Snort 2.9.2.3 pkg v. 2.4.2 Issues
-
ermal,
looks like a very minor thing. I just compared the HOME_NET strings for different interfaces and in case of a modified HOME_NET there is a separator (,) missing when the modified ips/nets are added to the default settings.
UPDATE: looks as if one of the ".=" concatenations in function snort_build_list() in snort.inc is responsible for this one.
-
Also, I did notice that the ALERT DESCRIPTION field on the Snort BLOCKED (tab) is displaying N/A instead of a blank field. Although this is an improvement, how can the functionality be restored to display the actual alert description text? In my global settings, I have this set to FULL which is did display correctly some time ago. Thanks.
-
Also, I did notice that the ALERT DESCRIPTION field on the Snort BLOCKED (tab) is displaying N/A instead of a blank field. Although this is an improvement, how can the functionality be restored to display the actual alert description text? In my global settings, I have this set to FULL which is did display correctly some time ago. Thanks.
That means that the ip is in the table and not in the alerts file
-
ermal,
looks like a very minor thing. I just compared the HOME_NET strings for different interfaces and in case of a modified HOME_NET there is a separator (,) missing when the modified ips/nets are added to the default settings.
UPDATE: looks as if one of the ".=" concatenations in function snort_build_list() in snort.inc is responsible for this one.
Fixed, update after 15 minutes and should be ok.
-
If you are using an augmented home net, the interface doesn't start.
The problem is possibly the line 105 in /usr/local/pkg/snort/snort.inc:
$home_net .= trim($whitelist['address'])which should be replaced by
$home_net .= trim($whitelist['address']) . ' ';
.i.e. the concatenated string should be terminated by space (so that the array building stuff at the end of the function works properly).
-
https://github.com/bsdperimeter/pfsense-packages/commit/80167e60d36acd613a083bbea6e2fbfd5f180f89 That i what i did already :)
-
@ermal:
Cino you are missing
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rulesProbably from issues of install reinstalling!?
I also fixed your issue of cronjobs.
For all the others having issues with blocking please whenever you have system log of 'unable to parse', get the file under the /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.
Also the HOME_NET issue has been fixed.
I still do not see the cron jobs being created.
-
neyn, you allowed for string interpolation, which is not necessary here. ;)
-
With "Blocking" is enabled, the system still freezes. I guess it is the old ioctl problem, but I still need to verfy this.
-
Well, blocking triggers
snort[15653]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
so, currently, blocking should be disabled.
-
Also, you can still not clear alert messages for interfaces other than the first one.
If nobody minds, I'd like to hand in my quick&dirty solution tomorrow…
-
@ermal:
Cino you are missing
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rulesI also fixed your issue of cronjobs.
Also the HOME_NET issue has been fixed.
I removed my interface config and built a new one…they still aren't there. cron looks fixed, noticed a new cron job for a file i haven't seen before.. have to check that out. HOME_NET looks good so far... still testing
# snort configuration file # generated automatically by the pfSense subsystems do not modify manually # Define Local Network # var HOME_NET [127.0.0.1,10.0.0.0/8,x.x.x.x/22,192.168.0.1/24,192.168.200.1/32,172.16.50.1/32,192.168.5.1/24,x.x.x.x,209.18.47.61,209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24] var EXTERNAL_NET [!$HOME_NET] # Define Rule Paths # var RULE_PATH /usr/local/etc/snort/snort_60770_em3/rules var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules # Define Servers # var DNS_SERVERS [$HOME_NET] var SMTP_SERVERS [$HOME_NET] var HTTP_SERVERS [$HOME_NET] var WWW_SERVERS [$HOME_NET] var SQL_SERVERS [$HOME_NET] var TELNET_SERVERS [$HOME_NET] var SNMP_SERVERS [$HOME_NET] var FTP_SERVERS [$HOME_NET] var SSH_SERVERS [$HOME_NET] var POP_SERVERS [$HOME_NET] var IMAP_SERVERS [$HOME_NET] var SIP_PROXY_IP [$HOME_NET] var SIP_SERVERS [$HOME_NET] var RPC_SERVERS [$HOME_NET] var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] # Define Server Ports # portvar DNS_PORTS [53] portvar SMTP_PORTS [25] portvar MAIL_PORTS [25,143,465,691] portvar HTTP_PORTS [80] portvar ORACLE_PORTS [1521] portvar MSSQL_PORTS [1433] portvar TELNET_PORTS [23] portvar SNMP_PORTS [161] portvar FTP_PORTS [21] portvar SSH_PORTS [22] portvar POP2_PORTS [109] portvar POP3_PORTS [110] portvar IMAP_PORTS [143] portvar SIP_PROXY_PORTS [5060:5090,16384:32768] portvar SIP_PORTS [5060:5090,16384:32768] portvar AUTH_PORTS [113] portvar FINGER_PORTS [79] portvar IRC_PORTS [6665,6666,6667,6668,6669,7000] portvar SMB_PORTS [139,445] portvar NNTP_PORTS [119] portvar RLOGIN_PORTS [513] portvar RSH_PORTS [514] portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995] portvar SSL_PORTS_IGNORE [443,465,563,636,989,990,992,993,994,995] portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] portvar SHELLCODE_PORTS [!80] portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779] portvar DCERPC_NCACN_IP_TCP [139,445] portvar DCERPC_NCADG_IP_UDP [138,1024:] portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:] portvar DCERPC_NCACN_UDP_LONG [135,1024:] portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:] portvar DCERPC_NCACN_TCP [2103,2105,2107] portvar DCERPC_BRIGHTSTORE [6503,6504] # Configure the snort decoder # config checksum_mode: all config disable_decode_alerts config disable_tcpopt_experimental_alerts config disable_tcpopt_obsolete_alerts config disable_ttcp_alerts config disable_tcpopt_alerts config disable_ipopt_alerts config disable_decode_drops # Configure the detection engine # config detection: search-method ac-bnfa max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor dynamicengine directory /usr/local/lib/snort/dynamicengine dynamicdetection file /usr/local/lib/snort/dynamicrules/bad-traffic.so dynamicdetection file /usr/local/lib/snort/dynamicrules/exploit.so dynamicdetection file /usr/local/lib/snort/dynamicrules/misc.so dynamicdetection file /usr/local/lib/snort/dynamicrules/specific-threats.so dynamicdetection file /usr/local/lib/snort/dynamicrules/web-client.so dynamicdetection file /usr/local/lib/snort/dynamicrules/web-misc.so # Flow and stream # preprocessor frag3_global: max_frags 8192 preprocessor frag3_engine: policy bsd detect_anomalies preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes preprocessor stream5_tcp: policy BSD, ports both all preprocessor stream5_udp: preprocessor stream5_icmp: # Performance Statistics # preprocessor perfmonitor: time 300 file /var/log/snort/snort_em360770/em3.stats pktcnt 10000 # HTTP Inspect # preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ ports { 80 8080 } \ non_strict \ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ flow_depth 0 \ apache_whitespace no \ directory no \ iis_backslash no \ u_encode yes \ extended_response_inspection \ inspect_gzip \ normalize_utf \ normalize_javascript \ unlimited_decompress \ ascii no \ chunk_length 500000 \ bare_byte yes \ double_decode yes \ iis_unicode no \ iis_delimiter no \ multi_slash no # Other preprocs # preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 # Back Orifice preprocessor bo # ftp preprocessor # preprocessor ftp_telnet: global \ inspection_type stateless preprocessor ftp_telnet_protocol: telnet \ normalize \ ayt_attack_thresh 200 preprocessor ftp_telnet_protocol: \ ftp server default \ def_max_param_len 100 \ ports { 21 } \ ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ ftp_cmds { FEAT CEL CMD MACB } \ ftp_cmds { MDTM REST SIZE MLST MLSD } \ ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ alt_max_param_len 256 { RNTO CWD } \ alt_max_param_len 400 { PORT } \ alt_max_param_len 512 { SIZE } \ chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ chk_str_fmt { FEAT CEL CMD } \ chk_str_fmt { MDTM REST SIZE MLST MLSD } \ chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ cmd_validity MODE < char ASBCZ > \ cmd_validity STRU < char FRP > \ cmd_validity ALLO < int [ char R int ] > \ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ cmd_validity PORT < host_port > preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes # SMTP preprocessor # preprocessor SMTP: \ ports { 25 465 691 } \ inspection_type stateful \ normalize cmds \ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ max_header_line_len 1000 \ max_response_line_len 512 \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ xlink2state { enable } # sf Portscan # preprocessor sfportscan: scan_type { all } \ proto { all } \ memcap { 10000000 } \ sense_level { medium } \ ignore_scanners { $HOME_NET } # DCE/RPC 2 # preprocessor dcerpc2: memcap 102400, events [smb, co, cl] preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ smb_max_chain 3 # DNS preprocessor # preprocessor dns: \ ports { 53 } \ enable_rdata_overflow # Ignore SSL and Encryption # preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted # Snort Output Logs # output unified: filename snort_60770_em3.log, limit 128 output alert_full: alert output unified2: filename snort_60770_em3.u2, limit 128 output alert_pf: /usr/local/etc/snort/snort_60770_em3/MainWhiteList,snort2c,src,kill # Misc Includes # include /usr/local/etc/snort/snort_60770_em3/reference.config include /usr/local/etc/snort/snort_60770_em3/classification.config include /usr/local/etc/snort/snort_60770_em3/MainSuppressList # Snort user pass through configuration # Rules Selection # include $RULE_PATH/snort_attack-responses.rules include $RULE_PATH/snort_bad-traffic.so.rules include $RULE_PATH/emerging-attack_response.rules include $RULE_PATH/snort_backdoor.rules include $RULE_PATH/emerging-botcc.rules include $RULE_PATH/snort_bad-traffic.rules include $RULE_PATH/snort_blacklist.rules include $RULE_PATH/snort_exploit.so.rules include $RULE_PATH/emerging-ciarmy.rules include $RULE_PATH/snort_botnet-cnc.rules include $RULE_PATH/emerging-compromised.rules include $RULE_PATH/emerging-current_events.rules include $RULE_PATH/snort_content-replace.rules include $RULE_PATH/snort_misc.so.rules include $RULE_PATH/snort_ddos.rules include $RULE_PATH/emerging-dos.rules include $RULE_PATH/snort_dos.rules include $RULE_PATH/emerging-dshield.rules include $RULE_PATH/emerging-exploit.rules include $RULE_PATH/snort_exploit.rules include $RULE_PATH/snort_specific-threats.so.rules include $RULE_PATH/snort_web-client.so.rules include $RULE_PATH/snort_web-misc.so.rules include $RULE_PATH/emerging-misc.rules include $RULE_PATH/emerging-mobile_malware.rules include $RULE_PATH/snort_indicator-compromise.rules include $RULE_PATH/snort_misc.rules include $RULE_PATH/emerging-rpc.rules include $RULE_PATH/emerging-scan.rules include $RULE_PATH/emerging-shellcode.rules include $RULE_PATH/snort_other-ids.rules include $RULE_PATH/snort_phishing-spam.rules include $RULE_PATH/emerging-trojan.rules include $RULE_PATH/emerging-user_agents.rules include $RULE_PATH/emerging-virus.rules include $RULE_PATH/emerging-web_client.rules include $RULE_PATH/emerging-worm.rules include $RULE_PATH/snort_scan.rules include $RULE_PATH/snort_shellcode.rules include $RULE_PATH/snort_specific-threats.rules include $RULE_PATH/snort_spyware-put.rules include $RULE_PATH/snort_virus.rules include $RULE_PATH/snort_web-attacks.rules include $RULE_PATH/snort_web-client.rules include $RULE_PATH/snort_web-misc.rulesoverall its looking good, thank again for this package re-write
-
@ermal:
Also, I did notice that the ALERT DESCRIPTION field on the Snort BLOCKED (tab) is displaying N/A instead of a blank field. Although this is an improvement, how can the functionality be restored to display the actual alert description text? In my global settings, I have this set to FULL which is did display correctly some time ago. Thanks.
That means that the ip is in the table and not in the alerts file
What does this mean – in the table and not in the alert file? doesn't the info in the alerts tab map to an IP listed in the BLOCKED tab? In the past, I've always had Alert Descriptions populated with actual full details as opposed to N/A or blank. Please elaborate for education. Thanks.
-
Getting this on AMD64 2.0.1 with a clean install of 2.4.2:
Jul 12 21:34:54 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.Snort exits on this.
If I uncheck a few .so rules (love the new categories interface!) Snort will start. Is this by design?
Cheers,
Dennis. -
snort dies when blocking is enabled
Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device1 1 TCP GPL SHELLCODE x86 inc ebx NOOP Executable Code was Detected 31.13.69.42 80 -> 68.172.210.112 56586 1:1390:6 07/12-20:28:37 -
snort dies when blocking is enabled
Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device1 1 TCP GPL SHELLCODE x86 inc ebx NOOP Executable Code was Detected 31.13.69.42 80 -> 68.172.210.112 56586 1:1390:6 07/12-20:28:37All that are expiriencing this ioctl issue can confirm that are on 2.1?
-
Getting this on AMD64 2.0.1 with a clean install of 2.4.2:
Jul 12 21:34:54 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.Snort exits on this.
If I uncheck a few .so rules (love the new categories interface!) Snort will start. Is this by design?
Cheers,
Dennis.Can you post your config dwood?
Also does this happen if you start/stop snort or just on a restart after update? -
Updated snort to Snort 2.9.2.3 pkg v. 2.4.2
Interface looks good!
It is working fine. But when I start snort, I get this message in System Logs.
Jul 13 10:12:20 snort[32688]: Initializing daemon mode
Jul 13 10:12:20 snort[32688]: Initializing daemon mode
Jul 13 10:12:20 snort[32688]: Acquiring network traffic from "em0".
Jul 13 10:12:20 snort[32688]: Acquiring network traffic from "em0".
Jul 13 10:12:20 snort[32688]: The DAQ version does not support reload.
Jul 13 10:12:20 snort[32688]: The DAQ version does not support reload.
Jul 13 10:12:20 snort[32688]: pcap DAQ configured to passive.
Jul 13 10:12:20 snort[32688]: pcap DAQ configured to passive.
Jul 13 10:12:20 snort[32688]: [ Number of null byte prefixed patterns trimmed: 172 ]
Jul 13 10:12:20 snort[32688]: [ Number of null byte prefixed patterns trimmed: 172 ]Is it ok?
-
I think that line about DAQ has been there for a long long time. It should still work just fine.
-
I did a complete reinstall of snort (10min ago) and i have the same error of my last post.
snort[23088]: FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
@ermal:
For all the others having issues with blocking please whenever you have system log of 'unable to parse', get the file under the /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.
cat /usr/local/etc/snort/snort_18407_pppoe0/whitlsit
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1greetz HOD
EDIT: my System 2.0.1-RELEASE (amd64) Snort 2.9.2.3 pkg v. 2.4.2