Snort bugs
-
Fixed the whitelist bug.
Fixed Snort not completely uninstalling in 2.0; it was due to a bug outside of the Snort package. The fix will be in later snapshots.
TODO:
The Snort package is causing errors on CF card installs when the log dir gets over 10 MB. Going to add a cron job that monitors the directory and clears it when /var/log/snort gets over 10 MB.
James
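A sketch of the size-cap job described in the TODO above, as an added example that is not code from the post or from the pfSense Snort package. The function names, the truncate-in-place policy and the decision to skip the `run` pid directory are assumptions; the directory and the 10 MB limit come from the post.

```shell
#!/bin/sh
# Added example: keep the Snort log directory under a byte limit.
LOG_DIR=${LOG_DIR:-/var/log/snort}        # directory named in the post
LIMIT_BYTES=${LIMIT_BYTES:-10485760}      # 10 MB, as in the post

# dir_size_bytes DIR -> total size of regular files under DIR, in bytes.
dir_size_bytes() {
    find "$1" -type f -exec wc -c {} + 2>/dev/null |
        awk '$2 != "total" { sum += $1 } END { printf "%.0f\n", sum }'
}

# cap_log_dir DIR LIMIT -> prints "ok", "cleared" or "missing".
cap_log_dir() {
    dir=$1
    limit=$2
    [ -d "$dir" ] || { echo "missing"; return 1; }
    size=$(dir_size_bytes "$dir")
    if [ "$size" -le "$limit" ]; then
        echo "ok"
        return 0
    fi
    # Truncate rather than delete: a running snort keeps its log files
    # open, so unlinking them would not free space on the CF card.
    # The run/ subdirectory holds pid files and is left untouched.
    find "$dir" -path "$dir/run" -prune -o -type f \
        -exec sh -c 'for f; do : > "$f"; done' sh {} +
    echo "cleared"
}

# Act on the real directory only when it exists (for example from cron).
if [ -d "$LOG_DIR" ]; then
    cap_log_dir "$LOG_DIR" "$LIMIT_BYTES"
fi
```

Clearing the directory discards the alert history with it, so alerts that matter should be forwarded off the box (remote syslog, for instance) before a job like this runs.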
-
-
I can't start Snort on x64 pfSense 2.0B4, last build (I have disabled bad-traffic.so and bad-traffic, and I have the same problem). What can I do?
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]:
Sep 4 23:28:01 snort[11754]: Detection:
Sep 4 23:28:01 snort[11754]: Detection:
Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
Sep 4 23:28:01 snort[11754]: done
Sep 4 23:28:01 snort[11754]: done
Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
Sep 4 23:28:01 SnortStartup[12043]: Interface Rule START for 0_25855_em1…
Sep 4 23:28:04 check_reload_status: syncing firewall -
Simby
Precompiled shared object rules ("so.rules") are rules that private companies have given to snort.org in binary format. Snort.org is currently only building FreeBSD 32-bit versions of said rules.
I have to turn off so.rules for pfSense 2.0 64-bit until snort.org builds 64-bit versions of said rules.
James
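The "unsupported file layout" error in the log above is the loader rejecting a 32-bit shared object on a 64-bit system. The following added example (not part of the thread or of the Snort package) checks the ELF class byte of each `.so` in the dynamic rules directory before Snort is started; the function names are hypothetical, the path is the one shown in the log, and `getconf LONG_BIT` is assumed to be available on the host.

```shell
#!/bin/sh
# Added example: find shared object rules built for the wrong word size.
RULES_DIR=${RULES_DIR:-/usr/local/lib/snort/dynamicrules}  # path from the log

# elf_class FILE -> prints 32, 64 or not-elf.
# An ELF file starts with 7f 'E' 'L' 'F'; the fifth byte (EI_CLASS)
# is 1 for 32-bit objects and 2 for 64-bit objects.
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case $hdr in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo not-elf ;;
    esac
}

# mismatched_so DIR WANT_BITS
# Prints "<file> <class>" for every *.so whose class is not WANT_BITS.
# Returns 1 if at least one such file exists, 0 otherwise.
mismatched_so() {
    dir=$1
    want=$2
    bad=0
    for f in "$dir"/*.so; do
        [ -f "$f" ] || continue
        got=$(elf_class "$f")
        if [ "$got" != "$want" ]; then
            echo "$f $got"
            bad=1
        fi
    done
    return $bad
}

# Check the real directory only when it exists on this host.
if [ -d "$RULES_DIR" ]; then
    mismatched_so "$RULES_DIR" "$(getconf LONG_BIT)" || true
fi
```

Any file this reports on a 64-bit install is one Snort will refuse to load, so the matching so.rules category has to stay disabled until a 64-bit build of it is available.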
-
What is the difference between the rules
.snort
.so
.emerging?
-
-
emerging-* Are the emerging threats rules maintained by emergingthreats.net
-
snort*.so Are precompiled shared object rules that private companies have given to snort.org in binary format
-
snort* Without .so rules are Sourcefire VRT Certified Rules that have been developed, tested and approved by the Sourcefire Vulnerability Research Team (VRT).
-
pfsense* Are the only ones I am not so sure about. I thought they were rules exclusive to the pfSense build of Snort. Me only having one pfsense-voip.rules category now makes me think I might have something wrong.
-
-
There are some major issues with the new Snort package V 1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.
I have never had this issue before.
Thanks for any help.
-
There are some major issues with the new Snort package V 1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.
I have never had this issue before.
Thanks for any help.
I have the same problem after updating to the new 1.34
-
Sorry about that.
Doing code clean up.
Fixed
James
-
Thanks once again James !