Netgate Discussion Forum

Snort Update and Oinkmaster.conf

pfSense Packages
29 Posts 5 Posters 17.0k Views
serialdie wrote:

James,

This is the same problem I had with the "extracting rules"… I am using lowmem... I am going to try your suggestion... I am also interested in your new code; it might help me as well with my setup...

TIA!
jamesdean wrote:

New code going up in 10 min.

Added or fixed:

Hopefully improved rule extraction.

Advanced Shared Object Rules from private companies.

Fixed old snort double start error. Snort should start faster.

ToDo:

Backup rules option (finished coding, testing). (So after reinstalls, no more downloading.)
www.emergingthreats.net rules will be added.
New RSS tab.
serialdie wrote:

Reinstalled Snort 2.4.8.1 v1.0
Rules updates went great but I still get this error:

snort[20732]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules

Which requires a restart of the system to get fixed…
serialdie wrote:

This time the system is not blocking anything on the alerts tab…

i.e.:

06/07-10:00:27.491182 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.220.11:80 -> MY IP:36482
06/07-10:00:29.492106 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.220.11:80 -> MY IP:26976
06/07-10:01:03.507222 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.218.11:80 -> MY IP:19943

The IP 76.13.218.11 is not being blocked.

Ok, it's official, it is not blocking for me at all…

There are currently no items being blocked by snort.

Anybody else having the same problem?

Update: changed to lowmem and now it blocks some of the IPs but not all.
jamesdean wrote:

serialdie

Then go to www.grc.com and use "Shields Up" to test your firewall.
Do a port scan there.

james
serialdie wrote:

James,

Thank you for your reply. I did the port scan and it came back stealth and snort caught the IP and blocked it….
Funny part is, when I am doing the test and I get different IPs doing the same exploit, it only blocks one IP and not the other IP.

Update: here is an example:

06/07-10:10:17.526632 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.212.11:80 -> MY IP:41951
06/07-10:22:28.385658 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 74.6.104.11:80 -> MY IP:14127

In this case IP 74.6.104.11 was blocked but IP 76.13.212.11 was not blocked.
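The symptom in the two posts above (a source keeps tripping a priority-1 alert, yet never shows up as blocked) can be checked mechanically instead of by eye. The script below is an added example for this thread; it is not code from the pfSense Snort package, from snort2c, or from anyone posting here. It parses Snort's one-line "alert_fast" format (the same layout as the alert lines quoted above) and diffs the alerting sources against a block list. The alert lines and the block-table contents are constructed for the example; on pfSense the block list would be the snort2c pf table (assumed to be readable with `pfctl -t snort2c -T show`), which this script does not call.

```python
"""Cross-check Snort alert_fast lines against a block table.

Constructed example for this thread; it is not code from the pfSense Snort
package. Sample alerts and the block-table contents are made up, and the
table name "snort2c" / the pfctl command are assumptions, not verified facts.
"""
import re
from collections import Counter

# One-line alert_fast layout (IPv4 assumed; ports are absent for ICMP):
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"""
    ^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+
    \[\s*\*\*\s*\]\s+\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s+
    (?P<msg>.*?)\s+\[\s*\*\*\s*\]\s+
    (?:\[\s*Classification:\s*(?P<classification>[^\]]*?)\s*\]\s+)?
    \[\s*Priority:\s*(?P<priority>\d+)\s*\]\s+
    \{(?P<proto>[A-Z]+)\}\s+
    (?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$
    """,
    re.VERBOSE,
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_alerts(lines):
    """Parse every alert line; anything that does not match the format is skipped."""
    return [rec for rec in (parse_alert(line) for line in lines) if rec]


def parse_pf_table(text):
    """Turn `pfctl -t <table> -T show` style output (one address per line) into a set."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def alert_counts_by_source(alerts):
    """Number of alerts seen per source address."""
    return Counter(rec["src"] for rec in alerts)


def unblocked_sources(alerts, blocked, max_priority=1):
    """Sources that alerted at priority <= max_priority (1 is the most severe)
    yet are missing from the block table."""
    return {rec["src"] for rec in alerts
            if rec["priority"] <= max_priority and rec["src"] not in blocked}


# Constructed sample data, laid out like the alerts quoted in the thread
# (documentation-range addresses; 192.0.2.10 stands in for "MY IP").
SAMPLE_ALERTS = """\
06/07-10:00:27.491182 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.11:80 -> 192.0.2.10:36482
06/07-10:00:29.492106 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.11:80 -> 192.0.2.10:26976
06/07-10:01:03.507222 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.12:80 -> 192.0.2.10:19943
06/07-10:22:28.385658 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.0.2.10:14127
06/07-10:30:00.000000 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
Jun  7 10:31:00 fw snort[20732]: not an alert line, should be skipped
"""

# Constructed stand-in for `pfctl -t snort2c -T show` output (table name assumed).
SAMPLE_BLOCK_TABLE = """\
   203.0.113.5
"""


def report(alert_text, table_text, max_priority=1):
    """Map each alerting-but-unblocked source to its alert count."""
    alerts = parse_alerts(alert_text.splitlines())
    blocked = parse_pf_table(table_text)
    counts = alert_counts_by_source(alerts)
    missing = unblocked_sources(alerts, blocked, max_priority)
    return {src: counts[src] for src in sorted(missing)}


if __name__ == "__main__":
    for src, n in report(SAMPLE_ALERTS, SAMPLE_BLOCK_TABLE).items():
        print(f"{src} alerted {n} time(s) but is not in the block table")
```

Run against a real alert file and table dump, `report()` gives the list of sources that should have been blocked but were not, which is exactly the comparison done by hand in the posts above. The `max_priority` knob mirrors snort2c's usual behaviour of acting only on the more severe alerts; raise it to include lower-priority ones. The regex assumes IPv4 addresses because it splits host and port on the colon.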
jamesdean wrote:

Forgot to mention, after reboots.
You need to start snort again from the settings tab. (Click the save.)
This is because snort won't start snort2c after reboots. (snort2c is the app that blocks alerts.)
Snort2c not starting after reboots has been in the snort package as long as I can remember.

I'm glad that the snort updates finished.

This error means that your system for some reason isn't seeing the new files.
Going to add a "rehash" after installs; hopefully that will fix the issue.
"snort[20732]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules"

James
serialdie wrote:

James,

Thank you for the fast reply. Blocking is now working.
Thank you for your hard work!
jerrygoldsmith wrote:

Sweeeeet…..

It's working, though my services list shows it as stopped even though it's actively logging/blocking. Now I just have to fix my syslog (update of snapshot probably) so I can get a more detailed look at my Snort logs.

But since it's up and blocking I think that means it's 100% :D And mine has always started after reboot. Just tested it, and it started automatically after reboot as it's logging/blocking, though it shows as stopped in the Services tab and won't start there. But as it's working I'll leave it alone!

Thanks man, you rock. And roll. All night long.

Edit:
With no traffic
CPU usage - 29%
Memory usage - 34%
Not bad. Slight usage drop after switching to the different memory usage; might be able to fit in a few more rule sets…...
jamesdean wrote:

Glad to see you guys with low system specs are running the snort package.

Snort2c starting for some of us and not starting for some of us might be related to system memory.
I'm going to add more memory to my system and see if it helps.

James
serialdie wrote:

Ok, now after I get more than one block in the Blocked tab the system CPU shoots off the roof, rendering the system almost unusable.
It was not doing that in the previous pkg…. Any idea what's going on?

Edit:

Top shows that php is what's driving the cpu load crazy... and it only does it when I go to the blocked tab..
Any ideas?

Edit 2:

I let the Blocked page load, and after 4 min of trying to load it finally did, revealing a few IPs blocked... Once the page loaded, the CPU load went down to the average of 1% to 5%.... It looks like something is not right...
jamesdean wrote:

@serialdie:

    Ok, now after I get more than one block in the Blocked tab the system CPU shoots off the roof, rendering the system almost unusable.
    It was not doing that in the previous pkg…. Any idea what's going on?

    Edit:

    Top shows that php is what's driving the cpu load crazy... and it only does it when I go to the blocked tab..
    Any ideas?

    Edit 2:

    I let the Blocked page load, and after 4 min of trying to load it finally did, revealing a few IPs blocked... Once the page loaded, the CPU load went down to the average of 1% to 5%.... It looks like something is not right...

I have not touched any code related to the blocked tab. I have tried to reproduce the error but everything looks fine.
At most my system uses 3% when I click on the block tab. (I'm using Firefox.)
Holy crap, just used IE8 on the pfSense GUI, the GUI responds 4x faster. wow.

What web browser are you using?

james
serialdie wrote:

I tried all of them and they do the same thing… Opera, Firefox, IE, Konqueror, Safari, etc....

Should I reinstall?
jamesdean wrote:

No, don't reinstall, you're killing your flash card.

I suspect all your problems are related to your hardware specs.
When I get the board you mailed me I'll install pfSense on there.
I should start to see the same glitches. Then I'll be able to fix the hiccups asap.

Just run snort as is for now. Don't worry, I'll get to the bottom of this.
Also, I'm still adding features, so don't reinstall for a while.

james
serialdie wrote:

Got it James.

Thank you very much!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.