Project

General

Profile

Actions

Bug #14822

open

Services/Snort/Pass List/Edit Auto-Generated IP Addresses has degraded performance on passing

Added by Jonathan Lee about 1 year ago. Updated about 1 year ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
All
Affected Plus Version:
23.05.1
Affected Architecture:
SG-2100

Description

I have learned that Snort's GUI Passlist Auto-Generated IP addresses area is not 100% passing and still blocking when an IP is being used in decoy or spoofed port scans of the system.

https://www.snort.org/faq/readme-sfportscan
https://redmine.pfsense.org/issues/14754
https://redmine.pfsense.org/issues/14514
https://redmine.pfsense.org/issues/14821

Example of standard non decoy detection and block of port scan attached below showing port scan blocking is fully functional.

Kali OS has decoy scanning abilities for lan tests that are being abused such that a port scan target is utilizing the target IP as the decoy IP creating a snort block on its own wan IP

P: WAN ISP Issued IP or DNS pfSense forwards to, or P = IP of WAN interface snort resides on/DNS unbound uses

Q: snort set to block port scans or Q(source IP of port scans)

A: a decoy IP or A(any decoy IP needed)

R: result block the source IP of a detected port scan

therefore equation can be
(Q(A(P))) = R

Q of A of P = resulting block
this is the equivalent of Q(P) = R

This condition should always be Q(~P) = R however the auto generated IP passlist is not functional at times.

now suppose Q(P) = R
or where q is from the universe of all blocked port scans
and a is from the universe of the decoy scans.
and p is from the universe WAN ISP Issued IP address or DNS that pfSense forwards to for this system that snort resides on

∀q∃a(p)

This should be ∀q ¬ ∃a(p) Per pass-list Auto-Generated IP Addresses in Snort

Per Marcos M
"This isn't a bug. To avoid the issue, relevant IP addresses can be added to a passlist. There also likely exist rules for Snort/Suricata to detect spoofed scans, further details here:
https://www.snort.org/faq/readme-sfportscan"

I have spoof rules enabled they are still blocking the passlist addresses seen below.

However they are not being auto-generated into the pass-list in snort per GUI settings. Something is not allowing it to add the Auto-Generated IP pass-list group.


Files

Screenshot 2023-09-07 150042.jpg (253 KB) Screenshot 2023-09-07 150042.jpg DNS that unbound resolves to was not passed still blocked Jonathan Lee, 09/29/2023 06:47 PM
Screenshot 2023-09-29 at 11.42.26 AM.png (319 KB) Screenshot 2023-09-29 at 11.42.26 AM.png DNS address that was blocked is already in auto generated passlist Jonathan Lee, 09/29/2023 06:48 PM
bugtest.PNG (209 KB) bugtest.PNG STANDARD: non decoy port scan ran shows port scan works correctly without decoy Jonathan Lee, 09/29/2023 06:51 PM
Screenshot 2023-09-29 at 9.45.25 AM.png (177 KB) Screenshot 2023-09-29 at 9.45.25 AM.png STANDARD: Snort Blocking source of port scan after shows port scan works correctly without decoy Jonathan Lee, 09/29/2023 06:51 PM
947C78F9-9BD9-4CB7-A183-F9019ED422CD.PNG (669 KB) 947C78F9-9BD9-4CB7-A183-F9019ED422CD.PNG WAN IP in snort showing blocked was not passed Jonathan Lee, 09/29/2023 06:53 PM
Screenshot 2023-09-29 at 11.58.56 AM.png (386 KB) Screenshot 2023-09-29 at 11.58.56 AM.png WAN IP Blocked above was not passed it was blocked Jonathan Lee, 09/29/2023 06:59 PM
Screenshot 2023-09-29 at 11.59.38 AM.png (132 KB) Screenshot 2023-09-29 at 11.59.38 AM.png DNS that unbound forwards to was not passed it was also blocked Jonathan Lee, 09/29/2023 06:59 PM
Actions #1

Updated by Marcos M about 1 year ago

  • Status changed from New to Feedback

I have spoof rules enabled they are still blocking the passlist addresses seen below.

This has been an issue in the past with Suricata. There have been attempts to resolve/mitigate/troubleshoot this, but I'm not certain on the latest status for that; perhaps there's a similar situation with Snort. More simply, it may be that the passlist hasn't properly taken effect yet - there are multiple factors that can affect it. I suggest discussing the issue on the forums first.

Actions

Also available in: Atom PDF