Bug #14754
closedSnort security issue bug within tcp/UDP scan detection blocking tool DoS event
0%
Description
Version:
Snort 4.1.6_8 built on pfSense plus Netgate 2100 appliance running an ARM processor. Package is prebuilt for use with this firewall.
Rules Enabled:
Emerging Threats (ET) Rules
Snort Subscriber Rules
Suspected Bug within Wan Preprocs:
Bug abused within Portscan Detection Enabled
Bug Details:
I thought I should report this, I have witnessed this DoS attack several times. The Snort package can not determine the difference between a decoy scan using the hosts WAN ISP issued IP address, as well as the hosts DNS address in use over a regular non decoy Nmap scan. This causes issues when snort has portscan detection and blocking enabled on the WAN Preproces. This results in degraded performance of the external DNS resolvers or a full off-lined system event. When the host running Snort has a decoy scan such as this Snort will block the hosts WAN ip address it is running on-top of.
Steps to reproduce:
Use the hosts WAN IP address and perform a decoy TCP/IP scan Nmap with it from an external system. Snort will detect the scan and block its own WAN address creating a denial of service event. This can also be done with DNS address that host uses such as 8.8.8.8 forcing the DNS to be also be blocked. Keep in mind the Nmap scan ran will have to use the hosts wan address for its decoy address.I have had this occur several times already with my pfSense firewall.
Possible Resolve:
What I want to happen when a Nmap scan occurs from your firewalls WANs IP address externally with such “decoys” is the firewall should black hole it hence create an auto reply custom reply/response. The Snort system can be preconfigured to auto reply for when a scan occurs from a decoy address of its own WAN address. Again, Snort should be pre configured for when such decoy scans are detected and have a packet crafted response should this be seen with the IPD/IDS. Packet crafting can be done for the hosts WAN and DNS ip addresses.
Ending Notes:
This is a major concern. I have also showcased this with Palo Alto during my cyber security class at Sierra College. I have also reported this to Netgate pfSense team seen below. PfSense Netgate security team has asked me to send this upstream to Snort. (See below)
WARNING:
Several invasive actors have found this Zero Day does create a DoS event and has been testing it on my home network and off-lined my system several times. When I review the blocks it shows my own WAN IP address ran Nmap scans and IPS/IDS blocks it right after. Snort does not know the difference at this point.
Side Note:
This has been reported upstream to bugs@snort.org and security@netgate.com, security at netgate asked me to post in Netgate forum and to report to Snort. I have also added this information to Redmine for more visibility as this team could also provide a possible solution and or contact someone at bugs@snort to also report this. Thos DoS has occurred several times now. My IP address is not listed on any of the lists in this blocked event.
Files
Related issues