Snort…working on Bugs today.....
-
i am running windows7 pro retested on chrome and ff3.6.3 and firewall_aliases_edit.php does work just fine
ie has this error blip Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Timestamp: Sun, 25 Apr 2010 23:13:43 UTCMessage: 'rowname' is undefined
Line: 147
Char: 2
Code: 0
URI: https://192.168.35.1/snort/snort_interfaces_whitelist_edit.php?id=0 -
I have a friend who is getting blocked by snort periodically. All he is accessing is my email server. With this going on, I also noticed that the logging is really not all that helpfull.. Here is what the log shows..
8 3 PROTO:255 (portscan) UDP Distributed Portscan Prep xxx.xxx.xxx.xxx empty -> xxx.xxx.xxx.xxx empty 122:20:0 04/25-20:44:30
Basically what rule is causing this false positive? I am guessing the port scan pre-processor? If so, I guess I just have to turn it off to not block legit users?
Anyone notice their memory usage go up since the .22 release? My memory usage went up, and seems to be creeping up every day now. With the old version (.20 last for me) it was lower and stable.
-
I confirm a problem with the box in whitelists. It works in IE 8 and 7. With Firefox it doesn't show the box to enter the ip. It works well in the aliases.
-
james my system is pfsense 2.0 I am seeing the box to enter 1 ip but cant get it to add more boxes the firewall_aliases_edit.php does work
-
Well, it sure seems like the whitelist is not working.
…working great for me. I've whitelisted a cpl websites (that were initially blocked by SNORT), and my work IP address (so I can VPN into my home stuff while at work); no problems whatsoever.
A VOIP authentication server keeps popping up on my alert and block list despite having it listed in the whitelist.
I wonder if it is due to some of the snort rules I have selected ??
-
I am going to look into it more but the latest rules have broke all versions of snort for pfsense due to a missing directory for so_rules. I was just wondering if anyone else was experinceing this or was it just me.
pfsence 1.2.3 release both versions of snort.
Edit: Just notice a 0 byte file called touch off of root. Not sure if this is due to snort script but I have not noticed it before.
Edit:Edit: I also noticed when I edit my VLAN interfaces in 2.8.5.3 pkg v. 1.22 it says "Snort: Interface Edit: 0 57641 vlan0" instead of what I have them aliased as.
Edit:Edit:Edit: Hmm I checked /usr/local/pkg/snort/snort_check_for_rules_updates.php and it seems that anything that would generate that error is already commented out. wth I am kinda scared to try and reboot pfsense and see if that will fix it.
-
James, as a side note or a suggested wish for the snort package. When I was diving through the update php file I noticed that there is an md5 check function in there. After running Update to see if I fixed it about a dozen times and it downloading the same file continuously do you think it would be possible to add code that would use the md5 routine to keep it from downloading the same file when a problem with the rules or a bug with the package occurs. Not a really huge deal but I fear getting banned due to excessive updates trying to see if I fixed the problem that I run into.
-
Ok I have tracked the problem down to it being a VLAN issue. In order to get snort running manually in the latest version I copied the rules from /usr/local/etc/snort/rules to my corresponding vlan directories ie. "/usr/local/etc/snort/snort_61611_vlan0/rules"
Still baffles me how snort_old was broken but oh well I got it up again with 2.8.5.3 pkg v. 1.22.
-
Seems like none of the "BLOCK" rules are working for me causing snort to fatal error on start. Is anyone else having this problem?
snort[3898]: FATAL ERROR: /usr/local/etc/snort/snort_61611_vlan0/rules/emerging-compromised-BLOCK.rules(49) Unknown rule option: 'fwsam'.
-
Directory so_rules does not exist…
Error copying so_rules...pfsense 2.0 beta 1 and snort .22
-
Do you use VLANs?