Snort: What am I doing wrong? Slow start/stop, config doesn't seem to stick



  • I am having an odd problem where none of my snort config seems to be working quite right in a new (~1 week) deployment.  Even when I mimic installs that I have had running at other locations for very long times, I keep getting things like rules which are completely disabled blocking sites, and white-listed IPs getting blocked.

    To compound, when I start or stop it takes eons to actually start or stop, regardless of what pfsense/snort say the status is.  This is causing me great frustration and causing both myself and my users to question my abilities, even considering I have used known-good configurations.

    I can post my config if someone wants to inspect it, I will just have to make a backup and trim out the snort config unless there's a better way?

    Does this sound similar to something anyone else has encountered?

    A few examples:

    • With the ET POLICY disabled, it is still blocking based on ET POLICY

    • With anything that I can tell requires SDS disabled, it keeps giving SDS preproc missing errors.  This happens even if I disable ALL packages.

    • PFSense and Snort both show disabled, but the block list keeps growing based on ET POLICY blocking good downloads.

• Whitelisted IPs blocked as soon as anything addresses them. - Regardless of set as Unblack or Trust

    • Whitelisted IPs from firewall->aliases still being blocked.



  • With the slow start/stop, this particular box is fairly beefy with a C2758 and 16gb of ram, but takes minutes to start, where my home which runs on a d525 and 2gb starts in about 30 secs with similar (albeit more restrictive) rules.



  • More information,

    When I run it from ssh, the startup appears to be relatively instantaneous.  Is there some form of debug output I can use to see exactly what command the gui sends?


  • Moderator

    With Snort disabled, run the following command.

    ps aux | grep snort
    

    If you see snort processes, kill those processes from the shell and try again to start the Snort Interfaces from the Snort GUI.



  • Sorry for delay in response:

    I should have mentioned before, and I just verified, that whether the webGUI says the snort service is enabled or unenabled, I never see SNORT or similar in process status.

    I am to the point where I am going to just wipe and completely re-set everything this weekend while I do some major dns/dhcp fixes that I have been wanting to do since I started here.



  • @sticcino:

    I should have mentioned before, and I just verified, that whether the webGUI says the snort service is enabled or unenabled, I never see SNORT or similar in process status.

    That statement seems fundamentally at odds with your original post where you said Snort was blocking (things such as ET POLICY blocks and whitelisted IPs getting blocked).  If you see no Snort process running, then Snort can't be blocking.  You could still have IP addresses show up in the BLOCKED tab, though, if they have not been cleared out.

    Are you sure you correctly executed the command line to view running processes?  It does sound like you may have a duplicate Snort process running on the box.  But such a process should definitely show up in a process list.

    Bill



  • @bmeeks:

    That statement seems fundamentally at odds with your original post where you said Snort was blocking (things such as ET POLICY blocks and whitelisted IPs getting blocked).  If you see no Snort process running, then Snort can't be blocking.  You could still have IP addresses show up in the BLOCKED tab, though, if they have not been cleared out.

    Are you sure you correctly executed the command line to view running processes?  It does sound like you may have a duplicate Snort process running on the box.  But such a process should definitely show up in a process list.

    Bill

    Hence my curiosity wtf I am doing wrong.  I am sure that when I ps -aux | grep 'snort|SNORT' (or just snort or just SNORT), I get:

    [2.2.4-RELEASE][root@#redacted#]/root: ps -aux | grep 'snort|SNORT'
    root  76757  0.0  0.0  18876  2376  0  S+    5:32PM      0:00.00 grep snort\|SNORT
    [2.2.4-RELEASE][root@#redacted#]/root: ps -aux | grep snort
    root  79784  0.0  0.0  18876  2384  0  S+    5:32PM      0:00.00 grep snort
    [2.2.4-RELEASE][root@#redacted#]/root: ps -aux | grep SNORT
    root  80078  0.0  0.0  18876  2384  0  S+    5:32PM      0:00.00 grep SNORT

    
    Even though, the gui shows Snort running in status -> service, not running on the WAN and new alerts/blocks are continuing to populate.  That is a specific example which applies to this specific moment (for instance, I just tried to download a driver from intel's site and it generated an ET POLICY PE EXE or DLL Windows file download block) even though it doesn't show up, even though that policy is disabled.  I have seen it with the wan showing running (green arrow), service disabled, alerting/blocking, and I have seen it with both showing disabled and generating alerts/blocking.  Luckily, the only thing it doesn't seem to do is show running and not block (I would rather frustrate users with an overly secure network than risk vulnerability) but I am starting to think I am in some weird nightmare.
    
    

    Date | Pri | Proto | Class | Source | SPort | Destination | DPort | SID | Description
    --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    10/22/15 17:12:27 | 3 | TCP | Misc activity | 23.11.80.37 | 80 | XXX.XX.XX.XXX | 33376 | 1:2000419 | ET POLICY PE EXE or DLL Windows file download

    
    This is seriously frustrating (the situation, not the product) because unless I am missing something, this is an extremely WTF situation which is making me look incompetent.
    
    For even more extreme weirdness, on Tuesday night since I was the last to leave the office I hit start, just to see what would happen if I left it for a while.  When I arrived in the morning everything looked fine, and ran fine until the mid afternoon when it randomly blocked the upstream DNSs (google's public dns and OpenDNS.)  I added their IPs to the friendlyIPs alias, and since then it has just been back to this WTF status.
    
    I have tried removing and reinstalling a few different ways/times, but there has to be something I am missing…
    
    (edited to convert quote to code for log outputs)
    
    ![wtfsnort.png](/public/_imported_attachments_/1/wtfsnort.png)


  • [2.2.4-RELEASE][root@#redacted#]/root: ps -aux | grep 'sn'
    root   82492   0.0  0.0  18876  2380  0  S+    5:48PM      0:00.00 grep sn
    
    
    Date | Pri | Proto | Class | Source | SPort | Destination | DPort | SID | Description
    --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    10/22/15 17:32:21 | 2 | UDP | Attempted Information Leak | 85.25.207.78 | 7063 | XXX.XX.XX.XXX | 5060 | 1:2011716 | ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
    

    I know it is hard to believe (edit: and I would have a hard time believing it too if it wasn't happening to me), but that new alert came in while I was typing the last post, and I just status'd again to make sure whether or not snort was running…

    (edit#2 to convert quote to code for log outputs)


  • Banned

    You might want to use something like this (reasonably commented for reasons, though it's for Suricata more specifically):

    disablesid.conf

    
    ##########################
    ### Suricata Overrides ###
    ##########################
    ### decoder-events.rules FPs
    # Loads of noise, DNS and others
    1:2200038 # SURICATA UDP packet too small
    # Messes up some DNS traffic
    1:2200040 # SURICATA UDP invalid header length
    1:2200070 # SURICATA FRAG IPv4 Fragmentation overlap
    1:2200072 # SURICATA FRAG IPv6 Fragmentation overlap
    # messes up with DNS resolution on LAN
    1:2200073 # SURICATA IPv4 invalid checksum
    # Bittorrent noise, DNS
    1:2200075 # SURICATA UDPv4 invalid checksum
    1:2200078 # SURICATA UDPv6 invalid checksum
    # lots of useless noise
    1:2200076 # SURICATA ICMPv4 invalid checksum
    1:2200079 # SURICATA ICMPv6 invalid checksum
    # Messes with IPv6 DNS resolution with some DNS servers - ns1.statnipokladna.cz, ns2.statnipokladna.cz
    1:2200080 # SURICATA IPv6 useless Fragment extension header
    
    ### dns-events.rules FPs
    1:2240001 # SURICATA DNS Unsollicited response
    # DNS Servers FPs
    1:2240002 # SURICATA DNS malformed request data
    1:2240003 # SURICATA DNS malformed response data
    # Windows default DNS server addresses IPv6 stupidity
    # https://technet.microsoft.com/en-us/library/cc783049%28v=ws.10%29.aspx
    1:2240007 # SURICATA DNS request flood detected
    # DNS Query for Suspicious Domain (stupid rules, break DNS resolution by blocking DNS servers)
    1:2011407-1:2011411
    1:2013847-1:2013862
    1:2012811,1:2012826,1:2012900,1:2012901,1:2012902,1:2012903,1:2012956,1:2013016,1:2013124,1:2013172,1:2015550,1:2013970,1:2014285
    
    ### http-events.rules FPs
    # breaks Windows updates
    1:2221000 # SURICATA HTTP unknown error
    # http://www.bundesfinanzministerium.de
    1:2221021 # SURICATA HTTP response header invalid
    
    # smtp-events.rules
    # SpamD FPs
    1:2220006 # SURICATA SMTP no server welcome message
    
    ### stream-events.rules FPs
    # disable all, way too many FPs
    stream-events.rules
    # random FPs
    #1:2210016 # SURICATA STREAM CLOSEWAIT FIN out of window
    #1:2210020 # SURICATA STREAM ESTABLISHED packet out of window
    #1:2210021 # SURICATA STREAM ESTABLISHED retransmission packet before last ack
    #1:2210029 # SURICATA STREAM ESTABLISHED invalid ack
    #1:2210030 # SURICATA STREAM FIN invalid ack
    #1:2210032 # SURICATA STREAM FIN1 FIN with wrong seq
    #1:2210038 # SURICATA STREAM FIN out of window
    #1:2210039 # SURICATA STREAM Last ACK with wrong seq
    #1:2210042 # SURICATA STREAM TIMEWAIT ACK with wrong seq
    #1:2210045 # SURICATA STREAM Packet with invalid ack
    #1:2210046 # SURICATA STREAM SHUTDOWN RST invalid ack
    # Messes with DNS resolution over TCP with some DNS servers
    #1:2210000 # SURICATA STREAM 3way handshake with ack in wrong dir
    #1:2210010 # SURICATA STREAM 3way handshake wrong seq wrong ack
    
    ### tls-events.rules FPs
    # random false positives (e.g. Yahoo)
    1:2230002 # SURICATA TLS invalid record type
    # breaks viber
    1:2230003 # SURICATA TLS invalid handshake message
    ##########################
    
    ##########################
    ### ET Open Overrides  ###
    ##########################
    ### disable useless empty categories in the open-nogpl ruleset
    # empty
    emerging-icmp.rules
    emerging-icmp_info.rules
    emerging-imap.rules
    emerging-pop3.rules
    emerging-rpc.rules
    
    ### emerging-dns.rules
    # generic unwanted rules
    1:2012811 # ET DNS DNS Query to a .tk domain - Likely Hostile
    1:2018438 # ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling
    # FPs with Bittorrent peers using port 53
    1:2014703 # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
    1:2014701 # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy
    
    ### emerging-scan.rules
    # FPs with Total Commander SFTP, PuTTY etc.
    1:2003068 # ET SCAN Potential SSH Scan OUTBOUND
    # FPs with RDP automatic reconnect
    1:2013479 # ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
    # Loads of noise, plus FPs with DNS resulting in blocking root DNS servers
    1:2008578 # ET SCAN Sipvicious Scan
    1:2011716 # ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
    
    ### emerging-shellcode.rules
    # Fires up when syncing debian mirror
    1:2012086 # ET SHELLCODE Possible Call with No Offset TCP Shellcode
    1:2012088 # ET SHELLCODE Possible Call with No Offset TCP Shellcode
    1:2012252 # ET SHELLCODE Common 0a0a0a0a Heap Spray String
    1:2013319 # ET SHELLCODE Unicode UTF-8 Heap Spray Attempt
    # Dangerous rule based on cleartext HTTP. Fires up on known good sites when repeated occurrences of *heap* is encountered.
    1:2013222 # ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
    
    ### emerging-web_client.rules
    # generic unwanted rules
    1:2011507 # ET WEB_CLIENT PDF With Embedded File
    1:2010514 # ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source)
    1:2010516 # ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
    1:2010518 # ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
    1:2010520 # ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)
    1:2010522 # ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)
    1:2010525 # ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
    1:2010527 # ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
    # fires up when downloading zipped drivers
    1:2012266 # ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
    1:2012272 # ET WEB_CLIENT Hex Obfuscation of eval % Encoding
    1:2012398 # ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
    
    ### emerging-web_server.rules
    # generic unwanted rules
    1:2101201 # GPL WEB_SERVER 403 Forbidden
    1:2101852 # GPL WEB_SERVER robots.txt access
    1:2016672 # ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
    ##########################
    
    

    Suppress tab:

    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET POLICY PE EXE or DLL Windows file download
    suppress gen_id 1, sig_id 2000419
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET POLICY ASProtect/ASPack Packed Binary
    suppress gen_id 1, sig_id 2008575
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET POLICY PE EXE or DLL Windows file download HTTP
    suppress gen_id 1, sig_id 2018959
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET POLICY Executable and linking format (ELF) file download
    suppress gen_id 1, sig_id 2000418
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET POLICY Executable and linking format (ELF) file download Over HTTP
    suppress gen_id 1, sig_id 2019240
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET CHAT IRC USER command
    suppress gen_id 1, sig_id 2002023
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET CHAT IRC NICK command
    suppress gen_id 1, sig_id 2002024
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET CHAT IRC JOIN command
    suppress gen_id 1, sig_id 2002025
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET CHAT IRC PRIVMSG command
    suppress gen_id 1, sig_id 2002026
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET CHAT IRC PING command
    suppress gen_id 1, sig_id 2002027
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET CHAT IRC PONG response
    suppress gen_id 1, sig_id 2002028
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET POLICY Vulnerable Java Version 1.8.x Detected
    suppress gen_id 1, sig_id 2019401
    
    ## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
    # ET POLICY Vulnerable Java Version 1.7.x Detected
    suppress gen_id 1, sig_id 2014297
    
    

    Note: If this all is frustrating to you, simply disable blocking altogether. IDS is not click-click-and-forget stuff.
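    The two files posted above (a disablesid.conf and the Suppress List) are the usual first place to look when a rule keeps firing that you believe you turned off: a SID that is in neither list, or only in a commented-out line, is still active. The following is an added example, not code from the thread, the pfSense Snort package or Suricata; it assumes only the line forms visible in the posted files (`GID:SID`, `GID:SID-GID:SID` ranges, comma-separated lists, bare `<category>.rules` file names, `#` comments, and Snort `suppress gen_id N, sig_id N[, track ..., ip ...]` lines) and uses a constructed sample of each file, so it runs offline. It reports, for a GID:SID as shown in the alert table, whether the lists disable it, suppress it, or leave it active, and it flags lines that do not parse (such as a reversed range), which a hand-edited file can easily contain.

```python
"""Offline checker for disablesid.conf / Suppress List entries (added example, not package code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the same format as the disablesid.conf posted in the thread.
SAMPLE_DISABLESID = """\
### emerging-dns.rules
# DNS Query for Suspicious Domain (range and comma-separated forms)
1:2011407-1:2011411
1:2012811,1:2012826,1:2012900
1:2200038 # SURICATA UDP packet too small
# whole categories by file name
emerging-icmp.rules
stream-events.rules
#1:2210016 # commented out, so this SID stays enabled
1:2011411-1:2011407 # reversed range, rejected by the parser
"""

# Constructed sample in the same format as the Suppress tab contents (Snort threshold syntax).
SAMPLE_SUPPRESS = """\
## -- This rule manually suppressed from the Auto-Flowbits list. -- ##
# ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
suppress gen_id 1, sig_id 2011716, track by_src, ip 10.0.0.5
"""

SID_RE = re.compile(r"^(\d+):(\d+)$")
RANGE_RE = re.compile(r"^(\d+):(\d+)-(\d+):(\d+)$")
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(.*)$")


@dataclass
class Overrides:
    disabled: set = field(default_factory=set)    # individual (gid, sid) pairs
    ranges: list = field(default_factory=list)    # (gid, low_sid, high_sid) inclusive ranges
    categories: set = field(default_factory=set)  # whole rule files named in the list
    errors: list = field(default_factory=list)    # (line_no, token) that did not parse


def parse_disablesid(text):
    ov = Overrides()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments: a commented-out SID stays enabled
        if not line:
            continue
        for token in (t.strip() for t in line.split(",")):
            if not token:
                continue
            if m := RANGE_RE.match(token):
                g1, lo, g2, hi = map(int, m.groups())
                if g1 != g2 or lo > hi:
                    ov.errors.append((line_no, token))  # mixed GIDs or reversed bounds
                else:
                    ov.ranges.append((g1, lo, hi))
            elif m := SID_RE.match(token):
                ov.disabled.add((int(m.group(1)), int(m.group(2))))
            elif token.endswith(".rules"):
                ov.categories.add(token)
            else:
                ov.errors.append((line_no, token))
    return ov


def parse_suppress(text):
    """Map (gid, sid) -> qualifier text ('' for an unconditional suppress)."""
    sup = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SUPPRESS_RE.match(line):
            qualifier = m.group(3).strip().lstrip(",").strip()
            sup[(int(m.group(1)), int(m.group(2)))] = qualifier
    return sup


def is_disabled(ov, gid, sid):
    if (gid, sid) in ov.disabled:
        return True
    return any(g == gid and lo <= sid <= hi for g, lo, hi in ov.ranges)


def rule_status(ov, sup, ref):
    """ref is the GID:SID string shown in the alert table, e.g. '1:2000419'."""
    gid, sid = (int(x) for x in ref.split(":"))
    if is_disabled(ov, gid, sid):
        return "disabled"
    if (gid, sid) in sup:
        return "suppressed" + (f" ({sup[(gid, sid)]})" if sup[(gid, sid)] else "")
    return "active"


if __name__ == "__main__":
    ov = parse_disablesid(SAMPLE_DISABLESID)
    sup = parse_suppress(SAMPLE_SUPPRESS)
    for ref in ("1:2000419", "1:2011716", "1:2011409", "1:2210016"):
        print(ref, rule_status(ov, sup, ref))
    for line_no, token in ov.errors:
        print(f"line {line_no}: could not parse {token!r}")
```

    Two caveats match the advice in this thread: a category name in the list disables a whole file, and this checker cannot tell which file a given SID lives in, so `categories` is reported separately rather than folded into `rule_status`; and a suppress with `track by_src`/`by_dst` only silences the rule for the listed address, so other sources still alert. Either way the files are only read when Snort starts on the interface, so an edit that looks right here still needs a restart to take effect.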



  • @sticcino:

    The command line for finding Snort processes is like this:

    
    ps -ax | grep snort
    
    

    Do not include the "u" in the command arguments.  This will show the running Snort processes.  You are running the command with the "-aux" argument and that causes no Snort processes to display.  Run it with just the "-ax" argument.

    As @doktornotor posted, Snort and Suricata are professional-grade IDS packages.  They are not "install and forget" packages.  They require constant vigilance and careful tuning in busy networks to identify false positives and weed them out with selective disabling of rules and the use of pass lists.  Remember also, when creating a PASS LIST, you must go to the INTERFACES tab in Snort and assign the new Pass List to the interface.  If you do not, then Snort does not use the Pass List.  Finally, don't forget to restart Snort on an interface when you change a Pass List.  The lists are only read and processed during start up of Snort.

    Why don't you run Snort in just IDS mode for a few weeks (that is with blocking not enabled) to get a good feel for the types of alerts that fire in your network?  That will help you identify potential false positives so you can selectively disable those rules.

    Bill

