Preview of Snort-dev snort pkg 1.7 alpha
-
Hummm… do you have dual wans ?
Please explain it again.
James
-
James,
No dual wan, but three physical LAN (I use snort on internal devices to reduce alert verbosity)
- LAN (the default)
- DMZ1 (OPT1)
- DMZ2 (OPT2)
In firewall rules or nat screens, these 2 other interfaces are shown as DMZ1/DMZ1 ($config['interfaces'][xxx]['descr']). In snort screens, when adding a new interface, the GUI also shows DMZ1/DMZ2 in the dropdown list to select the interface. But in the snort interface tab, with $natent['interface'], OPT1/2 is shown.
Really not an issue, it is only a "look" issue.
Pierre
-
I hear you.
I want to fallow the Interfaces drop-down menu in Pfsense.
But, If people complain, I'll change it to your suggestion.James
James,
No dual wan, but three physical LAN (I use snort on internal devices to reduce alert verbosity)
- LAN (the default)
- DMZ1 (OPT1)
- DMZ2 (OPT2)
In firewall rules or nat screens, these 2 other interfaces are shown as DMZ1/DMZ1 ($config['interfaces'][xxx]['descr']). In snort screens, when adding a new interface, the GUI also shows DMZ1/DMZ2 in the dropdown list to select the interface. But in the snort interface tab, with $natent['interface'], OPT1/2 is shown.
Really not an issue, it is only a "look" issue.
Pierre
-
Hi James,
Ok, thanks !
I installed the RC3, I think I found a little issue in the "update" tab (which was maybe there in RC2): the GUI always says the rule directory is empty, even when it is not. I checked the php code, and this messages is not conditional to a "file_exists" call.
Very very little issue ;-)
Pierre
-
Another feedback, I decided to test all I could !
In my test, I have three interfaces. I activated the auto update of rules every 6 hours, and when an update is done, none of the three snort is restarting. The cron log file seems ok :
#########################
Thursday 10th of December 2009 12:03:27 AM
#########################Removing old tmp files…
Downloading md5 file...
Done. downloading md5
Downloading md5 file...
Done. downloading md5
Downloading pfsense md5 file...
Done. downloading md5
Your rules are up to date...
You may start Snort now, check update.
You are NOT up to date...
Stopping All Snort Package services...
There is a new set of Emergingthreats rules posted. Downloading...
May take 4 to 10 min...
Done downloading Emergingthreats rules file.
Extracting rules...
May take a while...
Copying md5 sig to snort directory...
Updating Alert Messages...
Please Wait...
Your first set of rules are being copied...
May take a while...
Your first set of rules are being copied...
May take a while...
Your first set of rules are being copied...
May take a while...
Cleaning up...
The Rules update finished...
Snort has restarted with your new set of rules...But no snort is running :
ps aux | grep snort
Nothing is system logs, so it seems the script /usr/local/pkg/snort/snort_check_for_rule_updates.php did not start anything (I mean: there is no snort startup error on logs, so I guess the script did not restart instances).
I think the following line is not correct when there is more than one interface:
exec("/bin/sh /usr/local/etc/rc.d/snort* start");
Trying "/bin/sh /usr/local/etc/rc.d/snort* start" at the shell prompt deos nothing (maybe causing "/bin/sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start")
At the shell, the following is working :
for i in
ls /usr/local/etc/rc.d/snort*do; sh $i start; doneHope this helps !
Pierre -
I'm on it Pierre.
Please post the Pfsense viresion you are using.
Thank you for making the snort package better.
James
Another feedback, I decided to test all I could !
In my test, I have three interfaces. I activated the auto update of rules every 6 hours, and when an update is done, none of the three snort is restarting. The cron log file seems ok :
#########################
Thursday 10th of December 2009 12:03:27 AM
#########################Removing old tmp files…
Downloading md5 file...
Done. downloading md5
Downloading md5 file...
Done. downloading md5
Downloading pfsense md5 file...
Done. downloading md5
Your rules are up to date...
You may start Snort now, check update.
You are NOT up to date...
Stopping All Snort Package services...
There is a new set of Emergingthreats rules posted. Downloading...
May take 4 to 10 min...
Done downloading Emergingthreats rules file.
Extracting rules...
May take a while...
Copying md5 sig to snort directory...
Updating Alert Messages...
Please Wait...
Your first set of rules are being copied...
May take a while...
Your first set of rules are being copied...
May take a while...
Your first set of rules are being copied...
May take a while...
Cleaning up...
The Rules update finished...
Snort has restarted with your new set of rules...But no snort is running :
ps aux | grep snort
Nothing is system logs, so it seems the script /usr/local/pkg/snort/snort_check_for_rule_updates.php did not start anything (I mean: there is no snort startup error on logs, so I guess the script did not restart instances).
I think the following line is not correct when there is more than one interface:
exec("/bin/sh /usr/local/etc/rc.d/snort* start");
Trying "/bin/sh /usr/local/etc/rc.d/snort* start" at the shell prompt deos nothing (maybe causing "/bin/sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start")
At the shell, the following is working :
for i in
ls /usr/local/etc/rc.d/snort*do; sh $i start; doneHope this helps !
Pierre -
I'm on it Pierre.
Please post the Pfsense viresion you are using.
Thank you for making the snort package better.
James
Hi James,
I am using 1.2.3RC3. The lines I was talking about are in /usr/local/pkg/snort/snort_check_for_rule_updates.php, in the snort package.
In the meanwhile, I did some test in the shell:
sh -x
sh -x
sh /usr/local/etc/rc.d/snort* start
- sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start
So I think the problem is the one I suspected yesterday, and only affets snort installation with multi interfaces.
Hope this helps !
Pierre -
jamesdean how can i complete remove the snort RC, snort has 4 service listed under Status: Services
and it wont start I tried removing it from System: Package Manager it uninstall but snort is still listed in service snort and when click it open Services: Snort 2.8.4.1_7 pkg v. 1.8 RC4 -
jamesdean how can i complete remove the snort RC, snort has 4 service listed under Status: Services
and it wont start I tried removing it from System: Package Manager it uninstall but snort is still listed in service snort and when click it open Services: Snort 2.8.4.1_7 pkg v. 1.8 RC4Hey are you using nanobsd ?
Try reinstalling the snort package then deinstalling it now.
James
-
james
no not using nanobsd. full install, this scrip doesn't work to enable all rules
/usr/local/bin/perl -pi -e 's/# alert/alert/g' /usr/local/etc/snort/rules/*.rules
can you post another script
james thank you for all your hard work I know its not easy but we all do appreciate all your hard work
-
I will add a option to disable or enable all rules for an interface.
Please be Patient.James
-
Snort 2.8.4.1_7 pkg v. 1.8 RC4
their seem to be something wrong with the Emergingthreats rules It will download but they are not listed in Categories or rules
also their are no alerts or blocking also what would you recommend for HTTP server flow depth I have it set to 0