Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.3.0 Issue Thread

    • Cino

      I've crossed out what has been resolved on the first post and added some…

      @10101000 your patch worked for me.. thank you

      • digdug3

        Cron Job Issue:
        After every install/reinstall, you have to save the Global Settings and Interface page (with Blocked Enabled) for the Cron job to be created. Is there a way to fix it so the package does a check automatically to see if that setting is set?

        Maybe, if the Global Settings were saved, the package could automatically update the rules after a package update, before starting Snort.

        • Fesoj

          If you have more than a single snort interface running, only the message of the 1st instance can be cleared (already described somewhere else). I noticed some code changes in snort_alert.php, but the code does not work correctly.

          It looks as if the state of the settings is not properly maintained. $instanceid does receive the correct value, but after hitting the clear-button the value is back to its default value 0 before the clear action gets executed, so other interfaces never get a chance to get rid of their messages (to study this behavior I am dumping some diagnostics into a temporary file).

          Not being familiar with PHP, I'd say the problem is due to the way PHP scripts get initialized and executed, and after hitting a button like "Clear", you're essentially back to a fresh page. With the proper knowledge this can probably be fixed easily.

          • Fesoj

            With this version the Emerging Threats rules are working for me, but the Snort rules don't.

            I did some tests with the p2p rules, and the Snort rules neither generated alerts nor did blocking work.

            • eri--

              In 2.4.0 all these issues should be solved, apart from the colors in the interface page.

              • Fesoj

                See http://forum.pfsense.org/index.php/topic,51375.msg274556.html#msg274556

                • Cino

                  On and off, snort quits when it tries to block an IP.

                  
                  Jul 11 14:24:32 	snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                  Jul 11 14:24:32 	snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                  
                  
                  • eri--

                    That is rather awkward.
                    Can you identify the line that caused that? In alerts?

                    • Cino

                      the alert at 14:24.

                      
                      2 	2 	UDP 	ET SCAN Sipvicious User-Agent Detected (friendly-scanner) 	Attempted Information Leak 	98.172.131.198 	5071 	-> 	x.x.x.x 	5060 	1:2011716:3 	07/11-14:24:32
                      3 	2 	UDP 	ET SCAN Sipvicious User-Agent Detected (friendly-scanner) 	Attempted Information Leak 	98.172.131.198 	5067 	-> 	x.x.x.x 	5060 	1:2011716:3 	07/11-09:07:36
                      
                      

                      going to update to 2.4.1 shortly.. but this kind of issue I would think is because of the binary

                      • eri--

                        Is this after a snort soft restart (with HUP signal)?
