Snort Problem !!!!!
-
An Alix, sweeeet, I'd like to get my hands on a WRAP board to install in my car (dual wifi radios).
Sorry, the proc in my Nokia IP330 is a K6-II 500, not a K6-II 400.
The GUI seems to time out at extraction, at about the 9 minute mark, give or take 10-20 seconds.
Dunno if this means anything, but with top running in an SSH session, bsdtar keeps running for several minutes after the GUI times out.
ls /usr/local/etc/snort/
classification.config sid-msg.map-sample
classification.config-sample snort.conf
gen-msg.map snort.conf-sample
gen-msg.map-sample threshold.conf
reference.config threshold.conf-sample
reference.config-sample unicode.map
rules unicode.map-sample
sid-msg.map
…and
ls /usr/local/etc/snort/rules
doc etc rules so_rules
Thanks James. Been struggling and searching for a while before posting…pretty sure I've just missed something silly.
-
NP DigitalJer
The GUI errors you get are because the rules have not been extracted to /usr/local/etc/snort/rules.
Don't touch the GUI; do this for me.
rm /usr/local/etc/snort/rules/*
and
ls /tmp/snort_rules_up/
James
-
rm /usr/local/etc/snort/rules/*
rm: /usr/local/etc/snort/rules/doc: is a directory
rm: /usr/local/etc/snort/rules/etc: is a directory
rm: /usr/local/etc/snort/rules/rules: is a directory
rm: /usr/local/etc/snort/rules/so_rules: is a directory
…and
ls /tmp/snort_rules_up/
etc snortrules-snapshot-2.8.tar.gz
pfsense_rules.tar.gz snortrules-snapshot-2.8.tar.gz.md5
pfsense_rules.tar.gz.md5 so_rules
rules
…looking into Alix / WRAP, I see the WRAPs have been discontinued in favour of the Alix since the last time I looked. The Alix looks sharp. waaaaannnnt!!
-
Good news, looks like the rules are downloading fine, but your system can't handle the extraction process.
Do this
rm -r /usr/local/etc/snort/rules/*
and
ls /tmp/snort_rules_up/rules
James
-
ls /tmp/snort_rules_up/rules
Makefile.am local.rules snmp.rules
VRT-License.txt misc.rules specific-threats.rules
attack-responses.rules multimedia.rules spyware-put.rules
backdoor.rules mysql.rules sql.rules
bad-traffic.rules netbios.rules telnet.rules
cgi-bin.list nntp.rules tftp.rules
chat.rules open-test.conf virus.rules
content-replace.rules oracle.rules voip.rules
ddos.rules other-ids.rules web-activex.rules
deleted.rules p2p.rules web-attacks.rules
dns.rules policy.rules web-cgi.rules
dos.rules pop2.rules web-client.rules
experimental.rules pop3.rules web-coldfusion.rules
exploit.rules porn.rules web-frontpage.rules
finger.rules rpc.rules web-iis.rules
ftp.rules rservices.rules web-misc.rules
icmp-info.rules scada.rules web-php.rules
icmp.rules scan.rules x11.rules
imap.rules shellcode.rules
info.rules smtp.rules
…my Nokia can't handle the truth?? boo! Oh well it was only $20.
-
Never give up DigitalJer…...
Do this
cp /tmp/snort_rules_up/rules/* /usr/local/etc/snort/rules/
and
rm /usr/local/lib/snort/dynamicrules/*
cp /tmp/snort_rules_up/so_rules/* /usr/local/lib/snort/dynamicrules/
and start Snort by clicking Save on the Settings tab.
-
Heck no, not giving up, just mildly disappointed.
…and that worked - tyvm!!
How did you know that it was failing on the extraction? Going forward, will it update automatically, do you think, or should I bookmark this thread?
-
snort will not update automatically for you, so bookmark this thread.
The main problem is that your system can't handle extracting snortrules-snapshot-2.8.tar.gz.
Hope you understand that I can't fix the bsdtar problem, because you're on a low end system. Just remember to
rm /usr/local/etc/snort/rules/*
cp /tmp/snort_rules_up/rules/* /usr/local/etc/snort/rules/
rm /usr/local/lib/snort/dynamicrules/*
cp /tmp/snort_rules_up/so_rules/* /usr/local/lib/snort/dynamicrules/
cp /tmp/snort_rules_up/pfsense_rules.tar.gz.md5 /usr/local/etc/snort/
cp /tmp/snort_rules_up/snortrules-snapshot-2.8.tar.gz.md5 /usr/local/etc/snort/
James
P.S.
You could write a small script to do this after snort package downloads the rules.
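The manual procedure James spells out above, written up as an added example script. It is not from the thread or from the pfSense Snort package; it assumes the paths named in the thread (overridable with SRC, DST and SO_DST), assumes each .md5 file carries the 32-digit hex digest of its tarball somewhere on the line (format assumed, not stated in the thread), and adds a digest check before the live rule set is replaced, which the thread's copy-and-paste commands do not do. The reason the thread copies the .md5 files next to snort.conf is not explained there; the script's comment treats it as the package's update check, which is an assumption.

```shell
#!/bin/sh
# Added example: manual Snort rule install for when the pfSense Snort package's
# own bsdtar extraction step times out. Save as snort_manual_rules.sh.
# Paths default to the ones named in the thread; override with SRC/DST/SO_DST.
set -eu

# Portable digest: FreeBSD (pfSense) has md5(1), Linux has md5sum(1).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE FILE.md5 -> exit 0 only if the digest in FILE.md5 matches FILE.
# Assumption: the .md5 file contains the 32 hex digits somewhere on the line.
verify_md5() {
    file=$1; sumfile=$2
    expected=$(grep -o '[0-9a-fA-F]\{32\}' "$sumfile" 2>/dev/null | head -n1 | tr 'A-F' 'a-f')
    actual=$(md5_of "$file")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# install_rules SRC DST SO_DST
#   SRC    : the package's download dir, e.g. /tmp/snort_rules_up
#   DST    : text rule dir,              e.g. /usr/local/etc/snort/rules
#   SO_DST : shared-object rule dir,     e.g. /usr/local/lib/snort/dynamicrules
install_rules() {
    src=$1; dst=$2; so_dst=$3
    [ -n "$dst" ] && [ -n "$so_dst" ] || { echo "empty destination" >&2; return 1; }
    # Refuse to touch the live rule set if any downloaded tarball fails its digest.
    for tgz in "$src"/*.tar.gz; do
        [ -f "$tgz" ] || continue
        verify_md5 "$tgz" "$tgz.md5" || { echo "md5 mismatch: $tgz" >&2; return 1; }
    done
    [ -d "$src/rules" ] || { echo "no extracted rules under $src" >&2; return 1; }
    mkdir -p "$dst" "$so_dst"
    rm -rf "$dst"/* "$so_dst"/*
    cp "$src"/rules/* "$dst"/
    # so_rules may hold per-platform subdirectories; -R keeps that layout.
    [ -d "$src/so_rules" ] && cp -R "$src"/so_rules/. "$so_dst"/
    # The thread copies the .md5 files beside snort.conf; assumed to be what
    # the package compares against to decide whether a download is new.
    cp "$src"/*.md5 "$(dirname "$dst")"/
}

# Run with the thread's paths only when executed as the script itself, so the
# functions can also be sourced from another shell.
case "$0" in
    */snort_manual_rules.sh|snort_manual_rules.sh)
        install_rules "${SRC:-/tmp/snort_rules_up}" \
                      "${DST:-/usr/local/etc/snort/rules}" \
                      "${SO_DST:-/usr/local/lib/snort/dynamicrules}" ;;
esac
```

Run it after the package has downloaded the rules but before clicking Save on the Settings tab; a digest mismatch leaves the previously installed rules in place and returns non-zero.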
-
Got it.
Thanks again :)
-
UPDATE: You're right, the Nokia IP330 firewall turned out to be considerably less powerful than I thought.
I recently ordered Shaw's 100 mbps service, and with just ONE decently seeded torrent the pfsense f/w CPU held steady at about 55%. Even just surfing at the same time resulted in 100% CPU, saturation, and laaaag :(
So, that's been retired, and an Athlon XP 64 3000+ with a gig of RAM moved in instead, and all is well. I did the math, this should just slightly exceed requirements…so ought to be just about right.
Anyway, thanks again jamesdean, for taking the time to help me out! Happy Holidays :)