Netgate Discussion Forum
    Snort package will be Under Heavy Development this labor day weekend.

    pfSense Packages

    jamesdean

      Make sure you deinstall snort before installing snort-dev.

      Hostmaster

      Update your rules before starting the snort-dev package. If you did update the rules you may need a reboot.

      Blocking both source and destination will be added later. I have to add an option that disables whitelisting of home networks and I have
      to add custom C++ code. It's on my list of things to do, please be patient.

      keeper

      Update your rules and do a reboot.

      Roodawakening

      Barnyard2 is already installed.

      Barnyard only supports logging to mysql, but I will add logging to

      odbc
      postgresql
      mssql
      oracle

      Common Event Format (CEF)
      prelude: log to the Prelude Hybrid IDS system
      sguil

      Should be very easy.

      Make sure these are enabled in the Advanced tab.

      Enable Barnyard2.
      Barnyard2 Log Mysql Database.
      Log Alerts to a snort unified file.

      Roodawakening

        I appreciate your efforts. We all do, I'm sure.

        "The descent to hell is easy. The gates stand open day and night. But to reclimb the slope and escape to the upper air: This is labor."
        –Virgil, Aeneid, Book 6

        Rob

        jamesdean

          NP, doing what I can when I have free time.

          James

          keeper 0

            Thanks sir for the hard work  :) :)

            More power to your team.

            jamesdean

              I've been asked by the pfSense core team not to touch the snort package and to make a separate package called Snort-dev
              until we are sure my changes have not broken the package.

              De-install the snort package and install the snort-dev package if you want to see my changes.

              Changes.

              Replace Snort2c with spoink (done)…

              Replace snort's mysql output with barnyard2 (done)...

              Add GUI changes for spoink and barnyard2 (done)…

              Add oinkmaster perl files. (done)…

              Fix the double start-up issues during boot-up. (done)…

              Add autogen of sid-msg.map. (work started...)

              Add auto block time adjustments. (work started...)

              Add auto rule updates. (work not started)

              Add tracking of rule file changes after rule upgrades. (work started...) (High priority for me)

              Add AJAX to the Snort GUI to improve performance and add more sub-menus.

              James

                Hostmaster

                Nice. Installing snort-dev now.

                  Hostmaster

                  Not sure if it's supposed to error on this, but here is my system log output:
                  I think these go away after a rules update. [update] - Yes, they do vanish after a snort rule update.
                  And the double / in the path is cute :P

                  pfsense 1.2.3 RC1
                  snort-dev

                  Sep 8 15:01:29 SnortStartup[44697]: Ram free BEFORE starting Snort: 34M – Ram free AFTER starting Snort: 34M -- Mode ac -- Snort memory usage:
                  Sep 8 15:01:12 snort[44676]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.
                  Sep 8 15:01:12 snort[44676]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.
                  Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
                  Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so…
                  Sep 8 15:01:12 snort[44676]: Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/…
                  Sep 8 15:01:12 snort[44676]: Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/…
                  Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/
                  Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so…
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: done
                  Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-misc.so…
                  Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-misc.so…
                  Sep 8 15:01:12 snort[44676]: done

                    Hostmaster

                    Outgoing data rules test:

                    Used rule: policy.smtp_relay. Matches "relaying denied" RESPONSE data, and the receiver (remote) should be blocked.

                    Log:
                    09/08-15:08:55.559440 [ ** ] [ 1:10001:2 ] POLICY SMTP 550 Relaying denied [ ** ] [ Classification: Misc Attack ] [ Priority: 2 ] {TCP} 194.29.119.17:25 -> 193.183.18.10:7809

                    Nothing pops up in the BLOCK tab though. So it is still only checking the source IP, instead of both.

                    Services: Snort 2.8.4.1_1 pkg v. 1.6 Beta

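As an added example (not code from the thread, the snort-dev package or its blocker), here is how the "block both source and destination, but whitelist home networks" logic James describes in his first post would decide what to block for the alert_fast line Hostmaster quotes above. The home network is a constructed assumption, since the thread never states it; the parser tolerates the space-padded brackets the forum rendering produced.

```python
import ipaddress
import re
from dataclasses import dataclass

# Snort alert_fast line as pasted in the thread; the forum padded the brackets
# with spaces ("[ ** ]"), so the pattern tolerates optional whitespace there.
ALERT_RE = re.compile(
    r"^\S+\s+\[\s*\*\*\s*\]\s+\[\s*\d+:(?P<sid>\d+):\d+\s*\]\s+"
    r"(?P<msg>.*?)\s+\[\s*\*\*\s*\]\s+"
    r"(?:\[\s*Classification:[^\]]*\]\s+)?(?:\[\s*Priority:\s*\d+\s*\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# The alert line quoted in Hostmaster's post.
SAMPLE_ALERT = ("09/08-15:08:55.559440 [ ** ] [ 1:10001:2 ] POLICY SMTP 550 Relaying denied "
                "[ ** ] [ Classification: Misc Attack ] [ Priority: 2 ] {TCP} 194.29.119.17:25 -> 193.183.18.10:7809")

# Constructed assumption: the thread never states the poster's home network, so the
# destination's /24 stands in for the local nets a blocker would whitelist.
HOME_NETS = ["193.183.18.0/24"]

@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    dst: str

def parse_alert(line):
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"])

def block_candidates(alert, home_nets, block_both=True, whitelist_home=True):
    """IPs the blocker would push to the firewall table, src first then dst.
    block_both=False is the source-only behaviour Hostmaster observed; whitelist_home=False
    is the 'disable whitelisting of home networks' option James mentions."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    out = []
    for a in ([alert.src, alert.dst] if block_both else [alert.src]):
        if whitelist_home and any(ipaddress.ip_address(a) in n for n in nets):
            continue  # never block our own networks unless the operator opts in
        if a not in out:
            out.append(a)
    return out
```

With the whitelist on, only the remote 194.29.119.17 is a candidate; turning it off also puts the local 193.183.18.10 on the list, which is why the option needs to be explicit.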
                      keeper 0

                      I also have an error from Snort-dev.

                      Here are the system logs:

                      Sep 8 21:16:35 SnortStartup[4782]: Ram free BEFORE starting Snort: 56M – Ram free AFTER starting Snort: 56M -- Mode ac-sparsebands -- Snort memory usage:
                      Sep 8 21:16:17 snort[4758]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules
                      Sep 8 21:16:17 snort[4758]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules
                      Sep 8 21:16:17 snort[4758]: alert_multiple_requests: ACTIVE
                      Sep 8 21:16:17 snort[4758]: alert_multiple_requests: ACTIVE
                      Sep 8 21:16:17 snort[4758]: alert_incomplete: ACTIVE
                      Sep 8 21:16:17 snort[4758]: alert_incomplete: ACTIVE
                      Sep 8 21:16:17 snort[4758]: alert_large_fragments: ACTIVE
                      Sep 8 21:16:17 snort[4758]: alert_large_fragments: ACTIVE
                      Sep 8 21:16:17 snort[4758]: alert_fragments: INACTIVE
                      Sep 8 21:16:17 snort[4758]: alert_fragments: INACTIVE
                      Sep 8 21:16:17 snort[4758]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
                      Sep 8 21:16:17 snort[4758]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
                      Sep 8 21:16:17 snort[4758]: rpc_decode arguments:
                      Sep 8 21:16:17 snort[4758]: rpc_decode arguments:
                      Sep 8 21:16:17 snort[4758]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
                      Sep 8 21:16:17 snort[4758]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
                      Sep 8 21:16:17 snort[4758]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
                      Sep 8 21:16:17 snort[4758]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
                      Sep 8 21:16:17 snort[4758]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
                      Sep 8 21:16:17 snort[4758]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
                      Sep 8 21:16:17 snort[4758]: IIS Delimiter: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: IIS Delimiter: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Apache WhiteSpace: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Apache WhiteSpace: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Web Root Traversal: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Web Root Traversal: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Directory Traversal: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Directory Traversal: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: IIS Backslash: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: IIS Backslash: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Multiple Slash: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Multiple Slash: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: IIS Unicode: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: IIS Unicode: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: UTF 8: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: UTF 8: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Base36: OFF
                      Sep 8 21:16:17 snort[4758]: Base36: OFF
                      Sep 8 21:16:17 snort[4758]: Bare Byte: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Bare Byte: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: %U Encoding: YES alert: YES
                      Sep 8 21:16:17 snort[4758]: %U Encoding: YES alert: YES
                      Sep 8 21:16:17 snort[4758]: Double Decoding: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Double Decoding: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Ascii: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Ascii: YES alert: NO
                      Sep 8 21:16:17 snort[4758]: Normalize HTTP Cookies: NO
                      Sep 8 21:16:17 snort[4758]: Normalize HTTP Cookies: NO
                      Sep 8 21:16:17 snort[4758]: Normalize HTTP Headers: NO

                        Roodawakening

                        Thanks, James, for working on this.

                        Now another question: If we enable Barnyard2, do we have to manually download Barnyard2 or is there a package already available for pfSense? I went to http://www.securixlive.com/barnyard2/docs/manual.php to read up on how Barnyard2 works but I'm going to have to experiment with it and don't know where to start.

                        "The descent to hell is easy. The gates stand open day and night. But to reclimb the slope and escape to the upper air: This is labor."
                        –Virgil, Aeneid, Book 6

                        Rob

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.