Netgate Discussion Forum
    Re: Snort package should work now…Post problems here.

    • jamesdean

      Now that the snort package is working pretty well (not perfect, but well), here is some advice for our userbase.
      This is for people who just started using the snort package.

      Write down all external IPs that are very important to you and make sure they are in the whitelist tab. Don't write down every webpage you visit, just mail servers and FTP servers that are yours.

      Do not click Block offenders right away. Leave it off for a few days and write down all the rules you know are giving false positives.
      For example, a lot of the web-client.rules always give me false positives. Then I turn off those rules that I know are noisy by clicking on the Rules tab.
      Then after a few days turn on the Block offenders option and you should see a reduction in the number of alerts that are false positives.

      Never be afraid to ask questions here; just make sure you check the Snort FAQ first. I or someone else usually respond pretty quickly.

      James

      • webdork
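The advice above to note which rules keep firing before switching on Block offenders is easier with a count per rule. The script below is an added example, not code from the thread or the pfSense package; it tallies an alert_fast-style log by generator:signature id, and the alert lines and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): tally an
# alert_fast log by generator:signature id so the noisiest rules can be
# reviewed, and disabled on the Rules tab if they are false positives,
# before "Block offenders" is turned on. The alert lines are constructed.

ALERT_FILE=$(mktemp)
cat > "$ALERT_FILE" <<'EOF'
06/27-16:59:01.000001  [**] [1:1000001:1] CONSTRUCTED web-client test sig A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.10:51012
06/27-16:59:02.000002  [**] [1:1000002:1] CONSTRUCTED web-misc test sig B [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.8:80 -> 192.0.2.10:51013
06/27-16:59:03.000003  [**] [1:1000001:1] CONSTRUCTED web-client test sig A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.11:51014
06/27-16:59:04.000004  [**] [1:1000003:1] CONSTRUCTED smtp test sig C [**] [Classification: Misc activity] [Priority: 2] {TCP} 192.0.2.10:25 -> 198.51.100.9:4430
06/27-16:59:05.000005  [**] [1:1000001:1] CONSTRUCTED web-client test sig A [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.12:51015
06/27-16:59:06.000006  [**] [1:1000002:1] CONSTRUCTED web-misc test sig B [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.8:80 -> 192.0.2.10:51016
EOF

# Print "<count> <gid:sid> <message>" for every rule seen, noisiest first.
tally_alerts() {
    # $1: path to an alert_fast log file
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            id = substr($0, RSTART + 1, RLENGTH - 2)   # gid:sid:rev
            sub(/:[0-9]+$/, "", id)                      # drop the rev
            rest = substr($0, RSTART + RLENGTH)
            sub(/^ */, "", rest)
            sub(/ \[\*\*\].*/, "", rest)                 # keep the message only
            count[id]++; msg[id] = rest
        }
        END { for (i in count) printf "%d %s %s\n", count[i], i, msg[i] }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print only the gid:sid of rules that fired at least $2 times: the review list.
noisy_rules() {
    tally_alerts "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }'
}

tally_alerts "$ALERT_FILE"
```

Run it against /var/log/snort/alert on the firewall after a few days of alert-only operation; rules that dominate the list and match known-good traffic are the candidates to disable.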

        1.2.3-RC2,  Snort 2.8.4.1 pkg v. 1.2

        Snort does not update correctly. From the GUI, it appears to download the rules but never creates the ../rules folder (and I only see the Snort tar.gz.md5 file in the snort folder).

        I'm having to download the rules manually and place them in /usr/local/etc/snort/rules every time I want to update.

        • jamesdean

          @webdork:

          1.2.3-RC2,  Snort 2.8.4.1 pkg v. 1.2

          Snort does not update correctly. From the GUI, it appears to download the rules but never creates the ../rules folder (and I only see the Snort tar.gz.md5 file in the snort folder).

          I'm having to download the rules manually and place them in /usr/local/etc/snort/rules every time I want to update.

          My fault. I was updating code yesterday and broke snort for a little while, and I forgot to update the version number.

          Just reinstall the snort package and the problem will go away.

          I just did a test and it's working for me with the latest code.

          James

          • JDC

            Snort 2.8.4.1 pkg v. 1.3
            pfSense version 1.2.1 built on Thu Dec 25 14:48:40 EST 2008
            Hardware: VIA ITX, VIA C3 Samuel 2 800 MHz

            Rules updates are not working correctly.  The script downloads the latest rules, but watching the drive activity light on the machine, it stops during the 'extracting the rules' stage.

            I have rebooted, no change.
            I have reinstalled the package, tried removing and reinstalling the package, no change.

            I am fairly sure it is not a space or memory issue, as the drive the pfSense install is on is largely unused and the system has a gig of physical memory.

            Example stats from top:
            Mem: 48M Active, 39M Inact, 129M Wired, 1212K Cache, 109M Buf, 759M Free

            Using firefox, the throbber stops and top doesn't show tar running.  Using IE (shudder), it seems to get further but exhibits the same end result.  This makes me think that it's timing out, but it's never been a problem previously.

            Using the script as a guide, I manually installed the rules but now have the error of "FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules" appearing in the logs.  snort2c does end up running in the end.

            • jamesdean
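The "Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules" message names the two places Snort looks for an include: the path as written, relative to the working directory, and the same path relative to the directory holding snort.conf. The checker below is an added example, not code from the thread or the pfSense package; it walks a snort.conf, expands `$RULE_PATH`, and reports any include that resolves to neither location. The config and rules directory it runs against are constructed in a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense package: check that
# every "include" in a snort.conf resolves to a readable file, trying the path
# as written (relative to the working directory) and then relative to the
# directory holding the config. Those are the two candidates Snort names in
# the "Unable to open rules file: X or Y" error quoted above. The config and
# rules directory below are constructed in a temp dir for the demo.

check_snort_includes() {
    # $1: path to snort.conf. Prints one line per unresolvable include and
    # returns non-zero if any were found.
    conf=$1
    confdir=$(cd "$(dirname "$conf")" && pwd)
    rule_path=
    missing=0
    while IFS= read -r line; do
        case $line in
            "var RULE_PATH "*)
                rule_path=${line#var RULE_PATH }
                rule_path=${rule_path%% *} ;;          # drop trailing comment
            "include "*)
                inc=${line#include }
                inc=${inc%% *}
                # expand $RULE_PATH the way snort.conf uses its own variable
                case $inc in *'$RULE_PATH'*) inc=${rule_path}${inc#*'$RULE_PATH'} ;; esac
                if [ -r "$inc" ] || [ -r "$confdir/$inc" ]; then
                    :
                else
                    printf 'missing: %s or %s\n' "$inc" "$confdir/$inc"
                    missing=$((missing + 1))
                fi ;;
        esac
    done < "$conf"
    [ "$missing" -eq 0 ]
}

# Demo setup (constructed): the rules dir has web-misc.rules but no
# local.rules, which reproduces the kind of error reported in the thread.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/snort" "$DEMO/etc/rules"
: > "$DEMO/etc/rules/web-misc.rules"
cat > "$DEMO/etc/snort/snort.conf" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/local.rules
EOF
check_snort_includes "$DEMO/etc/snort/snort.conf" || echo "fix the missing includes before starting snort"
```

On a pfSense box the same function can be pointed at /usr/local/etc/snort/snort.conf to confirm every rules file the config expects is actually present after a rules update.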

              @JDC:

              Snort 2.8.4.1 pkg v. 1.3
              pfSense version 1.2.1 built on Thu Dec 25 14:48:40 EST 2008
              Hardware: VIA ITX, VIA C3 Samuel 2 800 MHz

              Rules updates are not working correctly.  The script downloads the latest rules, but watching the drive activity light on the machine, it stops during the 'extracting the rules' stage.

              I have rebooted, no change.
              I have reinstalled the package, tried removing and reinstalling the package, no change.

              I am fairly sure it is not a space or memory issue, as the drive the pfSense install is on is largely unused and the system has a gig of physical memory.

              Example stats from top:
              Mem: 48M Active, 39M Inact, 129M Wired, 1212K Cache, 109M Buf, 759M Free

              Using firefox, the throbber stops and top doesn't show tar running.  Using IE (shudder), it seems to get further but exhibits the same end result.  This makes me think that it's timing out, but it's never been a problem previously.

              Using the script as a guide, I manually installed the rules but now have the error of "FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules" appearing in the logs.  snort2c does end up running in the end.

              pfSense version 1.2.1?

              Can you please tell me the output of:
              uname -a

              ls /usr/local/etc/snort/rules

              james

              • JDC

                uname -a:

                FreeBSD 7.0-RELEASE-p7 FreeBSD 7.0-RELEASE-p7 #0: Thu Dec 25 14:39:15 EST 2008    sullrich@freebsd7-releng_1_2_1.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense_SMP.7  i386

                ls /usr/local/etc/snort/rules

                Makefile.am            ddos.rules              icmp-info.rules        mysql.rules            pfsense-voip.rules      smtp.rules              voip.rules              web-misc.so.rules
                VRT-License.txt        deleted.rules          icmp.rules              netbios.rules          policy.rules            smtp.so.rules          web-activex.rules      web-php.rules
                attack-responses.rules  dns.rules              imap.rules              netbios.so.rules        pop2.rules              snmp.rules              web-attacks.rules      x11.rules
                backdoor.rules          dos.rules              imap.so.rules          nntp.rules              pop3.rules              specific-threats.rules  web-cgi.rules
                bad-traffic.rules      dos.so.rules            info.rules              nntp.so.rules          porn.rules              spyware-put.rules      web-client.rules
                bad-traffic.so.rules    experimental.rules      local.rules            open-test.conf          rpc.rules              sql.rules              web-client.so.rules
                cgi-bin.list            exploit.rules          misc.rules              oracle.rules            rservices.rules        sql.so.rules            web-coldfusion.rules
                chat.rules              exploit.so.rules        misc.so.rules          other-ids.rules        scada.rules            telnet.rules            web-frontpage.rules
                chat.so.rules          finger.rules            multimedia.rules        p2p.rules              scan.rules              tftp.rules              web-iis.rules
                content-replace.rules  ftp.rules              multimedia.so.rules    p2p.so.rules            shellcode.rules        virus.rules            web-misc.rules

                • jamesdean

                  I can't figure out why your system is not seeing /usr/local/etc/snort/rules/local.rules, even when the file exists.
                  I can't reproduce this type of error.

                  Do me a favor: in the terminal, type

                  ee /usr/local/etc/snort/rules/local.rules

                  add a # in the file,

                  and then restart snort through the terminal:

                  snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -v -i ng0

                  • JDC

                    Contents of /usr/local/etc/snort/rules/local.rules:

                    # $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
                    # ----------------
                    # LOCAL RULES
                    # ----------------
                    # This file intentionally does not come with signatures.  Put your local
                    # additions here.
                    
                    # ls -l /usr/local/etc/snort/rules/local.rules
                    -rw-r--r--  1 root  wheel  199 Jun 27 16:59 /usr/local/etc/snort/rules/local.rules
                    

                    Where would I put the addition?  Beginning or end?

                    EDIT: I tried restarting snort via the GUI again and this time it worked without any errors.  Go figure.

                    And as for the automagic update failing, am I correct in my idea that it's just timing out?  I could rerun the extract commands and time it (something I should have done, sorry).

                    • jamesdean

                      I'm glad the snort package is working for you.

                      Timing out? Make sure you wait 15 min before trying to update.

                      James

                      • JDC

                        That's the download stage that needs to wait 15 minutes I believe.

                        The download phase works fine, it's during the extraction that the apparent timeout happens.

                        • jamesdean

                          @JDC:

                          That's the download stage that needs to wait 15 minutes I believe.

                          The download phase works fine, it's during the extraction that the apparent timeout happens.

                          I'm using an ALIX 2d3 board that's 500 MHz and 256 RAM and it takes around 5 minutes to extract.

                          Give it some more time….

                          James

                          • JDC

                            @jamesdean:

                            I'm using an ALIX 2d3 board that's 500 MHz and 256 RAM and it takes around 5 minutes to extract.

                            Give it some more time….

                            I gave it several hours during one attempt and it never progressed beyond the extracting rules phase.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.