Just Update to Services: Snort 2.8.4.1 pkg v. 1.4 (But Snort has no blocking)
-
James,
Truly thanks for your great support. ;)
Today I make another fresh install and download the iso from the Germany Mirror site and snort now working properly in the Alert and blocking.
This is the version i now installed:
1.2.3-RC1
built on Wed Apr 22 15:36:34 EDT 2009
FreeBSD 7.1-RELEASE-p5 i386However, during the restore process I noticed there are fwrite error messages on the screen indicating issues the Pack_utitles files. Although at the end, it did not show the error messages again. Not sure there are something the development team to look at there. The error line is somewhere on 6xx .
By the way, a small suggestion. It will be nice to know the exact version to download. Coz I think there are version difference between the mirror sites.
-
Fresh install of 1.2.3 RC1 (which is the latest yes?) I see people using 1.2.3 RC2, but cant find it anywhere.
fresh install snort, and enabling outgoing rules, such as policy.rules / smpt relaying denied.
This is what comes up in the alert file:
09/03-11:02:19.771744 [ ** ] [ 1:10001:2 ] POLICY SMTP 550 Relaying denied [ ** ] [ Classification: Misc Attack ] [ Priority: 2 ] {TCP} 194.29.119.17:25 -> 193.183.18.10:55949But the dest IP does not pop up in the block list, and yes "block on alert" is checked.
But you guys are removing snort2c to replace with other stuff, that hopefully will work better, yes?
-
pfsense 1.2.3 RC1, BSD 7.1. Fresh install.
snort 2.8.4.1ps -aux | grep snort
root 8579 0.0 14.0 82176 34816 ?? Ss 11:00AM 0:00.65 snort -c /usr/lo
root 8583 0.0 0.4 3156 992 ?? Is 11:00AM 0:00.00 snort2c -w /var/
root 9272 0.0 0.1 376 256 p0 R+ 11:07AM 0:00.00 grep snortcat /usr/local/etc/rc.d/snort.sh
#!/bin/sh
This file was automatically generated
by the pfSense service handler.
rc_start() {
BEFORE_MEM=
top | grep Free | grep Wired | awk '{print $10}'
/bin/mkdir -p /var/log/snort
/usr/bin/killall snort2c
sleep 8
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i le1 -qsleep 8
snort2c -w /var/db/whitelist -a /var/log/snort/alertecho "Sleeping before final memory sampling…"
sleep 17
AFTER_MEM=top | grep Free | grep Wired | awk '{print $10}'
echo "Ram free BEFORE starting Snort: ${BEFORE_MEM} -- Ram free AFTER starting Snort: ${AFTER_MEM}" -- Mode ac -- Snort memory usage: $TOTAL_USAGE | logger -p daemon.info -i -t SnortStartup
}
rc_stop() {
/usr/bin/killall snort; killall snort2c
}case $1 in
start)
rc_start
;;
stop)
rc_stop
;;
restart)
rc_stop
rc_start
;;
esac -
Hi Hostmaster
I just moved us from snort2c to spoink.
Spoink is an out-plugin built into snort.
Let me contact the Pfsense core-team so they can rebuild the snort package.
James
-
Hi Hostmaster
I just moved us from snort2c to spoink.
Spoink is an out-plugin built into snort.
Let me contact the Pfsense core-team so they can rebuild the snort package.
James
James,
I just saw an update but I didnt see a change at all…
when I do ps aux|grep snort I get
snort2c -w /var/db/whitelist -a /var/log/snort/alert
Did the comit for the new snort pkg went threw?
Thank You!
-
Dont worry about it.
I removed snort2c and now were using spoink. Spoink is an out-put plugin coded into snort.
The core-team of pfsense is building snort again. As soon as they build snort aging I will update the code tonight.
Im also going to add barnyard2 tonight, crossing fingers.Moreover, Im testing snort-inline and all is going well.
We will never have worrie about startup issues again.
James
-
Hello,
Is this new snort package complete?
-
;D most of the coding is complete.
Check tomorrow morning…Snort2c is removed. Hopefully we will never have to see start-up issues again.
Sending the updated binaries to the core-team as we speak.
Crossing fingers.James
-
neat!
Will this also block destination IP addresses that pop up in the snort alert log?
-
- Reviving post
Will this also block destination IP addresses that pop up in the snort alert log?
My test of snort-inline does not block destination addresses. When will there be a fix for this?