Netgate Discussion Forum

    Snort 2.8.4.1 pkg v. 1.5 blocking hosts even if blocking not set

      sicnarf

      Hi,

      screece, jimp is right, your issue is different from mine but I do get this type of alert also. This is only a minor problem though, my main problem is on the topic above.

      Regardless, to answer your question about how many rules I'm running, I run almost all rules except those recommended by jamesdean to be turned off. It's a pretty powerful box, Intel server SR1530HSH with 4GB DDR2 RAM, quad core processor at 2.13GHz and 2x250GB SATA hard drives in RAID 1 configuration. It's our ISP gateway router and firewall machine, handling about 25Mbps of bandwidth. I tried full rules before, it consumed about 50% of memory and 30% CPU.

      sicnarf

        jamesdean

        jim-p made some changes to the snort package and as a result snort2c is starting without permission.
        I'll fix it tonight...
        jim-p is a way better coder than me so it's not his fault.

        james

          jimp Rebel Alliance Developer Netgate

          I'll fix it, I see the problem.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            jimp Rebel Alliance Developer Netgate

            Fix should be in now. :)

            Haven't seen you posting in a while, jamesdean, it's good to see you back around!

              jamesdean

              Thanks for the nice words, jimp.

              Here's my fix.

              $start .= "sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert\n";

              But, your code may work better.

              I'm removing snort2c tonight and replacing it with http://spoink.sourceforge.net/.

              I'm going to modify the code a little though.

              james

                jimp Rebel Alliance Developer Netgate

                Using ; to pipeline the commands didn't work out too well.

                For whatever reason it was causing certain commands to not start or be ignored. It led to snort2c not starting on bootup, due to packages being initialized twice (a more general pfSense problem not specific to snort).

                See this redmine entry:
                http://redmine.pfsense.org/issues/show/53

                It's an issue that needs addressed in pfSense itself and not necessarily in the snort package, at least any more than I've already done, until a fix is made for the larger issue.

                The changes I made to the snort package allowed it to more gracefully handle being started twice concurrently. Not as pretty as a real fix, but it did fix the other issue for people who reported it at the time.

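Added example, not part of any post in this thread and not the pfSense snort package's code: one way a startup script can tolerate being initialized twice concurrently and launch the blocker only when blocking is enabled. `LOCKDIR`, `PIDFILE`, `BLOCK_ENABLED` and `LAUNCH` are hypothetical names, and the sketch assumes the launched command does not fork away from the PID the shell records; the snort2c arguments are the ones quoted in the thread.

```shell
#!/bin/sh
# Added illustration, not the pfSense snort package's code.
# LOCKDIR, PIDFILE, BLOCK_ENABLED and LAUNCH are hypothetical names.
LOCKDIR="${LOCKDIR:-/var/run/snort2c_start.lock}"
PIDFILE="${PIDFILE:-/var/run/snort2c_guard.pid}"
BLOCK_ENABLED="${BLOCK_ENABLED:-off}"   # stands in for the "Block offenders" setting
# Blocker command line as quoted in the thread.
LAUNCH="${LAUNCH:-snort2c -w /var/db/whitelist -a /var/log/snort/alert}"

# Returns: 0 launched, 1 blocking disabled, 2 another start in progress,
#          3 blocker already running.
start_blocker() {
    # Blocking is opt-in: without the setting, the blocker never starts.
    [ "$BLOCK_ENABLED" = "on" ] || return 1

    # mkdir is atomic, so only one of two concurrent initializations wins.
    mkdir "$LOCKDIR" 2>/dev/null || return 2

    # Inside the lock: skip the launch if a recorded instance is still alive.
    pid=$(cat "$PIDFILE" 2>/dev/null || true)
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        rmdir "$LOCKDIR"
        return 3
    fi

    # Assumption: the command keeps the PID the shell reports in $!.
    $LAUNCH >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE"
    rmdir "$LOCKDIR"
    return 0
}
```
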
                  jamesdean

                  jimp, if you could add the patches that you stated (http://redmine.pfsense.org/issues/show/53) to the mainline ASAP that would be great.

                  James

                    sicnarf

                    Hi jimp, jamesdean,

                    Thanks for all your work. I will gladly offer my time to test the new snort package once the fix is in. Just tell me when the new version is available at the snort packages page and I will install it ASAP and test it.

                      jamesdean

                      Jimp fixed the said issue an hour ago. So, you can reinstall the package now if you want.

                      James

                        sicnarf

                        Hi James,

                        Yup, saw it already. I'll install it now and give you guys feedback about it later.

                        sicnarf

                          sicnarf

                          Hi james,

                          Downloaded the new package (It's still Snort 2.8.4.1 pkg v. 1.5 but the package installer says 2.8.4.1_2), installed it and now it works. Thanks for all the hard work in this. I and a lot of other snort pfSense package users out there will really benefit from this fix. So much for the auto-blocking, now I have to troubleshoot the CIDR problem I'm having on my other post.

                          Thanks to jimp too. :)

                          sicnarf

                            jimp Rebel Alliance Developer Netgate

                            @jamesdean:

                            jimp, if you could add the patches that you stated (http://redmine.pfsense.org/issues/show/53) to the mainline ASAP that would be great.

                            I need to work on it a bit more, I'm not sure that is the best way to fix the core issue. It may be, though. If I can't come up with a better solution in a few days I will commit that to 2.0.

                              Roodawakening

                              This brings up another question: How do you implement Snort2c if one wanted to go that route? I don't see any reference to it on the settings page in Snort.

                              But thanks for the fix. Snort2c was blocking everything and I found myself having to whitelist everything under the sun.

                              "The descent to hell is easy. The gates stand open day and night. But to reclimb the slope and escape to the upper air: This is labor."
                              –Virgil, Aeneid, Book 6

                              Rob

                                jamesdean

                                The Block offenders option on the setting tab.

                                james

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.