Snort 2.9.2.3 pkg v. 2.4.2 Issues
-
I just updated to 2.9.2.3 pkg v. 2.4.2. Installation worked fine. ET rules seem to work for me, but the alert messages seem to be scrambled, i.e. instead of p2p-related messages (because I enabled the p2p rules), I got some vague gzip-related message. I've seen that before. Blocking is working, though there are no alert descriptions in the "Blocked" tab.
I haven't tested the Snort rules yet.
-
Can you put the alert file here and tell me if it's full alert-style logging or fast?
-
Things I've noticed with the latest version:
-
Going to interface settings -> categories, click on a category -> "no rules found" and when you return to categories none are selected. If you save, snort makes a new interface.
-
There's some code poking through the top of the categories page:
";
-
I'm not seeing anything blocked by snort or ET rules, only PSNG_-stuff.
-
White list doesn't seem to whitelist my WAN IP at all.
Custom whitelist with all options checked (ADD WAN IP, etc.) doesn't seem to whitelist my WAN IP correctly. From the alert:
[**] [122:22:1] PSNG_UDP_FILTERED_DECOY_PORTSCAN [**] [Classification: Attempted Information Leak] [Priority: 2] 07/12-13:22:47.715290 66.8.211.46 -> my wan ip PROTO:255 TTL:114 TOS:0x0 ID:18376 IpLen:20 DgmLen:171
Edit:
-
Interface settings -> Home net and External net drop-down menus list default and my whitelist lists, which I'm fairly sure weren't there before.
-
Old issues with the Suppress page: a space added at the start of the main textbox, and small font.
-
-
Hi ermal,
I'll be out of town for a couple of hours. When I'll be back I'll check the system again and post the messages and the relevant parts of the system log.
Also, trying to clear the alert messages currently freezes the GUI (actually the interface, but existing connections are not affected).
-
ermal,
here are some screenshots; more to come.
-
Life would be sooo boring without snort testing:
2.4.2 kicked me completely out after installation. I did not even start it. After rule update my VPN connection dropped.
Let's see what surprises arise when I get back home.
-
Pressing the start/stop button on the interface page doesn't stop snort or barnyard.
-
1.) 2.4.2 log returns the following error:
snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.
The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):
FILE_DATA_PORTS [$HTTP_PORTS,110,143]
2.) if I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc.) when I attempt to start the interface, it returns the following error:
snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE
3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank
-
snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE
I had the same error; someone suggested that commas are now required even though it says spaces. This corrected the problem.
-
The cron jobs are not being created for either of these functions:
1. Update rules automatically
2. Remove blocked hosts every
The old trick of selecting never then saving the reselecting a time does not work either.
-
and, another thing if I can help.
Using the same rules/configuration, Snort now eats about 20-25% of CPU; before it was about 4-5%. I don't know if it's only me or if some other user is also experiencing that.
Thanks,
Michele
-
Thank you. This resolved the SSL_IGNORE issue. Hope they update the UI to explain that commas are now REQUIRED.
-
I have problems with the suppression list. When auto blocking is disabled on the interface it starts fine, but when I enable auto blocking I get this error.
FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
here is my suppression list
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1
(every time I save this it gets one more leading space)
greetz
-
Issues:
1.) Alert Descriptions are now blank on the BLOCKED tab
2.) Snort doesn't appear to be referencing the WHITELIST and/or SUPPRESS rules. For example, Snort is currently blocking my internet gateway IP for the first time ever. Despite adding both a suppress rule for the PORTSWEEP (it's reporting from my router) and adding the gateway IP to the WHITELIST, snort keeps adding it back to the BLOCKED tab.
-
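The suppress and whitelist behaviour in the two posts above (a suppress list that gains a leading space on every save, and a gateway IP that keeps getting blocked despite a suppress entry and a whitelist entry) can be checked offline against the alert lines Snort writes. The script below is an added example, not code from this thread or from the pfSense Snort package. It assumes Snort's own suppress syntax (`suppress gen_id N, sig_id M[, track by_src|by_dst, ip A.B.C.D/n]`), a whitelist of one IPv4 address or CIDR per line, and alert lines containing `[gid:sid:rev] msg [**]` and `src -> dst` as in the full-style line quoted earlier in the thread; it also takes the package's model to be that a suppressed alert is never raised, while a whitelisted address is alerted on but must not be blocked. All inputs are constructed; the first alert is the one quoted above with the WAN address replaced by a documentation address, and the `EXAMPLE_*` rule names are placeholders.

```python
"""Which alerts survive a Snort suppress list and a pfSense-style whitelist?

Added example (not the pfSense Snort package's own code). Assumptions:
  - suppress lines: suppress gen_id N, sig_id M[, track by_src|by_dst, ip CIDR]
  - whitelist: one IPv4 address or CIDR per line, '#' comments allowed
  - alerts contain '[gid:sid:rev] msg [**]' and 'src -> dst' (IPv4, optional :port)
  - model: suppressed => never alerts; whitelisted source => alerts, not blocked
"""
import ipaddress
import re
from typing import NamedTuple, Optional

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)
ALERT_ID_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]")
ADDR_RE = re.compile(r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)")


class Suppress(NamedTuple):
    gid: int
    sid: int
    track: Optional[str]                       # by_src / by_dst / None (all traffic)
    net: Optional[ipaddress.IPv4Network]


class Alert(NamedTuple):
    gid: int
    sid: int
    msg: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def leading_space_lines(text):
    """1-based numbers of non-empty lines that start with whitespace (the
    symptom reported above; Snort itself tolerates it, the package loader may not)."""
    return [i for i, l in enumerate(text.splitlines(), 1) if l.strip() and l[0].isspace()]


def parse_suppress(text):
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"suppress line {lineno}: cannot parse {line!r}")
        net = ipaddress.IPv4Network(m["ip"], strict=False) if m["ip"] else None
        entries.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return entries


def parse_whitelist(text):
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def _addr(token):
    # "203.0.113.5:443" -> 203.0.113.5 ; a bare address is returned unchanged
    host = token.rsplit(":", 1)[0] if token.count(":") == 1 else token
    return ipaddress.IPv4Address(host)


def parse_alert(line):
    ids, addrs = ALERT_ID_RE.search(line), ADDR_RE.search(line)
    if not ids or not addrs:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(int(ids["gid"]), int(ids["sid"]), ids["msg"],
                 _addr(addrs["src"]), _addr(addrs["dst"]))


def is_suppressed(alert, entries):
    for e in entries:
        if (e.gid, e.sid) != (alert.gid, alert.sid):
            continue
        if e.track is None:                          # no track clause: suppress everywhere
            return True
        if (alert.src if e.track == "by_src" else alert.dst) in e.net:
            return True
    return False


def classify(line, entries, nets):
    """'suppressed', 'whitelisted' (alert raised, source exempt from blocking) or 'blocked'.
    Assumes the package blocks the *source* address of an alert."""
    a = parse_alert(line)
    if is_suppressed(a, entries):
        return "suppressed"
    if any(a.src in n for n in nets):
        return "whitelisted"
    return "blocked"


# --- constructed sample inputs ---------------------------------------------------
SUPPRESS_TXT = """suppress gen_id 119, sig_id 2
 suppress gen_id 122, sig_id 3, track by_src, ip 192.168.1.1
suppress gen_id 122, sig_id 26
"""
WHITELIST_TXT = """192.168.1.1   # gateway (hypothetical)
203.0.113.5   # WAN IP (documentation address)
"""
ALERTS = [
    "[**] [122:22:1] PSNG_UDP_FILTERED_DECOY_PORTSCAN [**] [Classification: Attempted Information Leak] [Priority: 2] 07/12-13:22:47.715290 66.8.211.46 -> 203.0.113.5 PROTO:255 TTL:114 TOS:0x0 ID:18376 IpLen:20 DgmLen:171",
    "[**] [122:3:1] EXAMPLE_PORTSWEEP [**] [Classification: Attempted Information Leak] [Priority: 2] 07/12-13:23:01.000000 192.168.1.1 -> 203.0.113.5 PROTO:255 TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:100",
    "[**] [1:9000001:1] EXAMPLE_P2P_RULE [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/12-13:24:00.000000 198.51.100.7:6881 -> 203.0.113.5:51413 TCP TTL:50 TOS:0x0 ID:2 IpLen:20 DgmLen:60",
    "[**] [1:9000001:1] EXAMPLE_P2P_RULE [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/12-13:25:00.000000 192.168.1.1:1234 -> 203.0.113.5:51413 TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60",
]

if __name__ == "__main__":
    print("lines with a leading space:", leading_space_lines(SUPPRESS_TXT))
    sup, wl = parse_suppress(SUPPRESS_TXT), parse_whitelist(WHITELIST_TXT)
    for line in ALERTS:
        a = parse_alert(line)
        print(f"{a.gid}:{a.sid} {a.msg:<35} {a.src!s:<15} -> {classify(line, sup, wl)}")
```

Run it against your own suppress list, whitelist and alert log instead of the constructed samples: an alert that comes back `suppressed` yet still appears in the log means Snort never loaded the suppress entry (the package error above is one way that happens), and one that comes back `whitelisted` yet still lands in the Blocked tab points at the whitelist not reaching the blocking side rather than at the rule itself.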
@HOD:
I concur - same behavior on my system with 2.4.2.
-
I am not experiencing the fatal error messages that are reported here. I have 2 interfaces defined, non-default whitelists and different suppression lists for each interface. I have attached the associated system logs for the startup procedure of each interface. There is nothing really unusual (except that there are duplicated lines and a minor warning).
I've been very careful lately when I update the package. First, I stop all running snort instances, then I deinstall the package. Then I check for any remaining debris (find / -name 'snort*'; the latest deinstall procedure works fine, though), then and only then I install the updated package, followed by a rule update. Maybe this helps a bit to sort out things.
I cannot confirm the high CPU load that mdima reported.
The next thing to look at will be a normal client session, followed by a malicious session that should trigger blocking. Once I'll have done that, I'll report.
-
I always tell snort to retain the configuration on uninstall (global checkbox) when upgrading from one version to the next. Is this not a good practice? While it usually works, lately it may be causing the nightmares. Just trying to avoid manually entering suppress settings and whitelists, redefining categories by interface, etc.
-
I am doing the same; no problems so far.
-
Updated today and still no blocking nor alerts. Snort itself starts without "problems". Snort logs are empty.
I'm retaining my config between updates too, never had any problem with it.
-
At least I'm not alone in that practice of retaining configuration from one version to another. Has anyone figured out a fix for blank alert descriptions on the BLOCKED tab? Mine only shows an IP with no alert description. Hasn't included a description for the past several months. Thanks.