Netgate Discussion Forum
    Snort Updated to 2.7

pfSense Packages
65 Posts 17 Posters 48.1k Views
trendchiller

Until now it seems to run on 2 machines without issues after Scott patched the interface problem.  ;D

cp8

        I have 2.7.0.1_1 installed… and I get this error:

        /usr/local/etc/rc.d/snort.sh start

        /libexec/ld-elf.so.1: snort: Undefined symbol "__sbtoupper"
        Sleeping before final memory sampling...

        FreeBSD pfsense.local 6.2-RELEASE-p8 FreeBSD 6.2-RELEASE-p8 #0: Wed Nov  7 18:38:17 EST 2007    sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6  i386

        Any ideas?

try

I tried several times to update today.
The uninstall of the previous version ran smoothly, but I cannot install the new version (2.7).
The process always stops at downloading snort.

          Downloading package configuration file… done.
          Saving updated package information... done.
          Downloading snort and its dependencies...

Anyone know what happened? Any help appreciated.

          Regards,

AhnHEL

The /usr/local/www/snort_rules.php file hasn't been updated either to fix the browser problem with Snort rules editing.

            http://forum.pfsense.org/index.php/topic,6809.msg38729.html#msg38729

            AhnHEL (Angel)

try

              @onhel:

The /usr/local/www/snort_rules.php file hasn't been updated either to fix the browser problem with Snort rules editing.

http://forum.pfsense.org/index.php/topic,6809.msg38729.html#msg38729

onhel,
yes, I am aware of this and performed the suggested fix along with the snort UDP incompatibility fix (sorry, I forget the details; it's about an incompatibility in snort v2.6 with snort rules for v2.7) when I used snort 2.6.
Still I am having a problem when trying to install snort 2.7.
It seems that the installation process always stops there (like I mentioned before).

When I look at the /tmp directory, I got apkg_snort-2.7.0.1_1.tbz with size 1,618,193, but the install process just sits there, doing nothing.

              I already tried the installation process using Firefox and IE, both come out with the same result.

              any help?

shaddow501

                Hello All

I am using the last release of pfSense (RC3), and I didn't have any problems installing this last version of snort.
The installation process worked fine and snort was installed and updated successfully.

But, and here is the big but, I do see snort loading in the system logs:
Dec 4 03:53:15 SnortStartup[20888]: Ram free BEFORE starting Snort: 60M -- Ram free AFTER starting Snort: 60M -- Mode lowmem -- Snort memory usage:
                Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709
                Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709
                Dec 4 03:52:56 snort2c[20376]: SIGTERM received - exiting
                Dec 4 03:52:56 snort2c[20376]: SIGTERM received - exiting

But I do not see it "work": it doesn't show any alerts and doesn't block anything.

I did try to "play" with the categories and change them, each time selecting only one category, but still there aren't any alerts. With the older version, the minute it was installed it started to give me alerts and blocked IPs. Anyone know what the problem is?

AhnHEL

                  Shaddow501:

That's exactly what I'm getting, so you're not alone.  Install and update worked flawlessly, but I don't get the "Snort Initiated Successfully" in my syslog and it's not blocking anything.  So in other words, it's running but not exactly working.  Trendchiller has got it running and he's mentioning a patch for an interface problem that probably hasn't made it into the package manager yet.  One of the perks of being a Hero Member?

In response to you, "Try":

I'm not getting your problem at all.  You could try backing up your config, without backing up your package information, and try to format and reinstall pfSense and see if that clears up your problem.  With this new version of Snort you shouldn't have to update the /usr/local/www/snort_download_rules.php file to fix the "flow:to_client" incompatibility.

                  AhnHEL (Angel)

morbus

I am seeing the same as onhel and Shaddow501: snort tries to start but fails, so I went to the shell to check what was up and did

                    snort -V

                    /libexec/ld-elf.so.1: snort: Undefined symbol "__sbtoupper"

so it looks like ld-elf.so.1 is missing some bits, and it looks like the snapshots won't help as no one has recently committed anything to fix this.

AhnHEL

While we're waiting for this to get resolved, anyone have any insight as to why Snort wasn't updated straight to 2.8, since that seems to be the most current stable version?  Not complaining, just curious.

                      AhnHEL (Angel)

n1ko

Is ac-bnfa in the webgui also now? It seems to be the best option atm for not-so-high-end machines, and it has been stable with 2.6.

AhnHEL

No, it's not, unfortunately.

                          AhnHEL (Angel)

morbus

It is pretty easy to add if you want it.

Just edit /usr/local/pkg/snort.xml
and in the performance field add an extra option for this mode.

I haven't tested it on mine yet as snort is broken, but I can't see why it won't work (the value of that field is just put into the config detection: search-method bit of the conf):

                            #Use lower memory models
                            config detection: search-method {$snort_performance}
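
The edit morbus describes, written out as an added example in Python (not the pfSense snort package's own code): it appends an ac-bnfa option to the performance select of a package-XML fragment and renders the `config detection: search-method` line from the chosen value. Because the GUI value is spliced straight into snort.conf, the render step only accepts values from an allowlist of Snort search methods; a valid method followed by a newline and another directive is refused. The XML layout (field/fieldname/options/option/name/value), the SEARCH_METHODS list and all function names are assumptions and not taken from the thread; compare the fragment with the real /usr/local/pkg/snort.xml before using it.

```python
"""Add an "ac-bnfa" choice to the performance <select> of a pfSense package
XML and render the snort.conf line from the chosen value.

Added example; not the pfSense snort package's own code.  SNORT_XML is a
constructed stand-in that follows the package-XML field/options/option layout
as I remember it (fieldname, type, options, option/name, option/value);
compare it with the real /usr/local/pkg/snort.xml before relying on it.  The
list of accepted search methods is assumed from the Snort 2.x manual.
"""
import xml.etree.ElementTree as ET

# Values Snort 2.x accepts for `config detection: search-method` (assumed
# from the Snort manual; ac-bnfa is the one asked for in the thread).
SEARCH_METHODS = frozenset({
    "ac", "ac-std", "ac-bnfa", "ac-sparsebands", "ac-banded", "acs",
    "lowmem", "mwm",
})

# Constructed stand-in for the relevant part of /usr/local/pkg/snort.xml.
SNORT_XML = """\
<packagegui>
  <fields>
    <field>
      <fielddescr>Performance</fielddescr>
      <fieldname>performance</fieldname>
      <type>select</type>
      <options>
        <option><name>LowMem</name><value>lowmem</value></option>
        <option><name>AC</name><value>ac</value></option>
      </options>
    </field>
  </fields>
</packagegui>
"""

# Stand-in for the template lines from snort.inc quoted in the post above.
CONF_TEMPLATE = ("#Use lower memory models\n"
                 "config detection: search-method {$snort_performance}\n")


def list_search_method_values(xml_text):
    """Return the <value>s offered by the 'performance' select field."""
    root = ET.fromstring(xml_text)
    for field in root.iter("field"):
        if field.findtext("fieldname") == "performance":
            return [o.findtext("value") for o in field.iter("option")]
    raise KeyError("no 'performance' field in package XML")


def add_search_method_option(xml_text, name, value):
    """Return xml_text with <option>name/value</option> appended to the
    'performance' select.  Idempotent; refuses values Snort would reject."""
    if value not in SEARCH_METHODS:
        raise ValueError(f"{value!r} is not a Snort search-method")
    root = ET.fromstring(xml_text)
    for field in root.iter("field"):
        if field.findtext("fieldname") != "performance":
            continue
        options = field.find("options")
        if any(o.findtext("value") == value for o in options.findall("option")):
            return xml_text          # already offered, nothing to do
        opt = ET.SubElement(options, "option")
        ET.SubElement(opt, "name").text = name
        ET.SubElement(opt, "value").text = value
        return ET.tostring(root, encoding="unicode")
    raise KeyError("no 'performance' field in package XML")


def render_search_method(performance):
    """Fill {$snort_performance} in, but only from the allowlist: the field
    value is spliced verbatim into snort.conf, so anything else (including a
    valid method followed by a newline and another directive) is rejected."""
    value = performance.strip()
    if value not in SEARCH_METHODS:
        raise ValueError(f"unsupported search-method: {performance!r}")
    return CONF_TEMPLATE.replace("{$snort_performance}", value)


if __name__ == "__main__":
    patched = add_search_method_option(SNORT_XML, "AC-BNFA", "ac-bnfa")
    print(list_search_method_values(patched))
    print(render_search_method("ac-bnfa"), end="")
```

Run it as-is to see the patched option list and the resulting snort.conf line; swap SNORT_XML for the contents of the real file once you have confirmed the field layout matches.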
                            
try

                              @onhel:

In response to you, "Try":

I'm not getting your problem at all.  You could try backing up your config, without backing up your package information, and try to format and reinstall pfSense and see if that clears up your problem.  With this new version of Snort you shouldn't have to update the /usr/local/www/snort_download_rules.php file to fix the "flow:to_client" incompatibility.

I tried your suggestion today.
Fresh install of pfSense (RC3); after basic settings (LAN, WAN) I go to Packages and install snort 2.7.
But still the installation process stops at:
Downloading snort and its dependencies…

The same apkg_snort*.tbz is downloaded to the /tmp dir, but it just sits there like in my earlier post.

I am confused?!?

AhnHEL

I'm at a loss, "Try".

Hopefully a Hero member will chime in and be able to help you out.  Even if you did get a successful install, Snort isn't working for any of us anyway, so maybe when the issue does get resolved, it will fix your install problem as well.

                                AhnHEL (Angel)

sullrich

                                  Please try again in 10+ minutes.  I just changed the package to pull from pfsense.org

AhnHEL

Once I reinstall Snort and update rules, I get the following error:

                                    2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
                                    2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
                                    2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(65) unknown dynamic preprocessor "telnet_decode"
                                    2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(65) unknown dynamic preprocessor "telnet_decode"
                                    2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: FATAL ERROR: Misconfigured dynamic preprocessor(s)
                                    2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: FATAL ERROR: Misconfigured dynamic preprocessor(s)

                                    AhnHEL (Angel)

sullrich

Grr.  I wish they would stop changing all the configuration directives.  I'll put this on my list, but it will be a bit before I get to it.  In the meantime, patches accepted.

shaddow501

                                        Hello all

I have managed to get snort working, but with some limitations, until a new working version is available.
Please note that it is only a temporary option until the kind pfSense experts get snort to work well, but until then you can still have some kind of protection using snort.
Here is what I did:

First, on the snort settings page I have removed the check mark for "update rules automatically" (this is so that the changes I made will not be ruined by the next update).

Second:
I have made a change in the snort.conf file and removed the lines:

preprocessor frag2
preprocessor telnet_decode

Now there is a catch: when you press save on the snort settings, those lines come back into the snort.conf file, so make sure you do it last.

Third:
I entered the rule sets that I have enabled and removed all the lines referring to the UDP ports.
I did it using the "edit file" option in pfSense.

Example: (you can copy and paste it using the "edit file" option in pfSense into /usr/local/etc/snort/rules/scan.rules)

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
#
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
# $Id: scan.rules,v 1.39 2007/10/17 20:10:08 vrtbuild Exp $
#-----------
# SCAN RULES
#-----------
# These signatures are representitive of network scanners.  These include
# port scanning, ip mapping, and various application scanners.
#
# NOTE: This does NOT include web scanners such as whisker.  Those are
# in web*

alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:8081; rev:1;)

Anyway, I hope it will help some users.

Don't forget to restart/start the snort service again.
I have attached some files for some snort rules; just copy and paste them at the right place....
Also attached is snort.conf for you to view.

Update: to avoid changing the snort.conf all the time, just make that change in snort.inc, which is placed at /usr/local/pkg/snort.inc;
then it will apply into the snort.conf forever.
I have added the snort.inc file so you can copy and paste it into your system using, again, "edit file" in the pfSense GUI.

                                        snort_conf.txt
                                        scan.txt
                                        DOS.txt
                                        DDOS.txt
                                        Snort_inc.txt
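
The two file edits in the workaround above (drop the `preprocessor frag2` and `preprocessor telnet_decode` lines that snort 2.7 rejects as "unknown dynamic preprocessor", then drop every UDP rule from the enabled rule files) are easy to get wrong by hand and have to be redone after each save or rules update. The script below is an added example in Python, not part of shaddow501's attachments or the pfSense package. SAMPLE_CONF and SAMPLE_RULES are constructed stand-ins (the UDP rules carry made-up local sids); the function names are mine. Rules continued over several lines with a trailing backslash are joined before the protocol is read, so a multi-line UDP rule is removed whole rather than leaving a fragment that would stop snort from starting; commented-out rules are left untouched.

```python
"""Apply the two file edits from the workaround above so they can be redone
after every rules update or settings save instead of by hand:

  1. drop the `preprocessor frag2` and `preprocessor telnet_decode` lines
     that snort 2.7 rejects as "unknown dynamic preprocessor";
  2. drop every active rule whose protocol is udp.

Added example, not the pfSense package's code.  SAMPLE_CONF and SAMPLE_RULES
are constructed stand-ins for snort.conf and a rules file (the udp rules
carry made-up local sids).  A rule continued over several lines with a
trailing backslash is joined before its protocol is read, so it is removed
whole rather than leaving a dangling fragment.
"""
import re

OBSOLETE_PREPROCESSORS = frozenset({"frag2", "telnet_decode"})

PREPROC_LINE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")
# Snort 2.x rule header: action, protocol, then source address ...
RULE_HEADER = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+(\S+)\s", re.I
)

# Constructed stand-in for snort.conf; only the two flagged lines must go.
SAMPLE_CONF = """\
var HOME_NET any
preprocessor frag2
preprocessor frag3_global
preprocessor stream4: disable_evasion_alerts
preprocessor telnet_decode: 23 25
preprocessor ftp_telnet: global inspection_type stateful
output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Constructed stand-in for a rules file (sids 1000001-1000003 are made up).
SAMPLE_RULES = """\
# constructed excerpt in the style of scan.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; classtype:attempted-recon; sid:621; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SCAN SNMP public request"; content:"public"; classtype:attempted-recon; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SCAN DNS version request"; \\
    content:"version"; nocase; classtype:attempted-recon; sid:1000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"already disabled"; sid:1000003; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
"""


def strip_obsolete_preprocessors(conf_text):
    """Return (new_conf, removed_lines); every other preprocessor line stays."""
    kept, removed = [], []
    for line in conf_text.splitlines():
        m = PREPROC_LINE.match(line)
        if m and m.group(1) in OBSOLETE_PREPROCESSORS:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def _logical_rules(rules_text):
    """Group physical lines into logical rules (backslash continuations)."""
    buf = []
    for line in rules_text.splitlines():
        buf.append(line)
        if line.rstrip().endswith("\\"):
            continue
        yield buf
        buf = []
    if buf:            # file ended inside a continuation
        yield buf


def strip_udp_rules(rules_text):
    """Return (new_rules, removed_rules); commented-out rules are left alone."""
    kept, removed = [], []
    for lines in _logical_rules(rules_text):
        joined = " ".join(l.rstrip().rstrip("\\").strip() for l in lines)
        m = RULE_HEADER.match(joined)
        if m and m.group(2).lower() == "udp":
            removed.append(joined)
        else:
            kept.extend(lines)
    return "\n".join(kept) + "\n", removed


def apply_workaround(conf_text, rules_text):
    """Run both edits and report what was dropped."""
    conf, dropped_pp = strip_obsolete_preprocessors(conf_text)
    rules, dropped_rules = strip_udp_rules(rules_text)
    return {"conf": conf, "rules": rules,
            "dropped_preprocessors": dropped_pp, "dropped_rules": dropped_rules}


if __name__ == "__main__":
    result = apply_workaround(SAMPLE_CONF, SAMPLE_RULES)
    print("removed:", result["dropped_preprocessors"])
    print("dropped %d udp rule(s)" % len(result["dropped_rules"]))
    print(result["conf"])
    print(result["rules"])
```

To use it on a box, read the real snort.conf and each enabled rules file into the two functions and write the results back, then restart snort as the post says; keep the "update rules automatically" box unchecked or schedule the script to run after each update, since the package rewrites both files.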

shaddow501

                                          Hello All

Please report if it helps for you as well…..

shaddow501

                                            Hello All

Whoever built the last version of snort, can you build it with this line and post it?

./configure --enable-stream4udp

?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.