Snort 2.9.2.3 pkg v. 2.4.2 Issues
-
@ermal:
Also, I did notice that the ALERT DESCRIPTION field on the Snort BLOCKED (tab) is displaying N/A instead of a blank field. Although this is an improvement, how can the functionality be restored to display the actual alert description text? In my global settings, I have this set to FULL which is did display correctly some time ago. Thanks.
That means that the ip is in the table and not in the alerts file
What does this mean – in the table and not in the alert file? doesn't the info in the alerts tab map to an IP listed in the BLOCKED tab? In the past, I've always had Alert Descriptions populated with actual full details as opposed to N/A or blank. Please elaborate for education. Thanks.
-
Getting this on AMD64 2.0.1 with a clean install of 2.4.2:
Jul 12 21:34:54 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.Snort exits on this.
If I uncheck a few .so rules (love the new categories interface!) Snort will start. Is this by design?
Cheers,
Dennis. -
snort dies when blocking is enabled
Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
1 1 TCP GPL SHELLCODE x86 inc ebx NOOP Executable Code was Detected 31.13.69.42 80 -> 68.172.210.112 56586 1:1390:6 07/12-20:28:37
-
snort dies when blocking is enabled
Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
1 1 TCP GPL SHELLCODE x86 inc ebx NOOP Executable Code was Detected 31.13.69.42 80 -> 68.172.210.112 56586 1:1390:6 07/12-20:28:37
All that are expiriencing this ioctl issue can confirm that are on 2.1?
-
Getting this on AMD64 2.0.1 with a clean install of 2.4.2:
Jul 12 21:34:54 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.Snort exits on this.
If I uncheck a few .so rules (love the new categories interface!) Snort will start. Is this by design?
Cheers,
Dennis.Can you post your config dwood?
Also does this happen if you start/stop snort or just on a restart after update? -
Updated snort to Snort 2.9.2.3 pkg v. 2.4.2
Interface looks good!
It is working fine. But when I start snort, I get this message in System Logs.
Jul 13 10:12:20 snort[32688]: Initializing daemon mode
Jul 13 10:12:20 snort[32688]: Initializing daemon mode
Jul 13 10:12:20 snort[32688]: Acquiring network traffic from "em0".
Jul 13 10:12:20 snort[32688]: Acquiring network traffic from "em0".
Jul 13 10:12:20 snort[32688]: The DAQ version does not support reload.
Jul 13 10:12:20 snort[32688]: The DAQ version does not support reload.
Jul 13 10:12:20 snort[32688]: pcap DAQ configured to passive.
Jul 13 10:12:20 snort[32688]: pcap DAQ configured to passive.
Jul 13 10:12:20 snort[32688]: [ Number of null byte prefixed patterns trimmed: 172 ]
Jul 13 10:12:20 snort[32688]: [ Number of null byte prefixed patterns trimmed: 172 ]Is it ok?
-
I think that line about DAQ has been there for a long long time. It should still work just fine.
-
I did a complete reinstall of snort (10min ago) and i have the same error of my last post.
snort[23088]: FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
@ermal:
For all the others having issues with blocking please whenever you have system log of 'unable to parse', get the file under the /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.
cat /usr/local/etc/snort/snort_18407_pppoe0/whitlsit
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1greetz HOD
EDIT: my System 2.0.1-RELEASE (amd64) Snort 2.9.2.3 pkg v. 2.4.2
-
@ermal:
All that are expiriencing this ioctl issue can confirm that are on 2.1?
2.1-BETA0 (i386)
built on Tue Jul 3 17:55:18 EDT 2012
FreeBSD 8.3-RELEASE-p3I'm about to upgrade to the latest snap here shortly
-
@ermal:
snort dies when blocking is enabled
Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device Jul 12 20:28:37 snort[4131]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
1 1 TCP GPL SHELLCODE x86 inc ebx NOOP Executable Code was Detected 31.13.69.42 80 -> 68.172.210.112 56586 1:1390:6 07/12-20:28:37
All that are expiriencing this ioctl issue can confirm that are on 2.1?
Ermal
I have not seen this error at all. I am on amd64 2.01
However snort does stop with blocking enabled here is the latest:
Jul 13 01:33:29 kernel: pid 56726 (snort), uid 0: exited on signal 11
Jul 13 01:33:29 snort[56726]: [1:2001219:18] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP}
Jul 13 01:33:29 snort[56726]: [1:2001219:18] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP}
Jul 13 01:07:04 kernel: pid 11612 (snort), uid 0: exited on signal 11
Jul 13 01:07:04 snort[11612]: [1:2406223:287] ET RBN Known Russian Business Network IP UDP (112) [Classification: Misc Attack] [Priority: 2] {UDP}
Jul 13 01:07:04 snort[11612]: [1:2406223:287] ET RBN Known Russian Business Network IP UDP (112) [Classification: Misc Attack]Snort is running on two external interfaces.
Here is the log:
[] [1:2001219:18] ET SCAN Potential SSH Scan []
[Classification: Attempted Information Leak] [Priority: 2]
07/13-01:33:29.677163 211.147.3.19:57698 -> nnn.nnn.4.162:22
TCP TTL:109 TOS:0x0 ID:31314 IpLen:20 DgmLen:48
*****S Seq: 0x3DBFE47C Ack: 0x678A7406 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://doc.emergingthreats.net/2001219][Xref => http://en.wikipedia.org/wiki/Brute_force_attack][] [1:2406223:287] ET RBN Known Russian Business Network IP UDP (112) []
[Classification: Misc Attack] [Priority: 2]
07/13-01:07:04.034851 204.124.182.253:53 -> nn.nn.107.97:25021
UDP TTL:52 TOS:0x20 ID:0 IpLen:20 DgmLen:71 DF
Len: 43
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork] -
ermal,
I'd rather fixed the ioctl problem, but the clearing issue is within my capabilities. See whether you can live with this (/usr/local/www/snort/snort_alerts.php, line 82ff):
if ($_GET['action'] == "clear" || $_POST['delete']) { $log_this = FALSE; $fname = '/tmp/snort_alerts_clear.txt'; foreach ($a_instance as $id => $instance) { $snort_uuid_loop = $instance['uuid']; $if_real_loop = snort_get_real_interface($instance['interface']); if ($log_this) { file_put_contents($fname, "if_real = $if_real_loop\r\nsnort_uuid = $snort_uuid_loop\r\n", FILE_APPEND); } if (file_exists("/var/log/snort/snort_{$if_real_loop}{$snort_uuid_loop}/alert")) { if ($log_this) { file_put_contents($fname, "alert file = /var/log/snort/snort_{$if_real_loop}{$snort_uuid_loop}/alert\r\n\r\n", FILE_APPEND); } conf_mount_rw(); snort_post_delete_logs($snort_uuid_loop); @file_put_contents("/var/log/snort/snort_{$if_real_loop}{$snort_uuid_loop}/alert", ""); /* XXX: This is needed is snort is run as snort user */ //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); mwexec('/bin/chmod 660 /var/log/snort/*', true); mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real_loop}{$snort_uuid_loop}.pid -a"); conf_mount_ro(); } } header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; }
-
Ermal, with regard to post #42, what config file are you looking for? If you can provide a path/name I'll post the file. I did install 2.4.2 with previous save settings toggled off. I also ran find /* | grep -i snort | xargs rm -rv to remove any snort references after removing the previous version. This is as clean an install I can figure out :-)
The error I posted occurs when attempting to start snort, either manually or after an update:
Jul 12 21:34:54 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.
Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.Other than this error..corrected by unchecking two .so rules, 2.4.2 has been running and blocking fine on two live AMD64 2.01 installations.
EDIT: It looks like both installations of 2.4.2 failed to start after a daily scheduled update. Starting interfaces manually worked OK.
Cheers,
Dennis. -
Please reinstall again!
You need a new snort binary for the alerts to be displayed correctly. -
Snort won't start after a reinstallation.
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(33): /usr/local/bin/snort /libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout
I've tried to pkg_delete libdnet and install snort again, but it still won't work. Is the package broken?
-
Also this: after an update, at the first event it looks crashing:
Jul 14 12:08:36 kernel: pid 47584 (snort), uid 0: exited on signal 11 Jul 14 12:08:36 snort[47584]: [1:2404102:2763] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 2) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 212.239.73.15:22445 -> 141.8.224.61:25 Jul 14 12:08:36 snort[47584]: [1:2404102:2763] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 2) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 212.239.73.15:22445 -> 141.8.224.61:25
Ciao,
Michele -
mdima nothing else on the logs?
-
I do not exactly know, if this is a feature or a bug:
When I leave Home NEt set as default in the GUI the Home Net variable is automagically set in the interfaces snort.conf.
There the whole subnet of the WAN interface gets added. Not only my WAN IP and the gateway, but the subnet with a 24 netmask. That can't be by design!?!Greetings, Judex
-
reinstalling 2.4.2, snort fails to start:
*** Welcome to pfSense 2.0.1-RELEASE-pfSense (amd64) on pfsense ***
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(1): /usr/local/bin/snort
/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layoutAlso, all .so rules were missing on this version, so not available to select.
Cheers,
Dennis. -
@ermal:
Please reinstall again!
You need a new snort binary for the alerts to be displayed correctly.Hi Ermal, nothing else AFAIK. If you want I can send you in private the full system log where that happened (I just saved it for reference).
Thanks,
Michele -
Please reinstall again in 30 minutes.
You need a new binary again.I think i fixed the alert_pf issues with the ioctl.