Netgate Discussion Forum
Snort bugs

pfSense Packages
20 Posts 11 Posters 7.9k Views
    simby
    last edited by Aug 28, 2010, 6:29 AM

    Hi,

    On Snort v1.33 I have a problem with the link to the pfSense index page, and under the Update tab, Rule Update, I can't open
        * Upload Custom Rules
        * Gui Update

      grandrivers
      last edited by Aug 28, 2010, 1:03 PM

      I don't think james is done with the code for those features

      pfsense plus 25.03 super micro A1SRM-2558F
      C2558 32gig ECC  60gig SSD

        jamesdean
        last edited by Aug 28, 2010, 10:04 PM

        Code not done yet, maybe in a week.

        James

          tester_02
          last edited by Aug 30, 2010, 3:50 AM

          Found another Snort bug. It existed before…
          Whitelists, edit, add another entry. The link is to
          http://x.x.x.x/snort/snort_interfaces_whitelist_edit.php?id=0#  (x.x.x.x is the correct address)
          but does not do anything. I can't add another entry.
          Is there a limit to the number of entries, or is the add broken again?

          Anyone else having issues here?

            darklogic
            last edited by Aug 31, 2010, 12:44 PM

            I have an issue I have been dealing with for a while that happens on all the pfSense systems I have running Snort. This is not a new bug, it seems to have been around for a while, and I was wondering if anyone has any idea on how to correct it?

            Snort for some reason will not release a blocked offender after the set time to release. I have offenders set to release after 1 hour, and I notice every IP that was blocked never gets removed after the set time. I have tried different settings, uninstall of the package, reinstall of the package, reboots, and restarts of the service. I can reproduce the issue on multiple boxes and even after fresh installs of the 1.2.3-release. I notice IPs still in the blocked section that have a blocked time like 35 hours ago and should have been released after 1 hour.

            The problem has put me in a position to disable Snort for the time being, because I have some IPs getting blocked that belong to remote site locations. This is how I discovered the problem a while ago.

            Any ideas on this?

            Thanks

              TreeTopFlyer
              last edited by Aug 31, 2010, 1:40 PM

              SNORT for some reason will not release a blocked offender after the set time to release.

              Are you sure that the blocked IP is not releasing (correctly) and then immediately being put back on the block list when it tries to gain access?

                darklogic
                last edited by Aug 31, 2010, 6:13 PM

                Yeah, I am sure it is not that, because I look at the alert log and can match it up that way. That very thought crossed my mind, but that is not it. I even wrote down a series of blocked IPs, waited for a few hours and then checked to see if they all matched up, and not one thing changed or was released. I am currently using Snort 2.8.6.1 pkg v1.33 with premium VRT rules.

                  JustinTime
                  last edited by Aug 31, 2010, 9:31 PM

                  @tester_02:

                  Found another Snort bug. It existed before…
                  Whitelists, edit, add another entry. The link is to
                  http://x.x.x.x/snort/snort_interfaces_whitelist_edit.php?id=0#   (x.x.x.x is the correct address)
                  but does not do anything. I can't add another entry.
                  Is there a limit to the number of entries, or is the add broken again?

                  Anyone else having issues here?

                  I just upgraded to 2.8.6.1 pkg v. 1.33 and am experiencing a similar issue.  I can add 2 whitelist entries; when I try to add a third, it replaces the second.  I tried it several times and it was always repeatable.

                    JustinTime
                    last edited by Aug 31, 2010, 10:19 PM

                    @darklogic:

                    Yeah, I am sure it is not that, because I look at the alert log and can match it up that way. That very thought crossed my mind, but that is not it. I even wrote down a series of blocked IPs, waited for a few hours and then checked to see if they all matched up, and not one thing changed or was released. I am currently using Snort 2.8.6.1 pkg v1.33 with premium VRT rules.

                    I saw this issue after I upgraded to 2.8.6.1 pkg v. 1.33.  I looked at syslog and noticed the cron job to expire the blocked items (/usr/local/sbin/expiretable) was not running, even though the entry in /etc/crontab seemed ok.  I also noticed that the cron job to update the rules (/usr/local/pkg/snort/snort_check_for_rule_updates.php) was not running even though the crontab entry seemed ok.

                    The fix that worked for me was to go into the Services: Snort: Global Settings, change the values I had chosen for "Update rules automatically" and "Remove blocked hosts every" entries, then save/apply.  I'm sorry that I can't remember at this point whether I stopped and restarted the Snort interface after that before it began working.

                    btw, many thanks to jamesdean for this excellent package!  I recently chose pfSense in part because of this Snort capability.

                    Justin

                      darxmurf
                      last edited by Sep 1, 2010, 11:37 PM

                      Hi all,

                      As it's the 2nd time I have had this issue, let's discuss it! :)
                      After a few months of good service, I had exactly this issue:
                      http://www.mail-archive.com/support@pfsense.com/msg15583.html

                      Not sure about the age of my CF card, I decided to replace it with a brand new one.

                      Then yesterday, exactly the same crash, 6 months after the new installation!

                      Just before the "last" reboot of the machine I could see that my /var/ partition was 101% full (yes… -4.6 MB free...). The size of the partition is around 58 MB and there were 5 fat files (around 10 MB each) in the /var/log/snort/ folder.
                      Do you think that Snort could cause a kind of "disk overflow" by writing too much?! This could explain the complete crash of the system (and config loss) after reboot!
                      The config.xml file was OK before reboot, but all the fields were blank in the webadmin!

                      By chance I have a 2nd CF card ready as a backup, but if somebody could explain this issue it would be cool... and I will kick out Snort from now on!

                      Here is the config

                      • Mini-itx
                      • 2GB CF card
                      • 2GB RAM
                      • Embedded PFSense (latest version)
                      • 1 GB LAN
                      • 3 WAN with 3 different static IP and "load balancing"
                      • 2mb symmetric total internet line
                      • Only 5 computers are using this gateway

                      And I'm in Argentina while the system is in Switzerland! Yeah, lucky me! :-)

                        jamesdean
                        jamesdean
                        last edited by Sep 4, 2010, 12:26 AM

                        Fixed the whitelist bug.

                        Snort not completely uninstalling in 2.0 was due to a bug outside of the Snort package. The fix will be in later snapshots.

                        TODO:
                        The Snort package causes errors in CF card installs when the log dir gets over 10 MB. Going to add a cron job that monitors the directory and clears it
                        when /var/log/snort gets over 10 MB.

                        James

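The log-directory watchdog described in the TODO above, written out as an added example (this is not the pfSense Snort package's own code). The /var/log/snort path and the 10 MB threshold come from the thread; the policy of deleting the oldest regular files first until the directory is back under the limit, and the SNORT_TRIM_RUN guard that keeps the script inert unless cron asks it to act, are assumptions.

```shell
#!/bin/sh
# Added example, not the pfSense Snort package's own code: a cron-able check
# that trims /var/log/snort once it grows past a size threshold, so a small
# /var partition on a CF card is not filled by alert logs.
# Assumed policy: remove the oldest regular files first until under the limit.

LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
LIMIT_KB=$((10 * 1024))   # 10 MB, the figure from the thread

# dir_size_kb DIR: print the directory's size in KB (du -sk is POSIX).
dir_size_kb() {
    du -sk "$1" | awk '{print $1}'
}

# over_limit DIR LIMIT_KB: succeed (exit 0) when DIR is larger than LIMIT_KB.
over_limit() {
    [ "$(dir_size_kb "$1")" -gt "$2" ]
}

# oldest_file DIR: print the name of the oldest regular file in DIR, if any.
# Subdirectories such as the 'run' pid directory are skipped, never removed.
oldest_file() {
    ls -tr "$1" 2>/dev/null | while read -r f; do
        if [ -f "$1/$f" ]; then
            echo "$f"
            break
        fi
    done
}

# trim_snort_logs DIR LIMIT_KB: delete oldest files until DIR is under the
# limit; print how many files were removed.
trim_snort_logs() {
    removed=0
    while over_limit "$1" "$2"; do
        victim=$(oldest_file "$1")
        [ -n "$victim" ] || break          # nothing left to delete
        rm -f "$1/$victim"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Only act on the real log directory when explicitly asked (e.g. from cron),
# so sourcing or testing this file never touches live logs.
if [ "${SNORT_TRIM_RUN:-0}" = "1" ]; then
    n=$(trim_snort_logs "$LOG_DIR" "$LIMIT_KB")
    logger -t snort_trim "removed $n file(s) from $LOG_DIR"
fi
```

Run from /etc/crontab with SNORT_TRIM_RUN=1 set in the command; note that Snort keeps its current alert file open, so space from a deleted live log is only reclaimed once the process closes or reopens it.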
                          TreeTopFlyer
                          last edited by Sep 4, 2010, 4:31 AM

                          @jamesdean:

                          Fixed the whitelist bug.

                          Many thanks, my friend

                            simby
                            simby
                            last edited by Sep 5, 2010, 8:58 AM

                            I can't start Snort on x64 pfSense 2.0B4 latest build (I have disabled bad-traffic.so and bad-traffic, and I have the same problem). What can I do?

                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
                            Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
                            Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
                            Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
                            Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
                            Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
                            Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
                            Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
                            Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
                            Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
                            Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
                            Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]:
                            Sep 4 23:28:01 snort[11754]: Detection:
                            Sep 4 23:28:01 snort[11754]: Detection:
                            Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
                            Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
                            Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
                            Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
                            Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
                            Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
                            Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
                            Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
                            Sep 4 23:28:01 snort[11754]: done
                            Sep 4 23:28:01 snort[11754]: done
                            Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
                            Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
                            Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
                            Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
                            Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
                            Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
                            Sep 4 23:28:01 SnortStartup[12043]: Interface Rule START for 0_25855_em1…
                            Sep 4 23:28:04 check_reload_status: syncing firewall

                              jamesdean
                              last edited by Sep 5, 2010, 11:41 PM

                              Simby

                              Precompiled shared object rules ("so.rules") are rules that private companies have given to snort.org in binary format. Snort.org is currently only building freebsd 32 bit versions of said rules.

                              I have to turn off so.rules for Pfsense 2.0 64 bit until snort.org builds 64 bit versions of said rules.

                              James

                                simby
                                last edited by Sep 8, 2010, 12:58 PM

                                What is the difference between these rules?

                                .snort
                                .so
                                .emergenty

                                  g4m3c4ck
                                  last edited by Sep 8, 2010, 9:04 PM

                                  • emerging-*  are the Emerging Threats rules maintained by emergingthreats.net

                                  • snort*.so  are precompiled shared object rules that private companies have given to snort.org in binary format

                                  • snort*  (without .so) are Sourcefire VRT Certified Rules that have been developed, tested and approved by the Sourcefire Vulnerability Research Team (VRT).

                                  • pfsense*  are the only ones I am not so sure about. I thought they were rules exclusive to the pfSense build of Snort. Having only one pfsense-voip.rules category now makes me think I might have something wrong.

                                    darklogic
                                    last edited by Sep 10, 2010, 12:55 PM

                                    There are some major issues with the new Snort package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.

                                    I have never had this issue before.

                                    Thanks for any help.

                                      firewold
                                      last edited by Sep 10, 2010, 1:07 PM

                                      @darklogic:

                                      There are some major issues with the new Snort package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.

                                      I have never had this issue before.

                                      Thanks for any help.

                                      I have the same problem after updating to the new 1.34

                                        jamesdean
                                        last edited by Sep 10, 2010, 5:41 PM

                                        Sorry about that.

                                        Doing code clean up.

                                        Fixed

                                        James

                                          DigitalJer
                                          last edited by Sep 10, 2010, 5:51 PM

                                          Thanks once again, James!

                                          ------------------------------------------------
                                          2.4.3-RELEASE (amd64)
                                          built on Mon Mar 26 18:02:04 CDT 2018
                                          FreeBSD 11.1-RELEASE-p7
                                          VM in ESXi 5.5
                                          1 x 1000baseTX (WAN)
                                          1 x 1000baseTX (LAN)
