Netgate Discussion Forum
    Just Update to Services: Snort 2.8.4.1 pkg v. 1.4 (But Snort has no blocking)

    pfSense Packages
    37 Posts 7 Posters 12.8k Views
    • Davc

      This is my pfSense spec:

      Version: 1.2.3-RC1
      Kernel Version: FreeBSD 7.1-RELEASE-p5
      Model: Intel(R) Pentium(R) 4 CPU 3.00GHz
      PCI Devices: atapci0: Intel ICH6 UDMA100 controller
      em1: Intel(R) PRO/1000 Network Connection 6.9.6
      em2: Intel(R) PRO/1000 Network Connection 6.9.6
      Physical Memory: Free 2.64 GB, Used 347.19 MB, Size 2.98 GB, Percent Capacity 11%

      Snort: Services: Snort 2.8.4.1 pkg v. 1.4
      Currently I have only enabled ddos.rules / emerging-rbn.rules to test.

      I also installed Squid+SquidGuard+Rate+bandwidthd+phpSysInfo

      I got the Snort package reinstalled today and rebooted the box. Now I get a number of alert messages but still no IP blocking.

      With v1.3 I could get up to 350 blocked IPs within an hour.

      Cheers,
      David

      • Davc

        Agreed, the new "Threshold" feature is excellent. We no longer need to edit the file at /usr/local/etc/snort/threshold.conf. The GUI makes life a lot easier. Many thanks to James.  ;)

        I can now easily suppress the two frequent alerts,
        (smtp) Attempted data header buffer overflow: 1014 chars [ ** ] and
        (ftp_telnet) FTP command parameters were malformed [ ** ], through the GUI.

        Great Works!!!

        • jamesdean

          Thanks for the nice words, Davc.
          Snort not blocking:

          I enabled ddos.rules and emerging-rbn.rules and other rules and snort is blocking.

          Please post the output of

          ps -aux | grep snort

          and

          cat /usr/local/etc/rc.d/snort.sh

          James

          • Davc

            Hi James, this is the info

            $ ps -aux | grep snort
            root  42733  0.0  2.2 98976 67396  ??  Ss  12:59AM  0:41.56 snort -c /usr/lo

            $ cat /usr/local/etc/rc.d/snort.sh
            #!/bin/sh
            # This file was automatically generated
            # by the pfSense service handler.

            rc_start() {
                # Sample free RAM before Snort starts (the command substitution
                # markers were lost when the script was pasted; restored here)
                BEFORE_MEM=$(top | grep Free | grep Wired | awk '{print $10}')
                /bin/mkdir -p /var/log/snort; /usr/bin/killall snort2c; sleep 8
                # Start Snort as a daemon on em1 with the generated config
                snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em1 -q
                # snort2c tails the alert file and adds offending IPs to the pf
                # table, skipping anything listed in the whitelist
                sleep 8; snort2c -w /var/db/whitelist -a /var/log/snort/alert
                echo "Sleeping before final memory sampling..."
                sleep 17
                AFTER_MEM=$(top | grep Free | grep Wired | awk '{print $10}')
                # TOTAL_USAGE is never assigned in this script, so the logged line
                # ends with nothing after "Snort memory usage:"
                echo "Ram free BEFORE starting Snort: ${BEFORE_MEM} -- Ram free AFTER starting Snort: ${AFTER_MEM} -- Mode ac-bnfa -- Snort memory usage: ${TOTAL_USAGE}" | logger -p daemon.info -i -t SnortStartup
            }

            rc_stop() {
                /usr/bin/killall snort; killall snort2c
            }

            case $1 in
            start)
                rc_start
                ;;
            stop)
                rc_stop
                ;;
            restart)
                rc_stop
                rc_start
                ;;
            esac

            • Davc

              In the Settings tab, I selected the following:

              Interface: Wan
              Performance: ac-bnfa
              Oinkmaster Code: 8eexxxxxxxxxxxxx
              Block Offenders: Check
              Update rules automatically: check
              Whitelist VPNs automatically: uncheck
              Convert Snort alerts urls to Clickable links: check
              Associate events on Blocked tab: check
              Sync Snort configuration to secondary cluster member: uncheck
              Install emergingthreats rules: uncheck

              • jamesdean

                @Davc: snort2c is not running.

                Make sure Block offenders is checked in the settings tab.

                Click on the save button on the Settings tab after you made sure Block offenders is checked.

                Lastly uncheck the auto update box in the settings tab.

                James

                • Davc

                  James,

                  I have checked that Block Offenders is activated in the GUI, and I have now saved the settings again.

                  This is the output:
                  $ ps -aux | grep snort
                  root    3914  0.0  1.3 85664 41344  ??  Ss    4:40AM  0:00.46 snort -c /usr/lo
                  root    4371  0.0  0.0  3356  1156  ??  S    4:44AM  0:00.00 grep snort

                  $ cat /usr/local/etc/rc.d/snort.sh
                  #!/bin/sh
                  # This file was automatically generated
                  # by the pfSense service handler.

                  rc_start() {
                      # Sample free RAM before Snort starts (the command substitution
                      # markers were lost when the script was pasted; restored here)
                      BEFORE_MEM=$(top | grep Free | grep Wired | awk '{print $10}')
                      /bin/mkdir -p /var/log/snort; /usr/bin/killall snort2c; sleep 8
                      # Start Snort as a daemon on em1 with the generated config
                      snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em1 -q
                      # snort2c tails the alert file and adds offending IPs to the pf
                      # table, skipping anything listed in the whitelist
                      sleep 8; snort2c -w /var/db/whitelist -a /var/log/snort/alert
                      echo "Sleeping before final memory sampling..."
                      sleep 17
                      AFTER_MEM=$(top | grep Free | grep Wired | awk '{print $10}')
                      # TOTAL_USAGE is never assigned in this script, so the logged line
                      # ends with nothing after "Snort memory usage:"
                      echo "Ram free BEFORE starting Snort: ${BEFORE_MEM} -- Ram free AFTER starting Snort: ${AFTER_MEM} -- Mode ac-bnfa -- Snort memory usage: ${TOTAL_USAGE}" | logger -p daemon.info -i -t SnortStartup
                  }

                  rc_stop() {
                      /usr/bin/killall snort; killall snort2c
                  }

                  case $1 in
                  start)
                      rc_start
                      ;;
                  stop)
                      rc_stop
                      ;;
                  restart)
                      rc_stop
                      rc_start
                      ;;
                  esac

                  • jamesdean

                    Davc, this is weird; all your settings are right and /usr/local/etc/rc.d/snort.sh looks good.

                    Davc, please type this at the command prompt.

                    snort2c -w /var/db/whitelist -a /var/log/snort/alert

                    then see if snort2c is running by typing this in.

                    ps -aux | grep snort

                    Lastly, check your logs for anything to do with snort2c.

                    James

                    • Davc

                      Dear James,

                      Thank you for the help. This is the output:
                      $ ps -aux | grep snort
                      root    7516  0.3  2.4 117408 73656  ??  Ss    2:04PM   0:03.72 snort -c /usr/lo
                      root    7790  0.0  0.0  3156   972  ??  Is    2:05PM   0:00.01 snort2c -w /var/
                      root    7796  0.0  0.0  3156   972  ??  Ss    2:06PM   0:00.01 snort2c -w /var/
                      root    7800  0.0  0.0  1676  1044  ??  R     2:06PM   0:00.00 grep snort

                      Furthermore, I also tried to uninstall just the GUI packages and update the rules again. But still no blocking, just alert messages; I hope this is not something to do with the bridge mode. Some say pfSense works better in NAT mode than in bridge mode.

                      This is the system log:
                      Jul 11 02:35:33 syslogd: exiting on signal 15
                      Jul 11 01:01:31 snort2c[42737]: DIOCRADDADDRS - ioctl error - exit
                      Jul 11 01:01:31 snort2c[42737]: DIOCRADDADDRS - ioctl error - exit
                      Jul 11 00:59:44 SnortStartup[42762]: Ram free BEFORE starting Snort: 112M – Ram free AFTER starting Snort: 112M -- Mode ac-bnfa -- Snort memory usage:
                      Jul 11 00:59:27 snort2c[42737]: snort2c running in daemon mode pid: 42737
                      Jul 11 00:59:27 snort2c[42737]: snort2c running in daemon mode pid: 42737
                      Jul 11 00:59:19 snort[42733]: Not Using PCAP_FRAMES
                      Jul 11 00:59:19 snort[42733]: Not Using PCAP_FRAMES
                      Jul 11 00:59:19 snort[42733]: Snort initialization completed successfully (pid=42733)
                      Jul 11 00:59:19 snort[42733]: Snort initialization completed successfully (pid=42733)

                      • jamesdean

                        Looks like snort2c and snort are running; you should now see IPs being blocked.

                        James

                        • Davc

                          Dear James,

                          Still not able to block. I did some searching and there are also reports that after updating to version 2.8.4.1 others have the same problem with blocking. Maybe this is the cause?

                          Jul 11 01:01:31    snort2c[42737]: DIOCRADDADDRS - ioctl error - exit

                          This is the post I found (without a solution):
                          http://www.mail-archive.com/support@pfsense.com/msg16831.html

                          • jamesdean

                            I have seen this before; it seems snort2c is having trouble inserting IPs into the firewall table snort2c.

                            Installed all your packages and snort2c is working on Pfsense 7.2.

                            I will do the same thing on Pfsense 7.1.

                            James

                            • Davc
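The triage James walks through above (is snort2c in the ps listing, and does the system log show it failing to write the pf table) as an added POSIX sh example; this is not code from the thread or from the pfSense package. The function names are hypothetical, the sample ps and log text is constructed from the output posted in this thread, and the live check assumes pfctl is in PATH on the pfSense box and that the pf table is named snort2c, as James says.

```sh
#!/bin/sh
# Added example, not from the thread: classify the "alerts but no blocking"
# symptom from a `ps -aux` listing and a syslog excerpt.
# Prints exactly one of: NO_SNORT, NO_SNORT2C, PF_TABLE_ERROR, OK
diagnose_snort2c() {
    ps_out="$1"
    log_out="$2"
    # Drop the `grep snort` process itself before looking at the command column.
    if ! printf '%s\n' "$ps_out" | grep -v 'grep' | grep -q ' snort -c'; then
        echo NO_SNORT; return 1
    fi
    if ! printf '%s\n' "$ps_out" | grep -v 'grep' | grep -q ' snort2c -w'; then
        echo NO_SNORT2C; return 1
    fi
    # snort2c adds offenders to the pf table with the DIOCRADDADDRS ioctl; this
    # log line means the daemon started but could not write the table, so
    # alerts are produced and nothing is ever blocked.
    if printf '%s\n' "$log_out" | grep -q 'snort2c\[.*DIOCRADDADDRS.*ioctl error'; then
        echo PF_TABLE_ERROR; return 1
    fi
    echo OK; return 0
}

# Live check, only meaningful on the firewall itself: confirm the pf table
# snort2c exists and list what it currently holds (assumes pfctl in PATH).
show_snort2c_table() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not available here"; return 2; }
    pfctl -t snort2c -T show
}

# Constructed samples, copied from the ps and log output posted in the thread.
PS_NO_SNORT2C='root    3914  0.0  1.3 85664 41344  ??  Ss    4:40AM  0:00.46 snort -c /usr/local/etc/snort/snort.conf
root    4371  0.0  0.0  3356  1156  ??  S    4:44AM  0:00.00 grep snort'
PS_BOTH='root    7516  0.3  2.4 117408 73656  ??  Ss    2:04PM   0:03.72 snort -c /usr/local/etc/snort/snort.conf
root    7790  0.0  0.0  3156   972  ??  Is    2:05PM   0:00.01 snort2c -w /var/db/whitelist -a /var/log/snort/alert
root    7800  0.0  0.0  1676  1044  ??  R     2:06PM   0:00.00 grep snort'
LOG_ERR='Jul 11 01:01:31 snort2c[42737]: DIOCRADDADDRS - ioctl error - exit
Jul 11 00:59:27 snort2c[42737]: snort2c running in daemon mode pid: 42737'
LOG_OK='Jul 11 00:59:27 snort2c[42737]: snort2c running in daemon mode pid: 42737'

# The three states seen in this thread, in the order they appeared.
diagnose_snort2c "$PS_NO_SNORT2C" "$LOG_OK" || true   # NO_SNORT2C
diagnose_snort2c "$PS_BOTH" "$LOG_ERR" || true        # PF_TABLE_ERROR
diagnose_snort2c "$PS_BOTH" "$LOG_OK" || true         # OK
```

On a live box, feed it `"$(ps -aux)"` and `"$(tail -n 200 /var/log/system.log)"` and follow up a PF_TABLE_ERROR result with show_snort2c_table to confirm whether the table exists at all.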

                              OK, I can try to upgrade to pfSense 7.2 and check.

                              • matrix200

                                Thanks for the great update to 1.4, James, but there are some strange issues.
                                First, all dynamic rules had a wrong path for me and Snort was refusing to start until I manually changed them to be /usr/local/lib/snort/dynamic (the original was /usr/local/lib/snort_dynamic).
                                Then I went ahead and downloaded the new rules because the upgrade from 1.3 to 1.4 deleted the rules (why?).
                                Afterwards snort started but ate 80% of my RAM (256 MB on alix2c2).
                                I rebooted the box and got into some kind of crash loop (snort would start up, work for a few seconds, shut down and start again).
                                I had to manually stop the service.
                                Afterwards I changed the memory consumption method to ac-sparsebands and started the service from the Services tab, and it started working properly (memory consumption is about 58-60%, which is what it used to be with the previous version).
                                Interestingly enough, I don't see any evidence of the crashes in the logs.
                                I assume those were crashes because you would see snort starting and reaching the point where it detaches itself from the console, and in a few seconds it would start all over again.

                                One more thing :
                                Contrary to what my signature says I am running 1.2.3RC2 (july 12th snapshot) full version.
                                All the other info in signature is correct :)

                                What could be the problem?

                                Current network "hardware" :
                                Running 2.2RC in Virtualbox 4.2.16.

                                Retired:
                                ALIX2C2 , 4 gigabyte disk cf card running 2.0 (official release).

                                • Davc

                                  I am now running the following, still only alert messages and no blocking.

                                  1.2.3-RC2
                                  built on Tue Jul 14 06:55:51 EDT 2009
                                  FreeBSD 7.2-RELEASE-p2 i386

                                  • jamesdean

                                    Hey matrix200

                                    Here are the rule directories that I use in the snort package.
                                    Sounds like something is going on with your snort.conf.

                                    #Configure dynamic loaded libraries
                                    dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
                                    dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
                                    dynamicdetection directory /usr/local/lib/snort/dynamicrules/

                                    Make sure your Performance option is at ac-bnfa or lowmem.

                                    Make sure you watch how many rules you load because of the ALIX low memory specs.

                                    James

                                    • jamesdean

                                      Davc

                                      Did you do a fresh install or an update?

                                      • Davc

                                        James,

                                        I use the snapshot update: System>Firmware>autoupdate.

                                        We have another pfSense box which runs 1.2.2 FreeBSD 7.0-RELEASE-p8 i386 and is working perfectly with the Snort package :D.

                                        So, your suggestion is to do a fresh install of 1.2.3-RC2 FreeBSD 7.2-RELEASE-p2 i386.

                                        Davc

                                        • jamesdean

                                          Great to hear snort is working for you on one of your boxes.

                                          Ya, do a fresh install and tell me how that goes.

                                          James

                                          • matrix200

                                            James, yeah, I think you are right.
                                            It might have been that I had a snort.conf from some other place (not sure, but I could have overwritten the original file with one from a certain rules snapshot).
                                            Thankfully your latest version has update working, so I don't have to do that manually :)
                                            So far (since the last report) snort is working fine.

                                            Current network "hardware" :
                                            Running 2.2RC in Virtualbox 4.2.16.

                                            Retired:
                                            ALIX2C2 , 4 gigabyte disk cf card running 2.0 (official release).
