Netgate Discussion Forum

    Snort service stops - wrong rules used?

      Cino

      I'll ask again, do you have all the preprocessors enabled?

      Snort on pfSense is a little behind, but it is 2.9.0.5 and is pulling snortrules-snapshot-2905.tar.gz. Check the files at /usr/local/pkg/snort.

      There are no ISO installations for snort on pfsense, only packages. The ISO is for pfSense only.

        cdsJerry

        Sorry. I must have read over the preprocessor question. I left it at the default settings from the package installation. It looks like:
        RPC Decoded and Back Orifice detector is off.
        FTP and Telnet Normalizer is off.
        SMTP Normalizer is off.
        Portscan Detection is On.
        DCE/RPC2 Detection is off.
        DNS Detection is On.

        Should they all be turned on?

        Sorry, but I don't understand the difference between an installation and a package, but yes, it was done by installing (is that the wrong word?) the Snort package from inside pfsense. It's a great combination BTW and I'm really happy it's here. Does the snort package get funded separately from pfsense? I'd like to support the continuation of this combination, but that's probably a different thread.

          Cino

          Turn them all on… I can't remember which is for what, but a lot of the rules depend on the preprocessors being on.

          I would start a new thread about donating because there are 2 packages right now. The original package dev is working on snort-dev. While the old snort package was created by him, the pfsense core dev team has picked up support for it. The core pfsense dev team's goal is to make sure that the original package works... Nothing else, no add-ons and such. The new package, meanwhile, will include samsnort in it, I believe, and some other goodies.

            cdsJerry

            Ah! That must have been it.  I turned on all the preprocessors then enabled that rule again and it didn't stop.

            I will go post about the funding.

            Thanks again!

            Jerry

              Cino

              You're welcome!

                ac3243

                My AMD64 Snort 2.9.1 pkg v. 2.0 is loading snort ruleset 2.9.0.5. Any snort categories enabled yields snort won't start. I can use emerging threats rules but no snort rules. Tried to edit /usr/local/pkg/snort/snort_check_for_rule_updates.php with 2905, 2910, 2911, 2912 and edge, but while they update, snort won't start with any snort categories selected.

                Also, update log button doesn't do anything and when I look at the html source "sexybuttons disabled".  Odd.

                  mbeat

                  Having the same issue as ac3243 on amd64, on v2.0.2.

                    cdsJerry

                    I'm assuming you've read the rest of this thread. The fix for me was turning the preprocessors on.  If that didn't solve your problem then it's not the same as mine was.

                      mbeat

                      All preprocessors on, and barnyard off.

                        RonpfS

                        Remove snort
                        Install snort; it often solves these issues

                        You could also start from scratch:
                        Uncheck Keep snort settings after deinstall, Save, Reset, Save, remove snort, install snort

                        I do not use Reinstall this package as it never reinstalls OK.

                        2.4.5-RELEASE-p1 (amd64)
                        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                          mbeat

                          Done that. No luck.
