RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker
-
Agree with you BBcan17, that's why I said only use 1 instance of snort if you are running 2 PCs. You do know which ONE of those PCs is currently connected to the network right?
Ideally you should be running PER HOST IPS systems, that is a system upstream of each host, that is then connected to the core router.
Some say "theoretically, theory and practice is the same. Practically they are not". I say "there are always exceptions to the rules, but never a rule to the exceptions".
To make myself clear: I have NEVER argued the use of an internal facing snort interface. I'm arguing its usefulness when running small networks that are trusted (wired, no external hosts entering the network at random). Rules not firing on WAN side and firing on the LAN side are to be considered DANGEROUS, not something you live and swear by. This is assuming the rule is NOT meant for use as a LAN side rule (yes there are rules that are only meant to be running on the LAN side). This particular rule SHOULD fire up on the wan side, based on what I see in the rule. The source is $EXTERNAL_NET, and the destination is $HOME_NET. Either one of those, or both, are missconfigured in your setup.
ramosel: Let's say you have a LAN, a WAN, and an ANDROID interface.
WAN should be obviously connected to a physical interface named WAN. LAN and ANDROID interface, can be on a VLAN tagged port, assuming that the management VLAN (the SINGLE port that allows you to change the switch's settings) is kept separate from them (separate, UNTAGGED interface). HP says a port that understands that it should pass traffic destined for different VLANs is a tagged port, and a port passing traffic for a single VLAN is an untagged port. Cisco insists they invented both ports.
So, 1 physical interface connected to the wan, one VLAN tagged interface connected to a managed switch's tagged port, which in turn "splits" the VLANs to different ports (3 ports always connected in this scenario, 1 only connected when you need access to the switch's management webgui, for a total of 4 connected ports).
The ANDROID interface is obviously connected to an access point for wifi access to the android phones. LAN is connected to the single host on your LAN. If you have more hosts, add more untagged ports on the switch.
Allowing the management VLAN to be on the same port that passes all network traffic opens you up to the possibility of a VLAN hop (and since the management VLAN is involved, complete control of the switch). How vulnerable your switch (AND your network topology) is to this, is another argument. -
@jflsakfja:
Now, at some point in the undetermined future, the exploit decides to execute. Since the NSA was monitoring you, with the complicit help of your ISP of course, they already know you are running pfsense v2.1.
;D
I just popped in to say 'thank you'. It is obvious you do know a lot, and it will take me a while to interpret all you write, but I do appreciate it very much that you take the time to share this knowledge.
Bye,
PS Yellow is not green. I repeat: yellow is not green. The goose is in the oven. I repeat: the goose has left the oven.
-
Thanks jflsakfja,
If you have the ram I would monitor both. I've seen strange things happen and the more info you have the better. But I agree with you on a small 1-2 desktop setup.
I am Port Mirroring ($60 Mikrotik) all of the traffic to/from pfsense LAN side. So anything on the internal side that hits pfSense gets monitored with Security Onion. I also have a Port Mirror on traffic going to/from my Server2008 ActiveDirectory DNS server. The beauty about Security Onion IDS is that you can have a Server/Sensor configuration, or a Server and hundreds of Sensor Depolyments. I have a third sensor at a remote location feeding intel thru a VPN tunnel back to the SO Server.
I have checked my $HOME_NET and $EXTERNAL_NET and they are set as "default". THe Whitelist and Suppression lists don't contain that Rule or the ET ip address. But I noticed in the rule that it has:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
I have set the $HTTP port var in pfSense to [80, 443]
I took a look at the payload transcript from Security Onion (Its in my orginal email)
SRC IP - Lan - Mail Server address
DST IP - 54.236.168.233
SRC Port - 56238
DST Port - 80I looked at the first 10 frames of the payload and the Src/Dst flips back and forth on these numbers.
The only other possibility could be that I am using a Virtual IP for the my second WAN address. I had to set it as a virtual address because both WANs utilize the same External Gateway. So I have configured Outbound NAT so that my outbound traffic from my mail server goes out the second address and I have port forwards to direct inbound traffic to the mail server for that IP Alias.
The Whitelist for Snort has "Virtual Aliases" on the list. But that should only stop the alias from being blocked.
Maybe the $EXTERNAL_NET needs to specifically reference the WAN IP and WAN Alias. I will need to test that out.
-
I Set the $EXTERNAL_NET to use an alias which has the two WAN addresses, but now am getting several alerts for
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
SRC (External DNS Provider) and DST (is my WAN address)
Does anyone know how to define the following? I cant enter that into the alias fields.
var EXTERNAL_NET !$HOME_NET
-
So I was right again?
Please post the sig_id for those rules, I'm not going to search until I find something that I think might be what you are looking for.
Don't forget that the DNS servers in use should always be whitelisted. It's not like you have a choice anyway. You either trust the DNS servers, or you don't. It's one of the reasons they don't let me finish the IPv8 draft (to those rolling their eyes, get real will you? Then get a higher access classification and study the CYCLOPS program). I decided that the DNS system should be replaced with a similar system as a bittorrent hash table. Works exactly like normal persons recognise known persons. If a number of people agree your face belongs to Jack Daniels, you sound like Jack Daniels, you move like Jack Daniels then you are Jack Daniels. Since I'm interested in the well being of the entire Internet community, I agreed to let them implement part of it in IPv7 (only the necessary parts for surveilance are implemented by them and butchered together, and it's one of the reasons Cisco will claim design for this, they are never wrong even when the shit does hit the fan).
Ouch, my head hurts but it was a necessary tangent we all had to read through. It shows why there are 13 DNS servers (masters) worldwide. Surveilance. And DNS poisoning. For the most part, nobody should be bothered by it, just trust your upstream DNS server. To the others, nothing to see here, move along.and let's see what we have for custom variables…
The easiest way is creating a new whitelist and assigning that to the external net and the home net. The defaults should work a ok, unless you are running a transparent bridge.
"var $EXTERNAL_NET !HOME_NET" doesn't look right. How about "var EXTERNAL_NET !$HOME_NET".
That goes directly in the custom.rules (where you edit the per interface rules, first option in the dropdown). Dunno if it will override the default (which should be what you are intending to do, puzzles me it doesn't work) but it definately works for other variables. I'm using it for my custom rules and is perfect for declaring custom variables.A tip on the correct usage for HOME_NET variable. This variable should include ALL your external IPs (saw you mention something about an alias) since it should recognise traffic destined for all your IPs. You can use subnets in the variable, eg: 1.1.1.0/24.
-
You were right on the WAN side not picking up the alert but …. I'll leave my other opinions alone ..lol.
You would think that to edit the HOME_NET and EXTERNAL_NET that you would do that in -
Snort Interfaces-WAN Settings, "Choose the networks Snort should inspect and whitelist."
The Drop Box links to the "WhiteList" Tab.
In the WhiteList tab, create a new List and at the Bottom enter an "Alias" which can be defined from the Firewall, Alias lists.
I created a new Alias for the External with the two external WAN ip's (all the checkmarks are whitelisting the others already?)
I created a second alias for Home_net and listed 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 (all the checkmarks are whitelisting the others already?)To enter these changes in Custom.rules would you need to use IPVAR instead of VAR? Not sure how this will affect the Whitelist?
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar EXTERNAL_NET !HOME_NET -
An easy way to check what is in the HOME_NET is to -
Snort Interfaces-WAN Settings, "Choose the networks Snort should inspect and whitelist." and choose "VIEW"
When its set to "default", all the correct entries are there including the WAN Alias that I setup previously.
(Not sure why the EXTERNAL NET doesnt have a "VIEW" button also?)If I enter the Alias entry as per my previous post it adds those aliases to the list correctly also.
So back to the drawing board on why that "Blatantly Evil JS Function" rule didn't trigger on the WAN side!!
[UPDATE]
EXTERNAL_NET should be set to "default" which is probably defined as "any".
To use "!$HOME_NET" (Still trying to see how to enter that in the alias field)
-
@jflsakfja:
You either trust the DNS servers, or you don't. It's one of the reasons they don't let me finish the IPv8 draft (to those rolling their eyes, get real will you? Then get a higher access classification and study the CYCLOPS program).
Holy smokes… I haven't seen mention of IPv8 for 10 or 12? years... Network geeks taking sides with Terrell or Fleming... lots of flame retardant underwear needed for that arena.
Rick
-
@BBcan17:
You were right on the WAN side not picking up the alert but …. I'll leave my other opinions alone ..lol.
You would think that to edit the HOME_NET and EXTERNAL_NET that you would do that in -
Snort Interfaces-WAN Settings, "Choose the networks Snort should inspect and whitelist."
The Drop Box links to the "WhiteList" Tab.
In the WhiteList tab, create a new List and at the Bottom enter an "Alias" which can be defined from the Firewall, Alias lists.
I created a new Alias for the External with the two external WAN ip's (all the checkmarks are whitelisting the others already?)
I created a second alias for Home_net and listed 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 (all the checkmarks are whitelisting the others already?)To enter these changes in Custom.rules would you need to use IPVAR instead of VAR? Not sure how this will affect the Whitelist?
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar EXTERNAL_NET !HOME_NETYes that's how you add aliases (add a whitelist).
Yes it does need to be defined in the scope that you use it, eg portvar for ports, when used in custom.rules.
As long as you have the loopback,all the networks (10.0.0.0/8, which brings me to what are you doing with a /8 and a /16? routing for a whole country?), the dns servers, and the public IPs (preferably with their subnet) HOME_NET should work. That's what it's supposed to do on its own when setting up the list automatically.
Who in here doesn't believe that the draft for IPv8 is in the process of getting completed? Mark my words, preferably chisel them in stone, just in case the EMP knocks out all technology: IPv8 will use a distributed DNS system, and will force only encrypted connections from host>host. Do NOT forget I told you that, 15 years before it was implemented.
Joe says that Jack is Jack, Joshua says that Jack is Jack, Daphne says Jack is not Jack. Per the NTP website (which I WILL NOT sideload, please go and read it there if you don't believe me), a person with a single watch knows the time, but a person with two watches is never sure.
-
@jflsakfja:
[Who in here doesn't believe that the draft for IPv8 is in the process of getting completed? Mark my words, preferably chisel them in stone, just in case the EMP knocks out all technology: IPv8 will use a distributed DNS system, and will force only encrypted connections from host>host. Do NOT forget I told you that, 15 years before it was implemented.
[/quote]Not saying IPv8 draft isn't being worked… But isn't the IPv8 address space 43bit? With IPv6 rolling (at 128bit) isn't there going to be a reluctance to move that direction even if the draft is being completed? Or will the IPv8 draft be worked to fit inside the IPv6 address space?
Rick
-
Not saying IPv8 draft isn't being worked… But isn't the IPv8 address space 43bit? With IPv6 rolling (at 128bit) isn't there going to be a reluctance to move that direction even if the draft is being completed? Or will the IPv8 draft be worked to fit inside the IPv6 address space?
Rick
IPv8 will not have addresses in the traditional context. Your domain is your address. Hosts join a domain based on what hosts trust they belong in that domain. If the hosts trusted to be authoritative for that domain trust the new host, then it is added to the domain, and they in turn announce to other hosts that a new host has joined. Not authoritative hosts then query the new host, and if they determine that the host truelly belongs in that domain (based on how routing to the host is done, its personal key, and a few other factors), then they start adding it to their tables. Hosts can then query any host for any host, and then agree on a key exchange (for the mandatory encrypted connections). If your host and my host agree that the keys other hosts delivered (multiple hosts) belong to each other, then your host trust my host, queries the dns for how to directly get here, then cut all other hosts from the communication and set up the encrypted connections. In the future, it first queries my host, and if the host responds OK, new connections are set up. If the host doesn't respond, then a new query is done for my host. Think of it as failover at the dns level.
In the rare occurance that a hostile host is added to a domain (all the first level failguards failed) then the authoritative hosts are no longer trusted for adding new hosts to their domain. There is a process to trust them in the future, but their credibility is reduced. After a certain threshold, those hosts are no longer trusted.It's an extremely complicated system to explain, and the only thing I can say helps in the explanation is that the dns is part of the IP (Internet Protocol, not IP addresses).
-
I jokingly used your JF initials a few posts back… if you are not JF, you certainly have read his stuff and are following his path!
If you are JF, damn glad to know you are still around. Read a lot of your stuff in years gone by.Rick
-
Not him, neither have I read his stuff. Maybe he read mine?
-
@jflsakfja:
Not him, neither have I read his stuff. Maybe he read mine?
Really?! Although I thought Terrell introduced it… Jim Fleming was quite a proponent of IPv8 back in the 1998-2002 timeframe. His stuff was all over APNIC and NANOG. I also think he was involved or maybe even created UNIR. There are still some archive messages relating to him on RIPE and IETF. Most were not too kind to him back then. I thought he was brilliant... but with some limited social skills. I haven't heard/seen anything from him in over 10 years now. When you brought up IPv8 it jogged this memory of him.
Rick
-
Update
This is an update to remove redundant suppressions (thanks to Bill for adding the preprocessor rules so we can disable those instead of suppressing them). Some rules added to various categories. As always there were some rules missing in action, didn't note which were those though. Snort needs an update to add commands to the IMAP recognised commands, but I didn't have time to push the list upstream to be included in Snort's code. Those lists are embedded in the code and need updating upstream. If a Snort dev notices this, please consider updating those lists.
Don't know how much longer this list will be updated, since I'm personally waiting to migrate over to the Suricata package. As soon as the Suricata package is ready for production (hoping for full IPS functionality), this thread will stop being updated.
In tab "Rules", under "Category" select:
(–- means blank table at time of writing)Auto-Flowbit rules > all except:
8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
23714 FILE-IDENTIFY Microsoft Office Publisher file magic detectedDISABLED:2
emerging-activex > all
DISABLED:0
emerging-attack_responses > all
DISABLED:0
DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
emerging-chat > all except:
2010784 ET CHAT Facebook Chat (send message)
2010785 ET CHAT Facebook Chat (buddy list)
2010786 ET CHAT Facebook Chat (settings)
2010819 ET CHAT Facebook Chat using XMPP
2002327 ET CHAT Google Talk (Jabber) Client Login
2002334 ET CHAT Google IM traffic Jabber client sign-on
2001241 ET CHAT MSN file transfer request
2001242 ET CHAT MSN file transfer accept
2001243 ET CHAT MSN file transfer reject
2001682 ET CHAT MSN IM Poll via HTTP
2002192 ET CHAT MSN status change
2008289 ET CHAT Possible MSN Messenger File Transfer
2009375 ET CHAT General MSN Chat Activity
2009376 ET CHAT MSN User-Agent Activity
2001595 ET CHAT Skype VOIP Checking Version (Startup)
2002157 ET CHAT Skype User-Agent detected
2003022 ET CHAT Skype Bootstrap Node (udp)DISABLED:17
DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt
DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
emerging-current_events > all
DISABLED:0
emerging-deleted > ---
emerging-dns > all except:
2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
2001117 ET DNS Standard query response, Name ErrorDISABLED:3
emerging-dos > all
DISABLED:0
DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
DO NOT USE! > emerging-dshield > use pfblocker with: (cannot find specific list, but ip listed in pfblocker tables, NEED HELP HERE<<<<) Could be due to ET list used by pfblocker. http://rules.emergingthreats.net/blockrules/compromised-ips.txt <<< includes IP related to different subjects, so its a misc list, likely including the hosts I could not find on specific lists.
emerging-exploit > all except:
2001058 ET EXPLOIT libpng tRNS overflow attempt
2002913 ET EXPLOIT VNC Client response
2002914 ET EXPLOIT VNC Server VNC Auth Offer
2002919 ET EXPLOIT VNC Good Authentication Reply
2002915 ET EXPLOIT VNC Authentication Reply
2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3DISABLED:7
emerging-ftp > all
2010731 ET FTP FTP CWD command attempt without loginDISABLED:1
emerging-games > all
DISABLED:0
emerging-icmp > ---
emerging-icmp_info > ---
emerging-imap > ---
emerging-inappropriate > all except:
2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
2001608 ET INAPPROPRIATE Likely PornDISABLED:2
emerging-info > all except:
2014472 ET INFO JAVA - Java Archive Download
2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
2014819 ET INFO Packed Executable Download
2015016 ET INFO FTP STOR to External Network
2015561 ET INFO PDF Using CCITTFax Filter
2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2016360 ET INFO JAVA - ClassID
2016361 ET INFO JAVA - ClassID
2016404 ET INFO MPEG Download Over HTTP (1)
2015674 ET INFO 3XX redirect to data URL
2016847 ET INFO Possible Chrome Plugin install
2017669 ET INFO Zip FileDISABLED:12
emerging-malware > all except:
2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware RelatedDISABLED:3
emerging-misc > all
DISABLED:0
emerging-mobile_malware > all except:
2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URIDISABLED:2
emerging-netbios > all
DISABLED:0
emerging-p2p > all except:
2000369 ET P2P BitTorrent Announce
2007727 ET P2P possible torrent download
2008581 ET P2P BitTorrent DHT ping request
2008583 ET P2P BitTorrent DHT nodes reply
2008585 ET P2P BitTorrent DHT announce_peers request
2010144 ET P2P Vuze BT UDP Connection (5)
2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
2014734 ET P2P BitTorrent - Torrent File Downloaded
2003317 ET P2P Edonkey Search Request (any type file)
2009971 ET P2P eMule KAD Network Hello Request (2)
2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)DISABLED:12
emerging-policy > all except:
2000419 ET POLICY PE EXE or DLL Windows file download
2000428 ET POLICY ZIP file download
2001115 ET POLICY MSI (microsoft installer file) download
2003595 ET POLICY exe download via HTTP - Informational
2001898 ET POLICY eBay Bid Placed
2001907 ET POLICY eBay Placing Item for sale
2001908 ET POLICY eBay View Item
2001909 ET POLICY eBay Watch This Item
2003303 ET POLICY FTP Login Attempt (non-anonymous)
2003410 ET POLICY FTP Login Successful
2003121 ET POLICY docs.google.com Activity
2003597 ET POLICY Google Calendar in Use
2002801 ET POLICY Google Desktop User-Agent Detected
2002838 ET POLICY Google Search Appliance browsing the Internet
2000035 ET POLICY Hotmail Inbox Access
2000036 ET POLICY Hotmail Message Access
2000037 ET POLICY Hotmail Compose Message Access
2000038 ET POLICY Hotmail Compose Message Submit
2000039 ET POLICY Hotmail Compose Message Submit Data
2008238 ET POLICY Hotmail Inbox Access
2008239 ET POLICY Hotmail Message Access
2008240 ET POLICY Hotmail Compose Message Access
2008242 ET POLICY Hotmail Access Full Mode
2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
2002330 ET POLICY Google Talk TLS Client Traffic
2002332 ET POLICY Google IM traffic Windows client user sign-on
2002333 ET POLICY Google IM traffic friend invited
2002878 ET POLICY iTunes User Agent
2002722 ET POLICY MP3 File Transfer Outbound
2002723 ET POLICY MP3 File Transfer Inbound
2001114 ET POLICY Mozilla XPI install files download
2001973 ET POLICY SSH Server Banner Detected on Expected Port
2001974 ET POLICY SSH Client Banner Detected on Expected Port
2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
2001978 ET POLICY SSH session in progress on Expected Port
2001979 ET POLICY SSH Server Banner Detected on Unusual Port
2001980 ET POLICY SSH Client Banner Detected on Unusual Port
2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
2001984 ET POLICY SSH session in progress on Unusual Port
2009001 ET POLICY Login Credentials Possibly Passed in URI
2009004 ET POLICY Login Credentials Possibly Passed in POST Data
2003214 ET POLICY Pingdom.com Monitoring detected
2003215 ET POLICY Pingdom.com Monitoring Node Active
2001669 ET POLICY Proxy GET Request
2001670 ET POLICY Proxy HEAD Request
2001674 ET POLICY Proxy POST Request
2001675 ET POLICY Proxy CONNECT Request
2002922 ET POLICY VNC Authentication Successful
2002920 ET POLICY VNC Authentication Failure
2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
2001449 ET POLICY Proxy Connection detected
2002822 ET POLICY Wget User Agent
2002823 ET POLICY POSSIBLE Web Crawl using Wget
2002824 ET POLICY CURL User Agent
2002934 ET POLICY libwww-perl User Agent
2002828 ET POLICY Googlebot User Agent
2002829 ET POLICY Googlebot Crawl
2002830 ET POLICY Msnbot User Agent
2002831 ET POLICY Msnbot Crawl
2002832 ET POLICY Yahoo Crawler User Agent
2002833 ET POLICY Yahoo Crawler Crawl
2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
2002948 ET POLICY External Windows Update in Progress
2002949 ET POLICY Windows Update in Progress
2001402 ET POLICY ZIPPED DOC in transit
2001403 ET POLICY ZIPPED XLS in transit
2001404 ET POLICY ZIPPED EXE in transit
2001405 ET POLICY ZIPPED PPT in transit
2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2012648 ET POLICY Dropbox Client Broadcasting
2013028 ET POLICY curl User-Agent Outbound
2013030 ET POLICY libwww-perl User-Agent
2013031 ET POLICY Python-urllib/ Suspicious User Agent
2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
2013414 ET POLICY Executable served from Amazon S3
2013458 ET POLICY Facebook Like Button Clicked (1)
2013459 ET POLICY Facebook Like Button Clicked (2)
2013503 ET POLICY OS X Software Update Request Outbound
2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
2014313 ET POLICY Executable Download From DropBox
2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
2017015 ET POLICY DropBox User Content Access over SSL
2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
2001328 ET POLICY SSN Detected in Clear Text (dashed)
2001384 ET POLICY SSN Detected in Clear Text (spaced)
2007971 ET POLICY SSN Detected in Clear Text (SSN )
2007972 ET POLICY SSN Detected in Clear Text (SSN# )
2011854 ET POLICY Java JAR file download
2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets <<<<<<<< handled by ticking block bogon networks in interface settings
2002752 ET POLICY Reserved Internal IP Traffic <<<<<<<<<<<<< handled by ticking block private networks in interface settings
2000418 ET POLICY Executable and linking format (ELF) file download
2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
2016877 ET POLICY Unsupported/Fake FireFox Version 2.
2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
2013255 ET POLICY Majestic12 User-Agent Request Inbound
2014726 ET POLICY Outdated Windows Flash Version IE
2012911 ET POLICY URL Contains password Parameter
2011085 ET POLICY HTTP Redirect to IPv4 AddressDISABLED:149
emerging-pop3 > ---
DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
DO NOT USE! > emerging-rbn > use pfblocker with: http://rules.emergingthreats.net/blockrules/rbn-ips.txt
emerging-rpc > ---
emerging-scada > all
DISABLED:0
emerging-scan > all except
2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force AttackDISABLED:4
emerging-shellcode > all except
2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray StringDISABLED:7
emerging-smtp > all
DISABLED:0
emerging-snmp > all
DISABLED:0
emerging-sql > all
DISABLED:0
emerging-telnet > all
DISABLED:0
emerging-tftp > all
DISABLED:0
DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p
emerging-trojan > all except:
2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
2001046 ET TROJAN UPX compressed file download possible malwareDISABLED:5
emerging-user_agents > all except:
2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojanDISABLED:1
emerging-voip > all
DISABLED:0
emerging-web_client > all except
2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
2011507 ET WEB_CLIENT PDF With Embedded File
2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure AttemptDISABLED:13
emerging-web_server > all except
2003099 ET WEB_SERVER Poison Null Byte
2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)DISABLED:5
emerging-web_specific_apps > all except:
2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attemptDISABLED:5
emerging-worm > all
DISABLED:0
GPLv2 community rules > all except
254 DNS SPOOF query response with TTL of 1 min. and no authority
384 PROTOCOL-ICMP PING
385 PROTOCOL-ICMP traceroute
399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
408 PROTOCOL-ICMP Echo Reply
540 POLICY-SOCIAL Microsoft MSN message
648 INDICATOR-SHELLCODE x86 NOOP
649 INDICATOR-SHELLCODE x86 setgid 0
1200 INDICATOR-COMPROMISE Invalid URL
1201 INDICATOR-COMPROMISE 403 Forbidden
1292 INDICATOR-COMPROMISE directory listing
1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
1437 FILE-IDENTIFY Microsoft Windows Media download detected
1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
1852 SERVER-WEBAPP robots.txt access
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
2180 PUA-P2P BitTorrent announce request
2181 PUA-P2P BitTorrent transfer
2707 FILE-IMAGE JPEG parser multipacket heap overflow
3463 SERVER-WEBAPP awstats access
25518 OS-OTHER Apple iPod User-Agent detected
25519 OS-OTHER Apple iPad User-Agent detected
25520 OS-OTHER Apple iPhone User-Agent detected
25521 OS-OTHER Android User-Agent detected
25522 OS-OTHER Nokia User-Agent detected
25523 OS-OTHER Samsung User-Agent detected
25524 OS-OTHER Kindle User-Agent detected
25525 OS-OTHER Nintendo User-Agent detected
2417 PROTOCOL-FTP format string attempt
1377 PROTOCOL-FTP wu-ftp bad file completion attempt
1378 PROTOCOL-FTP wu-ftp bad file completion attemptDISABLED:38
IPS Policy - Security > all except
19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
13360 APP-DETECT failed FTP login attempt
23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
14772 WEB-CLIENT libpng malformed chunk denial of service attempt
29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attemptDISABLED:11
preprocessor.rules > all except (first_column:second_column details)
119:2 HI_CLIENT_DOUBLE_DECODE
119:4 HI_CLIENT_BARE_BYTE
119:7 HI_CLIENT_IIS_UNICODE
119:14 HI_CLIENT_NON_RFC_CHAR
119:31 HI_CLIENT_UNKNOWN_METHOD
119:32 HI_CLIENT_SIMPLE_REQUEST
120:2 HI_SERVER_INVALID_STATCODE
120:3 HI_SERVER_NO_CONTLEN
120:4 HI_SERVER_UTF_NORM_FAIL
120:6 HI_SERVER_DECOMPR_FAILED
120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
120:9 HI_SERVER_JS_OBFUSCATION_EXCD
120:10 HI_SERVER_JS_EXCESS_WS
122:1 PSNG_TCP_PORTSCAN
122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
122:17 PSNG_UDP_PORTSCAN
122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
124:3 SMTP_RESPONSE_OVERFLOW
125:1 FTPP_FTP_TELNET_CMD
125:2 FTPP_FTP_INVALID_CMD
125:7 FTPP_FTP_ENCRYPTED
125:9 FTPP_FTP_EVASIVE_TELNET_CMD
137:1 SSL_INVALID_CLIENT_HELLO
141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
145:2 DNP3_DROPPED_FRAME
DISABLED>>>26DO NOT USE! > sensitive-data.rules > NONE enabled
Suppression list:
#GLOBAL
gen_id 1
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 20122758
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1 -
Emerging threats has stopped updating the RBN related lists, hence a new update to this topic. That and a couple of added rules.
In tab "Rules", under "Category" select:
(–- means blank table at time of writing)Auto-Flowbit rules > all except:
8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
23714 FILE-IDENTIFY Microsoft Office Publisher file magic detectedDISABLED:2
emerging-activex > all
DISABLED:0
emerging-attack_responses > all
DISABLED:0
DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
emerging-chat > all except:
2010784 ET CHAT Facebook Chat (send message)
2010785 ET CHAT Facebook Chat (buddy list)
2010786 ET CHAT Facebook Chat (settings)
2010819 ET CHAT Facebook Chat using XMPP
2002327 ET CHAT Google Talk (Jabber) Client Login
2002334 ET CHAT Google IM traffic Jabber client sign-on
2001241 ET CHAT MSN file transfer request
2001242 ET CHAT MSN file transfer accept
2001243 ET CHAT MSN file transfer reject
2001682 ET CHAT MSN IM Poll via HTTP
2002192 ET CHAT MSN status change
2008289 ET CHAT Possible MSN Messenger File Transfer
2009375 ET CHAT General MSN Chat Activity
2009376 ET CHAT MSN User-Agent Activity
2001595 ET CHAT Skype VOIP Checking Version (Startup)
2002157 ET CHAT Skype User-Agent detected
2003022 ET CHAT Skype Bootstrap Node (udp)DISABLED:17
DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt
DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
emerging-current_events > all
DISABLED:0
emerging-deleted > ---
emerging-dns > all except:
2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
2001117 ET DNS Standard query response, Name ErrorDISABLED:3
emerging-dos > all
DISABLED:0
DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
DO NOT USE! > emerging-dshield > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
emerging-exploit > all except:
2001058 ET EXPLOIT libpng tRNS overflow attempt
2002913 ET EXPLOIT VNC Client response
2002914 ET EXPLOIT VNC Server VNC Auth Offer
2002919 ET EXPLOIT VNC Good Authentication Reply
2002915 ET EXPLOIT VNC Authentication Reply
2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3DISABLED:7
emerging-ftp > all
2010731 ET FTP FTP CWD command attempt without loginDISABLED:1
emerging-games > all
DISABLED:0
emerging-icmp > ---
emerging-icmp_info > ---
emerging-imap > ---
emerging-inappropriate > all except:
2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
2001608 ET INAPPROPRIATE Likely PornDISABLED:2
emerging-info > all except:
2014472 ET INFO JAVA - Java Archive Download
2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
2014819 ET INFO Packed Executable Download
2015016 ET INFO FTP STOR to External Network
2015561 ET INFO PDF Using CCITTFax Filter
2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2016360 ET INFO JAVA - ClassID
2016361 ET INFO JAVA - ClassID
2016404 ET INFO MPEG Download Over HTTP (1)
2015674 ET INFO 3XX redirect to data URL
2016847 ET INFO Possible Chrome Plugin install
2017669 ET INFO Zip FileDISABLED:12
emerging-malware > all except:
2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware RelatedDISABLED:3
emerging-misc > all
DISABLED:0
emerging-mobile_malware > all except:
2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URIDISABLED:2
emerging-netbios > all
DISABLED:0
emerging-p2p > all except:
2000369 ET P2P BitTorrent Announce
2007727 ET P2P possible torrent download
2008581 ET P2P BitTorrent DHT ping request
2008583 ET P2P BitTorrent DHT nodes reply
2008585 ET P2P BitTorrent DHT announce_peers request
2010144 ET P2P Vuze BT UDP Connection (5)
2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
2014734 ET P2P BitTorrent - Torrent File Downloaded
2003317 ET P2P Edonkey Search Request (any type file)
2009971 ET P2P eMule KAD Network Hello Request (2)
2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)DISABLED:12
emerging-policy > all except:
2000419 ET POLICY PE EXE or DLL Windows file download
2000428 ET POLICY ZIP file download
2001115 ET POLICY MSI (microsoft installer file) download
2003595 ET POLICY exe download via HTTP - Informational
2001898 ET POLICY eBay Bid Placed
2001907 ET POLICY eBay Placing Item for sale
2001908 ET POLICY eBay View Item
2001909 ET POLICY eBay Watch This Item
2003303 ET POLICY FTP Login Attempt (non-anonymous)
2003410 ET POLICY FTP Login Successful
2003121 ET POLICY docs.google.com Activity
2003597 ET POLICY Google Calendar in Use
2002801 ET POLICY Google Desktop User-Agent Detected
2002838 ET POLICY Google Search Appliance browsing the Internet
2000035 ET POLICY Hotmail Inbox Access
2000036 ET POLICY Hotmail Message Access
2000037 ET POLICY Hotmail Compose Message Access
2000038 ET POLICY Hotmail Compose Message Submit
2000039 ET POLICY Hotmail Compose Message Submit Data
2008238 ET POLICY Hotmail Inbox Access
2008239 ET POLICY Hotmail Message Access
2008240 ET POLICY Hotmail Compose Message Access
2008242 ET POLICY Hotmail Access Full Mode
2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
2002330 ET POLICY Google Talk TLS Client Traffic
2002332 ET POLICY Google IM traffic Windows client user sign-on
2002333 ET POLICY Google IM traffic friend invited
2002878 ET POLICY iTunes User Agent
2002722 ET POLICY MP3 File Transfer Outbound
2002723 ET POLICY MP3 File Transfer Inbound
2001114 ET POLICY Mozilla XPI install files download
2001973 ET POLICY SSH Server Banner Detected on Expected Port
2001974 ET POLICY SSH Client Banner Detected on Expected Port
2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
2001978 ET POLICY SSH session in progress on Expected Port
2001979 ET POLICY SSH Server Banner Detected on Unusual Port
2001980 ET POLICY SSH Client Banner Detected on Unusual Port
2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
2001984 ET POLICY SSH session in progress on Unusual Port
2009001 ET POLICY Login Credentials Possibly Passed in URI
2009004 ET POLICY Login Credentials Possibly Passed in POST Data
2003214 ET POLICY Pingdom.com Monitoring detected
2003215 ET POLICY Pingdom.com Monitoring Node Active
2001669 ET POLICY Proxy GET Request
2001670 ET POLICY Proxy HEAD Request
2001674 ET POLICY Proxy POST Request
2001675 ET POLICY Proxy CONNECT Request
2002922 ET POLICY VNC Authentication Successful
2002920 ET POLICY VNC Authentication Failure
2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
2001449 ET POLICY Proxy Connection detected
2002822 ET POLICY Wget User Agent
2002823 ET POLICY POSSIBLE Web Crawl using Wget
2002824 ET POLICY CURL User Agent
2002934 ET POLICY libwww-perl User Agent
2002828 ET POLICY Googlebot User Agent
2002829 ET POLICY Googlebot Crawl
2002830 ET POLICY Msnbot User Agent
2002831 ET POLICY Msnbot Crawl
2002832 ET POLICY Yahoo Crawler User Agent
2002833 ET POLICY Yahoo Crawler Crawl
2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
2002948 ET POLICY External Windows Update in Progress
2002949 ET POLICY Windows Update in Progress
2001402 ET POLICY ZIPPED DOC in transit
2001403 ET POLICY ZIPPED XLS in transit
2001404 ET POLICY ZIPPED EXE in transit
2001405 ET POLICY ZIPPED PPT in transit
2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2012648 ET POLICY Dropbox Client Broadcasting
2013028 ET POLICY curl User-Agent Outbound
2013030 ET POLICY libwww-perl User-Agent
2013031 ET POLICY Python-urllib/ Suspicious User Agent
2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
2013414 ET POLICY Executable served from Amazon S3
2013458 ET POLICY Facebook Like Button Clicked (1)
2013459 ET POLICY Facebook Like Button Clicked (2)
2013503 ET POLICY OS X Software Update Request Outbound
2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
2014313 ET POLICY Executable Download From DropBox
2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
2017015 ET POLICY DropBox User Content Access over SSL
2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
2001328 ET POLICY SSN Detected in Clear Text (dashed)
2001384 ET POLICY SSN Detected in Clear Text (spaced)
2007971 ET POLICY SSN Detected in Clear Text (SSN )
2007972 ET POLICY SSN Detected in Clear Text (SSN# )
2011854 ET POLICY Java JAR file download
2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets <<<<<<<< handled by ticking block bogon networks in interface settings
2002752 ET POLICY Reserved Internal IP Traffic <<<<<<<<<<<<< handled by ticking block private networks in interface settings
2000418 ET POLICY Executable and linking format (ELF) file download
2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
2016877 ET POLICY Unsupported/Fake FireFox Version 2.
2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
2013255 ET POLICY Majestic12 User-Agent Request Inbound
2014726 ET POLICY Outdated Windows Flash Version IE
2012911 ET POLICY URL Contains password Parameter
2011085 ET POLICY HTTP Redirect to IPv4 Address
2009303 ET POLICY MediaFire file download service accessDISABLED:150
emerging-pop3 > ---
DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS
DO NOT USE! > emerging-rbn > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS
emerging-rpc > ---
emerging-scada > all
DISABLED:0
emerging-scan > all except
2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
2011367 ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN)DISABLED:5
emerging-shellcode > all except
2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray StringDISABLED:7
emerging-smtp > all
DISABLED:0
emerging-snmp > all
DISABLED:0
emerging-sql > all
DISABLED:0
emerging-telnet > all
DISABLED:0
emerging-tftp > all
DISABLED:0
DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p
emerging-trojan > all except:
2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
2001046 ET TROJAN UPX compressed file download possible malwareDISABLED:5
emerging-user_agents > all except:
2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojanDISABLED:1
emerging-voip > all
DISABLED:0
emerging-web_client > all except
2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
2011507 ET WEB_CLIENT PDF With Embedded File
2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure AttemptDISABLED:13
emerging-web_server > all except
2003099 ET WEB_SERVER Poison Null Byte
2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)DISABLED:5
emerging-web_specific_apps > all except:
2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attemptDISABLED:5
emerging-worm > all
DISABLED:0
GPLv2 community rules > all except
254 DNS SPOOF query response with TTL of 1 min. and no authority
384 PROTOCOL-ICMP PING
385 PROTOCOL-ICMP traceroute
399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
408 PROTOCOL-ICMP Echo Reply
540 POLICY-SOCIAL Microsoft MSN message
648 INDICATOR-SHELLCODE x86 NOOP
649 INDICATOR-SHELLCODE x86 setgid 0
1200 INDICATOR-COMPROMISE Invalid URL
1201 INDICATOR-COMPROMISE 403 Forbidden
1292 INDICATOR-COMPROMISE directory listing
1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
1437 FILE-IDENTIFY Microsoft Windows Media download detected
1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
1852 SERVER-WEBAPP robots.txt access
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
2180 PUA-P2P BitTorrent announce request
2181 PUA-P2P BitTorrent transfer
2707 FILE-IMAGE JPEG parser multipacket heap overflow
3463 SERVER-WEBAPP awstats access
25518 OS-OTHER Apple iPod User-Agent detected
25519 OS-OTHER Apple iPad User-Agent detected
25520 OS-OTHER Apple iPhone User-Agent detected
25521 OS-OTHER Android User-Agent detected
25522 OS-OTHER Nokia User-Agent detected
25523 OS-OTHER Samsung User-Agent detected
25524 OS-OTHER Kindle User-Agent detected
25525 OS-OTHER Nintendo User-Agent detected
2417 PROTOCOL-FTP format string attempt
1377 PROTOCOL-FTP wu-ftp bad file completion attempt
1378 PROTOCOL-FTP wu-ftp bad file completion attemptDISABLED:38
IPS Policy - Security > all except
19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
13360 APP-DETECT failed FTP login attempt
23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
14772 WEB-CLIENT libpng malformed chunk denial of service attempt
29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt
27948 FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt
17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1DISABLED:13
preprocessor.rules > all except (first_column:second_column details)
119:2 HI_CLIENT_DOUBLE_DECODE
119:4 HI_CLIENT_BARE_BYTE
119:7 HI_CLIENT_IIS_UNICODE
119:14 HI_CLIENT_NON_RFC_CHAR
119:31 HI_CLIENT_UNKNOWN_METHOD
119:32 HI_CLIENT_SIMPLE_REQUEST
120:2 HI_SERVER_INVALID_STATCODE
120:3 HI_SERVER_NO_CONTLEN
120:4 HI_SERVER_UTF_NORM_FAIL
120:6 HI_SERVER_DECOMPR_FAILED
120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
120:9 HI_SERVER_JS_OBFUSCATION_EXCD
120:10 HI_SERVER_JS_EXCESS_WS
122:1 PSNG_TCP_PORTSCAN
122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
122:17 PSNG_UDP_PORTSCAN
122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
124:3 SMTP_RESPONSE_OVERFLOW
124:10 SMTP_B64_DECODING_FAILED
125:1 FTPP_FTP_TELNET_CMD
125:2 FTPP_FTP_INVALID_CMD
125:7 FTPP_FTP_ENCRYPTED
125:9 FTPP_FTP_EVASIVE_TELNET_CMD
137:1 SSL_INVALID_CLIENT_HELLO
141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
145:2 DNP3_DROPPED_FRAME
DISABLED>>>27DO NOT USE! > sensitive-data.rules > NONE enabled
Suppression list:
#GLOBAL
gen_id 1
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 20122758
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1 -
Hi jflsakfja,
Quite like your idea of disabling the rule rather than adding suppresses.
However, if you have the time, I think it would be nice to separate things into categories.
e.g., things "everyone" is likely to want, things required for Facebook, things required for GMail, things required for Skype, things required for downloading files, etc etc.
Using a real scenario as an example, I want Skype to be allowed. I currently have my rules set only to log and thought I had previously allowed all Skype related rules. Today after a Skype call I came back to see hundreds of alerts for:
1:2007637 ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack
1:2007635 ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack(This might be something you want to add to your exception list).
Both alerts started exactly when my Skype call started and ended exactly when my Skype call ended. This rule is only triggered by SkypeOut calls (calls from Skype to physical numbers, not Skype-to-Skype calls). SkypeOut uses port 12340, which is exactly the port that traffic was coming in on when these rules got triggered.
Just looking at the description of the rule, I would say that anything with the name "TROJAN" on it should definitely be blocked, and if someone tells me I should unblock it without justifying it I would just leave it blocked until the alerts show me a genuine reason to unblock it. Having a list that says this is related to Skype and without it Skype will not work will give me enough confidence to enable it without needing to test it myself. It also means I then know that if I want to enable Skype I have to enable this one too, but I can quite happily leave others still enabled.
For example, if the following two rules do exactly what their name suggests, I have no need for them since I do not use Microsoft Office Publisher:
8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
23714 FILE-IDENTIFY Microsoft Office Publisher file magic detectedHowever, if you tell me that iPhone AppStore (crazy example) triggers that rule, I'll quite happily enable it.
I know there is a massive amount of work involved in assigning every single rule to a category, but if that's done, it will also be a lot easier for the community to later maintain it…
Just my two cents.
-
Thought about putting a reason for disabling a particular rule next to the rule. Then sat down and thought. If a rule produces false positives, it's not a "I don't use skype (for example) so I'll leave active all rules related to skype that generate false positives" scenario, it's more of a "I don't use skype, but other persons do".
This particular list is in use at a site that provides internet connectivity to clients, and hosts a couple of servers behind it. If something ends up on my list it's a)the rule should be removed upstream (coughsimple HTTP requestcough) b)client's requirements (stuff they use, I don't use) c)company requirements (stuff nobody but me uses, but causes a false positive). In all cases, the rule is required to be disabled, since nobody wants to get a call at 3am to get up and unblock an IP that was blocked by mistake.Personally I would like to see a simple explanation next to the rule for the reason why it's disabled. I would prefer it though if the false positive (or overly-paranoid rules coughsimple HTTP requestcough) get removed upstream. Rules "protecting" from 5 year vulnerabilities in a program shouldn't be used, but instead the program in question should be fixed. Yes there is the chance of a regression in a future update. I'll take my chances with that, instead of dropping connectivity at random due to false positives.
Until all, each and every single one, of the past,present and future sysadmins, goes to work with an attitude of "I'll check for updates to software in use daily and co-operate with the community on getting bugs fixed" AND developers adopt the versioning scheme I suggested on a debian list a while back (only 2 versions for programs: stable and testing) then all kinds of these lists will be needed to "watch after" other people's mess.Let's take your example, for example (no pun intended). Those two rules caused an alert for something they should not produce. What the entire community is faced with is a simple choice:
A) update the rule and fix it. If detection for that particular worm is not possible without using an NSA dragnet approach (all traffic to that port,not allowed) then that rule should be removed.
B) leave the rule as is, and instead put additional effort into maintaining a copy of "This rule should be disabled because it's causing a false positive when you use skype".I'll take option A.
Let's take my example now. SYN (first step to establishing a connection) traffic destined for an HTTP port, directed to a non-HTTP server. In my case, that particular rule is a "WTF?!? traffic directed at a web server is trying to get to a client's computer" type of reaction. This particular rule cannot produce a false positive. The reason is actually in the use case for the rule. HTTP traffic, NOT directed to a webserver. This rule detects attempts to find a webserver faster than all those rules related to detecting this (snort/ET). The reason is simple. There are times you can use a not needed traffic approach. There are other times though that using that approach, could lead to false positives. What if another sysadmin adds a webserver using a client's IP (theoretical scenario, play along)? In that case the system will still see that traffic is trying to get to a client's pc, but block it. It's still NOT a false positive though, since I know that that address block shouldn't have servers in it. It's the sysadmin's responsibility of notifying me to get the IP added to the webservers' list, and my responsibility of adding it. It's not the sysadmin's responsibility of going in and disabling a rule because my rule needs updating. Hope it makes sense.
PS.
Re-read the post and saw that I got carried away. Summary: yes, explanations would be nice, people actually doing what they are supposed to do would be nicer. -
You guys using pfBlocker may be interested in the upcoming Snort package update. It will include support for Snort's IP Reputation preprocessor. This is a high-speed preprocessor that is the first link in the Snort traffic inspection train (when enabled). It can use one or more plain text files of IP addresses or CIDR-notation networks that it should block outright. Traffic is matched on a simple IP and not using the complex regex engines and stuff the text rules use. This means the inspection is quick and efficient.
Here is my personal take on this new Snort blacklist approach versus the pfBlocker approach. Both eventually produce the same result: offender IPs blocked. The difference in my opinion is how they get there. pfBlocker is a sort of shotgun approach where you load your firewall up with all the potential bad-guy addresses. This can potentially waste lots of memory and packet filter resources protecting against an army of IP addresses when maybe only 50 or 60 of them may actually ever hit your firewall (just an example; busier or high-value networks probably see more bad actor IPs than that). At any rate, it seems more efficient in terms of resources in my view to let Snort sit there with a blacklist and only fill your firewall block tables with those blacklisted IPs that actually hit your box.
The new Snort package will have a new top-level tab for managing IP Lists used by the new preprocessor, and then a new IP REP tab for each interface where you will assign the blacklist and/or whitelist for the interface and adjust other settings. Some screenshots are attached below.
Bill
-
@jflsakfja:
Thought about putting a reason for disabling a particular rule next to the rule. Then sat down and thought. If a rule produces false positives, it's not a "I don't use skype (for example) so I'll leave active all rules related to skype that generate false positives" scenario, it's more of a "I don't use skype, but other persons do".
This particular list is in use at a site that provides internet connectivity to clients, and hosts a couple of servers behind it. If something ends up on my list it's a)the rule should be removed upstream (coughsimple HTTP requestcough) b)client's requirements (stuff they use, I don't use) c)company requirements (stuff nobody but me uses, but causes a false positive). In all cases, the rule is required to be disabled, since nobody wants to get a call at 3am to get up and unblock an IP that was blocked by mistake.Personally I would like to see a simple explanation next to the rule for the reason why it's disabled. I would prefer it though if the false positive (or overly-paranoid rules coughsimple HTTP requestcough) get removed upstream. Rules "protecting" from 5 year vulnerabilities in a program shouldn't be used, but instead the program in question should be fixed. Yes there is the chance of a regression in a future update. I'll take my chances with that, instead of dropping connectivity at random due to false positives.
Until all, each and every single one, of the past,present and future sysadmins, goes to work with an attitude of "I'll check for updates to software in use daily and co-operate with the community on getting bugs fixed" AND developers adopt the versioning scheme I suggested on a debian list a while back (only 2 versions for programs: stable and testing) then all kinds of these lists will be needed to "watch after" other people's mess.Let's take your example, for example (no pun intended). Those two rules caused an alert for something they should not produce. What the entire community is faced with is a simple choice:
A) update the rule and fix it. If detection for that particular worm is not possible without using an NSA dragnet approach (all traffic to that port,not allowed) then that rule should be removed.
B) leave the rule as is, and instead put additional effort into maintaining a copy of "This rule should be disabled because it's causing a false positive when you use skype".I'll take option A.
Let's take my example now. SYN (first step to establishing a connection) traffic destined for an HTTP port, directed to a non-HTTP server. In my case, that particular rule is a "WTF?!? traffic directed at a web server is trying to get to a client's computer" type of reaction. This particular rule cannot produce a false positive. The reason is actually in the use case for the rule. HTTP traffic, NOT directed to a webserver. This rule detects attempts to find a webserver faster than all those rules related to detecting this (snort/ET). The reason is simple. There are times you can use a not needed traffic approach. There are other times though that using that approach, could lead to false positives. What if another sysadmin adds a webserver using a client's IP (theoretical scenario, play along)? In that case the system will still see that traffic is trying to get to a client's pc, but block it. It's still NOT a false positive though, since I know that that address block shouldn't have servers in it. It's the sysadmin's responsibility of notifying me to get the IP added to the webservers' list, and my responsibility of adding it. It's not the sysadmin's responsibility of going in and disabling a rule because my rule needs updating. Hope it makes sense.
PS.
Re-read the post and saw that I got carried away. Summary: yes, explanations would be nice, people actually doing what they are supposed to do would be nicer.Umm, it does sound like you got slightly carried away, but I understand what you mean.
However, I would question your logic for not putting reasons next to the disabled rules. You said you didn't do it because if a rule produces false positives it should be disabled, regardless of whether I as a user uses skype or not (as other might).
This doesn't take a few things into account though:
A) The pfSense environment might be at home, not in a workplace (in which case it would make sense to block as many things as possible to reduce the attack surface - even if that's being overly careful in 99% of the cases)
B) Corporate policy says that skype cannot be used.
In either of those scenarios, the end result is that the user wants to actively block Skype. Having a list of what rules go with what helps to identify whether this is something that the person setting up pfSense should disable, leave as default or make sure it gets enabled.
As for how to resolve the particular rules causing false positives I posted, I completely agree with your way of looking at it: the rule should be fixed, not disabled in an ideal world.
However, I would raise the same question about other rules you have disabled on your config, such as:
2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)Why are those being disabled rather than fixing the rule?
Don't get me wrong, I'm not trying to bust your balls or anything and I really really appreciate what you are doing here, but I think it would be a much better effort if more people could help you with generating a list that actually works and I feel that for that to work we need to have reasons behind why a certain rule is disabled.