Re: Snort package should work now…Post problems here.
-
1.2.3-RC2, Snort 2.8.4.1 pkg v. 1.2
Snort does not update correctly. From the GUI, it appears to download the rules but never creates the ../rules folder (and I only see the Snort tar.gz.md5 file in the snort folder).
I'm having to manually download the rules, and place them in /usr/local/etc/snort/rules every time I want to update.
My fault. I was updating code yesterday and broke snort for a little while when I was updating code and I forgot to update the version number.
Just reinstall the snort package and the problem will go away.
I just did a test and it's working for me with the latest code.
James
-
Snort 2.8.4.1 pkg v. 1.3
PFSense version 1.2.1 built on Thu Dec 25 14:48:40 EST 2008
Hardware: VIA ITX, VIA C3 Samuel 2 800 MHz
Rules updates are not working correctly. The script downloads the latest rules, but watching the drive activity light on the machine, it stops during the 'extracting the rules' stage.
I have rebooted, no change.
I have reinstalled the package, tried removing and reinstalling the package, no change.
I am fairly sure it is not a space or memory issue as the drive the PFSense install is on is largely unused and the system has a gig of physical memory.
Example stats from top:
Mem: 48M Active, 39M Inact, 129M Wired, 1212K Cache, 109M Buf, 759M Free
Using firefox, the throbber stops and top doesn't show tar running. Using IE (shudder), it seems to get further but exhibits the same end result. This makes me think that it's timing out, but it's never been a problem previously.
Using the script as a guide, I manually installed the rules but now have the error of "FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules" appearing in the logs. snort2c does end up running in the end.
-
@JDC:
Snort 2.8.4.1 pkg v. 1.3
PFSense version 1.2.1 built on Thu Dec 25 14:48:40 EST 2008
Hardware: VIA ITX, VIA C3 Samuel 2 800 MHz
Rules updates are not working correctly. The script downloads the latest rules, but watching the drive activity light on the machine, it stops during the 'extracting the rules' stage.
I have rebooted, no change.
I have reinstalled the package, tried removing and reinstalling the package, no change.
I am fairly sure it is not a space or memory issue as the drive the PFSense install is on is largely unused and the system has a gig of physical memory.
Example stats from top:
Mem: 48M Active, 39M Inact, 129M Wired, 1212K Cache, 109M Buf, 759M Free
Using firefox, the throbber stops and top doesn't show tar running. Using IE (shudder), it seems to get further but exhibits the same end result. This makes me think that it's timing out, but it's never been a problem previously.
Using the script as a guide, I manually installed the rules but now have the error of "FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules" appearing in the logs. snort2c does end up running in the end.
PFSense version 1.2.1 ?
Can you please tell me the output of
uname -a
ls /usr/local/etc/snort/rules
james
-
uname -a:
FreeBSD 7.0-RELEASE-p7 FreeBSD 7.0-RELEASE-p7 #0: Thu Dec 25 14:39:15 EST 2008 sullrich@freebsd7-releng_1_2_1.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense_SMP.7 i386
ls /usr/local/etc/snort/rules
Makefile.am ddos.rules icmp-info.rules mysql.rules pfsense-voip.rules smtp.rules voip.rules web-misc.so.rules
VRT-License.txt deleted.rules icmp.rules netbios.rules policy.rules smtp.so.rules web-activex.rules web-php.rules
attack-responses.rules dns.rules imap.rules netbios.so.rules pop2.rules snmp.rules web-attacks.rules x11.rules
backdoor.rules dos.rules imap.so.rules nntp.rules pop3.rules specific-threats.rules web-cgi.rules
bad-traffic.rules dos.so.rules info.rules nntp.so.rules porn.rules spyware-put.rules web-client.rules
bad-traffic.so.rules experimental.rules local.rules open-test.conf rpc.rules sql.rules web-client.so.rules
cgi-bin.list exploit.rules misc.rules oracle.rules rservices.rules sql.so.rules web-coldfusion.rules
chat.rules exploit.so.rules misc.so.rules other-ids.rules scada.rules telnet.rules web-frontpage.rules
chat.so.rules finger.rules multimedia.rules p2p.rules scan.rules tftp.rules web-iis.rules
content-replace.rules ftp.rules multimedia.so.rules p2p.so.rules shellcode.rules virus.rules web-misc.rules
-
I can't figure out why your system is not seeing /usr/local/etc/snort/rules/local.rules, even when the file exists.
I can't reproduce this type of error. Do me a favor, in the terminal type:
ee /usr/local/etc/snort/rules/local.rules
add a # in the file,
and then restart snort through the terminal
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -v -i ng0
-
Contents of /usr/local/etc/snort/rules/local.rules:
# $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.
# ls -l /usr/local/etc/snort/rules/local.rules
-rw-r--r-- 1 root wheel 199 Jun 27 16:59 /usr/local/etc/snort/rules/local.rules
Where would I put the addition? Beginning or end?
EDIT: I tried restarting snort via the GUI again and this time it worked without any errors. Go figure.
And as for the automagic update failing, am I correct in my idea that it's just timing out? I could rerun the extract commands and time it (something I should have done, sorry).
-
I'm glad snort package is working for you.
Timing out? Make sure you wait 15 min before trying to update.
James
-
That's the download stage that needs to wait 15 minutes I believe.
The download phase works fine, it's during the extraction that the apparent timeout happens.
-
@JDC:
That's the download stage that needs to wait 15 minutes I believe.
The download phase works fine, it's during the extraction that the apparent timeout happens.
I'm using an ALIX 2d3 board that's 500 MHz and 256 RAM and it takes around 5 minutes to extract.
Give it some more time….
James
-
I'm using an ALIX 2d3 board that's 500 MHz and 256 RAM and it takes around 5 minutes to extract.
Give it some more time….
I gave it several hours during one attempt and it never progressed beyond the extracting rules phase.