Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.4.2 Issues

    Scheduled Pinned Locked Moved pfSense Packages
    116 Posts 19 Posters 33.5k Views
• Cino

There are a couple of rules that are missing, but I figured out what happened to them. They are preprocessors.. I would prefer sensitive data be an option that we can turn on or off.. At first I commented it out in snort.inc, but because its rule file loads, snort failed to start.. I guess we could suppress them, but wouldn't that mean memory would be wasted?

@breusshe I thought of doing that a while ago… If it gets fixed, let me know how it works for you.. I will have to try it.

• Fesoj

        The fatal error

        Jul 15 14:53:56  snort[62849]: FATAL ERROR: Unable to load pf args: No such file or directory

        seems to occur randomly, but a manual restart of the interface works.

So far I have not been successful in making the snort p2p rules work.

The ET p2p rules work on the WAN interface. Even blocking is working. On the LAN interface nothing is working: no alerts, and a fortiori no blocking. Maybe this is due to a different behavior of the latest snort version. It could be that the HOME_NET is always considered "white", such that no alerts occur, but this would mean that company policy violations cannot be tracked (on the WAN side you would typically see only the gateway). Can somebody confirm this?

• dwood

Fesoj, saw the same error:

Jul 15 14:53:56  snort[62849]: FATAL ERROR: Unable to load pf args: No such file or directory

• simby

Fresh install of pfSense + snort, and snort won't block any IP or send alerts to the snort log.

What is the problem?

pfSense x64 2.0.1

• Fesoj

              simby:

              my current experience is that some rules work and others don't. It seems that I cannot activate a second interface. On the first interface (WAN side), only the emerging threat rules work (alerting & blocking), but not the snort rules. I have tested essentially only the p2p rules.

              What rules are you using?

• simby

ALL rules of snort premium & E.

My snort is crashing in 2-5 min., from on to off  ???

On 8GB memory and quad CPU

• simby

                  from system log:

                  Jul 15 19:35:03 snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call
                  Jul 15 19:35:03 snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call
                  Jul 15 19:35:02 snort[40704]: [ Number of null byte prefixed patterns trimmed: 11328 ]
                  Jul 15 19:35:02 snort[40704]: [ Number of null byte prefixed patterns trimmed: 11328 ]
Jul 15 19:35:02 snort[40704]: +------------------------------------------------
Jul 15 19:35:02 snort[40704]: +------------------------------------------------

• Cino

                    Added some more suggestions/issues to post http://forum.pfsense.org/index.php/topic,51387.msg275159.html#msg275159

                    @breusshe

If you don't mind commenting out some PHP code, you can get your 2nd WAN interface back:

                    lines 82 and 83 in /usr/local/www/snort/snort_interfaces_edit.php

                    make them look like this:

                    
                    #		if ($natent['interface'] == $_POST['interface'])
                    #			$input_errors[] = "This interface is already configured for another instance";
                    
                    

                    This allowed me to create another WAN interface, and it has a different ID:

                    
                     ps -aux | grep snort
                    root   61341 23.7    ??  Ss    1:56PM   0:01.29 /usr/pbi/snort-i386/bin/snort -R 36745 -D -q -l /var/log/snort/snort_em336745 --pid-path /var/run --nolock-pidfile -G 36745 -c /usr/
                    root   59209  0.2    ??  Ss    1:54PM   0:01.13 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/
                    root    3143  0.0  0.3 13048  8384  ??  Ss    1:54PM   0:00.06 /usr/local/bin/barnyard2 -r 60770 -f snort_60770_em3.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_60770_em3
                    root   35410  0.0  0.0  3536  1256   0  S+    1:56PM   0:00.01 grep snort
                    
                    
• Fesoj

                      simby:

                      have you tried deactivating all rules (such that only the preprocessors are active)?

                      The message

                      Jul 15 19:35:03    snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call

                      has been observed by myself and others, but, after manually restarting the interface, snort remains stable (on my machine).

• eri--

                        @Fesoj:

                        simby:

                        have you tried deactivating all rules (such that only the preprocessors are active)?

                        The message

                        Jul 15 19:35:03    snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call

                        has been observed by myself and others, but, after manually restarting the interface, snort remains stable (on my machine).

                        Please reinstall the new binary this has been fixed.

• eri--

                          @Cino:

                          Added some more suggestions/issues to post http://forum.pfsense.org/index.php/topic,51387.msg275159.html#msg275159

                          @breusshe

If you don't mind commenting out some PHP code, you can get your 2nd WAN interface back:

                          lines 82 and 83 in /usr/local/www/snort/snort_interfaces_edit.php

                          make them look like this:

                          
                          #		if ($natent['interface'] == $_POST['interface'])
                          #			$input_errors[] = "This interface is already configured for another instance";
                          
                          

                          This allowed me to create another WAN interface, and it has a different ID:

                          
                           ps -aux | grep snort
                          root   61341 23.7    ??  Ss    1:56PM   0:01.29 /usr/pbi/snort-i386/bin/snort -R 36745 -D -q -l /var/log/snort/snort_em336745 --pid-path /var/run --nolock-pidfile -G 36745 -c /usr/
                          root   59209  0.2    ??  Ss    1:54PM   0:01.13 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/
                          root    3143  0.0  0.3 13048  8384  ??  Ss    1:54PM   0:00.06 /usr/local/bin/barnyard2 -r 60770 -f snort_60770_em3.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_60770_em3
                          root   35410  0.0  0.0  3536  1256   0  S+    1:56PM   0:00.01 grep snort
                          
                          

Use event_filter configurations for this; it makes no sense to do this!

• eri--

                            @Cino:

@ermal Great work!!! So far so good.. It's alerting and blocking.

Issues I've noticed
1: Have the alert description show up on the block page. I noticed you did some tweaks for the snort binary.. Hopefully when it's built, it will resolve this.

                            Still checking on this

2: On the alert page, the Priority column is grabbing data from the date time-stamp with seconds. Noticed the time-stamp is in the alert file a couple of times.. I don't see Priority in the new alert file format. Not sure if or how it's used by other users. I do miss the classification column, though.

                            With new binary this should be ok, if not shout.

                            
                            New Alert Format
                            07/15-08:07:58.167280 ,1,2402001,2666,"ET DROP Dshield Block Listed Source",UDP,69.175.126.170,33137,x.x.x.x,1900,0,07/15-08:07:58.167280 ,07/15-08:07:58.167280 ,
                            
                            Old Alert Format
                            [**] [1:2402000:2650] ET DROP Dshield Block Listed Source [**]
                            [Classification: Misc Attack] [Priority: 2] 
                            07/01-11:04:.200:16189 -> x.x.x.x:22
                            TCP TTL:117 TOS:0x0 ID:10183 IpLen:20 DgmLen:48
                            ******S* Seq: 0x3932295A  Ack: 0x661A02CF  Win: 0xFFFF  TcpLen: 28
                            TCP Options (4) => MSS: 1460 NOP NOP SackOK 
                            [Xref => http://feeds.dshield.org/block.txt]
                            
                            

                            Hoping the new binary will resolve this issue too

                            3: Not sure if this is needed but I noticed the Default HOME_NET doesn't include the LAN subnet. Only the LAN IP of pfSense..

That is how I think it should be.
There is no reason to trust your LAN, is there?
From my side it's there just because old code put the IPs of all interfaces; it should only put the IP of the interface it's listening on!
Though I'm just still thinking about doing that change.

                            4: Clear Alert log only works for first interface, doesn't clear them for 2nd one

                            Should be fixed

                            A couple of little things to tweak I think
1: Someone else brought this up, enable sorting within the alert page.. And IMHO I would have default sorting as last alert, not first alert

                            Done

                            2: IMHO I think SRC/DST Ports should be put back into separate columns. The log format would be cleaner and allow sorting

                            done

3: Use the same font/size that is used for the whitelist edit page for the suppress edit page

                            Not sure here displays fine!

4: Folders/file names are not consistent; they should follow this as an example: snort_60770_em3

                            
                            Folders:
                            /var/log/snort/snort_em360770
                            Files:
                            /var/run/snort_em360770.pid
                            
                            

                            I would like to remove the interface from the paths but just want do it.
And anyway it's backend.

                            Future add-on
This would be really nice but I know it's not in-scope right now
                            http://forum.pfsense.org/index.php/topic,42994.0.html

                            Not from me.
                            Use barnyard or something else for that. I consider that in depth analysis.

PS.  It's able to detect and block IPv6 addresses; still tweaking my NETLIST for it, though.. I've noticed IPv6 addresses show up in the block list, which is really good! No more looking at the snort2c table.

                            Will add soon.

• eri--
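Both alert formats quoted above (and quoted again in a later post), parsed side by side as an added example that is not code from the pfSense package or from anyone in this thread: the first ten CSV columns are named from the sample line and the old-format alert it corresponds to, the columns after dstport are only numbered (col11 and so on) because the thread does not say what they hold, and the check reports which of those merely repeat the timestamp, the symptom described for the Priority column. Assumptions: the column names, the col11-style labels, and the old-format packet line, which is constructed because the page's copy of it is garbled.

```python
"""Parse the two Snort alert file formats quoted in this thread (added example)."""
import csv
import re
from typing import Dict, List, Optional

# Names for the first ten CSV columns, taken from the sample line and the old-format
# alert it corresponds to ([gid:sid:rev], msg, proto, src:port -> dst:port).
KNOWN_COLUMNS = ("timestamp", "gid", "sid", "rev", "msg", "proto",
                 "src", "srcport", "dst", "dstport")
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+$")
OLD_HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
OLD_CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")
OLD_ADDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
OLD_PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")

# Constructed sample input, copied from the new-format line shown in the thread.
NEW_FORMAT_LINE = ('07/15-08:07:58.167280 ,1,2402001,2666,'
                   '"ET DROP Dshield Block Listed Source",UDP,69.175.126.170,'
                   '33137,x.x.x.x,1900,0,07/15-08:07:58.167280 ,07/15-08:07:58.167280 ,')
# Constructed sample: header and classification lines are from the thread; the
# packet line is made up because the page's copy of it is garbled.
OLD_FORMAT_ALERT = """[**] [1:2402000:2650] ET DROP Dshield Block Listed Source [**]
[Classification: Misc Attack] [Priority: 2]
07/01-11:04:55.200123 10.0.0.5:16189 -> x.x.x.x:22
TCP TTL:117 TOS:0x0 ID:10183 IpLen:20 DgmLen:48
******S* Seq: 0x3932295A  Ack: 0x661A02CF  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""


def parse_new_format(line: str) -> Dict[str, Optional[str]]:
    """Parse one CSV-style alert line; columns after dstport become col11, col12, ..."""
    fields = next(csv.reader([line]))
    if fields and fields[-1] == "":       # the trailing comma yields an empty last field
        fields.pop()
    fields = [f.strip() for f in fields]  # the sample pads its timestamps with a space
    record: Dict[str, Optional[str]] = dict(zip(KNOWN_COLUMNS, fields))
    for pos, value in enumerate(fields[len(KNOWN_COLUMNS):], start=len(KNOWN_COLUMNS) + 1):
        record[f"col{pos}"] = value
    # Nothing in the new format is identifiable as classification or priority.
    record["classification"], record["priority"] = None, None
    return record


def repeated_timestamp_columns(record: Dict[str, Optional[str]]) -> List[str]:
    """Unnamed columns that merely repeat the alert timestamp: the symptom reported in
    the thread, where the column displayed as Priority is filled from the timestamp."""
    return [name for name, value in record.items()
            if name.startswith("col") and value is not None
            and TIMESTAMP_RE.match(value) and value == record["timestamp"]]


def parse_old_format(block: str) -> Dict[str, Optional[str]]:
    """Parse one classic multi-line alert block into the same record layout."""
    record: Dict[str, Optional[str]] = dict.fromkeys(KNOWN_COLUMNS + ("classification", "priority"))
    for raw in block.splitlines():
        line = raw.strip()
        if m := OLD_HEADER_RE.match(line):
            record["gid"], record["sid"], record["rev"], record["msg"] = m.groups()
        elif m := OLD_CLASS_RE.match(line):
            record["classification"], record["priority"] = m.groups()
        elif m := OLD_ADDR_RE.match(line):
            (record["timestamp"], record["src"], record["srcport"],
             record["dst"], record["dstport"]) = m.groups()
        elif (m := OLD_PROTO_RE.match(line)) and record["proto"] is None:
            record["proto"] = m.group(1)  # the "TCP TTL:..." line, not "TCP Options"
    return record
```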

                              BTW, where are my donations?

                              For those who want to donate please go to http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77

• eri--

                                Fixed even blocked page.
                                Just reinstall, with a new binary.

• Cino

                                  thanks for the changes. Haven't gone thru all of them yet but snort won't start because of the sensitive-data change. When I disable it in the GUI and click Save, the checkbox is still checked.

                                  
                                  Jul 15 18:46:23 	snort[38626]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_60770_em3//usr/local/etc/snort/preproc_rules/sensitive-data.rules/": No such file or directory.
                                  Jul 15 18:46:23 	snort[38626]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_60770_em3//usr/local/etc/snort/preproc_rules/sensitive-data.rules/": No such file or directory.
                                  
                                  

After removing the / on line 1280:

                                  
                                  Jul 15 18:50:58 	snort[46423]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
                                  Jul 15 18:50:58 	snort[46423]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
                                  
                                  

With the / removed and sensitive-data enabled, snort starts.

Going to go over the other changes and report back… thank you again!!

Edit: Did some quick testing with the blocking feature... Block Page looking good!! I would probably take out the msec(s), but if it would be a big change, I can live with it ;) A couple of tweaks are needed for the Alert page, see screen shots:

[Attachments: snort_alerts.jpg, snort_blocks.jpg]

• Cino

                                    @ermal:

                                    @Cino:

@ermal Great work!!! So far so good.. It's alerting and blocking.

Issues I've noticed
1: Have the alert description show up on the block page. I noticed you did some tweaks for the snort binary.. Hopefully when it's built, it will resolve this.

                                    Still checking on this

                                    Fixed

2: On the alert page, the Priority column is grabbing data from the date time-stamp with seconds. Noticed the time-stamp is in the alert file a couple of times.. I don't see Priority in the new alert file format. Not sure if or how it's used by other users. I do miss the classification column, though.

                                    With new binary this should be ok, if not shout.

                                    Fixed

                                    
                                    New Alert Format
                                    07/15-08:07:58.167280 ,1,2402001,2666,"ET DROP Dshield Block Listed Source",UDP,69.175.126.170,33137,x.x.x.x,1900,0,07/15-08:07:58.167280 ,07/15-08:07:58.167280 ,
                                    
                                    Old Alert Format
                                    [**] [1:2402000:2650] ET DROP Dshield Block Listed Source [**]
                                    [Classification: Misc Attack] [Priority: 2] 
                                    07/01-11:04:.200:16189 -> x.x.x.x:22
                                    TCP TTL:117 TOS:0x0 ID:10183 IpLen:20 DgmLen:48
                                    ******S* Seq: 0x3932295A  Ack: 0x661A02CF  Win: 0xFFFF  TcpLen: 28
                                    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
                                    [Xref => http://feeds.dshield.org/block.txt]
                                    
                                    

                                    Hoping the new binary will resolve this issue too

                                    3: Not sure if this is needed but I noticed the Default HOME_NET doesn't include the LAN subnet. Only the LAN IP of pfSense..

That is how I think it should be.
There is no reason to trust your LAN, is there?
From my side it's there just because old code put the IPs of all interfaces; it should only put the IP of the interface it's listening on!
Though I'm just still thinking about doing that change.

                                    I'm leaning to agree with you on this one.. Probably no reason for it.

                                    4: Clear Alert log only works for first interface, doesn't clear them for 2nd one

                                    Should be fixed

                                    Haven't tested yet

                                    A couple of little things to tweak I think
1: Someone else brought this up, enable sorting within the alert page.. And IMHO I would have default sorting as last alert, not first alert

                                    Done

                                    Thank you!

                                    2: IMHO I think SRC/DST Ports should be put back into separate columns. The log format would be cleaner and allow sorting

                                    done

Thank you, but it needs a couple of tweaks; see above post

• miles267

                                      @ermal:

                                      Fixed even blocked page.
                                      Just reinstall, with a new binary.

                                      I can confirm the alert descriptions on the blocked page are back and working.  Thanks Ermal!

• dwood

                                        Ermal, on AMD64, 2.0.1 (this time a reinstall of 2.4.2 instead of the usual "clean" install I've been doing):

                                        1. Alert descriptions are back visible on blocked IP

                                        2.  2nd Interface alerts can now be cleared..and the interface is now staying active when selected.

                                        3.  Love the new categories (select all) and add to suppress features.

4.  Issue with 2nd interface stopping after reboot is still there.

Jul 15 20:52:03 snort[35121]: FATAL ERROR: Unable to load pf args: Interrupted system call

This is going on with two separate installations, both AMD64, 2.0.1

Awesome work sir.  I am sending $$$ your way.

Cheers,
Dennis.
• tester_02

                                          @ermal:

                                          BTW, where are my donations?

                                          For those who want to donate please go to http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77

                                          Done..  It's been a while so feeling bad about it.  Best home router ever!

                                          Hoping people who use it for business contribute a lot more than me.

• 10101000

                                            @ermal:

                                            BTW, where are my donations?

                                            For those who want to donate please go to http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77

                                            So far, so good. I've sent a donation your way and look forward to future improvements.

                                            Thanks

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.