Snort Alert Port Scan Multiple & TOR



  • Sir, I am using pfSense as Router+NAT+FW with Snort inline IPS (with blocking disabled).

    ISP ----- PFSENSE ---- Switch ---- 50 PCs

    Lately I am finding a lot of TOR RELAY, port scan, decoy port scan and misc attack alerts. Kindly help.

    Is it a real attack?
    If I enable auto block source, is there any chance I face net issues? (Like Snort accidentally blocking traffic from my public IP?)

    Note: my public IP in the log is changed to 1.1.1.1

    Edit:
    I want to know how to configure Snort in such a way that my public IP won't be blocked (in the case of the WAN interface). I don't want everyone calling me telling me the net is down.

    Also, how to whitelist some IP addresses (like some local IP addresses and my public IP).

    SNORT_LOG.txt



  • By default, Snort will not block your WAN IP unless you are on a frequently changing dynamic IP (something like PPPoE that goes up and down frequently or your ISP forcibly changes your WAN IP).  There are some issues with Snort and Suricata when the WAN IP changes frequently.  In those cases the WAN IP can get inadvertently blocked.  I am researching/working on a solution for that.  If you have a static WAN IP, then you don't have to worry about it getting blocked by Snort.

    In the meantime, looking at your log I notice a number of fairly well known false positive alerts.  Pretty much anything with "http_inspect" in the message is from a rule set known for a lot of log noise.  I suggest disabling those rules or adding their SIDs to a Suppress List.

    You do have a few legitimate alerts indicating one or more machines on your protected network are running TOR clients.

    Bill



  • Thank you for your reply, we are using a static IP.

    • I checked that application; it's running uTorrent, but I couldn't find a Tor client, so I created a LAN rule to block dest port 36033,

    based on the log:

    
    Date      Time      Pri  Proto  Class        Src              SPort  Dst            DPort  GID:SID    Description
    07/24/15  17:57:53  2    UDP    Misc Attack  80.100.250.244   49351  192.168.1.95   39590  1:2522957  ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 479
    07/24/15  17:51:31  2    UDP    Misc Attack  110.175.249.202  55788  192.168.1.213  36033  1:2522259  ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 130
    07/24/15  17:51:28  2    UDP    Misc Attack  192.71.245.137   12333  192.168.1.213  36033  1:2522513  ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 257
    07/24/15  17:44:03  2    UDP    Misc Attack  37.187.125.228   52491  192.168.1.213  36033  1:2522695  ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 348
    
    

    This is the suppression list I am using (got it from this forum); I will check the http_inspect warnings and add them to the suppression list.

    
    # gen_id_1
    suppress gen_id 1, sig_id 536
    #"GPL SHELLCODE x86 NOOP"
    suppress gen_id 1, sig_id 648
    #GPL SHELLCODE x86 0x90 unicode NOOP
    suppress gen_id 1, sig_id 653
    # This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
    suppress gen_id 1, sig_id 1390
    suppress gen_id 1, sig_id 2452
    suppress gen_id 1, sig_id 8375
    # FILE-IDENTIFY download of executable content -> stops file downloads
    suppress gen_id 1, sig_id 11192
    suppress gen_id 1, sig_id 12286
    suppress gen_id 1, sig_id 15147
    # This event indicates that a portable executable file has been downloaded.
    suppress gen_id 1, sig_id 15306
    suppress gen_id 1, sig_id 15362
    # FILE-IDENTIFY download of executable content - x-header  -> stops windows download
    suppress gen_id 1, sig_id 16313
    #WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
    suppress gen_id 1, sig_id 16482
    suppress gen_id 1, sig_id 17458
    suppress gen_id 1, sig_id 20583
    suppress gen_id 1, sig_id 23098
    suppress gen_id 1, sig_id 2000334
    #"ET TFTP Outbound TFTP Read Request" -- VONAGE
    suppress gen_id 1, sig_id 2008120
    suppress gen_id 1, sig_id 2010516
    suppress gen_id 1, sig_id 2012088
    #ET SHELLCODE Common 0a0a0a0a Heap Spray String
    suppress gen_id 1, sig_id 2012252
    suppress gen_id 1, sig_id 2012758
    suppress gen_id 1, sig_id 2013222
    #ET INFO EXE - OSX Disk Image Download
    suppress gen_id 1, sig_id 2014518
    suppress gen_id 1, sig_id 2014520
    suppress gen_id 1, sig_id 2014819
    #ET INFO PDF Using CCITTFax Filter
    suppress gen_id 1, sig_id 2015561
    suppress gen_id 1, sig_id 2100366
    suppress gen_id 1, sig_id 2100368
    #GPL SHELLCODE x86 stealth NOOP
    suppress gen_id 1, sig_id 2100651
    suppress gen_id 1, sig_id 2101390
    #GPL SHELLCODE x86 0xEB0C NOOP
    suppress gen_id 1, sig_id 2101424
    suppress gen_id 1, sig_id 2102314
    suppress gen_id 1, sig_id 2103134
    suppress gen_id 1, sig_id 2500056
    suppress gen_id 1, sig_id 100000230
    #
    #WEB-CLIENT libpng malformed chunk denial of service attempt
    suppress gen_id 3, sig_id 14772
    #
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    #(http_inspect) NON-RFC DEFINED CHAR
    suppress gen_id 119, sig_id 14
    suppress gen_id 119, sig_id 31
    suppress gen_id 119, sig_id 32
    #
    # HTTP Inspect Errors
    suppress gen_id 120, sig_id 2
    suppress gen_id 120, sig_id 3
    suppress gen_id 120, sig_id 4
    suppress gen_id 120, sig_id 6
    suppress gen_id 120, sig_id 8
    suppress gen_id 120, sig_id 9
    suppress gen_id 120, sig_id 10
    #
    suppress gen_id 122, sig_id 19
    suppress gen_id 122, sig_id 21
    suppress gen_id 122, sig_id 22
    suppress gen_id 122, sig_id 23
    suppress gen_id 122, sig_id 26
    #
    #(spp_frag3) Bogus fragmentation packet. Possible BSD attack
    suppress gen_id 123, sig_id 10
    #
    suppress gen_id 137, sig_id 1
    # Sensitive Data disable
    # Credit Card Numbers
    suppress gen_id 138, sig_id 2
    # U.S. Social Security Numbers (with dashes)
    suppress gen_id 138, sig_id 3
    # U.S. Social Security Numbers (w/out dashes)
    suppress gen_id 138, sig_id 4
    # Email Addresses
    suppress gen_id 138, sig_id 5
    # U.S. Phone Numbers
    suppress gen_id 138, sig_id 6
    event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600
    
    #FILE-IDENTIFY Armadillo v1.71 packer file magic detected
    suppress gen_id 1, sig_id 23256
    
    #(smtp) Attempted response buffer overflow: 1448 chars
    suppress gen_id 124, sig_id 3
    #(ftp_telnet) Invalid FTP Command
    suppress gen_id 125, sig_id 2
    #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
    suppress gen_id 137, sig_id 1
    #(IMAP) Unknown IMAP4 command
    suppress gen_id 141, sig_id 1
    

    OK, I will add http_inspect to the suppression list, but why is pfSense unable to detect the class? It's showing class "Unknown Traffic". I am also able to find two types of http_inspect alerts:

    
    Date      Time      Pri  Proto  Class            Src              SPort  Dst            DPort  GID:SID  Description
    07/24/15  18:08:03  3    TCP    Unknown Traffic  192.168.1.108    60018  209.197.3.16   80     119:31   (http_inspect) UNKNOWN METHOD
    07/24/15  18:07:32  3    TCP    Unknown Traffic  195.232.248.148  80     202.122.17.58  34070  120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    


  • The string "unknown traffic" is part of the classification.config file included with the Snort binary.  It's not a problem with pfSense or the GUI part of the Snort package.  It just means there is no official designation for that traffic type in the default classification.config file distributed with Snort.

    The TOR alerts may also be false positives.  The alerts work by looking at destination IP addresses of certain types of traffic.  It could be that a given IP address was formerly a TOR node and is one no longer, but the ET rules were not updated.  Not saying that is definitely the reason in your case, but just understand that Intrusion Detection systems are not 100% foolproof.  They require a lot of administrator attention and careful research of alerts to verify if they are real or a false positive.

    Bill



  • Thank you, I enabled Block; now my Snort is working as an IPS.



  • Google/YouTube is getting blocked. I whitelisted 1 IP in passthrough; I guess I need to find the source rule which is blocking it and remove it, since Google uses a lot of IP ranges and whitelisting the entire range is impossible.



  • @Abhishek:

    Google/YouTube is getting blocked. I whitelisted 1 IP in passthrough; I guess I need to find the source rule which is blocking it and remove it, since Google uses a lot of IP ranges and whitelisting the entire range is impossible.

    Correct.  Identify the blocking rule on the ALERTS tab and then click the red X beside the SID to automatically disable that rule for the interface.

    Bill
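As an added example (it is not from this thread and not part of the pfSense Snort package), here is a small Python triage script over Snort alert_fast lines that does the two things Bill suggests: it ranks alerts by GID:SID so the noisy preprocessor entries can be turned into Suppress List lines in the same syntax as the list posted above, and it lists every rule that fired on a given host, which is how you find the rule that put a Google address on the block list. It also groups the ET TOR hits by local host so you can see which LAN machine is talking to which listed node. The log format (alert_fast with the year enabled), the HOME_NET value of 192.168.1.0/24 and the sample lines are assumptions; the sample is constructed from the alerts shown in the thread, with made-up rule revision numbers and one documentation address (203.0.113.20) added for the blocked-host lookup.

```python
"""Triage Snort alert_fast lines from a pfSense box (added example, not thread code)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the LAN seen in the thread's alerts.
HOME_NET = ip_network("192.168.1.0/24")

# Constructed sample, not a real log. Shape of Snort's alert_fast output (with -y):
# MM/DD/YY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
SAMPLE_LOG = """\
07/24/15-17:57:53.101000  [**] [1:2522957:3650] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 479 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 80.100.250.244:49351 -> 192.168.1.95:39590
07/24/15-17:51:31.202000  [**] [1:2522259:3650] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 130 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 110.175.249.202:55788 -> 192.168.1.213:36033
07/24/15-17:51:28.303000  [**] [1:2522513:3650] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 257 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.71.245.137:12333 -> 192.168.1.213:36033
07/24/15-18:08:03.404000  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.108:60018 -> 209.197.3.16:80
07/24/15-18:07:32.505000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 195.232.248.148:80 -> 202.122.17.58:34070
07/24/15-18:07:40.606000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.20:80 -> 192.168.1.50:51000
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # absent when the classtype is unknown
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"   # IPv4 only; port absent for ICMP
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """One alert_fast line -> dict of typed fields, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["cls"] = d["cls"] or ""
    return d


def parse_log(text):
    """Parse every line, silently skipping anything that is not an alert."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]


def top_sids(alerts, n=10):
    """Most frequent (gid, sid, msg) tuples: the first place to look for noise."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common(n)


def preprocessor_suppressions(alerts, gids=frozenset({119, 120})):
    """Suppress List lines for every preprocessor alert seen (119 = http_inspect
    client side, 120 = server side, the default GIDs). Each suppress line is
    preceded by the alert message as a comment, matching the list in the thread."""
    seen = {}
    for a in alerts:
        if a["gid"] in gids:
            seen.setdefault((a["gid"], a["sid"]), a["msg"])
    lines = []
    for (gid, sid), msg in sorted(seen.items()):
        lines.append(f"#{msg}")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines


def rules_touching_host(alerts, ip):
    """(gid, sid, msg) of every alert with `ip` as source or destination. With
    blocking enabled these are the candidate rules that put `ip` on the block table."""
    return {(a["gid"], a["sid"], a["msg"]) for a in alerts if ip in (a["src"], a["dst"])}


def tor_peers(alerts):
    """Map each HOME_NET host to the remote addresses it exchanged traffic with
    under an ET TOR rule, whichever direction the packet that fired was going."""
    peers = defaultdict(set)
    for a in alerts:
        if not a["msg"].startswith("ET TOR"):
            continue
        if ip_address(a["src"]) in HOME_NET:
            peers[a["src"]].add(a["dst"])
        elif ip_address(a["dst"]) in HOME_NET:
            peers[a["dst"]].add(a["src"])
    return dict(peers)


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    for (gid, sid, msg), n in top_sids(alerts, 5):
        print(f"{n:4d}  {gid}:{sid}  {msg}")
    print("\n".join(preprocessor_suppressions(alerts)))
    print(rules_touching_host(alerts, "203.0.113.20"))
    print(tor_peers(alerts))
```

Run it against a copy of the real alert.log instead of SAMPLE_LOG to get the suppress lines to paste into the Suppress List, and pass a blocked Google address to rules_touching_host to find the SID to disable on the ALERTS tab. The tor_peers output is only a starting point: a hit on a listed node in a machine's uTorrent DHT traffic, as in the thread, is not proof of a Tor client on that machine.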