Netgate Discussion Forum

    Snort bugs

      jamesdean

      Fixed the whitelist bug.

      Fixed Snort not completely uninstalling in 2.0; it was due to a bug outside of the Snort package. The fix will be in later snapshots.

      TODO:
      Snort package causing errors in CF card installs when the log dir gets over 10 MB. Going to add a cron job that monitors the directory and clears it
      when /var/log/snort gets over 10 MB.

      James

        TreeTopFlyer

        @jamesdean:

        Fixed the whitelist bug.

        Many thanks, my friend

          simby

          I can't start Snort on x64 pfSense 2.0B4 last build (I have disabled bad-traffic.so and bad-traffic, and I have the same problem). What can I do?

          Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
          Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
          Sep 4 23:28:01 snort[11754]:
          Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
          Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
          Sep 4 23:28:01 snort[11754]:
          Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
          Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
          Sep 4 23:28:01 snort[11754]:
          Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
          Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
          Sep 4 23:28:01 snort[11754]:
          Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
          Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
          Sep 4 23:28:01 snort[11754]:
          Sep 4 23:28:01 snort[11754]: Detection:
          Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
          Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
          Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
          Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
          Sep 4 23:28:01 snort[11754]: done
          Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
          Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
          Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
          Sep 4 23:28:01 SnortStartup[12043]: Interface Rule START for 0_25855_em1…
          Sep 4 23:28:04 check_reload_status: syncing firewall

            jamesdean

            Simby

            Precompiled shared object rules ("so.rules") are rules that private companies have given to snort.org in binary format. Snort.org is currently only building FreeBSD 32-bit versions of said rules.

            I have to turn off so.rules for pfSense 2.0 64-bit until snort.org builds 64-bit versions of said rules.

            James
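
Added example, not part of the original post and not code from the Snort package: a 32-bit shared object cannot be loaded into a 64-bit process, so one way to confirm the mismatch James describes is to read the ELF header of each file in the dynamic rules directory. The function names are hypothetical, and the sample headers are constructed for illustration (they are not the contents of the real files).

```python
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: 32, 2: 64}               # e_ident[4]: word size of the object
EI_DATA = {1: "<", 2: ">"}              # e_ident[5]: byte order, as a struct prefix
E_MACHINE = {3: "i386", 62: "x86_64"}   # small subset of the e_machine registry

def elf_summary(header: bytes):
    """Return (bits, machine) from the first 20 bytes of a file, or None if not ELF."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    bits = EI_CLASS.get(header[4])
    order = EI_DATA.get(header[5])
    if bits is None or order is None:
        return None
    (machine,) = struct.unpack_from(order + "H", header, 18)  # e_machine at offset 18
    return bits, E_MACHINE.get(machine, f"e_machine={machine}")

def check_rule_libs(libs: dict, host_bits: int) -> dict:
    """Map each library name to 'ok', 'not ELF' or a mismatch description."""
    report = {}
    for name, header in libs.items():
        info = elf_summary(header)
        if info is None:
            report[name] = "not ELF"
        elif info[0] != host_bits:
            report[name] = f"mismatch ({info[0]}-bit {info[1]} on {host_bits}-bit host)"
        else:
            report[name] = "ok"
    return report

def read_headers(directory: str) -> dict:
    """Read the first 20 bytes of every *.so file in a directory (for real use)."""
    return {p.name: p.read_bytes()[:20] for p in Path(directory).glob("*.so")}

def constructed_header(ei_class: int, machine: int) -> bytes:
    # Constructed sample: little-endian e_ident with FreeBSD OSABI (9),
    # followed by e_type = ET_DYN (3) and the given e_machine.
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 9]) + bytes(8)
    return ident + struct.pack("<HH", 3, machine)

# Constructed inputs; the file names are taken from the log above.
SAMPLE_LIBS = {
    "bad-traffic.so": constructed_header(1, 3),     # 32-bit i386 build
    "libsf_engine.so": constructed_header(2, 62),   # 64-bit amd64 build
    "README": b"plain text, not a shared object",
}
```

On a real system, `check_rule_libs(read_headers("/usr/local/lib/snort/dynamicrules"), host_bits=64)` would list which rule libraries do not match a 64-bit host.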

              simby

              What is the difference between the rules

              .snort
              .so
              .emergenty

              ?

                g4m3c4ck

                • emerging-* Are the emerging threats rules maintained by emergingthreats.net

                • snort*.so    Are precompiled shared object rules that private companies have given to snort.org in binary format

                • snort*        Without .so rules are Sourcefire VRT Certified Rules that have been developed, tested and approved by the Sourcefire Vulnerability Research Team (VRT).

                • pfsense*    Are the only ones I am not so sure about. I thought they were rules exclusive to the pfSense build of Snort. Me only having one pfsense-voip.rules category now makes me think I might have something wrong.

                  darklogic

                  There are some major issues with the new Snort package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically starting from scratch.

                  I have never had this issue before.

                  Thanks for any help.

                    firewold

                    @darklogic:

                    There are some major issues with the new Snort package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically starting from scratch.

                    I have never had this issue before.

                    Thanks for any help.

                    I have the same problem after updating to the new 1.34

                      jamesdean

                      Sorry about that.

                      Doing code clean up.

                      Fixed

                      James

                        DigitalJer

                        Thanks once again, James!

                        --------------------------------------------------
                        2.4.3-RELEASE (amd64)
                        built on Mon Mar 26 18:02:04 CDT 2018
                        FreeBSD 11.1-RELEASE-p7
                        VM in ESXi 5.5
                        1 x 1000baseTX (WAN)
                        1 x 1000baseTX (LAN)
