Snort…working on Bugs today.....
-
We ran into a couple commercial support customers who have run into an issue of the snort log filling up their hard drive (the same has been reported on the forums). There is no log rotation happening with the snort logs, is this something you're aware of and/or planning to fix?
-
Well, time to report about snort…
1.2.3-RELEASE
built on Sun Dec 6 23:38:21 EST 2009
FreeBSD 7.2-RELEASE-p5 i386
Snort 2.8.5.3 pkg v. 1.21specs:
Intel(R) Pentium(R) 4 CPU 2.00GHz
1 GB ram2 lan and 1 wan on ADSL 16bits/1mbits and 1 wan on Fibre 100mbits. Snort running on all interfaces.
300+ clients daily.
Snort installed well. No problems at all. Updates well also. Using whitelists with no problems.
Only issue I've discovered is lack of log rotation. Plus, when clicking clear button, seems to stop snort. It only logs again after stoping and starting snort again on all interfaces. Other than that, you're the man, James! ;)And a special thank's to ALL THAT PARTICIPATE AND MAKE PFSENSE GROW AND IMPROVE....
-
Running: pfSense 1.2.3
Upgraded Snort Today To: 2.8.5.3 pkg v. 1.22I was getting the following error when attempting to start any individual Snort service:
snort[1183]: FATAL ERROR: /usr/local/etc/snort/snort.conf(180) => Invalid ip_list to 'ignore_scanners' option
There was no comma being inserted after the localhost IP in HOME_NET, so it was running into the next address (127.0.0.155.55.55.55 instead of 127.0.0.1,55.55.55.55)
I edited /usr/local/pkg/snort/snort.inc, line 122, to add a comma at the end of 127.0.0.1 and that fixed it (though I suspect it's not really the proper fix):
$home_net .= "127.0.0.1,";
-
Thanks James.
All the other HOME_NET IPs (in my config at least) were comma separated, so I figured that one should be as well.
No issues starting Snort after that, though I admit I haven't tested it yet to see if it actually triggers alerts.
-
One more thing. I've updated and noticed that snort didn't kept my configurations. Is this supposed to be this way?
-
Low priority suggestion:
It would be nice to be able to have an "add similar ruleset to this one" button. Checking off all the rulesets to load when you're running on multiple interfaces can be time consuming.
-
Thank you James, for upgrading snort on pfsense.
A special thank's to all who improve pfsense.
-
Well, it sure seems like the whitelist is not working.
Anybody else have trouble with the whitelist?
-
Well, it sure seems like the whitelist is not working.
…working great for me. I've whitelisted a cpl websites (that were initially blocked by SNORT), and my work IP address (so I can VPN into my home stuff while at work); no problems whatsoever.
-
i am trying to create a new whitelist add the button doesn't function to add another entry tried on ff3.6 and chrome and ie 8
-
I just tested and verified that the add button on IE8, firefox 3.6.3 and chrome works. Im using the same code as firewall_aliases_edit.php does that work for you?
Do you have scripting enabled ?
Tell me more about the system your browsers are on.
James
-
i am running windows7 pro retested on chrome and ff3.6.3 and firewall_aliases_edit.php does work just fine
ie has this error blip Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Timestamp: Sun, 25 Apr 2010 23:13:43 UTCMessage: 'rowname' is undefined
Line: 147
Char: 2
Code: 0
URI: https://192.168.35.1/snort/snort_interfaces_whitelist_edit.php?id=0 -
I have a friend who is getting blocked by snort periodically. All he is accessing is my email server. With this going on, I also noticed that the logging is really not all that helpfull.. Here is what the log shows..
8 3 PROTO:255 (portscan) UDP Distributed Portscan Prep xxx.xxx.xxx.xxx empty -> xxx.xxx.xxx.xxx empty 122:20:0 04/25-20:44:30
Basically what rule is causing this false positive? I am guessing the port scan pre-processor? If so, I guess I just have to turn it off to not block legit users?
Anyone notice their memory usage go up since the .22 release? My memory usage went up, and seems to be creeping up every day now. With the old version (.20 last for me) it was lower and stable.
-
I confirm a problem with the box in whitelists. It works in IE 8 and 7. With Firefox it doesn't show the box to enter the ip. It works well in the aliases.
-
james my system is pfsense 2.0 I am seeing the box to enter 1 ip but cant get it to add more boxes the firewall_aliases_edit.php does work
-
Well, it sure seems like the whitelist is not working.
…working great for me. I've whitelisted a cpl websites (that were initially blocked by SNORT), and my work IP address (so I can VPN into my home stuff while at work); no problems whatsoever.
A VOIP authentication server keeps popping up on my alert and block list despite having it listed in the whitelist.
I wonder if it is due to some of the snort rules I have selected ??
-
I am going to look into it more but the latest rules have broke all versions of snort for pfsense due to a missing directory for so_rules. I was just wondering if anyone else was experinceing this or was it just me.
pfsence 1.2.3 release both versions of snort.
Edit: Just notice a 0 byte file called touch off of root. Not sure if this is due to snort script but I have not noticed it before.
Edit:Edit: I also noticed when I edit my VLAN interfaces in 2.8.5.3 pkg v. 1.22 it says "Snort: Interface Edit: 0 57641 vlan0" instead of what I have them aliased as.
Edit:Edit:Edit: Hmm I checked /usr/local/pkg/snort/snort_check_for_rules_updates.php and it seems that anything that would generate that error is already commented out. wth I am kinda scared to try and reboot pfsense and see if that will fix it.
-
James, as a side note or a suggested wish for the snort package. When I was diving through the update php file I noticed that there is an md5 check function in there. After running Update to see if I fixed it about a dozen times and it downloading the same file continuously do you think it would be possible to add code that would use the md5 routine to keep it from downloading the same file when a problem with the rules or a bug with the package occurs. Not a really huge deal but I fear getting banned due to excessive updates trying to see if I fixed the problem that I run into.
-
Ok I have tracked the problem down to it being a VLAN issue. In order to get snort running manually in the latest version I copied the rules from /usr/local/etc/snort/rules to my corresponding vlan directories ie. "/usr/local/etc/snort/snort_61611_vlan0/rules"
Still baffles me how snort_old was broken but oh well I got it up again with 2.8.5.3 pkg v. 1.22.
-
Seems like none of the "BLOCK" rules are working for me causing snort to fatal error on start. Is anyone else having this problem?
snort[3898]: FATAL ERROR: /usr/local/etc/snort/snort_61611_vlan0/rules/emerging-compromised-BLOCK.rules(49) Unknown rule option: 'fwsam'.