Snort 2.9.2.3 pkg v. 2.2.2 - No Alert Description
-
Thanks, I will try this patch and Will come back.
-
Please note that I've updated the patch to fix a bug. See post: 273828.
Thanks
-
A8,
thanks for the patch. I've installed System: Patches, but testing your patch gives
Patch can be applied cleanly
which is good, but
Patch can NOT be reverted cleanly
which is probably bad. The details are:
Output of full patch revert test:
/usr/bin/patch –directory=/usr/local/www/snort/ -f -p0 -i /var/patches/4ff962e6d4837.patch --check --reverseHmm... Looks like a unified diff to me...
The text leading up to this was:-- /usr/local/www/snort/snort_blocked.php.broken 2012-07-07 21:54:14.000000000 -0600
+++ /usr/local/www/snort/snort_blocked.php 2012-07-08 03:38:13.000000000 -0600 Patching file /usr/local/www/snort/snort_blocked.php using Plan A... Hunk #1 failed at 39. Hunk #2 failed at 69. Hunk #3 failed at 131. Hunk #4 failed at 282. 4 out of 4 hunks failed--saving rejects to /usr/local/www/snort/snort_blocked.php.rej done Do I need to worry about this?
-
Gave it try this morning and its working for me. Thanks!
-
@Fesoj You don't need to worry about that because you didn't apply the patch. Once your apply, it will be the other way around
-
Cino,
thanx for the info–I just didn't want to run into more problems. Of course, deleting and reinstalling the package also doesn't take too much time.
The patch works for me as well. :)
-
Fesoj, whether this patch can be included in the next snort release?
-
It's not up to me to decide that. A8s patch seems to work, so it should be included to get the alert descriptions.
Unfortunately there is more to do to get snort running smoothly again. I am currently taking a crash course (coming from C/C++) on php in order to take care of some of the more peripheric issues myself and slowly learn more about the package. I have also started to setup a test environment for more experiments…
Maybe the ioctl error is currently the most severe problem. I cannot repeat it reliably yet, and it sometimes seems to be associated with a total freeze of the interface (so you can no longer log into the box, but existing connections are not affected).
-
installed 2.2.4 and added this patch.
Alert description have returned :-) Thank you for your efforts.
Cheers,
Dennis -
This patch on 2.2.4 (clean install, AMD64, 2.01) worked for me.
Descriptions in blocked IPs are back :-) Thanks again and as always for your efforts guys.
Cheers,
Dennis. -
Today reinstalled Snort 2.9.2.3 pkg v. 2.2.4,
In Blocked tab, Alert description still shows N/A.
But in Alerts tab, alerts are showing up.In Alerts tab, If I select Wan or Lan from the Instance to inspect, nothing shows up. If I click 'Alerts' tab again, list comes back.
I didn't tried the patch, as I could not install the System Patches package due to repository error. It shows, 'Unable to retrieve package info from www.pfsense.com. Cached data will be used.'
-
You do need the System Patches (or do a manual merge ;D).
I installed the package yesterday and all went well–-maybe it is a temporary problem.
The GUI Alert portion of the snort package still needs work. As described somewhere else in this forum, the php code that distinguishes the selected snort interface is incomplete. -
Applied the patch on v2.2.4 of snort and got back descriptions. Great work!!! Thx! :)
-
Today reinstalled Snort 2.9.2.3 pkg v. 2.2.4,
In Blocked tab, Alert description still shows N/A.
But in Alerts tab, alerts are showing up.In Alerts tab, If I select Wan or Lan from the Instance to inspect, nothing shows up. If I click 'Alerts' tab again, list comes back.
I didn't tried the patch, as I could not install the System Patches package due to repository error. It shows, 'Unable to retrieve package info from www.pfsense.com. Cached data will be used.'
Chowtamah,
Actually you can apply the patch from a terminal session. For this I've attached snort_blocked_patch.txt. To test that the patch is successful run:
patch -C -p0 -i snort_blocked_patch.txt
If no errors are output, perform the actual patch:
patch -p0 -i snort_blocked_patch.txt
I am happy to hear that this is working for most.
Thanks
-
I merged your regex into the 2.3.0 so please test if it fixes.
-
It seems like the Alert Descriptions changed from N/A to nothing. Also I'm now unable to save my suppression list. It just returns to the same form with no input in any of the fields.
-
Can you put from different people small part of your alert files?
They are in /var/log/snort* -
Thanks to 10101000, Fesoj and ermal for all your efforts.
I will test snort 2.3.0 and raise issues in cino's thread.
-
Alert Descriptions are shown on the alerts page, but not on blocked.
From /var/log/snort/snort_em033213/alert
[**] [1:2002157:10] ET POLICY Skype User-Agent detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/10-05:26:57.360499 MYIP:47603 -> 204.9.163.247:80 TCP TTL:50 TOS:0x0 ID:31437 IpLen:20 DgmLen:542 DF ***A**** Seq: 0x26B83575 Ack: 0x7AAE8D12 Win: 0x1FFE TcpLen: 20 [Xref => http://doc.emergingthreats.net/2002157] [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/10-05:26:57.597973 MYIP:14580 -> 78.141.177.158:80 TCP TTL:52 TOS:0x0 ID:13728 IpLen:20 DgmLen:538 DF ***AP*** Seq: 0xB70BDB31 Ack: 0x989F230F Win: 0x1FFE TcpLen: 20 [Xref => http://doc.emergingthreats.net/2002157] [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/10-05:26:57.747503 MYIP:62744 -> 92.122.50.146:80 TCP TTL:55 TOS:0x0 ID:57600 IpLen:20 DgmLen:570 DF ***A**** Seq: 0x9C4E1C36 Ack: 0x4B26A476 Win: 0x3CC0 TcpLen: 32 [Xref => http://doc.emergingthreats.net/2002157] [**] [1:2406417:287] ET RBN Known Russian Business Network IP UDP (209) [**] [Classification: Misc Attack] [Priority: 2] 07/10-05:27:01.426947 46.21.146.190:51413 -> MYIP:64284 UDP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:58 DF Len: 30 [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork] [**] [1:2406823:287] ET RBN Known Russian Business Network IP UDP (412) [**] [Classification: Misc Attack] [Priority: 2] 07/10-05:27:14.971087 89.248.163.5:53340 -> MYIP:60685 UDP TTL:117 TOS:0x0 ID:6851 IpLen:20 DgmLen:58 Len: 30 [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork] [**] [1:2520104:1165] ET TOR Known Tor Exit Node TCP Traffic (53) [**] [Classification: Misc Attack] [Priority: 2] 07/10-05:28:31.199256 77.247.181.165:50103 -> MYIP:64284 TCP TTL:50 TOS:0x0 ID:48027 IpLen:20 DgmLen:52 DF ******S* Seq: 0x85AA7429 Ack: 0x0 Win: 0x16D0 TcpLen: 32 TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 10 [Xref => http://doc.emergingthreats.net/bin/view/Main/TorRules]
-
Alert Descriptions are shown on the alerts page, but not on blocked.
ditto.
Nevertheless, with some emerging threats rules enabled, my pfsense system is snorting (snort 2.9.2.3 pkg v. 2.3.0).