Snort Won't Start After Upgrade

strasharo

@Jare:

@strasharo:

With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

[2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
[2.0-RC3][root@kainak]/usr/local/bin(7):

I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:

amd64

/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2

i386

/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2

At least for me it seems to be working and logging now just like it should…  ;)

Thanks a lot for the tip, Jare! ;D At last I got it running with Snorby.  ::)

P.S. Portscan detection still isn't working, I launched a portscan from GRC.com + a remote full portscan with nmap and the only alerts that I got from that are those who match specific rules from the signature (for example ET SCAN Potential VNC Scan 5900-5920 ).  :-[

valshare

Hi,

if i want edit a rule, i get this error:

Fatal error: Call to undefined function get_middle() in /usr/local/www/snort/snort_rules_edit.php on line 99

Regards, Valle

eri--

Reinstall, already fixed.

Cino

Not realy a bug but I noticed when I try to shutdown snort from the main snort page, I have to refresh the page for the status to update. Before the recent changes were made; i would click on the little icon to disable snort, the page would refresh after snort was shutdown for that interface.

digdug3

Snort and EM update work like they did before. (2.0-RC3 (i386) built on Mon Sep 5 04:07:51 EDT 2011)

I disabled the 'keep settings after update' and this reinstalls Snort without any problems.
Of course you have to setup Snort every time after each update…

Thanks Ermal for all you effort!

eri--

Portscan and other preprocessors should work ok now.
Just reinstall the package files.
It is not needed a full upgrade.

Cino

@ermal:

Portscan and other preprocessors should work ok now.
Just reinstall the package files.
It is not needed a full upgrade.

Thanks ermal!! I did a uninstall, install… The port scan detection is working, looks a little different in the alert log. But its good!

2 2 PROTO:255 PSNG_TCP_FILTERED_PORTSCAN Attempted Information Leak 4.79.142.206 empty -> xx.xx.xx.xx empty 122:5:1 09/05-17:23:39

I see you added a sleep timer when disabling snort, thank you.... So far so good. Only issue left is being able to clear the alerts from the gui.

btw, all my testing is on i386.. Someone else will have to confirm amd64. also, i have not testing Barnyard2. When I get back home next week, i'll play around with it.

hmishra

ermal,

As per your suggestion, I ran ps -ax | grep snort and here is the output:

56884  0  S+    0:00.02 grep snort

Doesn't this mean snort is not running on my system?

Thanks!

Cino

@ermal I noticed that snort was built to have ipv6 now… Can the alert and block page be setup to display ipv6 addresses down the road? I had a line under my block page that displayed NA for the ip. I couldn't remove it, so i went to the snort2c table and it was a ipv6 address. The alert looked like this:

4 2 PROTO:255 PSNG_TCP_PORTSWEEP_FILTERED Attempted Information Leak empty empty -> empty empty 122:7:1 09/05-21:40:01

[**] [122:7:1] PSNG_TCP_PORTSWEEP_FILTERED [**]
[Classification: Attempted Information Leak] [Priority: 2] 
09/05-21:40:01.891026 2001:0470:1f07:xxxx:0000:0000:0000:8c60 -> 2001:4860:b009:0000:0000:0000:0000:0065
PROTO:255 TTL:63 TOS:0x0 ID:0 IpLen:40 DgmLen:234

Go figure it was one of my internal ipv6s… When I get back in a week, i'll see if i can add ipv6 to the whitelist and netlist.

thanks again for all your hard work on snort!

another example of ipv6:

1 	1 	UDP 	BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt 	Attempted Administrator Privilege Gain 	empty 	29652 	-> 	empty 	52225 	3:13287:4 	09/05-22:17:32

Delete 	 2 	 empty 	 N\A

[**] [3:13287:4] BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
09/05-22:17:32.979947 2002:43b1:e866:0000:0000:0000:43b1:e866:29652 -> 2001:0470:1f07:xxxx:0000:0000:0000:0100:52225
UDP TTL:118 TOS:0x0 ID:0 IpLen:40 DgmLen:68
Len: 20
[Xref => http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0069]

P.S I only have my IPv4 interface configured within Snort. I use a HE tunnel so I find it a little odd but good to see it can work with IPv6 traffic now

breusshe

@Cino:

btw, all my testing is on i386.. Someone else will have to confirm amd64. also, i have not testing Barnyard2. When I get back from home next week, i'll play around with it.

I have pfsense on x64 and snort seems to work fine now.  I did as suggested and updated the firmware to the latest RC3 micro-version deleted the /usr/lib/snort/* folders after uninstalling the snort module.  I did not delete my settings, however.  Upon reinstalling Snort and doing the rules update, Snort came right up.  No issues at all.  I didn't even have to do the Snort fixes that I spoke of in earlier posts.  Oh, as with Cino, I am not running Barnyard2.

Looks like you guys got it, thanks pfSense Team!

marcelloc

At my x64 2.0 RC3 its working too, including block ofenders.

I'm just saw a delay when I press the "x" gif to start snort. The daemon starts but gui stays waiting…(not a big deal.)

Thanks again for the fix.

breusshe

Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

valshare

Hi,

now i have reinstalled the snort package i386 package, deltet the configs and reconfig anything for snort. Choose the snort_p2p, snort_scan and snort_wb-client categorie. Switch the preprocessors on and startet the sensor.

Starting skype, portscanner and any web activitie. But snort doesn find anything and didn´t report anything unter the "Alert" page.

Whats wrong? Does it now run on other i386 machines? I´m running pfsense as a virtual machine under kvm. Because there are no virtio drivers i have choosen the rtl8139 network interfaces.

Regards,

Valle

eri--

@Cino,

yes during integration of Spoink i made it IPv6 capable so if an alert for an ipv6 address is triggered it will be entered on the table of pf(4) to be blocked.
As for a IPv6 capable GUI for snort, for now i do not have any plans.

As for the portscan it looks a bit different because snort 2.9 does it a little more differently to give more control apparently but that needs still more work to be integrated in the GUI.

As to why snort is detecting IPv6 its just a byproduct of how snort itself works in IPS mode. This would not have been possible in inline mode though :)

Again, thank you for your testing and help.

@breusshe,

i have no plans and never even used the snort widget.

serialdie

@breusshe:

Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

It has nothing to do with snort config. Its just looks like the widget is way out dated.

digdug3

@serialdie:

@breusshe:

Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

It has nothing to do with snort config. Its just looks like the widget is way out dated.

You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3

serialdie

@digdug3:

@serialdie:

@breusshe:

Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

It has nothing to do with snort config. Its just looks like the widget is way out dated.

You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3

Thats not the case in 2.0

NightHawk007

@Cino:

@NightHawk007 I did a firmware update for other reasons, nothing to do with snort… probably shouldn't had mention it.. The Snort package has had its binary updated to a more recent version from Snort. A side effect it seems is that port scanning detecting isn't working. From my current testing, any attack that matches a rule is being detected.

I did a test after a snort reinstall and did a port scan and seem to be work fine now  :) :)

Thank You

serialdie

I am running i386 2.0-RC3. Is it safe now to update snort?

I just want to make sure everything is ok before updating as my box is under production env.

Thanks You!

serialdie

@digdug3:

@serialdie:

@breusshe:

Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

It has nothing to do with snort config. Its just looks like the widget is way out dated.

You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3

Funny… after a re install is started working.