So many issues



  • I've begun using Snort on pfSense just a week ago and I have so many issues just getting started.  Yes, we've ordered the book.

    I have seen the alerts below but cannot find these rules anywhere.  I've looked in every Wan category (that I have enabled), in each subcategory and every rule within the subcategory.

    #(IMAP) Unknown IMAP4 response
    suppress gen_id 141, sig_id 2
    #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
    suppress gen_id 137, sig_id 1
    #(IMAP) Unknown IMAP4 command
    suppress gen_id 141, sig_id 1
    #ET SCAN Potential SSH Scan
    suppress gen_id 1, sig_id 2001219
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4

    About interface categories; where is a good place to begin?  What is the difference between Snort GPLv2 Community Rules (VRT certified), ET Open Rules, Snort Text Rules and Snort SO Rules?  Then, what subcategories should one enable?

    Also, how can I find out more about the (seemingly thousands) of rules?  Is this documented anywhere?  I feel I would have had to have been on the development team or had used this product for years to understand every rule.  That or I can dedicate my workday to learning Snort rules!  Great product, but I have SQL code to write, VMs to manage, a phone system, 14 vital applications, network equip., flaky employees, flakier board members, LANs, WANs and SANs to deal with.

    Should I suppress or simply disable a rule?  If I suppress the alert will this create a block rule?  Can I quickly search on a rule ID when I find an issue, like everyone is blocked from using the web?

    About the subcategories; why are some enabled and other disabled out of the box?  There are exploits, worms and Trojans rules disabled.  Have we found friendly exploits, worms or Trojans?  From ET Open Rules, emerging-inappropriate.rules, every rule is disabled.  Kiddy Porn and Free Porn are two topics I'd like to see blocked.

    Please, really, I'm not bagging on Snort.  I'm just a new user who is really frustrated and would like some guidance getting rolling with the product.  At this point we are afraid to enable blocking on any interface because we've seen very undesirable results.



  • To further my frustration:
    An Alert is triggered which reads:

    02/10/14    10:26:06 3 TCP Unknown Traffic 108.214.218.190  44022 54.225.141.82  80 119:33  (http_inspect) UNESCAPED SPACE IN HTTP URI

    I find this rule (sid=119)  in GPLv2 Community Rules as Malware Backdoor Doly 2.  Also, this rule, in fact the entire rule set is disabled.


  • Moderator

    My first suggestion is to put SNORT in Alert Mode Only. It can take months to get Snort configured properly for your network. Then, once you have ironed out the rules, you can turn Blocking back on.  If you have time to spare, you can leave it in Blocking Mode, but you need to clear False Positives or your users will be affected.

    Snort and ET have Free and Paid versions. The free versions are 30 days behind.

    In Snort:Wan:Wan Categories, select a policy and select either "Balanced" or "Connectivity". Once you are comfortable, you can play with the other rulesets individually.

    When you see an alert with "ET" at the start, it's an EMERGING THREATS rule, so

    #ET SCAN Potential SSH Scan
    suppress gen_id 1, sig_id 2001219

    is in ET-PRO-SCAN.RULES (PAID) or ET-SCAN.RULES (FREE)

    Once you have disabled a Rule, you need to restart the interface for the new settings to take effect.

    IMAP, http_inspect, ssp_ssl, ssp_sip, ssp_gtp, smtp are PRE-PROCESSOR alerts. They don't have a rule like the others. These need to be suppressed. You can tune Snort Pre-processors in snort:Interface:Preprocessors

    Generally if you have an alert that you don't want at all, then disable it so it doesn't use up system resources. Use Suppression when you want to suppress an alert for a certain SRC/DST IP address and allow it to alert you for any other activity.

    Look at the ET-Policy and Snort-Policy rules to block other types of content like porn. Or use pfBlocker or Squid or Dansguardian.
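
The moderator's distinction above (disable a rule you never want, suppress when you only want to silence it for a particular source or destination) is easy to model. The following is an added example, not code from the pfSense Snort package: it parses a suppress list in the syntax the package writes (the same form as threshold.conf, including the optional `track by_src`/`by_dst`, `ip` clause), parses alert lines in the column layout of the ALERTS tab, and reports whether each alert would be not loaded (rule disabled), suppressed, or logged. Suppression is modelled as a drop before logging, which is how Snort's event suppression works: the alert never reaches the output stage, so nothing downstream sees it. The suppress entries, the disabled-rule placeholder `(1, 9999999)` and every alert line except the first (quoted in the thread) are constructed for the example.

```python
"""Model of what a pfSense Snort suppress list and a set of disabled rules do
to an alert. Added example, not code from the pfSense Snort package. Three
outcomes: a rule disabled on the RULES tab is never loaded; a suppressed alert
is generated but dropped before it is logged; a suppress entry with a
track/ip clause applies only to the named source or destination.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed suppress list in the syntax the package writes. The first entry
# is global; the other two are limited to one host (by_src) or one subnet (by_dst).
SUPPRESS_LIST = """\
#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33
#ET SCAN Potential SSH Scan -- ignore only our own monitoring host
suppress gen_id 1, sig_id 2001219, track by_src, ip 192.0.2.10
#(http_inspect) BARE BYTE UNICODE ENCODING -- ignore only toward the DMZ web servers
suppress gen_id 119, sig_id 4, track by_dst, ip 198.51.100.0/24
"""

# Constructed placeholder (not a real SID) for a rule disabled outright on the
# RULES tab. Preprocessor alerts such as gid 119 have no rule to disable.
DISABLED_SIDS: Set[Tuple[int, int]] = {(1, 9999999)}

# Alert lines in the column layout of the ALERTS tab:
# date time pri proto class src sport dst dport gid:sid[:rev] message
# The first line is the one quoted in the thread; the rest are constructed.
ALERTS = [
    "02/10/14    10:26:06 3 TCP Unknown Traffic 108.214.218.190  44022 54.225.141.82  80 119:33  (http_inspect) UNESCAPED SPACE IN HTTP URI",
    "02/10/14    10:31:12 2 TCP Attempted Information Leak 192.0.2.10  51234 203.0.113.7  22 1:2001219  ET SCAN Potential SSH Scan",
    "02/10/14    10:31:40 2 TCP Attempted Information Leak 203.0.113.99  51235 203.0.113.7  22 1:2001219  ET SCAN Potential SSH Scan",
    "02/10/14    10:40:01 3 TCP Unknown Traffic 203.0.113.50  40000 198.51.100.8  80 119:4  (http_inspect) BARE BYTE UNICODE ENCODING",
    "02/10/14    10:40:05 3 TCP Unknown Traffic 203.0.113.50  40001 203.0.113.7  80 119:4  (http_inspect) BARE BYTE UNICODE ENCODING",
    "02/10/14    10:45:00 2 TCP Misc activity 203.0.113.60  40002 203.0.113.7  25 1:9999999  CONSTRUCTED placeholder for a disabled rule",
]

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?\s*$")

ALERT_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<pri>\d+)\s+(?P<proto>\S+)\s+(?P<cls>.*?)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<sport>\d+)\s+(?P<dst>\d+(?:\.\d+){3})\s+(?P<dport>\d+)\s+"
    r"(?P<gid>\d+):(?P<sid>\d+)(?::\d+)?\s+(?P<msg>.*)$")


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None                  # "by_src", "by_dst" or None (global)
    net: Optional[ipaddress.IPv4Network] = None  # set only when track is given


def parse_suppress_list(text: str) -> List[Suppress]:
    """Parse suppress lines; '#' lines are comments that carry the rule message."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparsable suppress line: {line!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append(Suppress(int(gid), int(sid), track, net))
    return entries


def classify(alert_line: str, suppress: List[Suppress],
             disabled: Set[Tuple[int, int]]) -> str:
    """Return 'not_loaded', 'suppressed' or 'logged' for one alert line."""
    m = ALERT_RE.match(alert_line.strip())
    if not m:
        raise ValueError(f"unparsable alert line: {alert_line!r}")
    a = m.groupdict()
    key = (int(a["gid"]), int(a["sid"]))
    if key in disabled:
        return "not_loaded"      # rule text is commented out; Snort never evaluates it
    for s in suppress:
        if (s.gid, s.sid) != key:
            continue
        if s.track is None:
            return "suppressed"  # global suppress: dropped for every src/dst
        addr = ipaddress.ip_address(a["src"] if s.track == "by_src" else a["dst"])
        if addr in s.net:
            return "suppressed"  # dropped only for the tracked host/subnet
    return "logged"              # reaches the ALERTS tab (and the block logic, if enabled)


SUPPRESS = parse_suppress_list(SUPPRESS_LIST)


def classify_all(lines: List[str]) -> List[str]:
    return [classify(line, SUPPRESS, DISABLED_SIDS) for line in lines]


if __name__ == "__main__":
    for line in ALERTS:
        a = ALERT_RE.match(line.strip()).groupdict()
        print(f"{classify(line, SUPPRESS, DISABLED_SIDS):<11} "
              f"{a['gid']}:{a['sid']:<8} {a['src']} -> {a['dst']}  {a['msg']}")
```

Run it and the two SSH-scan alerts come out differently: the one from the tracked host is suppressed, the identical alert from any other source is still logged, which is exactly the behaviour you lose if you disable the rule instead.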



  • @MilesDeep:

    To further my frustration:
    An Alert is triggered which reads:

    02/10/14    10:26:06 3 TCP Unknown Traffic 108.214.218.190  44022 54.225.141.82  80 119:33  (http_inspect) UNESCAPED SPACE IN HTTP URI

    I find this rule (sid=119)  in GPLv2 Community Rules as Malware Backdoor Doly 2.  Also, this rule, in fact the entire rule set is disabled.

    Hi Miles…:

    As BBcan17 pointed out, Snort can be a bear to get tuned for your environment.  With any IPS there are bound to be false positives.  The admin has to figure out what is a real problem, and what is likely a false positive.  Snort uses a combination of rules and preprocessors to analyze and test traffic for abnormalities.  Of the Snort preprocessors, the most false-positive prone one is the HTTP_INSPECT preprocessor.  That's because the web server RFCs are not always perfectly followed by the various web servers out there.  That can lead to the HTTP_INSPECT preprocessor flagging something as potentially bad, when in fact it may just be sloppy programming on the part of the web host (that is, not really intended to be malevolent).

    Looking at the list of alerts you posted, it certainly seems you are hitting some of the better known false-positives that HTTP_INSPECT can generate.  Following BBcan17's advice of running Snort for a few weeks in IDS mode only (non-blocking) and studying the alerts you get can help you sort out good from bad.  Google is definitely your friend when trying to figure out if a given alert is really bad or just maybe a false positive.  There is a thread here on the forum where a number of users have posted their Suppression List containing known and frequent false-positives they experience.  You can try copying their suggested list.  The thread is here in the PACKAGES sub-forum.

    Bill



  • Thank you both for your help.

    I now see the Preprocessor rules and have a better understanding of why they are there.

    I will keep Snort in IDS mode for some time before moving to IPS mode.

    This is interesting to me, but I can't find it on the Snort: Interface WAN - Categories page:
    In Snort:Wan:Wan Categories, select a policy and select either "Balanced" or "Connectivity". Once you are comfortable, you can play with the other rulesets individually.

    Which rule set would you begin with?  ET Open, Snort Text, or Snort GPLv2 Community Rules (VRT certified) (or all??)?

    I have seen the suppress lists and I'm beginning to create my own.  If I suppress alerts, then turn on blocking, will those hosts, found in the alerts, then be blocked?

    Thanks for everything.



  • This is interesting:  When I disabled the HTTP Inspect preprocessor, I was unable to start the Snort Daemon.



  • I guess it's not that interesting:

    Rules may be dependent on preprocessors! Disabling preprocessors may result in Snort start failures unless dependent rules are also disabled. The Auto-Rule Disable feature can be used, but note the warning about compromising protection. Defaults will be used where no user input is provided.

    My issue is that I do not see a dependent rule that would need to be disabled.



  • @MilesDeep:

    I guess it's not that interesting:

    Rules may be dependent on preprocessors! Disabling preprocessors may result in Snort start failures unless dependent rules are also disabled. The Auto-Rule Disable feature can be used, but note the warning about compromising protection. Defaults will be used where no user input is provided.

    My issue is that I do not see a dependent rule that would need to be disabled.

    Rules have things called "rule options" attached to them.  You have to look at the individual rule text files to see them.  You can do this to see how many rules would be auto-disabled by disabling the HTTP_INSPECT preprocessor.  On the PREPROCESSORS tab, near the top, click the box to auto-disable rules for non-enabled preprocessors.  It will warn you that's a bad idea.  Now scroll down and disable the HTTP_INSPECT preprocessor.  Save the changes.  A new VIEW DISABLE RULES button will appear up near the top where you checked the auto-disable rules checkbox (can't remember at the moment exactly what the name says, but that's close).  Click that button and a pop-up dialog window will open showing you all the rules that depend on the HTTP_INSPECT preprocessor.

    As for your question on IPS Policy (Balanced, Security, Connectivity), that only shows up when you have enabled the download of the Snort VRT rules.  In order to get them, you must register on the Snort.org web site and obtain an oinkcode.  There are two offerings.  One is free by simply registering, and the other is a subscription for $29.95 annually for home use (more $$ for commercial use).  The difference in the two is the free rules are 30 days old while the subscriber rules are current.

    One last suggestion is to visit the Snort.org web site, download the PDF version of the current Snort manual, and study it a bit.  There are also some excellent Google tutorials out there.  Snort (and any IDS/IPS) is a complex product that can be quite a hassle to get your arms around at first.  The manual and some Google foo will help you fully understand the importance of the preprocessors, how the rules work, what rule options are, etc.

    Bill
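
The "rule options" Bill refers to are visible in the rule text itself, and the same idea the auto-disable feature applies (a rule that uses an option only a preprocessor can provide cannot load once that preprocessor is off) can be checked offline. The following is an added example, not the pfSense Snort package's own code: it splits each rule's option block (respecting quoted strings, since a `msg` may contain a semicolon), maps option keywords to the preprocessor they require, and lists the SIDs that would fail to load without a given preprocessor. The keyword table is a summary of the rule-option documentation in the Snort 2.9 manual, and the sample rules are constructed with local-range SIDs (1000001 and up); the `#`-prefixed line is how a rule disabled on the RULES tab appears in the file, so it is skipped just as Snort skips it.

```python
"""Which rules depend on which preprocessor, judged from their rule options.
Added example, not the pfSense Snort package's auto-disable code. The
option-to-preprocessor table summarises the Snort 2.9 manual; the rules
are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Rule options that only exist when the named preprocessor is enabled.
PREPROCESSOR_OPTIONS: Dict[str, Set[str]] = {
    "http_inspect": {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                     "http_cookie", "http_raw_cookie", "http_method", "http_client_body",
                     "http_stat_code", "http_stat_msg", "http_encode", "uricontent", "urilen"},
    "ssl":          {"ssl_version", "ssl_state"},
    "stream5":      {"flow"},
    "dcerpc2":      {"dce_iface", "dce_opnum", "dce_stub_data"},
    "sip":          {"sip_method", "sip_stat_code", "sip_header", "sip_body"},
}
OPTION_TO_PREPROCESSOR = {opt: pp for pp, opts in PREPROCESSOR_OPTIONS.items() for opt in opts}

# Constructed rule file. The '#' line is a rule disabled on the RULES tab.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED http_uri rule"; flow:to_server,established; content:"/example"; http_uri; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED plain content rule"; flow:to_server; content:"SSH-"; sid:1000002; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED disabled uricontent rule"; uricontent:"/old"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED uricontent rule; note the semicolon"; uricontent:"/new"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CONSTRUCTED ssl_state rule"; ssl_state:client_hello; sid:1000005; rev:1;)
"""

# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$")


def split_options(body: str) -> List[str]:
    """Split the option block on ';' while honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def rule_dependencies(line: str) -> Optional[Tuple[int, str, Set[str]]]:
    """Return (sid, msg, preprocessors needed), or None for comments and non-rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    sid, msg, needed = 0, "", set()
    for opt in split_options(m.group(1)):
        keyword, _, value = opt.partition(":")
        keyword = keyword.strip()
        if keyword == "sid":
            sid = int(value.strip())
        elif keyword == "msg":
            msg = value.strip().strip('"')
        elif keyword in OPTION_TO_PREPROCESSOR:
            needed.add(OPTION_TO_PREPROCESSOR[keyword])
    return sid, msg, needed


def rules_depending_on(rules_text: str, preprocessor: str) -> List[Tuple[int, str]]:
    """SIDs (with their msg) that could not load if `preprocessor` were turned off."""
    hits = []
    for line in rules_text.splitlines():
        dep = rule_dependencies(line)
        if dep and preprocessor in dep[2]:
            hits.append((dep[0], dep[1]))
    return hits


if __name__ == "__main__":
    for pp in PREPROCESSOR_OPTIONS:
        for sid, msg in rules_depending_on(SAMPLE_RULES, pp):
            print(f"{pp:<13} sid:{sid}  {msg}")
```

Note that `flow` is counted as a stream5 dependency: nearly every rule uses it, which is why turning off the stream preprocessor has far wider consequences than turning off HTTP_INSPECT, and why the "auto-disable rules for non-enabled preprocessors" box warns about the loss of protection.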



  • Thanks for everything, it's beginning to come around a bit.  I'll be patient as this is a very complex system.

    Can you tell me what is the difference between the rule sets and what would you recommend to start?

    Ruleset: ET Open Rules  vs  Ruleset: Snort Text Rules  vs Ruleset:  Snort SO Rules.

    I'm currently using Snort GPLv2 Community Rules (VRT certified) free version but plan to convince someone to pay the enterprise fee.  Is it true the ET Open Rules are included in this set, so enabling them is useless?

    Thanks again.



  • @MilesDeep:

    Thanks for everything, it's beginning to come around a bit.  I'll be patient as this is a very complex system.

    Can you tell me what is the difference between the rule sets and what would you recommend to start?

    Ruleset: ET Open Rules  vs  Ruleset: Snort Text Rules  vs Ruleset:  Snort SO Rules.

    I'm currently using Snort GPLv2 Community Rules (VRT certified) free version but plan to convince someone to pay the enterprise fee.  Is it true the ET Open Rules are included in this set, so enabling them is useless?

    Thanks again.

    I'm not sure about the ET Open rules being in the Snort GPLv2 rules.  I do know that the Snort GPLv2 rules are included in the Snort paid rules, so you don't need both GPLv2 and the Snort paid rules.

    The SO (shared object) rules are precompiled binary libraries that are operating system specific.  They are Snort text rules that have been "preprocessed" into a binary form in order to hide what they are doing.  This is partly to protect some intellectual property, and partly to help keep the bad guys from easily seeing how to circumvent the rule and get their stuff past Snort.

    I use the Snort paid rules (the home version for my home LAN) and have chosen the "Balanced" IPS Policy for my rule set on my LAN interface.  I think I also have maybe the ET Open Trojan and ET Open Worm rules enabled (don't remember at the moment).  On my WAN interface I run the ET Open CINS and RBN rule sets.  These have all those long lists of known or suspected bad IPs.

    For a beginner with Snort, my personal view is one of the Snort VRT IPS Policies is the best starting point (Connectivity or Balanced is my suggestion).  Then as you gain experience, experiment with the ET rules.

    If you mainly want to run Snort in IDS mode (no blocking), and you have fairly decent hardware with 4 GB of RAM or more, then just run all the ET Open rules and then tweak them using the Suppress List feature to prevent alerts on stuff that is of no concern or that you suspect is a false positive.

    Bill



  • I will do what you recommend with regards to rule sets.

    One last thing on this topic, you write:  As for your question on IPS Policy (Balanced, Security, Connectivity), that only shows up when you have enabled the download of the Snort VRT rules.

    We have enabled the download of the Snort VRT rules.  Where do I (globally, I hope) set the IPS Policy?



  • @MilesDeep:

    I will do what you recommend with regards to rule sets.

    One last thing on this topic, you write:  As for your question on IPS Policy (Balanced, Security, Connectivity), that only shows up when you have enabled the download of the Snort VRT rules.

    We have enabled the download of the Snort VRT rules.  Where do I (globally, I hope) set the IPS Policy?

    You can select an IPS Policy on the RULE CATEGORIES tab for the Interface in the Snort menu.  So click Services…Snort and then select the Snort interface you want to edit by clicking the small e icon next to the interface.  Next, in the bottom row of tabs that appears, click RULE CATEGORIES.  You should see a dropdown selection like the one pictured in the attachment to this post.

    Bill