Snort 2.9.4.6 pkg v2.6.1
-
Hi Bill. Would it be a good option to increase the snort widget number of rows to 10 or 20 and make it update in a fixed interval of 10 secs independently of the entire dashboard GUI?
To refresh the dashboard, I need to refresh the entire GUI and change the default autoscale back to follow on a number of interfaces.
-
Hi Bill. Would it be a good option to increase the snort widget number of rows to 10 or 20 and make it update in a fixed interval of 10 secs independently of the entire dashboard GUI?
To refresh the dashboard, I need to refresh the entire GUI and change the default autoscale back to follow on a number of interfaces.
I don't know about the refresh stuff. The Dashboard Widget for Snort was written by someone else. I can study it a bit and see if I can understand better how it works. I've only made a couple of really small tweaks to it. Perhaps a configuration link could be added like some of the other widgets have (the Services widget is one that comes to mind). That would let a user set their own configuration preferences. Not promising anything until I can get into and understand that code better, though.
Bill
-
And my Snort seems to be all crazy again. Only one Snort process running at the moment and Cron looks good also with just one copy of snort_check_for_rule_updates.php
Starting rules update... Time: 2013-11-08 12:20:01 Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'... Starting rules update... Time: 2013-11-08 12:20:01 Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'... Starting rules update... Time: 2013-11-08 12:20:01 Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'... Checking Emerging Threats Open md5. Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2013-11-08 12:20:03 Checking Emerging Threats Open md5. Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2013-11-08 12:20:03 Checking Emerging Threats Open md5. Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2013-11-08 12:20:03Edit:
I'm also seeing other things going off three times instead of once, what in the system could be causing this? I'm on pfSense:
Version 2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:37 EDT 2013
FreeBSD 8.3-RELEASE-p11Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblocktor does not need updated. Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeretRBNmalvertisers does not need updated. Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerMalwaredomainlistcom does not need updated. Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerCIArmy does not need updated. Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockwebexploit does not need updated. Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerblockspyware does not need updated. Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockhijacked does not need updated. Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblocktor does not need updated. Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeretRBNmalvertisers does not need updated. Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerMalwaredomainlistcom does not need updated. Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerCIArmy does not need updated. Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockwebexploit does not need updated. Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerblockspyware does not need updated. Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockhijacked does not need updated. Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblocktor does not need updated. Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeretRBNmalvertisers does not need updated. Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerMalwaredomainlistcom does not need updated. Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerCIArmy does not need updated. Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockwebexploit does not need updated. Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerblockspyware does not need updated. Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockhijacked does not need updated. Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Sleeping for 11 seconds. Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Starting up. Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Sleeping for 24 seconds. Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Starting up. Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Sleeping for 39 seconds. Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Starting up.Fragged:
I really don't know what is going on with your setup. Something is definitely weird. Did you remove just Snort? I'm wondering if something is off in either your config.xml file or even with the base pfSense install itself. The fact other packages are showing duplicate or triplicate log entries points to something other than just the Snort package.
Bill
-
I have done a complete reinstall + recovery of my settings.xml and so far so good, though there haven't been any Snort or ET rules updates yet. There must have been something wrong with my base pfSense setup, which I've had from 2.0.3 -> 2.1 snapshots -> 2.1 release.
-
I am running Snort 2.9.4.6 pkg v. 2.6.1 and have set the WAN Interface to Block Offenders and Kill State. Its set to block the SRC.
I am also using an IPS program called "Security Onion" which also uses Snort and it has captured the same packets that were supposed to be Blocked at pfSense level.
Is this normal? or am I missing some configurations?
-
@BBcan17:
I am running Snort 2.9.4.6 pkg v. 2.6.1 and have set the WAN Interface to Block Offenders and Kill State. Its set to block the SRC.
I am also using an IPS program called "Security Onion" which also uses Snort and it has captured the same packets that were supposed to be Blocked at pfSense level.
Is this normal? or am I missing some configurations?
Make sure of two things.
First, both Snort on pfSense and the Security Onion appliance, ensure the exact same rules are being used. Also verify and scrub the hits you see on Security Onion against the auto-whitelist in Snort. Could be you are seeing packets captured on Onion that matched the whitelist in Snort (and thus were not blocked) on ingress.
Second, my recommendation is to operate Snort blocking in the BOTH mode (that is, block source and destination IP addresses).
Bill
-
Hello Bill,
Please see the screenshots below. You can see the alert and the block in pfsense. There is no entry in the Whitelist WAN or LAN for this Wan IP or Sig ID. The Alert is also
in Security Onion with the same Sig ID. This alert is a false positive but it should still have blocked it.I have also attached the full packet capture from Security Onion. I changed the ext to .TXT (Hope it attaches properly)
If I block both the SRC and DST wont that kill the ability for the alerted LAN address to access the Net?
If you need any further details please let me know.
[Wireshark 11-20-13.txt](/public/imported_attachments/1/Wireshark 11-20-13.txt)
-
Screen shot didnt attach. Please see attached jpg file.
-
@BBcan17:
Hello Bill,
If I block both the SRC and DST wont that kill the ability for the alerted LAN address to access the Net?
If you need any further details please let me know.
No, the auto-whitelist will keep it from actually blocking the LAN addresses. This is because locally attached networks like the LAN are automatically added to the whitelist. By choosing BOTH for the block parameter, this catches an offending IP no matter which way the traffic is flowing. However, this setting is only for blocking. The alerting in the logs is not dependent on that setting.
Bill
-
@BBcan17:
Screen shot didnt attach. Please see attached jpg file.
Looking at the attached images (the JPG was cut off a bit in my browser window), it appears the traffic was alerted and blocked by Snort. Or least an entry was put in the pf table (snort2c). That's all Snort can do. After that it is up to the packet filter engine in FreeBSD to do the rest. Where exactly is the Security Onion appliance in the network traffic path as compared to Snort on the pfSense firewall? Could it be they are both seeing the traffic in parallel? I'm asking how exactly the Onion appliance is wired into the network such that it is seeing WAN traffic.
Bill
-
Thanks Bill,
I will try to block/kill the SRC/DST and see if that fixes the issue.
The Lan side of pfSense goes to a Switch which span/mirrors the traffic to Security Onions sensor port.
On another note - Would it be possible to Add a comment line to the Suppression process when we select "Add this alert to the suppress list" or "Add this alert to the suppress list .. DST/SRC" This way you can record the reasoning behind some of the Suppressions?
Thanks
-
@BBcan17:
I will try to block/kill the SRC/DST and see if that fixes the issue.
The Lan side of pfSense goes to a Switch which span/mirrors the traffic to Security Onions sensor port.
I don't think this will necessarily fix the issue, but it's worth a try. Can I assume from your reply about the sensor location that one of those IP addresses is in your LAN and you are not using NAT?
@BBcan17:
On another note - Would it be possible to Add a comment line to the Suppression process when we select "Add this alert to the suppress list" or "Add this alert to the suppress list .. DST/SRC" This way you can record the reasoning behind some of the Suppressions?
That might be possible. I will file it away for some future feature adds. The next big release is already packaged (version 3.0.0) and it's too late to add more features. That version, when released, will add support in the GUI for multiple target engine configurations for five of the preprocessors (frag3, stream5, http_inspect, ftp_server and ftp_client).
Bill
-
Great stuff. I dont know what i would do without pfsense and snort.
I also notice that when I am viewing the alert list and select the "+" or "x' buttons for suppression that the refresh of the screen brings me to another snort interface alert list.
Yes the alert was for an IP on the same network (10.1.xx.xxx) as the pfsense LAN port.
-
Hello Bill,
I changed the Blocking to both SRC/DST but I noticed that this one alert was blocked in pfSense but Security Onion picked it up.
See the jpg attached.
-
@BBcan17:
Hello Bill,
I changed the Blocking to both SRC/DST but I noticed that this one alert was blocked in pfSense but Security Onion picked it up.
See the jpg attached.
Is this routine or more random? What I mean by that is does it seem to leak all the packets that should have been blocked, or is it more like randomly it does this? I'm asking to see if this might be tied in any way to the random clearing of the block table. I doubt it is, but just checking all possibilities.
It certainly does appear from your captures that the packet is supposedly "blocked", but it leaks by anyway to the LAN. I do notice a 5 hour time discrepancy in the Snort log entry versus the Security Onion entry. The times match on the minute and second, but the hour is off. I'm assuming this maybe is a time zone issue with one of the devices.
This is obviously not supposed to happen, so I would like to get to the bottom of it. Unfortunately this is likely to require some pfSense uber-geek magic to figure out. The packet filter and all the network stack stuff in pfSense is not my area of expertise. Perhaps we can get one of the Core Team developers to take a look. I will ping them with a link to this thread to see if one will weigh in.
Bill
-
Hi Bill,
Activity has been fairly low today, but I would say that most alerts are passing thru unblocked. The things that I dont see in Security Onion are the DROP/DShield/ET RBN's alerts in snort but that activity could also be drooped by the router.
I am in EST and Security Onion is configured in UTC time so that is your time difference.
I have three NICs installed on this router. I have two WAN addresses but only one GW. I have been trying to get Multiwan to work without success.
http://forum.pfsense.org/index.php/topic,64682.msg374930.html#msg374930I have the second WAN Disabled for several weeks and I also had disabled the Snort Interface for this 2nd Wan port. However, today i noticed activity in this disabled Wan2 port Snort interface. It didnt match the snort alerts from Wan1.
So this afternoon, I deleted the WAN2 interface and also deleted the snort interface and Rebooted pfSense.
This didnt fix the issue but I thought I would share that with you just in case,
-
Bill,
The router is set for Automatic Outbound Nat but there were 4 entries from the Manual Outbound NAT that I was working with a few weeks ago. I have since cleared the Manual rules and restarted pfSense.
-
@BBcan17:
Bill,
The router is set for Automatic Outbound Nat but there were 4 entries from the Manual Outbound NAT that I was working with a few weeks ago. I have since cleared the Manual rules and restarted pfSense.
I sent a request via e-mail to the pfSense Core Team asking for one of them to take a look at this thread and see if they had any thoughts about what might be going on. It's weird that the blocks are getting set in the packet filter table, but yet some traffic still seems to get through.
Bill
-
@BBcan17:
Hi Bill,
…The things that I dont see in Security Onion are the DROP/DShield/ET RBN's alerts in snort but that activity could also be drooped by the router.
Can you elaborate a bit more on this statement. Are you saying you have some of the ET RBN and ET CIARMY rules enabled on the WAN side of pfSense in Snort, and those are all getting blocked but traffic matching other rules is not being reliably blocked?
Bill
-
Yes It was blocking DROP/Dshield/ET RBNs/CINS but i didnt see any CIARMY.
There were also blocked port scan sweeps and ET SCAN Sipvicious.
I didnt see any of that in Security Onion. I dont think I have ever seen one of those alerts.
https://code.google.com/p/security-onion/wiki/ManagingAlerts (They do have them as part of the rulesets.)
