Snort Alert Port Scan Multiple & TOR
-
Sir, I am using pfSense as Router+NAT+FW with Snort inline IPS (with blocking disabled).
–ISP -----PFSENSE----Switch -50 PC's
Lately I am finding a lot of TOR RELAY, port scan, Decoy port scan and misc attack alerts. Kindly help:
Is it a real attack?
If I enable auto block source, is there any chance I face net issues (like Snort accidentally blocking traffic from my public IP)? Note: my public IP in the log is changed to 1.1.1.1.
edit-
I want to know how to configure Snort in such a way that my public IP won't be blocked (in the case of the WAN interface). I don't want everyone calling me telling me the net is down. Also, how to whitelist some IP addresses (like some local IP addresses and my public IP).
-
By default, Snort will not block your WAN IP unless you are on a frequently changing dynamic IP (something like PPPoE that goes up and down frequently or your ISP forcibly changes your WAN IP). There are some issues with Snort and Suricata when the WAN IP changes frequently. In those cases the WAN IP can get inadvertently blocked. I am researching/working on a solution for that. If you have a static WAN IP, then you don't have to worry about it getting blocked by Snort.
In the meantime, looking at your log I notice a number of fairly well known false positive alerts. Pretty much anything with "http_inspect" in the message is from a rule set known for a lot of log noise. I suggest disabling those rules or adding their SIDs to a Suppress List.
You do have a few legitimate alerts indicating one or more machines on your protected network are running TOR clients.
Bill
-
Thank you for your reply, we are using a static IP.
- I checked that application; it's running uTorrent but I couldn't find a Tor client, so I created a LAN rule to block destination port 36033
based on the log:
07/24/15 17:57:53 2 UDP Misc Attack 80.100.250.244 49351 192.168.1.95 39590 1:2522957 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 479
07/24/15 17:51:31 2 UDP Misc Attack 110.175.249.202 55788 192.168.1.213 36033 1:2522259 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 130
07/24/15 17:51:28 2 UDP Misc Attack 192.71.245.137 12333 192.168.1.213 36033 1:2522513 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 257
07/24/15 17:44:03 2 UDP Misc Attack 37.187.125.228 52491 192.168.1.213 36033 1:2522695 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 348
This is the suppression list I am using (got it from this forum); I will check the http_inspect warnings and add them to the suppression list:
# gen_id_1
suppress gen_id 1, sig_id 536
#"GPL SHELLCODE x86 NOOP"
suppress gen_id 1, sig_id 648
#GPL SHELLCODE x86 0x90 unicode NOOP
suppress gen_id 1, sig_id 653
# This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
# FILE-IDENTIFY download of executable content -> stops file downloads
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
# This event indicates that a portable executable file has been downloaded.
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
# FILE-IDENTIFY download of executable content - x-header -> stops windows download
suppress gen_id 1, sig_id 16313
#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 2000334
#"ET TFTP Outbound TFTP Read Request" -- VONAGE
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088
#ET SHELLCODE Common 0a0a0a0a Heap Spray String
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013222
#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014819
#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
#
#WEB-CLIENT libpng malformed chunk denial of service attempt
suppress gen_id 3, sig_id 14772
#
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
#
# HTTP Inspect Errors
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10
#
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
#
#(spp_frag3) Bogus fragmentation packet. Possible BSD attack
suppress gen_id 123, sig_id 10
#
suppress gen_id 137, sig_id 1
# Sensitive Data disable
# Credit Card Numbers
suppress gen_id 138, sig_id 2
# U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
# U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
# Email Addresses
suppress gen_id 138, sig_id 5
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6
event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600
#FILE-IDENTIFY Armadillo v1.71 packer file magic detected
suppress gen_id 1, sig_id 23256
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
OK, I will add http_inspect to the suppression list, but why is pfSense unable to detect the class? It's showing class "Unknown Traffic". I am also able to find two types of http_inspect alerts:
07/24/15 18:08:03 3 TCP Unknown Traffic 192.168.1.108 60018 209.197.3.16 80 119:31 (http_inspect) UNKNOWN METHOD
07/24/15 18:07:32 3 TCP Unknown Traffic 195.232.248.148 80 202.122.17.58 34070 120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
-
The string "unknown traffic" is part of the classification.config file included with the Snort binary. It's not a problem with pfSense or the GUI part of the Snort package. It just means there is no official designation for that traffic type in the default classification.config file distributed with Snort.
The TOR alerts may also be false positives. The alerts work by looking at destination IP addresses of certain types of traffic. It could be that a given IP address was formerly a TOR node and is one no longer, but the ET rules were not updated. Not saying that is definitely the reason in your case, but just understand that Intrusion Detection systems are not 100% foolproof. They require a lot of administrator attention and careful research of alerts to verify if they are real or a false positive.
Bill
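As an added illustration (not code from this thread or from the pfSense Snort package): a small Python triage script that parses alert lines in the ALERTS-tab layout shown above, counts how often each GID:SID fires, emits suppress-list entries only for the http_inspect preprocessor noise Bill describes (leaving rule alerts such as the ET TOR hits for manual review), and lists every alert touching a given address, such as the WAN IP, so it can be whitelisted before blocking is turned on. The sample alert lines are constructed, with RFC 5737 addresses, and the regex assumes the space-separated column order of the ALERTS tab.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the column layout of the
# pfSense Snort ALERTS tab: date time pri proto class src sport dst dport gid:sid msg
SAMPLE_ALERTS = """\
07/24/15 17:57:53 2 UDP Misc Attack 192.0.2.10 49351 192.168.1.95 39590 1:2522957 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 479
07/24/15 17:51:31 2 UDP Misc Attack 198.51.100.7 55788 192.168.1.213 36033 1:2522259 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 130
07/24/15 18:08:03 3 TCP Unknown Traffic 192.168.1.108 60018 203.0.113.16 80 119:31 (http_inspect) UNKNOWN METHOD
07/24/15 18:08:05 3 TCP Unknown Traffic 192.168.1.108 60019 203.0.113.16 80 119:31 (http_inspect) UNKNOWN METHOD
07/24/15 18:07:32 3 TCP Unknown Traffic 203.0.113.5 80 192.168.1.50 34070 120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# The class column may contain spaces ("Misc Attack"), so it is matched lazily
# up to the first thing that looks like "<ip> <port> <ip> <port>".
ALERT_RE = re.compile(
    rf"^(?P<date>\S+) (?P<time>\S+) (?P<pri>\d+) (?P<proto>\S+) (?P<cls>.+?) "
    rf"(?P<src>{IP}) (?P<sport>\d+) (?P<dst>{IP}) (?P<dport>\d+) "
    r"(?P<gid>\d+):(?P<sid>\d+) (?P<msg>.*)$"
)

# http_inspect preprocessor generators (119 = client side, 120 = server side),
# the alert family the thread identifies as log noise.
NOISY_GIDS = {119, 120}

def parse_alerts(text):
    """Parse ALERTS-tab lines into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def count_by_signature(alerts):
    """How often each signature fired, keyed by (gid, sid, message)."""
    return Counter((int(a["gid"]), int(a["sid"]), a["msg"]) for a in alerts)

def suppress_entries(alerts):
    """Suppress-list lines for preprocessor noise only. GID 1 rule hits
    (e.g. the ET TOR alerts) are deliberately left out for manual review."""
    keys = {(int(a["gid"]), int(a["sid"])) for a in alerts if int(a["gid"]) in NOISY_GIDS}
    return [f"suppress gen_id {g}, sig_id {s}" for g, s in sorted(keys)]

def alerts_touching(alerts, ip):
    """Alerts whose source or destination is `ip` (for example the WAN address):
    review these before enabling blocking so the address can be whitelisted."""
    return [a for a in alerts if ip in (a["src"], a["dst"])]
```

Paste the ALERTS-tab text into SAMPLE_ALERTS (or read it from a file) and the suppress lines come out in the same format as the list posted above.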
-
Thank you, I enabled Block; now my Snort is working as an IPS.
-
Google/YouTube is getting blocked. I whitelisted 1 IP in passthrough. I guess I need to find the source rule which is blocking it and remove it, since Google uses a lot of IP ranges and whitelisting the entire range is impossible.
-
> Google/YouTube is getting blocked. I whitelisted 1 IP in passthrough. I guess I need to find the source rule which is blocking it and remove it, since Google uses a lot of IP ranges and whitelisting the entire range is impossible.
Correct. Identify the blocking rule on the ALERTS tab and then click the red X beside the SID to automatically disable that rule for the interface.
Bill