Author Topic: Snort LAN Alert  (Read 599 times)

slim2016
Snort LAN Alert
« on: January 21, 2018, 04:54:31 pm »
I added the LAN interface in Snort; however, a day later I decided to remove the LAN interface and just keep the WAN interface. Now I'm constantly getting LAN alerts from Snort in the firewall logs. Is there a way to stop this?

bmeeks
Re: Snort LAN Alert
« Reply #1 on: January 22, 2018, 06:58:23 am »
I added the LAN interface in Snort; however, a day later I decided to remove the LAN interface and just keep the WAN interface. Now I'm constantly getting LAN alerts from Snort in the firewall logs. Is there a way to stop this?

Sounds like the LAN daemon for Snort did not get stopped.  It should have with the interface removal, but apparently did not if you are still seeing live alerts.  Run this CLI command to see if a Snort daemon process is still running on your LAN:

Code:
ps -ax | grep snort
You should see only the Snort process on your WAN show up.  It will have the physical NIC name of your WAN in the process name.  For example, if your WAN is using the generic Intel em0 driver, then the string em0 will be in the process name.  Look for one with the NIC name from your LAN in its process name.  If you see one, manually kill that process.

Bill

slim2016
Re: Snort LAN Alert
« Reply #2 on: January 23, 2018, 04:04:16 pm »
The only response I'm getting from the command is

Code:
15824  -  S       0:00.00 sh -c ps -ax | grep snort 2>&1
16030  -  S       0:00.00 grep snort
60105  -  SNs   182:42.94 /usr/local/bin/snort -R 12902 -D -q --suppress-config

bmeeks
Re: Snort LAN Alert
« Reply #3 on: January 23, 2018, 06:28:04 pm »
The only response I'm getting from the command is

Code:
15824  -  S       0:00.00 sh -c ps -ax | grep snort 2>&1
16030  -  S       0:00.00 grep snort
60105  -  SNs   182:42.94 /usr/local/bin/snort -R 12902 -D -q --suppress-config

Yeah, the rest of the command is getting clipped by the 80-column display limit.  The interface name is out on the end of the line.  If you had Snort "stopped" in the GUI when you got this output, then the listed process (60105) is a zombie and you should kill it.  However, if Snort was running in the GUI when you ran the command then things look OK.

Snort can't generate alerts when it is not running on an interface (as in the CLI shows no active Snort processes when the GUI shows Snort is "down").

So to review what you did -- you first set up Snort on your WAN, and then you later added a LAN interface.  After a day you decided to delete the LAN interface but kept the WAN interface.  Is that correct?

Bill
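The check Bill describes in Reply #1 and Reply #3, scripted so the interface each Snort daemon is bound to is read from the full command line rather than eyeballed from clipped ps output. This is an added example, not code from the forum post or the pfSense package; the ps output below is constructed, and the interface names (em1 as WAN, em0 as the removed LAN) are assumptions.

```shell
#!/bin/sh
# Added example: list Snort daemons by the interface they were started on and
# flag any bound to an interface that should no longer be running Snort.
# On a live box, generate the input with something like:
#   ps -axww -o pid,command | grep '[s]nort'
# The "ww" keeps ps from clipping the command line, so the trailing "-i <nic>"
# survives (the clipping is what hid the interface name in the thread).

# Constructed sample of ps output: em1 is the WAN daemon, em0 a leftover LAN one.
SAMPLE_PS='60105 /usr/local/bin/snort -R 12902 -D -q --suppress-config-log -l /var/log/snort/snort_em112902 --pid-path /var/run --nolock-pidfile -G 12902 -c /usr/local/etc/snort/snort_12902_em1/snort.conf -i em1
60233 /usr/local/bin/snort -R 45678 -D -q --suppress-config-log -l /var/log/snort/snort_em045678 --pid-path /var/run --nolock-pidfile -G 45678 -c /usr/local/etc/snort/snort_45678_em0/snort.conf -i em0'

# stale_snort_pids "<ps output>" "<space-separated interfaces that should run Snort>"
# Prints "pid iface" for every snort daemon whose -i interface is not in the list.
stale_snort_pids() {
    ps_out=$1
    allowed=" $2 "
    printf '%s\n' "$ps_out" | grep '/snort ' | while read -r pid cmd; do
        # Pull the argument that follows "-i" out of the full command line.
        iface=$(printf '%s\n' "$cmd" | sed -n 's/.* -i \([^ ]*\).*/\1/p')
        [ -n "$iface" ] || continue
        case "$allowed" in
            *" $iface "*) ;;                        # expected interface, leave it
            *) printf '%s %s\n' "$pid" "$iface" ;;  # daemon on a removed interface
        esac
    done
}

# Only em1 (WAN) should still have a daemon; anything else printed here is the
# process to stop with kill <pid> as Bill suggests.
stale_snort_pids "$SAMPLE_PS" "em1"
```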

slim2016
Re: Snort LAN Alert
« Reply #4 on: January 24, 2018, 01:27:55 am »
Yes, that is correct. I've also removed Snort and reinstalled it, but that made no difference. Once I receive another Snort LAN alert I will post a screenshot. The last alert I remember had my IP phone as the source and the SIP server as the destination in the firewall logs. Obviously there are no alerts in the Snort application because there is no LAN interface, and nothing is getting blocked, just alerts.

slim2016
Re: Snort LAN Alert
« Reply #5 on: January 24, 2018, 01:45:18 am »
I ran that command again in full screen and yes, it is only showing em1, which is my WAN interface.

Code:
36373  -  SNs      5:46.10 /usr/local/bin/snort -R 12902 -D -q --suppress-config-log -l /var/log/snort/snort_em112902 --pid-path /var/run --nolock-pidfile -G 12902 -c /usr/local/etc/snort/snort_12902_em1/snort.conf -i em1
14119  0  S+       0:00.00 grep snort


slim2016
Re: Snort LAN Alert
« Reply #6 on: January 24, 2018, 05:48:00 am »
See the attached screenshot.

bmeeks
Re: Snort LAN Alert
« Reply #7 on: January 24, 2018, 08:41:49 am »
Are you also getting alerts labelled WAN, or is everything showing up as LAN?  If everything is LAN, one possibility is that during the LAN deletion the array indexes got messed up.  The package stores information about all the configured interfaces in an array.  The first interface you create is array index 0, the next is array index 1 and so on.  Maybe that index got messed up with the interface deletion ???.

If you are getting both WAN and LAN alerts, then I am really baffled.  If you are getting just alerts labelled LAN only, then it is likely the index problem I mentioned.  If the latter case is true, then PM me and I can have you send me the pertinent section of your config.xml file via email and I can fix it up.  Or, if it's not too much trouble, just remove the Snort package and reinstall.  Before you do that, go to GLOBAL SETTINGS and uncheck the "Save settings" checkbox near the bottom of the page so that Snort will remove all traces of itself including this current configuration.  Install the package fresh and configure it again and you should be good to go.

Bill


slim2016
Re: Snort LAN Alert
« Reply #8 on: January 24, 2018, 01:40:49 pm »
Yes, I'm getting WAN and LAN alerts. I did remove the package and then reinstalled it, but that didn't make any difference. I'll do it again and make sure that I reboot after each operation.

bmeeks
Re: Snort LAN Alert
« Reply #9 on: January 24, 2018, 04:25:29 pm »
Yes, I'm getting WAN and LAN alerts. I did remove the package and then reinstalled it, but that didn't make any difference. I'll do it again and make sure that I reboot after each operation.

In your case, just in the event your current Snort configuration is borked somehow, uncheck that "Save Settings" checkbox so Snort will remove the current configuration when the package uninstall routine runs.  Then when you reinstall, it will be a virgin installation with no pre-existing configuration.  As long as the "Save Settings" box is checked (and checked is the default), the configuration information will be saved and used again when the package is reinstalled.  So any corruption, if present, will keep coming back.

Bill

slim2016
Re: Snort LAN Alert
« Reply #10 on: January 24, 2018, 04:27:36 pm »
I did as you said and I just checked the logs; see the attached pic. Loads of Snort LAN alerts.

slim2016
Re: Snort LAN Alert
« Reply #11 on: January 24, 2018, 04:55:21 pm »
I would like to add that even though I unticked the box in GLOBAL SETTINGS "Keep Snort Settings After Deinstall", after rebooting and reinstalling Snort my configuration was still there. I didn't have to insert my Snort code and I didn't have to add the WAN interface because it was already there. The only thing I had to do was download the rules and start Snort.

bmeeks
Re: Snort LAN Alert
« Reply #12 on: January 24, 2018, 08:40:13 pm »
I would like to add that even though I unticked the box in GLOBAL SETTINGS "Keep Snort Settings After Deinstall", after rebooting and reinstalling Snort my configuration was still there. I didn't have to insert my Snort code and I didn't have to add the WAN interface because it was already there. The only thing I had to do was download the rules and start Snort.

You have a demon in that box!   :D.  That should never happen.  With that box unchecked (and I assume you did a "Save" after unchecking it), Snort deletes the entire Snort configuration section of your config.xml file for the firewall.  That removes everything for Snort including Oinkmaster code, rule selections, interfaces and everything; even including log files.

So if that did not happen, I am truly and fully perplexed.  Are you sure you clicked SAVE at the bottom of the GLOBAL SETTINGS page when you unchecked that "save settings" checkbox before doing the uninstall?

Bill

slim2016
Re: Snort LAN Alert
« Reply #13 on: January 25, 2018, 01:32:52 am »
Yes, 100%, I triple checked, because I remember the first time I removed the package it did the same.

I think the best thing to do is save the config.xml and do a fresh install; I think it's the easiest and quickest method to fix the problem.

bmeeks
Re: Snort LAN Alert
« Reply #14 on: January 25, 2018, 09:05:58 am »
Yes, 100%, I triple checked, because I remember the first time I removed the package it did the same.

I think the best thing to do is save the config.xml and do a fresh install; I think it's the easiest and quickest method to fix the problem.

Don't import that saved config or you will bring the problem right back.  Everything for Snort is contained in that config file.  So if it is corrupted in some fashion and you import the saved one into a fresh install, your fresh install is going to get corrupted again.

Bill

slim2016
Re: Snort LAN Alert
« Reply #15 on: January 26, 2018, 06:27:29 am »
I did a fresh install. I installed squid, then squidguard, and then Snort, and I'm still getting LAN alerts.

« Last Edit: January 26, 2018, 07:18:19 am by slim2016 »

bmeeks
Re: Snort LAN Alert
« Reply #16 on: January 29, 2018, 03:00:15 pm »
I did a fresh install. I installed squid, then squidguard, and then Snort, and I'm still getting LAN alerts.

What is showing on your ALERTS tab in Snort for the LAN?  Your screenshot is from the firewall system log.

Bill

slim2016
Re: Snort LAN Alert
« Reply #17 on: February 05, 2018, 04:05:34 pm »
There are no LAN alerts in the Snort ALERTS tab. I've just left it as it is; everything is working just fine.