    New Snort Package - Issues & Suggested Fixes

kevross33

      Hi,

      First of all thanks for updating the package and the great job of providing this functionality.

      For reference this is the Snort version installed:

      ,,_    -> Snort! <-
        o"  )~  Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
        ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                Copyright (C) 1998-2012 Sourcefire, Inc., et al.
                Using libpcap version 1.1.1
                Using PCRE version: 8.30 2012-02-04
                Using ZLIB version: 1.2.3

1. It isn't updating to the latest Snort rules even with a subscription oinkcode. I am not sure where the pulledpork/oinkmaster configuration file is, but I think you need to point it at the 2.9.2.3 rules. New rules and new rule files such as INDICATION_OBFUSCATION by VRT are not available.

2. Javascript deobfuscation should be enabled in the HTTP preprocessor. Not really an issue, but something worthwhile doing as it helps to remove obfuscation layers on potential web client/malware-type attacks: http://blog.snort.org/2012/01/snort-2920-javascript-normalization.html. It is just a normalize_javascript added to the HTTP preprocessor as shown in that blog post, yet the returns are so great.

3. ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.
   Fatal Error, Quitting..

I don't even have this rule enabled, yet it appears to be causing issues loading the shared object rules (in fact I have disabled all shared object rules): WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability

      include $RULE_PATH/emerging-attack_response.rules
      include $RULE_PATH/emerging-current_events.rules
      include $RULE_PATH/emerging-info.rules
      include $RULE_PATH/emerging-malware.rules
      include $RULE_PATH/emerging-netbios.rules
      include $RULE_PATH/emerging-scan.rules
      include $RULE_PATH/emerging-shellcode.rules
      include $RULE_PATH/emerging-trojan.rules
      include $RULE_PATH/emerging-user_agents.rules
      include $RULE_PATH/emerging-web_client.rules
      include $RULE_PATH/emerging-worm.rules
      include $RULE_PATH/snort_attack-responses.rules
      include $RULE_PATH/snort_backdoor.rules
      include $RULE_PATH/snort_bad-traffic.rules
      include $RULE_PATH/snort_blacklist.rules
      include $RULE_PATH/snort_botnet-cnc.rules
      include $RULE_PATH/snort_exploit.rules
      include $RULE_PATH/snort_file-identify.rules
      include $RULE_PATH/snort_netbios.rules
      include $RULE_PATH/snort_rpc.rules
      include $RULE_PATH/snort_rservices.rules
      include $RULE_PATH/snort_specific-threats.rules
      include $RULE_PATH/snort_spyware-put.rules
      include $RULE_PATH/snort_web-activex.rules
      include $RULE_PATH/snort_web-client.rules
      include $RULE_PATH/snort_x11.rules

      Thank you again for providing this pfsense package.

      Kindest Regards,
      Kevin Ross

Cino

For item 1, look at my post here if you don't mind changing some code:
http://forum.pfsense.org/index.php/topic,50313.msg268002.html#msg268002

I don't have a sub, so I can't download the 2923 rules, only 2922, which produced the same error as your item 3.

miles267

          Is there a fix for #3 yet?

Cino

            @miles267:

            Is there a fix for #3 yet?

With the latest re-install, it looks like it is.

cjbujold

Getting the following error with the latest install of Snort after I do a rule update.

              snort[15232]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_1267_em0//usr/local/etc/snort/snort_1267_em0/rules/snort_attack-responses.rules": No such file or directory.

              Cjb

Cino

@cjbujold:

Getting the following error with the latest install of Snort after I do a rule update.

snort[15232]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_1267_em0//usr/local/etc/snort/snort_1267_em0/rules/snort_attack-responses.rules": No such file or directory.

Cjb

Go to every page and click 'Save'... also make sure you check off every pre-processor.

Gradius

@Cino:

Go to every page and click 'Save'... also make sure you check off every pre-processor.

Checking off pre-processors just kills the good use of Snort!

Besides, it is NOT the solution.

Cino

@Gradius:

@Cino:

Go to every page and click 'Save'... also make sure you check off every pre-processor.

Checking off pre-processors just kills the good use of Snort!

Besides, it is NOT the solution.

I didn't mean to turn off every pre-processor... check off, meaning click on every check box...

miles267

The fun continues. Now an even newer Snort package has been released: Stable 2.9.2.3 pkg v. 2.2, platform 2.0. Not able to install due to a barnyard2-1.9_2 failure. Please advise of a resolution.

                      Beginning package installation for snort…
                      Downloading package configuration file... done.
                      Saving updated package information... done.
                      Downloading snort and its dependencies...
                      Checking for package installation...
                      Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.9_2.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/barnyard2-1.9_2.tbz.
                      of barnyard2-1.9_2 failed!

                      Installation aborted.Backing up libraries...
                      Removing package...
                      Starting package deletion for mysql-client-5.1.53...done.
                      Starting package deletion for barnyard2-1.9_2...done.
                      Starting package deletion for snort-2.9.2.3...done.
                      Starting package deletion for perl-threaded-5.12.4_4...done.
                      Removing snort components...
                      Menu items... done.
                      Services... done.
                      Loading package instructions...
                      Include file snort.inc could not be found for inclusion.
                      Deinstall commands...
                      Not executing custom deinstall hook because an include is missing.
                      Removing package instructions...done.
                      Auxiliary files... done.
                      Package XML... done.
                      Configuration... done.
                      Cleaning up... Failed to install package.

                      Installation halted.

Ibor Daru

Come on, what is happening with the various "failed to install" Snort packages lately... isn't there any debugging and unit/system testing done before releasing it into the wild (to us, the end users), with no possibility of returning to the previous version that was working?

I'm very sorry, but even though it is a package it is not the least package. IMHO not good for the credibility of pfSense and almost an amateurish way of working...

sronsen

@Ibor:

Come on, what is happening with the various "failed to install" Snort packages lately... isn't there any debugging and unit/system testing done before releasing it into the wild (to us, the end users), with no possibility of returning to the previous version that was working?

I'm very sorry, but even though it is a package it is not the least package. IMHO not good for the credibility of pfSense and almost an amateurish way of working...

...or a way to roll back to the last working package. Three days so far and no relief. Please just put the last working version back, with the proper updates, until this is all fixed. We all appreciate the voluntary contributions to the user community, but many of us have considerable $$$ invested in hardware and are dependent upon pfSense, Snort and other packages for our security.

asterix

Not sure why everything has to be changed in production packages and why there are no dev/test environments for pfSense packages.
Considerable time and effort is wasted troubleshooting to find out the issue is with the package and not the user's install, only to find out later that the package was changed/updated.

I appreciate the effort in providing voluntary help in developing packages, but a production environment is not the right place to update without testing the package with a good number of test users.

Also, why is there not a dedicated repository with 8.0, 8.1, etc. compiled packages? Packages reference FreeBSD sites rather than storing and referencing a local pfSense repository. Any time there is a change at the FreeBSD site, pfSense packages get corrupted.

tritron

There is a http://files.pfsense.org/packages/8/All/barnyard2 file, so maybe we can work around the issue:

fetch http://files.pfsense.org/packages/8/All/barnyard2
mv barnyard2 barnyard2-1.9_2.tbz
# pkg_add -r would try to fetch the named package from the remote PACKAGESITE again;
# installing the local .tbz just downloaded needs pkg_add without -r
pkg_add barnyard2-1.9_2.tbz

What if for i386 we use http://mirrors.syringanetworks.net/pub/FreeBSD/ports/i386/packages-stable/security/barnyard2-1.9_2.tbz
or, for 64-bit, http://mirrors.syringanetworks.net/pub/FreeBSD/ports/amd64/packages-stable/security/barnyard2-1.9_2.tbz

eri--

I added the javascript feature to the standard config option in the newest Snort.

For #1, I do not have an oinkcode, so when it's present it will get bumped to that version.

moe2006

Hi,

Installing 2.9.2.3 pkg 2.2 worked after uninstalling and reinstalling the package on my system (removing all settings).

But since the new version of Snort is running on my network there are lots of (http_inspect) alerts... Is there any way to tune the http_inspect preprocessor without using suppression or turning http_inspect off?
Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesn't let the interface start. It tells me that I can't configure the global settings twice.

                                  Thanks in advance...
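
Two http_inspect points from this thread, kevross33's request to add normalize_javascript to the HTTP preprocessor and moe2006's finding that pasting preprocessor lines into the Advanced pass-through box makes Snort refuse to start because the global http_inspect settings end up defined twice, can both be handled by editing the generated snort.conf in place rather than appending to it. The Python below is an added example written for this page; it is not code from the pfSense Snort package or from Snort. It assumes the stock snort.conf layout (backslash-continued `preprocessor http_inspect_server:` stanzas) and, taken from the Snort 2.9.x manual as an assumption, that normalize_javascript acts on the response body and therefore needs extended_response_inspection, which the helper adds when absent. The config excerpt and the file path are constructed for the example.

```python
"""Idempotently enable normalize_javascript in snort.conf http_inspect_server stanzas.

Added example for this thread; not the pfSense package's code. The config
excerpt is constructed and the default path in main() is an assumed location.
"""
from __future__ import annotations

import re
import sys
from typing import Iterator

HIS_PREFIX = "preprocessor http_inspect_server:"
GLOBAL_PREFIX = "preprocessor http_inspect:"

# Constructed excerpt: the situation the thread describes, no JS normalization yet.
SAMPLE_CONF = """\
# constructed excerpt, not a pfSense-generated snort.conf
var RULE_PATH /usr/local/etc/snort/rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    oversize_dir_length 500 \\
    inspect_gzip
include $RULE_PATH/snort_web-client.rules
"""

# What an "Advanced configuration pass through" entry carrying a second global
# stanza amounts to once appended: Snort rejects the duplicate at startup.
PASSTHROUGH_DUPLICATE = "preprocessor http_inspect: global iis_unicode_map unicode.map 1252\n"


def logical_lines(conf: str) -> Iterator[tuple[list[str], str]]:
    """Yield (raw_lines, joined_text) per logical line, honouring trailing '\\' continuations."""
    raw: list[str] = []
    parts: list[str] = []
    for line in conf.splitlines():
        raw.append(line)
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            parts.append(stripped[:-1].strip())
            continue
        parts.append(stripped.strip())
        yield raw, " ".join(parts)
        raw, parts = [], []
    if raw:  # file ended inside a continuation; emit what we have
        yield raw, " ".join(parts)


def has_js_normalization(conf: str) -> bool:
    return any(
        text.startswith(HIS_PREFIX) and re.search(r"\bnormalize_javascript\b", text)
        for _, text in logical_lines(conf)
    )


def count_global_stanzas(conf: str) -> int:
    """Snort accepts exactly one http_inspect global stanza; two is the 'configured twice' error."""
    return sum(1 for _, text in logical_lines(conf) if text.startswith(GLOBAL_PREFIX))


def enable_js_normalization(conf: str) -> tuple[str, int]:
    """Return (new_conf, stanzas_changed). Running it again on the result changes nothing."""
    out: list[str] = []
    changed = 0
    for raw, text in logical_lines(conf):
        if text.startswith(HIS_PREFIX) and not re.search(r"\bnormalize_javascript\b", text):
            extra = ["normalize_javascript"]
            # Assumed from the Snort 2.9.x manual: JS normalization works on the
            # response body, which http_inspect only examines with this option on.
            if not re.search(r"\bextended_response_inspection\b", text):
                extra.insert(0, "extended_response_inspection")
            # Continue the stanza from its last physical line (no trailing '#' comment
            # is assumed there) and add one option per continuation line.
            raw = raw[:-1] + [raw[-1].rstrip() + " \\"]
            raw += ["    " + opt + (" \\" if i < len(extra) - 1 else "")
                    for i, opt in enumerate(extra)]
            changed += 1
        out.extend(raw)
    return "\n".join(out) + "\n", changed


def main(path: str = "/usr/local/etc/snort/snort.conf") -> int:  # assumed path
    conf = SAMPLE_CONF if path == "-" else open(path, encoding="utf-8").read()
    if count_global_stanzas(conf) != 1:
        print("refusing to edit: http_inspect global stanza count is not 1", file=sys.stderr)
        return 1
    new_conf, n = enable_js_normalization(conf)
    if path == "-":
        sys.stdout.write(new_conf)
    elif n:
        open(path, "w", encoding="utf-8").write(new_conf)
    print(f"{n} http_inspect_server stanza(s) updated", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "-"))
```

Run with `-` to see the edited constructed excerpt on stdout, or with a path to rewrite a real file. Because the pfSense package regenerates snort.conf on every save, the practical use is to run this as a post-save step; the global-stanza count check is what a pass-through entry like moe2006's would trip.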

miles267

@moe2006:

But since the new version of Snort is running on my network there are lots of (http_inspect) alerts... Is there any way to tune the http_inspect preprocessor without using suppression or turning http_inspect off?
Trying to add code to "Advanced configuration pass through" to change the preprocessor settings just doesn't let the interface start. It tells me that I can't configure the global settings twice.

Moe, good find. Have you been able to resolve this? I too have encountered this same issue and have had no choice but to add suppression rules for each HTTP inspect alert, else Snort fails to run for longer than a few minutes at a time. Since adding the suppress rules it seems to stay running longer, though it fails at some point overnight and I must restart it. Have yet to pinpoint the cause.

Regardless, managing Snort has become a painful process. If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

Thanks.

digdug3

@miles267:

Moe, good find. Have you been able to resolve this? I too have encountered this same issue and have had no choice but to add suppression rules for each HTTP inspect alert, else Snort fails to run for longer than a few minutes at a time. Since adding the suppress rules it seems to stay running longer, though it fails at some point overnight and I must restart it. Have yet to pinpoint the cause.

Regardless, managing Snort has become a painful process. If only there were a way within the UI to gracefully uninstall 2.9.2.3 pkg v. 2.2 and return to the last stable version.

                                      Have the same preprocessor issues (AMD64). By looking at them it looks like there is some kind of decoding issue. Did not have them on the previous stable build.
                                      Just add these to your suppression list:

                                      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

                                      suppress gen_id 120, sig_id 3

                                      (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED

                                      suppress gen_id 120, sig_id 6

                                      (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE

                                      suppress gen_id 120, sig_id 8

                                      (smtp) Base64 Decoding failed.

                                      suppress gen_id 124, sig_id 10

                                      (smtp) Quoted-Printable Decoding failed

                                      suppress gen_id 124, sig_id 11

                                      (smtp) 7bit/8bit/binary/text Extraction failed.

                                      suppress gen_id 124, sig_id 12

moe2006

@digdug3:

Have the same preprocessor issues (AMD64). By looking at them it looks like there is some kind of decoding issue. Did not have them on the previous stable build.
Just add these to your suppression list:

suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 124, sig_id 10
suppress gen_id 124, sig_id 11
suppress gen_id 124, sig_id 12

Okay, suppressing these alerts seems to fix the problem for a while, but you always risk missing attacks which use these kinds of decoding... Hope this will be fixed when the Snort package team has finished the snort_dev tests.

Moreover, when starting Snort I'm getting some of these messages, never seen before:
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13790, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13790, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 15117, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 15117, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 18660, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 18660, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 16563, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 16563, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13802, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13802, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13975, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13975, GID: 3 not registered properly. Disabling this rule.
                                        Jun 20 16:03:49 snort[45910]: Encoded Rule Plugin SID: 13879, GID: 3 not registered properly. Disabling this rule.

                                        perhaps something is wrong with the encoding / decoding…

ronnieredd

                                          I have the following in my suppress list and still getting the http_inspect alerts:

                                          
                                          suppress gen_id 120, sig_id 3
                                          suppress gen_id 120, sig_id 6
                                          suppress gen_id 120, sig_id 8
                                          suppress gen_id 124, sig_id 10
                                          suppress gen_id 124, sig_id 11
                                          suppress gen_id 124, sig_id 12
                                          suppress gen_id 1, sig_id 2013054
                                          
                                          


humps

@digdug3:

suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 124, sig_id 10
suppress gen_id 124, sig_id 11
suppress gen_id 124, sig_id 12

Thank you.
I also received those http_inspect alerts.
pfSense 2.0.1 x64 + Snort 2.9.2.3 pkg v. 2.5.1

                                            I also had to add these as well:
                                            #(http_inspect) UNKNOWN METHOD - 0
                                            suppress gen_id 119, sig_id 31
                                            #(http_inspect) SIMPLE REQUEST
                                            suppress gen_id 119, sig_id 32
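
digdug3's suppress list, ronnieredd's report that the http_inspect alerts kept coming with that list in place, and humps' two extra entries all turn on the generator ID: the six entries above cover GID 120, http_inspect's server-response side, while 119:31 and 119:32 are raised by the client-request side. The Python below is an added example for this page, not code from Snort or the pfSense package. It parses suppress lines in the threshold.conf syntax the posts use, replays them against a handful of constructed fast-format alert lines, and reports what would still fire. It also accepts the optional `track by_src|by_dst, ip <cidr>` form, which no post here uses and is included as an assumption about what a reader tuning a single noisy server block will want; every alert line and address is constructed.

```python
"""Replay a Snort suppress list against fast-alert log lines to see what still fires.

Added example for this thread; not Snort's or the pfSense package's code.
All alert lines and addresses below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Fast-alert layout: "... [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)
# threshold.conf syntax: suppress gen_id N, sig_id N[, track by_src|by_dst, ip A.B.C.D[/nn]]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?$"
)

DIGDUG3_LIST = """
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 124, sig_id 10
suppress gen_id 124, sig_id 11
suppress gen_id 124, sig_id 12
"""
HUMPS_EXTRA = """
#(http_inspect) UNKNOWN METHOD - 0
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
"""
# Assumed variant (not in the thread): silence 120:6 only for one server block.
SCOPED_EXAMPLE = "suppress gen_id 120, sig_id 6, track by_src, ip 203.0.113.0/24\n"

SAMPLE_ALERTS = """\
06/20-16:03:49.101  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:51234
06/20-16:03:50.202  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.20:51235 -> 203.0.113.10:80
06/20-16:03:51.303  [**] [124:10:1] (smtp) Base64 Decoding failed. [**] [Priority: 3] {TCP} 192.168.1.30:25 -> 198.51.100.5:40000
06/20-16:03:52.404  [**] [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:51236
06/20-16:03:53.505  [**] [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED [**] [Priority: 3] {TCP} 198.51.100.5:80 -> 192.168.1.20:51237
"""


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None  # None: suppress regardless of address
    net: Optional[ipaddress.IPv4Network] = None

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        if (gid, sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return addr in self.net


def parse_suppress_list(text: str) -> list[Suppress]:
    """Parse threshold.conf-style suppress lines; '#' comments and blank lines are skipped."""
    rules: list[Suppress] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable suppress line: {raw!r}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def unsuppressed(alert_log: str, rules: list[Suppress]) -> list[tuple[int, int, str]]:
    """Return (gid, sid, msg) for every alert line that no rule in `rules` silences."""
    remaining = []
    for line in alert_log.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank line or a different output format
        gid, sid = int(m["gid"]), int(m["sid"])
        if not any(r.matches(gid, sid, m["src"], m["dst"]) for r in rules):
            remaining.append((gid, sid, m["msg"]))
    return remaining


if __name__ == "__main__":
    for label, text in [("digdug3 list", DIGDUG3_LIST),
                        ("digdug3 + humps", DIGDUG3_LIST + HUMPS_EXTRA),
                        ("scoped 120:6 only", SCOPED_EXAMPLE)]:
        left = unsuppressed(SAMPLE_ALERTS, parse_suppress_list(text))
        print(f"{label}: {len(left)} alert(s) still fire")
        for gid, sid, msg in left:
            print(f"  {gid}:{sid} {msg}")
```

Against the constructed alerts, digdug3's list alone leaves the 119:31 client-side alert firing, which is what ronnieredd's screenshot would have shown; adding humps' two GID 119 entries silences everything; the scoped variant shows that a `track by_src` rule leaves the same SID alone for sources outside the CIDR, which is the safer way to quiet one misbehaving server without blinding the sensor to the decoding failures moe2006 worries about.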

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.