Snort Updated to 2.7
-
Hello All
I am using the last release of pfsense (RC3), and I didn't have any problems with installing this last version of snort.
The installation process worked fine and snort was installed and updated successfully. But, and here is the big but, I do see the snort loading in the system logs:
Dec 4 03:53:15 SnortStartup[20888]: Ram free BEFORE starting Snort: 60M -- Ram free AFTER starting Snort: 60M -- Mode lowmem -- Snort memory usage:
Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709
Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709
Dec 4 03:52:56 snort2c[20376]: SIGTERM received - exiting
Dec 4 03:52:56 snort2c[20376]: SIGTERM received - exiting
But I do not see it "work": it doesn't show any alerts and doesn't block anything.
I did try to "play" with the categories and change them, each time selecting only one category, but still there aren't any alerts. With the older version, the minute it was installed it started to give me alerts and blocked IPs. Anyone know what the problem is?
-
Shaddow501:
That's exactly what I'm getting, so you're not alone. Install and update worked flawlessly, but I don't get the "Snort Initiated Successfully" in my Syslog and it's not blocking anything. So in other words, it's running but not exactly working. Trendchiller has got it running and he's mentioning a patch for an interface problem that probably hasn't made it into the package manager yet. One of the perks of being a Hero Member?
In response to you, "Try":
I'm not getting your problem at all. You could try backing up your config, without backing up your package information, and try to format and reinstall pfSense and see if that clears up your problem. With this new version of Snort you shouldn't have to update the /usr/local/www/snort_download_rules.php file to fix the "flow:to_client" incompatibility.
-
I am seeing the same as onhel and Shaddow501: snort tries to start but fails, so I went to the shell to check what was up and did
snort -V
/libexec/ld-elf.so.1: snort: Undefined symbol "__sbtoupper"
so it looks like ld-elf.so.1 is missing some bits, and it looks like the snapshots won't help as no one has recently committed anything to fix this
-
While we're waiting for this to get resolved, anyone have any insight as to why Snort wasn't updated straight to 2.8, since that seems to be the most current stable version? Not complaining, just curious.
-
Is ac-bnfa in the webgui also now? It seems to be the best option atm with not-so-highend machines and it has been stable with 2.6
-
No, it's not, unfortunately.
-
It is pretty easy to add if you want it.
Just edit /usr/local/pkg/snort.xml
and in the performance fields add an extra option for this mode. I haven't tested it on mine yet as snort is broke, but I can't see why it won't work (the value of that field is just put into the config detection: search-method bit of the conf):
#Use lower memory models
config detection: search-method {$snort_performance}
-
@onhel:
In response to you "Try":
I'm not getting your problem at all. You could try backing up your config, without backing up your package information, and try to format and reinstall pfSense and see if that clears up your problem. With this new version of Snort you shouldn't have to update the /usr/local/www/snort_download_rules.php file to fix the "flow:to_client" incompatibility.
I tried your suggestion today.
Fresh install of pfSense (RC3); after basic settings (LAN, WAN) I go to packages and install snort 2.7.
But still the installation process stops at:
Downloading snort and its dependencies…
The same apkg_snort*.tbz is downloaded to the /tmp dir, but just sits there like in my earlier post.
I am confused?!?
-
I'm at a loss, "Try".
Hopefully a Hero member will chime in and be able to help you out. Even if you did get a successful install, Snort isn't working for any of us anyway, so maybe when the issue does get resolved, it will fix your install problem as well.
-
Please try again in 10+ minutes. I just changed the package to pull from pfsense.org
-
Once I reinstall Snort, and Update Rules I get the following error:
2007-12-06 16:01:40 Daemon.Error Dec 6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
2007-12-06 16:01:40 Daemon.Error Dec 6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(33) unknown dynamic preprocessor "frag2"
2007-12-06 16:01:40 Daemon.Error Dec 6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(65) unknown dynamic preprocessor "telnet_decode"
2007-12-06 16:01:40 Daemon.Error Dec 6 15:59:50 snort[84877]: /usr/local/etc/snort/snort.conf(65) unknown dynamic preprocessor "telnet_decode"
2007-12-06 16:01:40 Daemon.Error Dec 6 15:59:50 snort[84877]: FATAL ERROR: Misconfigured dynamic preprocessor(s)
2007-12-06 16:01:40 Daemon.Error Dec 6 15:59:50 snort[84877]: FATAL ERROR: Misconfigured dynamic preprocessor(s)
-
Grr. I wish they would stop changing all the configuration directives. I'll put this on my list but it will be a bit before I get to it. In the meantime patches accepted.
-
Hello all
I have managed to get snort working, but with some limitations, till a new working version is available.
Please note that it is only a temporary option till the kind pfsense experts get snort to work well, but till then you can still have some kind of protection using snort.
Here is what I did:
First, on the snort settings page I removed the mark for "update rules automatically" (this is so the changes I made will not be ruined by the next update).
Second:
I made a change in the snort.conf file and removed the lines:
preprocessor frag2
preprocessor telnet_decode
Now there is a catch: when you press save on the snort settings, those lines come back to the snort.conf file, so make sure you do it last.
Third:
Entered the rule sets that I have enabled and removed all the lines referring to the UDP ports.
I did it using the edit file option in pfsense. Example (you can copy and paste it using the "edit file" option in pfsense into /usr/local/etc/snort/rules/scan.rules):
# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
# $Id: scan.rules,v 1.39 2007/10/17 20:10:08 vrtbuild Exp $
#-----------
# SCAN RULES
#-----------
# These signatures are representative of network scanners. These include
# port scanning, ip mapping, and various application scanners.
# NOTE: This does NOT include web scanners such as whisker. Those are
# in web*
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:8081; rev:1;)
Anyway, I hope it will help some users.
Don't forget to restart/start the snort service again.
I have attached some files for some snort rules, just copy and paste them at the right place....
Also attached snort.conf for you to view.
Update: to avoid changing the snort.conf all the time, just make that change in snort.inc, which is placed at /usr/local/pkg/snort.inc;
then it will apply to the snort.conf forever.
I have added the snort.inc file so you can copy and paste it into your system using, again, edit file in the pfsense gui.
-
Hello All
Please report if it does help for you as well…..
-
Hello All
Whoever built the last version of snort, can you build it with this line and post it?
./configure --enable-stream4udp
?
-
So as of right now snort is not working?
-
Hello All
SNORT IS FIXED !!!!
After long hours with reading and testing, I was finally able to find and to fix the problems.
In order for snort to work in your system too, and till sullrich uploads my snort.inc instead of the older one, you will need to do some things so that snort will work in your pfsense box as well.
The easiest way is to enter the edit file tab in the pfsense web gui and open this file: /usr/local/pkg/snort.inc
Replace its full contents with the text file I have added to this post, and don't forget to press save.
Then update the rules, enter settings and press save; it will set the snort.inc settings into your configuration file, and from now on snort is operational.
Please update to let us know that the file works for you all.
Ilan.
-
Committed, thanks a million for the efforts.
-
;D I just did a snort package install and the new version works 100% Thank You !!! ;D ;D
-
It works and the rules seem to be downloading, but it takes a very long time to install them, and it seems to be stuck in the middle of the install and then says that the rules were never updated. It's cosmetic I believe at this time, but what happens when it tries to auto update the rules?
-
Mine is working fantastic and I even used Morbus' edit to add the ac-bnfa mode to the Snort Settings Performance mode list. Now if we could just get this Mozilla Browser Bug Fix committed, Snort would be working perfectly.
-
Hmm, also the blocking doesn't seem to fully work. I see TCP portsweeps in the alerts but no blocked hosts, and in settings the "Block offenders" is checked. Strange
-
Hi all,
Just switched to pfsense 1.2-RC3 from IPCop and I am having issues with the snort package. I have installed the latest, 2.7.0.1_3, and I don't seem to be getting any alerts (which I know should be there; ipcop reported a number of hits per day). I have snort running with the ac method and most of the rules selected. Below is the log when I start snort.
Dec 12 09:06:39 snort2c[21009]: snort2c running in daemon mode pid: 21009
Dec 12 09:06:39 snort2c[21009]: snort2c running in daemon mode pid: 21009
Dec 12 09:06:39 snort2c[20088]: SIGTERM received - exiting
Dec 12 09:06:39 snort2c[20088]: SIGTERM received - exiting
Dec 12 09:01:23 SnortStartup[20115]: Ram free BEFORE starting Snort: 402M -- Ram free AFTER starting Snort: 822M -- Mode ac -- Snort memory usage:
Dec 12 09:01:07 snort[19527]: ACSM-No Memory: acsmCompile!
Dec 12 09:01:07 snort[19527]: ACSM-No Memory: acsmCompile!
Dec 12 09:01:05 snort2c[20088]: snort2c running in daemon mode pid: 20088
Dec 12 09:01:05 snort2c[20088]: snort2c running in daemon mode pid: 20088
Dec 12 09:01:05 snort[20007]: Daemon parent exiting
Dec 12 09:01:05 snort[20007]: Daemon parent exiting
Dec 12 09:01:05 snort[20007]: Child exited unexpectedly
Dec 12 09:01:05 snort[20007]: Child exited unexpectedly
Dec 12 09:01:04 snort[20026]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "20026"
Dec 12 09:01:04 snort[20026]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "20026"
Dec 12 09:01:04 snort[20026]: PID path stat checked out ok, PID path set to /var/run/
Dec 12 09:01:04 snort[20026]: PID path stat checked out ok, PID path set to /var/run/
I am confused by the fatal error and the report of 402M of free memory before snort runs… and 822M after it starts. fxp1 is my WAN NIC.
Any suggestions?
-
I've gotten that type of error in the past. X out any blocked IPs in the Blocked tab, Clear the log on the Alerts tab, and hit Save again in the Categories tab. Also, if you're using a majority of the categories, read page 1 of this post on using ac-bnfa mode. Mine craps out when using ac mode and using a lot of categories
-
Well, snort did work. Now it crashes pfsense. So I did a reinstall of pfsense and installed snort and tried to update; now I get this: snort rules: md5 signature of rules mismatch. So I guess I will go back to my D-Link. >:(
-
onhel - Thanks for the help, changed to ac-bnfa and snort is much happier now.
cdx304 - "Well, snort did work. Now it crashes pfsense. So I did a reinstall of pfsense and installed snort and tried to update; now I get this: snort rules: md5 signature of rules mismatch. So I guess I will go back to my D-Link. Angry"
Not sure if it will help, but I've gotten this message. After a fifteen minute wait, I could re-download the rules without an issue.
-
Yes, I have gotten the md5 mismatch a couple of times as well during the testing of Snort 2.7.0.1_1 and 2.7.0.1_2. A second attempt to download rules always cleared up this error.
While I have this post up, I'd like to give my thanks to Sullrich for maintaining the package and Shaddow501 for his help to Sullrich in getting the problems with 2.7 resolved so quickly for all of us end-users. Great job guys.
-
@onhel:
Yes, I have gotten the md5 mismatch a couple of times as well during the testing of Snort 2.7.0.1_1 and 2.7.0.1_2. A second attempt to download rules always cleared up this error.
While I have this post up, I'd like to give my thanks to Sullrich for maintaining the package and Shaddow501 for his help to Sullrich in getting the problems with 2.7 resolved so quickly for all of us end-users. Great job guys.
There is a 2.7.0.1_3 version working ok here
-
Pfsense crashes now with snort installed .
-
@cdx304:
Pfsense crashes now with snort installed .
Define "crash."
Please elaborate.
Mine is running great, possibly a hardware issue?
-
Hi All
After a few days working with snort I have found that it doesn't remove the blocked IP after 60 min; maybe it is something with the configuration, I am not sure yet.
I do think that there should be a line in the cron configuration that after a specific time removes the blocked IPs, or maybe I am wrong…
Did anyone notice that problem, or is it just something messed up in my system?
Anyway, any information on where I should write this line I will appreciate.
-
This post (http://forum.pfsense.org/index.php/topic,5902.0.html) is talking about how to change the time it takes before the IPs are removed.
Sullrich says: "You can change the reset time by modifying /cf/conf/config.xml from Diagnostics -> Edit File.
Look for the cron entry that runs the command /usr/local/sbin/expiretable -t 1800 snort2c.
Change the <minute>60</minute> to whatever you like. Then go to Diagnostics -> Command Prompt and in the PHP command box issue the command:
configure_cron();"
I'd check to make sure the cron job is scheduled.
-
Watched a blocked IP and noticed it was removed after around 87 minutes. Performed a second test and this one went beyond 115 minutes before I gave up on babysitting the GUI, so I can confirm your experiences, Shaddow501. One thing I noticed while tinkering around with this is that "top" doesn't show snort2c running when an IP is blocked. I can verify that the IP is in fact blocked, so I can only assume snort2c is doing its job, but it's strange that I don't see it running when I know I've seen snort2c by running top in the past.
-
Hi OnHel
Well, I do think that the reason snort crashes (I do see a strange line in my log that refers to snort exited, core dump, well something like that) is that it isn't a very stable release. Anyway, I am working on the snort.inc file to see if by removing some items it will make snort work better (like the SMTP check that I have added and the FTP preprocessor that I have added). So far I have removed the SMTP and will check it for a few days to see if it will make the release more stable.
If you would like to "play" with the file too, it is located at /usr/local/pkg/snort.inc (just use edit file in the snort gui).
Also, I did a modification in cron that will remove the blocked IP after 10 min, and I guess it does work...
-
Hi Guys
I have started to work with snort version 2.8.0.1, since I didn't like the 2.7.0.1 much. I have made a new package based on the snort 2.7.0.1 package but with the files of the new latest version I mentioned above.
In the terminal ssh software I just pkg_delete the old version and did pkg_add of my version. The new version seems to work so far, but I still don't have much information on how stable it is.
It also requires a change in the snort.inc file. Anyone that wishes to try it may contact me.
-
Perhaps give scott a link if it runs fine ;-)
-
Shaddow501, I've been studying the snort.inc file, and trust me I'm not in your league at all in understanding it, nor would I have been able to fix it the way you did previously when the preprocessors were causing Snort to crash.
But I did notice that some alerts weren't properly being set off. For instance, ICMP pings to my WAN IP weren't setting off a Snort Alert even though I have the same ICMP rules enabled as I did with 2.6.
Then I noticed that you had the preprocessor flow enabled in the snort.inc file. According to this site http://cvs.snort.org/viewcvs.cgi/snort/doc/README.stream5?rev=1.2
The Stream5 preprocessor is a target-based TCP reassembly module
for Snort. It is intended to replace both the stream4 and flow
preprocessors, and it is capable of tracking sessions for both
TCP and UDP. With Stream5, the rule 'flow' and 'flowbits' keywords
are usable with TCP as well as UDP traffic.Since Stream5 replaces stream4, both cannot be used simultaneously.
Remove the stream4 and flow configurations from snort.conf when the
stream5 configuration is added.
I commented out the flow preprocessor and I'm now seeing ICMP ping alerts again.
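The two snort.conf breakages this thread runs into (the frag2 and telnet_decode preprocessors that Snort 2.7 rejects as "unknown dynamic preprocessor", and stream4/flow left in place next to stream5, which README.stream5 says must be removed) can be caught before restarting Snort. The following Python is an added example, not code from the thread or from the pfSense snort package; the snort.conf it scans is a constructed sample, and the ac-bnfa hint reflects the advice given earlier in the thread about "ACSM-No Memory" failures in ac mode.

```python
import re

# Preprocessors Snort 2.7 reports as "unknown dynamic preprocessor" (from the thread's logs).
REMOVED_IN_27 = {"frag2", "telnet_decode"}
# Preprocessors README.stream5 says to remove once a stream5 configuration is present.
REPLACED_BY_STREAM5 = {"stream4", "stream4_reassemble", "flow"}

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)\s*(?::|$)")
SEARCH_RE = re.compile(r"^\s*config\s+detection:\s*search-method\s+(\S+)")

# Constructed sample, modelled on the pfSense-generated snort.conf discussed above.
SAMPLE_CONF = """\
# constructed sample snort.conf
var HOME_NET any
config detection: search-method ac
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor flow: stats_interval 0 hash 2
preprocessor stream5_global: max_tcp 8192, track_tcp yes
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor telnet_decode
"""


def audit_snort_conf(text):
    """Return (findings, fixed_text).

    findings: list of (line_number, message), sorted by line number.
    fixed_text: the same config with the offending preprocessor lines
    commented out, which is what the thread's workaround does by hand.
    """
    lines = text.splitlines()
    preprocs = [(i, m.group(1)) for i, line in enumerate(lines, 1)
                if (m := PREPROC_RE.match(line))]
    uses_stream5 = any(name.startswith("stream5") for _, name in preprocs)

    findings, to_comment = [], set()
    for lineno, name in preprocs:
        if name in REMOVED_IN_27:
            findings.append((lineno, f'preprocessor "{name}" is unknown to Snort 2.7; remove it'))
            to_comment.add(lineno)
        elif uses_stream5 and name in REPLACED_BY_STREAM5:
            findings.append((lineno, f'preprocessor "{name}" conflicts with stream5; remove it'))
            to_comment.add(lineno)

    for lineno, line in enumerate(lines, 1):
        m = SEARCH_RE.match(line)
        if m and m.group(1) == "ac":
            findings.append((lineno, 'search-method "ac" is the most memory-hungry; ac-bnfa is the lighter choice'))

    findings.sort(key=lambda f: f[0])
    fixed = [("# " + line if i in to_comment else line) for i, line in enumerate(lines, 1)]
    return findings, "\n".join(fixed) + "\n"


if __name__ == "__main__":
    found, fixed_conf = audit_snort_conf(SAMPLE_CONF)
    for lineno, msg in found:
        print(f"snort.conf({lineno}): {msg}")
    print(fixed_conf)
```

Run against the real file on a box, `audit_snort_conf(open("/usr/local/etc/snort/snort.conf").read())` reports the offending line numbers in the same form as the "snort.conf(33)" errors in the log above.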
-
Hi OnHeL
Well, you are right, with the last version of snort 2.8.0.1 I did disable the flow preprocessor. I did compile the 2.8.0.1 so that it will also support stream4udp packets, so it does work with both stream5 and stream4 configurations (but they will not work together; you must select if you want to use the stream4 or the stream5 option).
With both versions (2.7.0.1 & 2.8.0.1) I still have a problem: after some time (could be hours and could be minutes) snort exits with this message:
" (snort), uid 0: exited on signal 11 (core dumped)". I haven't got any clue what could cause it, and looking on the web (google and such) didn't turn up much information… I am curious if it is just me that gets this error or some of you get it as well. If someone has got any clue how to debug it and see what causes this fault I could make a bit more progress, but as for now I am kinda stuck with lack of information.
I did try snort with almost all the working methods, but again I do get the message and snort stops doing what it should be doing (blocking :))
anyone?
-
I have a similar problem that some of the others are having with Snort.
Version of pfSense:
1.2-RC2
built on Fri Aug 17 17:46:06 EDT 2007
Some of the goofy errors that I am getting with snort:
Dec 19 07:54:49 SnortStartup[63790]: Ram free BEFORE starting Snort: 73M -- Ram free AFTER starting Snort: 73M -- Mode ac-std -- Snort memory usage:
Dec 19 07:54:43 kernel: xl0: promiscuous mode disabled
Dec 19 07:54:32 snort[63624]: Daemon parent exiting
Dec 19 07:54:32 snort[63624]: Daemon parent exiting
Dec 19 07:54:32 snort[63638]: Daemon initialized, signaled parent pid: 63624
Dec 19 07:54:32 snort[63638]: Daemon initialized, signaled parent pid: 63624
Dec 19 07:54:32 snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"
Dec 19 07:54:32 snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"
Dec 19 07:54:32 snort[63638]: PID path stat checked out ok, PID path set to /var/run/
Dec 19 07:54:32 snort[63638]: PID path stat checked out ok, PID path set to /var/run/
Dec 19 07:54:32 kernel: xl0: promiscuous mode enabled
Dec 19 07:54:32 snort[63624]: Initializing daemon mode
Dec 19 07:54:32 snort[63624]: Initializing daemon mode
Dec 19 07:54:32 kernel: xl0: promiscuous mode disabled
Dec 19 07:54:32 kernel: xl0: promiscuous mode enabled
Also, it does not stop anything or set off any alerts; I am just using the default rules pulled in from snort. Let me know what you are all thinking.
Thanks
-
Shaddow501
http://forum.pfsense.org/index.php/topic,2624.15.html
In the above thread, PC_Arcade was having that exact problem. Personally I'm not experiencing this error at all. Sending you a PM
Chazers18:
You're running Snort on your LAN interface, should be your WAN. Go to Services/Snort/Settings, reselect WAN interface and then hit Save. Sometimes deleting any currently blocked IPs and making sure the Snort logs are cleared and then going to the Categories tab and hitting Save again will stop this error and give you a successful initialization. Read this entire thread and you'll see information on setting up Snort to use ac-bnfa mode, this is highly recommended.