Netgate Discussion Forum

Read this before you install snort 2.8.2.1 package for pfsense 1.2.1 and above

  • J
    jamesdean
    last edited by Aug 5, 2008, 12:39 AM Aug 5, 2008, 12:27 AM

    The snort 2.8.2.1 alpha package was recently added to the pfsense package system.
    This should answer any questions you have right now. Snort works perfectly for me, but give back info on any errors
    you have so that I or someone can work on the snort package.

    1. On first install snort will not start until you update the rules.

    2. Snort for right now, will not start on pfsense bootup. Memory is not enough errors.
        I'm working on it, may just need a delayed startup script.

    3. Rules update downloads are limited to what www.snort.org wants. That is to say, you are limited to 3 updates an hour.
        If you exceed the limit snort.org will make you wait 15 min before you can try again. This may or may not break the rules again.
        Please leave feedback. This should not be a problem to 90%, but to those with more than one pfsense install, you are warned.

    4. Snort is configured in inline mode by default. Meaning that logging and blocking of alerts will take less cpu time. Please leave feedback.

    5. Snort default snort.conf file needs to be tested, if any of you guys are getting weird alerts that you don't understand, please post.
        Snort.conf file may need to be trimmed to fit the vast majority of users.

    • T
      Tikimotel
      last edited by Aug 16, 2008, 3:36 PM

      I've installed snapshot 1.2.1 (aug 15) (woohoo, proxy+upnp works again)
      I installed the snort package 2.8.2.1.
      after install it tries and fails to download rules!
      Seems the snort version isn't new enough. (2.8.2.2 was the latest when I checked, also double-checked my oink code)
      So I edited the "snapshot" part to "2.8" in the phpscript manually.
      Downloaded the rules and none were enabled in GUI. (snort.conf??? not updating web page? vice versa?)
      I enabled a few rule sets. (note: not all rule sets…)
      Started snort, voila and memory and CPU hogging mayhem. 1400Mb for snort??? and it kills itself.
      Tried ac, lowmem eventually tried all settings it just eats CPU time and floods memory and dies.

      Sorry this package is pre-alpha at best...

      I've used snort before on smoothwall and it never used 1400Mb ram... something is wrong with this package.

      • J
        jamesdean
        last edited by Aug 16, 2008, 8:25 PM Aug 16, 2008, 8:23 PM

        Hey Tikimotel

        Sorry your setup is not working out for you.

        I am using;

        pfsense 1.2.1-RC1 built on Fri Aug 8 01:22:08 EDT 2008
        Snort 2.8.2.1

        Snort stats are;

        ac-bnfa   <------ Important

        140M   101M bpf      0:07  2.00% snort

        I'm using almost all the rules.

        Snort updates work;

        Last snort.org rule update: 2008-08-12
        You last updated the ruleset: 2008-08-16
        Your snort rulesets are up to date.

        So in my case everything works. Can you check your oink code and memory again?
        It might be your setup. Can you list all the packages you have and any changes to configs you might have done?

        • T
          Tikimotel
          last edited by Aug 17, 2008, 11:12 AM

          Ok,

          Mainboard mini-itx

          • jetway J7F4K1G2E (7Watt!!!) (2x realtek 8110SC(L) shitty chipsets but they work!)
          • 1Gb RAM (DDR2 533Mhz)
          • shared videoram as low as possible 16Mb

          I installed the full 1.2.1-RC1 snapshot, august 15.
          All factory default, except the LAN 192.168.0.1

          manual mod:

          • Adzapper redirector for Squid
          • created dnsmasq.conf in /usr/local/etc :
          # increase DNS cache size
          cache-size=10000
          #
          # Extra : Blackhole DNS addresses.
          conf-file=/etc/blackhole.conf
          #
          
          

          sorta working modified blackholeDNS update script in Perl 5.8.8 (too big to quote here)
          (touch and chown commands were linux, modded to freeBSD location and commandline options)

          Packages:

          • Squid 2.6.21
          • Snort STABLE 2.8.2.1 (deinstalled yesterday, after posting here)

          Squid setup ->

          • 1000Mb (hdd cache)(I know it takes up some ram in order to manage cache)
          • 128Mb (mem)
          • 16384Kb Max objectsize
          • policy heap GDSF (ram) (gui php BUG: won't stick to : heap LFUDA checked it in squid.conf, stays at default?!?)
          • policy heap LFUDA (hdd cache)
            custom options:
          redirect_program /usr/local/libexec/adzap;redirect_children 8;maximum_object_size_in_memory 512 KB
          

          All working fine.

          • T
            Tikimotel
            last edited by Aug 17, 2008, 11:17 AM

            @jamesdean:

            Hey Tikimotel

            Sorry your setup is not working out for you.

            I am using;

            pfsense 1.2.1-RC1 built on Fri Aug 8 01:22:08 EDT 2008
            Snort 2.8.2.1

            Snort stats are;

            ac-bnfa   <------ Important

            140M   101M bpf      0:07  2.00% snort

            I'm using almost all the rules.

            Snort updates work;

            Last snort.org rule update: 2008-08-12
            You last updated the ruleset: 2008-08-16
            Your snort rulesets are up to date.

            So in my case everything works. Can you check your oink code and memory again?
            It might be your setup. Can you list all the packages you have and any changes to configs you might have done?

            Gonna try the "ac-bnfa" option.. will report back.

            • T
              Tikimotel
              last edited by Aug 17, 2008, 11:30 AM

              This did the trick! ;D
              Why are the other options even available? (if they don't seem to work anyway…)
              Indeed "ac-bnfa" was the only option I did not try yesterday....
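
The fix reported above came down to one pattern-matcher setting, so here is a check for it, added as an example that is not part of the original posts or of the pfSense package. It assumes the setting appears in snort.conf as a Snort 2.x `config detection: search-method ...` line and that you pass the path to your own snort.conf; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit the pattern-matcher setting in a
# snort.conf. Function names and the sample config are constructed here.

# search_methods FILE
# Print "LINENO METHOD" for every active "config detection: ... search-method X"
# directive. Commented-out directives are ignored.
search_methods() {
    awk '
        { sub(/#.*/, "") }                         # drop comments
        /^[ \t]*config[ \t]+detection[ \t]*:/ {
            n = split($0, tok, /[ \t,:]+/)
            for (i = 1; i < n; i++)
                if (tok[i] == "search-method") print NR, tok[i + 1]
        }
    ' "$1"
}

# audit_search_method FILE
# Return 0 if every directive selects ac-bnfa, 1 if any selects something
# else, 2 if the file sets no search-method at all.
audit_search_method() {
    found=$(search_methods "$1")
    if [ -z "$found" ]; then
        echo "$1: no search-method directive (snort falls back to its default)"
        return 2
    fi
    bad=$(printf '%s\n' "$found" |
          awk '$2 != "ac-bnfa" { print "  line " $1 ": " $2 }')
    if [ -n "$bad" ]; then
        echo "$1: search-method is not ac-bnfa:"
        echo "$bad"
        return 1
    fi
    echo "$1: search-method ac-bnfa"
    return 0
}

# Constructed sample: one commented-out directive, one active one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# config detection: search-method lowmem
var HOME_NET any
config detection: search-method ac
EOF
audit_search_method "$sample" || true
rm -f "$sample"
```

Running it before starting snort on a memory-constrained box shows which method the generated config actually selects, independent of what the GUI displays.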

              • A
                AudiAddict
                last edited by Aug 19, 2008, 8:36 PM

                I removed snort some time ago.. and I would love to give it another go.. but it's not listed in the packages list anymore..

                Does it not work on the latest stable release?? Can I install it manually? If so, how?
