Snort 2.8.4.1 pkg v. 1.5 blocking hosts even if blocking not set
-
I'll fix it, I see the problem.
-
Fix should be in now. :)
Haven't seen you posting in a while, jamesdean, it's good to see you back around!
-
Thanx for the nice words jimp
Heres my fix.
$start .= "sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert\n";
But, your code may work better.
Im removing snort2c tonight and replacing it with http://spoink.sourceforge.net/.
Im going to modify the code a little though.
james
-
Using ; to pipeline the commands didn't work out too well.
For whatever reason it was causing certain commands to not start or be ignored. It led to snort2c not starting on bootup, due to packages being initialized twice (a more general pfSense problem not specific to snort)
See this redmine entry:
http://redmine.pfsense.org/issues/show/53It's an issue that needs addressed in pfSense itself and not necessarily in the snort package, at least any more than I've already done, until a fix is made for the larger issue.
The changes I made to the snort package allowed it to more gracefully handle being started twice concurrently. Not as pretty as a real fix, but it did fix the other issue for people who reported it at the time.
-
jimp, if you could add the patches that you stated (http://redmine.pfsense.org/issues/show/53) to the mainline ASAP that would be great.
James
-
Hi jimp, jamesdean,
Thanks for all your work. I will gladly offer my time to test the new snort package once the fix is in. Just tell me when the new version is available at the snort packages page and I will install it ASAP and test it.
-
Jimp fixed the said issue an hour ago. So, you can reinstall the package now if you want.
James
-
Hi James,
Yup, saw it already. I'll install it now and give you guys feedback about it later.
sicnarf
-
Hi james,
Downloaded the new package (Its still Snort 2.8.4.1 pkg v. 1.5 but the package installer says 2.8.4.1_2), installed it and now it works. Thanks for all the hard work in this. I and a lot of other snort pfsense package users out there will really benefit from this fix. So much for the auto-blocking, now I have to troubleshoot the CIDR problem i'm having on my other post.
Thanks to jimp too. :)
sicnarf
-
jimp, if you could add the patches that you stated (http://redmine.pfsense.org/issues/show/53) to the mainline ASAP that would be great.
I need to work on it a bit more, I'm not sure that is the best way to fix the core issue. It may be, though. If I can't come up with a better solution in a few days I will commit that to 2.0.
-
This brings up another question: How do you implement Snort2c if one wanted to go that route? I don't see any reference to it on the settings page in Snort.
But thanks for the fix. Snort2c was blocking everything and I found myself having to whitelist everything under the sun.
-
The Block offenders option on the setting tab.
james
