Netgate Discussion Forum
    Snort Update and Oinkmaster.conf

    pfSense Packages
    29 Posts 5 Posters 17.0k Views
      dlawley

      Getting the same issue; going to snort.org, it appears that they have changed their website somewhat.

      I know it worked this morning on another install I have, but my unit at home gives me this:

      Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /usr/local/www/snort_download_rules.php on line 105

        jamesdean

        @dlawley:

        Getting the same issue; going to snort.org, it appears that they have changed their website somewhat.

        I know it worked this morning on another install I have, but my unit at home gives me this:

        Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /usr/local/www/snort_download_rules.php on line 105

        You have an older version of the snort package. Yes, snort.org changed their URLs.

        Please reinstall.

        This question has been asked before.

        james

          dlawley

          Yes sir, indeed. Further searching, I see it posted. Guess I was expecting pfSense to catch the update notice on the "install pkgs" screen..

          Reinstalled snort, all is good.

          thank you

            BenKenobe

            uninstalled and cleaned up all old snort folders, re-installed and am back in business

              jerrygoldsmith

              I had a similar problem, and so I read this, uninstalled, rebooted, and reinstalled after reading the above post about the fixed package.

              Took 30 minutes to update, stalled on 'extracting rules', and rebooted without warning.

              When I try to re-update the rules, it says that it's removing TMP files, and does that without changing. Left it like that for over an hour before giving up.

              Perhaps I'll update my snapshot, as I also don't have any system logs.  (using June 5th one)
              "Last 100 system log entries
              Segmentation fault (core"

                jamesdean

                @jerrygoldsmith:

                I had a similar problem, and so I read this, uninstalled, rebooted, and reinstalled after reading the above post about the fixed package.

                Took 30 minutes to update, stalled on 'extracting rules', and rebooted without warning.

                When I try to re-update the rules, it says that it's removing TMP files, and does that without changing. Left it like that for over an hour before giving up.

                Perhaps I'll update my snapshot, as I also don't have any system logs.   (using June 5th one)
                "Last 100 system log entries
                Segmentation fault (core"

                Can you post your system spec and pfSense version?

                thanx

                  jerrygoldsmith

                  @jamesdean:

                  Can you post your system spec and pfSense version?
                  thanx

                  Thank ya sir!

                  1.2.3-RC2 built on Fri Jun 5 01:10:29 EDT 2009
                  FreeBSD 7.1-RELEASE-p5 i386
                  snapshot from http://snapshots.pfsense.org/FreeBSD_RELENG_7_1/pfSense_RELENG_1_2/updates/pfSense-Full-Update-1.2.3-20090605-0110.tgz

                  Processor: VIA Samuel 2 (800 MHz)
                  RAM: 512 MB PC133

                  It's an IP3 Gateway (series 100) that I modded and loaded pfSense on about 3 months ago. I've never had a problem with it before; Snort has worked perfectly until this last week. Also, I've made no significant system changes aside from the snapshot version I updated yesterday because I thought that might help (I had run out of ideas and had some time on my hands).

                  Thank you in advance for your input.  I've seen you've been working on this a lot lately!

                    jamesdean

                    @jerrygoldsmith:

                    @jamesdean:

                    Can you post your system spec and pfSense version?
                    thanx

                    Thank ya sir!

                    1.2.3-RC2 built on Fri Jun 5 01:10:29 EDT 2009
                    FreeBSD 7.1-RELEASE-p5 i386
                    snapshot from http://snapshots.pfsense.org/FreeBSD_RELENG_7_1/pfSense_RELENG_1_2/updates/pfSense-Full-Update-1.2.3-20090605-0110.tgz

                    Processor: VIA Samuel 2 (800 MHz)
                    RAM: 512 MB PC133

                    It's an IP3 Gateway (series 100) that I modded and loaded pfSense on about 3 months ago. I've never had a problem with it before; Snort has worked perfectly until this last week. Also, I've made no significant system changes aside from the snapshot version I updated yesterday because I thought that might help (I had run out of ideas and had some time on my hands).

                    Thank you in advance for your input.  I've seen you've been working on this a lot lately!

                    No problem, thanx for the feedback.

                    Your system specs are low. I still need to adjust my code for your type of system.
                    In a few hours I'll upload code to reduce system resources for users with your system specs.
                    Don't say sir too, you make me feel old. ;)

                    thanx
                    james

                      jerrygoldsmith

                      @jamesdean:

                      No problem, thanx for the feedback.

                      Your system specs are low. I still need to adjust my code for your type of system.
                      In a few hours I'll upload code to reduce system resources for users with your system specs.
                      Don't say sir too, you make me feel old. ;)

                      thanx
                      james

                      Actually, I only use a few rule sets and it's worked wonderfully for the past 3 months, maybe 4. So I'm not sure the specs would be the problem unless there has been a major change in code? I thought perhaps there were some remnant files left over, and that is what was causing it to hang. But if you think it's the code I'll just wait.

                      I should have included this before, but my box only uses about 40%-50% memory and 30-40% CPU. I use ac-sparsebands (the others usually don't let Snort start).
                      I have the following things running:
                      SSH (I'm always tunneled in, I travel for work)
                      Radius (sometimes on, usually not)
                      VN stat

                      As for 'Sir', it's a work habit. I call them 'Sir' by default so I don't accidentally call them the names I use for them in my head….. :p

                      Thanks again.

                        jamesdean

                        Hey jerrygoldsmith

                        You should try "ac-bnfa", it's the best setting.
                        Hope to finish coding some time early this morning.

                        james

                          jerrygoldsmith

                          No rush dude.  I'm off work for 2 weeks so I'm just geeking out on some projects.  Thanks again for your help.

                            serialdie

                            James,

                            This is the same problem I had with the "extracting rules"… I am using lowmem... I am going to try your suggestion... I am also interested in your new code; it might help me as well with my setup...

                            TIA!

                              jamesdean

                              New code going up in 10 min.

                              Added or fixed:

                              Hopefully improved rule extraction.

                              Advanced Shared Object Rules from private companies.

                              Fixed old snort double start error. Snort should start faster.

                              ToDo:

                              Backup rules option (finished coding, testing). (so after reinstalls no more downloading.)
                              www.emergingthreats.net rules will be added.
                              New RSS tab.

                                serialdie

                                Reinstalled Snort 2.4.8.1 v1.0
                                Rules updates went great but I still get this error:

                                snort[20732]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules

                                Which requires a restart of the system to get fixed…

                                  serialdie

                                  This time the system is not blocking anything on the alerts tab…

                                  i.e.:

                                  06/07-10:00:27.491182 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.220.11:80 -> MY IP:36482
                                  06/07-10:00:29.492106 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.220.11:80 -> MY IP:26976
                                  06/07-10:01:03.507222 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.218.11:80 -> MY IP:19943

                                  The IP

                                  76.13.218.11

                                  is not being blocked.

                                  Ok, it's official, it's not blocking for me at all…

                                  There are currently no items being blocked by snort.

                                  Anybody else having the same problem?

                                  Update: changed to lowmem and now it blocks some of the IP's but not all.

                                    jamesdean

                                    serialdie

                                    Then go to www.grc.com and use "ShieldsUP" to test your firewall.
                                    Do a port scan there.

                                    james

                                      serialdie

                                      James,

                                      Thank you for your reply. I did the port scan and it came back stealth, and snort caught the IP and blocked it….
                                      Funny part is, when I am doing the test and I get different IPs doing the same exploit, it only blocks one IP and not the other IP.

                                      Update: here is an example:

                                      06/07-10:10:17.526632 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.212.11:80 -> MY IP:41951
                                      06/07-10:22:28.385658 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 74.6.104.11:80 -> MY IP:14127

                                      In this case IP 74.6.104.11 was blocked but IP 76.13.212.11 was not blocked.
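As an added example (not code from the pfSense snort package, snort2c, or anyone in this thread), the script below parses Snort fast-format alert lines like the ones posted above and lists every alerting source that is missing from the blocker's table. That is the check a defender wants when alerts keep firing but the blocked list stays empty or only contains some of the offending addresses. The alert lines, the victim address 192.0.2.10, the priority-3 local rule (SID 1000001) and the BLOCKED set are constructed for the demo; the SID 1394 alerts reuse the addresses shown in the thread. On a real box the blocked set would be read from the blocker's state, which this example does not do.

```python
"""Audit Snort fast-alert lines against a blocker's table of blocked sources.

Added example; not code from the pfSense snort package or snort2c.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional, Set

# One Snort fast-alert line. The forum rendering adds spaces inside the
# brackets ("[ ** ]", "[ 1:1394:10 ]"), so the pattern tolerates both forms.
# IPv4 only: an IPv6 address would confuse the "addr:port" split.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\s*\*\*\s*\]\s+\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s+"
    r"(?P<msg>.*?)\s+\[\s*\*\*\s*\]\s+"
    r"(?:\[\s*Classification:\s*(?P<cls>[^\]]*?)\s*\]\s+)?"
    r"\[\s*Priority:\s*(?P<prio>\d+)\s*\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None

    def port(value: Optional[str]) -> Optional[int]:
        return int(value) if value is not None else None

    return Alert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"] or "", priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], sport=port(m["sport"]),
        dst=m["dst"], dport=port(m["dport"]),
    )


def unblocked_sources(lines: Iterable[str], blocked: Set[str],
                      max_priority: int = 1) -> List[str]:
    """Source addresses that raised an alert of priority <= max_priority
    (priority 1 is the most severe in Snort) but are absent from `blocked`."""
    offenders = {a.src for a in map(parse_alert, lines)
                 if a is not None and a.priority <= max_priority}
    return sorted(offenders - blocked, key=ip_address)


# Constructed sample input: the SID 1394 lines mirror the thread (victim
# address replaced by 192.0.2.10); the third line keeps the forum's spaced
# brackets; the last line is a made-up low-priority local rule.
SAMPLE_ALERTS = [
    "06/07-10:10:17.526632 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "76.13.212.11:80 -> 192.0.2.10:41951",
    "06/07-10:22:28.385658 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "74.6.104.11:80 -> 192.0.2.10:14127",
    "06/07-10:01:03.507222 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] "
    "[ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} "
    "76.13.218.11:80 -> 192.0.2.10:19943",
    "06/07-10:30:00.000000 [**] [1:1000001:1] LOCAL test rule [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
]

# Constructed blocker state: only one of the alerting sources is blocked,
# which is the situation described in the thread.
BLOCKED = {"74.6.104.11"}

if __name__ == "__main__":
    for src in unblocked_sources(SAMPLE_ALERTS, BLOCKED):
        print(f"alerted but not blocked: {src}")
```

Raising `max_priority` widens the audit to lower-severity alerts; the default of 1 matches the priority of the SHELLCODE alerts in the thread.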

                                        jamesdean

                                        Forgot to mention: after reboots,
                                        you need to start snort again from the settings tab (click save).
                                        This is because snort won't start snort2c after reboots. (snort2c is the app that blocks alerts.)
                                        Snort2c not starting after reboots has been in the snort package as long as I can remember.

                                        I'm glad that the snort updates finished.

                                        This error means that your system for some reason isn't seeing the new files.
                                        Going to add a "rehash" after installs; hopefully that will fix the issue.
                                        "snort[20732]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules"

                                        James
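The "Unable to open rules file" error quoted above comes from an `include` in snort.conf that resolves to nothing at start time. As an added example (not code from the pfSense snort package), the script below performs the pre-flight check a package could run before starting snort: it reads `var`/`include` lines from a snort.conf, expands `$RULE_PATH`-style references, tries each include path as written and then relative to the directory holding snort.conf (the two candidates named in the error message), and reports every include that exists at neither location. The temporary directory tree built by `build_demo_tree()` is constructed for the demo and deliberately omits local.rules.

```python
"""Pre-flight check for missing rule files referenced by a snort.conf.

Added example; not code from the pfSense snort package. The search order
(path as written, then relative to the config directory) is an assumption
taken from the wording of the error message in the thread.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

VAR_RE = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")
REF_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")

# (line number, include path as written, candidate paths that were tried)
Missing = Tuple[int, str, List[str]]


def expand_vars(value: str, variables: Dict[str, str]) -> str:
    """Replace $NAME / ${NAME} references; unknown names are left untouched."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1) or m.group(2)
        return variables.get(name, m.group(0))
    return REF_RE.sub(repl, value)


def check_includes(conf_path: "os.PathLike[str]") -> List[Missing]:
    """Return every include in conf_path that resolves to no existing file."""
    conf_path = Path(conf_path)
    conf_dir = conf_path.parent
    variables: Dict[str, str] = {}
    missing: List[Missing] = []
    with conf_path.open() as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            m = VAR_RE.match(line)
            if m:
                # Variables may reference earlier variables, so expand eagerly.
                variables[m.group(1)] = expand_vars(m.group(2), variables)
                continue
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = expand_vars(m.group(1), variables)
            candidates = [Path(target)]                # as written (absolute or cwd-relative)
            if not os.path.isabs(target):
                candidates.append(conf_dir / target)   # relative to the config file
            if not any(c.is_file() for c in candidates):
                missing.append((lineno, target, [str(c) for c in candidates]))
    return missing


def build_demo_tree() -> Path:
    """Constructed layout for the demo: etc/snort/snort.conf plus etc/rules/,
    with local.rules intentionally absent. Returns the snort.conf path."""
    root = Path(tempfile.mkdtemp(prefix="snort-preflight-demo-"))
    etc = root / "etc" / "snort"
    rules = root / "etc" / "rules"
    etc.mkdir(parents=True)
    rules.mkdir(parents=True)
    (rules / "shellcode.rules").write_text("# constructed placeholder\n")
    (etc / "classification.config").write_text("# constructed placeholder\n")
    conf = etc / "snort.conf"
    conf.write_text(
        "var RULE_PATH ../rules\n"
        "include classification.config\n"
        "include $RULE_PATH/shellcode.rules\n"
        "include $RULE_PATH/local.rules   # deliberately absent\n"
    )
    return conf


if __name__ == "__main__":
    for lineno, include, tried in check_includes(build_demo_tree()):
        print(f"snort.conf line {lineno}: include {include} not found; tried {tried}")
```

Running the check before the start command, and refusing to start when the list is non-empty, turns the fatal error at snort start-up into an actionable message naming the include line and the paths that were tried.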

                                          serialdie

                                          James,

                                          Thank you for the fast reply. Blocking is now working.
                                          Thank you for your hard work!

                                            jerrygoldsmith

                                            Sweeeeet…..

                                            It's working, though my services list shows it as stopped even though it's actively logging/blocking. Now I just have to fix my syslog (update of snapshot probably) so I can get a more detailed look at my Snort logs.

                                            But since it's up and blocking I think that means it's 100% :D And mine has always started after reboot. Just tested it, and it started automatically after reboot as it's logging/blocking, though it shows as stopped in the Services tab and won't start there. But as it's working I'll leave it alone!

                                            Thanks man, you rock.   And roll.   All night long.

                                            edit
                                            with no traffic
                                            CPU usage - 29%
                                            Memory usage - 34%
                                            Not bad.   Slight usage drop after switching to the different memory usage, might be able to fit in a few more rule sets…...

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.