Snort bugs
-
Hi all,
As it's the 2nd time I have this issue, let's discuss it! :)
After a few months of good service, I had exactly this issue:
http://www.mail-archive.com/support@pfsense.com/msg15583.html
Not sure about the age of my CF card, I decided to change it for a brand new one.
Then yesterday, exactly the same crash, 6 months after the new installation !
Just before the "last" reboot of the machine I could see that my /var/ partition was 101% full (yes... -4.6MB free...). The size of the partition is around 58MB and there were 5 fat files (around 10MB each) in the /var/log/snort/ folder.
Do you think that SNORT could cause a kind of "disk overflow" by writing too much?! This could eventually explain the complete crash of the system (and config loss) after reboot!
The config.xml file was OK before the reboot, but all the fields were blank in the webadmin! By chance I have a 2nd CF card ready as a backup, but if somebody could explain this issue it would be cool... and I will kick out SNORT from now on!
Here is the config:
- Mini-itx
- 2GB CF card
- 2GB RAM
- Embedded PFSense (latest version)
- 1 GB LAN
- 3 WANs with 3 different static IPs and "load balancing"
- 2Mb symmetric total internet line
- Only 5 computers are using this gateway
And I'm in Argentina while the system is in Switzerland! Yeah, lucky me! :-)
-
Fixed the whitelist bug.
Fixed Snort not completely uninstalling in 2.0; this was due to a bug outside of the Snort package. The fix will be in later snapshots.
TODO:
Snort package causing errors in CF card installs when the log dir gets over 10MB. Going to add a cron job that monitors the directory and clears it when /var/log/snort gets over 10MB.
James
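The cron-driven size check described above, written out as an added example (this is not the pfSense Snort package's own code). It deletes the oldest files first so the most recent alerts survive; the 10MB limit, the script path and the crontab schedule in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not the pfSense Snort package's own code. When the Snort
# log directory grows past a size limit, delete the oldest log files first
# until the directory fits again, so a burst of alerts cannot fill the
# small /var slice on a CF card. Assumes POSIX sh with du(1) and ls(1),
# and that Snort log file names contain no whitespace.

# Print the total size of a directory in KiB.
dir_size_kb() {
    du -sk "$1" | cut -f1
}

# Print the name of the oldest regular file directly inside the directory
# (ls -tr sorts oldest first); return 1 when no regular file is left.
oldest_file() {
    for name in $(ls -tr "$1"); do
        if [ -f "$1/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# prune_log_dir DIR LIMIT_KB: remove the oldest files until DIR <= LIMIT_KB.
# Prints the number of files removed; returns 1 if DIR does not exist.
prune_log_dir() {
    dir=$1
    limit_kb=$2
    removed=0
    [ -d "$dir" ] || return 1
    while [ "$(dir_size_kb "$dir")" -gt "$limit_kb" ]; do
        victim=$(oldest_file "$dir") || break   # nothing left to delete
        rm -f "$dir/$victim"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Entry point for cron; only runs when invoked with --cron, so the file can
# also be sourced. Placeholder crontab line (assumption, every 5 minutes):
#   */5 * * * * root /usr/local/bin/snort_log_prune.sh --cron
if [ "${1:-}" = "--cron" ]; then
    prune_log_dir /var/log/snort 10240   # 10MB limit from the post
fi
```

Because du(1) reports allocated blocks, the check also catches files that are still open and growing, which a plain file count would miss.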
-
-
I can't start Snort on x64 pfSense 2.0B4 last build (I have disabled bad-traffic.so and bad-traffic, and I have the same problem). What can I do?
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: Detection:
Sep 4 23:28:01 snort[11754]: Detection:
Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
Sep 4 23:28:01 snort[11754]: done
Sep 4 23:28:01 snort[11754]: done
Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
Sep 4 23:28:01 SnortStartup[12043]: Interface Rule START for 0_25855_em1…
Sep 4 23:28:04 check_reload_status: syncing firewall
Simby
-
Precompiled shared object rules ("so.rules") are rules that private companies have given to snort.org in binary format. Snort.org is currently only building FreeBSD 32-bit versions of said rules.
I have to turn off so.rules for pfSense 2.0 64-bit until snort.org builds 64-bit versions of said rules.
James
-
What is the difference between the rules:
.snort
.so
.emerging?
-
-
emerging-* are the Emerging Threats rules maintained by emergingthreats.net.
-
snort*.so are precompiled shared object rules that private companies have given to snort.org in binary format.
-
snort* without .so are Sourcefire VRT Certified Rules that have been developed, tested and approved by the Sourcefire Vulnerability Research Team (VRT).
-
pfsense* are the only ones I am not so sure about. I thought they were rules exclusive to the pfSense build of Snort. Having only one pfsense-voip.rules category now makes me think I might have something wrong.
-
-
There are some major issues with the new SNORT package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.
I have never had this issue before.
Thanks for any help.
-
There are some major issues with the new SNORT package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.
I have never had this issue before.
Thanks for any help.
I have the same problem after updating to the new 1.34
-
Sorry about that.
Doing code cleanup.
Fixed
James
-
Thanks once again, James!