Feature #15260
Snort IPS False Positives and Preprocessor Rules Misconfiguration
Status: closed, 100% done
Description
Greetings to all from IT And General.
I would like to point out an issue that we are experiencing with the Snort package.
It appears that pfSense is not enabling Snort preprocessor rules based on policy. This has been observed in Snort logs from multiple installs where preprocessor rule alerts were seen for specific preprocessor rules that were not enabled as part of the policy selected.
The preprocessor rules, embedded in the code, are modifiable via the preprocessor.rules file within the Snort rules package. This file mirrors the policy assignment format used in the Snort rules files. The current issue surfaces when all preprocessor rules are enabled regardless of the policy selection, leading to an excessive number of events being generated, contrary to the user's expectation when opting for one of the three base policies: Connectivity, Balanced, or Security.
CONNECTIVITY POLICY
- No preprocessor or decoder rules enabled
BALANCED POLICY
Preprocessor Rules:
- alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;)
- alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; )
- No decoder rules enabled
SECURITY POLICY
Preprocessor Rules:
- alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
- alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;)
- alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; )
- alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
- alert ( msg: "RPC_INCOMPLETE_SEGMENT"; sid: 4; gid: 106; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
- alert ( msg: "RPC_ZERO_LENGTH_FRAGMENT"; sid: 5; gid: 106; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
- alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0260; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
- alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; )
- alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; )
- alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
- alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; )
- alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
- alert ( msg: "SMTP_AUTH_COMMAND_OVERFLOW"; sid: 15; gid: 124; rev: 3; metadata: rule-type preproc, service smtp, policy max-detect-ips drop, policy security-ips drop ; classtype:attempted-admin; )
- alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,2006-5815; reference:bugtraq,20992; )
- alert ( msg: "FTPP_FTP_PARAMETER_STR_FORMAT"; sid: 5; gid: 125; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2000-0573; )
- alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-user; reference:cve,2007-3161; reference:cve,2010-1465; reference:url,www.kb.cert.org/vuls/id/276653; )
- alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service telnet, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0554; )
- alert ( msg: "SSH_EVENT_RESPOVERFLOW"; sid: 1; gid: 128; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-0639; reference:cve,2002-0640; classtype:attempted-admin;)
- alert ( msg: "SSH_EVENT_CRC32"; sid: 2; gid: 128; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-1024; reference:cve,2002-1547; reference:cve,2006-2971; reference:cve,2007-1051; reference:cve,2007-4654; classtype:attempted-admin;)
- alert ( msg: "SSH_EVENT_SECURECRT"; sid: 3; gid: 128; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2001-1466; reference:cve,2002-1059; classtype:attempted-admin;)
- alert ( msg: "DNS_EVENT_RDATA_OVERFLOW"; sid: 3; gid: 131; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service dns, policy security-ips drop ; classtype:attempted-admin; reference:cve,2006-3441; reference:url,www.microsoft.com/technet/security/bulletin/ms06-041.mspx; )
- No decoder rules enabled
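To show how the policy metadata in the lines above maps to an enabled set per base policy, here is an added Python example that is not part of this report or of the pfSense Snort package: it parses rules in the preprocessor.rules format and returns the gid:sid pairs that a chosen policy (connectivity, balanced or security) enables. The sample lines are copied from the lists above; `OPTION_RE`, `parse_rule` and `enabled_for_policy` are assumed names for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: three lines copied from the preprocessor.rules lists above
# (the third puts rule-type before its policy entries) plus a comment line.
SAMPLE_RULES = """\
alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
# comment lines are ignored
alert ( msg: "SMTP_AUTH_COMMAND_OVERFLOW"; sid: 15; gid: 124; rev: 3; metadata: rule-type preproc, service smtp, policy max-detect-ips drop, policy security-ips drop ; classtype:attempted-admin; )
"""

# One "key: value;" rule option; msg values are quoted and may contain ';' or ','.
OPTION_RE = re.compile(r'\s*([\w-]+)\s*:\s*("[^"]*"|[^;]*?)\s*;')

def parse_rule(rule: str) -> Dict:
    """Return gid, sid, msg and a {policy-name: action} map for one rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, policies = {}, {}
    for key, value in OPTION_RE.findall(body):
        if key != "metadata":
            opts[key] = value        # repeated keys (reference) overwrite; unused here
            continue
        for item in value.split(","):
            tokens = item.split()    # e.g. ["policy", "balanced-ips", "drop"]
            if len(tokens) >= 3 and tokens[0] == "policy":
                policies[tokens[1]] = tokens[2]
    return {"gid": int(opts["gid"]), "sid": int(opts["sid"]),
            "msg": opts["msg"].strip('"'), "policies": policies}

def enabled_for_policy(rules_text: str, policy: str) -> List[Tuple[int, int, str, str]]:
    """(gid, sid, msg, action) for rules whose metadata names '<policy>-ips'.
    A rule with no entry for the chosen policy stays disabled, which is what the
    report expects (connectivity enables none of the samples)."""
    tag = f"{policy}-ips"
    out = []
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            r = parse_rule(line)
            if tag in r["policies"]:
                out.append((r["gid"], r["sid"], r["msg"], r["policies"][tag]))
    return out
```

Comparing the result of `enabled_for_policy` against the gid:sid pairs that actually fire in the Snort alert log is a quick way to confirm whether a given install honours the selected policy.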