Snort 2.9.2.3 pkg v. 2.3.0 Issue Thread
-
@ermal:
Missed those.
I am not sure about the small font, all looks good to me? Or you mean inside the textarea?
Inside the textarea/textbox in the Suppression list edit page. It's now set to
.formpre { font-family: Courier New,Courier,monospaced; font-size: 10px; }
It used to be
.formpre { font-family: arial; font-size: 1.1em; }
..I think.
-
Looking a lot better.. uninstalled, removed any trace of snort on the hard drive… installed... updated rules and guess what, it started with no errors =D
I think I found what the issue is with barnyard2 not stopping.. It doesn't stop for anything now.. It's creating a PID file like this: barnyard2_39737_em339737.pid when I think the code is looking to stop barnyard2_em339737.pid. I think the PID file should be 'barnyard2_em3_39737.pid'
I'll do some more testing later but hopefully other users will report their findings.
thanks again!!!
-
I think I found the issue with the barnyard2 pid file.
Just re-install snort after 15 minutes and check it out. Thank you for the testing.
But after this cleanup more things are manageable with less effort.
-
That did it for barnyard2! Able to stop and start via Snort GUI and Services. Haven't tried a reboot yet.. But since Services uses /usr/local/etc/rc.d/snort.sh as well, I would think it would work also.
I'll have to do a deep dive later but I think it's all small stuff..but..
I see now on the Snort Interface page, Barnyard2 is shaded Red when it's turned off and White when it's enabled. Could it be Green when it's enabled? Also, can we do the same for the Interface also? Don't know if it should go under 'If' or 'Snort' columns. It was under 'If' but to keep it the same as barnyard2, I would put it under 'Snort'…idk.. you decide on what is easier and looks more functional.
Thank you for getting barnyard2 working correctly..
-
Tested upgrading from v2.2.4 to v2.3.0 on AMD64 works without any problems.
As soon as everything works I will upgrade my production machine from Snort 2.9.1 pkg v. 2.1.1 (AMD64) to this version. As Cino said, I too would prefer green/red colors, just like the stop and play buttons.
-
Aside from the problems listed in the original post, version 2.3.0 is running smoothly for myself. For a quick "blocked alerts description" fix see post 274405.
Thanks for the hard work Ermal!
-
I've crossed out what has been resolved on the first post and added some…
@10101000 your patch worked for me.. thank you
-
Cron Job Issue:
After every install/reinstall, you have to save the Global Settings and Interface page (with Blocked Enabled) for the Cron job to be created. Is there a way to fix it so the package does a check automatically to see if that setting is set? Maybe -if- the Global settings was saved, after an update of the package, automatically update the rules before starting Snort.
-
If you have more than a single snort interface running, only the message of the 1st instance can be cleared (already described somewhere else). I noticed some code changes in snort_alert.php, but the code does not work correctly.
It looks as if the state of the settings is not properly maintained. $instanceid does receive the correct value, but after hitting the clear button the value is back to its default value 0 before the clear action gets executed, so other interfaces never get a chance to get rid of their messages (to study this behavior I am dumping some diagnostics into a temporary file).
Not being familiar with php, I'd say the problem is due to the way php scripts get initialized and executed and after hitting a button like "Clear", you're essentially back to a fresh page. With the proper knowledge this can probably be fixed easily.
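The round trip described in this post, as an added illustration that is not the Snort package's own snort_alert.php: a PHP page starts from scratch on every request, so $instanceid is 0 again after the Clear submit unless the form posts the selected instance back, and the handler then has to validate that value before acting on it. The form field names, the instance list and the alert file path are assumptions.

```php
<?php
// Added example, not the pfSense Snort package's code. Demonstrates why
// $instanceid resets to 0 on the Clear submit and how to carry it through.

// Constructed instance list; the real page reads it from the pfSense config.
$instances = [0 => 'em0', 1 => 'em1', 2 => 'em2'];

// Every request starts fresh: nothing from the previous page view survives
// unless it is sent back in the request itself.
$instanceid = 0;

// Accept the instance id only from the request and only if it is a digit
// string that names a configured instance; anything else keeps the default.
$raw = $_POST['instance'] ?? $_GET['instance'] ?? null;
if ($raw !== null && ctype_digit((string)$raw)
        && array_key_exists((int)$raw, $instances)) {
    $instanceid = (int)$raw;
}

// The selected instance's alert file (path layout is an assumption).
$alertfile = sprintf('/var/log/snort/snort_%s%d/alert',
                     $instances[$instanceid], $instanceid);

// Clear action: truncate only the file belonging to the validated instance.
if (isset($_POST['clear']) && is_file($alertfile)) {
    file_put_contents($alertfile, '');
}
?>
<form method="post">
  <select name="instance" onchange="this.form.submit()">
<?php foreach ($instances as $id => $iface): ?>
    <option value="<?= $id ?>"<?= $id === $instanceid ? ' selected' : '' ?>>
      <?= htmlspecialchars($iface) ?>
    </option>
<?php endforeach; ?>
  </select>
</form>

<!-- The Clear button lives in its own form, so it must carry the id itself;
     without this hidden field the handler above sees no instance and uses 0. -->
<form method="post">
  <input type="hidden" name="instance" value="<?= $instanceid ?>">
  <input type="submit" name="clear" value="Clear">
</form>
```

The hidden field is what keeps the selection alive across the submit; validating it against the configured list stops a crafted value from pointing the clear action at a path outside the instance's own log directory.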
-
With this version the Emerging Threats rules are working for me, but the Snort rules don't.
I did some tests with the p2p rules, and the Snort rules neither generated alerts nor did blocking work.
-
In 2.4.0 all these issues should be solved apart from the colors in the interface page
-
-
On and off snort quits when it tries to block an IP
Jul 11 14:24:32 snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
Jul 11 14:24:32 snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
-
That is rather awkward.
Can you identify the line that caused that? In alerts?
-
The alert at 14:24.
2 2 UDP ET SCAN Sipvicious User-Agent Detected (friendly-scanner) Attempted Information Leak 98.172.131.198 5071 -> x.x.x.x 5060 1:2011716:3 07/11-14:24:32
3 2 UDP ET SCAN Sipvicious User-Agent Detected (friendly-scanner) Attempted Information Leak 98.172.131.198 5067 -> x.x.x.x 5060 1:2011716:3 07/11-09:07:36
Going to update to 2.4.1 shortly.. but this kind of issue I would think is because of the binary
-
Is this after a snort soft restart (with HUP signal)?