Quick fix for pfSense/Snort enable/disable rules bug

Jack-Benny Persson

Originaly posted in the pfSense forum on 2012-04-17

Revision history
Revision Date Decription By
Rev. 5 2012-05-10 Added solution to emerging threats rules jackbenny
Rev. 4 2012-05-09 Fixed headlines, TOC, marked code in gray etc jackbenny
Rev. 3 2012-05-09 Added flow:established problem jackbenny
Rev. 2 2012-05-08 Removed [rm *-e] and replaced it with [sed -i ""] jackbenny
Rev. 1 2012-05-01 First release of this document jackbenny

Table of contents

Enable/disable rules bug
Other problemsi you might encounter
     Rules with flow:established won't work?
     What about Emerging Threats rules?
Thanks
Contributions

Enable/disable rules bug

I started using the Snort package for pfSense 2.0.1 (amd64) some days ago but as many others I noticed the problem with the enable/disabled rules resetting after updating the rules.
So last night I started working on a quick fix for it, and came up with a nice and working solution. My solution involves enabling and disabling specific rules in a oinkmaster.conf file, so it's not a GUI solution. But at least now it's possible to have your own set of enabled/disabled rules.
Anyway, here we go. I'll take it step by step here.

First of all, you'll need to install wget (so that oinkmaster.pl will work). For pfSense 2.0.1 amd64 use the following command (change URL according your platform and version). 

fetch http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.2-release/ftp/wget-1.12_2.tbz

pkg_add wget-1.12_2.tbz


Next step is to create a /etc/oinkmaster.conf file. Mine looks like this (change the Snort URL to include your oinkcode and change the snapshot version if you're a basic user or subscriber, look at the list on snort.org, for example use snapshot-2905 if you don't have a paid subscription).
Note: Change your enabled/disabled rule at the bottom, this is just my own example, tweak to your needs. 

#oinkmaster.conf
############################# 
# Location of rules archive #
#############################

url = http://www.snort.org/pub-bin/oinkmaster.cgi/YOURCODEHERE/snortrules-snapshot-2922.tar.gz

#########################
# System configurationi #
#########################
path = /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbini
use_external_bins = 1
tmpdir = /tmp
umask = 0027

########################
# Extra configurationi #
########################
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$

# Sanity check
use_path_checks = 1

##################
# Rules handling #
##################

# Files to skip
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf
# skipfile threshold.conf

# SIDs to enable
enablesid 19559, 20120

# SIDs to disable
disablesid 19110, 19139, 19140, 19138, 19155, 19137, 19157, 19168, 19209, 19826


Last step is to create a small shell script (I've named it update_rules.sh) which will handle the update and coping of rules etc. Every time the script is being run it will download a new set of rules, enable/disable the rules you've chosen in oinkmaster.conf, copy the files to /usr/local/etc/snort/rules and /usr/local/etc/snort/snort_YOURNIC/rules.
Note: You need to change the NIC variable!

#!/bin/sh
#################################################
# update_rules.sh                               #
# Solution to pfSense/Snort rule disable/enable #
# Written by Jack-Benny                         #
#################################################

# Define your Snort interface
SNORT_NIC="47399_em0"

# Check if tmp dir exists, and if not, create it
if [ ! -d "/tmp/snort_rules" ]; then
/bin/mkdir /tmp/snort_rules
fi

# Time do download our new snort rules
/usr/local/bin/oinkmaster.pl -o /tmp/snort_rules

# Lets begin with adding the snort_ prefix to our rules
cd /tmp/snort_rules
for f in *
do /bin/mv "$f" "snort_$f"
done

# We must add a whitespace after every "#" to make it compatible
/usr/bin/sed -i "" -e 's/^\#alert/\# alert/g' snort_*

# Now move them all to the correct locations
/bin/mv /tmp/snort_rules/snort_* /usr/local/etc/snort/rules/ 
/bin/cp /usr/local/etc/snort/rules/snort_* \
/usr/local/etc/snort/snort_${SNORT_NIC}/rules/

# And finally, restart Snort
/usr/local/etc/rc.d/snort.sh start

echo "Your new rules have been downloaded and Snort has been restarted"


If you'd like automatic updates, just put the shell script in your crontab and let it run every 12 hour or so. Here is an example of my crontab.
Don't forget to turn of automatic updates in the WebGUI 

0 */12 * * * /root/update_rules.sh > /root/last_rule_update.log 2>&1

Other problems you might encounter

Rules with flow:established won't work?

For some reason my Snort wouldn't trigger any alerts on rules that contained the flow:established keyword. I noticed something was wrong when my pfSense/Snort had been live for about week without any alerts at all. So I got suspicous and tested it thoroughly with various simple rules. Still nothing. I couldn't figure out what I was doing wrong. So just out of curiosity I started to modify the rules to see what happend. All of the sudden I've got a rule to trigger alerts! What had I done? I'd removed the flow:established keyword from the rule. I tried it out on some other rules aswell, and got the same effect. So instantly I started googling the problem and found out that many people were seeing this issue aswell (although it didn't seem to be affecting many pfSense users at all, mostly people running Snort on their Linux machines). But nonetheless, other people were seeing this issue aswell, so I was not alone. Several people had been asking about it in various forums. Often the reply was that their box must be misconfigured somehow so that the TCP packages isn't properly assembled. I found out that there are several config options one could try to make Snort reassemble the packges. But these were all already activated in my config. So what's left to make it work now? Remove all the flow:established keywords from all the rules. After some reading, I've come to the conclusion that this shouldn't have any big negative side effects.

To remove all flow:established keywords from all the rules simply add the following lines to the pfSense/Snort rules bug fix script (above) after the lines "# We must add a whitespace after every "#" to make it work with the GUI". 

# Next remove all of the flow:established keywords, it doesn't work...
/usr/bin/sed -i "" -f /root/no_established.sed /tmp/snort_rules/snort_*

The script should now look like this: 

#!/bin/sh
#################################################
# update_rules.sh                               #
# Solution to pfSense/Snort rule disable/enable #
# Written by Jack-Benny                         #
#################################################

# Define your Snort interface
SNORT_NIC="47399_em0"

# Check if tmp dir exists, and if not, create it
if [ ! -d "/tmp/snort_rules" ]; then
/bin/mkdir /tmp/snort_rules
fi

# Time do download our new snort rules
/usr/local/bin/oinkmaster.pl -o /tmp/snort_rules

# Lets begin with adding the snort_ prefix to our rules
cd /tmp/snort_rules
for f in *
do /bin/mv "$f" "snort_$f"
done

# We must add a whitespace after every "#" to make it compatible
/usr/bin/sed -i "" -e 's/^\#alert/\# alert/g' snort_*

# Next remove all of the flow:established keywords, it doesn't work...
/usr/bin/sed -i "-e" -f /root/no_established.sed /tmp/snort_rules/snort_*

# Now move them all to the correct locations
/bin/mv /tmp/snort_rules/snort_* /usr/local/etc/snort/rules/ 
/bin/cp /usr/local/etc/snort/rules/snort_* \
/usr/local/etc/snort/snort_${SNORT_NIC}/rules/

# And finally, restart Snort
/usr/local/etc/rc.d/snort.sh start

echo "Your new rules have been downloaded and Snort has been restarted"


Next step now is to create a new file with the sed replace commands in. As you can see from the script I've placed this file unde /root and named it no_established.sed. This is a a sed script file which contains the following lines: 

s/\,established\;/\;/g
s/established\,//g
s/flow\:established\;//g
s/\, established\;/\;/g

Next time you'll run the update_rules.sh script it will remove flow:established from all of the rules!

What about Emerging Threats rules?

I later realized that I also wanted to use some Emerging Threats rules with my pfSense/Snort box. The principle to get Emerging Threats rules to work is pretty much the same, except we won't use oinkmaster here. Instead we download the rules in our update script we create below. NOTE: For the below script you have to download and install Bash, the shell that comes with pfSense won't work! To download and install the Bash simply run these commands. 

ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/shells/bash-static-4.2.28.tbz

pkg_add bash-static-4.2.28.tbz

And that's it, now you have Bash installed. Lets move on the script to enable emerging threats rule (I've named it The Judge, hence the rules). 

#!/usr/local/bin/bash

###############################################################
### The Judge                                               ###
### Enables and disables emerging threats rules for pfSense ###
### Author: Jack-Benny Persson                              ###
### Date: 2012-05-05                                        ###
### Version: 0.2                                            ###
###############################################################

### Begin config options ###

# Enter the SIDs to enable inside the parathenis below
ENABLE=( 2012410 2012450 )

# Enter the SIDs to disable inside the parathensis below
DISABLE=( 2003474 ) 

# Path to the rules
RULES="rules/"

# Prefix to our rules
PREFIX="emerging-"

# Download URL (emerging threas rules)
DLURL="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"

### End config options ###


# Santiy checks etc
if [ ! -d "/tmp/emerging_rules" ]; then
/bin/mkdir /tmp/emerging_rules
fi

# cd to temp dir
cd /tmp/emerging_rules

# Download the rules
/usr/local/bin/wget ${DLURL}

#Unpack them
/usr/bin/tar zxf emerging.rules.tar.gz

# Change "#alert" to "# alert" to make it work...
/usr/bin/sed -i "" -e 's/^\#alert/\# alert/g' ${RULES}${PREFIX}*

# Remove established keyword
/usr/bin/sed -i "" -f /root/no_established.sed /tmp/emerging_rules/rules/${PREFIX}*

# Enable the rules we've chosen
for i in "${ENABLE[@]}"
do
/usr/bin/sed -i "" -e "/$i/ s/^\# alert/alert/" ${RULES}${PREFIX}*
done

#Disable the rules we've chosen
for i in "${DISABLE[@]}"
do
/usr/bin/sed -i "" -e "/$i/ s/^alert/\# alert/" ${RULES}${PREFIX}*
done

#Move them to /usr/local/etc/snor/rules...
/bin/mv /tmp/emerging_rules/rules/${PREFIX}* /usr/local/etc/snort/rules

#And finally, delete the tar.gz
/bin/rm emerging.rules.tar.gz

As you can see from the script you'll have to have the sed script file "no_established.sed" in your root home directory. If you don't need to or don't want to remove the established keywords from the rules, just comment out that part in the script above. The sed file is the same as the one for the Snort rule in the Enable/disable rules bug.

Thanks

I hope this could be useful to someone out there!
And thanks to all the pfSense developer and to the Snort package maintainer! I really like the Snort package, so keep up the good work!

Contributions

If you have found an error in this documents or if you whish to contribute to it in any way, please visit code.jackbenny.se/quick_fix_pfsense for this document's git repo.