Netgate Discussion Forum

Snort Won't Start After Upgrade

pfSense Packages
301 Posts 64 Posters 213.7k Views

    • Cino

      @ermal I noticed that snort was built to have IPv6 now… Can the alert and block page be set up to display IPv6 addresses down the road? I had a line under my block page that displayed NA for the IP. I couldn't remove it, so I went to the snort2c table and it was an IPv6 address. The alert looked like this:

      4 2 PROTO:255 PSNG_TCP_PORTSWEEP_FILTERED Attempted Information Leak empty empty -> empty empty 122:7:1 09/05-21:40:01

      [**] [122:7:1] PSNG_TCP_PORTSWEEP_FILTERED [**]
      [Classification: Attempted Information Leak] [Priority: 2]
      09/05-21:40:01.891026 2001:0470:1f07:xxxx:0000:0000:0000:8c60 -> 2001:4860:b009:0000:0000:0000:0000:0065
      PROTO:255 TTL:63 TOS:0x0 ID:0 IpLen:40 DgmLen:234

      Go figure, it was one of my internal IPv6s… When I get back in a week, I'll see if I can add IPv6 to the whitelist and netlist.

      Thanks again for all your hard work on snort!

      Another example of IPv6:

      1 	1 	UDP 	BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt 	Attempted Administrator Privilege Gain 	empty 	29652 	-> 	empty 	52225 	3:13287:4 	09/05-22:17:32

      Delete 	 2 	 empty 	 N\A

      [**] [3:13287:4] BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt [**]
      [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
      09/05-22:17:32.979947 2002:43b1:e866:0000:0000:0000:43b1:e866:29652 -> 2001:0470:1f07:xxxx:0000:0000:0000:0100:52225
      UDP TTL:118 TOS:0x0 ID:0 IpLen:40 DgmLen:68
      Len: 20
      [Xref => http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0069]

      P.S. I only have my IPv4 interface configured within Snort. I use an HE tunnel, so I find it a little odd, but it's good to see it can work with IPv6 traffic now.

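The alerts in the post above carry IPv6 endpoints in Snort's "full" alert text, while the GUI rows show "empty" and "N\A" where the addresses should be, which is what happens when an alert parser assumes IPv4 host:port endpoints. As an added example (not code from the pfSense Snort package or from Snort itself), here is a parser for that full-alert format that handles both address families. It assumes Snort prints IPv6 addresses uncompressed with the port appended after one more colon, as in the posted alerts; the sample records are constructed from those alerts, with the masked xxxx group replaced by a made-up 1234.

```python
"""Parse Snort 2.9 'full' alert records whose endpoints may be IPv4 or IPv6.

Added example, not code from the pfSense Snort package or from Snort.
Assumptions: Snort prints IPv6 endpoints uncompressed, with the port
appended after one more colon (as in the alerts quoted in the thread); the
sample records below are constructed from those alerts, with the masked
'xxxx' group replaced by a made-up 1234.
"""
import ipaddress
import re

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
XREF_RE = re.compile(r"\[Xref => (.+?)\]")


def split_endpoint(endpoint):
    """Return (address, port or None) for an 'addr' or 'addr:port' token.

    Splitting at the last colon is right for IPv4 but wrong for a bare
    IPv6 address, which is how a GUI ends up showing 'empty' for IPv6.
    So: if the whole token parses as an address there is no port; otherwise
    the text after the last colon is the port.  A compressed '::' address
    with a port appended would parse as a bare address, so that case stays
    ambiguous; Snort's uncompressed output avoids it.
    """
    try:
        return str(ipaddress.ip_address(endpoint)), None
    except ValueError:
        pass
    addr, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("not an address[:port] token: %r" % endpoint)
    return str(ipaddress.ip_address(addr)), int(port)


def parse_full_alert(block):
    """Parse one multi-line 'full' alert into a dict; raise on bad layout."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("a full alert has at least four lines")
    head = HEADER_RE.match(lines[0])
    cls = CLASS_RE.search(lines[1])
    flow = FLOW_RE.match(lines[2])
    if not (head and cls and flow):
        raise ValueError("unrecognised full-alert layout")
    timestamp, src_ep, dst_ep = flow.groups()
    src, src_port = split_endpoint(src_ep)
    dst, dst_port = split_endpoint(dst_ep)
    # The fourth line starts with the protocol name, or PROTO:<number> when
    # Snort has no name for it (255 in the portsweep alert from the thread).
    proto = lines[3].split()[0]
    if proto.startswith("PROTO:"):
        proto = proto[len("PROTO:"):]
    return {
        "gid": int(head.group(1)), "sid": int(head.group(2)), "rev": int(head.group(3)),
        "msg": head.group(4),
        "classification": cls.group(1), "priority": int(cls.group(2)),
        "timestamp": timestamp,
        "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port,
        "ip_version": ipaddress.ip_address(src).version,
        "proto": proto,
        "xrefs": XREF_RE.findall(" ".join(lines[4:])),
    }


# Constructed samples (based on the thread's alerts; 'xxxx' -> 1234).
PORTSWEEP_ALERT = """
[**] [122:7:1] PSNG_TCP_PORTSWEEP_FILTERED [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/05-21:40:01.891026 2001:0470:1f07:1234:0000:0000:0000:8c60 -> 2001:4860:b009:0000:0000:0000:0000:0065
PROTO:255 TTL:63 TOS:0x0 ID:0 IpLen:40 DgmLen:234
"""

IGMP_ALERT = """
[**] [3:13287:4] BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/05-22:17:32.979947 2002:43b1:e866:0000:0000:0000:43b1:e866:29652 -> 2001:0470:1f07:1234:0000:0000:0000:0100:52225
UDP TTL:118 TOS:0x0 ID:0 IpLen:40 DgmLen:68
Len: 20
[Xref => http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0069]
"""

# A constructed IPv4 record, to show the same code handles both families.
IPV4_ALERT = """
[**] [1:2003:1] CONSTRUCTED sample IPv4 alert [**]
[Classification: Misc activity] [Priority: 3]
09/06-01:02:03.000000 10.0.0.5:51234 -> 192.0.2.10:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""

if __name__ == "__main__":
    for rec in (PORTSWEEP_ALERT, IGMP_ALERT, IPV4_ALERT):
        a = parse_full_alert(rec)
        print("%(gid)d:%(sid)d:%(rev)d pri=%(priority)d %(proto)s "
              "%(src)s:%(src_port)s -> %(dst)s:%(dst_port)s %(msg)s" % a)
```

Run it directly and it prints one row per record, with the portsweep alert showing no ports (PROTO:255 is not TCP/UDP) and the UDP alert showing 29652 -> 52225; the point to notice is that the IPv6 addresses come out compressed and separated from their ports, which is the first thing an alert table needs before it can show an address instead of "empty".

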
      • breusshe

        @Cino:

        btw, all my testing is on i386… Someone else will have to confirm amd64. Also, I have not tested Barnyard2. When I get back from home next week, I'll play around with it.

        I have pfsense on x64 and snort seems to work fine now.  I did as suggested and updated the firmware to the latest RC3 micro-version, and deleted the /usr/lib/snort/* folders after uninstalling the snort module.  I did not delete my settings, however.  Upon reinstalling Snort and doing the rules update, Snort came right up.  No issues at all.  I didn't even have to do the Snort fixes that I spoke of in earlier posts.  Oh, as with Cino, I am not running Barnyard2.

        Looks like you guys got it, thanks pfSense Team!

        • marcelloc

          On my x64 2.0 RC3 it's working too, including blocking offenders.

          I just saw a delay when I press the "x" gif to start snort. The daemon starts but the GUI stays waiting… (not a big deal.)

          Thanks again for the fix.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          • breusshe

            Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet, so it could just be something in how I've set up Snort.  But I'm wondering if anyone else has the same issue?

            • valshare

              Hi,

              Now I have reinstalled the i386 snort package, deleted the configs and reconfigured everything for snort. Chose the snort_p2p, snort_scan and snort_wb-client categories. Switched the preprocessors on and started the sensor.

              Started skype, a portscanner and some web activity. But snort doesn't find anything and didn't report anything under the "Alert" page.

              What's wrong? Does it now run on other i386 machines? I'm running pfsense as a virtual machine under kvm. Because there are no virtio drivers I have chosen the rtl8139 network interfaces.

              Regards,

              Valle

              • eri--

                @Cino,

                Yes, during integration of Spoink I made it IPv6 capable, so if an alert for an IPv6 address is triggered it will be entered in the pf(4) table to be blocked.
                As for an IPv6-capable GUI for snort, for now I do not have any plans.

                As for the portscan, it looks a bit different because snort 2.9 does it a little differently, apparently to give more control, but that still needs more work to be integrated in the GUI.

                As to why snort is detecting IPv6, it's just a byproduct of how snort itself works in IPS mode. This would not have been possible in inline mode though :)

                Again, thank you for your testing and help.

                @breusshe,

                I have no plans and never even used the snort widget.

                • serialdie

                  @breusshe:

                  Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet, so it could just be something in how I've set up Snort.  But I'm wondering if anyone else has the same issue?

                  It has nothing to do with snort config. It just looks like the widget is way outdated.

                  • digdug3

                    @serialdie:

                    @breusshe:

                    Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet, so it could just be something in how I've set up Snort.  But I'm wondering if anyone else has the same issue?

                    It has nothing to do with snort config. It just looks like the widget is way outdated.

                    You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3.

                    • serialdie

                      @digdug3:

                      @serialdie:

                      @breusshe:

                      Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet, so it could just be something in how I've set up Snort.  But I'm wondering if anyone else has the same issue?

                      It has nothing to do with snort config. It just looks like the widget is way outdated.

                      You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3.

                      That's not the case in 2.0.

                      • NightHawk007

                        @Cino:

                        @NightHawk007 I did a firmware update for other reasons, nothing to do with snort… probably shouldn't have mentioned it. The Snort package has had its binary updated to a more recent version from Snort. A side effect, it seems, is that port scan detection isn't working. From my current testing, any attack that matches a rule is being detected.

                        I did a test after a snort reinstall and did a port scan, and it seems to be working fine now  :) :)

                        Thank You

                        • serialdie

                          I am running i386 2.0-RC3. Is it safe now to update snort?

                          I just want to make sure everything is ok before updating as my box is under production env.

                          Thank You!

                          • serialdie

                            @digdug3:

                            @serialdie:

                            @breusshe:

                            Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet, so it could just be something in how I've set up Snort.  But I'm wondering if anyone else has the same issue?

                            It has nothing to do with snort config. It just looks like the widget is way outdated.

                            You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3.

                            Funny… after a reinstall it started working.

                            • bmeeks

                              Hi Ermal:

                              Just a quick post to say thank you for the hard work you did in getting Snort working again.  Everything appears to be working fine for me now on the i386 version of pfSense 2.0-RC3 running Snort 2.9.0.5.  The rules are updating now to the correct version, and all the rules I enable function for me.

                              I finally did a complete uninstall of Snort and did not save my settings.  I then installed Snort fresh and typed my settings back in.  During all of this I also found one self-inflicted wound that may have been part of my difficulties with Snort sporadically starting depending on which rules were selected.  I had altered the Memory Performance setting and changed it away from AC-BNFA.  That was causing Snort to sporadically run out of memory.  Once I realized that and restored the setting to the default of AC-BNFA, things became much more stable… ;D

                              • th3r3isnospoon

                                Looks like SNORT on AMD64 is getting close.  I had SNORT working on an uninstall and reinstall.

                                I just upgraded from the Aug 30th snap to the latest snap today (sept 6th) and it broke again.

                                Here's the output:

                                Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                                Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                                Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                                Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                                Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                                Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                                Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                                Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                                Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                                Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                                Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                                Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                                Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                                Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                                Sep 6 22:55:06 SnortStartup[1948]: Interface Rule START for 0_4256_em0…

                                Ideas?

                                Thanks,

                                -th3r3isnospoon

                                • th3r3isnospoon

                                  @th3r3isnospoon:

                                  Looks like SNORT on AMD64 is getting close.  I had SNORT working on an uninstall and reinstall.

                                  I just upgraded from the Aug 30th snap to the latest snap today (sept 6th) and it broke again.

                                  Here's the output:

                                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                                  Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                                  Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                                  Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                                  Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                                  Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                                  Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                                  Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                                  Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                                  Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                                  Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                                  Sep 6 22:55:06 SnortStartup[1948]: Interface Rule START for 0_4256_em0…

                                  Ideas?

                                  Thanks,

                                  -th3r3isnospoon

                                  Never mind… typo!  I had a (-) instead of a (0)    :-[

                                  Sorry!

                                  Thanks!

                                  -th3r3isnospoon
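The FATAL ERROR in the log above comes from Snort's own config parser, and the follow-up shows the cause was a stray "-" where a "0" was meant in the flow_depth argument. As an added example (not the pfSense package's code), here is a small pre-flight checker that scans a generated snort.conf for http_inspect flow_depth arguments before Snort is started, follows backslash line continuations so that its line numbers match the ones Snort reports, and prints errors in the same FATAL ERROR shape. It assumes the -1..65535 range the Snort 2.9 http_inspect documentation gives for flow_depth, server_flow_depth and client_flow_depth; the config snippets it checks are constructed.

```python
"""Pre-flight check of http_inspect flow_depth arguments in a snort.conf.

Added example, not pfSense package code. Assumes, per the Snort 2.9
http_inspect documentation, that flow_depth / server_flow_depth /
client_flow_depth take an integer from -1 to 65535 (-1 disables the check,
0 inspects the whole payload). The error text copies the shape of the
FATAL ERROR quoted in the thread; the configs below are constructed.
"""
import re

FLOW_DEPTH_KEYS = ("flow_depth", "server_flow_depth", "client_flow_depth")
FLOW_DEPTH_MIN, FLOW_DEPTH_MAX = -1, 65535
INT_RE = re.compile(r"-?\d+")


def logical_lines(text):
    """Yield (line number of the first physical line, joined text).

    Snort joins a line ending in a backslash with the next one and reports
    errors against the line where the directive starts, so the checker has
    to do the same or its line numbers will not match Snort's.
    """
    start, parts = None, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if start is None:
            start = number
        if line.endswith("\\"):
            parts.append(line[:-1])
            continue
        parts.append(line)
        yield start, " ".join(p.strip() for p in parts)
        start, parts = None, []
    if parts:  # directive continued past the end of the file
        yield start, " ".join(p.strip() for p in parts)


def check_flow_depth(conf_text, path="snort.conf"):
    """Return Snort-style FATAL ERROR strings for bad flow_depth arguments."""
    errors = []
    for lineno, line in logical_lines(conf_text):
        body = line.split("#", 1)[0].strip()
        if not body.startswith("preprocessor http_inspect_server"):
            continue
        tokens = body.split()
        for i, tok in enumerate(tokens):
            if tok not in FLOW_DEPTH_KEYS:
                continue
            # The argument is the next token; a missing or non-integer token
            # (the thread's lone '-') or an out-of-range value is rejected.
            arg = tokens[i + 1] if i + 1 < len(tokens) else ""
            ok = INT_RE.fullmatch(arg) is not None and FLOW_DEPTH_MIN <= int(arg) <= FLOW_DEPTH_MAX
            if not ok:
                errors.append("FATAL ERROR: %s(%d) => Invalid argument to '%s'." % (path, lineno, tok))
    return errors


# Constructed snippet of a generated per-interface snort.conf; BAD_CONF
# reproduces the thread's typo, a '-' where a '0' was meant.
GOOD_CONF = (
    "# constructed sample\n"
    "preprocessor http_inspect_server: server default \\\n"
    "    profile all ports { 80 8080 } \\\n"
    "    flow_depth 0\n"
)
BAD_CONF = GOOD_CONF.replace("flow_depth 0", "flow_depth -")

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_flow_depth(conf, "/usr/local/etc/snort/snort_4256_em0/snort.conf") or "ok")
```

Run it and the bad sample reports `FATAL ERROR: .../snort.conf(2) => Invalid argument to 'flow_depth'.` against line 2, the line where the continued preprocessor directive starts, which is the same line Snort would name.

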

                                  • th3r3isnospoon

                                    My only issue now is that SNORT will not start on its own after a reboot of the firewall.  I'll have to poke around some more :)

                                    -th3r3isnospoon

                                    • serialdie

                                      @ermal:

                                      @breusshe,

                                      i have no plans and never even used the snort widget.

                                      ermal,

                                      The problem is not the widget. The problem is that your latest update broke the ability to switch from full logging to short logging.
                                      Can you please look into it, since it is not the widget but the option in snort itself.

                                      Thank you very much!

                                      • eri--

                                        From what I have checked the snort config is correct.
                                        Investigating where it breaks is up to you for now.

                                        My target was to make snort run; more fixes will have to wait for someone backing it up or for me having the time for it :)

                                        • digdug3

                                          @serialdie:

                                          @digdug3:

                                          @serialdie:

                                          @breusshe:

                                          Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet, so it could just be something in how I've set up Snort.  But I'm wondering if anyone else has the same issue?

                                          It has nothing to do with snort config. It just looks like the widget is way outdated.

                                          You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3.

                                          Funny… after a reinstall it started working.

                                          Great, did you CLEAR the log after you changed from FULL to SHORT before? A reinstall will automatically clear the Snort log.

                                          • mschiek01

                                            @bmeeks:

                                            Hi Ermal:

                                            Just a quick post to say thank you for the hard work you did in getting Snort working again.  Everything appears to be working fine for me now on the i386 version of pfSense 2.0-RC3 running Snort 2.9.0.5.  The rules are updating now to the correct version, and all the rules I enable function for me.

                                            I finally did a complete uninstall of Snort and did not save my settings.  I then installed Snort fresh and typed my settings back in.  During all of this I also found one self-inflicted wound that may have been part of my difficulties with Snort sporadically starting depending on which rules were selected.  I had altered the Memory Performance setting and changed it away from AC-BNFA.  That was causing Snort to sporadically run out of memory.  Once I realized that and restored the setting to the default of AC-BNFA, things became much more stable… ;D

                                            I was having non-stop problems of snort stopping and/or the widget issue.  I have two systems, both high end with 4gig of memory, running a carp setup, but with the latest update snort just kept stopping and/or refusing to start after a reboot.  I changed the memory setting from ac-std to the default ac-bnfa and the problems all stopped. So what changed to cause this?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.