Netgate Discussion Forum

Snort Updated to 2.7

pfSense Packages
65 Posts 17 Posters 48.1k Views
• n1ko

Is ac-bnfa in the web GUI also now? It seems to be the best option at the moment with not-so-high-end machines, and it has been stable with 2.6.

• AhnHEL

No, it's not, unfortunately.

        AhnHEL (Angel)

• morbus

It is pretty easy to add if you want it.

Just edit /usr/local/pkg/snort.xml
and in the performance fields add an extra option for this mode.

I haven't tested it on mine yet as Snort is broken, but I can't see why it won't work (the value of that field is just put into the "config detection: search-method" bit of the conf):

          #Use lower memory models
          config detection: search-method {$snort_performance}
          
• try

@AhnHEL:

In response to you, "Try":

I'm not getting your problem at all. You could try backing up your config, without backing up your package information, and try formatting and reinstalling pfSense to see if that clears up your problem. With this new version of Snort you shouldn't have to update the /usr/local/www/snort_download_rules.php file to fix the "flow:to_client" incompatibility.

I tried your suggestion today.
Fresh install of pfSense (RC3); after the basic settings (LAN, WAN) I go to Packages and install Snort 2.7.
But the installation process still stops at:
Downloading snort and its dependencies…

The same apkg_snort*.tbz is downloaded to the /tmp dir. But it just sits there, like in my earlier post.

I am confused?!?

• AhnHEL

I'm at a loss, "Try".

Hopefully a Hero member will chime in and be able to help you out. Even if you did get a successful install, Snort isn't working for any of us anyway, so maybe when the issue does get resolved it will fix your install problem as well.

              AhnHEL (Angel)

• sullrich

Please try again in 10+ minutes. I just changed the package to pull from pfsense.org.

• AhnHEL

Once I reinstall Snort and update the rules, I get the following error:

                  2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
                  2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
                  2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(65) unknown dynamic preprocessor "telnet_decode"
                  2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(65) unknown dynamic preprocessor "telnet_decode"
                  2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: FATAL ERROR: Misconfigured dynamic preprocessor(s)
                  2007-12-06 16:01:40 Daemon.Error Dec  6 15:59:50 snort[84877]: FATAL ERROR: Misconfigured dynamic preprocessor(s)

                  AhnHEL (Angel)

• sullrich

Grr. I wish they would stop changing all the configuration directives. I'll put this on my list, but it will be a bit before I get to it. In the meantime, patches accepted.

• shaddow501

Hello all

I have managed to get Snort working, but with some limitations, until a new working version is available.
Please note that this is only a temporary option until the kind pfSense experts get Snort working properly, but until then you can still have some kind of protection using Snort.
Here is what I did:

First, on the Snort settings page I removed the check mark for "update rules automatically" (this is so the changes I made will not be undone by the next update).

Second:
I made a change in the snort.conf file and removed the lines:

preprocessor frag2
preprocessor telnet_decode

Now there is a catch: when you press Save on the Snort settings, those lines come back into the snort.conf file, so make sure you do it last.

Third:
I went into the rule sets that I have enabled and removed all the lines referring to UDP ports.
I did it using the Edit File option in pfSense.

Example (you can copy and paste it into /usr/local/etc/snort/rules/scan.rules using the "Edit File" option in pfSense):

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
# $Id: scan.rules,v 1.39 2007/10/17 20:10:08 vrtbuild Exp $
#-----------
# SCAN RULES
#-----------
# These signatures are representitive of network scanners.  These include
# port scanning, ip mapping, and various application scanners.
# NOTE: This does NOT include web scanners such as whisker.  Those are
# in web*
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:8081; rev:1;)

#anyway I hope it will help for some users#

Don't forget to restart/start the Snort service again.
I have attached some files with some Snort rules; just copy and paste them into the right place....
I also attached snort.conf for you to view.

Update: to avoid changing snort.conf all the time, just make that change in snort.inc, which is located at /usr/local/pkg/snort.inc;
then it will be applied to snort.conf permanently.
I have added the snort.inc file so you can copy and paste it into your system, again using Edit File in the pfSense GUI.

                      snort_conf.txt
                      scan.txt
                      DOS.txt
                      DDOS.txt
                      Snort_inc.txt
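The workaround above (dropping the two preprocessor lines this Snort 2.7 build rejects, and removing UDP rules because the build lacks stream4udp) and morbus's earlier note that the Performance field value is dropped straight into "config detection: search-method" can be checked mechanically. The following Python is an added example written for this thread, not code from pfSense, the Snort package or any poster. It assumes the search-method names listed in the Snort 2.x manual (the thread itself only mentions ac and ac-bnfa), uses constructed sample fragments, and comments UDP rules out with a marker rather than deleting them so they can be restored once a build with stream4udp is available.

```python
"""Check and patch a Snort 2.7 snort.conf / rules file for the workarounds in this thread."""
import re

# Search methods accepted by 'config detection: search-method' in Snort 2.x.
# Assumption: names taken from the Snort 2.x manual; the thread only mentions ac and ac-bnfa.
KNOWN_SEARCH_METHODS = {"ac", "ac-std", "ac-bnfa", "ac-banded", "ac-sparsebands",
                        "ac-sparse", "acs", "lowmem", "mwm"}

# Preprocessors this thread's Snort 2.7 build rejects ("unknown dynamic preprocessor").
REMOVED_PREPROCESSORS = ("frag2", "telnet_decode")

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")
SEARCH_RE = re.compile(r"^\s*config\s+detection:\s*search-method\s+(\S+)", re.M)
UDP_RULE_RE = re.compile(r"^\s*(?:alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+udp\s")
DISABLED_MARK = "# DISABLED (build lacks stream4udp): "

# Constructed sample fragment, not the package's generated snort.conf.
SAMPLE_CONF = """\
preprocessor frag3_global
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor telnet_decode
config detection: search-method ac-bnfa
"""

# Constructed sample: the first rule is quoted from the thread's scan.rules,
# the UDP rule is made up for this demo (sid in the local range).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"CONSTRUCTED udp sample"; content:"public"; sid:9000001; rev:1;)
"""


def strip_removed_preprocessors(conf_text, removed=REMOVED_PREPROCESSORS):
    """Drop 'preprocessor <name>' lines for names in `removed`; return (text, dropped names)."""
    kept, dropped = [], []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m and m.group(1) in removed:
            dropped.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", dropped


def check_search_method(conf_text):
    """Return (method, is_known); method is None when the directive is absent."""
    m = SEARCH_RE.search(conf_text)
    if not m:
        return None, False
    return m.group(1), m.group(1) in KNOWN_SEARCH_METHODS


def disable_udp_rules(rules_text):
    """Comment out UDP rules with a marker (reversible, unlike deleting them); return (text, count)."""
    out, count = [], 0
    for line in rules_text.splitlines():
        if UDP_RULE_RE.match(line):
            out.append(DISABLED_MARK + line)
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count


def lint(conf_text, rules_text):
    """Apply both fixes and summarise what would change."""
    new_conf, dropped = strip_removed_preprocessors(conf_text)
    method, known = check_search_method(new_conf)
    new_rules, udp_count = disable_udp_rules(rules_text)
    return {"dropped_preprocessors": dropped, "search_method": method,
            "search_method_known": known, "udp_rules_disabled": udp_count,
            "conf": new_conf, "rules": new_rules}


if __name__ == "__main__":
    summary = lint(SAMPLE_CONF, SAMPLE_RULES)
    print({k: v for k, v in summary.items() if k not in ("conf", "rules")})
```

Run it against the real files by reading /usr/local/etc/snort/snort.conf and a rules file into the two arguments of lint() and writing the returned text back; because the package regenerates snort.conf on Save, the same edit has to be made in the template (snort.inc) for it to persist, exactly as the post's update notes.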

• shaddow501

Hello All

Please report if it helps for you as well…..

• shaddow501

Hello All

Could whoever built the last version of Snort build it with this line and post it?

./configure --enable-stream4udp

• yozh

So, as of right now, Snort is not working?

• shaddow501

Hello All

SNORT IS FIXED !!!!

After long hours of reading and testing, I was finally able to find and fix the problems.

In order for Snort to work on your system as well, until sullrich uploads my snort.inc in place of the older one, you will need to do a few things so that Snort works in your pfSense box too.

The easiest way is to go to the Edit File tab in the pfSense web GUI and open this file: /usr/local/pkg/snort.inc

Replace its full contents with the text file I have added to this post, and don't forget to press Save.

Then update the rules, go to Settings and press Save; it will write the snort.inc settings into your configuration file, and from now on Snort is operational.

Please post an update so I know that the file works for you all.

Ilan.

                              snort_inc.txt

• sullrich

Committed, thanks a million for the efforts.

• A Former User

;D I just did a Snort package install and the new version works 100%. Thank You !!! ;D ;D

• yozh

It works and the rules seem to be downloading, but it takes a very long time to install them, and it seems to get stuck in the middle of the install and then says that the rules were never updated. It's cosmetic, I believe, at this time, but what happens when it tries to auto-update the rules?

• AhnHEL

Mine is working fantastic, and I even used Morbus' edit to add the ac-bnfa mode to the Snort Settings Performance mode list. Now if we could just get this Mozilla Browser Bug Fix committed, Snort would be working perfectly.

                                      AhnHEL (Angel)

• yozh

Hmm, also the blocking doesn't seem to fully work. I see TCP portsweeps in the alerts but no blocked hosts, and in Settings "Block offenders" is checked. Strange.

• shiftyjoe

Hi all,

I just switched to pfSense 1.2-RC3 from IPCop and I am having issues with the Snort package. I have installed the latest, 2.7.0.1_3, and I don't seem to be getting any alerts (which I know should be there; IPCop reported a number of hits per day). I have Snort running with the ac method and most of the rules selected. Below is the log when I start Snort.

                                          Dec 12 09:06:39 snort2c[21009]: snort2c running in daemon mode pid: 21009
                                          Dec 12 09:06:39 snort2c[21009]: snort2c running in daemon mode pid: 21009
                                          Dec 12 09:06:39 snort2c[20088]: SIGTERM received - exiting
                                          Dec 12 09:06:39 snort2c[20088]: SIGTERM received - exiting
Dec 12 09:01:23 SnortStartup[20115]: Ram free BEFORE starting Snort: 402M -- Ram free AFTER starting Snort: 822M -- Mode ac -- Snort memory usage:
                                          Dec 12 09:01:07 snort[19527]: ACSM-No Memory: acsmCompile!
                                          Dec 12 09:01:07 snort[19527]: ACSM-No Memory: acsmCompile!
                                          Dec 12 09:01:05 snort2c[20088]: snort2c running in daemon mode pid: 20088
                                          Dec 12 09:01:05 snort2c[20088]: snort2c running in daemon mode pid: 20088
                                          Dec 12 09:01:05 snort[20007]: Daemon parent exiting
                                          Dec 12 09:01:05 snort[20007]: Daemon parent exiting
                                          Dec 12 09:01:05 snort[20007]: Child exited unexpectedly
                                          Dec 12 09:01:05 snort[20007]: Child exited unexpectedly
                                          Dec 12 09:01:04 snort[20026]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "20026"
                                          Dec 12 09:01:04 snort[20026]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "20026"
                                          Dec 12 09:01:04 snort[20026]: PID path stat checked out ok, PID path set to /var/run/
                                          Dec 12 09:01:04 snort[20026]: PID path stat checked out ok, PID path set to /var/run/

I am confused by the fatal error and the report of 402M of free memory before Snort runs… and 822M after it starts. fxp1 is my WAN NIC.

Any suggestions?

Running pfSense on a Celeron @ 966MHz w/ 1GB RAM, an 80GB IDE/ATA hard drive, and two Intel Desktop Pro 10/100 NICs.
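The two start-up logs quoted in this thread (AhnHEL's "unknown dynamic preprocessor" errors earlier, and the PID-lock, "ACSM-No Memory" and "Child exited unexpectedly" lines above) can be triaged automatically instead of read by eye. The following Python is an added example, not code from pfSense, the Snort package or any poster. The sample log is constructed after the quoted lines, syslog's duplicated entries are collapsed, and the advice strings encode only the remedies the thread itself arrives at (remove the rejected preprocessors; use a lower-memory search method such as ac-bnfa or enable fewer categories). The "Another Snort instance appears to hold the PID file" wording is an inference from the lock failure, not something the thread states.

```python
"""Triage Snort start-up errors from a pfSense system log (Snort 2.7 package era)."""
import re

# Constructed sample modelled on the lines quoted in this thread; syslog often
# records each line twice, which triage() collapses.
SAMPLE_LOG = """\
Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
Dec  6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(65) unknown dynamic preprocessor "telnet_decode"
Dec  6 15:59:50 snort[84877]: FATAL ERROR: Misconfigured dynamic preprocessor(s)
Dec 12 09:01:04 snort[20026]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "20026"
Dec 12 09:01:05 snort[20007]: Child exited unexpectedly
Dec 12 09:01:07 snort[19527]: ACSM-No Memory: acsmCompile!
Dec 12 09:01:23 SnortStartup[20115]: Ram free BEFORE starting Snort: 402M -- Ram free AFTER starting Snort: 822M -- Mode ac -- Snort memory usage:
"""

PREPROC_RE = re.compile(r'snort\.conf\((\d+)\) unknown dynamic preprocessor "([^"]+)"')
PIDLOCK_RE = re.compile(r'Failed to Lock PID File "([^"]+)"')
RAM_RE = re.compile(r'Ram free BEFORE starting Snort: (\d+)M -- '
                    r'Ram free AFTER starting Snort: (\d+)M -- Mode (\S+)')


def triage(log_text):
    """Return a findings dict for one Snort start-up attempt."""
    f = {
        "unknown_preprocessors": [],  # (snort.conf line number, preprocessor name)
        "pid_lock_failures": [],      # PID file paths that could not be locked
        "acsm_no_memory": 0,          # 'ACSM-No Memory' occurrences (pattern-matcher OOM)
        "child_exited": 0,            # 'Child exited unexpectedly' occurrences
        "ram_before_mb": None, "ram_after_mb": None, "mode": None,
        "advice": [],
    }
    seen = set()
    for raw in log_text.splitlines():
        msg = raw.split("]: ", 1)[-1]  # drop the 'timestamp prog[pid]: ' prefix
        if msg in seen:                # collapse syslog's duplicated entries
            continue
        seen.add(msg)
        m = PREPROC_RE.search(msg)
        if m:
            f["unknown_preprocessors"].append((int(m.group(1)), m.group(2)))
            continue
        m = PIDLOCK_RE.search(msg)
        if m:
            f["pid_lock_failures"].append(m.group(1))
            continue
        if "ACSM-No Memory" in msg:
            f["acsm_no_memory"] += 1
        elif "Child exited unexpectedly" in msg:
            f["child_exited"] += 1
        else:
            m = RAM_RE.search(msg)
            if m:
                f["ram_before_mb"], f["ram_after_mb"] = int(m.group(1)), int(m.group(2))
                f["mode"] = m.group(3)

    # Remedies, in the order the thread found them.
    if f["unknown_preprocessors"]:
        names = ", ".join(f"{n} (snort.conf line {ln})" for ln, n in f["unknown_preprocessors"])
        f["advice"].append(f"Remove the preprocessor lines this build does not know: {names}.")
    for path in f["pid_lock_failures"]:
        f["advice"].append(f"Another Snort instance appears to hold {path}; stop it before restarting.")
    if f["acsm_no_memory"]:
        f["advice"].append(f"Pattern-matcher compile ran out of memory (mode {f['mode']}); "
                           "switch to a lower-memory search method such as ac-bnfa or enable fewer rule categories.")
    if f["child_exited"] and f["ram_before_mb"] is not None and f["ram_after_mb"] > f["ram_before_mb"]:
        f["advice"].append("Free RAM rose after start-up, consistent with the Snort child having exited rather than running.")
    return f


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["advice"]:
        print("-", line)
```

The last advice line explains the "402M before, 822M after" puzzle: the startup script measures free memory after the child has already died, so the number going up is a symptom of the failure, not a memory leak in the other direction.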

• AhnHEL

I've gotten that type of error in the past. X out any blocked IPs in the Blocked tab, clear the log on the Alerts tab, and hit Save again in the Categories tab. Also, if you're using a majority of the categories, read page 1 of this post on using ac-bnfa mode. Mine craps out when using ac mode with a lot of categories.

                                            AhnHEL (Angel)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.