Netgate Discussion Forum

    Snort Updated to 2.7

    pfSense Packages
    65 Posts 17 Posters 48.1k Views
    • shaddow501

      Hello

      As OnHel said, we both have Snort version 2.8.0.1 working stably, and the new version has fixed some errors.

      I have added two files: snort.inc, which also works with the 2.8.0.1 and 2.7.0.1 versions,

      and also snort.xml, which gives users the option to select ac-bnfa mode in Snort.
      I must say, though, that the ac-bnfa option in the snort.xml file I got from OnHel.

      Have a nice day.

      snort.inc.txt
      snort.xml.txt

      • David_W

        onhel was asking for help. What sort of help do you need?

        If you have got Snort 2.8.0.1 building correctly as a FreeBSD port - that is, you've updated the security/snort port to 2.8.0.1 and have managed to build a FreeBSD package that works correctly - you should seriously consider submitting a FreeBSD PR to bring the port up to date.

        To give you an idea of what this looks like, the PR with the 2.7.0.1 update is here. You can submit PRs on the web - you don't have to use the send-pr tool.

        David

        • AhnHEL

          We don't have a package at all, which is what we need done.  The 2.7 package was modified by Shaddow501 to use 2.8 files.  While this isn't the obvious upgrade method, it allowed testing of 2.8 to see what changes in the config file were necessary.  There are some serious flaws with the snort.inc file that comes with the pfSense 2.7 package.  These flaws have been worked out, and as of now it is very stable.  All we need is someone who is fluent in FreeBSD and package creation to properly package the 2.8 port and then use the snort.inc file that Shaddow501 has tweaked.

          AhnHEL (Angel)

          • Hilozer

            I installed RC4 and reinstalled Snort using the latest package (2.7.0.1_3). I checked the rule download code and it is still pulling the wrong rule versions. Please see http://forum.pfsense.org/index.php/topic,6873.0.html. In short, the code is set to download the CURRENT rule set, which it should not do. The CURRENT rule set should only be used if the Snort version is also current. The pfSense package should always be hardcoded to pull the version of the rules that matches the version of Snort contained in the package.

            Jim L.

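To make the point above concrete, here is an added shell example (not code from the pfSense package or from anyone in this thread) that derives the rule snapshot to fetch from the installed Snort package version instead of defaulting to CURRENT. It assumes the snort.org snapshot naming of the time, snortrules-snapshot-<major.minor>.tar.gz and snortrules-snapshot-CURRENT.tar.gz, parses a constructed pkg_info listing, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the pfSense snort package: pick the rule snapshot
# that matches the installed Snort engine instead of always fetching CURRENT.
# Assumption: snapshots are named snortrules-snapshot-<major.minor>.tar.gz
# and snortrules-snapshot-CURRENT.tar.gz (snort.org naming of the time).

# Constructed pkg_info output, as seen in Diagnostics/Command on pfSense.
PKG_INFO_SAMPLE='bsnmp-ucd-0.2.1     An snmpd module implementing parts of UCD-SNMP-MIB
snort-2.7.0.1_3     Lightweight network intrusion detection system
xmlstarlet-1.0.1    Command line XML toolkit'

# Print the Snort version from a pkg_info listing, dropping the FreeBSD port
# revision (the "_3" suffix): "snort-2.7.0.1_3 ..." -> "2.7.0.1"
snort_version_from_pkg_info() {
    sed -n 's/^snort-\([0-9][0-9.]*\)\(_[0-9]*\)\{0,1\}[[:space:]].*/\1/p' | head -n 1
}

# "2.7.0.1" -> "2.7": rule snapshots track the major.minor engine branch.
ruleset_branch() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# Print the snapshot file for an engine version. CURRENT is refused unless
# ALLOW_CURRENT=yes, because it targets the newest engine and may contain
# rule options an older Snort rejects at startup.
ruleset_file_for_version() {
    ver="$1"
    if [ "$ver" = "CURRENT" ]; then
        [ "${ALLOW_CURRENT:-no}" = "yes" ] || return 1
        echo "snortrules-snapshot-CURRENT.tar.gz"
        return 0
    fi
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    echo "snortrules-snapshot-$(ruleset_branch "$ver").tar.gz"
}

installed=$(printf '%s\n' "$PKG_INFO_SAMPLE" | snort_version_from_pkg_info)
echo "installed snort: $installed -> $(ruleset_file_for_version "$installed")"
```

On the firewall you would replace the constructed listing with the real `pkg_info` output; the refusal of CURRENT without an explicit opt-in is the check that the package's download code was missing.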
            • mbedyn

              Hello. I have tried everything to force the snort daemon to run properly. Tried different working modes, posted .inc files...
              Finally it starts, and works for a couple of hours, and I get logs like this:

              ```
              Jan 26 20:15:11 192.168.3.1 snort[6993]: S5: Pruned 5 sessions from cache. 7 ssns for memcap: 8374482/8388608
              Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8392276/8388608
              Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8392276/8388608
              Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8418898/8388608
              Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8418898/8388608
              Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 64/8388608
              Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 64/8388608
              ```

              before snort crashes...
              Or different behaviour: it hangs, causing 100% processor utilisation, like in the attached pictures, with no logs at all. After that I have to kill the snort process myself.

              Second question I have: where can I find the rule responsible for this snort log? Please notice that I keep scan.rules unchecked.

              ```
              [**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
              [Priority: 3]
              01/28-14:26:06.788632 194.204.152.21 -> 83.19.104.98
              PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF
              ```

              Any suggestions?
              
              ![snort.jpg](/public/_imported_attachments_/1/snort.jpg)
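The S5 lines in the post above come from Snort's Stream5 preprocessor: 8388608 bytes is its default 8 MiB session memcap, and the figure after "memcap:" is bytes in use versus that limit, so a used value above the limit means the session cache is being pruned under pressure. As an added example (not from the thread or the pfSense package), the following shell/awk snippet summarises such lines from syslog and flags when the cache exceeded its memcap. The sample lines are the ones posted above, embedded as constructed input, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense package: summarise
# Stream5 (S5) memcap pruning messages from syslog.
# Assumed format (from the lines posted above):
#   ... snort[PID]: S5: Pruned N sessions from cache. M ssns for memcap: USED/MEMCAP

# Constructed sample: the posted lines plus one unrelated message.
S5_SAMPLE='Jan 26 20:15:11 192.168.3.1 snort[6993]: S5: Pruned 5 sessions from cache. 7 ssns for memcap: 8374482/8388608
Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8392276/8388608
Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 8418898/8388608
Jan 26 20:15:12 192.168.3.1 snort[6993]: S5: Pruned 1 sessions from cache. 1 ssns for memcap: 64/8388608
Jan 26 20:15:13 192.168.3.1 snort[6993]: Initializing rule chains...'

# Read syslog lines on stdin; print "PRUNED OVER PEAK MEMCAP":
#   PRUNED  total sessions pruned
#   OVER    messages where used bytes exceeded the memcap
#   PEAK    highest used-bytes figure seen
#   MEMCAP  the configured limit in bytes
s5_memcap_summary() {
    awk '
    /S5: Pruned [0-9]+ sessions from cache/ {
        for (i = 1; i <= NF; i++) if ($i == "Pruned") pruned += $(i + 1)
        split($NF, m, "/")          # last field is USED/MEMCAP
        used = m[1] + 0; memcap = m[2] + 0
        if (used > memcap) over++
        if (used > peak) peak = used
    }
    END { printf "%d %d %d %d\n", pruned, over, peak, memcap }'
}

# Exit 0 when the cache went past its memcap at least THRESHOLD times
# (default 1); usable as a periodic check before snort falls over.
s5_memcap_exhausted() {
    threshold="${1:-1}"
    set -- $(s5_memcap_summary)
    [ "$2" -ge "$threshold" ]
}

if printf '%s\n' "$S5_SAMPLE" | s5_memcap_exhausted 2; then
    echo "stream5 memcap exceeded repeatedly: raise memcap in stream5_global or reduce the session load"
else
    echo "stream5 session cache within limits"
fi
```

On a box that keeps tripping this, the knob is `memcap` in `preprocessor stream5_global` in the generated snort.conf. The pegged-CPU hang with no log output described in the same post is a different failure and this check will not see it.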
              • AhnHEL

                Wow, I haven't seen any of your issues before, mbedyn; that CPU utilization is pegged alright.

                First off, what kind of hardware are we talking about here?

                Secondly, that rule you're setting off is in your snort.inc file, not in your rule categories.  Apparently this rule has to do with preventing Nmap scans of your network.

                Go to Diagnostics/Edit File.  Load the /usr/local/pkg/snort.inc file and scroll down until you see #sf Portscan.  See if you have your sense level set to medium or high.  If it is, then edit the setting to low, and then press save.  While you're there in the snort.inc file, make sure that under #Flow and stream you put a # symbol before "preprocessor flow: stats_interval 0 hash 2".

                Hit save again and Go to Services/Snort.

                Blocked tab - X out any entries, then
                Alerts tab - hit clear, then
                Settings tab - hit save.

                AhnHEL (Angel)

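The two snort.inc edits described above can be scripted so they are applied consistently and checked afterwards. This is an added shell example, not part of the pfSense package or the poster's instructions. It works on a constructed excerpt that mimics the sfportscan and flow lines (the real snort.inc is PHP that writes snort.conf, so match the patterns against its actual text), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the pfSense package: apply the two snort.inc edits
# from the post above (sfportscan sense_level -> low, comment out the flow
# preprocessor) with a backup and a post-check.
# Assumption: the lines look like the constructed excerpt below; the real
# snort.inc is PHP that writes snort.conf, so adjust to its actual text.

SNORT_INC_SAMPLE='#sf Portscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium }

#Flow and stream
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts'

# Rewrite FILE in place, leaving the previous contents in FILE.bak.
# Already-commented flow lines are left alone, so re-running is harmless.
tune_snort_inc() {
    f="$1"
    cp "$f" "$f.bak" || return 1
    sed -e 's/\(sense_level[[:space:]]*{[[:space:]]*\)medium\([[:space:]]*}\)/\1low\2/' \
        -e 's/\(sense_level[[:space:]]*{[[:space:]]*\)high\([[:space:]]*}\)/\1low\2/' \
        -e 's/^\([[:space:]]*\)preprocessor flow:/\1#preprocessor flow:/' \
        "$f.bak" > "$f"
}

# Exit 0 only if no active "preprocessor flow:" line remains and no
# sense_level is still medium or high.
verify_snort_inc() {
    f="$1"
    if grep -q '^[[:space:]]*preprocessor flow:' "$f"; then return 1; fi
    if grep -Eq 'sense_level[[:space:]]*\{[[:space:]]*(medium|high)' "$f"; then return 1; fi
    return 0
}

tmp=$(mktemp)
printf '%s\n' "$SNORT_INC_SAMPLE" > "$tmp"
tune_snort_inc "$tmp" && verify_snort_inc "$tmp" && echo "tuned $tmp (backup in $tmp.bak)"
```

Point `tune_snort_inc` at /usr/local/pkg/snort.inc on the firewall instead of the temporary file, then follow the Blocked / Alerts / Settings steps from the post so the running instance picks up the new configuration.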
                • mbedyn

                  Yeah, before upgrading Snort to 2.7 everything worked flawlessly. After the upgrade I can't manage the package.
                  Tried reinstalling, changing inc files...
                  Maybe I should try a clean install of the package from scratch... I do not know...

                  I cannot find the preprocessor flow code in my snort.inc, so I have nothing to comment out with #. :)

                  Thanks for the direction about scan rules. I was just curious, nothing else. I do not want to disable this behavior. ;-)

                  best regards
                  Michael

                  • Matts

                    I'm not able to remove or reinstall the package at all on an RC4 machine.

                    It just keeps saying the following:

                    Removing package…
                    Loading package configuration snort.xml...
                    Loading package instructions...

                    And it hangs for hours...

                    • AhnHEL

                      Perform a manual uninstall:

                      Go to Diagnostics/Command and in the command line execute

                      pkg_info

                      Find the exact package name of snort; it should be snort-2.7.0.1_1. Then in the command line again execute:

                      pkg_delete (followed by the exact snort install name you noted with pkg_info)

                      It should look like this:

                      pkg_delete snort-2.7.0.1_1

                      Run pkg_info after that to confirm it's uninstalled.  Try to reinstall now; if it still gives you problems, perform the above again, then do the following.

                      Go to Diagnostics, Backup/Restore, download the config.xml and edit out the snort package from <installedpackages>:

                      ```xml
                      <installedpackages>
                        <snort>
                          <config>
                            <iface_array>wan</iface_array>
                            <performance>ac-bnfa</performance>
                            <oinkmastercode>xxxxxxxxxxxxxxxxxxxxxx</oinkmastercode>
                            <subscriber>on</subscriber>
                            <blockoffenders>on</blockoffenders>
                            <automaticrulesupdate><whitelistvpns><clickablalerteurls>on</clickablalerteurls>
                            <associatealertip>on</associatealertip></whitelistvpns></automaticrulesupdate>
                          </config>
                          <last_ruleset_download>2008-01-20</last_ruleset_download>
                          <rulesets>attack-responses.rules||backdoor.rules||bad-traffic.rules||chat.rules||content-replace.rules||ddos.rules||dns.rules||dos.rules||experimental.rules||exploit.rules||finger.rules||ftp.rules||icmp-info.rules||icmp.rules||imap.rules||info.rules||local.rules||misc.rules||multimedia.rules||mysql.rules||netbios.rules||nntp.rules||oracle.rules||other-ids.rules||policy.rules||pop2.rules||pop3.rules||rpc.rules||rservices.rules||scan.rules||shellcode.rules||smtp.rules||snmp.rules||specific-threats.rules||spyware-put.rules||sql.rules||telnet.rules||tftp.rules||virus.rules||voip.rules||web-attacks.rules||web-cgi.rules||web-client.rules||web-coldfusion.rules||web-frontpage.rules||web-iis.rules||web-misc.rules||web-php.rules||x11.rules</rulesets>
                        </snort>
                      </installedpackages>
                      ```

                      Restore the configuration from the GUI and reboot.

                      AhnHEL (Angel)

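An added shell example (not from the thread or from pfSense) that scripts the manual uninstall above: it pulls the exact package name out of pkg_info output, drives pkg_delete (or only prints the commands with DRY_RUN=yes), and removes the <snort>...</snort> block from a saved config.xml while keeping a backup. The pkg_info listing and the config.xml fragment are constructed; on the firewall you would pipe real pkg_info output in and point the function at the downloaded config.xml. It assumes the <snort> element opens and closes on its own lines, as in the fragment posted above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: script the manual uninstall
# above. Package names come from pkg_info output on stdin so the logic can be
# run against a saved listing; on the firewall pipe the real `pkg_info` in.
# Assumption: the <snort> element in config.xml opens and closes on its own
# lines, as in the fragment posted above.

# Constructed pkg_info listing.
PKG_INFO_LISTING='bsnmp-ucd-0.2.1     An snmpd module implementing parts of UCD-SNMP-MIB
snort-2.7.0.1_1     Lightweight network intrusion detection system
xmlstarlet-1.0.1    Command line XML toolkit'

# Constructed config.xml fragment; only the <snort> block should disappear.
CONFIG_SAMPLE='<pfsense>
<installedpackages>
<otherpkg><config></config></otherpkg>
<snort>
<config><iface_array>wan</iface_array><performance>ac-bnfa</performance></config>
<rulesets>scan.rules||x11.rules</rulesets>
</snort>
</installedpackages>
</pfsense>'

# Print the exact installed snort package name(s), e.g. snort-2.7.0.1_1.
snort_pkg_names() {
    awk '$1 ~ /^snort-[0-9]/ { print $1 }'
}

# pkg_delete every snort package; with DRY_RUN=yes only print the commands.
remove_snort_pkgs() {
    for p in $(snort_pkg_names); do
        if [ "${DRY_RUN:-no}" = "yes" ]; then
            echo "pkg_delete $p"
        else
            pkg_delete "$p" || return 1
        fi
    done
}

# Drop the <snort>...</snort> block from FILE, keeping FILE.bak.
# Returns 2 if there was nothing to remove, 1 if the result looks damaged
# (the enclosing <installedpackages> element must survive intact).
strip_snort_from_config() {
    f="$1"
    grep -q '<snort>' "$f" || return 2
    cp "$f" "$f.bak" || return 1
    sed '/<snort>/,/<\/snort>/d' "$f.bak" > "$f"
    grep -q '<installedpackages>' "$f" && grep -q '</installedpackages>' "$f"
}

# Demo runs in dry mode; feed real pkg_info output without DRY_RUN to delete.
(DRY_RUN=yes; printf '%s\n' "$PKG_INFO_LISTING" | remove_snort_pkgs)
c=$(mktemp)
printf '%s\n' "$CONFIG_SAMPLE" > "$c"
strip_snort_from_config "$c" && echo "snort block removed from $c (backup in $c.bak)"
```

Keep the .bak files until the restored configuration has booted cleanly; the scrubbed config.xml is what you upload under Diagnostics, Backup/Restore before the reboot.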
                      • Matts

                        Hi,

                        The problem for now is that the SNORT package is not shown after the "pkg_info" command.

                        I will first try rebooting the system; if that does not help, I will put back a backup config file and do what you described above.

                        Thanks.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.