Netgate Discussion Forum

Snort Updated to 2.7

pfSense Packages
65 Posts 17 Posters 48.1k Views
      shaddow501

      Hello All

      SNORT IS FIXED !!!!

      After long hours with reading and testing, I was finally able to find and to fix the problems.

      So that Snort will also work on your system, until sullrich uploads my snort.inc in place of the older one, you will need to do a few things to get Snort working on your pfSense box as well.

      The easiest way is to go to the Edit File tab in the pfSense web GUI and open this file: /usr/local/pkg/snort.inc

      Replace its full contents with the text file I have attached to this post, and don't forget to press Save.

      Then update the rules, go to Settings and press Save; it will write the snort.inc settings into your configuration file, and from then on Snort is operational.

      Please post an update so I know the file works for you all.

      Ilan.

      snort_inc.txt

        sullrich

        Committed, thanks a million for the efforts.

          A Former User

          ;D I just did a Snort package install and the new version works 100%. Thank you!!! ;D ;D

            yozh

            It works and the rules seem to be downloading, but it takes a very long time to install them. It seems to get stuck in the middle of the install and then says that the rules were never updated. It's cosmetic, I believe, at this time, but what happens when it tries to auto-update the rules?

              AhnHEL

              Mine is working fantastic and I even used Morbus' edit to add the ac-bnfa mode to the Snort Settings performance mode list. Now if we could just get this Mozilla browser bug fix committed, Snort would be working perfectly.

              AhnHEL (Angel)

                yozh

                Hmm, also the blocking doesn't seem to fully work. I see TCP portsweeps in the alerts but no blocked hosts, and in Settings "Block offenders" is checked. Strange.

                  shiftyjoe

                  Hi all,

                  Just switched to pfSense 1.2-RC3 from IPCop and I am having issues with the Snort package. I have installed the latest, 2.7.0.1_3, and I don't seem to be getting any alerts (which I know should be there; IPCop reported a number of hits per day). I have Snort running with the ac method and most of the rules selected. Below is the log when I start Snort.

                  Dec 12 09:06:39 snort2c[21009]: snort2c running in daemon mode pid: 21009
                  Dec 12 09:06:39 snort2c[21009]: snort2c running in daemon mode pid: 21009
                  Dec 12 09:06:39 snort2c[20088]: SIGTERM received - exiting
                  Dec 12 09:06:39 snort2c[20088]: SIGTERM received - exiting
                  Dec 12 09:01:23 SnortStartup[20115]: Ram free BEFORE starting Snort: 402M – Ram free AFTER starting Snort: 822M -- Mode ac -- Snort memory usage:
                  Dec 12 09:01:07 snort[19527]: ACSM-No Memory: acsmCompile!
                  Dec 12 09:01:07 snort[19527]: ACSM-No Memory: acsmCompile!
                  Dec 12 09:01:05 snort2c[20088]: snort2c running in daemon mode pid: 20088
                  Dec 12 09:01:05 snort2c[20088]: snort2c running in daemon mode pid: 20088
                  Dec 12 09:01:05 snort[20007]: Daemon parent exiting
                  Dec 12 09:01:05 snort[20007]: Daemon parent exiting
                  Dec 12 09:01:05 snort[20007]: Child exited unexpectedly
                  Dec 12 09:01:05 snort[20007]: Child exited unexpectedly
                  Dec 12 09:01:04 snort[20026]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "20026"
                  Dec 12 09:01:04 snort[20026]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "20026"
                  Dec 12 09:01:04 snort[20026]: PID path stat checked out ok, PID path set to /var/run/
                  Dec 12 09:01:04 snort[20026]: PID path stat checked out ok, PID path set to /var/run/

                  I am confused by the fatal error and the report of 402M of free memory before Snort runs and 822M after it starts. fxp1 is my WAN NIC.

                  Any suggestions?

                  Running pfSense on a Celeron @ 966MHz w/ 1GB RAM, 80GB IDE/ATA hard drive, and two Intel Desktop Pro 10/100.

                    AhnHEL

                    I've gotten that type of error in the past. X out any blocked IPs in the Blocked tab, clear the log on the Alerts tab, and hit Save again in the Categories tab. Also, if you're using a majority of the categories, read page 1 of this post on using ac-bnfa mode. Mine craps out when using ac mode with a lot of categories.

                    AhnHEL (Angel)

                      A Former User

                      Well, Snort did work. Now it crashes pfSense. So I did a reinstall of pfSense, installed Snort and tried to update; now I get this: snort rules: md5 signature of rules mismatch. So I guess I will go back to my D-Link. >:(

                        shiftyjoe

                        onhel - Thanks for the help; changed to ac-bnfa and Snort is much happier now.

                        cdx304 - "Well, Snort did work. Now it crashes pfSense. So I did a reinstall of pfSense, installed Snort and tried to update; now I get this: snort rules: md5 signature of rules mismatch. So I guess I will go back to my D-Link. Angry"

                        Not sure if it will help, but I've gotten this message. After a fifteen-minute wait, I could re-download the rules without an issue.

                        Running pfSense on a Celeron @ 966MHz w/ 1GB RAM, 80GB IDE/ATA hard drive, and two Intel Desktop Pro 10/100.

                          AhnHEL

                          Yes, I have gotten the md5 mismatch a couple of times as well during the testing of Snort 2.7.0.1_1 and 2.7.0.1_2.  A second attempt to download rules always cleared up this error.

                          While I have this post up, I'd like to give my thanks to Sullrich for maintaining the package and Shaddow501 for his help to Sullrich in getting the problems with 2.7 resolved so quickly for all of us end-users.  Great job guys.

                          AhnHEL (Angel)

                            rt_rex

                            @onhel:

                            Yes, I have gotten the md5 mismatch a couple of times as well during the testing of Snort 2.7.0.1_1 and 2.7.0.1_2.  A second attempt to download rules always cleared up this error.

                            While I have this post up, I'd like to give my thanks to Sullrich for maintaining the package and Shaddow501 for his help to Sullrich in getting the problems with 2.7 resolved so quickly for all of us end-users.  Great job guys.

                            There is a 2.7.0.1_3 version working OK here.

                            Don't try this @home, go outside!
                            WIFI Link @ 76 km
                            Pfsense with 3G USB

                              A Former User

                              pfSense crashes now with Snort installed.

                                AhnHEL

                                @cdx304:

                                Pfsense crashes now with snort installed .

                                Define "crash."

                                Please elaborate.

                                Mine is running great, possibly a hardware issue?

                                AhnHEL (Angel)

                                  shaddow501

                                  Hi All

                                  After a few days working with Snort I have found that it doesn't remove the blocked IP after 60 min; maybe it is something with the configuration, I am not sure yet.

                                  I do think there should be a line in the cron configuration that removes the blocked IPs after a specific time, or maybe I am wrong…

                                  Did anyone notice that problem, or is it just something messed up in my system?

                                  Anyway, any information on where I should write this line would be appreciated.

                                    shiftyjoe

                                    This post (http://forum.pfsense.org/index.php/topic,5902.0.html) talks about how to change the time it takes before the IPs are removed.

                                    Sullrich says "You can change the reset time by modifying /cf/conf/config.xml from Diagnostics -> Edit File.

                                    Look for the cron entry that runs the command /usr/local/sbin/expiretable -t 1800 snort2c.

                                    Change the <minute>60</minute> to whatever you like.  Then go to Diagnostics -> Command Prompt and in the PHP command box issue the command:

                                    configure_cron();"

                                    I'd check to make sure the cron job is scheduled.

                                    Running pfSense on a Celeron @ 966MHz w/ 1GB RAM, 80GB IDE/ATA hard drive, and two Intel Desktop Pro 10/100.

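Added example, not code from the thread or from the pfSense Snort package: a POSIX shell check that confirms the expiretable cron job is present and works out how long a blocked host can stay in the snort2c table. The cron line is constructed here to mirror the entry quoted above, assuming a minute field that runs the job every 60 minutes.

```shell
#!/bin/sh
# Added example; not code from the thread or from the pfSense Snort package.
# Constructed crontab line mirroring the entry quoted in the post above.
# Assumption: the minute field runs the job every 60 minutes.
SAMPLE_CRON='*/60 * * * * root /usr/local/sbin/expiretable -t 1800 snort2c'

# Print the -t value (seconds) from an expiretable cron line, or nothing.
expiretable_ttl() {
    printf '%s\n' "$1" | sed -n 's/.*expiretable -t \([0-9][0-9]*\) .*/\1/p'
}

# Print the run interval in minutes from a "*/N" minute field, or nothing.
cron_interval_min() {
    printf '%s\n' "$1" | sed -n 's/^\*\/\([0-9][0-9]*\) .*/\1/p'
}

# Print "MIN MAX": how long (minutes) a blocked host stays in the table.
# expiretable only purges entries older than the TTL when cron runs it,
# so an entry lives at least TTL and at most TTL plus one cron interval.
expiry_window() {
    ttl_min=$(( $1 / 60 ))
    echo "$ttl_min $(( ttl_min + $2 ))"
}

# "yes" if the line is an expiretable job for the snort2c table, else "no".
has_snort2c_expire() {
    if printf '%s\n' "$1" | grep -q 'expiretable -t [0-9][0-9]* snort2c'; then
        echo yes
    else
        echo no
    fi
}

ttl=$(expiretable_ttl "$SAMPLE_CRON")
iv=$(cron_interval_min "$SAMPLE_CRON")
echo "snort2c expire job present: $(has_snort2c_expire "$SAMPLE_CRON")"
echo "TTL ${ttl}s, run every ${iv} min: a blocked host lives $(expiry_window "$ttl" "$iv") minutes"
```

On the firewall the line would come from the crontab that configure_cron() writes (assumed here to be /etc/crontab); a 30-minute TTL purged hourly gives a 30 to 90 minute window, which fits a removal seen at 87 minutes, while a host still blocked after 115 minutes points to the job not running.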
                                      AhnHEL

                                      Watched a blocked IP and noticed it was removed after around 87 minutes. Performed a second test and this one went beyond 115 minutes before I gave up on babysitting the GUI, so I can confirm your experiences, Shaddow501. One thing I noticed while tinkering around with this is that "top" doesn't show snort2c running when an IP is blocked. I can verify that the IP is in fact blocked, so I can only assume snort2c is doing its job, but it's strange that I don't see it running when I know I've seen snort2c by running top in the past.

                                      AhnHEL (Angel)

                                        shaddow501

                                        Hi OnHel

                                        Well, I do think the reason Snort crashes (I do see a strange line in my log that refers to Snort exited, core dump, well, something like that) is that it isn't a very stable release. Anyway, I am working on the snort.inc file to see if removing some items will make Snort work better (like the SMTP check that I have added and the FTP preprocessor that I have added); so far I have removed the SMTP and will check it for a few days to see if it makes the release more stable.
                                        If you would like to "play" with the file as well, it is located at /usr/local/pkg/snort.inc (just use Edit File in the Snort GUI).

                                        Also I made a modification in cron that will remove the blocked IP after 10 min, and I guess it does work...

                                          shaddow501

                                          Hi Guys

                                          I have started to work with Snort version 2.8.0.1, since I didn't like 2.7.0.1 much; I have made a new package based on the Snort 2.7.0.1 package but with the files of the new latest version I mentioned above.
                                          In the SSH terminal software I just pkg_delete the old version and did pkg_add of my version.

                                          The new version seems to work so far, but I still don't have much information on how stable it is.
                                          It also requires a change in the snort.inc file.

                                          Anyone who wishes to try it may contact me.

                                            trendchiller

                                            Perhaps give Scott a link if it runs fine ;-)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.