Netgate Discussion Forum

Snort 2.9.2.3 pkg v. 2.5.0 Issues

pfSense Packages
LiamH
last edited by Jan 29, 2013, 7:11 AM

    @ermal:

    You have to create a whitelist to override.
    If you run snort on the LAN interface then there is no reason to trust your hosts, no?

    Thanks for the feedback, but I'm not sure I'm following you…

    I have this rule:

```
alert tcp any any -> any $HTTP_PORTS (msg:"INT-Babylon Detected"; flow:from_client; content:"User-Agent|3A20|Babylon"; http_header; sid:1000007; classtype:policy-violation;)
```

    It should monitor and notify me about a specific program being used - the only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. I'd appreciate it if you could clear that up for me.


LiamH
last edited by Jan 29, 2013, 8:47 AM

      @spi:

      Hi ermal

      Thanks for all your valuable knowledge and help here on snort.

      Since libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16

      may I ask why it would not be more appropriate to apply

```
pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz
```

      this will give version 18 and not 16 as version 5.1.53 would do…or does it not matter ?

      Hi,

```
pkg_add -v -f -F http://files.pfsense.org/packages/8/All/mysql-client-5.5.29.tbz
```

      worked on my machine. I had to use the "force" command because it complained about already having the package installed.


fragged
last edited by Jan 29, 2013, 10:28 AM

        @LiamH:

        It should monitor and notify me about a specific program being used - the only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. I'd appreciate it if you could clear that up for me.

        If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.


LiamH
last edited by Jan 29, 2013, 10:59 AM

          @fragged:

          If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.

          This is what is happening when HOME_NET does not contain my LAN. When I set it manually (via snort.inc modification) I get the warnings and everything works as it should.

          Am I doing something wrong and is there another way to get this information, or should HOME_NET include my local network?


eri--
last edited by Jan 29, 2013, 4:14 PM

            Corrected the HOME_NET generation.
            Also the libmysql issues should be fixed.


kilthro
last edited by Jan 29, 2013, 4:17 PM

              Ermal,
              I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have removed blocked hosts after 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.


Supermule
last edited by Jan 29, 2013, 4:18 PM

                I get these errors when trying to change the ports of "Home NET"

                [attached screenshots: Define_servers.jpg, Define_servers2.jpg]


Supermule
last edited by Jan 29, 2013, 8:19 PM

                  First of all….

                  I get these false positives even if I have created them in the Suppress lists!!

                  [attached screenshot: Alerts.jpg]


Supermule
last edited by Jan 29, 2013, 8:20 PM

                    Suppress list is here….

                    Tell me why Snort doesn't respect it.......... :-\

                    [attached screenshot: suppresslist.jpg]


eri--
last edited by Jan 29, 2013, 8:46 PM

                      You need to have an alias; you cannot put ports there.

                      My wild guess about the suppression is a missing revision?


eri--
last edited by Jan 29, 2013, 8:58 PM

                        @kilthro:

                        Ermal,
                        I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have removed blocked hosts after 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.

                        Can you check /etc/crontab if it has the entries for snort?

                        I pushed a fix which should help here.
                        Just resave your settings on the Global tab.


kilthro
last edited by Jan 29, 2013, 11:47 PM

                          @ermal:

                          @kilthro:

                          Ermal,
                          I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have removed blocked hosts after 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.

                          Can you check /etc/crontab if it has the entries for snort?

                          I pushed a fix which should help here.
                          Just resave your settings on the Global tab.

                          Here is what cron is showing. Looks like no time settings are entered. Looks like the remove host is doing the same thing as it's blank too.. May explain why they aren't being removed like they should.

                          [attached screenshot: cron.jpg]


kilthro
last edited by Jan 29, 2013, 11:50 PM
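Ermal's question about /etc/crontab, turned into a check. This is an added example, not code from the thread or from the pfSense Snort package: it scans crontab text for lines mentioning snort and flags any whose first five schedule fields are missing or malformed, which is the blank-schedule symptom kilthro describes. The sample crontab and the script paths in it are constructed for illustration and are not the package's real cron lines.

```sh
#!/bin/sh
# Added example: check /etc/crontab-style text for snort cron entries whose
# schedule fields are missing or malformed. Not part of the pfSense package.

# Constructed sample crontab (paths are illustrative, not the package's own).
# The last line has an empty schedule, the symptom discussed in the thread.
SAMPLE_CRONTAB='# constructed sample /etc/crontab
SHELL=/bin/sh
*/5 * * * * root /usr/bin/nice -n20 /usr/local/bin/example_unrelated_job
0 */6 * * * root /usr/local/bin/php -f /usr/local/pkg/snort/snort_rule_update.php
     root /usr/local/bin/php -f /usr/local/pkg/snort/snort_remove_blocked.php'

# check_snort_cron CRONTAB_TEXT
# Prints one OK/BAD verdict per snort line. Exit status: 0 = every snort entry
# is well-formed, 1 = at least one is malformed, 2 = no snort entries found.
check_snort_cron() {
    printf '%s\n' "$1" | awk '
        /snort/ && !/^#/ {
            found++
            # A crontab line needs five schedule fields plus user and command.
            ok = (NF >= 6)
            # Each schedule field may contain only digits and the characters * / , -
            for (i = 1; i <= 5 && ok; i++)
                if ($i !~ "^[0-9*/,-]+$") ok = 0
            if (!ok) bad++
            printf "%s: %s\n", (ok ? "OK " : "BAD"), $0
        }
        END {
            if (found == 0) { print "no snort entries in crontab"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Run against the sample: expect one OK line, one BAD line, exit status 1.
check_snort_cron "$SAMPLE_CRONTAB" || echo "crontab check failed with status $?"
```

On a real box the same function can be fed the live file with `check_snort_cron "$(cat /etc/crontab)"`.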

                            I am not seeing the update on the dashboard… Guess it takes a while to recognize.. Will check back on it.. What version number is it up to now?


Supermule
last edited by Jan 30, 2013, 2:37 AM

                              @ermal:

                              You need to have an alias; you cannot put ports there.

                              My wild guess about the suppression is a missing revision?

                              Why an alias when the specific ports are needed??

                              By the way, running on 2.5.4 so unless package has been updated, then I am on the latest revision.


eri--
last edited by Jan 30, 2013, 8:00 AM

                                No, the version has not been bumped since some small fixes will come still.
                                When those are finished it will be bumped.


Supermule
last edited by Jan 30, 2013, 8:47 AM

                                  Thx Ermal!


Phoenix912
last edited by Jan 31, 2013, 5:01 PM

                                    Hi,

                                    I have the issue with the lib mysql.18 which I was able to correct with pkg_add -v -f -F http://files.pfsense.org/packages/8/All/mysql-client-5.5.29.tbz

                                    But when I reboot my VM, I have to do the command again, because snort won't start with my interfaces.
                                    It is very weird because before rebooting everything was working perfectly fine, alerts were there, all interfaces were enabled…

                                    Does anyone have an idea?

                                    Thanks in advance


Phoenix912
last edited by Jan 31, 2013, 6:57 PM

                                      It seems very weird because if I create a folder, after rebooting it is still there, but a modification like the package is not working.

                                      I suppose pfSense or FreeBSD is blocking my modifications; is it possible to force the modification or disable the thing which is preventing me from saving changes?

                                      Thanks in advance


Supermule
last edited by Feb 10, 2013, 5:59 PM

                                        Are we seeing the end of this when Ermal/Bmeeks committed the last changes or do we have to wait until the package is bumped to 2.5.5??? So far running fine here, but haven't upgraded to the last snaps from Ermal. Running the changed files from Bmeeks.


kilthro
last edited by Feb 10, 2013, 6:23 PM

                                          I have the latest downloaded and installed and everything seems to be working just fine here.
