Snort blocking VPN traffic


  • Moderator

    I noticed today that Snort is blocking IPSEC VPN traffic on the wan interface.

    The Mobile device connects to pfSense with a Mobile IPSEC VPN tunnel. (Using a Cisco Secure PIX FirewallVPN definition on the mobile device)

    I browsed to the local IP address of the pfSense admin web GUI and got blocked by these rules.

    In Snort's Alert Window, I am getting the following alert (WAN - DST WAN pfSense IP, SRC - WAN IPsec Mobile User IP)

    The Bit value alerts on 1,4,5,16 on different alerts.

    ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)

    In "Pass Lists", the "Add VPN Addresses to the list" option is checked.

    From the VPN STATUS page I see the Remote IP address from the mobile device that has a connection as "Mobile User".

    See the attached pic for the rules.

    Shouldn't the PASS rule bypass this alert?

    ![ET Trojan.png](/public/imported_attachments/1/ET Trojan.png)



  • @BBcan17:

    I noticed today that Snort is blocking IPSEC VPN traffic on the wan interface.

    The Mobile device connects to pfSense with a Mobile IPSEC VPN tunnel. (Using a Cisco Secure PIX FirewallVPN definition on the mobile device)

    I browsed to the local IP address of the pfSense admin web GUI and got blocked by these rules.

    In Snort's Alert Window, I am getting the following alert (WAN - DST WAN pfSense IP, SRC - WAN IPsec Mobile User IP)

    The Bit value alerts on 1,4,5,16 on different alerts.

    ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)

    In "Pass Lists", the "Add VPN Addresses to the list" option is checked.

    From the VPN STATUS page I see the Remote IP address from the mobile device that has a connection as "Mobile User".

    See the attached pic for the rules.

    Shouldn't the PASS rule bypass this alert?

    Yes, it should, but verify the VPN Addresses that should be there are actually there.  Go to the INTERFACE SETTINGS tab for the affected interface and click the "View List" button beside the Pass List drop-down.  Look at the actual IP addresses shown in the pop-up window and verify if the correct VPN addresses are shown.  I'm going to guess they are missing.  If they are, then we can launch down another troubleshooting path.

    I don't have an IPSEC VPN to test with, though.

    Bill


  • Moderator

    @bmeeks:

    Yes, it should, but verify the VPN Addresses that should be there are actually there.  Go to the INTERFACE SETTINGS tab for the affected interface and click the "View List" button beside the Pass List drop-down.  Look at the actual IP addresses shown in the pop-up window and verify if the correct VPN addresses are shown.  I'm going to guess they are missing.  If they are, then we can launch down another troubleshooting path.

    I don't have an IPSEC VPN to test with, though.

    Bill

    No, the VPN addresses aren't in the Pass List that is defined on the Snort WAN interface. I launched a VPN connection and then took a look at the file. Does the Pass List need the interface restarted to pull in the new VPN addresses? Hopefully it does that on the fly?

    Thanks.



  • @BBcan17:

    @bmeeks:

    Yes, it should, but verify the VPN Addresses that should be there are actually there.  Go to the INTERFACE SETTINGS tab for the affected interface and click the "View List" button beside the Pass List drop-down.  Look at the actual IP addresses shown in the pop-up window and verify if the correct VPN addresses are shown.  I'm going to guess they are missing.  If they are, then we can launch down another troubleshooting path.

    I don't have an IPSEC VPN to test with, though.

    Bill

    No, the VPN addresses aren't in the Pass List that is defined on the Snort WAN interface. I launched a VPN connection and then took a look at the file. Does the Pass List need the interface restarted to pull in the new VPN addresses? Hopefully it does that on the fly?

    Thanks.

    The Snort interface may well have to be restarted.  The Pass List can only be read and loaded into Snort during startup.  This is a limitation of the Snort binary itself.  The "blocking plugin" is an Output Plugin within Snort, and Snort only allows Output Plugins to initialize during the startup of Snort.  So you can't "live reload" settings for Output Plugins.  I've investigated this area and so far have not found a way around it short of recoding huge swaths of the Snort binary – and that's not really a viable option.

    Can you just add the VPN Address Pool to your Pass List as an Alias using the Addresses box at the bottom of the page?

    Bill

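    The check Bill describes (compare the addresses that are actually triggering alerts against what the Pass List contains, then confirm that a pool alias added to the list would cover them) can be scripted. The following is an added example, not code from the thread or from the pfSense Snort package: it parses a pass list in the flat one-address-per-line form, parses Snort "fast" alert lines, and reports alerting sources that the list does not cover. The pass-list text, the alert lines, the 198.51.100.0/24 "mobile pool" and the 192.0.2.1 "WAN address" are all constructed sample data; a real install's file paths and addresses will differ.

```python
import ipaddress
import re

# Constructed sample pass list: one IP or CIDR per line, '#' comments allowed.
# Real pfSense installs write this file elsewhere; the text is inline so the
# example runs offline.
SAMPLE_PASS_LIST = """\
# constructed pass list - does NOT yet contain the mobile client pool
127.0.0.1
192.0.2.1
192.0.2.0/24
"""

# Constructed Snort "fast" alert lines. 198.51.100.0/24 stands in for the
# IPsec mobile-client pool; 192.0.2.1 plays the pfSense WAN address.
SAMPLE_ALERTS = """\
03/14-10:15:01.123456  [**] [1:2008802:9] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) [**] [Priority: 1] {UDP} 198.51.100.23:4500 -> 192.0.2.1:4500
03/14-10:15:07.654321  [**] [1:2008801:9] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) [**] [Priority: 1] {UDP} 198.51.100.41:4500 -> 192.0.2.1:4500
03/14-10:16:00.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.0.2.1:51234
"""

# Message sits between the first "[**] [gid:sid:rev]" and the next "[**]";
# the address pair comes after "{PROTO}". Ports are optional (ICMP has none).
FAST_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def load_pass_list(text: str) -> list:
    """Parse a pass list into ip_network objects, skipping blanks and comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts a host address written with a prefix (192.0.2.1/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_passed(ip: str, nets: list) -> bool:
    """True if the pass list would make Snort bypass traffic from/to this address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_fast_alert(line: str):
    """Return (msg, src, dst) from one Snort fast-format alert line, or None."""
    match = FAST_RE.search(line)
    if not match:
        return None
    return match.group("msg"), match.group("src"), match.group("dst")


def audit_alerts(alert_text: str, pass_text: str) -> list:
    """For each alert, record whether its source is covered by the pass list."""
    nets = load_pass_list(pass_text)
    rows = []
    for line in alert_text.splitlines():
        parsed = parse_fast_alert(line)
        if parsed is None:
            continue
        msg, src, dst = parsed
        rows.append({"msg": msg, "src": src, "dst": dst,
                     "src_in_pass_list": is_passed(src, nets)})
    return rows


def uncovered_sources(alert_text: str, pass_text: str) -> set:
    """Alerting source addresses that the pass list does not cover."""
    return {row["src"] for row in audit_alerts(alert_text, pass_text)
            if not row["src_in_pass_list"]}


def with_pool_alias(pass_text: str, pool_cidr: str) -> str:
    """Bill's workaround: append the client pool as one extra pass-list entry."""
    ipaddress.ip_network(pool_cidr)  # raises ValueError on a malformed CIDR
    return pass_text.rstrip("\n") + "\n" + pool_cidr + "\n"


if __name__ == "__main__":
    before = uncovered_sources(SAMPLE_ALERTS, SAMPLE_PASS_LIST)
    print("alerting sources missing from pass list:", sorted(before))
    fixed = with_pool_alias(SAMPLE_PASS_LIST, "198.51.100.0/24")
    after = uncovered_sources(SAMPLE_ALERTS, fixed)
    print("still uncovered after adding the pool alias:", sorted(after))
```

    Run against a real alert file, the "missing from pass list" set is exactly the addresses that should have been bypassed but were not; if they all fall inside one block, that block is the pool alias to add. The 203.0.113.9 source in the sample stays uncovered after the fix, which is the intended result: a pass list should only exempt the VPN clients, not silence every alert.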

  • Moderator

    Thanks Bill,

    The mobile clients are all dynamic so I will have to look at my logs and see what the address pool is before I can do that.

    Too bad Snort can't automatically add the mobile VPN clients.

    Thanks