Snort… working on bugs today…
-
I will be working on Snort bugs today; let's see how much I get done for pkg v. 1.23.
Users are asking for:
Snort block table should survive reboots. Don't know how I'm going to do this.
Create Upload GUI
Use chroot for Snort.
Add log rotation and log dir size display
Update snort binary to 2.8.6
Known Issues:
IE is having trouble in the download rules tab. Find out why.
Auto download rules needs to be updated. Fixed in Snort package v. 1.22. Please help check my work!
bug: ~~snort_whitelist.xml is causing deinstall issues because it lives in /usr/local/pkg/
solution: move and recode snort_whitelist.xml to snort_whitelist.php. This will be hard…~~
bug: when snort or barnyard are running and the user clears the logs, snort and barnyard become out of sync and do not log to the alert file.
solution: redo the code and warn the user that an interface restart may be needed. Fixed
bug: the whitelist file does not have the right permissions on bootup, causing snort not to read the file.
solution: move the default whitelist file from /var/db to /usr/local/etc/snort and make sure permissions are set. Fixed
bug: /usr/local/pkg/snort/snort_check_for_rule_updates.php has require gui.inc.
solution: remove gui.inc from snort_check_for_rule_updates.php. Fixed
James
-
How hard is it to add the autoshun rules? I tried to do it by manually adding them, but that caused snort not to start because it said snort didn't recognize the autoshun rules. Not sure if the snort binary has to be patched to get them to work?
-
How hard is it to add the autoshun rules? I tried to do it by manually adding them, but that caused snort not to start because it said snort didn't recognize the autoshun rules. Not sure if the snort binary has to be patched to get them to work?
You need a patched binary with the autoshun code to use their rules.
I will add that at some point, mainly because I want that p0f code.
James
-
OK, I think I'll wait. Being mainly versed in Windows, I'm not sure I am ready to try this level of change to pfSense.
Thanks for the info and hard work.
-
We ran into a couple of commercial support customers who have run into an issue of the snort log filling up their hard drive (the same has been reported on the forums). There is no log rotation happening with the snort logs; is this something you're aware of and/or planning to fix?
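The disk-filling complaint above (and the "clear button stops snort" reports later in the thread) both come from the same fact: Snort holds its alert file open, so renaming or deleting the file behind its back leaves it writing to an unlinked inode, and the usual fix is a restart. The example below is added here and is not part of the pfSense package; it shows the copy-then-truncate style of rotation that keeps the writer's file descriptor valid, with a size threshold on the log directory. The directory name, the `alert` file name and the sample alert lines are constructed for the demo.

```python
import gzip
import os
import shutil
import tempfile


def dir_size_bytes(path):
    """Total size of the regular files directly inside path."""
    total = 0
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                total += entry.stat().st_size
    return total


def rotate_file(path, keep=5):
    """Copy-then-truncate rotation of one log file.

    The live file is never renamed or unlinked, so a process that holds it
    open keeps writing to the same inode afterwards; that is what avoids the
    restart users in this thread report. Lines written between the copy and
    the truncate are lost, the known trade-off of copy-truncate. If the
    writer opened the file in append mode, its next write lands at the new
    end; if not, it lands at the old offset and leaves a sparse hole.
    Returns the archive path, or None if the file was empty.
    """
    if os.path.getsize(path) == 0:
        return None
    # Shift alert.1.gz -> alert.2.gz ... and drop the oldest generation.
    for n in range(keep, 0, -1):
        older = f"{path}.{n}.gz"
        if os.path.exists(older):
            if n == keep:
                os.remove(older)
            else:
                os.replace(older, f"{path}.{n + 1}.gz")
    archive = f"{path}.1.gz"
    with open(path, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    with open(path, "r+b") as live:
        live.truncate(0)
    return archive


def rotate_if_over(log_dir, max_bytes, names=("alert",), keep=5):
    """Rotate each named log in log_dir once the directory exceeds max_bytes.
    Returns the list of archives written (empty when under the limit)."""
    if dir_size_bytes(log_dir) <= max_bytes:
        return []
    archives = []
    for name in names:
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            archive = rotate_file(path, keep=keep)
            if archive:
                archives.append(archive)
    return archives


def read_archive(archive):
    with gzip.open(archive, "rb") as fh:
        return fh.read()


def demo(max_bytes=1024):
    """Build a throwaway log directory with a constructed alert file, keep a
    writer's descriptor open across two rotations, and report what happened."""
    log_dir = tempfile.mkdtemp(prefix="snortlog-")
    alert = os.path.join(log_dir, "alert")
    first = b"04/25-20:44:30 [**] [122:20:0] (portscan) UDP Distributed Portscan [**]\n" * 40
    with open(alert, "wb") as fh:
        fh.write(first)
    writer = open(alert, "ab")  # stands in for Snort keeping the file open
    result = {}
    try:
        rotated = rotate_if_over(log_dir, max_bytes)
        result["first_rotated"] = [os.path.basename(p) for p in rotated]
        result["size_after_first"] = os.path.getsize(alert)
        result["first_archive_matches"] = read_archive(alert + ".1.gz") == first
        second = b"second batch\n" * 100
        writer.write(second)
        writer.flush()
        rotated = rotate_if_over(log_dir, max_bytes)
        result["second_rotated"] = [os.path.basename(p) for p in rotated]
        result["second_archive_is_second_batch"] = read_archive(alert + ".1.gz") == second
        result["first_batch_shifted_to_2"] = read_archive(alert + ".2.gz") == first
        result["third_rotated"] = rotate_if_over(log_dir, max_bytes)
    finally:
        writer.close()
        shutil.rmtree(log_dir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it from cron with the directory and limit of your choice; the second rotation in `demo()` is the interesting one, because the writer that was opened before the first rotation still lands its data in the new archive without being restarted.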
-
Well, time to report about snort…
1.2.3-RELEASE
built on Sun Dec 6 23:38:21 EST 2009
FreeBSD 7.2-RELEASE-p5 i386
Snort 2.8.5.3 pkg v. 1.21
specs:
Intel(R) Pentium(R) 4 CPU 2.00GHz
1 GB RAM
2 LAN and 1 WAN on ADSL 16 Mbit/1 Mbit and 1 WAN on fibre 100 Mbit. Snort running on all interfaces.
300+ clients daily.
Snort installed well. No problems at all. Updates well also. Using whitelists with no problems.
The only issue I've discovered is the lack of log rotation. Plus, when clicking the clear button, it seems to stop snort. It only logs again after stopping and starting snort again on all interfaces. Other than that, you're the man, James! ;)
And a special thanks to ALL THAT PARTICIPATE AND MAKE PFSENSE GROW AND IMPROVE…
-
Running: pfSense 1.2.3
Upgraded Snort today to: 2.8.5.3 pkg v. 1.22
I was getting the following error when attempting to start any individual Snort service:
snort[1183]: FATAL ERROR: /usr/local/etc/snort/snort.conf(180) => Invalid ip_list to 'ignore_scanners' option
There was no comma being inserted after the localhost IP in HOME_NET, so it was running into the next address (127.0.0.155.55.55.55 instead of 127.0.0.1,55.55.55.55)
I edited /usr/local/pkg/snort/snort.inc, line 122, to add a comma at the end of 127.0.0.1, and that fixed it (though I suspect it's not really the proper fix):
$home_net .= "127.0.0.1,";
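The failure above is a plain string-building bug: `127.0.0.1` was appended without a separator, so it fused with the next address and Snort rejected the whole `ip_list` at start-up. The poster's one-character patch is correct for that line, but the robust fix is to assemble the list once from its members and validate every member before the config is written. The example below is added here, written in Python rather than the package's PHP so it runs stand-alone; it is not the pfSense package's code, and the address list is constructed (`55.55.55.55` stands in for the WAN address from the post).

```python
import ipaddress

# Constructed example input (not from the pfSense package): the addresses a
# package might collect for HOME_NET. 127.0.0.1 is prepended by the builder.
SAMPLE_PARTS = ["192.168.35.0/24", "10.0.0.1", "55.55.55.55"]


def build_home_net_buggy(parts):
    """Reproduces the defect reported above: 127.0.0.1 is appended without a
    trailing comma, so it fuses with whatever address comes next."""
    home_net = "127.0.0.1"            # no comma here, as in the bug
    for part in parts:
        home_net += part + ","
    return home_net.rstrip(",")


def build_home_net(parts):
    """Assemble the list once, deduplicated and joined with exactly one comma
    between members, instead of concatenating fragments with ad hoc commas."""
    members = dict.fromkeys(["127.0.0.1", *parts])   # ordered, no duplicates
    return ",".join(members)


def invalid_members(ip_list):
    """Return the tokens in a Snort ip_list that are not a valid IPv4/IPv6
    address or CIDR block. 'any' and '!'-negated entries are accepted; empty
    tokens (from a doubled or trailing comma) are reported as ''."""
    bad = []
    for tok in ip_list.split(","):
        tok = tok.strip()
        body = tok[1:] if tok.startswith("!") else tok
        if body == "any":
            continue
        try:
            ipaddress.ip_network(body, strict=False)
        except ValueError:
            bad.append(tok)
    return bad


def render_var(name, parts):
    """Emit the config line, refusing to write one that Snort would reject at
    start-up with 'Invalid ip_list'. The 'var NAME [list]' shape is the plain
    Snort 2.x form; it is not a claim about how the package formats it."""
    ip_list = build_home_net(parts)
    bad = invalid_members(ip_list)
    if bad:
        raise ValueError(f"refusing to write {name}: bad members {bad}")
    return f"var {name} [{ip_list}]"


if __name__ == "__main__":
    buggy = build_home_net_buggy(SAMPLE_PARTS)
    print("buggy :", buggy, "-> invalid:", invalid_members(buggy))
    print("fixed :", render_var("HOME_NET", SAMPLE_PARTS))
```

The validator is the part worth keeping even after the comma is fixed: any future address source (an alias, a gateway, a DNS server entered by hand) that yields a malformed token fails at generation time with a named culprit, instead of at Snort start-up with a line number in snort.conf.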
-
Thanks James.
All the other HOME_NET IPs (in my config at least) were comma separated, so I figured that one should be as well.
No issues starting Snort after that, though I admit I haven't tested it yet to see if it actually triggers alerts.
-
One more thing. I've updated and noticed that snort didn't keep my configuration. Is this supposed to be this way?
-
Low priority suggestion:
It would be nice to be able to have an "add similar ruleset to this one" button. Checking off all the rulesets to load when you're running on multiple interfaces can be time consuming.
-
Thank you, James, for upgrading snort on pfSense.
A special thanks to all who improve pfSense.
-
Well, it sure seems like the whitelist is not working.
Anybody else have trouble with the whitelist?
-
Well, it sure seems like the whitelist is not working.
…working great for me. I've whitelisted a couple of websites (that were initially blocked by Snort) and my work IP address (so I can VPN into my home stuff while at work); no problems whatsoever.
-
I am trying to create a new whitelist; the add button doesn't function to add another entry. Tried on FF 3.6, Chrome and IE 8.
-
I just tested and verified that the add button works on IE8, Firefox 3.6.3 and Chrome. I'm using the same code as firewall_aliases_edit.php; does that work for you?
Do you have scripting enabled?
Tell me more about the system your browsers are on.
James
-
I am running Windows 7 Pro. Retested on Chrome and FF 3.6.3, and firewall_aliases_edit.php does work just fine.
IE has this error blip:
Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Timestamp: Sun, 25 Apr 2010 23:13:43 UTC
Message: 'rowname' is undefined
Line: 147
Char: 2
Code: 0
URI: https://192.168.35.1/snort/snort_interfaces_whitelist_edit.php?id=0
-
I have a friend who is getting blocked by snort periodically. All he is accessing is my email server. With this going on, I also noticed that the logging is really not all that helpful. Here is what the log shows:
8 3 PROTO:255 (portscan) UDP Distributed Portscan Prep xxx.xxx.xxx.xxx empty -> xxx.xxx.xxx.xxx empty 122:20:0 04/25-20:44:30
Basically, what rule is causing this false positive? I am guessing the portscan preprocessor? If so, I guess I just have to turn it off to not block legit users?
Anyone notice their memory usage go up since the .22 release? My memory usage went up, and seems to be creeping up every day now. With the old version (.20 was the last for me) it was lower and stable.
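The poster's guess is right, and the log line says so once you know where to look: the `122:20:0` token is Snort's gid:sid:rev, and generator ID 122 is the sfPortscan preprocessor, not a rule, so no ruleset checkbox will make it go away. Turning the whole preprocessor off is one option; the narrower ones are the `ignore_scanners` list that the same thread already shows in `snort.conf`, or a `suppress` entry keyed on gid and sid, which works for preprocessor events as well as rules. The example below is added here and is not part of the pfSense package; it parses alert lines in the layout of the one quoted above (IPv4 only) and classifies them by generator. The two sample lines, their addresses (TEST-NET ranges) and the local-rule sid are constructed for the demo.

```python
import re

# Generator IDs (gid) Snort 2.x puts in gid:sid:rev. gid 1 and 3 are rules you
# can disable or edit; everything else is a preprocessor event that no ruleset
# selection controls. Only generators whose IDs I am sure of are listed.
GENERATORS = {
    1: "text rules",
    3: "shared-object rules",
    116: "decoder",
    119: "http_inspect (client)",
    120: "http_inspect (server)",
    122: "sfPortscan",
    123: "frag3",
    129: "stream5",
}

# Constructed sample lines in the layout of the alert quoted in the thread.
SAMPLE_LINES = [
    "8 3 PROTO:255 (portscan) UDP Distributed Portscan Prep 203.0.113.5 empty -> 198.51.100.25 empty 122:20:0 04/25-20:44:30",
    "2 1 TCP EXAMPLE local rule hit 203.0.113.5 51234 -> 198.51.100.25 25 1:1000001:1 04/25-20:45:02",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^\s*(?P<col1>\d+)\s+(?P<col2>\d+)\s+"          # two leading numeric columns (meaning not given on the page)
    r"(?P<proto>PROTO:\d+|TCP|UDP|ICMP)\s+"
    r"(?P<msg>.*?)\s+"
    rf"(?P<src>{IPV4})\s+(?P<sport>\S+)\s+->\s+"
    rf"(?P<dst>{IPV4})\s+(?P<dport>\S+)\s+"
    r"(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s+"
    r"(?P<ts>\S+)\s*$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    gid, sid, rev = (int(m.group(k)) for k in ("gid", "sid", "rev"))
    return {
        "proto": m.group("proto"), "msg": m.group("msg"),
        "src": m.group("src"), "sport": m.group("sport"),
        "dst": m.group("dst"), "dport": m.group("dport"),
        "gid": gid, "sid": sid, "rev": rev, "timestamp": m.group("ts"),
        "origin": "rule" if gid in (1, 3) else "preprocessor",
        "generator": GENERATORS.get(gid, f"gid {gid}"),
    }


def suppress_line(alert, track="by_src"):
    """threshold.conf entry that silences this gid:sid for one host. Because it
    keys on gid, it applies to preprocessor events as well as rules."""
    ip = alert["src"] if track == "by_src" else alert["dst"]
    return f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, track {track}, ip {ip}"


def triage(alert):
    """One-line recommendation for where the tuning knob for this alert lives."""
    if alert["origin"] == "rule":
        return (f"rule {alert['gid']}:{alert['sid']}: disable it in the ruleset "
                f"or add: {suppress_line(alert)}")
    if alert["gid"] == 122:
        return (f"sfPortscan event, no ruleset checkbox controls it; add {alert['src']} "
                f"to ignore_scanners on the sfportscan preprocessor line, "
                f"or add: {suppress_line(alert)}")
    return f"{alert['generator']} event; tune that preprocessor or add: {suppress_line(alert)}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        alert = parse_alert(line)
        print(f"{alert['gid']}:{alert['sid']} [{alert['generator']}] -> {triage(alert)}")
```

Whether to use `ignore_scanners` or a `suppress` entry is a judgement call: `ignore_scanners` stops sfPortscan tracking that host at all, while `suppress` keeps tracking but drops the event, so the host never reaches the block table for that gid:sid only.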
-
I confirm a problem with the box in whitelists. It works in IE 8 and 7. With Firefox it doesn't show the box to enter the IP. It works well in the aliases.
-
James, my system is pfSense 2.0. I am seeing the box to enter 1 IP but can't get it to add more boxes; firewall_aliases_edit.php does work.
-
Well, it sure seems like the whitelist is not working.
…working great for me. I've whitelisted a couple of websites (that were initially blocked by Snort) and my work IP address (so I can VPN into my home stuff while at work); no problems whatsoever.
A VoIP authentication server keeps popping up on my alert and block list despite being listed in the whitelist.
I wonder if it is due to some of the snort rules I have selected?