Bug #14822
Status: open
Services/Snort/Pass List/Edit Auto-Generated IP Addresses has degraded performance on passing
Description
I have learned that Snort's GUI Pass List Auto-Generated IP Addresses area is not 100% passing and is still blocking when an IP is being used in decoy or spoofed port scans of the system.
https://www.snort.org/faq/readme-sfportscan
https://redmine.pfsense.org/issues/14754
https://redmine.pfsense.org/issues/14514
https://redmine.pfsense.org/issues/14821
An example of standard, non-decoy detection and blocking of a port scan is attached below, showing that port scan blocking is fully functional.
Kali OS has decoy scanning abilities for LAN tests that are being abused, such that a port scan target is utilizing the target IP as the decoy IP, creating a Snort block on its own WAN IP.
P: WAN ISP-issued IP or DNS that pfSense forwards to, or P = IP of the WAN interface Snort resides on / DNS that Unbound uses
Q: Snort set to block port scans, or Q(source IP of port scans)
A: a decoy IP, or A(any decoy IP needed)
R: result, block the source IP of a detected port scan
Therefore the equation can be:
(Q(A(P))) = R
Q of A of P = resulting block
This is the equivalent of Q(P) = R.
This condition should always be Q(~P) = R; however, the auto-generated IP pass list is not functional at times.
Now suppose Q(P) = R,
where q is from the universe of all blocked port scans,
a is from the universe of the decoy scans,
and p is from the universe of WAN ISP-issued IP addresses or DNS that pfSense forwards to for this system that Snort resides on:
∀q ∃a(p)
This should be ∀q ¬∃a(p), per the pass list Auto-Generated IP Addresses in Snort.
Per Marcos M:
"This isn't a bug. To avoid the issue, relevant IP addresses can be added to a passlist. There also likely exist rules for Snort/Suricata to detect spoofed scans, further details here:
https://www.snort.org/faq/readme-sfportscan"
I have spoof rules enabled; they are still blocking the pass list addresses seen below.
However, they are not being auto-generated into the pass list in Snort per the GUI settings. Something is not allowing it to add the Auto-Generated IP pass-list group.
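The block rule the report writes as Q(~P) = R, modelled as an added example that is not pfSense or Snort code: a port-scan alert from source q results in a block R only when q is not covered by the pass list P. The pass-list categories (WAN IP, gateways, DNS servers, local networks), the addresses and the alert lines are all constructed for the example, and the `enabled` switch stands in for the failure mode described above, where the auto-generated group never reaches the pass list.

```python
# Added example, not pfSense/Snort code: a model of the Q(~P) = R rule.
# A port-scan alert from source q produces a block only when q is NOT in P.
import ipaddress
from dataclasses import dataclass, field

# Constructed values standing in for the "Auto-Generated IP Addresses"
# categories. None of these are real addresses of any system.
WAN_IP = "203.0.113.10"          # constructed: WAN interface / ISP-issued IP
GATEWAYS = ["203.0.113.1"]       # constructed: WAN gateway
DNS_SERVERS = ["198.51.100.53"]  # constructed: resolver pfSense forwards to
LOCAL_NETS = ["192.168.1.0/24"]  # constructed: LAN network


@dataclass
class PassList:
    networks: list = field(default_factory=list)

    @classmethod
    def auto_generated(cls, wan_ip, gateways, dns_servers, local_nets, enabled=True):
        # With the auto-generated group applied, every category is included.
        # With enabled=False (the failure mode in the report) the list is empty,
        # so the host's own WAN IP is no longer protected from a block.
        if not enabled:
            return cls([])
        entries = [wan_ip, *gateways, *dns_servers, *local_nets]
        return cls([ipaddress.ip_network(e, strict=False) for e in entries])

    def covers(self, ip):
        # True when the address falls inside any pass-list entry (host or network).
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def should_block(source_ip, passlist):
    # Block decision for one port-scan alert: block only if the source is not passed.
    return not passlist.covers(source_ip)


def evaluate(alerts, passlist):
    # Source IPs that would end up blocked for the given alerts, deduplicated.
    return sorted({a["src"] for a in alerts if should_block(a["src"], passlist)})


# Constructed alerts: an ordinary scan from an outside host, and a decoy scan
# whose spoofed source equals the system's own WAN IP (the case in the report).
ALERTS = [
    {"src": "192.0.2.77", "msg": "sfportscan: TCP Portscan"},
    {"src": WAN_IP, "msg": "sfportscan: TCP Decoy Portscan"},
]

if __name__ == "__main__":
    applied = PassList.auto_generated(WAN_IP, GATEWAYS, DNS_SERVERS, LOCAL_NETS)
    missing = PassList.auto_generated(WAN_IP, GATEWAYS, DNS_SERVERS, LOCAL_NETS, enabled=False)
    print("blocked with pass list applied:", evaluate(ALERTS, applied))
    print("blocked with pass list missing:", evaluate(ALERTS, missing))
```

With the pass list applied, only the outside scanner is blocked; with it missing, the decoy alert also blocks the WAN IP itself, which is the self-block the report describes. Checking the generated pass-list file against these categories is the first thing to verify when the GUI setting appears not to take effect.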
Updated by Marcos M about 1 year ago
- Status changed from New to Feedback
"I have spoof rules enabled; they are still blocking the passlist addresses seen below."
This has been an issue in the past with Suricata. There have been attempts to resolve/mitigate/troubleshoot this, but I'm not certain on the latest status for that; perhaps there's a similar situation with Snort. More simply, it may be that the passlist hasn't properly taken effect yet - there are multiple factors that can affect it. I suggest discussing the issue on the forums first.