Snort
-
Hello All
Does any one know why snort doesnt show any alerts in the alerts tab?
the service is running and all seem to work but i still dont see any alerts..
-
I seem to have the same problems
I'm running 1.2 RC2 on an X86 box
here are some of the logs
don't understand why fxp1 would have "promiscuous mode disabled", I'd thought it would need to be in promiscuous mode to monitor the traffic, or does snort pick it up from the ip stack or something ?
Sep 26 07:51:12 kernel: fxp1: promiscuous mode disabled
Sep 26 07:49:50 SnortStartup[58572]: Ram free BEFORE starting Snort: 569M – Ram free AFTER starting Snort: 436M -- Mode ac -- Snort memory usage:
Sep 26 07:49:32 snort2c[58553]: snort2c running in daemon mode pid: 58553
Sep 26 07:49:32 snort2c[58553]: snort2c running in daemon mode pid: 58553
Sep 26 07:49:32 snort[58550]: Daemon initialized, signaled parent pid: 58548
Sep 26 07:49:32 snort[58550]: Daemon initialized, signaled parent pid: 58548
Sep 26 07:49:32 snort[58548]: Daemon parent exiting
Sep 26 07:49:32 snort[58548]: Daemon parent exiting
Sep 26 07:49:32 snort[58550]: Writing PID "58550" to file "/var/run//snort_fxp1.pid"
Sep 26 07:49:32 snort[58550]: Writing PID "58550" to file "/var/run//snort_fxp1.pid"
Sep 26 07:49:32 snort[58550]: PID path stat checked out ok, PID path set to /var/run/
Sep 26 07:49:32 snort[58550]: PID path stat checked out ok, PID path set to /var/run/
Sep 26 07:49:32 kernel: fxp1: promiscuous mode enabled
Sep 26 07:49:32 snort[58548]: Initializing daemon mode
Sep 26 07:49:32 snort[58548]: Initializing daemon mode
Sep 26 07:49:32 kernel: fxp1: promiscuous mode disabled
Sep 26 07:49:32 kernel: fxp1: promiscuous mode enabled
Sep 26 07:49:32 snort[58548]: 329 out of 512 flowbits in use.
Sep 26 07:49:32 snort[58548]: 329 out of 512 flowbits in use.
Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'dce.bind.ca-alert' is checked but not ever set.
Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'dce.bind.ca-alert' is checked but not ever set.
Sep 26 07:49:32 snort[58548]: Log directory = /var/log/snort
Sep 26 07:49:32 snort[58548]: Log directory = /var/log/snort
Sep 26 07:49:32 snort[58548]: Rule application order: ->activation->dynamic->pass->drop->alert->log
Sep 26 07:49:32 snort[58548]: Rule application order: ->activation->dynamic->pass->drop->alert->log
Sep 26 07:49:32 snort[58548]: –-----------------------------------------------------------------------------
Sep 26 07:49:32 snort[58548]: –-----------------------------------------------------------------------------
Sep 26 07:49:32 snort[58548]: | none
Sep 26 07:49:32 snort[58548]: | none
Sep 26 07:49:32 snort[58548]: +–---------------------[suppression]–----------------------------------------
Sep 26 07:49:32 snort[58548]: +–---------------------[suppression]–----------------------------------------
Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=12121 type=Limit tracking=src count=1 seconds=300
Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=12121 type=Limit tracking=src count=1 seconds=300
Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=8358 type=Limit tracking=src count=1 seconds=300
Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=8358 type=Limit tracking=src count=1 seconds=300
Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=5801 type=Limit tracking=src count=1 seconds=300
Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=5801 type=Limit tracking=src count=1 seconds=300 -
Had this same problem, which one of the rule categories was causing.
Disable all categories, and save.
Start enabling categories one by one and hit save and watch the logs for a successful snort initialization until you find the rule category that is causing the problem.
Anytime snort says promiscuous mode disabled, snort is running but its not going to work.
If after a restart it says snort exiting as a final log notice to a restart then same thing, its running but its not working. -
I too have noticed nothing being logged, I dont have the issue of "promiscuous mode disabled" in my logs, I've tried onhel's solution, with no joy, even to the point of deinstalling, rebooting, reinstalling, I also tested by enabling the "scan.rules" and performed a full scan, nothing showed up in the snort alerts or was the online scan host block.
Also nothing out of the ordinary shows up on my system log in regards to snort.
1.2-RC2
built on Wed Sep 26 15:54:17 EDT 2007Slam
-
The log entries below is what i get when snort starts up correctly along with squid, this is copied from my syslog server so the entries run from top to bottom. I have all rules enabled except netbios, backdoor, and misc, those 3 categories all caused snort to exit for unknown reason. I have 2 gigs of RAM so I use ac method because it allows snort to start up faster, the other methods use less ram but with a lot of rules enabled, it can take up to 2 minutes sometimes for snort to initialize, which is way to slow especially if you're trying to troubleshoot. With all those rule categories enabled, I'm only utilizing 34% of my RAM.
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1 sig-id=5980 type=Limit tracking=src count=1 seconds=300
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1 sig-id=5804 type=Limit tracking=src count=1 seconds=300
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1 sig-id=7515 type=Limit tracking=src count=1 seconds=300
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1 sig-id=7515 type=Limit tracking=src count=1 seconds=300
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | none
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | none
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: –-----------------------------------------------------------------------------
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: –-----------------------------------------------------------------------------
Sep-23-2007 6:40:49 AM Daemon.Notice Sep 23 06:40:49 snort[62782]: Rule application order: ->activation->dynamic->pass->drop->alert->log
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: 67 out of 512 flowbits in use.
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: 67 out of 512 flowbits in use.
Sep-23-2007 6:40:49 AM Kernel.Info UDP Sep 23 06:40:49 kernel: fxp1: promiscuous mode enabled
Sep-23-2007 6:40:49 AM Kernel.Info UDP Sep 23 06:40:49 kernel: fxp1: promiscuous mode disabled
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Initializing daemon mode
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Initializing daemon mode
Sep-23-2007 6:40:49 AM Kernel.Info UDP Sep 23 06:40:49 kernel: fxp1: promiscuous mode enabled
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: PID path stat checked out ok, PID path set to /var/run/
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: PID path stat checked out ok, PID path set to /var/run/
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Writing PID "62783" to file "/var/run//snort_fxp1.pid"
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Writing PID "62783" to file "/var/run//snort_fxp1.pid"
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Daemon initialized, signaled parent pid: 62782
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Daemon initialized, signaled parent pid: 62782
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Daemon parent exiting
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Daemon parent exiting
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort2c[62786]: snort2c running in daemon mode pid: 62786
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort2c[62786]: snort2c running in daemon mode pid: 62786
Sep-23-2007 6:41:06 AM Daemon.Info UDP Sep 23 06:41:07 SnortStartup[62798]: Ram free BEFORE starting Snort: 1847M – Ram free AFTER starting Snort: 1625M -- Mode ac -- Snort memory usage:
Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Snort initialization completed successfully (pid=62783)
Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Snort initialization completed successfully (pid=62783)
Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Not Using PCAP_FRAMES
Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Not Using PCAP_FRAMES
Sep-23-2007 6:41:20 AM Local0.Info UDP Sep 23 06:41:21 pf: 27. 852854 rule 81/0(match): block in on fxp1: (tos 0x0, ttl 100, id 8462, offset 0, flags [none], proto: ICMP (1), length: 61) 218.253.166.193 > xx.xx.xx.xx: ICMP echo request, id 512, seq 26976, length 41
Sep-23-2007 6:41:22 AM Local0.Info UDP Sep 23 06:41:23 pf: 2. 252989 rule 81/0(match): block in on fxp1: (tos 0x0, ttl 99, id 22353, offset 0, flags [none], proto: ICMP (1), length: 61) 218.253.166.193 > xx.xx.xx.xx: ICMP echo request, id 512, seq 63584, length 41
Sep-23-2007 6:42:56 AM Daemon.Notice UDP Sep 23 06:42:57 snort2c[62786]: attack detected non-whitelisted ip: xx.xx.xx.xx blocked !
Sep-23-2007 6:42:57 AM Daemon.Notice UDP Sep 23 06:42:57 snort2c[62786]: attack detected non-whitelisted ip: xx.xx.xx.xx blocked !Sometimes, I get this error if I reboot pfSense and Snort attempts to initialize:
FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "6624"
I clear all the IPs in the Snort Blocked Tab, clear the snort logs, and then restart Snort and Squid together and this error goes away.
Hope this helps.
-
The steps I took was to back up my config w/out package information, removed ALL packages (NTOP, IMSpector and Snort), rebooted, restored my config, rebooted again, installed the 3 packages I removed, I probably didnt have to do all those steps but eh, now Snort is working.
Slam
-
Making several reboots and also many changes to my config, I've had snort restarted several times and from what I can see, clearing the blocked list and clearing the snort logs and going to the first snort tab and hitting save is a sure thing for me when it doesnt start right.
-
I am still having problems, I have done a full clean install of pfsense using 1.2-RC2 ISO
built on Sun Sep 30 19:44:27 EDT 2007, because both Snort and IMSpector were giving me problems.Oct 1 07:43:09 ntop[1170]: THREADMGMT[t134610944]: ntop RUNSTATE: INIT(2) Oct 1 07:43:09 ntop[1170]: THREADMGMT[t134610944]: ntop RUNSTATE: PREINIT(1) Oct 1 07:43:09 snort[1178]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_ath0.pid" for PID "1178" Oct 1 07:43:09 snort[1178]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_ath0.pid" for PID "1178" Oct 1 07:43:09 snort[1178]: PID path stat checked out ok, PID path set to /var/run/ Oct 1 07:43:09 snort[1178]: PID path stat checked out ok, PID path set to /var/run/ Oct 1 07:43:09 snort[1177]: Initializing daemon mode Oct 1 07:43:09 snort[1177]: Initializing daemon mode Oct 1 07:43:09 snort[1177]: *** *** interface device lookup found: ath0 *** Oct 1 07:43:09 snort[1177]: *** *** interface device lookup found: ath0 *** Oct 1 07:43:09 snort[1177]: 0 out of 512 flowbits in use. Oct 1 07:43:09 snort[1177]: 0 out of 512 flowbits in use. Oct 1 07:43:09 snort[1177]: Log directory = /var/log/snort Oct 1 07:43:09 snort[1177]: Log directory = /var/log/snort
From what I can tell, its listening to the wrong interface, it should be listening to bfe0 (WAN) instead its listening to ath0 (WLAN), when I manually change it to the correct interface, the logs show up the correct thing
Oct 1 07:45:06 SnortStartup[1637]: Ram free BEFORE starting Snort: 29M -- Ram free AFTER starting Snort: 29M -- Mode ac-sparsebands -- Snort memory usage: Oct 1 07:44:49 snort[1607]: Not Using PCAP_FRAMES Oct 1 07:44:49 snort[1607]: Not Using PCAP_FRAMES Oct 1 07:44:49 snort[1607]: Snort initialization completed successfully (pid=1607) Oct 1 07:44:49 snort[1607]: Snort initialization completed successfully (pid=1607) Oct 1 07:44:49 snort2c[1610]: snort2c running in daemon mode pid: 1610 Oct 1 07:44:49 snort2c[1610]: snort2c running in daemon mode pid: 1610 Oct 1 07:44:49 snort[1607]: Daemon initialized, signaled parent pid: 1606 Oct 1 07:44:49 snort[1607]: Daemon initialized, signaled parent pid: 1606 Oct 1 07:44:49 snort[1606]: Daemon parent exiting Oct 1 07:44:49 snort[1606]: Daemon parent exiting Oct 1 07:44:49 snort[1607]: Writing PID "1607" to file "/var/run//snort_bfe0.pid" Oct 1 07:44:49 snort[1607]: Writing PID "1607" to file "/var/run//snort_bfe0.pid" Oct 1 07:44:49 snort[1607]: PID path stat checked out ok, PID path set to /var/run/ Oct 1 07:44:49 snort[1607]: PID path stat checked out ok, PID path set to /var/run/ Oct 1 07:44:49 snort[1606]: Initializing daemon mode Oct 1 07:44:49 snort[1606]: Initializing daemon mode
However, after a reboot it reverts back to ath0, I have double checked the settings in /cf/conf/config.xml, tried deleting /tmp/config.cache and rebooting but the problem still occurs.
Also I've just noticed something else thats strange, the log is showing:
Ram free BEFORE starting Snort: 29M -- Ram free AFTER starting Snort: 29M -- Mode ac-sparsebands -- Snort memory usage:
I have 1 GB of ram on the box, but on my dashboard its showing mem usage 16% and in phpsysinfo Physical Memory 16% - 850.51 MB - 163.91 MB - 1014.41 MB
EDIT: disabling a rule (P2P) and hitting save generates the following```
Warning: Invalid argument supplied for foreach() in /usr/local/www/snort_rulesets.php on line 40Slam
-
I see the same exact thing on a reboot. Snort apparently takes some coaxing to run properly and yes I've seen that line 40 error as well as of late.
This is not specific to just your system Slam, so no more clean installs, ok? ;)