Post snort package problems here
-
I'm having an issue with snort on both my pfSense boxes and I'm not sure how to resolve it or if it's an issue with the current build. I'm running 1.2.3-rc3 with the latest build of snort.
I cannot access the blocked address page and I seem to be having an issue with snort blocking internal traffic out as well as traffic in that should not be blocked. Road warriors are getting blocked when trying to access PPTP, FTP users are getting blocked and the internal mail server seems to be having its DNS requests blocked. I've tried disabling rules that didn't apply to our setup, but it doesn't seem to be helping.
I'm not sure where to go from here, but if anyone needs any info that might be useful please let me know and I'll post. Thanks for any help anyone can give.
-
netmethods
Are you using snort's white list to protect IPs you do not want to block?
James
-
yes, but it seems to be blocking IP's that should not be being blocked. For example, getting random emails from outside people or my internal mail server being blocked from sending out. Snort is set to listen to the WAN interface.
-
netmethods
Can you see if the file /var/db/whitelist has all the IPs you want to protect?
James
-
If I add an IP to the whitelist, it will work. The problem is that one site has 150 employees and the other has 60 or so, so they are emailing to all types of companies all over the world. It would be impossible to know all the IPs without having them be blocked first. Shouldn't snort only block IPs that are actually violating a rule?
-
Ahh got it, post the Alert in full that is giving you the problem.
We will use thresholding to solve your problem.
Here's an example: http://forum.pfsense.org/index.php/topic,20137.0.html
James
-
I'm not sure what rules are being triggered, I'll have to install it and see what I can do to get something to show up in the logs. I've tried disabling the rules that didn't apply to our setup, but haven't had any luck with that so far. This will probably have to wait until the weekend, as I can't afford any additional downtime and I don't have a way to replicate this in a test environment.
Thanks for the help with this.
-
Hi,
On my pfsense system snort fails to start after an automatic rules update. However it will start correctly after a manual rules update from web conf. Any suggestions? Something to do with the crontab entry?
syslog:
Nov 16 18:05:48 SnortStartup[20730]: Ram free BEFORE starting Snort: 738M -- Ram free AFTER starting Snort: 738M -- Mode ac-bnfa -- Snort memory usage: Nov 16 18:03:06 snort[49800]: Snort exiting Nov 16 18:03:06 snort[49800]: Snort exiting
snort_update.log:
#########################Monday 16th of November 2009 06:03:01 PM#########################Downloading md5 file... Done. downloading md5 Downloading md5 file... Done. downloading md5 Downloading pfsense md5 file... Done. downloading md5 Your rules are up to date... You may start Snort now, check update. You are NOT up to date... Stopping Snort service... There is a new set of Emergingthreats rules posted. Downloading... May take 4 to 10 min... Done downloading Emergingthreats rules file. Extracting rules... May take a while... Copying md5 sig to snort directory... Updating Alert Messages... Please Wait... Your first set of rules are being copied... May take a while... Cleaning up... The Rules update finished... Snort has restarted with your new set of rules...
Edit:
The restart script works perfectly when running as root from shell. If I try to run it as a cronjob, it seems that the "start_service("snort")" function doesn't work correctly with cron.
Edit2:
Ok, found the problem and fixed it by myself. "snort.inc" should have full paths to the snort and barnyard2 binaries in the $start variable.
Before:
$start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n";
$start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n";
After:
$start .= "/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n";
$start .= "\nsleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n";
You can find those on lines 149 and 153 in "snort.inc".
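The root cause above is that cron runs jobs with a minimal PATH, so bare names like "snort" and "barnyard2" in /usr/local/bin are not found. The following is an added example (not part of the pfSense snort package) that checks a start line of the kind shown in snort.inc: every statement must either use an absolute path or resolve under an assumed cron PATH of /usr/bin:/bin.

```shell
#!/bin/sh
# Added example, not from the pfSense snort package.
# Assumed minimal PATH that cron hands to jobs (assumption; adjust for your system).
CRON_PATH="/usr/bin:/bin"

# Print the command word of each ';'-separated statement in a start line,
# e.g. "sleep 4;barnyard2 -c ..." -> "sleep" and "barnyard2".
statement_commands() {
    printf '%s\n' "$1" | tr ';' '\n' | awk 'NF { print $1 }'
}

# Return 0 when every command is an absolute path or is found under CRON_PATH;
# otherwise print each offender and return 1. This is the check that would have
# flagged the "Before" line in snort.inc, since /usr/local/bin is not on cron's PATH.
check_start_line() {
    rc=0
    for cmd in $(statement_commands "$1"); do
        case "$cmd" in
            /*) continue ;;   # absolute path: cron needs no PATH lookup
        esac
        # Resolve in a subshell so the restricted PATH does not leak out.
        if ! (PATH="$CRON_PATH"; command -v "$cmd" >/dev/null 2>&1); then
            echo "not found under cron PATH ($CRON_PATH): $cmd"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample lines mirroring the snort.inc "Before" and "After" forms.
BEFORE_LINE='sleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -D -q'
AFTER_LINE='sleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -D -q'

main() {
    check_start_line "$BEFORE_LINE" || echo "Before: would fail under cron"
    check_start_line "$AFTER_LINE" && echo "After: ok under cron"
}
```

Run it on the box that will execute the cron job, since the result depends on which binaries live under /usr/bin and /bin there.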
-
Updated the snort package so full paths to binaries are in snort.inc.
James
-
Hmm I also have restart issues (after wan ip change).
The package still shows 1.7 (the previous memleak update).
How can I be sure this is the right one?
Or should I wait a little longer for the update to appear?
Ok please ignore my message, I checked snort.inc and it is apparently fixed there :)