Snort gives alert yet nothing happens



  • Hi.

    I am diving into pfSense the last few days and I try my best to learn more about its functionality and how to use it.
    Of course I soon stumbled upon Snort and read a few guides on how to configure it properly for starters. (hopefully)

    After a few hours and a few adjustments to the suppression list I had everything up and running, at least that's what I thought ^^
    I wanted to tweak Snort a little bit more, so I enabled a few emerging-threat rules (emerging-games and emerging-p2p rules).
    I downloaded a torrent file to trigger the Snort rule and it showed up in the alert section and was blocked immediately.
    Much to my surprise I could finish the torrent download without any problems at all.

    I decided to try something else and launched World of Warcraft and Diablo 3 to trigger the emerging-games rules and even though
    it was properly alerted and blocked right after, I could connect and play both games without any restrictions.

    Did I do something wrong in the configuration of Snort or do I misunderstand the functionality of the program?
    I am a little bit confused because I thought pfSense would discard my connection after a rule has been violated.
    Snort is bound to WAN. I am running pfSense 21.5 and Snort 2.9.6.2.



  • @FreeYourMind:

    Hi.

    I am diving into pfSense the last few days and I try my best to learn more about its functionality and how to use it.
    Of course I soon stumbled upon Snort and read a few guides on how to configure it properly for starters. (hopefully)

    After a few hours and a few adjustments to the suppression list I had everything up and running, at least that's what I thought ^^
    I wanted to tweak Snort a little bit more, so I enabled a few emerging-threat rules (emerging-games and emerging-p2p rules).
    I downloaded a torrent file to trigger the Snort rule and it showed up in the alert section and was blocked immediately.
    Much to my surprise I could finish the torrent download without any problems at all.

    I decided to try something else and launched World of Warcraft and Diablo 3 to trigger the emerging-games rules and even though
    it was properly alerted and blocked right after, I could connect and play both games without any restrictions.

    Did I do something wrong in the configuration of Snort or do I misunderstand the functionality of the program?
    I am a little bit confused because I thought pfSense would discard my connection after a rule has been violated.
    Snort is bound to WAN. I am running pfSense 21.5 and Snort 2.9.6.2.

    On the INTERFACE SETTINGS tab for Snort where you configured it to block, did you check the box to KILL STATES?  I believe the default is checked, but just make sure you left it checked.  Snort on pfSense uses libpcap to sniff the network traffic and thus gets a copy of traffic passing through the firewall.  By the time Snort gets a packet and has a chance to analyze it and insert a block, at least one and sometimes several packets have passed through the firewall from that host.  Thus the firewall has established a connection entry in the state table for that host and won't bother running the packets through the rules again.  That means Snort's block is ignored.  To fix this, make sure the KILL STATES checkbox is clicked.  This causes Snort to also wipe out all the state table entries for the offending host when a block for that host is inserted into the firewall's rules.  That causes the firewall to inspect the packets again, and this time, with no existing state table entry, it will test them against all the rules and see Snort's block.

    Also, leave the WHICH IP TO BLOCK setting on BOTH.  Changing this can result in no blocks depending on the exact direction of traffic and what the PASS LIST settings are.

    Bill
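The ordering Bill describes (pf consults its state table before its ruleset, Snort only sees a libpcap copy, so the first packets of a flow create a state before the block exists) can be modelled in a few lines. The toy model below is an added illustration, not code from pfSense or the Snort package; the addresses, the 4-tuple state key and the `snort_block` helper are all constructed for the example, and the `blocked` set stands in for the pf table the package inserts blocks into.

```python
"""Toy model of why a Snort block on pfSense needs "Kill States".

Added illustration, not pfSense or Snort package code. It models the
sequence described in the thread: the firewall checks its state table
before its rules, Snort analyses a copy of the traffic, so by the time
Snort inserts a block the flow already has a state entry that lets
later packets bypass rule evaluation unless that state is killed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Firewall:
    blocked: set = field(default_factory=set)   # stands in for the block table Snort fills
    states: set = field(default_factory=set)    # stands in for pf state entries
    log: list = field(default_factory=list)

    def filter(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        # 1. An existing state wins: rules and the block table are not consulted.
        if key in self.states:
            self.log.append(("state-match", pkt))
            return "pass"
        # 2. No state: evaluate rules, where a block-table hit is rejected.
        if pkt.src in self.blocked or pkt.dst in self.blocked:
            self.log.append(("blocked", pkt))
            return "block"
        # 3. Passed by the rules: create a state so later packets skip them.
        self.states.add(key)
        self.log.append(("new-state", pkt))
        return "pass"

    def snort_block(self, host, kill_states):
        """Simulate Snort inserting a block for host, optionally wiping its states."""
        self.blocked.add(host)
        if kill_states:
            self.states = {s for s in self.states if host not in (s[0], s[1])}


def simulate(kill_states):
    """Return (verdicts before the block, verdict of the next packet after it)."""
    fw = Firewall()
    peer = "203.0.113.10"   # constructed remote address (TEST-NET-3)
    lan = "192.168.1.20"    # constructed LAN client
    flow = Packet(lan, peer, 51413, 6881)
    # Packets 1-2 cross the firewall before Snort has analysed them, creating a state.
    before = [fw.filter(flow) for _ in range(2)]
    # Snort's alert fires and it inserts a block for the peer.
    fw.snort_block(peer, kill_states)
    # Packet 3 belongs to the same flow.
    after = fw.filter(flow)
    return before, after


if __name__ == "__main__":
    print("without kill states:", simulate(False))
    print("with kill states:   ", simulate(True))
```

With `kill_states=False` the third packet still matches the existing state and passes, which is exactly the "alert but nothing happens" symptom; with `kill_states=True` the state is gone, the packet is re-evaluated, and the block applies.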



  • Hi bmeeks,

    thank you for your quick reply and effort to help me out.

    You were right, killing states was still unchecked and after I enabled it, it worked for me.
    Unfortunately torrent traffic is still going through but at least the webpage from where I got the torrent file gets blocked.

    With games it's a little bit odd too, I can still play them but in case of D3 and WoW it seems Snort blocks the attempt to download an upcoming patch through the background downloader but doesn't reject the connection to the gaming servers itself.

    If you don't mind me asking there is something about the configuration of Snort I didn't understand.
    All rules are working with the $HOME_NET and $EXTERNAL_NET variables but shouldn't the WAN interface on which I activated Snort be considered as $EXTERNAL_NET? When I click on the view list button for home net it lists all my private networks but including the IP of my WAN interface. That doesn't make sense to me or am I totally wrong here?



  • @FreeYourMind:

    Hi bmeeks,

    thank you for your quick reply and effort to help me out.

    You were right, killing states was still unchecked and after I enabled it, it worked for me.
    Unfortunately torrent traffic is still going through but at least the webpage from where I got the torrent file gets blocked.

    With games it's a little bit odd too, I can still play them but in case of D3 and WoW it seems Snort blocks the attempt to download an upcoming patch through the background downloader but doesn't reject the connection to the gaming servers itself.

    If you don't mind me asking there is something about the configuration of Snort I didn't understand.
    All rules are working with the $HOME_NET and $EXTERNAL_NET variables but shouldn't the WAN interface on which I activated Snort be considered as $EXTERNAL_NET? When I click on the view list button for home net it lists all my private networks but including the IP of my WAN interface. That doesn't make sense to me or am I totally wrong here?

    You don't want to ever block your own WAN interface.  Then nothing would get through your box.  You want to block either the far-end source or destination host, or sometimes one of your LAN clients.  You don't want blocks directly on any of the firewall interface IP addresses.  If that happened, you would be completely locked out of the firewall.  So that's why the firewall interface IPs (including the WAN IP) get put in $HOME_NET and included in the default PASS LIST of "never blocked" IP addresses.

    As for your torrent and game stuff, are you sure that all the necessary rules are actually in place?  You will need to examine carefully the rules you have selected.  Doing this requires understanding the rule syntax and how rules operate in Snort or Suricata.  There are lots of how-to and tutorial links to be found on Google for that.  Snort only blocks what a rule specifically identifies.  To elaborate, the rules you are using may work off a simple list of IP addresses.  If that list only includes say popular torrent web sites (for fetching the torrent files themselves), then attempts to download the torrent file itself would be identified, but later connecting to some random seeder may not be if the IP address is not in the list.  Same for game servers.  I'm not saying this is your issue, but it is a possibility.  You will need to examine the P2P and GAMES rules individually to see what they are actually looking for to kick off an alert.

    Bill
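Bill's advice to examine each P2P and GAMES rule for what it actually keys off can be partly automated. The script below is an added example, not code from Snort, Emerging Threats or the pfSense package: it parses the classic Snort 2 rule header and option list and reports whether a rule fires on a literal address list, on a payload pattern (`content`/`pcre`), or only on ports. The four rules in `SAMPLE_RULES` are constructed samples in Snort syntax, not real ET rules, and the classification buckets are this example's own heuristic.

```python
"""Report what each Snort 2 rule actually matches on.

Added example, not Snort project or pfSense package code. A rule that
only lists tracker or game-server addresses cannot block a peer whose
address is not in the list; a rule with a content match fires on the
payload regardless of address. The sample rules are constructed.
"""
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

SAMPLE_RULES = """\
# constructed samples in Snort 2 syntax, not real Emerging Threats rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"SAMPLE P2P BitTorrent port range"; flow:to_server,established; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE torrent file request"; flow:to_server,established; content:".torrent"; http_uri; nocase; sid:9000002; rev:1;)
alert ip $HOME_NET any -> [203.0.113.0/24,198.51.100.7] any (msg:"SAMPLE known tracker address list"; sid:9000003; rev:1;)
alert udp any any -> any any (msg:"SAMPLE DHT ping; semicolon inside msg"; content:"d1|3A|ad2|3A|id20|3A|"; sid:9000004; rev:1;)
"""


def split_options(opts):
    """Split the option body on ';' while honouring double-quoted values."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    parsed = {}
    for item in out:
        if not item:
            continue
        key, _, value = item.partition(":")
        # Options may repeat (several content matches), so keep a list per key.
        parsed.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return parsed


def is_literal_address(spec):
    """True for a literal IP/CIDR or a [list], False for a variable or 'any'."""
    return bool(re.match(r"^\[?!?\d", spec))


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    rule["opts"] = split_options(rule["opts"])
    return rule


def classify(rule):
    """Heuristic bucket for what the rule needs in order to fire."""
    opts = rule["opts"]
    if "content" in opts or "pcre" in opts:
        return "payload-pattern"
    if is_literal_address(rule["src"]) or is_literal_address(rule["dst"]):
        return "ip-list"
    if rule["sport"] != "any" or rule["dport"] != "any":
        return "port-only"
    return "header-only"


def analyze(rules_text):
    """Return (sid, msg, classification) for every non-comment rule."""
    results = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        results.append((rule["opts"]["sid"][0], rule["opts"]["msg"][0], classify(rule)))
    return results


if __name__ == "__main__":
    for sid, msg, kind in analyze(SAMPLE_RULES):
        print(f"sid:{sid:<8} {kind:<16} {msg}")
```

Run against a downloaded ruleset, an "ip-list" or "port-only" result explains a torrent that still completes after the initial alert: the rule named the tracker or the .torrent fetch, not the seeders the client talks to afterwards.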

