    Just Update to Services: Snort 2.8.4.1 pkg v. 1.4 (But Snort has no blocking)

    Davc:

      OK, I can try to upgrade to pfSense 7.2 and check.

      matrix200:

        Thanks for the great update to 1.4, James, but there are some strange issues.
        First, all dynamic rules had a wrong path for me, and Snort was refusing to start until I manually changed them to /usr/local/lib/snort/dynamic (the original was /usr/local/lib/snort_dynamic).
        Then I went ahead and downloaded the new rules, because the upgrade from 1.3 to 1.4 deleted the rules (why?).
        Afterwards Snort started but ate 80% of my RAM (256 MB on an ALIX2C2).
        I rebooted the box and got into some kind of crash loop (Snort would start up, work for a few seconds, shut down and start again).
        I had to manually stop the service.
        Afterwards I changed the memory consumption method to ac-sparsebands and started the service from the Services tab, and it started working properly (memory consumption is about 58-60%, which is what it used to be with the previous version).
        Interestingly enough, I don't see any evidence of the crashes in the logs.
        I assume those were crashes because you would see Snort starting and reaching the point where it detaches itself from the console, and in a few seconds it would start all over again.

        One more thing:
        Contrary to what my signature says, I am running 1.2.3RC2 (July 12th snapshot) full version.
        All the other info in the signature is correct :)

        What could be the problem?

        Current network "hardware" :
        Running 2.2RC in Virtualbox 4.2.16.

        Retired:
        ALIX2C2 , 4 gigabyte disk cf card running 2.0 (official release).

        Davc:

          I am now running the following; still only alert messages and no blocking.

          1.2.3-RC2
          built on Tue Jul 14 06:55:51 EDT 2009
          FreeBSD 7.2-RELEASE-p2 i386

          jamesdean:

            @matrix200:

            Thanks for the great update to 1.4, James, but there are some strange issues.
            First, all dynamic rules had a wrong path for me, and Snort was refusing to start until I manually changed them to /usr/local/lib/snort/dynamic (the original was /usr/local/lib/snort_dynamic).
            Then I went ahead and downloaded the new rules, because the upgrade from 1.3 to 1.4 deleted the rules (why?).
            Afterwards Snort started but ate 80% of my RAM (256 MB on an ALIX2C2).
            I rebooted the box and got into some kind of crash loop (Snort would start up, work for a few seconds, shut down and start again).
            I had to manually stop the service.
            Afterwards I changed the memory consumption method to ac-sparsebands and started the service from the Services tab, and it started working properly (memory consumption is about 58-60%, which is what it used to be with the previous version).
            Interestingly enough, I don't see any evidence of the crashes in the logs.
            I assume those were crashes because you would see Snort starting and reaching the point where it detaches itself from the console, and in a few seconds it would start all over again.

            One more thing:
            Contrary to what my signature says, I am running 1.2.3RC2 (July 12th snapshot) full version.
            All the other info in the signature is correct :)

            What could be the problem?

            Hey matrix200,

            Here are the rule directories that I use in the snort package.
            Sounds like something is going on with your snort.conf.

            #Configure dynamic loaded libraries
            dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
            dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
            dynamicdetection directory /usr/local/lib/snort/dynamicrules/

            Make sure your Performance option is set to ac-bnfa or lowmem.

            Make sure you watch how many rules you load, because of the ALIX's low memory specs.

            James

            jamesdean:

              @Davc:

              I am now running the following; still only alert messages and no blocking.

              1.2.3-RC2
              built on Tue Jul 14 06:55:51 EDT 2009
              FreeBSD 7.2-RELEASE-p2 i386

              Davc,

              Did you do a fresh install or an update?

              Davc:

                James,

                I use the snapshot update: System > Firmware > Auto Update.

                We have another pfSense box which runs 1.2.2 FreeBSD 7.0-RELEASE-p8 i386 and is working perfectly with the Snort packages :D.

                So, your suggestion is to do a fresh install on the 1.2.3-RC2 FreeBSD 7.2-RELEASE-p2 i386.

                Davc

                jamesdean:

                  @Davc:

                  James,

                  I use the snapshot update: System > Firmware > Auto Update.

                  We have another pfSense box which runs 1.2.2 FreeBSD 7.0-RELEASE-p8 i386 and is working perfectly with the Snort packages :D.

                  So, your suggestion is to do a fresh install on the 1.2.3-RC2 FreeBSD 7.2-RELEASE-p2 i386.

                  Davc

                  Great to hear Snort is working for you on one of your boxes.

                  Yeah, do a fresh install and tell me how that goes.

                  James

                  matrix200:

                    James, yeah, I think you are right.
                    It might have been that I had a snort.conf from some other place (not sure, but I could have overwritten the original file with one from a certain rules snapshot).
                    Thankfully your latest version has update working, so I don't have to do that manually :)
                    So far (since the last report) Snort is working fine.

                    Current network "hardware" :
                    Running 2.2RC in Virtualbox 4.2.16.

                    Retired:
                    ALIX2C2 , 4 gigabyte disk cf card running 2.0 (official release).

                    Davc:

                      OK... these are the results I had... very frustrated. I upgraded the 1.2.2 to 1.2.3 and the whole pf box crashed. OK... it may not be a problem of Snort... but it is the update snapshot.

                      For 1.2.3 RC1 & RC2, Snort only shows alerts but is unable to block.

                      I spent the last 3 days installing / uninstalling the packages... fresh-installed the whole box a few times... then got stuck at extracting rules (which I previously did not have problems with)... so... I now have 2 very broken pf boxes. :-\

                      By the way... 1.2.2 does not have this error on my box: snort2c[42737]: DIOCRADDADDRS - ioctl error - exit

                      But it happens in 1.2.3 RC1 & RC2. It must be something to do with FreeBSD.

                      jamesdean:

                        @Davc:

                        OK... these are the results I had... very frustrated. I upgraded the 1.2.2 to 1.2.3 and the whole pf box crashed. OK... it may not be a problem of Snort... but it is the update snapshot.

                        For 1.2.3 RC1 & RC2, Snort only shows alerts but is unable to block.

                        I spent the last 3 days installing / uninstalling the packages... fresh-installed the whole box a few times... then got stuck at extracting rules (which I previously did not have problems with)... so... I now have 2 very broken pf boxes. :-\

                        By the way... 1.2.2 does not have this error on my box: snort2c[42737]: DIOCRADDADDRS - ioctl error - exit

                        But it happens in 1.2.3 RC1 & RC2. It must be something to do with FreeBSD.

                        I wish I were near your computer systems so I could troubleshoot your problems.

                        I am going to remove snort2c and add spoink, which is snort2c built into the snort binary, today.

                        James

                        Davc:

                          James,

                          Truly, thanks for your great support. ;)

                          Today I made another fresh install, downloaded the ISO from the German mirror site, and Snort is now working properly for both alerting and blocking.

                          This is the version I now have installed:
                          1.2.3-RC1
                          built on Wed Apr 22 15:36:34 EDT 2009
                          FreeBSD 7.1-RELEASE-p5 i386

                          However, during the restore process I noticed there were fwrite error messages on the screen indicating issues with the Pack_utitles files. Although at the end it did not show the error messages again. Not sure whether there is something for the development team to look at there. The error line is somewhere around 6xx.

                          By the way, a small suggestion. It would be nice to know the exact version to download, because I think there are version differences between the mirror sites.

                          Hostmaster:

                            Fresh install of 1.2.3 RC1 (which is the latest, yes?). I see people using 1.2.3 RC2, but can't find it anywhere.

                            Fresh install of Snort, and enabling outgoing rules, such as policy.rules / SMTP relaying denied.

                            This is what comes up in the alert file:
                            09/03-11:02:19.771744 [**] [1:10001:2] POLICY SMTP 550 Relaying denied [**] [Classification: Misc Attack] [Priority: 2] {TCP} 194.29.119.17:25 -> 193.183.18.10:55949

                            But the destination IP does not pop up in the block list, and yes, "block on alert" is checked.

                            But you guys are removing snort2c to replace it with other stuff that hopefully will work better, yes?
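As an added example (not code from this thread, from snort2c or from the pfSense package), the following Python models what an alert-file blocker such as snort2c has to do with the alert_fast line quoted above: parse each line, pick the address to block, and skip anything on the whitelist. By default it blocks only the source address, which matches the behaviour reported here (the destination never showing up in the block list); the block_dst switch, the whitelist file format and the second and third sample alerts are assumptions made for the example.

```python
import ipaddress
import re

# Snort "alert_fast" line, the format written to /var/log/snort/alert (the file snort2c -a
# reads). Whitespace inside brackets is tolerated because forum posts render "[**]" as "[ ** ]".
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\s*\*\*\s*\]\s+"
    r"\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s+(?P<msg>.+?)\s+\[\s*\*\*\s*\]\s+"
    r"(?:\[\s*Classification:\s*(?P<cls>[^\]]*?)\s*\]\s+)?"
    r"\[\s*Priority:\s*(?P<prio>\d+)\s*\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert file: line 1 is the alert quoted in this thread, lines 2 and 3 are made up
SAMPLE_ALERTS = """\
09/03-11:02:19.771744 [**] [1:10001:2] POLICY SMTP 550 Relaying denied [**] [Classification: Misc Attack] [Priority: 2] {TCP} 194.29.119.17:25 -> 193.183.18.10:55949
09/03-11:05:02.000001 [**] [1:1000001:1] LOCAL constructed inbound test [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.99:44321 -> 193.183.18.10:22
09/03-11:09:40.123456 [**] [1:1000002:1] LOCAL constructed outbound test [**] [Priority: 3] {TCP} 193.183.18.10:51000 -> 198.51.100.5:80
"""
# Constructed whitelist: one address or CIDR per line, '#' comments allowed (assumed format)
SAMPLE_WHITELIST = "193.183.18.0/24  # LAN side, constructed sample\n"

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def load_whitelist(text):
    """Parse whitelist text into ip_network objects, ignoring blank lines and comments."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_whitelisted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def addresses_to_block(alert_text, nets, block_dst=False):
    """Model of an alert-file blocker: collect the source address of every parsed alert
    (and the destination too when block_dst is set), skipping whitelisted addresses.
    Returns the sorted list of addresses that would be pushed into the pf table."""
    to_block = set()
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # unparseable line: log it rather than block on it
        for addr in [a["src"]] + ([a["dst"]] if block_dst else []):
            if not is_whitelisted(addr, nets):
                to_block.add(addr)
    return sorted(to_block, key=ipaddress.ip_address)
```

Without block_dst the outbound alert on line 3 produces no block entry at all, since its source is the whitelisted LAN host; with it, only the external side of that alert is added, which is the guard that keeps a local address from blocking itself.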

                            Hostmaster:

                              pfSense 1.2.3 RC1, BSD 7.1. Fresh install.
                              snort 2.8.4.1

                              ps -aux | grep snort

                              root    8579  0.0 14.0 82176 34816  ??  Ss  11:00AM  0:00.65 snort -c /usr/lo
                              root    8583  0.0  0.4  3156  992  ??  Is  11:00AM  0:00.00 snort2c -w /var/
                              root    9272  0.0  0.1  376  256  p0  R+  11:07AM  0:00.00 grep snort

                              cat /usr/local/etc/rc.d/snort.sh

                              #!/bin/sh
                              # This file was automatically generated
                              # by the pfSense service handler.

                              rc_start() {
                                      # Sample free memory before Snort starts (command substitution restored)
                                      BEFORE_MEM=`top | grep Free | grep Wired | awk '{print $10}'`
                                      /bin/mkdir -p /var/log/snort
                                      /usr/bin/killall snort2c
                                      sleep 8
                                      snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i le1 -q

                                      sleep 8
                                      # snort2c tails the alert file and inserts offending addresses into pf, honouring the whitelist
                                      snort2c -w /var/db/whitelist -a /var/log/snort/alert

                                      echo "Sleeping before final memory sampling..."
                                      sleep 17
                                      AFTER_MEM=`top | grep Free | grep Wired | awk '{print $10}'`

                                      # Difference between the two samples; top prints sizes with a unit suffix (e.g. 123M),
                                      # which is stripped so the shell can subtract (assumes both samples use the same unit)
                                      TOTAL_USAGE=$(( ${BEFORE_MEM%[KMG]} - ${AFTER_MEM%[KMG]} ))

                                      echo "Ram free BEFORE starting Snort: ${BEFORE_MEM} -- Ram free AFTER starting Snort: ${AFTER_MEM} -- Mode ac -- Snort memory usage: ${TOTAL_USAGE}" | logger -p daemon.info -i -t SnortStartup
                              }

                              rc_stop() {
                                      /usr/bin/killall snort; killall snort2c
                              }

                              case $1 in
                                      start)
                                              rc_start
                                              ;;
                                      stop)
                                              rc_stop
                                              ;;
                                      restart)
                                              rc_stop
                                              rc_start
                                              ;;
                              esac

                              jamesdean:

                                Hi Hostmaster,

                                I just moved us from snort2c to spoink.

                                Spoink is an output plugin built into Snort.

                                Let me contact the pfSense core team so they can rebuild the snort package.

                                James

                                serialdie:

                                  @jamesdean:

                                  Hi Hostmaster,

                                  I just moved us from snort2c to spoink.

                                  Spoink is an output plugin built into Snort.

                                  Let me contact the pfSense core team so they can rebuild the snort package.

                                  James

                                  James,

                                  I just saw an update but I didn't see a change at all...

                                  When I do ps aux|grep snort I get

                                  snort2c -w /var/db/whitelist -a /var/log/snort/alert

                                  Did the commit for the new snort pkg go through?

                                  Thank you!

                                  jamesdean:

                                    Don't worry about it.

                                    I removed snort2c and now we're using spoink. Spoink is an output plugin coded into Snort.
                                    The core team of pfSense is building Snort again. As soon as they build Snort again I will update the code tonight.
                                    I'm also going to add barnyard2 tonight, crossing fingers.

                                    Moreover, I'm testing snort-inline and all is going well.

                                    We will never have to worry about startup issues again.

                                    James

                                    Hostmaster:

                                      Hello,

                                      Is this new snort package complete?

                                      jamesdean:

                                        ;D Most of the coding is complete.
                                        Check tomorrow morning...

                                        Snort2c is removed. Hopefully we will never have to see start-up issues again.

                                        Sending the updated binaries to the core-team as we speak.
                                        Crossing fingers.

                                        James

                                        Hostmaster:

                                          Neat!

                                          Will this also block destination IP addresses that pop up in the Snort alert log?

                                          Hostmaster:

                                            Reviving post:

                                            Will this also block destination IP addresses that pop up in the Snort alert log?

                                            My test of snort-inline does not block destination addresses. When will there be a fix for this?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.