Netgate Discussion Forum

    Upgrade Snort ASAP

    pfSense Packages
    21 Posts 8 Posters 11.3k Views
    • Y
      yoda715
      last edited by

      @trendchiller:

      it REALLY works !

      I installed it on all my 3 systems… but I deleted it before on my systems and then reinstalled... so there are no packages left when looking at the shell by using pkg_info

      Good to hear I'm not going crazy :).

      1 Reply Last reply Reply Quote 0
      • Y
        yoda715
        last edited by

        I've updated Snort again. The changes I made will now automatically insert the WAN Gateway, DNS servers, and loopback address into your whitelist. This change will prevent issues with RRD graphs, DNS lookups and ftp-helper. I also modified the portscan detection so it should function properly now.

        Please reinstall using the procedures listed above and test it out :).

        1 Reply Last reply Reply Quote 0
        • T
          trendchiller
          last edited by

          ;D

          really cool !

          I love you for that  ::)

          Now it really works like a charm  8)

          1 Reply Last reply Reply Quote 0
          • P
            PC_Arcade
            last edited by

            @trendchiller:

            Now it really works like a charm  8)

            Couldn't agree more - Great work, thanks sdale :)

            1 Reply Last reply Reply Quote 0
            • K
              keithdrone
              last edited by

              I finally got my Snort to work, but had to uninstall and reinstall pfSense again. I tried everything else you suggested, but perhaps I installed/uninstalled Snort too many times because it was giving me some errors. So, format/reload and it worked for a bit.

              Then it shut down again and won't start up unless I keep pestering it to start over and over. Takes it about 30 minutes to go again. No logs on it, oddly enough.

              Perhaps I'm using too much memory for this version? I have about 460mb ram (pc133) on a 777mhz celeron bastard box. Only using 10-20% at any given time. Using AC-sparsebands, and loading up all but 2 rulesets on startup. Didn't have problems before. I've trimmed it down to loading 5 rulesets but it still randomly stops and won't start again. I'll keep tinkering and see if I can figure it out on my own.

              1 Reply Last reply Reply Quote 0
              • H
                hoba
                last edited by

                Sounds like memory issues to me. Try to disable some rules or test with only a few rules enabled just to confirm this assumption.

                1 Reply Last reply Reply Quote 0
                • K
                  keithdrone
                  last edited by

                  I uninstalled it and reinstalled it yet again… and now it works fine (for now), going on an hour without messing up. I have all the rulesets enabled and AC-sparsebands, same setup I had last time.

                  So, I'm chalking it up to gremlins. That and the fact that Comcast scans me about a trillion times a day :p  Probably testing out that exploit on their customers..... jerks.

                  Thanks for your help.

                  1 Reply Last reply Reply Quote 0
                  • Y
                    yoda715
                    last edited by

                    I would not advise running all rulesets with only 460 RAM. That might be part of your problem. If Snort starts eating up a lot of memory, processes will start to be killed, including Snort. I have 1gig and having all rulesets checked pushes me over 600mb.

                    1 Reply Last reply Reply Quote 0
                    • M
                      mbedyn
                      last edited by

                      Hmmm, my upgraded Snort instance was running fine until this morning, when I saw this in my logs:

                      Feb 23 07:23:17 	snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
                      Feb 23 07:23:17 	snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
                      Feb 23 07:13:20 	snort2c[45793]: attack detected non-whitelisted ip: 86.97.202.41 blocked !
                      

                      :-
                      Has anybody experienced this?

                      1 Reply Last reply Reply Quote 0
                      • T
                        trendchiller
                        last edited by

                        Crazy… when looking at >STATUS >SERVICES Snort seems to be stopped... ?

                        When starting it with the button it tells me it has been started, and the status still tells me Snort is stopped...

                        Cosmetic error or serious bug ?

                        When starting it in the CLI it tells me in the last lines:

                        ERROR: /usr/local/etc/snort/snort.conf(xx) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                        Fatal Error, Quitting..

                        What has happened ?

                        It's the same error on all my 2 local systems…

                        Seems to have something to do with the xxx-sample-files in /usr/local/etc/snort/ because snort cannot find the xxx.map-files, because they are NOT present... only the samples...
                        I have no idea how they are generated, but perhaps it helps ?

                        You can get it running MANUALLY FROM THE CLI by changing manually in /usr/local/etc/snort/snort.conf
                        preprocessor http_inspect: global iis_unicode_map unicode.map 1252 to preprocessor http_inspect: global iis_unicode_map unicode.map-sample 1252
                        include classification.config-sample to include classification.config-sample
                        include reference.config-sample to include reference.config-sample

                        or just rename the files above…

                        1 Reply Last reply Reply Quote 0
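The condition described in the post above (snort.conf pointing at files that exist only as `-sample` copies) can be checked before starting Snort. This is an added example, not part of the original thread or of the pfSense package: `check_snort_refs` and `make_sample_tree` are hypothetical names, the sample config is constructed, and relative paths are assumed to resolve against the directory holding snort.conf.

```shell
# Added example (hypothetical helper): print each file that snort.conf
# references but that is not readable; return the number of missing files.
check_snort_refs() {
    conf=$1
    dir=$(dirname "$conf")
    missing=0
    # File argument of "include <file>" and "iis_unicode_map <file> <codepage>",
    # ignoring commented-out lines.
    refs=$(awk '
        /^[ \t]*#/ { next }
        $1 == "include" { print $2 }
        { for (i = 1; i < NF; i++) if ($i == "iis_unicode_map") print $(i + 1) }
    ' "$conf")
    for ref in $refs; do
        case $ref in
            *\$*) continue ;;          # uses a Snort variable; not resolved here
            /*)   path=$ref ;;
            *)    path=$dir/$ref ;;    # assumption: relative to the config's directory
        esac
        [ -r "$path" ] && continue
        missing=$((missing + 1))
        if [ -r "$path-sample" ]; then
            echo "MISSING $path (only $path-sample is present)"
        else
            echo "MISSING $path"
        fi
    done
    return "$missing"
}

# Constructed sample tree: two referenced files exist only as *-sample copies.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/snort.conf" <<'EOF'
# include commented.config
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
include classification.config
include reference.config
include $RULE_PATH/local.rules
EOF
    touch "$d/unicode.map-sample" "$d/classification.config-sample" "$d/reference.config"
    echo "$d"
}

tree=$(make_sample_tree)
check_snort_refs "$tree/snort.conf" || echo "$? referenced file(s) missing"
rm -rf "$tree"
```

On a real system the function would be pointed at `/usr/local/etc/snort/snort.conf`, the path shown in the error message above.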
                        • Y
                          yoda715
                          last edited by

                          @trendchiller:

                          Crazy… when looking at >STATUS >SERVICES Snort seems to be stopped... ?

                          When starting it with the button it tells me it has been started, and the status still tells me Snort is stopped...

                          Cosmetic error or serious bug ?

                          When starting it in the CLI it tells me in the last lines:

                          ERROR: /usr/local/etc/snort/snort.conf(xx) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                          Fatal Error, Quitting..

                          What has happened ?

                          It's the same error on all my 2 local systems…

                          Seems to have something to do with the xxx-sample-files in /usr/local/etc/snort/ because snort cannot find the xxx.map-files, because they are NOT present... only the samples...
                          I have no idea how they are generated, but perhaps it helps ?

                          You can get it running MANUALLY FROM THE CLI by changing manually in /usr/local/etc/snort/snort.conf
                          preprocessor http_inspect: global iis_unicode_map unicode.map 1252 to preprocessor http_inspect: global iis_unicode_map unicode.map-sample 1252
                          include classification.config-sample to include classification.config-sample
                          include reference.config-sample to include reference.config-sample

                          or just rename the files above…

                          That is weird. Never had that trouble. Reinstall Snort and those files will be regenerated.

                          1 Reply Last reply Reply Quote 0
                          • T
                            trendchiller
                            last edited by

                            yes !
                            looking better :-)

                            1 Reply Last reply Reply Quote 0
                            • K
                              Klexx
                              last edited by

                              Hi, just upgraded but Snort won't start? When I'm trying to start it from the command line with "snort -d" I get this error message:

                              ERROR: /usr/local/etc/snort/snort.conf(42) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                              Fatal Error, Quitting..

                              Is it a minor bug ??

                              1 Reply Last reply Reply Quote 0
                              • S
                                sullrich
                                last edited by

                                Configure it first…

                                1 Reply Last reply Reply Quote 0
                                • K
                                  Klexx
                                  last edited by

                                  @sullrich:

                                  Configure it first…

                                  I reinstalled the package, and when I looked at the settings it seemed like it was configured (aka: all settings were the same as before).
                                  After I read your answer I just hit the save button, aka resaving the configuration, and now it works :-)

                                  Thank you for superb support :-)

                                  1 Reply Last reply Reply Quote 0