RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker

A Former User

Hollander: he has clearly never read the BOFH. Direct him to theregister.co.uk

Ramosel: Don't know how I can help you anymore. If you don't find a fix for this, the alternative is snort's rbn rules. Doesn't provide the same security (through obscurity, but I don't personally know of anyone leaving their jewelery on the pavement outside their house) but at least it's something.

Ramosel

@jflsakfja:

As stated, bean counters are the plague of modern world.

That and "political correctness" <ducking>> I don't care if he is fresh into school, just born, or a seasoned professor. Any person who says that saving $1 now is better than saving $3 in the long term shouldn't be let out of the asylum.

But that is the axiom of modern corporate officers.  Save the dollar now… make your budget look good (at all costs), get promoted and leave the mess to the next guy.

Sorry for going off topic again.... had to... and it is your thread.

rick</ducking>

Mr. Jingles

@jflsakfja:

Hollander: he has clearly never read the BOFH. Direct him to theregister.co.uk

What is 'BOFH'  ???

Mr. Jingles

@Ramosel:

I did, left a message at "emerging threats" but prefaced it by stating there must be a lot of you here that are not having any issues with this list so I'm assuming its something local…

I am having the same problem as you. With spontaneous messages in the Dashboard 'pfBlocker crashed', just as you did. So I ditched the offending list for the time being.

Having lots of problems with a product I was responsible for… and constantly fighting for the time/funding/updates it needed...  In a top/down meeting, actually asked an EVP what his intentions were.  Did we want to release the best product possible or the worst one we could get away with??  I could do either, but I need to know what he really wanted before I proceeded.  He slapped his notebook closed, stood up, glared at me and left the room.  His only response 2 days later was that I should never put him on the spot like that again... <sigh>Rick</sigh>

I think I understand both you and your EVP. One from Mars, the other from Venus, really  ;)

Mr. Jingles

@Ramosel:

@jflsakfja:

As stated, bean counters are the plague of modern world.

That and "political correctness" <ducking>> I don't care if he is fresh into school, just born, or a seasoned professor. Any person who says that saving $1 now is better than saving $3 in the long term shouldn't be let out of the asylum.

But that is the axiom of modern corporate officers.  Save the dollar now… make your budget look good (at all costs), get promoted and leave the mess to the next guy.

Sorry for going off topic again.... had to... and it is your thread.

rick</ducking>

Mars- and Venus  ;D ;D ;D ;D ;D

Gentlemens, might I introduce you into the concepts of the time value of money and the DCF (discounted cash flow method)?

A Former User

@Hollander:

@jflsakfja:

Hollander: he has clearly never read the BOFH. Direct him to theregister.co.uk

What is 'BOFH'  ???

:o don't know what BOFH stands for? what do you read when idle at work?

Guest

What is this "idle at work" of which you speak?

A Former User

The time when instead of being on fb, you actually read something related to your work?
There are people that will say they work 8 hours a day, straight, without a single break, neither for relaxing, nor for eating. While I understand that there are employees in third world countries which get whipped when not working, in most civilised countries you are allowed a break for relaxing and eating.
People I work with are free to take a nap break, or a snack break anytime they see fit.

There are only two categories of people really: Those that work for a living, and those that live to work. We don't like working with people in the first category. A typical characteristic of the first category is multiple Cisco certifications. Those are the first to go when interviewing for a job. A typical characteristic of the second category is sleeping on the datacenter floor after working 48 hours straight to troubleshoot a server, just because THEY chose to work those hours, nobody forced them to. It's simple exhaustion that forced them to sleep while listening to the whine of 6K rpm deltas. Those are the people that stay, and those people produce more in a single week than people of the first category produce in a year.

A Former User

Update:

Some people reported problems with the RBN list. I have therefore stopped using that list, as well as the rbn-malvertisers.

So, red becomes blue:
DO NOT USE! > emerging-rbn > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt >>>>
DO NOT USE! > emerging-rbn > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-ips.txt

and….

DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/emerging-rbn-malvertisers.txt >>>>
DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt

both of those are txt format of course.

Any ideas/corrections/hints are welcomed.

These will be merged in the next update.

segfooled

Thanks much! This thread is extremely helpful!
As I'm new to Snort, I have also followed the beginner's guide and configured the blueprint for WAN to start with. I only use IPS Policy - Security (in Blueprint config) right now (plus pfBlocker with Blueprint lists) - no ET lists yet. Next step is to add a LAN interface in order to block trojans etc. and there are only few remaining questions - grateful for your thoughts:

• I understand that the Snort Blueprint on WAN is a waste of resource if I configure Snort LAN with Blueprint settings as well. So it's recommended to use a lighter set of ETs for WAN only. Question given that meanwhile the ET lists recommended in the initial post have essentially been replaced by pfBlocklist recommendations: Would I now only configure LAN blueprint and rely on the pfBlock blueprint alias for the WAN - or would I rather keep a Snort WAN interface also and use ET rules or e.g. IPS Policy - Balance?

• As a more general point, given that the beginner's guide recommends IPS and I'm subscribed now: Once you have a subscription to the IPS list, do additional ET lists make much sense or are they mutually exclusive?

Great work anyway! Have very few false positives but do have correct blocks :)

A Former User

First answer:
Running identical setups for the LAN side and the WAN side is not ideal, but doable with lots of RAM. Following the blueprint, your memory usage should be around 500oddMB per interface. If you are running a single LAN interface and a single WAN interface (not snort interfaces, physical ones), then you don't need to run snort on the LAN side, since all traffic goes through the firewall, which will get inspected by snort anyway (make sure you set it up to ban both source+destination, it should have set up itself to recognise "its" own IPs (WAN IP, DNS).
There is still the possibility of something passing through snort, taking advantage of a vulnerability on a pc behind pfsense, and if not smart set up a remote connection to accept commands, or if smart it should be able to scan the network and use existing vulnerabilities. This is NOT a scenario you should be worried about, since we are talking about a few MBs passing through snort without it noticing anything (hint:it will notice it), in the case that it's smart, or a connection to known CnC servers will be flagged sooner or later.
Ideally you should run rules designed for LAN on the LAN, and WAN rules on the WAN. It's quite the work to go through all the rules and manually disable/enable needed ones. If you are using it for a simple home connection, just use one snort interface, on your WAN.

Second answer:
It's either the normal rules or the subscription rules as far as I remember.

EDIT: Trigger happy with the post button:
In the specific case of trojans, they will most likely be blocked coming in to your network (while downloading them) or they will be flagged going out. Either case, it will be obvious by your alerts+blocked tab (you do inspect them daily, right?). I'm assuming it's for a home network of 5 PCs/tablets/phones and it should be pretty obvious in that case which one got the trojan. Reformat it and it's done. Then check why it got infected.

On a side note (since we are talking about trojans), never leave computer equipment unattended. When left unattended all equipment should be treated as compromised. Don't use it for typing and/or manipulating any document above PUBLIC, and as soon as possible dissassemble the aforementioned equipment, and visually inspect the printed circuit boards, cables, solder joints and connectors for signs of tampering. Solder joints tampered with should have a yellowish color if the solder used contained lead, or otherwise should have a matte surface if the solder was lead free. If the equipment is a laptop, pay special attention to the monitor bezel. Antennas need to be upright, and the bezel is an ideal place for them. If the equipment is a desktop computer, pay special attention to the keyboard, as well as the cable. If computers were left unattended while being turned off, compare their disk's smart reports for increase in attribute 12, Power Cycle Count. Compare with the count from the previous boot up. Do not leave unattended computers without first locking them (requiring a passPHRASE to let you back in).

And all that is after I'm assuming you physically disabled the firewire port on your laptop (firewire ports have direct RAM access, it's the first thing to go).

Yes I did leave my laptop unattended once. We were at a library and I was in the process of closing programs to power it down and take it with me. A friend wanted to get on facebook and I wanted to go outside for a smoke. 3 hours later it was being disassembled, even though it was within warranty (it took me a couple of hours to finish up and go home). By bedtime it was restored to a known clean image. I never trusted anyone with any of my computers after that. They always turn your friends first. I now keep it under 24 hour surveilance. Either me, or, shall we say colleagues, are always around it.  ;) (colleagues doesn't mean people you work with, it means people you trust your life to. Members of the family are best to be excluded)

Ramosel

Just FYI:
I first caught wind of the new Linksys vulnerability last week.  Then, a buddy of mine (going back to FIDONet days) who does security for one of the big investment firms sent this over.

https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336

I have a handful of Linksys boxes… but I use them purely as distributed APs.  They are all on DD-WRT and behind my pfSense box.  I did see evidence of the attempted scans,  But I took a quick check on my tables and didn't see the offending IPs listed anywhere.  Hopefully they'll show on an update soon.  For now I just manually added those mentioned in the link.

Rick

edit: for those interested, I went looking and found the github post:  https://github.com/elvanderb/TCP-32764

segfooled

@jflsakfja:

First question: … If you are using it for a simple home connection, just use one snort interface, on your WAN.

Thanks! Understood - so I should be set up all right. You are right about RAM usage, pfSense has a D525 Atom + 2GB RAM exclusively and seems to feel comfortable though (pfBlock, Snort, SIProxd, openvpn).
The only thing I've been wondering is this: I have family members + friends laptop / tablets in my network. The ones in my inner LAN and able to access server resources are all on Linux. But there are Androids dialling out into the Internet etc. - and they are used out in the wild as well (airports etc.) or could get compromised by a rogue App. That's why I thought about having Snort monitor the LAN port using Blueprint, and only use the pfBlocker Blueprint aliases on the WAN interface.

Correct: I look at Alerts + Blocked on a daily basis.
Correct: I have configured Snort WAN to block Both. LAN addresses will be whitelisted - but I guess I would still see the Alert then from what you are saying - and should then be able to treat the offending LAN device.

@jflsakfja:

Second answer: It's either the normal rules or the subscription rules as far as I remember.

Ok I was unclear: I meant to ask whether I still need to configure Emerging Threats if I use the subscribed (i.e. quick) IPS Lists in Security mode.

@jflsakfja:

…never leave computer equipment unattended.

Will try my very best - but as the post on commercial Linksys etc routers shows it is pretty easy to buy compromised stuff in the first place :) And I would not be too sure as regards the Androids of my kids either…

Mr. Jingles

If I could ask the most stupid questions again, for which I am famous by now ( ;D)

Why would you not run Snort on LAN? (I do, on LAN and VLAN). I am following Bmeeks recommendation in this matter: crap from the inside that wants to go out needs to be blocked as well; SPI doesn't take care of that.

And something I didn't quite understand: block both src/dest on WAN, doesn't that mean you LAN-IP gets on the block list and can't go anywhere at all anymore?

May 2014 be the year that I am no longer champion in the stupid questions department  ;D ;D ;D

segfooled

@Hollander:

Why would you not run Snort on LAN? (I do, on LAN and VLAN).

Only to not waste resources by doing redundant things.

@Hollander:

I am following Bmeeks recommendation in this matter: crap from the inside that wants to go out needs to be blocked as well; SPI doesn't take care of that.
And something I didn't quite understand: block both src/dest on WAN, doesn't that mean you LAN-IP gets on the block list and can't go anywhere at all anymore?

Ok - in that case, yes. In my case, I'm not so concerned about a bit of rogue traffic going out (that would go out of the devices when at school etc. anyway and booked into third party networks) - I want to fix them. Thus them being flagged by an Alerter is good enough for me. I understand that in case of a rogue LAN device blocking Both (src/dest) still blocks the WAN dest only but the LAN src will be flagged (not blocked due to whitelisting LAN).

BBcan177

I just implemented pfBlocker with ET, Spamhaus, some of the IBlock, abuse.ch (Zeus etc), dShield and Ciarmy.

I have enabled blocking rules for the WAN and Reject rules for the LAN. I would recommend monitoring the LAN as a must.

It is taking a big load off Snort so it can process for other alerts.

An interesting point is that the .txt files used from ET are the Open rules. I have an email out to see if PRO .txt file are available. Snort is still picking up some of the ET alerts because Snort in my application is using the ET PRO ruleset.

ET also mentioned that they will be eliminating the RBN listings as they are inaccurate. I will post my findings later.

A Former User

Further explanation on why you should NOT use snort on LAN if you only have 2 computers
I feel the need to further explain my reasoning for not running a duplicate instance on the LAN. The main reason is duplication of effort. That translates to increase resources being used for no reason.
Let's assume that your WAN IP is 1.1.1.10. Let's also assume that an attacker sits at 2.2.2.10. You go to a bad site for example, and packets start coming in from your wan side start getting copied and the copies sent to snort. In the meantime the packets start hitting your hosts behind that 1.1.1.10 address, which get access to the public internet through NAT. Internal IPs are in the range 192.168.1.x. Host 192.168.1.2 is in the process of receiving a priviledge escalation exploit. Snort sees the bad traffic, behind the scenes, as it it happening, and starts the banning process (alert,snort2c table etc…etc...). The ban was successful and the connection to host 2.2.2.10 has been interrupted, rendering the exploit delivery unsuccessful. What has actually happened though, while banning is that traffic coming from host 192.168.1.1 (ACKs for the packets coming in) was being NATed to ip 1.1.1.10. Snort saw the suspect traffic, and as instructed proceeded to ban both the destination (1.1.1.10) and the source (2.2.2.10), later realizing that 1.1.1.10 was on its whitelist, and therefore left it alone.
The same scenario can be reversed. In that case, you are the source of the exploit, and snort will effectively interrupt connections to the victim host (your source is on the whitelist, therefore not banned completely). If your WAN IP was not on the snort whitelist, then snort would set up a ban for your IP, effectively dropping all your internet traffic (that IP is not allowed to get any packets, nor send any packets).
Why the short thesis: If you only have a couple of PCs connected to a pfsense box running snort, running another instance of snort on your LAN side is simply a waste of resources. Snort will detect exploits/malware/etc coming in (it also detects if an antivirus/antimalware is being downloaded on a windows box for example) and will stop you from getting the exploit delivered to you (theoretically, assuming banning is faster than delivery, see one of my previous posts about the SSH exloit). The attack surface of your internal hosts is minimised, as well as the attack surface of the pfsense box (only accessible from lan side: webgui port/ssh/dhcp/ntp/other services you shouldn't be running on your core router (eg: freenas, as suggested)).

That brings us to why you should be running internal snort interfaces (on dmz for example).
Now, hosts hostile to your network (any host that connects to a network not under your control, eg an android phone,iphone,tablet you take to work) should be isolated on a different interface (VLANs acceptable under extremely specific scenarios). Since those hosts have connected to a network not under your control, nobody can guarantee that an http session was not hijacked (Man In The Middle, MITM attack), and an exploit was delivered to it. A physical interface which only has internet access is acceptable for them.
Now, at some point in the undetermined future, the exploit decides to execute. Since the NSA was monitoring you, with the complicit help of your ISP of course, they already know you are running pfsense v2.1. They go through the documentation, and find out that the DHCP server running on that version is vulnerable to a known exploit, let's call it DHCPExploit. The exploit delivered on your phone (not DHCPExploit) is silently waiting, and the right time has come (you go home from work). Upon it's IP being refreshed, it starts executing the DHCPExploit. The ET guys though have known about this exploit and a snort rule is already in place. Snort sees the suspect traffic, and bans your phone from communicating with your pfsense box. In the NSA's words, an attack was thwarded, and the world is saved from the evil terrorists.
Snort prevents exploits (if they are known) from getting inside your network, as long as it has complete control over what goes in and out of the network. This is a reason I wet my pants everytime I read about the work being done to implement a suricata IPS on pfsense. It's one of my wet dreams coming true.

In summary, if you only have interfaces connected to hosts you trust (wired, small number of hosts) you don't need an inward facing snort interface. If you have interfaces facing untrusted hosts (phones/customer's servers) then you need an inward facing interface. Again, this only applies to known exploits.

On the subject of IPs getting banned. Snort should be set up to ban both the destination and the source, AT ALL TIMES, UNDER ANY USE!!!. It should be also set up to know that it shouldn't ban itself. I'll give an example for a LAN type interface, but it also applies to a WAN type interface.

Network: 192.168.1.x
pfsense LAN interface IP: 192.168.1.1
Workstation: 192.168.1.2
Laptop:192.168.1.3
Evil terrorist: 1.1.1.1
Laptop receives exploit from evil terrorist
In this scenario, snort should be aware that it should not ban 192.168.1.1. IPs 192.168.1.3 and 1.1.1.1 were both banned (no traffic allowed for them). 192.168.1.2 still has access to 192.168.1.1, therefore still has complete network access.

Laptop send exploit to evil terrorist (in case you work for the NSA, please consult me at the known telephone before handling dangerous cyber warfare weapons).
In this scenario, snort should be aware that is should not ban 192.168.1.1.IPs 192.168.1.3 and 1.1.1.1 were both banned (no traffic allowed for them). 192.168.1.2 still has access to 192.168.1.1, therefore still has complete network access.

See? The same outcome for both scenarios, therefore snort should always be set up to ban both the source, as well as the destination IPs. If you have it set up any way differently than that, you are doing it wrong. Please inspect your whitelists and start using it as I say.

BBcan177

Using duplicate resources aside, monitoring both the WAN and the LAN provides more visibility for the security of your network. I am monitoring both sides and I will show you an example from this morning.

The alert in the attacheded jpeg (Alert Lan) shows an "ET Current_Events Blatantly Evil JS Function"
No Alert was generated on the WAN side. (Both Sides are using the same ruleset - Currently only the WAN is in blocking mode src/dst)

If you are only monitoring the WAN side, this wouldn't have been alerted. (As the LAN made the request, you would assume that when the packets came thru the WAN side, that it would be picked up, but it doesnt always do that)

If you are only monitoring the WAN side, an Alert that is Blocked on the WAN, the only information you see is the SRC (Suspected Attacker) and the DST (Which is you WAN Address).
So which computer on your LAN side was the TARGET?

The problem with only using Snort in pfSense is that things get blocked and you have no idea what it actually was. You always have to guess and use your best judgement.

As I have been using "Security Onion' for almost 3 months now, I can say that it provides more detail into what is occuring.

Take a look at the attached jpeg (SO Alert Transcript) Here is the same alert as was generated in pfSense Snort but showing the payload transcript of this alert.

Take a look at the attached jpeg (SO NetworkMiner) Here is the same alert and using "Network Miner", the file can be extracted from the Full packet capture system.

I can now conclude that this is a pull request from my mail server to Emerging Threats to get an RSS feed. The feed has some code about a threat that Snort suspects as a threat. However, this is not a false positive, as the Rule did find the correct string but it is a false alert in terms of being malicious.

I am still using pfSense snort, but am now using pfBlocker to block all of the obvious IPs before snort sees it. The WAN has block rules on the pfblocker aliases, and the LAN has Reject rules for the same pfBlocker aliases. Snort in pfSense has several disabled SIDs and Suppressions so that all alerts can be further investigated in Security Onion.


BBcan177

Third Attachment


Ramosel

@jflsakfja:

That brings us to why you should be running internal snort interfaces (on dmz for example).
Now, hosts hostile to your network (any host that connects to a network not under your control, eg an android phone,iphone,tablet you take to work) should be isolated on a different interface (VLANs acceptable under extremely specific scenarios).

Can you elaborate on the possible use of a VLAN for this?  Guess I'm trying to piece this together in my head without seeing the topology on paper…

Rick