1. Home
  2. pfSense Packages
  3. IDS/IPS
  4. Possible SNORT bug, not detecting rule

Possible SNORT bug, not detecting rule

  • V

    Hello forum,

    I have been searching for a solution for a weird Snort behaviour, but haven't been able to find a solution - this may be a bug in the snort implementation.
    Could someone assist me in this matter? - NB: real malicious domain has been change to "evilpage.tld"

    Snort info: Snort 2.9.7.6 pkg v3.2.9.1
    Rule that fires an alarm (correctly):
    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - POLICY - malicious web page access - LAN"; content:"GET"; nocase; http_method; content:"evilpage.tld"; nocase; http_header; classtype:policy-violation; sid:56001810; rev:1;)

    Rule that does not fires an alarm at all
    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - POLICY - malicious web page access"; flow:to_server,established; detection_filter:track by_dst, count 14, seconds 15; content:"GET"; nocase; http_method; content:"evilpage.tld"; nocase; http_header; classtype:policy-violation; metadata:NF,25042015; sid:56001810; rev:1;)

    Would anyone in the forum be able to assist me, so both rules fire a alarm in Snort,  I have a gut feeling that the "flow:established" keyword are the differentiator,
    but i would expect that the PFsense Snort would be able to understand this?

    many thanks in advance.

    0
  • BBcan177
    Moderator

    You could also add a DNS sinkhole in the Resolver… or the Fowarder...

    Example Resolver redirect rule:

    local-zone: "evilpage.tld" redirect
    local-data: "evilpage.tld A 127.0.0.1"

    0
  • V

    Hello BBcan117,

    Many thanks for taking the time to reply,

    Yes I know that the resolver can be used, but I am wondering why the "flow:established" keyword are working in a "normal" snort installation but not in the PFsense implementation.

    Would you know that ?

    Many thanks for all assistance,

    0
  • F

    @vingaard:

    Would anyone in the forum be able to assist me, so both rules fire a alarm in Snort,  I have a gut feeling that the "flow:established" keyword are the differentiator,
    but i would expect that the PFsense Snort would be able to understand this?

    many thanks in advance.

    Well in that case, why dont you remove the threshold and diagnose only the flow…your second rule should be

    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - POLICY - malicious web page access"; flow:to_server,established; content:"GET"; nocase; http_method; content:"evilpage.tld"; nocase; http_header; classtype:policy-violation; metadata:NF,25042015; sid:56001811; rev:1;)

    F.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy