Snort 2.9.2.3 pkg v. 2.5.0 Issues

Cino

@breusshe:

@breusshe:

Just did the reinstall.  I get this error:

FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

The funny part is I'm not even using bad-traffic.so.  Not sure why it is even loading.

Uninstall and wipe of config, then reinstall seems to have fixed this.  Not sure what was causing it.  But, snort starts up just fine now.  Just waiting to see if I can catch alerts.

i figured out what is causing this.. ermal submitted a change based on what is left on our system when you uninstall snort https://github.com/bsdperimeter/pfsense-packages/commit/380d7cbe464a271c47fa57d4a890e1d61019fd08  I told him about this morning. These files are linked files to the pbi folders.. You we are doing a reinstall/reinstall gui.. Its removing the linked files.. Because how pbi's behave with the pfsense package manager… I recommend that you uninstall a package then install it when you doing an upgraded.. I recommend this because if you select to re-install the package, some reason or another, the pbi binary isn't re-installed.... Now this is behavior on pfSense 2.1.. 2.0.1, i would do the same thing

Cino

@Fesoj:

This is just inquiring on how to do updates in an economical way.

In emergency situations one could always update from github (github.com/bsdperimeter/pfsense-packages).

The regular package updates seem to come from  http://files.pfsense.com/packages/8/All/, but it takes some time after updating the repository before the regular package update has the latest version (hours?). Since not every package update is accompanied by a change of the version string, it is rather difficult to see, whether the advertised updates from the forum are going to be installed or not. Currently snort-2.9.2.3-i386.pbi is still from yesterday 2012-Jul-15 21:11:02, so a regular update (System: Packages:) doesn't really update anything. It looks to me that some of the recent messages can be explained by this setup.

It's not about making things faster, but to know when the update will actually be available. I wouldn't mind having a 4 digit version string for the package. Another method would be to base the update on the associated md5 hashes.

Am I here off base, or does this remark that make some sense?

Whentever changes are made to github.com/bsdperimeter/pfsense-packages, you are able to get them within 5 minutes or less(I think its real-time).. Binaries are a different story… jimp has a builder that builds them base on what changes happen to github.com/bsdperimeter/pfsense-tools... Not sure if its a auto or manual process for them to move the files over to files.pfsense.org

as far as seeing a package update within the package manager. that is up to the maintainer to increase the version number of the package.

pfsense team, correct me if i'm wrong on this

dwood

Same thing here..had to remove 2.5.0.  WAN IP x.x.x.0 network was being blocked.  PFsense log than alerted on WAN down, and removed it from routing group (dual wan).

Cheers,
Dennis.

mschiek01

Snort was running with preproc active a rules update was processed and snort stopped with the following error.

Jul 16 20:56:27 php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules…
Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 16 20:56:26 snort[25975]: Initializing rule chains…
Jul 16 20:56:26 snort[25975]: Initializing rule chains…
Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++

joako

Same here.

However mine seems to be caused by an invalid snort.conf. This can not be fixed by hand because it's deleted and regenerated each time snort is run.

snort[55098]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21199_em0//usr/local/etc/snort/preproc_rules/sensitive-data.rules/": No such file or directory.

include $PREPROC_RULE_PATH/sensitive-data.rules**/**

UPDATE: Cleared it up with package reinstall and of course re-download rules. Working as before.

eri--

@dwood:

Same thing here..had to remove 2.5.0.  WAN IP x.x.x.0 network was being blocked.  PFsense log than alerted on WAN down, and removed it from routing group (dual wan).

Cheers,
Dennis.

As i put in the other thread.
There is an issue that was solved with blocking not parsing correctly the whitelist.
Just re-install the binary.

digdug3

Sometimes the alerts go wrong and give you a N/A in the blocked tab

Cino

@mschiek01:

Snort was running with preproc active a rules update was processed and snort stopped with the following error.

Jul 16 20:56:27 php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules…
Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 16 20:56:26 snort[25975]: Initializing rule chains…
Jul 16 20:56:26 snort[25975]: Initializing rule chains…
Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++

woke up to the same error this this morning. i looked in the preprocessor.rules file and commented the line and turned off sensitive data..

a google search states its because of sensitive data not being not being turned on… i have it on for testing and have 2 rules suppress. strange.....

alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )

EDIT: manual update (after removing the md5 files), and I dont have the above issue with sensitive data on… going to copy the rules over to my pc and compare them when/if this happens again

Fesoj

I installed the latest version and snort is running fine, but there might be an issue with the perl package that affects other packages.

During the last 2 weeks I removed and installed the snort package only. After one of the latest updates the perl files were gone, but pkg_info still reported about 2 perl packages installed. I noticed the missing files by the failure of other packages (e.g. lightsquid). After forcing a reinstall (pkg_add -f) of the latest perl package everything worked again as expected.

I am not sure whether this odd behavior is due to the snort package, but if you find that some things don't work any more, check for the existence of the perl package (and the system log).

Cino

@Fesoj:

I installed the latest version and snort is running fine, but there might be an issue with the perl package that affects other packages.

During the last 2 weeks I removed and installed the snort package only. After one of the latest updates the perl files were gone, but pkg_info still reported about 2 perl packages installed. I noticed the missing files by the failure of other packages (e.g. lightsquid). After forcing a reinstall (pkg_add -f) of the latest perl package everything worked again as expected.

I am not sure whether this odd behavior is due to the snort package, but if you find that some things don't work any more, check for the existence of the perl package (and the system log).

are you running 2.0.x? If so, here is why(i think anyways) https://github.com/bsdperimeter/pfsense-packages/commit/90a78d1150d6cf90b9fb60c2237d8c12b112c7d0. its been removed from the package.

with 2.1 being pbi packages, its alittle different

Fesoj

Cino,

yes, I am running 2.0.1.

bump version to 2.5.0 and remove perl from build requirments since it…

The extracts from snort.inc don't show what happens to those perl files, but the title seems to point to the villain.

Anyway, pkg_add -f remedies the situation.

breusshe

@Cino:

EDIT: manual update (after removing the md5 files), and I dont have the above issue with sensitive data on… going to copy the rules over to my pc and compare them when/if this happens again

I can confirm this solution.  I deleted the MD5 files from /usr/local/etc/snort, turned on sensitive data, ran the rules update manually, and snort started right up.  I'll post if thise problem repeats itself in the next day or two.

marcelloc

@Fesoj:

Anyway, pkg_add -f remedies the situation.

That because snort uninstalled perl on last update. As you have two other packages that requires perl, if you uninstall one of them, the other will break too.

To workaround the pkg_add step, just reinstall a package that requires perl.

att,
Marcello Coutinho

Fesoj

Marcello,

To workaround the pkg_add step, just reinstall a package that requires perl.

that's what I tried first && this didn't work. The perl files were gone, but pkg_info still reported about perl being installed. Therefore reinstalling s.th. like Lightsquid does not trigger a reinstall of perl.

Cino

not sure if its because of the new binary or this change https://github.com/bsdperimeter/pfsense-packages/commit/e2618ca4b906460455f1f778718ed9e9825d7085 but after uninstall-install around 12pm est, snort is blocking my wan ip address now. its in the HOME_NET… So i'm not sure what is going on... I dont have it on my whitelist, which i'm  adding now and see what happens

EDIT: Its blocking my WAN IP with it in the whitelist also...

anyway the previous binary can be put back?  ;D well if other users can confirm my findings

Fesoj

Cino,

I do not have any problems with bogus blockings (and I tested new version quit a lot today), but my pfSense box is not an edge router and the "WAN" side has a static address that showed up automatically in the default HOME_NET.

eri--

Cino,

please either snort config or snort package xml on config.xml?

dwood

Ermal, I've been uninstalling Snort, running the command "find /* | grep -i snort | xargs rm -rv" then reinstalling.  I have to assume that this process would always replace the binary files?

I haven't reinstalled since yesterday in the site that's best for testing (live site!) so not sure if a reinstall will fix the WAN blocking…

Cino

here is my config, I'm trying see if i re-produce this on-demand… cause now it seems to be working just fine... Go figure right? lol

but i did another (de)install, saved every paged.. then rebooted

# snort configuration file
# generated automatically by the pfSense subsystems do not modify manually

# Define Local Network  #
var HOME_NET [127.0.0.1,10.0.0.0/8,2001:470:x:x::/64,x.x.x.x/22,192.168.0.1/24,2001:470:x:x::1/64,192.168.200.1/32,172.16.50.1/32,2001:470:x:x::2/64,192.168.5.1/24,x.x.x.1,209.18.47.61,209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24]
var EXTERNAL_NET [!$HOME_NET]

# Define Rule Paths #
var RULE_PATH /usr/local/etc/snort/snort_60770_em3/rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules

# Define Servers  #
var DNS_SERVERS [$HOME_NET]
var SMTP_SERVERS [$HOME_NET]
var HTTP_SERVERS [$HOME_NET]
var WWW_SERVERS [$HOME_NET]
var SQL_SERVERS [$HOME_NET]
var TELNET_SERVERS [$HOME_NET]
var SNMP_SERVERS [$HOME_NET]
var FTP_SERVERS [$HOME_NET]
var SSH_SERVERS [$HOME_NET]
var POP_SERVERS [$HOME_NET]
var IMAP_SERVERS [$HOME_NET]
var SIP_PROXY_IP [$HOME_NET]
var SIP_SERVERS [$HOME_NET]
var RPC_SERVERS [$HOME_NET]
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Define Server Ports  #
portvar DNS_PORTS [53]
portvar SMTP_PORTS [25]
portvar MAIL_PORTS [25,143,465,691]
portvar HTTP_PORTS [80]
portvar ORACLE_PORTS [1521]
portvar MSSQL_PORTS [1433]
portvar TELNET_PORTS [23]
portvar SNMP_PORTS [161]
portvar FTP_PORTS [21]
portvar SSH_PORTS [22]
portvar POP2_PORTS [109]
portvar POP3_PORTS [110]
portvar IMAP_PORTS [143]
portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
portvar SIP_PORTS [5060:5090,16384:32768]
portvar AUTH_PORTS [113]
portvar FINGER_PORTS [79]
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
portvar SMB_PORTS [139,445]
portvar NNTP_PORTS [119]
portvar RLOGIN_PORTS [513]
portvar RSH_PORTS [514]
portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
portvar SHELLCODE_PORTS [!80]
portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
portvar DCERPC_NCACN_IP_TCP [139,445]
portvar DCERPC_NCADG_IP_UDP [138,1024:]
portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
portvar DCERPC_NCACN_UDP_LONG [135,1024:]
portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
portvar DCERPC_NCACN_TCP [2103,2105,2107]
portvar DCERPC_BRIGHTSTORE [6503,6504]

# Configure the snort decoder  #
config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops

# Configure the detection engine  #
config detection: search-method ac-bnfa max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length

#Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
dynamicengine directory /usr/local/lib/snort/dynamicengine
dynamicdetection directory /usr/local/lib/snort/dynamicrules

# Flow and stream #
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy bsd detect_anomalies

preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
preprocessor stream5_tcp: policy BSD, ports both all, max_queued_bytes 10485760, max_queued_segs 26210
preprocessor stream5_udp:
preprocessor stream5_icmp:

# Performance Statistics #
preprocessor perfmonitor: time 300 file /var/log/snort/snort_em360770/em3.stats pktcnt 10000

# HTTP Inspect  #
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

preprocessor http_inspect_server: server default \
                        ports  { 80 }  \
                        non_strict \
                        non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                        flow_depth 300  \
                        apache_whitespace no \
                        directory no \
                        iis_backslash no \
                        u_encode yes \
			extended_response_inspection \
			inspect_gzip \
			normalize_utf \
			normalize_javascript \
			unlimited_decompress \
                        ascii no \
                        chunk_length 500000 \
                        bare_byte yes \
                        double_decode yes \
                        iis_unicode no \
                        iis_delimiter no \
                        multi_slash no

# Other preprocs #
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779

# Back Orifice
preprocessor bo

# ftp preprocessor  #
preprocessor ftp_telnet: global \
inspection_type stateless

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: \
    ftp server default \
    def_max_param_len 100 \
    ports { 21 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

# SMTP preprocessor #
preprocessor SMTP: \
    ports { 25 143 465 691 } \
    inspection_type stateful \
    normalize cmds \
    valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    max_header_line_len 1000 \ 
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
    alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
    alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    xlink2state { enable }

# sf Portscan  #
preprocessor sfportscan: scan_type { all } \
                         proto  { all } \
                         memcap { 10000000 } \
                         sense_level { medium } \
                         ignore_scanners { $HOME_NET }

# DCE/RPC 2   #
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

# DNS preprocessor #
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

preprocessor sensitive_data:

# Ignore SSL and Encryption  #
preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted

# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority

output unified2: filename snort_60770_em3.u2, limit 128
output alert_pf: /usr/local/etc/snort/snort_60770_em3/MainWhiteList,snort2c,src,

# Misc Includes #
include /usr/local/etc/snort/snort_60770_em3/reference.config
include /usr/local/etc/snort/snort_60770_em3/classification.config
include $PREPROC_RULE_PATH/sensitive-data.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/preprocessor.rules

include /usr/local/etc/snort/snort_60770_em3/suppMainSuppressList

# Snort user pass through configuration

# Rules Selection #
include $RULE_PATH/snort_attack-responses.rules
include $RULE_PATH/snort_bad-traffic.so.rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/snort_backdoor.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/snort_bad-traffic.rules
include $RULE_PATH/snort_dos.so.rules
include $RULE_PATH/snort_blacklist.rules
include $RULE_PATH/snort_exploit.so.rules
include $RULE_PATH/emerging-ciarmy.rules
include $RULE_PATH/snort_botnet-cnc.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/snort_content-replace.rules
include $RULE_PATH/snort_misc.so.rules
include $RULE_PATH/snort_ddos.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/snort_dos.rules
include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/snort_exploit.rules
include $RULE_PATH/snort_web-client.so.rules
include $RULE_PATH/snort_web-misc.so.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-misc.rules
include $RULE_PATH/emerging-mobile_malware.rules
include $RULE_PATH/snort_indicator-compromise.rules
include $RULE_PATH/snort_indicator-obfuscation.rules
include $RULE_PATH/snort_misc.rules
include $RULE_PATH/emerging-rbn-malvertisers.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-shellcode.rules
include $RULE_PATH/snort_other-ids.rules
include $RULE_PATH/snort_phishing-spam.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-web_client.rules
include $RULE_PATH/snort_rpc.rules
include $RULE_PATH/emerging-worm.rules
include $RULE_PATH/snort_scan.rules
include $RULE_PATH/snort_shellcode.rules
include $RULE_PATH/snort_specific-threats.rules
include $RULE_PATH/snort_spyware-put.rules
include $RULE_PATH/snort_virus.rules
include $RULE_PATH/snort_web-attacks.rules
include $RULE_PATH/snort_web-client.rules
include $RULE_PATH/snort_web-iis.rules
include $RULE_PATH/snort_web-misc.rules

mschiek01

@Cino:

here is my config, I'm trying see if i re-produce this on-demand… cause now it seems to be working just fine... Go figure right? lol

but i did another (de)install, saved every paged.. then rebooted

# snort configuration file
# generated automatically by the pfSense subsystems do not modify manually

# Define Local Network  #
var HOME_NET [127.0.0.1,10.0.0.0/8,2001:470:x:x::/64,x.x.x.x/22,192.168.0.1/24,2001:470:x:x::1/64,192.168.200.1/32,172.16.50.1/32,2001:470:x:x::2/64,192.168.5.1/24,x.x.x.1,209.18.47.61,209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24]
var EXTERNAL_NET [!$HOME_NET]

# Define Rule Paths #
var RULE_PATH /usr/local/etc/snort/snort_60770_em3/rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules

# Define Servers  #
var DNS_SERVERS [$HOME_NET]
var SMTP_SERVERS [$HOME_NET]
var HTTP_SERVERS [$HOME_NET]
var WWW_SERVERS [$HOME_NET]
var SQL_SERVERS [$HOME_NET]
var TELNET_SERVERS [$HOME_NET]
var SNMP_SERVERS [$HOME_NET]
var FTP_SERVERS [$HOME_NET]
var SSH_SERVERS [$HOME_NET]
var POP_SERVERS [$HOME_NET]
var IMAP_SERVERS [$HOME_NET]
var SIP_PROXY_IP [$HOME_NET]
var SIP_SERVERS [$HOME_NET]
var RPC_SERVERS [$HOME_NET]
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Define Server Ports  #
portvar DNS_PORTS [53]
portvar SMTP_PORTS [25]
portvar MAIL_PORTS [25,143,465,691]
portvar HTTP_PORTS [80]
portvar ORACLE_PORTS [1521]
portvar MSSQL_PORTS [1433]
portvar TELNET_PORTS [23]
portvar SNMP_PORTS [161]
portvar FTP_PORTS [21]
portvar SSH_PORTS [22]
portvar POP2_PORTS [109]
portvar POP3_PORTS [110]
portvar IMAP_PORTS [143]
portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
portvar SIP_PORTS [5060:5090,16384:32768]
portvar AUTH_PORTS [113]
portvar FINGER_PORTS [79]
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
portvar SMB_PORTS [139,445]
portvar NNTP_PORTS [119]
portvar RLOGIN_PORTS [513]
portvar RSH_PORTS [514]
portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
portvar SHELLCODE_PORTS [!80]
portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
portvar DCERPC_NCACN_IP_TCP [139,445]
portvar DCERPC_NCADG_IP_UDP [138,1024:]
portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
portvar DCERPC_NCACN_UDP_LONG [135,1024:]
portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
portvar DCERPC_NCACN_TCP [2103,2105,2107]
portvar DCERPC_BRIGHTSTORE [6503,6504]

# Configure the snort decoder  #
config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops

# Configure the detection engine  #
config detection: search-method ac-bnfa max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length

#Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
dynamicengine directory /usr/local/lib/snort/dynamicengine
dynamicdetection directory /usr/local/lib/snort/dynamicrules

# Flow and stream #
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy bsd detect_anomalies

preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
preprocessor stream5_tcp: policy BSD, ports both all, max_queued_bytes 10485760, max_queued_segs 26210
preprocessor stream5_udp:
preprocessor stream5_icmp:

# Performance Statistics #
preprocessor perfmonitor: time 300 file /var/log/snort/snort_em360770/em3.stats pktcnt 10000
	
# HTTP Inspect  #
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

preprocessor http_inspect_server: server default \
                        ports  { 80 }  \
                        non_strict \
                        non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                        flow_depth 300  \
                        apache_whitespace no \
                        directory no \
                        iis_backslash no \
                        u_encode yes \
			extended_response_inspection \
			inspect_gzip \
			normalize_utf \
			normalize_javascript \
			unlimited_decompress \
                        ascii no \
                        chunk_length 500000 \
                        bare_byte yes \
                        double_decode yes \
                        iis_unicode no \
                        iis_delimiter no \
                        multi_slash no
	
# Other preprocs #
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779

# Back Orifice
preprocessor bo
	
# ftp preprocessor  #
preprocessor ftp_telnet: global \
inspection_type stateless

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: \
    ftp server default \
    def_max_param_len 100 \
    ports { 21 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes
	
# SMTP preprocessor #
preprocessor SMTP: \
    ports { 25 143 465 691 } \
    inspection_type stateful \
    normalize cmds \
    valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    max_header_line_len 1000 \ 
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
    alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
    alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    xlink2state { enable }
	
# sf Portscan  #
preprocessor sfportscan: scan_type { all } \
                         proto  { all } \
                         memcap { 10000000 } \
                         sense_level { medium } \
                         ignore_scanners { $HOME_NET }
	
# DCE/RPC 2   #
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3
	
# DNS preprocessor #
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
	
preprocessor sensitive_data:

# Ignore SSL and Encryption  #
preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted

# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority

output unified2: filename snort_60770_em3.u2, limit 128
output alert_pf: /usr/local/etc/snort/snort_60770_em3/MainWhiteList,snort2c,src,
						
# Misc Includes #
include /usr/local/etc/snort/snort_60770_em3/reference.config
include /usr/local/etc/snort/snort_60770_em3/classification.config
include $PREPROC_RULE_PATH/sensitive-data.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/preprocessor.rules

include /usr/local/etc/snort/snort_60770_em3/suppMainSuppressList

# Snort user pass through configuration

# Rules Selection #
include $RULE_PATH/snort_attack-responses.rules
include $RULE_PATH/snort_bad-traffic.so.rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/snort_backdoor.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/snort_bad-traffic.rules
include $RULE_PATH/snort_dos.so.rules
include $RULE_PATH/snort_blacklist.rules
include $RULE_PATH/snort_exploit.so.rules
include $RULE_PATH/emerging-ciarmy.rules
include $RULE_PATH/snort_botnet-cnc.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/snort_content-replace.rules
include $RULE_PATH/snort_misc.so.rules
include $RULE_PATH/snort_ddos.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/snort_dos.rules
include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/snort_exploit.rules
include $RULE_PATH/snort_web-client.so.rules
include $RULE_PATH/snort_web-misc.so.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-misc.rules
include $RULE_PATH/emerging-mobile_malware.rules
include $RULE_PATH/snort_indicator-compromise.rules
include $RULE_PATH/snort_indicator-obfuscation.rules
include $RULE_PATH/snort_misc.rules
include $RULE_PATH/emerging-rbn-malvertisers.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-shellcode.rules
include $RULE_PATH/snort_other-ids.rules
include $RULE_PATH/snort_phishing-spam.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-web_client.rules
include $RULE_PATH/snort_rpc.rules
include $RULE_PATH/emerging-worm.rules
include $RULE_PATH/snort_scan.rules
include $RULE_PATH/snort_shellcode.rules
include $RULE_PATH/snort_specific-threats.rules
include $RULE_PATH/snort_spyware-put.rules
include $RULE_PATH/snort_virus.rules
include $RULE_PATH/snort_web-attacks.rules
include $RULE_PATH/snort_web-client.rules
include $RULE_PATH/snort_web-iis.rules
include $RULE_PATH/snort_web-misc.rules

I have the same problem except I have static Wan addresses snort was running just without problems then the following

system log
Jul 17 13:33:32 apinger: ALARM: WAN1GW(nn.nn.nnn.nnn) *** WAN1GWdown ***
Jul 17 13:28:04 snort[40189]: [1:2500062:2570] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32) [Classification: Misc Attack] [Priority: 2] {TCP}
Jul 17 13:28:04 snort[40189]: [1:2500062:2570] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32) [Classification: Misc Attack] [Priority: 2]

Alert description which is very strange.

"ET RBN Known Russian Business Network IP UDP (112)" - 07/17-12:25:48
                                             "ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt" - 07/17-11:59:17
4 nnn.nnn.nnn.nnn                  "ET RBN Known Russian Business Network IP TCP (232)" - 07/17-09:59:36
                                             "ET RBN Known Russian Business Network IP TCP (208)" - 07/17-11:05:21
                                               "ET RBN Known Russian Business Network IP TCP (94)" - 07/17-11:14:14
                                               "ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (29)" - 07/17-11:23:48
                                               "(dcerpc2) Connection-oriented DCE/RPC - Bind: Remaining fragment length (3) less than size needed (20)" - 07/17-13:19:42
"ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32)" - 07/17-13:28:04

Snort started blocking the Wan interface ip.

The wan addresses are defined as nnn.nnn.nnn.nnn/nn in the white list.