• Port 6667 - kids brought something home from school

    0 Votes
    7 Posts
    2k Views

    PPS:

    Wanted to have a look at the firewall logs, but apparently size is fixed to 500 kB, and the log was filled with nonsense "allow multicast" messages (IGMP 224.0.0.22 and stuff like that, no rule indicated why this nonsense is logged…), so that all relevant info from yesterday is gone.

    I tried to find the place where I can increase the log-size, but without success... Any suggestion where to increase the size of the log files?

    Many thanks in advance!

    chemlud...

    Found it! Increased log size, but it still logs this 224.0.0.22 IGMP although I have for more than a year now an "allow" rule for that without (!) logging (to stop flooding the logs), but pfSense simply doesn't care and logs this traffic anyway. Don't know what to do with that....

    PPPS: Erased the allow rule for IGMP from LAN to 224.0.0.22 and set it up again, but again this traffic was in the log file. Switched to "block" and now it subsided... Strange....

  • Snort 2.9.7.2 update coming soon

    0 Votes
    7 Posts
    2k Views
    bmeeksB

    The update has been approved and posted.  See the Release Notes thread in this forum for information.

    Bill

  • Getting this error on 2.2.1 release

    0 Votes
    10 Posts
    2k Views
    S

    After a couple of reboots, Snort started with no errors.

    Looking forward to 2.2.2 :D

  • Snort Fatal Error

    0 Votes
    5 Posts
    2k Views
    S

    You guys are GENIUS! Just to take a chance, I disabled IPV6 on my WAN, rebooted, and ba-bam! It's working now! Thanks!  ;D

  • Snort alert description - explanation?

    0 Votes
    2 Posts
    2k Views
    F

    Hello,

    Well, if you are referring to the classtype, these are just pre-defined categories with a priority from 1 to 4.

    http://manual.snort.org/node31.html

    If you want to know what a specific rule is alerting for, you'll have to look at the rule itself. In the GUI, go to your Snort interface, select the Rules tab, and browse the categories; there you'll be able to select the rule.

    Most rules have a reference part with a URL or a CVE number that could give you some info on what the rule is looking for.

    Example:
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;)

    See the reference part?

    F.
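As an added example (not from the post above, nor code from the pfSense or Snort projects), a small Python parser that splits a Snort/Suricata rule into its header and its option keywords and pulls out the fields the post says to read first: msg, classtype, sid/rev and the reference entries. The rule text is a copy of the one quoted above; the option grammar handled is only the common subset (quoted strings, `;` separators, backslash escapes, `content:!` negation).

```python
import re
# Constructed copy of the Emerging Threats rule quoted in the post above (sid 2019877).
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex '
    'Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; '
    'content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; '
    'reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;)'
)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$', re.S)

def split_options(body):
    """Split the option body on ';' but not inside "..." or right after a backslash escape."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == '\\' and i + 1 < len(body):      # keep escapes such as \; or \" intact
            cur.append(body[i:i + 2]); i += 2; continue
        if c == '"': quoted = not quoted
        if c == ';' and not quoted:
            parts.append(''.join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_rule(text):
    m = HEADER_RE.match(text.strip())             # header: action proto src sport dir dst dport
    if not m:
        raise ValueError("not a Snort/Suricata rule")
    rule = {k: v for k, v in m.groupdict().items() if k != 'body'}
    rule['options'] = []                          # ordered (keyword, value-or-None) pairs
    for opt in split_options(m.group('body')):
        key, sep, val = opt.partition(':')
        rule['options'].append((key.strip(), val.strip() if sep else None))
    return rule

def summarize(rule):
    """Pull out what the post says to read first: msg, classtype, sid/rev and the references."""
    opts = {}
    for k, v in rule['options']:
        opts.setdefault(k, []).append(v)
    return {
        'msg': opts['msg'][0].strip('"'), 'classtype': opts.get('classtype', [None])[0],
        'sid': int(opts['sid'][0]), 'rev': int(opts['rev'][0]),
        'references': [tuple(r.split(',', 1)) for r in opts.get('reference', [])],
        'negated_content': [v for k, v in rule['options'] if k == 'content' and v.startswith('!')],
    }
```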

  • Suricata $WAN_ADDRESS

    0 Votes
    3 Posts
    1k Views
    F

    Cool, I'll do that, thanks for your support Bill.

    F.

  • Barnyard2 high CPU usage

    0 Votes
    5 Posts
    4k Views
    R

    I have the same feeling as you. I really do not know how barnyard2 performs with several sensors doing queries/updates.
    I definitely have to put some monitoring on the mysql/mariadb database to know exactly what's going on and do better things than "drop the database and reinstall snorby" :)

    Maybe barnyard2 itself should produce some alerting info when it sees that there is an issue with the database.

    Well, I will start to find some good monitoring solution for mysql and keep you updated.

    Romain

  • Can't find the snort package in the list

    0 Votes
    4 Posts
    1k Views
    bmeeksB

    The latest pfSense stable release is 2.2.  Upgrade to that, and the Snort package will show up in the Packages listing.  The current Snort version is 2.9.7.0 for the binary and 3.2.3 for the GUI package.

    Bill

  • Snort Blocking Whitelisted IP

    0 Votes
    4 Posts
    3k Views
    bmeeksB

    @thx2000:

    Thank you!  The last paragraph was my problem.  For some reason, I assumed when adding the pass list that was modifying the default pass list.  For future reference, what is the recommended procedure for adding hosts to the whitelist?  I'm assuming I just need to update the alias, and restart the daemon on the interface?  Are there any other tricks I should be aware of?

    Thanks again.

    Yep, update the assigned alias and restart the interface.

    I think I will put some notifications and/or extra text on the PASS LIST tab in a future release to make this more clear.  It has tripped up several folks.

    Bill

  • Each snort alerts shows up twice in syslog

    0 Votes
    7 Posts
    2k Views
    F

    Hi Bill,

    No, no duplicates otherwise, just Snort alerts (but not, e.g., Snort startup notices).

  • 0 Votes
    7 Posts
    3k Views
    bmeeksB

    @canyonnetworks:

    UPDATE: I changed the Performance mode to AC-BFNA and now the interfaces start in 30 seconds. I used the GUI re-install now and it has fully restored everything back to normal now. Thanks again for your assistance.

    Ah…your Snort process was probably running out of memory and/or using swap and getting super slow.  Any Performance Mode other than AC-BFNA or AC-BFNA-NQ is a problem it seems.  Lots of folks have reported issues when changing it to something else.  Most of the other settings will eat memory like crazy, especially with lots of enabled rules.

    Bill

  • I broke the Snort widget

    0 Votes
    4 Posts
    1k Views
    bmeeksB

    The fix for this (provided by Phil, thanks  ;)) was merged into production today.  The package version was NOT bumped because the change was so minor and really did not impact Snort itself.  If you want the fix, simply do a GUI Components reinstall of Snort using the XML icon on the System > Packages > Installed Packages tab.

    Bill

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.