copy needed to be pristine. For example maybe not having the characters in the table if possible which i assume its not. You can ignore this question and I won't feel bad... I am sure you have better things to do :).
I don't know of a way to exclude them from the copy operation since that is totally outside the scope of the Snort GUI.Scratch that first sentence. Should have done a quick Google before I posted it originally. Turns out it is possible to "capture" a copy operation in JavaScript and manipulate the clipboard contents. I will experiment with this approach on the Alerts tab page to see if I can capture and "scrub" the clipboard data of any zero-length space characters before passing the data on to the OS.The zero-length spaces are currently a sort of quasi-necessary evil. Without them, IPv6 addresses are so long they overlap the next column on the tab. There is limited real estate on the screen for all the data required for the Alerts tab. The Widescreen package is not yet standard in pfSense. The default display width is 725 pixels no matter what the total screen width is. So I try to stay within that limit for now until something like Widescreen is incorporated into the baseline pfSense GUI. The zero-length spaces are the best I could come up with to break IPv6 addresses.
I also don't know what other editors will do with them. I do know they come across from your Forum post here to my browser. I copied your IPv6 address example and then pasted it into a PERL regex test web site. The zero-length spaces came over and showed up as the values. So they survived through that process of copying from your post and pasting into another web site's text form.
Bill
-
Just a small question regarding that….what if you change the 725px to 80% or 100% instead??
-
Guys I updated and lost all my settings - no big deal but now I have an issue with http_inspect.
Constantly sites like google, reddit, imgur, yahoo, youtube…the list goes on... are getting blocked.
Can you please tell me what I am doing wrong with the setup of this and if any of you are seeing the same issues?
I tried to disable it via options but then snort won't start - guessing some WAN categories are dependent on http_inspect starting.
-
Just a small question regarding that….what if you change the 725px to 80% or 100% instead??
I am using 100% as the table widths, but when you call in the header and footer includes that constitute the pfSense GUI, you wind up running as a nested table that ends up being 100% of 725 pixels… :(
The good news is once something like the Widescreen package stabilizes and becomes part of the standard GUI, Snort should adapt quite well since all of its width specifications are in percentage.
Bill
-
Guys I updated and lost all my settings - no big deal but now I have an issue with http_inspect.
Constantly sites like google, reddit, imgur, yahoo, youtube…the list goes on... are getting blocked.
Can you please tell me what I am doing wrong with the setup of this and if any of you are seeing the same issues?
I tried to disable it via options but then snort won't start - guessing some WAN categories are dependent on http_inspect starting.
There is a check box on the Preprocessors tab at the bottom of the HTTP_INSPECT section that says "disable http_inspect alerts" or something similar. Tick that box. You should then no longer get blocks from HTTP_INSPECT alerts. There is also a new button at the bottom of the page for 2.5.8 that will reset all the preprocessor settings to their defaults. The default for HTTP_INSPECT should be enabled but with alerts disabled.
Attached below are my HTTP_INSPECT settings. You can also automatically add problem alerts to the Suppress List by clicking the plus icons (+) under the alert on the Alerts tab. Once you do this, you will need to stop and restart Snort to pick up the change.
Bill
-
Did you see the thread I created about finding a notification script by someone else? I am making good use of it. I only block on the LAN snort instance though. I would get too many notifications on the wan side.
http://forum.pfsense.org/index.php/topic,63418.0.html -
Did you see the thread I created about finding a notification script by someone else? I am making good use of it. I only block on the LAN snort instance though. I would get too many notifications on the wan side.
http://forum.pfsense.org/index.php/topic,63418.0.htmlYes, I saw the post. It is a handy script, but with a number of commercial Snort installations I think it could lead to "information overload" with the number of blocks and unblocks that routinely happen. An improvement might be to filter the events and only send notifications for high priority ones so that you don't get an e-mail flood for something like blocks/unblocks from IPs on the RBN or CIARMY lists.
Bill
-
I agree. Currently it would mean that I would get about 1000+ emails a day and I dont have time for that…
It would consume a LOT of space on the mailserver for nothing really.
-
Guys I updated and lost all my settings - no big deal but now I have an issue with http_inspect.
Constantly sites like google, reddit, imgur, yahoo, youtube…the list goes on... are getting blocked.
Can you please tell me what I am doing wrong with the setup of this and if any of you are seeing the same issues?
I tried to disable it via options but then snort won't start - guessing some WAN categories are dependent on http_inspect starting.
There is a check box on the Preprocessors tab at the bottom of the HTTP_INSPECT section that says "disable http_inspect alerts" or something similar. Tick that box. You should then no longer get blocks from HTTP_INSPECT alerts. There is also a new button at the bottom of the page for 2.5.8 that will reset all the preprocessor settings to their defaults. The default for HTTP_INSPECT should be enabled but with alerts disabled.
Attached below are my HTTP_INSPECT settings. You can also automatically add problem alerts to the Suppress List by clicking the plus icons (+) under the alert on the Alerts tab. Once you do this, you will need to stop and restart Snort to pick up the change.
Bill
Thanks for that…but I am still getting alerts and blocks for it?
Have changed my settings to be exactly the same as yours and still getting things like this:
-
Guys I updated and lost all my settings - no big deal but now I have an issue with http_inspect.
Constantly sites like google, reddit, imgur, yahoo, youtube…the list goes on... are getting blocked.
Can you please tell me what I am doing wrong with the setup of this and if any of you are seeing the same issues?
I tried to disable it via options but then snort won't start - guessing some WAN categories are dependent on http_inspect starting.
There is a check box on the Preprocessors tab at the bottom of the HTTP_INSPECT section that says "disable http_inspect alerts" or something similar. Tick that box. You should then no longer get blocks from HTTP_INSPECT alerts. There is also a new button at the bottom of the page for 2.5.8 that will reset all the preprocessor settings to their defaults. The default for HTTP_INSPECT should be enabled but with alerts disabled.
Attached below are my HTTP_INSPECT settings. You can also automatically add problem alerts to the Suppress List by clicking the plus icons (+) under the alert on the Alerts tab. Once you do this, you will need to stop and restart Snort to pick up the change.
Bill
Thanks for that…but I am still getting alerts and blocks for it?
Have changed my settings to be exactly the same as yours and still getting things like this:
And you did restart Snort after the change, correct?
If you did, and are still getting the alerts, then click on the (+) icon under the SID column on the Alerts tab. That will add the Generator ID:Signature ID for that alert to the Suppress List. After doing this, stop and restart Snort on the Snort Interfaces tab. That should for sure silence the alert.
If you restarted Snort after changing the Preprocessor settings and still got the alerts, post back and let me know. That should have silenced them, and if it did not, I need to investigate that in the code.
Bill
-
hmmm right some weird stuff happening now.
I restarted snort under the interfaces tab after checking
Turn off alerts from HTTP Inspect preprocessor. This has no effect on HTTP rules. Default is Checked.
But still getting the IPs blocked for http_inspect.
So as you said I tried to add to the suppress list:
However when I go to the suppress list there is nothing entered?
I am going to try to re-install snort right now and see if that helps! -
hmmm right some weird stuff happening now.
I restarted snort under the interfaces tab after checking
Turn off alerts from HTTP Inspect preprocessor. This has no effect on HTTP rules. Default is Checked.
But still getting the IPs blocked for http_inspect.
So as you said I tried to add to the suppress list:
However when I go to the suppress list there is nothing entered?
I am going to try to re-install snort right now and see if that helps!I do believe you will need to manually create it first. Mine working as I already have suppress list
-
okay quick update
uninstalled snort
re-installed it
put all my setting back to how they were.
having the check box ticked for it to not block for http_inspect issues didn't work.
So added that ID to the suppress list as you said - this seems to have worked now.
need any logs from me to see why the http_inspect check box isn't working?
-
okay quick update
uninstalled snort
re-installed it
put all my setting back to how they were.
having the check box ticked for it to not block for http_inspect issues didn't work.
So added that ID to the suppress list as you said - this seems to have worked now.
need any logs from me to see why the http_inspect check box isn't working?
With that box checked, you will see the alerts logged on the Alerts tab, but you should not be getting blocks for those IP addresses on the Blocked tab. If you are no longer getting blocks for those IPs listed on the Blocked tab, then the check box is working correctly. It's a bit of a misnomer with the titling. The Alerts tab is really just reading the Snort logs. Snort will log everything. What pfSense calls blocks on the Blocked tab is what Snort calls alerts. A little confusing, probably for new users. When you put something on the Suppress List, it will no longer cause blocks, but will still get logged on the Alerts tab (since the event will be logged by Snort). If you truly do not want to even see the event in the logs, then you have to disable the rule. Your screenshot was of the Alerts tab, so I assume the Blocked tab no longer shows an active block for those hosts listed.
As to the blank Suppress List page, go to the If Settings tab for the WAN interface and post a screenshot of the Suppression List setting in the drop-down near the bottom of the page. Unless you specifically had a name set there, it should be either "default" or "wansuppress".
Bill
-
yea the box was checked and the hosts were getting blocked
100% sure on this because as soon as the host ip was on that block list the website in question would stop working.
-
Anyone still having issues where a blocked IP is removed from snort2c within a few minutes? I'm banging my head here. I've set it for never expire, disabled log limit and removed the 2 cron jobs. They still disappear. I've done a clean install of snort with my old config.. Only 2 options left are to either wipe all snort settings and start fresh or rebuild my box from iso install..
-
Anyone still having issues where a blocked IP is removed from snort2c within a few minutes? I'm banging my head here. I've set it for never expire, disabled log limit and removed the 2 cron jobs. They still disappear. I've done a clean install of snort with my old config.. Only 2 options left are to either wipe all snort settings and start fresh or rebuild my box from iso install..
When the packet filter is reloaded the table "snort2c" will be cleared. This can have many causes and the log file should give clues. It is discussed before.
-
Anyone still having issues where a blocked IP is removed from snort2c within a few minutes? I'm banging my head here. I've set it for never expire, disabled log limit and removed the 2 cron jobs. They still disappear. I've done a clean install of snort with my old config.. Only 2 options left are to either wipe all snort settings and start fresh or rebuild my box from iso install..
gogol is correct. Anything that causes pfSense to reload the packet filter will automatically dump the table Snort's output plugin uses to implement blocks. Reloads can happen because of edits within the GUI, DHCP address changes, links going up and down, etc. Look for the tag check_reload_status: Syncing firewall in the system log. That's an event that clears the table, I believe.
Not really sure why this is a big deal to folks, though. If an offending packet for that IP traverses the firewall again, the IP will be "re-blocked". Or put another way, if whatever caused it to get blocked in the first place repeats, then it will be blocked again. Maybe I'm missing something?
Bill
-
I've been away for a couple of weeks and when I brought it up last month, there wasnt a reason why. Going thru my cron jobs, there is a job that re-sync every 15 minutes so that would explain why the table is being cleared..
This is new behavior for snort. I've been using snort on pfsense for many years and it never acted this way. And if it did, I've never noticed it while testing for last 2 developers of the snort package. This is why I bring it up.