Netgate Discussion Forum
    Snort Updated to 2.7

pfSense Packages
65 Posts 17 Posters 48.1k Views

• AhnHEL

Shaddow501, I've been studying the snort.inc file, and trust me, I'm not in your league at all in understanding it, nor would I have been able to fix it the way you did previously when the preprocessors were causing Snort to crash.

But I did notice that some alerts weren't properly being set off. For instance, ICMP pings to my WAN IP weren't setting off a Snort alert even though I have the same ICMP rules enabled as I did with 2.6.

Then I noticed that you had the flow preprocessor enabled in the snort.inc file. According to this site, http://cvs.snort.org/viewcvs.cgi/snort/doc/README.stream5?rev=1.2:

      The Stream5 preprocessor is a target-based TCP reassembly module
      for Snort.  It is intended to replace both the stream4 and flow
      preprocessors, and it is capable of tracking sessions for both
      TCP and UDP.  With Stream5, the rule 'flow' and 'flowbits' keywords
      are usable with TCP as well as UDP traffic.

      Since Stream5 replaces stream4, both cannot be used simultaneously.
      Remove the stream4 and flow configurations from snort.conf when the
      stream5 configuration is added.

      I commented out the flow preprocessor and I'm now seeing ICMP ping alerts again.

      AhnHEL (Angel)

• shaddow501
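The README.stream5 excerpt above is the check that the thread ends up doing by hand: if stream5 is configured, the stream4 and flow preprocessor lines must not be active. As an added illustration (not code from the thread or from the pfSense package), the following Python script scans a Snort 2.x configuration fragment for that conflict and produces a copy with the superseded lines commented out, which is the same "# before preprocessor" fix described later in the thread. The sample configuration is constructed for this example; the preprocessor names it treats as superseded are the ones named in the README excerpt (stream4 and flow) plus their companion modules.

```python
import re

# Constructed sample: a slice of a Snort 2.7 configuration in which stream5 is
# enabled while the older flow preprocessor is still active (the conflict the
# README.stream5 excerpt warns about). Not taken from the pfSense snort.inc.
SAMPLE_CONF = """\
# Flow and stream
preprocessor flow: stats_interval 0 hash 2
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
"""

# Matches an active (uncommented) "preprocessor <name>:" directive.
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_-]+)\s*:")

# Preprocessors that stream5 replaces; they must not be configured alongside it.
SUPERSEDED = {"stream4", "stream4_reassemble", "flow", "flow-portscan"}


def enabled_preprocessors(conf_text):
    """Return the set of preprocessor names found on active (uncommented) lines."""
    names = set()
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def stream5_conflicts(conf_text):
    """Superseded preprocessors that are still active while stream5 is configured.

    Returns an empty set when stream5 is not in use, since stream4 and flow are
    legitimate on their own.
    """
    active = enabled_preprocessors(conf_text)
    if not any(name.startswith("stream5") for name in active):
        return set()
    return active & SUPERSEDED


def disable_conflicts(conf_text):
    """Return the configuration with each conflicting directive commented out."""
    conflicts = stream5_conflicts(conf_text)
    fixed = []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m and m.group(1) in conflicts:
            fixed.append("# " + line)  # same fix as the thread: prefix with '#'
        else:
            fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    print("conflicts:", sorted(stream5_conflicts(SAMPLE_CONF)))
    print(disable_conflicts(SAMPLE_CONF))
```

Run it against the preprocessor section of a real snort.conf (or the configuration block that snort.inc writes out) to confirm that a stream5 deployment is not still carrying a flow or stream4 line; an empty conflict set is the expected result for a correctly migrated configuration.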

        Hi OnHeL

Well, you are right. With the last version of Snort, 2.8.0.1, I did disable the flow preprocessor. I compiled 2.8.0.1 so that it will also support stream4udp packets, so it does work with both the stream5 and stream4 configurations (but they will not work together; you must select whether you want to use the stream4 or stream5 option).

With both versions (2.7.0.1 & 2.8.0.1) I still have a problem: after some time (could be hours, could be minutes) Snort exits with this message:
" (snort), uid 0: exited on signal 11 (core dumped)"
I haven't got any clue what could cause it, and looking on the web (Google and such) didn't turn up much information…

I am curious whether it is just me that gets this error or some of you get it as well. If someone has any clue how to debug it and see what causes this fault, I could make a bit more progress, but as for now I am kind of stuck with a lack of information.

I did try Snort with almost all the working methods, but again I get the message and Snort stops doing what it should be doing (blocking :))

Anyone?

• chazers18

I have a similar problem to what some of the others are having with Snort.

Version of pfSense:

          1.2-RC2
          built on Fri Aug 17 17:46:06 EDT 2007

Some of the goofy errors that I am getting with Snort:

          Dec 19 07:54:49 SnortStartup[63790]: Ram free BEFORE starting Snort: 73M – Ram free AFTER starting Snort: 73M -- Mode ac-std -- Snort memory usage:
          Dec 19 07:54:43 kernel: xl0: promiscuous mode disabled
          Dec 19 07:54:32 snort[63624]: Daemon parent exiting
          Dec 19 07:54:32 snort[63624]: Daemon parent exiting
          Dec 19 07:54:32 snort[63638]: Daemon initialized, signaled parent pid: 63624
          Dec 19 07:54:32 snort[63638]: Daemon initialized, signaled parent pid: 63624
          Dec 19 07:54:32 snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"
          Dec 19 07:54:32 snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"
          Dec 19 07:54:32 snort[63638]: PID path stat checked out ok, PID path set to /var/run/
          Dec 19 07:54:32 snort[63638]: PID path stat checked out ok, PID path set to /var/run/
          Dec 19 07:54:32 kernel: xl0: promiscuous mode enabled
          Dec 19 07:54:32 snort[63624]: Initializing daemon mode
          Dec 19 07:54:32 snort[63624]: Initializing daemon mode
          Dec 19 07:54:32 kernel: xl0: promiscuous mode disabled
          Dec 19 07:54:32 kernel: xl0: promiscuous mode enabled

Also, it does not stop anything or set off any alerts. I am just using default rules pulled in from Snort. Let me know what you are all thinking.

          Thanks

• AhnHEL

Shaddow501:

http://forum.pfsense.org/index.php/topic,2624.15.html

In the above thread, PC_Arcade was having that exact problem. Personally I'm not experiencing this error at all. Sending you a PM.

Chazers18:

You're running Snort on your LAN interface; it should be your WAN. Go to Services/Snort/Settings, reselect the WAN interface and then hit Save. Sometimes deleting any currently blocked IPs, making sure the Snort logs are cleared, and then going to the Categories tab and hitting Save again will stop this error and give you a successful initialization. Read this entire thread and you'll see information on setting up Snort to use ac-bnfa mode; this is highly recommended.

            AhnHEL (Angel)

• chazers18

The funny thing is… that is not my LAN. Well, at least via the GUI I didn't select the LAN; I did both WANs and then just one WAN, and that is what happens: promiscuous mode starts and then after a while it kicks out.

This is a production device and I am gun-shy about hacking the XML backup. I will give it a shot and let you know what happens.

• AhnHEL

For some reason, when you select WAN, Snort tries to start on another interface. Sometimes it's necessary to hit Save twice on the Settings tab to make it stick. Where it says in your logs:

                Dec 19 07:54:32    snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"
                Dec 19 07:54:32    snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"

It shouldn't say snort_xl0.pid. It should say snort_(WAN interface name).pid.

As of right now, until the package is updated, it's going to be necessary to edit /usr/local/pkg/snort.inc and comment out the following line so Snort can work properly with certain rules:

#Flow and stream
preprocessor flow: stats_interval 0 hash 2

Comment the above line out with a # before the word "preprocessor".

                AhnHEL (Angel)

• morbus

> It shouldn't say snort_xl0.pid. It should say snort_(WAN interface name).pid.

That is exactly what it should say (assuming xl0 is your WAN interface). I guess chazers18 is using 3Com NICs or something that uses the xl driver.

> Comment the above line out with a # before the word "preprocessor".

I don't see any reason why you can't use stream5 and flow on the same Snort. Snort won't normally trigger for every ICMP packet it receives unless you add a rule for that, e.g.:

```
alert icmp any any -> any any (msg:"ICMP test"; sid:1000005;)
```

• shaddow501

                    Hello morbus

Well, you are right, Snort version 2.7.0.1 will also work with that line and will detect ICMP, also when using stream5.

But!!! In Snort version 2.8.0.1, which I have created and implemented as this package on my pfSense box (currently just testing its reliability), you will not be able to use flow anymore when you use stream5, so you will need to disable that line if you want Snort to work: " preprocessor flow: stats_interval 0 hash 2"

Are there others that would like to be testing the snort-2.8.0.1.tbz that I have compiled?
I have compiled it so it will be able to use stream4udp, and currently I am checking it with stream4, but I am one tester and I don't know how it will affect others.

Also, I did some modifications to the last snort.inc file that I created before…

Currently the only problem that I have had with it and with the older version is that line " (snort), uid 0: exited on signal 11 (core dumped)"

So others didn't report that they had this error, so maybe it is just my machine that is doing something wrong.

• AhnHEL

@morbus:

> It shouldn't say snort_xl0.pid. It should say snort_(WAN interface name).pid.
>
> That is exactly what it should say (assuming xl0 is your WAN interface). I guess chazers18 is using 3Com NICs or something that uses the xl driver.
>
> Comment the above line out with a # before the word "preprocessor".
>
> I don't see any reason why you can't use stream5 and flow on the same Snort. Snort won't normally trigger for every ICMP packet it receives unless you add a rule for that.

xl0 would be his LAN interface, would it not, and his WAN would be xl1? Common bug in Snort not using the correct interface, with multiple posts here in pfSense documenting it and his exact error.

A Google search of stream5 gives numerous hits on disabling both stream4 AND flow when using stream5, ever since Stream5 was introduced with 2.7. I'm definitely seeing an improvement in rules detection/alerts (not just ICMP) since disabling flow.

                      AhnHEL (Angel)

• morbus

> xl0 would be his LAN interface, would it not, and his WAN would be xl1? Common bug in Snort not using the correct interface, with multiple posts here in pfSense documenting it and his exact error.

The WAN interface is only a name assigned in the webGUI to a network device. You can assign any NIC in your system as WAN, and you can also run Snort on the LAN if you wanted to detect threats from that side. I have Snort running on my WAN interface and that is bound to my xl0 interface. If you go to Interfaces -> Assign you will find you can bind any NIC to any name.

• chazers18

So let me get this straight:

uninstall Snort…

Anyway, that's what I did yesterday. I don't need it bringing my company to a halt.

So xl0 is the LAN interface, and yes, 3Coms are what are in my machine.

I will try the install again and see what happens when I kick out some lines of code.

Did the reinstall and the edit to the files, and here is what I get when I fire this pig up:
                          Dec 20 08:07:39 snort[15138]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_xl1.pid" for PID "15138"
                          Dec 20 08:07:39 snort[15138]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_xl1.pid" for PID "15138"

That is with only one interface started.
                          Dec 20 08:09:44 snort[15802]: Child exited unexpectedly
                          Dec 20 08:09:44 snort[15802]: Child exited unexpectedly
                          Dec 20 08:09:43 snort[15865]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_xl2.pid" for PID "15865"
                          Dec 20 08:09:43 snort[15865]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_xl2.pid" for PID "15865"
                          Dec 20 08:09:43 snort[15865]: PID path stat checked out ok, PID path set to /var/run/
                          Dec 20 08:09:43 snort[15865]: PID path stat checked out ok, PID path set to /var/run/

This is my other WAN when I just selected the thing.

Personally, screw Snort and the pig…

• morbus

> So xl0 is the LAN interface

It depends. xl0 is the interface name for the FreeBSD part of pf; in the webGUI you can assign any interface to any interface name in pf, i.e. xl0 can be LAN, WAN, OPT1 or any other name you want.

The same applies to xl1, xl2, xl…, fxp0, em0; you get the idea.

In pf you have to have one interface assigned to LAN and one to WAN, but after that it is up to you.

• AhnHEL

@shaddow501:

> With both versions (2.7.0.1 & 2.8.0.1) I still have a problem: after some time (could be hours, could be minutes) Snort exits with this message:
> " (snort), uid 0: exited on signal 11 (core dumped)"
> I haven't got any clue what could cause it, and looking on the web (Google and such) didn't turn up much information…

Just to keep everyone posted, Shaddow501 has gotten this problem resolved and has a stable, running Snort 2.8 on his system as well as mine. Seems Sullrich is understandably very busy putting the finishing touches on the 1.2 release, so he can't assist in the package creation, which to a FreeBSD noob is extremely daunting. Any other takers out there who are familiar with packaging?

                              AhnHEL (Angel)

• shaddow501

Hello

As OnHel said,
we both have Snort version 2.8.0.1 working stably, and the new version has fixed some errors.

I have added 2 files: snort.inc, which also works with the 2.8.0.1 and 2.7.0.1 versions,

and also snort.xml, which also gives the users the option to select ac-bnfa mode in Snort.
I must say though that the ac-bnfa option in the snort.xml file I got from OnHel.

Have a nice day.

                                snort.inc.txt
                                snort.xml.txt

• David_W

OnHel was asking for help. What sort of help do you need?

                                  If you have got Snort 2.8.0.1 building correctly as a FreeBSD port - that is, you've updated the security/snort port to 2.8.0.1 and have managed to build a FreeBSD package that works correctly - you should seriously consider submitting a FreeBSD PR to bring the port up to date.

                                  To give you an idea of what this looks like, the PR with the 2.7.0.1 update is here. You can submit PRs on the web - you don't have to use the send-pr tool.

                                  David

• AhnHEL

We don't have a package at all, which is what we need done. The 2.7 package was modified by Shaddow501 to use 2.8 files. While this isn't the obvious upgrade method, it allowed the testing of 2.8 to see what changes in the config file were necessary. There are some serious flaws with the snort.inc file that comes with the pfSense 2.7 package. These flaws have been worked out and as of now it is very stable. All we need is someone who is fluent in FreeBSD and package creation to properly package the 2.8 port and then use the snort.inc file that Shaddow501 has tweaked.

                                    AhnHEL (Angel)

• Hilozer

                                      I installed RC4 and reinstalled snort using the latest package (2.7.0.1_3). I checked the rule download code and it is still pulling the wrong rule versions. Please see, http://forum.pfsense.org/index.php/topic,6873.0.html. In short, the code is set to download the CURRENT rule set, which it should not do. The CURRENT rule set should only be used if the snort version is also current. The pfSense package should always be hardcoded to pull the version of the rules that match the version of snort contained in the package.

                                      Jim L.

• mbedyn

Hello. I have tried everything to force the Snort daemon to run properly. Tried different working modes, posted .inc files..
Finally it starts, and works for a couple of hours.. and I get logs like this:

```
                                        Jan 26 20:15:11 192.168.3.1 snort[6993]: S5: Pruned 5 sessions from cache. 7 ssns for memcap: 8374482/8388608
                                        Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8392276/8388608
                                        Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8392276/8388608
                                        Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8418898/8388608
                                        Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8418898/8388608
                                        Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 64/8388608
                                        Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 64/8388608
```

before Snort crashes…
Or different behavior: it hangs, causing 100% processor utilisation... like in the attached pictures.. with no logs at all.. After that I have to kill the Snort process myself..

Second question I have.. where can I find the rule responsible for this Snort log.. Please notice that I keep scan.rules unchecked..

```
[ ** ] [ 122:22:0 ] (portscan) UDP Filtered Decoy Portscan [ ** ] 
                                        [ Priority: 3 ] 
                                        01/28-14:26:06.788632 194.204.152.21 -> 83.19.104.98
                                        PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF
```

Any suggestions?

                                        ![snort.jpg](/public/_imported_attachments_/1/snort.jpg)
                                        ![snort.jpg_thumb](/public/_imported_attachments_/1/snort.jpg_thumb)
• AhnHEL
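The "S5: Pruned ... ssns for memcap: used/cap" lines in the post above are stream5 reporting that its session table hit its memory cap and it is discarding tracked sessions, which matters for a detector because untracked sessions are sessions whose flow-dependent rules cannot fire. As an added example (not code from the thread or the pfSense package), the following Python script parses those syslog lines and summarises the memcap pressure; the sample input is constructed from the lines quoted in the post, with one unrelated line added to show that non-matching lines are ignored.

```python
import re

# Constructed sample input: stream5 pruning messages as quoted in the post,
# plus one unrelated kernel line that the parser must skip.
SAMPLE_LOG = """\
Jan 26 20:15:11 192.168.3.1 snort[6993]: S5: Pruned 5 sessions from cache. 7 ssns for memcap: 8374482/8388608
Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8392276/8388608
Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8418898/8388608
Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 64/8388608
Jan 26 20:15:12 192.168.3.1 kernel: xl0: promiscuous mode enabled
"""

# "Pruned N sessions ... M ssns for memcap: USED/CAP" as written by stream5.
PRUNE_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Pruned (?P<pruned>\d+) sessions from cache\. "
    r"(?P<ssns>\d+) ssns for memcap: (?P<used>\d+)/(?P<cap>\d+)"
)


def parse_prune_events(log_text):
    """Extract each pruning event as a dict of integers; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PRUNE_RE.search(line)
        if m:
            events.append({key: int(val) for key, val in m.groupdict().items()})
    return events


def memcap_pressure(log_text, warn_ratio=0.95):
    """Summarise how hard stream5 is hitting its memcap.

    A 'used' value above 'cap' means the session table overshot the limit before
    pruning caught up; a sustained ratio near 1.0 means the memcap is undersized
    for the traffic (or that the host simply lacks the RAM for it).
    """
    events = parse_prune_events(log_text)
    if not events:
        return {"events": 0, "pruned_total": 0, "over_cap": 0,
                "peak_ratio": 0.0, "warn": False}
    pruned_total = sum(e["pruned"] for e in events)
    ratios = [e["used"] / e["cap"] for e in events]
    over_cap = sum(1 for e in events if e["used"] > e["cap"])
    peak = max(ratios)
    return {
        "events": len(events),
        "pruned_total": pruned_total,
        "over_cap": over_cap,
        "peak_ratio": round(peak, 4),
        "warn": over_cap > 0 or peak >= warn_ratio,
    }


if __name__ == "__main__":
    summary = memcap_pressure(SAMPLE_LOG)
    for key, val in summary.items():
        print(f"{key}: {val}")
```

Feed it the Snort portion of the system log (for example the output of a syslog filter on "S5: Pruned") over the hours before a crash; a rising count of over-cap events alongside a pegged CPU is the kind of correlation the post is asking about, and it separates "the memcap is too small for this link" from "the process is wedged".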

Wow, I haven't seen any of your issues before, mbedyn; that CPU utilization is pegged alright.

First off, what kind of hardware are we talking about here?

Secondly, that rule you're setting off is in your snort.inc file, not in your rule categories. Apparently this rule has to do with preventing Nmap scans of your network.

Go to Diagnostics/Edit File. Load the /usr/local/pkg/snort.inc file and scroll down until you see #sf Portscan. See if you have your sense level set to medium or high. If it is, then edit the setting to low, and then press Save. While you're there in the snort.inc file, make sure that under #Flow and stream you put a # symbol before "preprocessor flow: stats_interval 0 hash 2".

                                          Hit save again and Go to Services/Snort.

                                          Blocked tab - X out any entries, then
                                          Alerts tab - hit clear, then
                                          Settings tab - hit save.

                                          AhnHEL (Angel)

• mbedyn

Yeah.. before upgrading Snort to 2.7 everything worked flawlessly.. After the upgrade I can't manage with the package..
Tried reinstall, changing inc files…
Maybe I should try a clean install of the package from scratch.... I do not know...

I cannot find the preprocessor flow code in my snort.inc... so I have nothing to comment out with #  :)

Thanks for the direction about scan rules.. I was just curious.. nothing else... I do not want to disable this behavior... ;-)

                                            best regards
                                            Michael

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.