Non-Selected rules showing up in alerts



  • I recently backed up and restored my pfSense (including Snort) to new hardware.

    On the new hardware I added a few new categories to the WAN interface in Snort. Shortly after that I noticed alerts for ET POLICY PE EXE or DLL Windows file download in my WAN alerts. I do not have the ET Policy category selected for my WAN interface. But I do have it selected for my LAN interface.

    I am trying to find out how that rule got selected and how I can deselect it.



  • Snort stores specific NIC information along with the interface configuration, so likely when you changed hardware your WAN/LAN interfaces are on different NIC IDs than they were before.  As an example, your WAN may have formerly been on em0 but now it's em1.  When you restored the Snort config from your old box, the interface IDs are not the same.  Your actual NIC IDs may be different, but you get the idea.

    This will be a little tricky to fix.  You may be able to fix it by going to the INTERFACE SETTINGS tab for each interface and swapping LAN to WAN and WAN to LAN.

    Bill



  • @bmeeks:

    Snort stores specific NIC information along with the interface configuration, so likely when you changed hardware your WAN/LAN interfaces are on different NIC IDs than they were before.  As an example, your WAN may have formerly been on em0 but now it's em1.  When you restored the Snort config from your old box, the interface IDs are not the same.  Your actual NIC IDs may be different, but you get the idea.

    This will be a little tricky to fix.  You may be able to fix it by going to the INTERFACE SETTINGS tab for each interface and swapping LAN to WAN and WAN to LAN.

    Bill

    Hi Bill, can you think of any other fixes? This will be really inconvenient as the new hardware is an APU with the interfaces labelled on the case. Additionally we run a number of pfSenses on similar hardware at different sites and having different interfaces on different physical ports could be problematic from a consistency standpoint as we're working at different sites.

    Would enabling and then disabling rules on either/all interfaces change things? It doesn't seem like all the categories and rules I had on the LAN interface are now showing up on the WAN, only a few (maybe just one rule).

    If that isn't an option I could at least remove and re-install the Snort package, correct? (Making sure to not save the config when I remove it?) That would be inconvenient, but probably a better solution for us in the long run than editing interface assignments.



  • Yes, if you are not put off by the extra work, removing Snort and NOT saving the current config would be best overall.  You would reinstall Snort and then configure it from scratch.

    The manual fix would require editing the config.xml file and then renaming some directories.  It's doable, but must all be done manually.  The impacted directories will be under /var/log/snort and /usr/pbi/snort_amd64/etc/snort.  I am assuming a 64-bit installation.  If you have 32-bit instead, then that snort_amd64 directory is snort_i386.

    If you look at the directory structure under the two paths I referenced, you will see the old physical NIC name as part of the path.  Depending on your old NIC card, the string might be "em0", "re1", etc.  There are several variations according to the model of network card in your old box.  The numbers (0, 1, etc.) in the NIC strings would be interfaces.  For instance, on my box em0 is my WAN and em1 is my LAN.  Both are Intel NICs.

    So you have to rename these folders to match up with your new NIC drivers.  Then in the config.xml in the <installedpackages><snortglobal></snortglobal></installedpackages> section you will see all the interfaces defined and the matching NIC name as well.  Those would have to be changed to match your new NIC drivers.

    Bill
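The manual fix Bill describes above (check which NIC each Snort interface config is bound to, rename the per-interface directories, and update the NIC names in the snortglobal section of config.xml) can be planned as a dry run before touching anything. The script below is an added example written for this thread; it is not pfSense or Snort package code. The paths and the snortglobal section come from the thread, but the exact element layout inside snortglobal (a rule element per interface with interface and realif children) and the directory naming pattern (a prefix ending in the NIC name, such as snort_1111_em0) are assumptions made for the example; check them against your own config.xml before using the plan it prints.

```python
"""Dry-run planner for re-binding pfSense Snort interface configs after a NIC change.

Nothing here renames or writes anything: it reports stale NIC bindings and prints the
rename / rewrite plan so you can compare it with what is actually on the box.
"""
import os
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment. The <snortglobal> section name is from the thread;
# the <rule>/<interface>/<realif>/<uuid> layout is an ASSUMPTION for this example.
SAMPLE_CONFIG = """<pfsense>
  <installedpackages>
    <snortglobal>
      <rule><interface>wan</interface><realif>em0</realif><uuid>1111</uuid></rule>
      <rule><interface>lan</interface><realif>em1</realif><uuid>2222</uuid></rule>
    </snortglobal>
  </installedpackages>
</pfsense>"""

# Directories named in the thread (64-bit install; 32-bit uses snort_i386).
SNORT_DIRS = ["/var/log/snort", "/usr/pbi/snort_amd64/etc/snort"]

# Assumed directory naming: anything ending in "_<nicname>", e.g. snort_1111_em0.
DIR_PATTERN = re.compile(r"^(.*_)([A-Za-z]+\d+)$")


def bound_nics(config_xml):
    """Return {friendly_name: real_nic} for every Snort interface in the config."""
    root = ET.fromstring(config_xml)
    out = {}
    for rule in root.iterfind("./installedpackages/snortglobal/rule"):
        out[rule.findtext("interface")] = rule.findtext("realif")
    return out


def stale_bindings(config_xml, present_nics):
    """Snort interfaces whose recorded NIC does not exist on this box.

    A non-empty result is the symptom from the thread: the restored config still
    points at the old box's NIC names, so rule sets land on the wrong interface.
    """
    return {name: nic for name, nic in bound_nics(config_xml).items()
            if nic not in set(present_nics)}


def plan_renames(dir_names, nic_map):
    """Return an ordered list of (old_name, new_name) directory renames.

    nic_map maps old NIC name -> new NIC name. If two directories would swap names
    (both the source and target exist), the move goes through a temporary name so
    no rename overwrites a directory that still has to be moved.
    """
    direct = []
    for name in dir_names:
        m = DIR_PATTERN.match(name)
        if m and m.group(2) in nic_map:
            direct.append((name, m.group(1) + nic_map[m.group(2)]))
    sources = {old for old, _ in direct}
    steps, finish = [], []
    for old, new in direct:
        if new in sources:  # target still occupied by another directory in the plan
            steps.append((old, old + ".migrating"))
            finish.append((old + ".migrating", new))
        else:
            steps.append((old, new))
    return steps + finish


def rewrite_config(config_xml, nic_map):
    """Return (new_xml_text, number_of_realif_values_changed) without writing anything."""
    root = ET.fromstring(config_xml)
    changed = 0
    for realif in root.iterfind("./installedpackages/snortglobal/rule/realif"):
        if realif.text in nic_map:
            realif.text = nic_map[realif.text]
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def list_snort_dirs(base_dirs=SNORT_DIRS):
    """Subdirectory names under each Snort base directory that exists on this host."""
    listing = {}
    for base in base_dirs:
        if os.path.isdir(base):
            listing[base] = sorted(os.listdir(base))
    return listing


if __name__ == "__main__":
    # Example run against the constructed config; on a real box read config.xml from disk
    # and pass the NIC names from `ifconfig -l` as present_nics.
    present = {"igb0", "igb1"}
    nic_map = {"em0": "igb0", "em1": "igb1"}
    print("stale bindings:", stale_bindings(SAMPLE_CONFIG, present))
    for base, names in list_snort_dirs().items():
        for old, new in plan_renames(names, nic_map):
            print(f"mv {base}/{old} {base}/{new}")
    _, n = rewrite_config(SAMPLE_CONFIG, nic_map)
    print(f"{n} realif value(s) would change in config.xml")
```

Run it first with the NIC map left empty to confirm the stale-bindings report matches what the alerts suggest (LAN rules firing on WAN), then with the real old-to-new mapping to get the rename list; only after that does the manual edit Bill describes make sense, and the reinstall-from-scratch route remains the simpler option if the plan touches more than a couple of directories.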