Is Snort ignoring host names in pass lists?



  • Hi All,

The only way for me to prevent being blocked by Snort from some pfSense test boxes was to add my home DynDNS address to a pass list using a firewall alias. But… I still got blocked once even with my DynDNS address added to a pass list.
    I was running a few tests, and the pfSense Snort package seems to ignore hostnames in firewall aliases. IP addresses in aliases work well.

    I created a very easy example and added the screenshots to this post.

    1. Firewall Alias "test_de" containing only one host called "test.de"
    2. This "test.de" resolves into "82.212.218.166"
    3. I added the alias "test_de" to a passlist "TestPass".
    4. I assigned "TestPass" as white list for the interface. But it is showing only 127.0.0.1 and the WAN IP of the pfSense box. I would have expected "test.de" or "82.212.218.166" showing up there as well but it doesn't.

    If I change the firewall alias from "test.de" to "82.212.218.166" then it shows up in the "Pass List Viewer" but that doesn't help me for a DynDNS hostname...

  • Neither Snort nor Suricata can resolve FQDN (fully-qualified hostnames) in Aliases.  That is a limitation of pfSense itself as that functionality is not supported for packages using the built-in alias handling function calls.  The overhead of supporting that was judged to be too much by some of the Core Team Developers.  I had a discussion about that with them quite some time back (about this time last year if I remember correctly).

    Even if pfSense supported FQDN aliases for packages, there is still the problem of updating Snort's in-memory IP list.  Output plugins in Snort (which the blocking module is) can not be hot-updated.  A restart is required for them to re-read any configuration.

    There is a text notice at the bottom of the dialog where you select Aliases telling you that FQDN Aliases are not supported.  This is the dialog that will open up if you click the Aliases button beside the alias form fields in Snort.  If you instead directly typed the Alias name into the box on the Pass List page, you would not have seen that dialog.

    Bill



  • Thanks for your answer!

    @bmeeks:

    Even if pfSense supported FQDN aliases for packages, there is still the problem of updating Snort's in-memory IP list.  Output plugins in Snort (which the blocking module is) can not be hot-updated.  A restart is required for them to re-read any configuration.

    I'm currently not running any Snort on WAN interfaces with dynamic IP address.
In Germany it is usual to have an ADSL2+ or VDSL connection in most cases (SoHo), and the providers drop the connection once every 24 hours and assign a new IP address. Does that mean the WAN IP address that is automatically added to the suppress list is only the address from when Snort started and would never update if the WAN IP changes?
    When I looked at the source code of the alert_pf output plugin it looked like it is pulling the suppress list each time before a block is added but looks like I misinterpreted the code.

    @bmeeks:

    There is a text notice at the bottom of the dialog where you select Aliases telling you that FQDN Aliases are not supported.  This is the dialog that will open up if you click the Aliases button beside the alias form fields in Snort.  If you instead directly typed the Alias name into the box on the Pass List page, you would not have seen that dialog.

    Ahh… I missed that. I added the alias directly.

    Well, I found a workaround: Whenever I get blocked during testing I just VPN to another IP, logon to pfSense and unblock my home IP from there. Maybe I will be able to write a script that runs as cron job and searches for my DynDNS IP every minute in the block list and removes it from there but that means I need to learn some BSD scripting. At least it would be a better workaround than VPNing to someone else to unblock my IP.



  • @ConfusedUser:

    I'm currently not running any Snort on WAN interfaces with dynamic IP address.
In Germany it is usual to have an ADSL2+ or VDSL connection in most cases (SoHo), and the providers drop the connection once every 24 hours and assign a new IP address. Does that mean the WAN IP address that is automatically added to the suppress list is only the address from when Snort started and would never update if the WAN IP changes?
    When I looked at the source code of the alert_pf output plugin it looked like it is pulling the suppress list each time before a block is added but looks like I misinterpreted the code.

    It looks at the list before each block decision to see if the IP is in the list, but the list is a static in-memory linked list that is loaded only on startup of Snort (or Suricata, since both use the same technique).  During initialization, the Pass List is read line-by-line and the IP addresses are put into a simple linked-list held in memory.  The list is then not updated again until the next restart of Snort/Suricata.

    When DHCP grabs a new IP address, it signals pfSense and a script runs that does several things.  One of those things is to restart the packages.  So if all of that happens correctly, then Snort will restart on a WAN IP address change and thus the Pass List will be regenerated during the restart and contain the new IP address.

    I am thinking about some other options to try and make this a bit more dynamic.

    Bill



  • I'm stuck - my scripting knowledge is simply not good enough.  :'(

    What I want to do is to create a simple cron job that runs every minute and does the following:
    pfctl -t snort2c -T delete 1.2.3.4

    To get my IP address I used:
host -4 my.hostname.com | grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
    This gives for example a "1.2.3.4" on the stdout

    Now the question: how can I use the stdout from the grep command in the pfctl command?
    I thought about storing the output from grep into a variable (MyIp) and use the variable in pfctl:
    pfctl -t snort2c -T delete $MyIp

    But… I just can't get it working.


  • Moderator

    I didn't test it, but try this in an sh script

    Create new script
    vi myip

#!/bin/sh

    # Resolve the DynDNS name and keep only the IPv4 address(es) from the host(1) output
    MyIp="$(host -4 my.hostname.com | grep -oEw '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')"

    # Remove the address(es) from the pf table Snort blocks into (skip if resolution failed)
    [ -n "$MyIp" ] && pfctl -t snort2c -T delete $MyIp

    (Save and exit)
    :wq

    (make script executable)
    chmod +x myip



  • Many thanks!!!

Earlier I assigned a variable the same way you did, but it failed, simply because I tested it directly on the shell in SSH.
    With your help I moved my code to a script file and it works now.

    So - even if I get blocked now by Snort I will be able to access my pfSense maximum one minute later again.


  • Moderator

    @ConfusedUser:

    Many thanks!!!

Earlier I assigned a variable the same way you did, but it failed, simply because I tested it directly on the shell in SSH.
    With your help I moved my code to a script file and it works now.

    So - even if I get blocked now by Snort I will be able to access my pfSense maximum one minute later again.

    Anytime. Make sure you share the love with those that need it …..  Would be nice if Snort/Suricata could handle FQDN and Mobile VPN addresses.



  • Hi BBcan177,

    Questions:-

(1) Will it work on Suricata?
    (2) I have the passlist in place. Will the script wipe the passlist? If so, I want the passlist and the script to run together. Is that possible?
    (3) If I have multiple hostnames, how can I do it?

    If you use pfctl -t xxxx -T delete, it just deletes the IP from the block list. Eventually, the IP will be blocked again. It is the other way around.

    How can I update the passlist IP using a script?

    @BBcan177:

    I didn't test it, but try this in an sh script

    Create new script
    vi myip

#!/bin/sh

    # Resolve the DynDNS name and keep only the IPv4 address(es) from the host(1) output
    MyIp="$(host -4 my.hostname.com | grep -oEw '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')"

    # Remove the address(es) from the pf table Snort blocks into (skip if resolution failed)
    [ -n "$MyIp" ] && pfctl -t snort2c -T delete $MyIp

    (Save and exit)
    :wq

    (make script executable)
    chmod +x myip

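The following is an added example and not code posted in this thread or shipped with the pfSense Snort/Suricata packages. It takes the cron-job idea from BBcan177's script and extends it to several hostnames, which is the question asked in the last post: each name is resolved, and each resulting IPv4 address is deleted from the pf table only if it is actually present there. It assumes the table is called snort2c (as in the thread), that host(1), pfctl(8) and logger(1) are in PATH, that it runs as root from cron, and that the hostnames are passed as arguments. The table name, log tag and file name are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven unblocker that
# resolves one or more DynDNS hostnames and deletes their current IPv4
# addresses from the pf table Snort/Suricata block into.
# Assumptions: table name "snort2c" (as in the thread), host(1), pfctl(8)
# and logger(1) in PATH, run as root, hostnames passed as arguments.

TABLE="${TABLE:-snort2c}"

# Pull IPv4 addresses out of host(1) output such as
#   "my.hostname.com has address 203.0.113.7"
# IPv6 and alias lines are ignored; one unique address per output line.
extract_ipv4() {
    grep -oEw '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u
}

# Resolve a hostname; prints nothing when resolution fails.
resolve_ipv4() {
    host -4 "$1" 2>/dev/null | extract_ipv4
}

# Read "pfctl -T show" output on stdin and report whether $1 is listed.
# pfctl prints one address per line with leading whitespace; the dots are
# escaped so 203.0.113.7 does not also match 203x0x113x7.
table_has() {
    pat="$(printf '%s' "$1" | sed 's/\./\\./g')"
    grep -qx "[[:space:]]*$pat"
}

is_blocked() {
    pfctl -t "$TABLE" -T show 2>/dev/null | table_has "$1"
}

# Delete only when the address is really in the table, so the log records
# actual unblocks instead of a no-op line every minute.
unblock_ip() {
    if is_blocked "$1"; then
        pfctl -t "$TABLE" -T delete "$1" >/dev/null 2>&1 &&
            logger -t unblock-dyndns "removed $1 from $TABLE"
    fi
}

main() {
    for name in "$@"; do
        ips="$(resolve_ipv4 "$name")"
        if [ -z "$ips" ]; then
            logger -t unblock-dyndns "could not resolve $name"
            continue
        fi
        for ip in $ips; do
            unblock_ip "$ip"
        done
    done
}

# Only act when hostnames are given, e.g. from the crontab entry (assumed path):
#   * * * * * /root/unblock-dyndns.sh my.hostname.com other.dyndns.example
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Two caveats follow directly from the thread. First, as Bill explains above, this only removes the current block; the pass list held in memory is not touched, so the address can be blocked again on the next alert, and the cron interval is the upper bound on the outage. Second, the script trusts whatever the resolver returns for those names: whoever controls the DynDNS record, or can answer the DNS query, chooses which address gets unblocked every minute, so run it against a resolver you trust and only for names you control.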
