Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.2.2 - No Alert Description

    pfSense Packages
    • C
      chowtamah
      last edited by

      thanks, I will try it tomorrow.

      2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

      Always trying to learn!!

      • C
        chowtamah
        last edited by

I did what you told me,

I checked the snort instances (pid) but there are no additional processes. I made the correction in the snort.inc file and restarted snort. But when snort blocked the IP, there was no alert description (in the Blocked tab):

        1 172.16.1.152 N\A

In the 'Alerts' tab, there are no alerts. If I change the interface to LAN, it comes back to WAN.


        • F
          Fesoj
          last edited by

In the 'Alerts' tab, there are no alerts. If I change the interface to LAN, it comes back to WAN.

          Yes, the interface is a bit stubborn. If there aren't any messages, it doesn't want to switch to LAN, but this is only GUI stuff.

The next thing to try is to uninstall and reinstall the entire package.

BTW, my pfSense 2 systems are all running on x86 Intel processors (32-bit) and I just checked whether snort works correctly on one of the boxes. It does. All the alerts I triggered were displayed with messages and I was blocked correctly (because I enabled blocking).

          • C
            chowtamah
            last edited by

For the last month, every morning I have been doing the same work. As I have a standby box with pfSense 1.2.3, I am using that for production and the 2.0 box for testing snort.

During early updates (snort 2.2.1), there was a setting to clear alerts on removal of a blocked host. I don't remember it correctly. But whenever I re-install snort, my old settings are automatically restored.

            Should I remove this setting (save settings for re install) and reinstall snort?


            • F
              Fesoj
              last edited by

              chowtamah,

              see my thread http://forum.pfsense.org/index.php/topic,51217.0.html. I'd say the package probably needs some fixes, maybe some code restructuring to make updates more generic, and what works and what doesn't probably depends to a high degree on which rules you activate.

In your case it looks beneficial to reinstall the package without keeping the settings after reinstallation. If Snort runs fine without any rules activated (and hopefully without any stuff left from previous installations), you can be sure your problem is related to specific rules (aka update related code). Then you can continue to add rules and see what happens.

              • C
                chowtamah
                last edited by

                Thanks Fesoj, tomorrow I will try it again.

-------------------------------------------
I re-installed snort after doing an uninstall.

Now snort is Snort 2.9.2.3 pkg v. 2.2.3, but the problem still continues. It blocks, but there are no alert descriptions.

                After upgrading to this version (2.2.3), it is not downloading Emerging Threats rules.


                • _
                  _igor_
                  last edited by

Same here: no Emerging Threats rules. Trying to redownload the rules results in the messages "Rules not up to date", "Emerging threats rules are up to date".

                  • F
                    Fesoj
                    last edited by

                    Trying to redownload rules results in a message "Rules not up to date", "Emerging threats rules are up to date"

I saw the same messages when I updated from 2.2.1. Did you remove the out-of-sync files from /usr/local/lib/snort/dynamicrules? The Emerging Threats rules currently work fine for me.

                    • F
                      Fesoj
                      last edited by

                      … since 2.3.2 ET no longer works.

                      • 1
                        10101000
                        last edited by

                        Hello,

Please give this patch a try. I haven't tested it anywhere but my own system, so as usual, USE AT YOUR OWN RISK. For patching information, please read: http://doc.pfsense.org/index.php/System_Patches. This should work with or without the "Ignore Whitespace" option enabled. Use 0 for "Path Strip Count" and /usr/local/www/snort/ for "Base Directory". Let me know if you find any problems.

                        UPDATE: Fixed a bug with $blocked_ips_array:

                        --- /usr/local/www/snort/snort_blocked.php.broken	2012-07-07 21:54:14.000000000 -0600
                        +++ /usr/local/www/snort/snort_blocked.php	2012-07-08 03:38:13.000000000 -0600
                        @@ -39,6 +39,7 @@
                        
                         $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
                         $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
                        +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype'];
                        
                         if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
                         	$bnentries = '500';
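Review bot: the new assignment at line 42 reads `$config['installedpackages']['snortglobal']['snortalertlogtype']` without checking that the key exists, so on a configuration where the alert log type was never saved PHP raises an undefined-index notice and `$pconfig['snortalertlogtype']` is null, which later falls through to the non-full branch. Guard it, e.g. `$pconfig['snortalertlogtype'] = isset($config['installedpackages']['snortglobal']['snortalertlogtype']) ? $config['installedpackages']['snortglobal']['snortalertlogtype'] : 'full';` (using whichever format the package writes by default). Note also that the two neighbouring keys live under `['alertsblocks']` while this one does not, so it is worth confirming where the settings page actually stores the log type.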
                        @@ -69,7 +70,7 @@
                         	exec('/bin/mkdir /tmp/snort_blocked');
                         	exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf');
                        
                        -	$blocked_ips_array_save = str_replace('   ', '', explode("\n", file_get_contents('/tmp/snort_block.pf')));
                        +	$blocked_ips_array_save = preg_replace("\s+", '', file('/tmp/snort_block.pf'));
                        
                         	if ($blocked_ips_array_save[0] != '') {
                         		/* build the list */
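Review bot: the pattern in the replacement line `preg_replace("\s+", '', file('/tmp/snort_block.pf'))` has no delimiters, whereas the matching change in the last hunk uses `"/\s+/"`. PHP's `preg_replace` refuses a pattern without delimiters with a warning and returns NULL, so `$blocked_ips_array_save` is not an array and the `$blocked_ips_array_save[0] != ''` test on the next line never sees the blocked addresses. Change it to `preg_replace("/\s+/", '', file('/tmp/snort_block.pf'))`. Separately, `file()` returns an empty array when the table is empty, so index 0 is then undefined; `if (!empty($blocked_ips_array_save))` is the safer test.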
                        @@ -131,7 +132,7 @@
                         function get_snort_alert_disc($fileline)
                         {
                         	/* disc */
                        -	if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
                        +	if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches))
                         		$alert_disc =  "$matches[2]";
                        
                         	return $alert_disc;
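Review bot: `$alert_disc` is only assigned inside the `if`, so when the new regex does not match (a record that is not an alert header, or an empty string) the function returns an undefined variable with a notice; initialise `$alert_disc = '';` before the `preg_match`. The tightened pattern itself is an improvement for Snort's `[**] [gid:sid:rev] message [**]` header: `(\[[0-9:]+\])` pins the first bracket to the rule identifier instead of the old `(\[.*\])`, which could swallow everything up to the last bracket on the line. The description group `(.+)` is still greedy, so it relies on there being exactly one closing `[**]` per record, which holds for both the fast and the full log formats.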
                        @@ -282,27 +283,31 @@
                        
                         				/* set the arrays */
                         				exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
                        -				$blocked_ips_array = explode("\n", str_replace('   ', '', file_get_contents('/tmp/snort_block.cache')));
                        +				$blocked_ips_array = preg_replace("/\s+/", '', file('/tmp/snort_block.cache'));
                         			if (!empty($blocked_ips_array)) {
                         				$input = array();
                         				$alert_ip_src_array = array();
                         				foreach (glob("/var/log/snort/*/alert") as $alert) {
                        -					$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
                        -					if (!empty($alerts_array[0])) {
                        +					if ($pconfig['snortalertlogtype'] == 'full') {
                        +						$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
                        +					} else {
                        +						$alerts_array = array_reverse(file($alert));
                        +					}
                        +					if (!empty($alerts_array)) {
                         						/* build the list and compare blocks to alerts */
                         						$counter = 0;
                         						foreach($alerts_array as $fileline) {
                        +							if (!empty($fileline)) {
                        +								$counter++;
                        
                        -							$counter++;
                        -
                        -							$alert_ip_src =  get_snort_alert_ip_src($fileline);
                        -							$alert_ip_disc = get_snort_alert_disc($fileline);
                        -							$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
                        -
                        -							if (in_array("$alert_ip_src", $blocked_ips_array))
                        -								$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
                        +								$alert_ip_src =  get_snort_alert_ip_src($fileline);
                        +								$alert_ip_disc = get_snort_alert_disc($fileline);
                        +								$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
                        +
                        +								if (in_array("$alert_ip_src", $blocked_ips_array))
                        +										$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
                        +							}
                         						}
                        -
                         					}
                         				}
                        
                        
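Review bot: in the non-full branch `file($alert)` keeps each line's trailing newline, so a blank separator line arrives as `"\n"`, passes the new `!empty($fileline)` test, still bumps `$counter` and is handed to both parsers for nothing. Read with `file($alert, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)` or test `trim($fileline) != ''` instead. Two smaller points: `get_snort_alert_ip_src($fileline)` is called twice per record where `$alert_ip_src_array[] = $alert_ip_src;` would do, and the `$input[] = ...` line under the `in_array` test is indented two levels deeper than its `if`, which reads as though it sat inside another block.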

                        Original patch:

                        --- /usr/local/www/snort/snort_blocked.php.broken	2012-07-07 21:54:14.000000000 -0600
                        +++ /usr/local/www/snort/snort_blocked.php	2012-07-07 22:46:54.000000000 -0600
                        @@ -39,6 +39,7 @@
                        
                         $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
                         $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
                        +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype'];
                        
                         if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
                         	$bnentries = '500';
                        @@ -131,7 +132,7 @@
                         function get_snort_alert_disc($fileline)
                         {
                         	/* disc */
                        -	if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
                        +	if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches))
                         		$alert_disc =  "$matches[2]";
                        
                         	return $alert_disc;
                        @@ -287,22 +288,26 @@
                         				$input = array();
                         				$alert_ip_src_array = array();
                         				foreach (glob("/var/log/snort/*/alert") as $alert) {
                        -					$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
                        -					if (!empty($alerts_array[0])) {
                        +					if ($pconfig['snortalertlogtype'] == 'full') {
                        +						$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
                        +					} else {
                        +						$alerts_array = array_reverse(file($alert));
                        +					}
                        +					if (!empty($alerts_array)) {
                         						/* build the list and compare blocks to alerts */
                         						$counter = 0;
                         						foreach($alerts_array as $fileline) {
                        +							if (!empty($fileline)) {
                        +								$counter++;
                        
                        -							$counter++;
                        -
                        -							$alert_ip_src =  get_snort_alert_ip_src($fileline);
                        -							$alert_ip_disc = get_snort_alert_disc($fileline);
                        -							$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
                        -
                        -							if (in_array("$alert_ip_src", $blocked_ips_array))
                        -								$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
                        +								$alert_ip_src =  get_snort_alert_ip_src($fileline);
                        +								$alert_ip_disc = get_snort_alert_disc($fileline);
                        +								$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
                        +
                        +								if (in_array("$alert_ip_src", $blocked_ips_array))
                        +										$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
                        +							}
                         						}
                        -
                         					}
                         				}
                        
                        
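Review bot: this earlier version of the last hunk leaves the `$blocked_ips_array` construction just above its first context line (`explode("\n", str_replace('   ', '', file_get_contents('/tmp/snort_block.cache')))`) untouched, so any pfctl entry whose leading whitespace is not exactly three spaces keeps its indentation and the `in_array("$alert_ip_src", $blocked_ips_array)` comparison silently fails for it, leaving that blocked host without a description. That is the `$blocked_ips_array` bug the updated patch above corrects with `preg_replace("/\s+/", '', file('/tmp/snort_block.cache'))`.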

                        Sincerely,

                        10101000

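To make the correlation the patch performs easier to follow, here is an added stand-alone illustration in Python (not the package's code, which is PHP, and not posted by anyone in this thread): read the `pfctl -t snort2c -T show` dump tolerating any whitespace, split the alert file according to the configured log format (one record per line for the fast format, blank-line-separated records for the full format), pull the rule identifier, message and source address out of each record, and list the messages for addresses that are currently blocked, which is what the Blocked tab should display. The pfctl output, the alert lines, the `ET CONSTRUCTED ...` rule names and the SIDs are all constructed samples, not real log data.

```python
import re
from ipaddress import ip_address

# Constructed sample of `pfctl -t snort2c -T show` output. pfctl indents entries
# with three spaces; a tab-indented entry and trailing spaces are included on
# purpose to show why stripping exactly "   " is not enough.
PFCTL_TABLE = """   172.16.1.152
   10.0.0.7  
\t192.0.2.10

"""

# Constructed Snort "fast" alert log: one record per line, blank lines possible.
FAST_LOG = """07/08-03:38:13.123456  [**] [1:2000345:9] ET CONSTRUCTED sample rule one [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.1.152:51234 -> 192.168.1.10:80

07/08-03:38:14.000001  [**] [1:2000346:1] ET CONSTRUCTED sample rule two [**] [Priority: 2] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353
garbage line without markers
"""

# Constructed Snort "full" alert log: multi-line records separated by a blank line.
FULL_LOG = """[**] [1:2000345:9] ET CONSTRUCTED sample rule one [**]
[Classification: Misc activity] [Priority: 3]
07/08-03:38:13.123456 172.16.1.152:51234 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60

[**] [1:2000347:2] ET CONSTRUCTED sample rule three [**]
[Priority: 2]
07/08-03:38:15.000000 203.0.113.5:4444 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60

"""

# Header: "[**] [gid:sid:rev] message [**]". The message group is lazy, so it
# stops at the first closing "[**]" regardless of what follows on the line.
HEADER_RE = re.compile(r"\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.+?)\s+\[\*\*\]")
# Source address is the IPv4 literal left of "->"; the port is optional (ICMP).
SRC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")


def parse_blocked_table(text):
    """Return the set of addresses in a pfctl table dump, whatever the indentation."""
    blocked = set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            blocked.add(str(ip_address(entry)))
        except ValueError:
            continue  # not an address; skip rather than poison the lookup set
    return blocked


def split_records(log_text, log_type):
    """Split an alert file into records for the given log format, dropping blanks."""
    if log_type == "full":
        records = log_text.split("\n\n")
    else:
        records = log_text.splitlines()
    return [r for r in (rec.strip() for rec in records) if r]


def parse_alert(record):
    """Return (sid, description, source_ip) or None if the record has no header."""
    header = HEADER_RE.search(record)
    if header is None:
        return None
    src = SRC_RE.search(record)
    return header.group(1), header.group(2), (src.group(1) if src else None)


def correlate(log_text, log_type, blocked):
    """Newest-first (ip, description) rows for alerts whose source is blocked,
    plus the number of records examined."""
    rows, examined = [], 0
    for record in reversed(split_records(log_text, log_type)):
        examined += 1
        parsed = parse_alert(record)
        if parsed is None:
            continue  # unparseable record: no description to show
        sid, desc, src = parsed
        if src in blocked:
            rows.append((src, f"[{sid}] {desc}"))
    return rows, examined


if __name__ == "__main__":
    blocked_hosts = parse_blocked_table(PFCTL_TABLE)
    for fmt, log in (("fast", FAST_LOG), ("full", FULL_LOG)):
        rows, seen = correlate(log, fmt, blocked_hosts)
        print(f"{fmt}: {seen} records examined")
        for ip, desc in rows:
            print(f"  {ip}  {desc}")
```

The tab-indented and trailing-space entries in the constructed pfctl dump are the case the `str_replace('   ', ...)` approach misses; stripping all whitespace and validating with `ip_address` is the equivalent of the patch's `preg_replace("/\s+/", ...)` with an extra guard. The "garbage line" in the fast log shows why the description parser must return a defined value (here `None`) rather than an unassigned variable.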
                        • C
                          chowtamah
                          last edited by

                          Thanks, I will try this patch and Will come back.


                          • 1
                            10101000
                            last edited by

                            Please note that I've updated the patch to fix a bug. See post: 273828.

                            Thanks

                            • F
                              Fesoj
                              last edited by

                              A8,

                              thanks for the patch. I've installed System: Patches, but testing your patch gives

                              Patch can be applied cleanly

                              which is good, but

                              Patch can NOT be reverted cleanly

                              which is probably bad. The details are:

                              Output of full patch revert test:
/usr/bin/patch --directory=/usr/local/www/snort/ -f -p0 -i /var/patches/4ff962e6d4837.patch --check --reverse

                              Hmm...  Looks like a unified diff to me...
                              The text leading up to this was:

--- /usr/local/www/snort/snort_blocked.php.broken 2012-07-07 21:54:14.000000000 -0600

                              +++ /usr/local/www/snort/snort_blocked.php 2012-07-08 03:38:13.000000000 -0600
                              Patching file /usr/local/www/snort/snort_blocked.php using Plan A...
                              Hunk #1 failed at 39.
                              Hunk #2 failed at 69.
                              Hunk #3 failed at 131.
                              Hunk #4 failed at 282.
                              4 out of 4 hunks failed--saving rejects to /usr/local/www/snort/snort_blocked.php.rej
                              done

                              Do I need to worry about this?

                              • C
                                Cino
                                last edited by

Gave it a try this morning and it's working for me. Thanks!

                                • C
                                  Cino
                                  last edited by

@Fesoj You don't need to worry about that because you didn't apply the patch. Once you apply it, it will be the other way around.

                                  • F
                                    Fesoj
                                    last edited by

                                    Cino,

thanks for the info. I just didn't want to run into more problems. Of course, deleting and reinstalling the package also doesn't take too much time.

                                    The patch works for me  as well. :)

                                    • C
                                      chowtamah
                                      last edited by

Fesoj, can this patch be included in the next snort release?


                                      • F
                                        Fesoj
                                        last edited by

It's not up to me to decide that. A8's patch seems to work, so it should be included to get the alert descriptions.

Unfortunately there is more to do to get snort running smoothly again. I am currently taking a crash course (coming from C/C++) on PHP in order to take care of some of the more peripheral issues myself and slowly learn more about the package. I have also started to set up a test environment for more experiments…

                                        Maybe the ioctl error is currently the most severe problem. I cannot repeat it reliably yet, and it sometimes seems to be associated with a total freeze of the interface (so you can no longer log into the box, but existing connections are not affected).

                                        • D
                                          dwood
                                          last edited by

Installed 2.2.4 and added this patch.

Alert descriptions have returned :-)  Thank you for your efforts.

                                          Cheers,
                                          Dennis

                                          • D
                                            dwood
                                            last edited by

                                            This patch on 2.2.4 (clean install, AMD64, 2.01) worked for me.

                                            Descriptions in blocked IPs are back :-)  Thanks again and as always for your efforts guys.

                                            Cheers,
                                            Dennis.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.