Snort doesn't generate alerts on 2 interfaces



  • 2.1-RELEASE (i386) 
    built on Wed Sep 11 18:16:50 EDT 2013 
    FreeBSD 8.3-RELEASE-p11
    
    Snort 2.9.4.6 pkg v. 2.6.0
    

    I have Snort running on 4 WAN interfaces on pfSense, 2 static (WAN1 & WAN2) and 2 PPPoE (WAN3 & WAN4). All of them have the same rules, although only the 2 PPPoE ones generate alerts. Not sure if it matters, but WAN1 and WAN2 are on the same NIC. We didn't use this config on 2.0.3, so I can't say it was working before.

    Also, we have load balancing working, so we do have traffic on all interfaces…

    What am I missing here?


  • Banned

    Is traffic flowing through all interfaces?



  • @Supermule:

    Is traffic flowing through all interfaces?

    Yes, it is. I'm checking all traffic graphs on all interfaces (on Dashboard).


  • Banned

    Can you post traffic graphs and RRD graphs?



  • I'll try, it says Restrictions: 15 per post, maximum total size 300KB, maximum individual size 250KB tho…

    As you can see there's more traffic on WAN1 & WAN2, which have no alerts, than on WAN3 & WAN4.

    ![WAN1 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN1 Traffic 1 Month 1 Hour Average.png)
    ![WAN2 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN2 Traffic 1 Month 1 Hour Average.png)
    ![WAN3 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN3 Traffic 1 Month 1 Hour Average.png)
    ![WAN4 Traffic 1 Month 1 Hour Average.png](/public/imported_attachments/1/WAN4 Traffic 1 Month 1 Hour Average.png)


  • Banned

    Post a picture of the snort interfaces….



  • Here you go:

    ![Snort Interfaces.png](/public/imported_attachments/1/Snort Interfaces.png)


  • Banned

    post a picture of the alerts section for all interfaces…



  • WAN1 & WAN2 are totally empty

    WAN3 & WAN4 have a lot of

    (ssp_ssl) Invalid Client HELLO after Server HELLO Detected
    

    and some

    (spp_frag3) Fragmentation overlap
    

  • Banned

    Hmmmmm


  • Banned

    Delete the WAN2 and WAN4 Snort interfaces and see if it picks up on WAN1.

    If not, delete all, remove the package and reinstall. Then begin with only one interface that Snort listens to. Then add one more at a time while you get alerts on all interfaces.

    How is your memory coming along and are you swapping on the harddrive?



  • @Supermule:

    Delete the WAN2 and WAN4 Snort interfaces and see if it picks up on WAN1.

    If not, delete all, remove the package and reinstall. Then begin with only one interface that Snort listens to. Then add one more at a time while you get alerts on all interfaces.

    I'll be doing that shortly, thank you for your help.

    @Supermule:

    How is your memory coming along and are you swapping on the harddrive?

    On heavy load my memory goes up to 85%, and yes, I'm using swap (it's 39% mem. and 14% swap atm)


  • Banned

    Is Pfsense running physical or virtual?



  • @Supermule:

    Is Pfsense running physical or virtual?

    Physically.



  • Are these extra WAN interfaces part of a CARP or multi-WAN setup?  Is there perhaps some asymmetrical routing going on?

    If so, this could trip up Snort as some alerts depend on flowbits set by previous traffic.  If that previous traffic was seen on a "different interface" (as in one of the other WAN pathways), then the alert with that set flowbit dependency would not fire.  Not saying this is your issue, but it is something to be considered.

    Another possibility, if any asymmetrical routing is happening, is the stream5 preprocessor can fail to correctly reassemble streams if it does not see all of the traffic.  Remember that Snort really runs as totally separate and autonomous processes – one per interface.  So it's basically like having physically separate computers running Snort.  Any weirdness with routing between those multiple WANs could trip up those independent Snort processes.

    Bill
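    The flowbit effect Bill describes above, shown as an added toy simulation (this is illustrative code written for this thread, not Snort's own code or anything from the pfSense package). It models two things from his post: each interface runs its own Snort process with its own flowbit state, and a rule with `flowbits:isset` only fires if that same process earlier saw the packet that set the bit. The two rules, the flow key, the addresses and the payloads are all constructed for the example; the SIDs are placeholders, not real Snort rule IDs. A stream5 reassembly failure under asymmetric routing would show up the same way: the instance that sees only one direction of the conversation never has enough state to alert.

    ```python
    """Toy model of per-interface Snort instances and flowbit dependencies.

    Constructed example: not Snort code, just enough to show why a
    flowbits:isset rule fires on a symmetric path and stays silent when
    the request and the reply are seen on different WAN interfaces.
    """
    from dataclasses import dataclass
    from typing import Dict, List, Optional, Tuple


    @dataclass(frozen=True)
    class Packet:
        src: str
        dst: str
        payload: str


    @dataclass(frozen=True)
    class Rule:
        sid: int                      # placeholder SID, not a real Snort rule
        msg: str
        match: str                    # substring the payload must contain
        sets: Optional[str] = None    # like flowbits:set,<name>
        requires: Optional[str] = None  # like flowbits:isset,<name>
        noalert: bool = False         # like flowbits:noalert


    # Constructed rules: the first marks a flow, the second depends on that mark.
    RULES = [
        Rule(1000001, "login request seen", "GET /login", sets="http.login", noalert=True),
        Rule(1000002, "admin cookie after login request", "Set-Cookie: admin",
             requires="http.login"),
    ]


    class SnortInstance:
        """One independent Snort process bound to one interface.

        Flowbit state lives here and is never shared with other instances,
        which is the point of the thread's explanation.
        """

        def __init__(self, iface: str, rules: List[Rule]) -> None:
            self.iface = iface
            self.rules = rules
            # Flow key is direction-independent so a request and its reply
            # share state (hypothetical simplification of Snort's flow tracking).
            self.flowbits: Dict[frozenset, set] = {}
            self.alerts: List[Tuple[int, str]] = []

        def inspect(self, pkt: Packet) -> None:
            bits = self.flowbits.setdefault(frozenset((pkt.src, pkt.dst)), set())
            for rule in self.rules:
                if rule.match not in pkt.payload:
                    continue
                if rule.requires and rule.requires not in bits:
                    continue  # dependency bit never set in THIS instance
                if rule.sets:
                    bits.add(rule.sets)
                if not rule.noalert:
                    self.alerts.append((rule.sid, rule.msg))


    def run_scenario(path: List[Tuple[str, Packet]]) -> Dict[str, List[Tuple[int, str]]]:
        """Feed packets to the instance owning each interface; return alerts per interface."""
        sensors: Dict[str, SnortInstance] = {}
        for iface, pkt in path:
            sensors.setdefault(iface, SnortInstance(iface, RULES)).inspect(pkt)
        return {iface: sensor.alerts for iface, sensor in sensors.items()}


    # Constructed sample traffic (RFC 5737 documentation address for the server).
    REQUEST = Packet("10.0.0.5", "203.0.113.10", "GET /login HTTP/1.1")
    REPLY = Packet("203.0.113.10", "10.0.0.5", "HTTP/1.1 200 OK\r\nSet-Cookie: admin=1")


    def symmetric() -> Dict[str, List[Tuple[int, str]]]:
        """Both directions cross the same WAN: the dependent rule fires."""
        return run_scenario([("WAN3", REQUEST), ("WAN3", REPLY)])


    def asymmetric() -> Dict[str, List[Tuple[int, str]]]:
        """Request leaves via WAN1, reply returns via WAN2: nothing fires anywhere."""
        return run_scenario([("WAN1", REQUEST), ("WAN2", REPLY)])


    if __name__ == "__main__":
        print("symmetric :", symmetric())
        print("asymmetric:", asymmetric())
    ```

    On a real multi-WAN box the check this suggests is to confirm with a packet capture on each WAN that both directions of a given connection traverse the same interface; if they do not, the silent interfaces are expected behaviour for flowbit- and stream-dependent rules rather than a broken Snort install.
    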

