quick_fix_pfsense/quick_fix.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="EN" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/xml; charset=utf-8" />

<title>Quick fix for pfSense/Snort enable/disable rules bug</title>

<style type = "text/css">
pre {background: #b8b8b8;}
</style>

</head>

<body>

<h1>Quick fix for pfSense/Snort enable/disable rules bug</h1>
<p>
<b>
Jack-Benny Persson
<br /><br />
<i>Originaly posted in the pfSense forum on 2012-04-17</i>
</b>
<br />
</p>
<table border = "1">
<caption>Revision history</caption>
<tr>
<th>Revision</th>
<th>Date</th>
<th>Decription</th>
<th>By</th>
</tr>
<tr>
<td>Rev. 5</td>
<td>2012-05-10</td>
<td>Added solution to emerging threats rules</td>
<td>jackbenny</td>
</tr>
<tr>
<td>Rev. 4</td>
<td>2012-05-09</td>
<td>Fixed headlines, TOC, marked code in gray etc</td>
<td>jackbenny</td>
</tr>
<tr>
<td>Rev. 3</td>
<td>2012-05-09</td>
<td>Added flow:established problem</td>
<td>jackbenny</td>
</tr>
<tr>
<td>Rev. 2</td>
<td>2012-05-08</td>
<td>Removed [rm *-e] and replaced it with [sed -i ""]</td>
<td>jackbenny</td>
</tr>
<tr>
<td>Rev. 1</td>
<td>2012-05-01</td>
<td>First release of this document</td>
<td>jackbenny</td>
</tr>
</table>
<h2>Table of contents</h2>
<p>
<a href="#enabledisable">Enable/disable rules bug</a>
<br />
<a href="#other">Other problemsi you might encounter</a>
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#established"><i>Rules with flow:established won't work?</i></a>
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#emerging"><i>What about Emerging Threats rules?</i></a>
<br />
<a href="#thanks">Thanks</a>
<br />
<a href="#contributions">Contributions</a>
</p>
<h2><a name="enabledisable">Enable/disable rules bug</a></h2>
<p>
I started using the Snort package for pfSense 2.0.1 (amd64) some days ago but as many others I noticed the problem with the enable/disabled rules resetting after updating the rules.<br />
So last night I started working on a quick fix for it, and came up with a nice and working solution. My solution involves enabling and disabling specific rules in a oinkmaster.conf file, so it&#039;s not a GUI solution. But at least now it&#039;s possible to have your own set of enabled/disabled rules.<br />
Anyway, here we go. I&#039;ll take it step by step here.<br /><br />
<b>First of all</b>, you&#039;ll need to install wget (so that oinkmaster.pl will work). 
For pfSense 2.0.1 amd64 use the following command (change URL according your platform and version).
<br />

</p>
<pre>fetch <a href="http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.2-release/ftp/wget-1.12_2.tbz">http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.2-release/ftp/wget-1.12_2.tbz</a>
<br />pkg_add wget-1.12_2.tbz
</pre>
<p>
<br />

<b>Next step</b> is to create a /etc/oinkmaster.conf file. Mine looks like this (change the Snort URL to include your oinkcode and change the snapshot version if you&#039;re a basic user or subscriber, look at the list on snort.org, for example use snapshot-2905 if you don&#039;t have a paid subscription).<br />
Note: Change your enabled/disabled rule at the bottom, this is just my own example, tweak to your needs.
<br />
</p>
<pre>
#oinkmaster.conf
############################# 
# Location of rules archive #
#############################

url = <a href="http://www.snort.org/pub-bin/oinkmaster.cgi/YOURCODEHERE/snortrules-snapshot-2922.tar.gz">http://www.snort.org/pub-bin/oinkmaster.cgi/YOURCODEHERE/snortrules-snapshot-2922.tar.gz</a>

#########################
# System configurationi #
#########################
path = /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbini
use_external_bins = 1
tmpdir = /tmp
umask = 0027

########################
# Extra configurationi #
########################
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$

# Sanity check
use_path_checks = 1

##################
# Rules handling #
##################

# Files to skip
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf
# skipfile threshold.conf

# SIDs to enable
enablesid 19559, 20120

# SIDs to disable
disablesid 19110, 19139, 19140, 19138, 19155, 19137, 19157, 19168, 19209, 19826
</pre>
<p>

<br />
<b>Last step</b> is to create a small shell script (I've named it update_rules.sh) which will handle the update and coping of rules etc. Every time the script is being run it will download a new set of rules, enable/disable the rules you&#039;ve chosen in oinkmaster.conf, copy the files to /usr/local/etc/snort/rules and /usr/local/etc/snort/snort_YOURNIC/rules.<br />
<b>Note: You need to change the NIC variable!</b><br />
</p>

<pre>
#!/bin/sh
#################################################
# update_rules.sh                               #
# Solution to pfSense/Snort rule disable/enable #
# Written by Jack-Benny                         #
#################################################

# Define your Snort interface
SNORT_NIC=&quot;47399_em0&quot;

# Check if tmp dir exists, and if not, create it
if [ ! -d &quot;/tmp/snort_rules&quot; ]; then
/bin/mkdir /tmp/snort_rules
fi

# Time do download our new snort rules
/usr/local/bin/oinkmaster.pl -o /tmp/snort_rules

# Lets begin with adding the snort_ prefix to our rules
cd /tmp/snort_rules
for f in *
do /bin/mv &quot;$f&quot; &quot;snort_$f&quot;
done

# We must add a whitespace after every &quot;#&quot; to make it compatible
/usr/bin/sed -i "" -e &#039;s/^\#alert/\# alert/g&#039; snort_*

# Now move them all to the correct locations
/bin/mv /tmp/snort_rules/snort_* /usr/local/etc/snort/rules/ 
/bin/cp /usr/local/etc/snort/rules/snort_* \
/usr/local/etc/snort/snort_${SNORT_NIC}/rules/

# And finally, restart Snort
/usr/local/etc/rc.d/snort.sh start

echo &quot;Your new rules have been downloaded and Snort has been restarted&quot;
</pre>

<p>

<br />If you&#039;d like <b>automatic updates</b>, just put the shell script in your crontab and let it run every 12 hour or so. Here is an example of my crontab.
<br /><b>Don&#039;t forget to turn of automatic updates in the WebGUI</b>
<br />

</p>
<pre>0 */12 * * * /root/update_rules.sh &gt; /root/last_rule_update.log 2&gt;&amp;1
</pre>

<h2><a name="other">Other problems you might encounter</a></h2>
<h3><a name="established">Rules with flow:established won't work?</a></h3>
<p>
For some reason my Snort wouldn't trigger any alerts on rules that contained the <i>flow:established</i> keyword. I noticed something was wrong when my pfSense/Snort had been live for about week without any alerts at all. So I got suspicous and tested it thoroughly with various simple rules. Still nothing. I couldn't figure out what I was doing wrong. So just out of curiosity I started to modify the rules to see what happend. All of the sudden I've got a rule to trigger alerts! What had I done? I'd removed the <i>flow:established</i> keyword from the rule. I tried it out on some other rules aswell, and got the same effect. So instantly I started googling the problem and found out that many people were seeing this issue aswell (although it didn't seem to be affecting many pfSense users at all, mostly people running Snort on their Linux machines). But nonetheless, other people were seeing this issue aswell, so I was not alone.
Several people had been asking about it in various forums. Often the reply was that their box must be misconfigured somehow so that the TCP packages isn't properly assembled. I found out that there are several config options one could try to make Snort reassemble the packges. But these were all already activated in my config. So what's left to make it work now? Remove all the <i>flow:established</i> keywords from all the rules. After some reading, I've come to the conclusion that this shouldn't have any big negative side effects.
</p>
<p>
<b>To remove all <i>flow:established</i> keywords from all the rules</b> simply add the following lines to the pfSense/Snort rules bug fix script (above) after the lines <i>"# We must add a whitespace after every "#" to make it work with the GUI"</i>.
</p>
<pre>
# Next remove all of the flow:established keywords, it doesn't work...
/usr/bin/sed -i "" -f /root/no_established.sed /tmp/snort_rules/snort_*
</pre>
<p>
<b>The script should now look like this:</b>
</p>
<pre>
#!/bin/sh
#################################################
# update_rules.sh                               #
# Solution to pfSense/Snort rule disable/enable #
# Written by Jack-Benny                         #
#################################################

# Define your Snort interface
SNORT_NIC="47399_em0"

# Check if tmp dir exists, and if not, create it
if [ ! -d "/tmp/snort_rules" ]; then
/bin/mkdir /tmp/snort_rules
fi

# Time do download our new snort rules
/usr/local/bin/oinkmaster.pl -o /tmp/snort_rules

# Lets begin with adding the snort_ prefix to our rules
cd /tmp/snort_rules
for f in *
do /bin/mv "$f" "snort_$f"
done

# We must add a whitespace after every "#" to make it compatible
/usr/bin/sed -i "" -e 's/^\#alert/\# alert/g' snort_*

# Next remove all of the flow:established keywords, it doesn't work...
/usr/bin/sed -i "-e" -f /root/no_established.sed /tmp/snort_rules/snort_*

# Now move them all to the correct locations
/bin/mv /tmp/snort_rules/snort_* /usr/local/etc/snort/rules/ 
/bin/cp /usr/local/etc/snort/rules/snort_* \
/usr/local/etc/snort/snort_${SNORT_NIC}/rules/

# And finally, restart Snort
/usr/local/etc/rc.d/snort.sh start

echo "Your new rules have been downloaded and Snort has been restarted"
</pre>
<p>
<br />
<b>Next step</b> now is to create a new file with the sed replace commands in. As you can see from the script I've placed this file unde /root and named it <i>no_established.sed</i>.
This is a a sed script file which contains the following lines:
</p>
<pre>
s/\,established\;/\;/g
s/established\,//g
s/flow\:established\;//g
s/\, established\;/\;/g
</pre>
<p>
Next time you'll run the update_rules.sh script it will remove <i>flow:established</i> from all of the rules!
</p>
<h3><a name="emerging">What about Emerging Threats rules?</a></h3>
<p>
I later realized that I also wanted to use some Emerging Threats rules with my pfSense/Snort box. The principle to get Emerging Threats rules to work is pretty much the same, except we won't use oinkmaster here. Instead we download the rules in our update script we create below.
NOTE: For the below script you have to download and install Bash, the shell that comes with pfSense won't work! To download and install the Bash simply run these commands.
</p>
<pre>
ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/shells/bash-static-4.2.28.tbz

pkg_add bash-static-4.2.28.tbz
</pre>
<p>
And that's it, now you have Bash installed. Lets move on the script to enable emerging threats rule (I've named it The Judge, hence the rules).
</p>
<pre>
#!/usr/local/bin/bash

###############################################################
### The Judge                                               ###
### Enables and disables emerging threats rules for pfSense ###
### Author: Jack-Benny Persson                              ###
### Date: 2012-05-05                                        ###
### Version: 0.2                                            ###
###############################################################

### Begin config options ###

# Enter the SIDs to enable inside the parathenis below
ENABLE=( 2012410 2012450 )

# Enter the SIDs to disable inside the parathensis below
DISABLE=( 2003474 ) 

# Path to the rules
RULES="rules/"

# Prefix to our rules
PREFIX="emerging-"

# Download URL (emerging threas rules)
DLURL="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"

### End config options ###


# Santiy checks etc
if [ ! -d "/tmp/emerging_rules" ]; then
/bin/mkdir /tmp/emerging_rules
fi

# cd to temp dir
cd /tmp/emerging_rules

# Download the rules
/usr/local/bin/wget ${DLURL}

#Unpack them
/usr/bin/tar zxf emerging.rules.tar.gz

# Change "#alert" to "# alert" to make it work...
/usr/bin/sed -i "" -e 's/^\#alert/\# alert/g' ${RULES}${PREFIX}*

# Remove established keyword
/usr/bin/sed -i "" -f /root/no_established.sed /tmp/emerging_rules/rules/${PREFIX}*

# Enable the rules we've chosen
for i in "${ENABLE[@]}"
do
/usr/bin/sed -i "" -e "/$i/ s/^\# alert/alert/" ${RULES}${PREFIX}*
done

#Disable the rules we've chosen
for i in "${DISABLE[@]}"
do
/usr/bin/sed -i "" -e "/$i/ s/^alert/\# alert/" ${RULES}${PREFIX}*
done

#Move them to /usr/local/etc/snor/rules...
/bin/mv /tmp/emerging_rules/rules/${PREFIX}* /usr/local/etc/snort/rules

#And finally, delete the tar.gz
/bin/rm emerging.rules.tar.gz
</pre>
<p>
As you can see from the script you'll have to have the sed script file "no_established.sed" in your root home directory. If you don't need to or don't want to remove the established keywords from the rules, just comment out that part in the script above. The sed file is the same as the one for the Snort rule in the <a href="#enabledisable">Enable/disable rules bug</a>.

</p>
<h2><a name="thanks">Thanks</a></h2>
<p>
I hope this could be useful to someone out there!
<br />
And thanks to all the pfSense developer and to the Snort package maintainer! I <b>really</b> like the Snort package, so keep up the good work!<br />
</p>
<h2><a name="contributions">Contributions</a></h2>
<p>
If you have found an error in this documents or if you whish to contribute to it in any way, please visit <a href="http://code.jackbenny.se/quick_fix_pfsense">code.jackbenny.se/quick_fix_pfsense</a> for this document's git repo.
</p>

</body>
</html>