Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    Scheduled Pinned Locked Moved pfSense Packages
    331 Posts 38 Posters 289.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      Supermule Banned
      last edited by

      Damn nice!! Nothing more to say :)

      1 Reply Last reply Reply Quote 0
      • E Offline
        eri--
        last edited by

        I fixed the missing file issue by just adding the checks.

        Supermule you can already sort afaik in the gui by clcking on the headers, no?

        1 Reply Last reply Reply Quote 0
        • E Offline
          eri--
          last edited by

          @Supermule:

          Snort doesnt respect whitelisted Alias on the WAN side. Got blocked out and had to use the back entrance :D

          Can you explain here and you are taling about pfblocker or about the default homelist generated?

          1 Reply Last reply Reply Quote 0
          • S Offline
            Supermule Banned
            last edited by

            ¨Whitelist in Snort…you create an alias and use that as whitelist. IP adresses listed in this doesnt get respected if on the WAN side. Local servers are fine, but external IP doesnt get whitelisted.

            1 Reply Last reply Reply Quote 0
            • S Offline
              Supermule Banned
              last edited by

              Nope…

              @ermal:

              I fixed the missing file issue by just adding the checks.

              Supermule you can already sort afaik in the gui by clcking on the headers, no?

              1 Reply Last reply Reply Quote 0
              • bmeeksB Offline
                bmeeks
                last edited by

                @ermal:

                I fixed the missing file issue by just adding the checks.

                Supermule you can already sort afaik in the gui by clcking on the headers, no?

                Hi Ermal:

                By my count, there were four places in the code where this potential issue existed.  Three in snort.inc, and one in snort_check_for_rule_updates.php.  They are in the following functions:

                snort_build_sid_msg_map()
                snort_load_rules_map()
                snort_generate_conf()
                snort_apply_customizations()

                Bill

                1 Reply Last reply Reply Quote 0
                • I Offline
                  iFloris
                  last edited by

                  Have been following this closely & This is awesome. Thanks bmeeks!

                  one layer of information
                  removed

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB Offline
                    bmeeks
                    last edited by

                    @iFloris:

                    Have been following this closely & This is awesome. Thanks bmeeks!

                    No problem.  Enjoyed tinkering with the code and trying to make Snort work even better.

                    I submitted a small batch of changes last evening that Ermal and team merged to fix the remaining glitches with the missing files warning messages, and to make sure that flowbit rules get included (if enabled) during the initial Rules Update after a re-install or a fresh install.  These last fixes should make the package 100% functional.  Please post if any other bugs show up.

                    There are some outstanding to-do features/improvements on my list.  Supermule and others have posted some of them in this thread such as some problems with external IP whitelisting surviving reboots, column sorting, etc.  A move to the Snort 2.9.4.x binary is needed as well, but I have some more to learn about how binary packages are built and tested with the pfSense platform.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • S Offline
                      Supermule Banned
                      last edited by

                      No problems Bill!

                      I think you should work closely with Ermal to get this going asap! Combine talents :)

                      1 Reply Last reply Reply Quote 0
                      • K Offline
                        kilthro
                        last edited by

                        I grabbed the update and prior to the update i had no issues. after this update and redloading rules I am getting this error when i try to start snort.

                        Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
                        Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

                        Not sure why this is appearing now. Any ideas?

                        1 Reply Last reply Reply Quote 0
                        • K Offline
                          kilthro
                          last edited by

                          I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.

                          1 Reply Last reply Reply Quote 0
                          • S Offline
                            Supermule Banned
                            last edited by

                            It seems that the reinstall is broken somehow, but a fresh install works.

                            Its almost worse than windows :D

                            1 Reply Last reply Reply Quote 0
                            • bmeeksB Offline
                              bmeeks
                              last edited by

                              @kilthro:

                              I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.

                              Yes, this a partially documented problem.  I say "partially" because there is some mention of it in some previous threads here on the forum from the summer of 2012.

                              It seems to be a problem with the package manager tools used to install, un-install and re-install packages.  During a re-install of an existing package, some symbolic links or something don't get properly cleaned up.  I'm not sure about the details.  Others more cognizant of the inner workings of FreeBSD have explained it better.

                              The workaround is to always do an uninstall of a package, and then install it again so it is the same as a fresh install.  That works.

                              1 Reply Last reply Reply Quote 0
                              • RonpfSR Offline
                                RonpfS
                                last edited by

                                Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
                                to mention  not to re-install ;)

                                2.4.5-RELEASE-p1 (amd64)
                                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB Offline
                                  bmeeks
                                  last edited by

                                  @RonpfS:

                                  Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
                                  to mention  not to re-install ;)

                                  Would be better, in my opinion, if the re-install just worked correctly. I'm no BSD guru, but I will take a look and see if maybe the Snort uninstall code is doing something weird to hose itself on the subsequent re-install.  No promises on this one, though.  I'm definitely a newb with FreeBSD deep down under-the-hood magic.

                                  1 Reply Last reply Reply Quote 0
                                  • S Offline
                                    Supermule Banned
                                    last edited by

                                    Is it possible when you release a IP in the "Alerts" section, then its added to a whitelist?

                                    The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB Offline
                                      bmeeks
                                      last edited by

                                      @Supermule:

                                      Is it possible when you release a IP in the "Alerts" section, then its added to a whitelist?

                                      Are you talking about clicking the little "+" icon that adds the GID:SID to the Suppression List, or what do you mean by "release an IP"?  Perhaps an example will help me undestand this question better.

                                      @Supermule:

                                      The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….

                                      I think you're asking here to be able to directly add an IP address instead of having to jump through the hoops of creating an alias under the Firewall tab.  Is this correct?  If yes, then I believe this can be easily accomplished.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • S Offline
                                        Supermule Banned
                                        last edited by

                                        This is the Alerts tab…

                                        Clicking and releasing the source IP of an alert automatically adds it to a whitelist.

                                        ![alerts_whitelist IP.jpg](/public/imported_attachments/1/alerts_whitelist IP.jpg)
                                        ![alerts_whitelist IP.jpg_thumb](/public/imported_attachments/1/alerts_whitelist IP.jpg_thumb)

                                        1 Reply Last reply Reply Quote 0
                                        • S Offline
                                          Supermule Banned
                                          last edited by

                                          This is the Suppress tab.

                                          A lot easier to add entries as IP's here than adding an alias.

                                          So could the alias list become the same "look" as the suppress tab?

                                          Would make the entry a lot easier.

                                          suppress.jpg
                                          suppress.jpg_thumb

                                          1 Reply Last reply Reply Quote 0
                                          • S Offline
                                            Supermule Banned
                                            last edited by

                                            So in short, clicking the "release" icon in alerts tab, insert it in the suppress page with SID and SRC IP.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.