RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker
-
Sometimes the pfblocker lists I use are updated and block legitimate sites. The reason is that the host that website is on, could be compromised and start throwing scans here and there and sooner or later it's detected. From my point of view, that host shouldn't be allowed, but considered as a hostile compromised host. It's the host's admin responsibility to check how the compromise happened, why it happened, what was compromised, correct all those, then notify the list maintainers to request removal from those lists.
An example is a host that scanned one of the networks I'm responsible for. That scan was detected by my rules (which, to be completely honest account for about 90% of all hosts snort blocks). Investigating it shows that it's supposed to be a mail gateway host, but it's scanning for webservers. Interesting behaviour for a mail gateway. I could notify the server admins, but why bother? Last time I bothered was after some of my hosts were hit with persistent scans. The hosting company's response was:
"Thank you for your report.This client has assured us that they are performing benign research scans at a non-intrusive and non-destructive rate. We do not believe that they are in violation of any relevant laws or our terms of service at this time…." snipped
That's after I provided log snippets showing multiple scans to multiple hosts for well over half an hour.
Knowing most server admins come from the "hell bent to f*** up the user interface" company's environment, then I'm guessing one of 2 things will happen:- Not bother at all with their compromise
- Not bother with their compromise for the next 5 years, at which point their whole infrastructure will be updated.
There are the exceptions to server admins, the best of the best, coming from the Linux/Unix environment. In that case only one thing will happen: - Bother with it after 6 months.
If anyone reading this thinks I'm overly trigger happy, I'll have you know I identified 2 things that need fixing in the infrastructure of one of the 3 largest banks in my country. I notified their "IT department" which I'm sure it's manned by the absolute best server admins, with multiple PhDs in "Computer Security" and regularly being inspected by the world's top white hat hackers to find ways in. 2 years later and both things identified to them are still there. 1 of those is using password storing (hashing) technology from even before the abacus was invented, and the other is a simple 1 line fix in their web interface to download your statements, which as is, gives more details than I would be happy to give to my server admins, let alone the public (hint:it's IIS running on an unpatched version of windows).
Disclaimer: This is not a libelus comment with regards to server administrators worldwide. It's a riducule attempt to the idiots pretending to be server admins. And the idiots that hire them.
To recap, there's a reason those hosts ended up on the lists I use. It's the server admin's responsibility to determine why. Then there's the hosting companies that cover up for their clients. Personally, I don't want any traffic from said hosts.
-
@jflsakfja:
Disclaimer: This is not a libelus comment with regards to server administrators worldwide. It's a riducule attempt to the idiots pretending to be server admins. And the idiots that hire them.
Bingo! Thats what happened when "bean counters" started getting into management. There is not a major corporation that is not infested with "bean counters" or worse yet, "wannabe bean counters". Attend a meeting at any level, any dept. within the corporate world and 90% of it will be Budget related - guaranteed!! Replace whatever bogus motto the marketing folks try to foist onto the public with "we are a budget business who moonlight in XYZ" XYZ being the core business or product of the business.
<soap box="" mode="" off="">Back on topic. I stll can't get this one RBN list to populate any field other than the list of lists… Is there a (corrupt) marker somewhere other than the main XML file that is hanging this up? If the error is being logged, where is that log... I've looked endlessly. Anyone have any ideas? I've also asked Marcello over on the pfblocker main thread... so far no response. I'll admit I'm from the MS world and spent little of my time in the unix/FreeBSD world (although I did do some work with Jordan Hubbard MANY years ago... when he was thinner, had a beard and long hair that was black).Apologies to the moderator. Thanks for indulging my little rant at the start, but "jflsakfja" just hit a nerve still a bit raw even after being retired for several years.
Rick</soap>
-
Diagnostics>table remains blank even if left overnight? (assuming you set it up to auto update sometime during that night).
As far as I can remember pfblocker will not update a list during bootup, so I'll leave the "have you tried turning it on and off?" comment aside :P
If it's only 1 list, then I'm guessing it's something to do with that list. Have you tried contacting the maintainers? (will not help, try convincing the nano text editor creator that CTRL + W for search is a bug not a feature for example)Edit: forgot the bean counter bashing.
I expect all my sys admins to stand up in a meeting and ask the bean counter making the decissions "are you a f***ing idiot? do you prefer to spend 100K on mitigating a compromise, or spend 10K and not worry about the compromise?". If nobody stands up, both the beancounter in question and the sys admins are fired. It's in their contract actually. And the bonus is, both of them have to reimburse the company. -
Bingo! Thats what happened when "bean counters" started getting into management. There is not a major corporation that is not infested with "bean counters" or worse yet, "wannabe bean counters". Attend a meeting at any level, any dept. within the corporate world and 90% of it will be Budget related - guaranteed!! Replace whatever bogus motto the marketing folks try to foist onto the public with "we are a budget business who moonlight in XYZ" XYZ being the core business or product of the business.
<soap box="" mode="" off=""></soap>@jflsakfja:
Edit: forgot the bean counter bashing.
I expect all my sys admins to stand up in a meeting and ask the bean counter making the decissions "are you a f***ing idiot? do you prefer to spend 100K on mitigating a compromise, or spend 10K and not worry about the compromise?". If nobody stands up, both the beancounter in question and the sys admins are fired. It's in their contract actually. And the bonus is, both of them have to reimburse the company.;D ;D ;D
I happen to know somebody, also a member on this forum, I think he ain't too bad - at least he tries to be kind -, who I think is what you refer to as 'bean counter'. Actually, if I am not mistaken, he has mastered 'the art of bean counting' to the post academic level. As I know him rather well, I think he won't be too offended by your statements. Aux contraire, I think he is laughing very hard right now :P
-
When you talk with him again, lay out this scenario:
In our organization, Company ABC, we use exclussively Windows XP boxes. The EOL for XP is coming in April 14 (do correct me in the extremely rare occassion I'm wrong. Non-transferable license etc..etc..). Our projected cost for replacing all of our infrastructure is $13,000. That includes buying new workstations with Windows 7 installed on them, and taking a week off for user re-training.
Do you approve the expenditure?A true bean counter will say: "$13,000!!!!! Omg were are we going to find that much money!?!???!oneelevenonehundredandeleven"
A wannabe bean counter will say: "Well according to our projections, the Return on Investment has not yet being achieved on those workstations. I recommend we use the old systems for now and upgrade in the future"
A bean counter trained by me: "Windows XP? And they let you go? Without even providing the funny shirt with buttons on the back?" At this point any attempt to react will lead to you attending "rapid training school", if you catch my drift (no pun intended).
As stated, bean counters are the plague of modern world. I don't care if he is fresh into school, just born, or a seasoned professor. Any person who says that saving $1 now is better than saving $3 in the long term shouldn't be let out of the asylum.
-
@jflsakfja:
When you talk with him again, lay out this scenario:
In our organization, Company ABC, we use exclussively Windows XP boxes. The EOL for XP is coming in April 14 (do correct me in the extremely rare occassion I'm wrong. Non-transferable license etc..etc..). Our projected cost for replacing all of our infrastructure is $13,000. That includes buying new workstations with Windows 7 installed on them, and taking a week off for user re-training.
Do you approve the expenditure?A true bean counter will say: "$13,000!!!!! Omg were are we going to find that much money!?!???!oneelevenonehundredandeleven"
A wannabe bean counter will say: "Well according to our projections, the Return on Investment has not yet being achieved on those workstations. I recommend we use the old systems for now and upgrade in the future"
A bean counter trained by me: "Windows XP? And they let you go? Without even providing the funny shirt with buttons on the back?" At this point any attempt to react will lead to you attending "rapid training school", if you catch my drift (no pun intended).
As stated, bean counters are the plague of modern world. I don't care if he is fresh into school, just born, or a seasoned professor. Any person who says that saving $1 now is better than saving $3 in the long term shouldn't be let out of the asylum.
I just spoke with him. He says this:
You have good and bad bean counters, and good and bad sys admins. That would give a nice matrix if you apply game theory to it. To make the matter worse, in general, bean counters are from Mars, and sysadmins from Venus. Now make them communicate.
The bean counter I was talking about would probably simply have asked you: "can you give me differential cost- and profit break down, direct- and indirect, fixed and variable, and justify the assumptions you are making, preferably with own historic data as well as peer group data? Then I'll make a business case of it and support your proposal to the board from my department's point of view".
There's bean counters and bean counters, and sys admins and sys admins. Most of the time, world peace would benefit from them working in different companies. Unfortunately, any company needs both.
;D
-
@jflsakfja:
Diagnostics>table remains blank even if left overnight? (assuming you set it up to auto update sometime during that night).
Exactly. This one list shows up in the "Lists" tab after I create it and never shows up anywhere else. I've left it for 3 days over the weekend and its just not going beyond the list creation point
Have you tried contacting the maintainers? (will not help, try convincing the nano text editor creator that CTRL + W for search is a bug not a feature for example)
I did, left a message at "emerging threats" but prefaced it by stating there must be a lot of you here that are not having any issues with this list so I'm assuming its something local… I'm just not well versed in this so I'm having trouble even finding any indication of where its falling flat.
Edit: forgot the bean counter bashing.
I expect all my sys admins to stand up in a meeting and ask the bean counter making the decissions "are you a f***ing idiot? do you prefer to spend 100K on mitigating a compromise, or spend 10K and not worry about the compromise?". If nobody stands up, both the beancounter in question and the sys admins are fired. It's in their contract actually. And the bonus is, both of them have to reimburse the company.Having lots of problems with a product I was responsible for… and constantly fighting for the time/funding/updates it needed... In a top/down meeting, actually asked an EVP what his intentions were. Did we want to release the best product possible or the worst one we could get away with?? I could do either, but I need to know what he really wanted before I proceeded. He slapped his notebook closed, stood up, glared at me and left the room. His only response 2 days later was that I should never put him on the spot like that again... <sigh>Rick</sigh>
-
Hollander: he has clearly never read the BOFH. Direct him to theregister.co.uk
Ramosel: Don't know how I can help you anymore. If you don't find a fix for this, the alternative is snort's rbn rules. Doesn't provide the same security (through obscurity, but I don't personally know of anyone leaving their jewelery on the pavement outside their house) but at least it's something.
-
@jflsakfja:
As stated, bean counters are the plague of modern world.
That and "political correctness" <ducking>> I don't care if he is fresh into school, just born, or a seasoned professor. Any person who says that saving $1 now is better than saving $3 in the long term shouldn't be let out of the asylum.
But that is the axiom of modern corporate officers. Save the dollar now… make your budget look good (at all costs), get promoted and leave the mess to the next guy.
Sorry for going off topic again.... had to... and it is your thread.
rick</ducking>
-
@jflsakfja:
Hollander: he has clearly never read the BOFH. Direct him to theregister.co.uk
What is 'BOFH' ???
-
I did, left a message at "emerging threats" but prefaced it by stating there must be a lot of you here that are not having any issues with this list so I'm assuming its something local…
I am having the same problem as you. With spontaneous messages in the Dashboard 'pfBlocker crashed', just as you did. So I ditched the offending list for the time being.
Having lots of problems with a product I was responsible for… and constantly fighting for the time/funding/updates it needed... In a top/down meeting, actually asked an EVP what his intentions were. Did we want to release the best product possible or the worst one we could get away with?? I could do either, but I need to know what he really wanted before I proceeded. He slapped his notebook closed, stood up, glared at me and left the room. His only response 2 days later was that I should never put him on the spot like that again... <sigh>Rick</sigh>
I think I understand both you and your EVP. One from Mars, the other from Venus, really ;)
-
@jflsakfja:
As stated, bean counters are the plague of modern world.
That and "political correctness" <ducking>> I don't care if he is fresh into school, just born, or a seasoned professor. Any person who says that saving $1 now is better than saving $3 in the long term shouldn't be let out of the asylum.
But that is the axiom of modern corporate officers. Save the dollar now… make your budget look good (at all costs), get promoted and leave the mess to the next guy.
Sorry for going off topic again.... had to... and it is your thread.
rick</ducking>
Mars- and Venus ;D ;D ;D ;D ;D
Gentlemens, might I introduce you into the concepts of the time value of money and the DCF (discounted cash flow method)?
-
@Hollander:
@jflsakfja:
Hollander: he has clearly never read the BOFH. Direct him to theregister.co.uk
What is 'BOFH' ???
:o don't know what BOFH stands for? what do you read when idle at work?
-
What is this "idle at work" of which you speak?
-
The time when instead of being on fb, you actually read something related to your work?
There are people that will say they work 8 hours a day, straight, without a single break, neither for relaxing, nor for eating. While I understand that there are employees in third world countries which get whipped when not working, in most civilised countries you are allowed a break for relaxing and eating.
People I work with are free to take a nap break, or a snack break anytime they see fit.There are only two categories of people really: Those that work for a living, and those that live to work. We don't like working with people in the first category. A typical characteristic of the first category is multiple Cisco certifications. Those are the first to go when interviewing for a job. A typical characteristic of the second category is sleeping on the datacenter floor after working 48 hours straight to troubleshoot a server, just because THEY chose to work those hours, nobody forced them to. It's simple exhaustion that forced them to sleep while listening to the whine of 6K rpm deltas. Those are the people that stay, and those people produce more in a single week than people of the first category produce in a year.
-
Update:
Some people reported problems with the RBN list. I have therefore stopped using that list, as well as the rbn-malvertisers.
So, red becomes blue:
DO NOT USE! > emerging-rbn > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt >>>>
DO NOT USE! > emerging-rbn > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-ips.txtand….
DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/emerging-rbn-malvertisers.txt >>>>
DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txtboth of those are txt format of course.
Any ideas/corrections/hints are welcomed.
These will be merged in the next update.
-
Thanks much! This thread is extremely helpful!
As I'm new to Snort, I have also followed the beginner's guide and configured the blueprint for WAN to start with. I only use IPS Policy - Security (in Blueprint config) right now (plus pfBlocker with Blueprint lists) - no ET lists yet. Next step is to add a LAN interface in order to block trojans etc. and there are only few remaining questions - grateful for your thoughts:-
I understand that the Snort Blueprint on WAN is a waste of resource if I configure Snort LAN with Blueprint settings as well. So it's recommended to use a lighter set of ETs for WAN only. Question given that meanwhile the ET lists recommended in the initial post have essentially been replaced by pfBlocklist recommendations: Would I now only configure LAN blueprint and rely on the pfBlock blueprint alias for the WAN - or would I rather keep a Snort WAN interface also and use ET rules or e.g. IPS Policy - Balance?
-
As a more general point, given that the beginner's guide recommends IPS and I'm subscribed now: Once you have a subscription to the IPS list, do additional ET lists make much sense or are they mutually exclusive?
Great work anyway! Have very few false positives but do have correct blocks :)
-
-
First answer:
Running identical setups for the LAN side and the WAN side is not ideal, but doable with lots of RAM. Following the blueprint, your memory usage should be around 500oddMB per interface. If you are running a single LAN interface and a single WAN interface (not snort interfaces, physical ones), then you don't need to run snort on the LAN side, since all traffic goes through the firewall, which will get inspected by snort anyway (make sure you set it up to ban both source+destination, it should have set up itself to recognise "its" own IPs (WAN IP, DNS).
There is still the possibility of something passing through snort, taking advantage of a vulnerability on a pc behind pfsense, and if not smart set up a remote connection to accept commands, or if smart it should be able to scan the network and use existing vulnerabilities. This is NOT a scenario you should be worried about, since we are talking about a few MBs passing through snort without it noticing anything (hint:it will notice it), in the case that it's smart, or a connection to known CnC servers will be flagged sooner or later.
Ideally you should run rules designed for LAN on the LAN, and WAN rules on the WAN. It's quite the work to go through all the rules and manually disable/enable needed ones. If you are using it for a simple home connection, just use one snort interface, on your WAN.Second answer:
It's either the normal rules or the subscription rules as far as I remember.EDIT: Trigger happy with the post button:
In the specific case of trojans, they will most likely be blocked coming in to your network (while downloading them) or they will be flagged going out. Either case, it will be obvious by your alerts+blocked tab (you do inspect them daily, right?). I'm assuming it's for a home network of 5 PCs/tablets/phones and it should be pretty obvious in that case which one got the trojan. Reformat it and it's done. Then check why it got infected.On a side note (since we are talking about trojans), never leave computer equipment unattended. When left unattended all equipment should be treated as compromised. Don't use it for typing and/or manipulating any document above PUBLIC, and as soon as possible dissassemble the aforementioned equipment, and visually inspect the printed circuit boards, cables, solder joints and connectors for signs of tampering. Solder joints tampered with should have a yellowish color if the solder used contained lead, or otherwise should have a matte surface if the solder was lead free. If the equipment is a laptop, pay special attention to the monitor bezel. Antennas need to be upright, and the bezel is an ideal place for them. If the equipment is a desktop computer, pay special attention to the keyboard, as well as the cable. If computers were left unattended while being turned off, compare their disk's smart reports for increase in attribute 12, Power Cycle Count. Compare with the count from the previous boot up. Do not leave unattended computers without first locking them (requiring a passPHRASE to let you back in).
And all that is after I'm assuming you physically disabled the firewire port on your laptop (firewire ports have direct RAM access, it's the first thing to go).
Yes I did leave my laptop unattended once. We were at a library and I was in the process of closing programs to power it down and take it with me. A friend wanted to get on facebook and I wanted to go outside for a smoke. 3 hours later it was being disassembled, even though it was within warranty (it took me a couple of hours to finish up and go home). By bedtime it was restored to a known clean image. I never trusted anyone with any of my computers after that. They always turn your friends first. I now keep it under 24 hour surveilance. Either me, or, shall we say colleagues, are always around it. ;) (colleagues doesn't mean people you work with, it means people you trust your life to. Members of the family are best to be excluded)
-
Just FYI:
I first caught wind of the new Linksys vulnerability last week. Then, a buddy of mine (going back to FIDONet days) who does security for one of the big investment firms sent this over.https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336
I have a handful of Linksys boxes… but I use them purely as distributed APs. They are all on DD-WRT and behind my pfSense box. I did see evidence of the attempted scans, But I took a quick check on my tables and didn't see the offending IPs listed anywhere. Hopefully they'll show on an update soon. For now I just manually added those mentioned in the link.
Rick
edit: for those interested, I went looking and found the github post: https://github.com/elvanderb/TCP-32764
-
@jflsakfja:
First question: … If you are using it for a simple home connection, just use one snort interface, on your WAN.
Thanks! Understood - so I should be set up all right. You are right about RAM usage, pfSense has a D525 Atom + 2GB RAM exclusively and seems to feel comfortable though (pfBlock, Snort, SIProxd, openvpn).
The only thing I've been wondering is this: I have family members + friends laptop / tablets in my network. The ones in my inner LAN and able to access server resources are all on Linux. But there are Androids dialling out into the Internet etc. - and they are used out in the wild as well (airports etc.) or could get compromised by a rogue App. That's why I thought about having Snort monitor the LAN port using Blueprint, and only use the pfBlocker Blueprint aliases on the WAN interface.Correct: I look at Alerts + Blocked on a daily basis.
Correct: I have configured Snort WAN to block Both. LAN addresses will be whitelisted - but I guess I would still see the Alert then from what you are saying - and should then be able to treat the offending LAN device.@jflsakfja:
Second answer: It's either the normal rules or the subscription rules as far as I remember.
Ok I was unclear: I meant to ask whether I still need to configure Emerging Threats if I use the subscribed (i.e. quick) IPS Lists in Security mode.
@jflsakfja:
…never leave computer equipment unattended.
Will try my very best - but as the post on commercial Linksys etc routers shows it is pretty easy to buy compromised stuff in the first place :) And I would not be too sure as regards the Androids of my kids either…