Blocked list in Snort



  • Is it possible to add to the block list in snort without having to enable or use an entire ruleset?  I do believe the rule I am trying to add is part of the ET ruleset.  I want to add a block rule without having to manage the entire ET ruleset.  Not yet, anyway.

    If this is possible, and I'm sure it is, can some please tell me where the file is located.  I just can't find it.



  • @MilesDeep:

    Is it possible to add to the block list in snort without having to enable or use an entire ruleset?  I do believe the rule I am trying to add is part of the ET ruleset.  I want to add a block rule without having to manage the entire ET ruleset.  Not yet, anyway.

    If this is possible, and I'm sure it is, can some please tell me where the file is located.  I just can't find it.

    You can create your own custom rule by going to the RULES tab and selecting "Custom Rules" in the category drop-down.  That will open an editor window where you can enter your own Snort rule and then save it and use it along with any others from the public categories.  Just remember to carefully follow the syntax requirements for Snort rules, and don't forget that providing a "classtype" parameter is mandatory in Snort rules now.  If you don't provide one, Snort will choke and crash when the rule fires!  Look at some of the existing public rules to see how classtype is handled.

    You will probably also be interested in a new feature coming in the next Snort package update - the IP Reputation preprocessor.  Here is a thread reply where I discussed it briefly.

    https://forum.pfsense.org/index.php?topic=73863.msg403785#msg403785

    Bill



  • Thanks for the reply but my very little experience with Snort shows again; I see no Rules tab.  Where do I need to be?  Also, is there a conf file somewhere we can edit to accomplish this?  Just curious and would like to learn more about Snort.  Thanks.



  • Sorry, WAN rules, Custom rules….thanks.  What about navigating via the shell?



  • At times the place to add custom rules show up, at times it does not.  It seemed to accept the custom rule on one interface but gave errors on another.

    Actually, now I can't get the custom rule to show up at all and now Snort is not running on two interfaces.  Any suggestions?



  • So, the downed interfaces were the interfaces that received the following rule.  After clicking on custom.rules 8 to 10 times it finally showed the Defined Custom Rules panel.  I tried to clear the custom rule, when I hit save it popped back into the panel.  After doing that 4 or 5 times it finally want away.  The interfaces could be Snort enabled again!

    Is this just a buggy aspect of Snort or am I doing something wrong?  When I chose, under Available Rules Categories, Custom.rules, why does nothing often happen?  If I screw up a custom rule, why is Snort shut down on that interface?

    This seems to be way harder than it needs to be.

    Is there something wrong with this rule?

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
    Dropbox.com Offsite File Backup in Use"; flow:established,to_server;
    content:"/subscribe?host_int="; http_uri; content:"&ns_map="; http_uri;
    content:"&ts="; http_uri; content:".dropbox.com|0d 0a|";
    classtype:policy-violation; reference:url,www.dropbox.com;
    reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/;
    sid:2012647; rev:2;)



  • @MilesDeep:

    So, the downed interfaces were the interfaces that received the following rule.  After clicking on custom.rules 8 to 10 times it finally showed the Defined Custom Rules panel.  I tried to clear the custom rule, when I hit save it popped back into the panel.  After doing that 4 or 5 times it finally want away.  The interfaces could be Snort enabled again!

    Is this just a buggy aspect of Snort or am I doing something wrong?  When I chose, under Available Rules Categories, Custom.rules, why does nothing often happen?  If I screw up a custom rule, why is Snort shut down on that interface?

    This seems to be way harder than it needs to be.

    Is there something wrong with this rule?

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
    Dropbox.com Offsite File Backup in Use"; flow:established,to_server;
    content:"/subscribe?host_int="; http_uri; content:"&ns_map="; http_uri;
    content:"&ts="; http_uri; content:".dropbox.com|0d 0a|";
    classtype:policy-violation; reference:url,www.dropbox.com;
    reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/;
    sid:2012647; rev:2;)

    I'm not an expert on Snort rules writing, but at first glance your rule looks OK.

    As for the other issues with custom rules, I did find, in working on the upcoming release, some problems in the code around displaying/saving custom rules.  I think I have those worked out in the upcoming release. The problems displaying the custom rules dialog come about when you have no other rules enabled.  As a workaround, enable one of the ET rule categories that is really empty (that is, it has no active rules).  I think the ET ICMP INFO rule category is one of those.  There are some others here on the Forum using custom rules in Snort, perhaps one of them will chime in with some advice.

    When you save a custom rule, it is validated by launching a separate Snort process.  There should be no interaction with your running Snort instances on the interfaces.  The only thing that should crash one of them is if your custom rule passes validation for syntax but causes some kind of internal fault when actually triggered.

    Bill



  • It would be great to see that working in the future.  Thanks for all your help.



  • @MilesDeep:

    It would be great to see that working in the future.  Thanks for all your help.

    I have about one more week of final development and testing left on the next Snort package update, then I will post it for the Core Team Developers to review and approve.  After they approve it and merge the updated package, then it will show up under the Packages menu in pfSense as an available update.

    Bill



  • Bill,
    I assume the block rules are being written somewhere regardless of the rules not showing up in the Blocked Hosts list.  Can you tell me what file I need to find (and where) to know the rules are working?  Thanks in advance.



  • @MilesDeep:

    Bill,
    I assume the block rules are being written somewhere regardless of the rules not showing up in the Blocked Hosts list.  Can you tell me what file I need to find (and where) to know the rules are working?  Thanks in advance.

    Not sure I understand what you are asking.  If you want to see the actual list of rules traffic is being compared against, they reside in a file buried down in a path that is dependent upon the version of pfSense you have.  The file is called snort.rules.  Assuming you have 2.1 pfSense with a PBI package installation, the path is:

    /usr/pbi/snort-arch/etc/snort/snort__xxxxif_/rules

    where arch is either i386 or amd64, and xxxxif is a UUID followed by the physical interface name (such as em0 for an older Intel NIC).

    When Snort detects a problem and fires an alert, that alert and a list of key parameters will be shown on the ALERTS tab in the Snort GUI.  There is a drop-down selector on that page for choosing which Snort-enabled interface to examine.

    Bill



  • I'll try to be more clear.  Since there are no entries to view in the Block Hosts tab, I want to figure out how to make sure these rules are being enforced.  What does Snort do when it automatically blocks an alert?  Does write a "block" rule somewhere?  Does it replace the "alert" with "block" at the beginning of the rule?  What actually happens and where?  Sorry for such a noob question but I'm just getting started.



  • @MilesDeep:

    I'll try to be more clear.  Since there are no entries to view in the Block Hosts tab, I want to figure out how to make sure these rules are being enforced.  What does Snort do when it automatically blocks an alert?  Does write a "block" rule somewhere?  Does it replace the "alert" with "block" at the beginning of the rule?  What actually happens and where?  Sorry for such a noob question but I'm just getting started.

    Miles:

    When Snort blocks, it will put the IP address of the offender and a brief description on the BLOCKED tab.

    If you are seeing alerts on the ALERTS tab, but nothing on the BLOCKED tab, then one of two possibilities exist.  Either the IP addresses generating the alerts are on the default whitelist, or you do not have "Block Offenders" checked on the INTERFACE SETTINGS tab.  The default whitelist includes all locally-attached networks as well as your WAN IP and gateway and DNS servers.  These IP addresses will never be blocked.

    Snort does not change the text of the rules. Snort actually "blocks" by stuffing the offender's IP address into the packet filter alias table called <snort2c>.  You can view the contents of this table under Diagnostics…Tables from the pfSense menu.

    There are several Internet scanner web sites you can use to "live test" Snort if you wish.  That way you can see a block happen.  Depending on the exact rule you are running, the Gibson Research site ShieldsUp will generate Snort alerts and blocks (if you have blocking actually enabled).

    Bill</snort2c>



  • This is the problem I've tried to describe for a couple of weeks.  There are several entries in Alerts tab for several interfaces.  When I go into the Blocked tab, nothing.  They seem to be there for a very short period, maybe an hour.  Then the Blocked tab, as well as the snort2c table, is empty.

    The "Please select the amount of time you would like hosts to be blocked." is set to 7 days.

    The "Checking this option will automatically block hosts that generate a Snort alert." is checked.

    Can I actually go into the snort2c table and add entries?  This would help with my trying to block Dropbox issue.

    Thanks again for your patience and help.



  • @MilesDeep:

    This is the problem I've tried to describe for a couple of weeks.  There are several entries in Alerts tab for several interfaces.  When I go into the Blocked tab, nothing.  They seem to be there for a very short period, maybe an hour.  Then the Blocked tab, as well as the snort2c table, is empty.

    The "Please select the amount of time you would like hosts to be blocked." is set to 7 days.

    The "Checking this option will automatically block hosts that generate a Snort alert." is checked.

    Can I actually go into the snort2c table and add entries?  This would help with my trying to block Dropbox issue.

    Thanks again for your patience and help.

    Oh, I understand you now.  This "premature clearing of blocked hosts" is a problem that came with pfSense 2.1 and is not a problem with Snort itself.  Snort does what it always has since pfSense 1.2.x.  With pfSense 2.1, there is an internal process called filter_reload() that is kicked off by several internal events (and not Snort-related events, by the way).  Some examples are a WAN IP address release/renew, any kind of edit to firewall rules or alias values, bouncing of an interface, etc.  Any of these events causes pfSense to clear out the blocked host table that Snort happens to use.  This happens no matter what setting you use for the "clear blocked hosts" time interval.  I have not tested it yet, but others report this problem is fixed in the upcoming pfSense 2.1.1 release.  The pre-release snapshot is out there now for testing if you want to try it.

    So odds are your bad traffic is getting blocked, but then that pfSense filter_reload() process comes along randomly and removes the blocks early (as in earlier than the 7 days you have configured).  Even if you manually add entries to the <snort2c>table, they will be randomly cleared just the same as the ones Snort itself adds.  When you click on the BLOCKED tab in Snort, it gets the IP addresses it shows from that <snort2c>table, so if that table is currently empty, the BLOCKED tab will show no blocks.

    Make sure that on the INTERFACE SETTINGS tab where you configure blocking that you check the "Kill States" checkbox.  That means each time Snort inserts a block it will kill any related state table entries.  Also, on the next offending packet from even a formerly blocked host, Snort should insert a fresh block.

    But the bottom line is that with 2.1 pfSense, you can't do much about the random clearing of the block table.

    Bill</snort2c></snort2c>



  • Thanks again.



  • I vaguely remember somebody mentioning that Snort's block list works correctly on 2.1.1, which is about to release  really soon.

    @https://github.com/pfsense/pfsense/commit/c40d6c7a99c35838ed222b83ee3d8c903a68e6b6:

    etc/version

    @@ -1 +1 @@

    -2.1.1-PRERELEASE

    +2.1.1-RELEASE


Log in to reply