Snort 2.9.2.3 pkg v. 2.4.2 Issues
-
Life would be sooo boring without snort testing:
2.4.2 kicked me completely out after installation. I did not even start it. After rule update my VPN connection dropped.
Let's see what surprises arise when I get back home.
-
Pressing the start/stop button on the interface page doesn't stop snort or barnyard.
-
1.) 2.4.2 log returns the following error:
snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.
The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):
FILE_DATA_PORTS [$HTTP_PORTS,110,143]
2.) If I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc.), when I attempt to start the interface it returns the following error:
snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE
3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank
-
1.) 2.4.2 log returns the following error:
snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.
The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):
FILE_DATA_PORTS [$HTTP_PORTS,110,143]
2.) If I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc.), when I attempt to start the interface it returns the following error:
snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE
3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank
snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE
I had the same error. Someone suggested that commas are now required even though it says spaces; this corrected the problem.
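Added example (mine, not code from any poster or from the pfSense package) for the two start-up errors quoted above. Snort reports "Unknown rule type" for any snort.conf line whose first token is not a directive it knows, which is exactly what a bare "FILE_DATA_PORTS [...]" pass-through line without a leading "portvar" looks like to it; and the SSL_Ignore box has to turn whatever was typed, spaces or commas, into one comma-separated portvar and refuse an empty list before Snort does. The directive list (abridged) and the function names are my assumptions.

```python
import re

# First-line keywords Snort 2.9 recognises in snort.conf (assumed list, abridged
# to the common ones); any other leading token is reported as "Unknown rule type".
SNORT_DIRECTIVES = {
    "var", "portvar", "ipvar", "config", "preprocessor", "include", "output",
    "dynamicpreprocessor", "dynamicengine", "dynamicdetection", "ruletype",
    "suppress", "threshold", "event_filter", "rate_filter", "attribute_table",
    "alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic",
}


def check_passthrough(text):
    """Flag pass-through lines Snort would refuse at start-up.

    Returns [(line_no, first_token)] for each non-blank, non-comment line whose
    first token is not a directive, e.g. a bare 'FILE_DATA_PORTS [...]' that is
    missing the leading 'portvar'.
    """
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        tok = s.split(None, 1)[0]
        if tok not in SNORT_DIRECTIVES:
            bad.append((n, tok))
    return bad


def parse_port_list(raw):
    """Accept ports typed with spaces and/or commas; return unique ints in order."""
    ports = []
    for tok in re.split(r"[\s,]+", raw.strip()):
        if not tok:
            continue
        if not tok.isdigit() or not 1 <= int(tok) <= 65535:
            raise ValueError(f"not a valid port: {tok!r}")
        ports.append(int(tok))
    return list(dict.fromkeys(ports))


def render_portvar(name, raw):
    """Emit 'portvar NAME [p1,p2,...]'. An empty list is rejected here, because
    Snort would otherwise abort with 'Missing argument to NAME'."""
    ports = parse_port_list(raw)
    if not ports:
        raise ValueError(f"{name}: empty port list")
    return f"portvar {name} [{','.join(map(str, ports))}]"
```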
-
The cron jobs are not being created for either of these functions:
1. Update rules automatically
2. Remove blocked hosts every
The old trick of selecting never, then saving, then reselecting a time does not work either.
-
And another thing, if I can help.
Using the same rules/configuration, now Snort eats about 20-25% of CPU, before was about 4-5%. I don't know if it's only me or also some other user is experiencing that.
Thanks,
Michele
-
1.) 2.4.2 log returns the following error:
snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.
The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):
FILE_DATA_PORTS [$HTTP_PORTS,110,143]
2.) If I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc.), when I attempt to start the interface it returns the following error:
snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE
3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank
snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE
I had the same error. Someone suggested that commas are now required even though it says spaces; this corrected the problem.
Thank you. This resolved the SSL_IGNORE issue. Hope they update the UI to explain that commas are now REQUIRED.
-
I have problems with the suppression list. When auto blocking is disabled on the interface it starts fine, but when I enable auto blocking I get this error.
FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
Here is my suppression list:
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1
(every time I save this it gets one more leading space)
greetz
-
Issues:
1.) Alert Descriptions are now blank on the BLOCKED tab
2.) Snort doesn't appear to be referencing the WHITELIST and/or SUPPRESS rules. For example, Snort is currently blocking my internet gateway IP for the first time ever. Despite adding both a suppress rule for the PORTSWEEP (it's reporting from my router) and adding the gateway IP to the WHITELIST, snort keeps adding it back to the BLOCKED tab.
-
@HOD:
I have problems with the suppression list. When auto blocking is disabled on the interface it starts fine, but when I enable auto blocking I get this error.
FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
Here is my suppression list:
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1
(every time I save this it gets one more leading space)
greetz
I concur - same behavior on my system with 2.4.2.
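Added example (mine, not part of the package) for the suppression list problem in the two posts above: a normaliser for a suppress list that has been flattened onto one line and has picked up leading whitespace on every save. It writes one entry per line and reports anything it cannot parse, so a bad entry is caught before Snort is restarted with blocking enabled. Function names are my own assumptions.

```python
import re

# One suppress entry, optionally restricted to a source or destination address.
SUPPRESS_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?"
)


def _junk(fragment):
    """Non-blank, non-comment text between recognised entries."""
    return [ln.strip() for ln in fragment.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def normalize_suppress_list(text):
    """Rewrite a suppress list as one clean entry per line.

    Handles a list that was flattened onto a single line and/or gained leading
    whitespace with every save. Returns (entries, leftovers); leftovers is any
    text that matched no entry and must be fixed by hand, since Snort would
    otherwise reject the file at start-up.
    """
    entries, leftovers, pos = [], [], 0
    for m in SUPPRESS_RE.finditer(text):
        leftovers.extend(_junk(text[pos:m.start()]))
        gen, sig, track, ip = m.groups()
        entry = f"suppress gen_id {int(gen)}, sig_id {int(sig)}"
        if track:
            entry += f", track {track}, ip {ip}"
        entries.append(entry)
        pos = m.end()
    leftovers.extend(_junk(text[pos:]))
    return entries, leftovers


def render_suppress_list(text):
    """The text to write back: entries joined by newlines, none indented."""
    entries, leftovers = normalize_suppress_list(text)
    if leftovers:
        raise ValueError("unparseable suppress entries: " + "; ".join(leftovers))
    return "\n".join(entries) + "\n"
```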
-
I am not experiencing the fatal error messages that are reported here. I have 2 interfaces defined, non-default whitelists and different suppression lists for each interface. I have attached the associated system logs for the startup procedure of each interface. There is nothing really unusual (except that there are duplicated lines and a minor warning).
I've been very careful lately when I update the package. First, I stop all running snort instances, then I deinstall the package. Then I check for any remaining debris (find / -name 'snort*'; the latest deinstall procedure works fine, though), then and only then I install the updated package, followed by a rule update. Maybe this helps a bit to sort things out.
I cannot confirm the high CPU load that mdima reported.
The next thing to look at will be a normal client session, followed by a malicious session that should trigger blocking. Once I have done that, I'll report.
-
I always tell snort to retain the configuration on uninstall (global checkbox) when upgrading from one version to the next. Is this not a good practice? While it usually works, lately it may be causing the nightmares. Just trying to avoid manually entering suppress, settings and whitelists, redefining categories by interface, etc.
-
I always tell snort to retain the configuration on uninstall (global checkbox) when upgrading from one version to the next. Is this not a good practice?
I am doing the same; no problems so far.
-
Updated today and still no blocking nor alerts. Snort itself starts without "problems". Snort logs are empty.
I'm retaining my config between updates too, never had any problem with it.
-
At least I'm not alone in that practice of retaining configuration from one version to another. Has anyone figured out a fix for blank alert descriptions on the BLOCKED tab? Mine only shows an IP with no alert description. Hasn't included a description for the past several months. Thanks.
-
… I started a client session with simple internet access (no p2p offenses, etc). On the server I disabled blocking, just in case, and because I wanted to study the normal reporting. After a few seconds the client connection was dead and on the pfsense box one of the interfaces went down with the well known system log message:
snort[53641]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
Is this Kafkaesque or just plain good old Greek mythology? I mean the story about Σίσυφος who was Aeolus of Thessaly's and Enarete's son.
-
No blocking could be caused by a broken libpcap package.
-
Updated today and still no blocking nor alerts. Snort itself starts without "problems". Snort logs are empty.
I'm retaining my config between updates too, never had any problem with it.
I'm having the same issue.
I have a custom NETLIST so it includes the cable modem private subnet, but my config file isn't picking it up; normally it would be under HOME_NET. I've noticed the Whitelist interface doesn't allow you to pick from NETLIST or WHITELIST. Shouldn't that be there?
Noticed HOME_NET doesn't include the WAN/gateway IPs either.
My snort.conf, btw:
# snort configuration file
# generated automatically by the pfSense subsystems do not modify manually
# Define Local Network #
var HOME_NET [209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24]
var EXTERNAL_NET [!$HOME_NET]
# Define Rule Paths #
var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
# Define Servers #
var DNS_SERVERS [$HOME_NET]
var SMTP_SERVERS [$HOME_NET]
var HTTP_SERVERS [$HOME_NET]
var WWW_SERVERS [$HOME_NET]
var SQL_SERVERS [$HOME_NET]
var TELNET_SERVERS [$HOME_NET]
var SNMP_SERVERS [$HOME_NET]
var FTP_SERVERS [$HOME_NET]
var SSH_SERVERS [$HOME_NET]
var POP_SERVERS [$HOME_NET]
var IMAP_SERVERS [$HOME_NET]
var SIP_PROXY_IP [$HOME_NET]
var SIP_SERVERS [$HOME_NET]
var RPC_SERVERS [$HOME_NET]
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Define Server Ports #
portvar DNS_PORTS [53]
portvar SMTP_PORTS [25]
portvar MAIL_PORTS [25,143,465,691]
portvar HTTP_PORTS [80]
portvar ORACLE_PORTS [1521]
portvar MSSQL_PORTS [1433]
portvar TELNET_PORTS [23]
portvar SNMP_PORTS [161]
portvar FTP_PORTS [21]
portvar SSH_PORTS [22]
portvar POP2_PORTS [109]
portvar POP3_PORTS [110]
portvar IMAP_PORTS [143]
portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
portvar SIP_PORTS [5060:5090,16384:32768]
portvar AUTH_PORTS [113]
portvar FINGER_PORTS [79]
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
portvar SMB_PORTS [139,445]
portvar NNTP_PORTS [119]
portvar RLOGIN_PORTS [513]
portvar RSH_PORTS [514]
portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
portvar SSL_PORTS_IGNORE [443,465,563,636,989,990,992,993,994,995]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
portvar SHELLCODE_PORTS [!80]
portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
portvar DCERPC_NCACN_IP_TCP [139,445]
portvar DCERPC_NCADG_IP_UDP [138,1024:]
portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
portvar DCERPC_NCACN_UDP_LONG [135,1024:]
portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
portvar DCERPC_NCACN_TCP [2103,2105,2107]
portvar DCERPC_BRIGHTSTORE [6503,6504]
# Configure the snort decoder #
config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops
# Configure the detection engine #
config detection: search-method ac-bnfa max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length
#Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
dynamicengine directory /usr/local/lib/snort/dynamicengine
dynamicdetection directory /usr/local/lib/snort/dynamicrules
# Flow and stream #
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy bsd detect_anomalies
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
preprocessor stream5_tcp: policy BSD, ports both all
preprocessor stream5_udp:
preprocessor stream5_icmp:
# Performance Statistics #
preprocessor perfmonitor: time 300 file /var/log/snort/snort_em339737/em3.stats pktcnt 10000
# HTTP Inspect #
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    non_strict \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    flow_depth 0 \
    apache_whitespace no \
    directory no \
    iis_backslash no \
    u_encode yes \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    normalize_javascript \
    unlimited_decompress \
    ascii no \
    chunk_length 500000 \
    bare_byte yes \
    double_decode yes \
    iis_unicode no \
    iis_delimiter no \
    multi_slash no
# Other preprocs #
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
preprocessor bo
# ftp preprocessor #
preprocessor ftp_telnet: global \
    inspection_type stateless
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: \
    ftp server default \
    def_max_param_len 100 \
    ports { 21 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
# SMTP preprocessor #
preprocessor SMTP: \
    ports { 25 465 691 } \
    inspection_type stateful \
    normalize cmds \
    valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
    CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
    PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    max_header_line_len 1000 \
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
    alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
    alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    xlink2state { enable }
# sf Portscan #
preprocessor sfportscan: scan_type { all } \
    proto { all } \
    memcap { 10000000 } \
    sense_level { medium } \
    ignore_scanners { $HOME_NET }
# DCE/RPC 2 #
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3
# DNS preprocessor #
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
# Ignore SSL and Encryption #
preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted
# Snort Output Logs #
output unified: filename snort_39737_em3.log, limit 128
output alert_full: alert
output unified2: filename snort_39737_em3.u2, limit 128
output alert_pf: /usr/local/etc/snort/snort_39737_em3/MainWhiteList,snort2c,src,kill
# Misc Includes #
include /usr/local/etc/snort/snort_39737_em3/reference.config
include /usr/local/etc/snort/snort_39737_em3/classification.config
include /usr/local/etc/snort/snort_39737_em3/MainSuppressList
# Snort user pass through configuration
# Rules Selection #
include $RULE_PATH/snort_attack-responses.rules
include $RULE_PATH/snort_bad-traffic.so.rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/snort_backdoor.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/snort_bad-traffic.rules
include $RULE_PATH/snort_blacklist.rules
include $RULE_PATH/snort_exploit.so.rules
include $RULE_PATH/emerging-ciarmy.rules
include $RULE_PATH/snort_botnet-cnc.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/snort_content-replace.rules
include $RULE_PATH/snort_misc.so.rules
include $RULE_PATH/snort_ddos.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/snort_dos.rules
include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/snort_exploit.rules
include $RULE_PATH/snort_specific-threats.so.rules
include $RULE_PATH/snort_web-client.so.rules
include $RULE_PATH/snort_web-misc.so.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-misc.rules
include $RULE_PATH/emerging-mobile_malware.rules
include $RULE_PATH/snort_indicator-compromise.rules
include $RULE_PATH/snort_indicator-obfuscation.rules
include $RULE_PATH/snort_misc.rules
include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-shellcode.rules
include $RULE_PATH/snort_other-ids.rules
include $RULE_PATH/snort_phishing-spam.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-web_client.rules
include $RULE_PATH/emerging-worm.rules
include $RULE_PATH/snort_scan.rules
include $RULE_PATH/snort_shellcode.rules
include $RULE_PATH/snort_specific-threats.rules
include $RULE_PATH/snort_spyware-put.rules
include $RULE_PATH/snort_virus.rules
include $RULE_PATH/snort_web-attacks.rules
include $RULE_PATH/snort_web-client.rules
include $RULE_PATH/snort_web-misc.rules
PS: Neither the block nor the update rule cron jobs are created. I've re-saved every page.
-
Cino, you are missing:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
Probably from issues of installing/reinstalling!?
I also fixed your issue of cronjobs.
For all the others having issues with blocking: whenever you have a system log entry of 'unable to parse', please get the file under /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.
Also the HOME_NET issue has been fixed.
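Added example (mine, not code from the package or from anyone in this thread): a check for the two gaps raised above, a generated snort.conf that lacks the preprocessor/decoder includes and a HOME_NET that leaves out the WAN or gateway address. The sample conf is a constructed excerpt using values from Cino's config; the function names are my own.

```python
import ipaddress
import re

# The two includes pointed out as missing from the posted snort.conf.
REQUIRED_INCLUDES = (
    "$PREPROC_RULE_PATH/preprocessor.rules",
    "$PREPROC_RULE_PATH/decoder.rules",
)

# Constructed excerpt in the layout of the generated snort.conf posted above;
# the addresses and paths are the ones that appear in the thread.
SAMPLE_CONF = """\
# snort configuration file
var HOME_NET [209.18.47.62,192.168.200.0/24,192.168.50.0/24]
var EXTERNAL_NET [!$HOME_NET]
var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
include $RULE_PATH/snort_attack-responses.rules
include $RULE_PATH/emerging-scan.rules
"""


def var_list(conf, name):
    """Items of 'var NAME [a,b,...]', or None when the var is not defined."""
    m = re.search(rf"^\s*var\s+{re.escape(name)}\s+\[([^\]]*)\]", conf, re.M)
    if m is None:
        return None
    return [x.strip() for x in m.group(1).split(",") if x.strip()]


def missing_includes(conf):
    """Required includes that no 'include ...' line in the conf provides."""
    present = {m.group(1) for m in re.finditer(r"^\s*include\s+(\S+)", conf, re.M)}
    return [inc for inc in REQUIRED_INCLUDES if inc not in present]


def uncovered_addresses(conf, addrs):
    """WAN / gateway addresses that HOME_NET does not cover.

    Negated items and nested $VARS are skipped rather than resolved.
    """
    nets = [ipaddress.ip_network(item, strict=False)
            for item in var_list(conf, "HOME_NET") or []
            if not item.startswith(("!", "$"))]
    return [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)]


def lint_snort_conf(conf, wan_addrs=()):
    """Both checks in one report; empty lists mean the conf passes."""
    return {
        "missing_includes": missing_includes(conf),
        "uncovered": uncovered_addresses(conf, wan_addrs),
    }


if __name__ == "__main__":
    print(lint_snort_conf(SAMPLE_CONF, ["209.18.47.62", "192.168.200.1", "10.0.0.1"]))
```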
-
thanks Ermal! next time i'll read the whole config file ;)
I'm thinking from all the (de)(re)installing…
I did uninstall... search/delete anything referencing snort, then install... I may just wipe my config out altogether and start fresh if it happens again.