Feature #15260
closed
Snort IPS False Positives and Preprocessor Rules Misconfiguration
100%
Description
Greetings to all from IT And General.
I would like to point out an issue that we are experiencing with the Snort package.
It appears that pfSense is not enabling Snort preprocessor rules based on policy. This has been observed in Snort logs from multiple installs where preprocessor rule alerts were seen for specific preprocessor rules that were not enabled as part of the policy selected.
The preprocessor rules, embedded in the code, are modifiable via the preprocessor.rules file within the Snort rules package. This file mirrors the policy assignment format used in the Snort rules files. The current issue surfaces when all preprocessor rules are enabled regardless of the policy selection, leading to an excessive number of events being generated, contrary to the user's expectation when opting for one of the three base policies: Connectivity, Balanced, or Security.
CONNECTIVITY POLICY
¶
- No preprocessor or decoder rules enabled
BALANCED POLICY¶
Preprocessor Rules:
- alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;)
- alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; )
No decoder rules enabled
SECURITY POLICY¶
Preprocessor Rules:
- alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;)
- alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; )
- alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
- alert ( msg: "RPC_INCOMPLETE_SEGMENT"; sid: 4; gid: 106; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
- alert ( msg: "RPC_ZERO_LENGTH_FRAGMENT"; sid: 5; gid: 106; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
- alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0260; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
- alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; )
- alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; )
- alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
- alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; )
- alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
- alert ( msg: "SMTP_AUTH_COMMAND_OVERFLOW"; sid: 15; gid: 124; rev: 3; metadata: rule-type preproc, service smtp, policy max-detect-ips drop, policy security-ips drop ; classtype:attempted-admin; )
- alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,2006-5815; reference:bugtraq,20992; )
- alert ( msg: "FTPP_FTP_PARAMETER_STR_FORMAT"; sid: 5; gid: 125; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2000-0573; )
- alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-user; reference:cve,2007-3161; reference:cve,2010-1465; reference:url,www.kb.cert.org/vuls/id/276653; )
- alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service telnet, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0554; )
- alert ( msg: "SSH_EVENT_RESPOVERFLOW"; sid: 1; gid: 128; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-0639; reference:cve,2002-0640; classtype:attempted-admin;)
- alert ( msg: "SSH_EVENT_CRC32"; sid: 2; gid: 128; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-1024; reference:cve,2002-1547; reference:cve,2006-2971; reference:cve,2007-1051; reference:cve,2007-4654; classtype:attempted-admin;)
- alert ( msg: "SSH_EVENT_SECURECRT"; sid: 3; gid: 128; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2001-1466; reference:cve,2002-1059; classtype:attempted-admin;)
- alert ( msg: "DNS_EVENT_RDATA_OVERFLOW"; sid: 3; gid: 131; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service dns, policy security-ips drop ; classtype:attempted-admin; reference:cve,2006-3441; reference:url,www.microsoft.com/technet/security/bulletin/ms06-041.mspx; )
No decoder rules enabled
Updated by Roberto@ IT and General 3 months ago
Above, there is a list of the preprocessor rules and decoder rules that should be enabled/disabled for each of the three VRT policies.
The 'max-detect' policy should have both preprocessor and decoder rules enabled.
For more information regarding the manual adjustment of the preprocessor and decoder rules when utilising the Snort VRT IPS Policies, visit: https://www.itandgeneral.com/snort-on-pfsense-ips-policy-accuracy/
Updated by Bill Meeks 3 months ago
I am the volunteer package maintainer for Snort on pfSense. The method you described above for removing rules (disabling them) from a detection package is not how I understood the ips-policy metadata was intended to work. My understanding is the policy metadata specifies what the rule's ACTION should be for each IPS Policy (ALERT or DROP), but not which rules should be enabled. Do you have a link to some official Talos/Cisco documentation explaining your point of view for the ips-policy metadata? Not trying to be argumentative, but I genuinely did not understand the ips-policy metadata to be intended to operate as you describe it in this ticket in regards to the preprocessor rules.
Also, just FYI. I visited your link, and you advocate on the page using the DISABLE ALL option on the RULES tab for removing rules. There is a much easier method available for that using the features on the SID MGMT tab. You would create a custom disable.conf file and simply include either the individual SIDs (or a SID range) if wanting to disable just some rules in a cateogry, or you can specify the category name and automatically all rules in that category. Read the comments in the supplied SID MGMT conf template files on that tab for a more detailed explaination of the options available there.
Updated by Roberto@ IT and General 3 months ago
Hello Bill,
Thank you very much for your comment. I didn't perceive your message as an attempt to be argumentative. In fact, I genuinely appreciate the time and effort you're putting into trying to understand this issue.
As a Netgate partner and Snort integrator, we're working to facilitate the resolution of this issue by communicating with both sides, and now with yourself.
Below, in quotes, is the information we received from the Snort Team and Research Engineers at CISCO Talos. Please let me know if this is helpful or if we need to seek further details.
"All our Snort rules, both the plaintext and the preprocessor/decode rules have a keyword called "metadata" in them. This keyword lists various things like what service (dns, pop, imap) and policy. The different policy options are:
policy max-detect-ips drop (or alert)
policy security-ips drop (or alert)
policy balanced-ips drop (or alert)
policy connectivity drop (or alert)
pfsense is already doing that kind of parsing on the regular rulseset, and those keywords are present in preprocessor.rules and decoder.rules files. So, it should be a very simple thing to simply add those two files to the list of files being parsed.
The more general writeup about why rules are in specific policies can be found on Snort.org (https://www.snort.org/faq/why-are-rules-commented-out-by-default)"
P.S.
I appreciate your suggestion for a more efficient approach using the SID MGMT tab.
We will explore this method further.
Updated by Bill Meeks 3 months ago
Roberto@ IT and General wrote in #note-3:
Hello Bill,
The more general writeup about why rules are in specific policies can be found on Snort.org (https://www.snort.org/faq/why-are-rules-commented-out-by-default)"
I had read that link earlier, but managed to overlook this important line:
The last state is “in no policies”. This means that we insist that you look through these by product name or CVE in order to turn them on.
So, your interpretation is indeed correct, and certain preprocessor rules should be excluded from the active rules file when IPS-Policy mode operation is selected.
It should be trivial to implement that change. As you surmise, it is just a matter of including the preprocessor rules in the list of category files already being processed by the enforcing rules file builder logic. I will add this Redmine Issue to my internal tracking and see about getting this included in the next Snort update.
Updated by Bill Meeks 2 months ago
The fix for this feature request/bug fix has been posted as part of this pull request: https://github.com/pfsense/FreeBSD-ports/pull/1347.
When the pull request is merged, this Issue can be marked as RESOLVED.
Updated by Jim Pingle 2 months ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
PR merged, thanks!