Snort 2.9.4.1 pkg v. 2.5.5 Issue(s)
-
In regards to the md5 files, I just removed them with one command to make things a little easier to force the rules update.
rm /usr/pbi/snort-amd64/etc/snort/*.md5Thanks Bill, seems to be working just fine now.
-
After 4 or more updates I'm still forced to uninstall and reinstall Snort (I never needed to do this before):
snort[25337]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-i386/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-i386/lib/snort/dynamicengine/libsf_engine.so" version 1.17. -
After 4 or more updates I'm still forced to uninstall and reinstall Snort (I never needed to do this before):
snort[25337]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-i386/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-i386/lib/snort/dynamicengine/libsf_engine.so" version 1.17.You seem to have something weird going on in that install. You are clicking the "X" icon to completely remove the Snort package on the Installed Packages tab, and then going to the Available Packages tab and installing it again, correct? That error you are posting indicates an incomplete uninstall/reinstall process. Those files (with -example- in the filenames) are fixed up by the full package installation process. The fact you keep seeing this error means either that process is not happening, or is not running to conclusion.
One thing to try – click the "X" to totally remove Snort. Then go to the command line and issue this command to completely remove any remaining traces of Snort:
rm -rf /usr/pbi/snort-i386Then go to the Available Packages tab and install it fresh.
Bill
-
In regards to the md5 files, I just removed them with one command to make things a little easier to force the rules update.
rm /usr/pbi/snort-amd64/etc/snort/*.md5Thanks Bill, seems to be working just fine now.
Yep, your method is faster, but I was posting an alternative for anyone who might be "command-line shy"… ;)
Bill
-
Remember to reboot the system after removing Snort before adding it again in the available packages :)
-
INSTALLED RULESET SIGNATURES
SNORT.ORG –> xxxxxxxxxxxxxxxxxxx
EMERGINGTHREATS.NET --> xxxxxxxxxxxxxxxxxxxxxxxx
SNORT GPLv2 COMMUNITY RULES --> N/ANot seeing an update for GPLv2
-
INSTALLED RULESET SIGNATURES
SNORT.ORG –> xxxxxxxxxxxxxxxxxxx
EMERGINGTHREATS.NET --> xxxxxxxxxxxxxxxxxxxxxxxx
SNORT GPLv2 COMMUNITY RULES --> N/ANot seeing an update for GPLv2
Did you check and make sure they are enabled on the Global Settings tab? They default to "OFF", and must be explicitly enabled. Also, heed the note on that page. If you have a Snort VRT Paid Subscriber account, you already have all the Community Rules embedded within your paid package, so no need to install them. If you did, you would have the same rules twice. On the other had, if you have only a Free Registered User Snort account, or previously used only the Emerging Threats rules without VRT rules, then enabling the Community Rules is a good idea.
Bill
-
What does your Snort Update Log state? I saw in my own update logs where Snort was down a few days ago at a certain time after midnight and my download failed. Could just be a possible download failure which resides on snort.org side of things which will resolve itself later.
Will take a while Bill before others get used to checking on their update logs as well as the system logs when they have issues. Great feature to have now, thanks to Bmeeks.
-
Looking through my own update logs in response to Asterix' issue I noticed the following:
Starting rules update... Time: 2013-04-15 00:03:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-15 00:03:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-15 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 00:03:57 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 00:05:31 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 00:06:28Cron only has the 'check for rule updates' command listed once. I only have Snort running on one interface and I confirmed there is only one instance of the Snort process running but it seems to have attempted the download 3x simultaneously last night. Any thoughts Bill?
Update: Looking at my other 2 boxes, they both show two simultaneous attempts at Update time.
-
I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets. I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this
Are you still seeing this Cino? I'm not getting this at all using the same rulesets, same cron job.
Anyone else having this issue? IPs are removed from the block list after 5 minutes when the cron job is run. I've check the snort2c table and they aren't there anymore. Any ideas?
-
Looking through my own update logs in response to Asterix' issue I noticed the following:
Starting rules update... Time: 2013-04-15 00:03:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-15 00:03:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-15 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 00:03:57 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 00:05:31 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 00:06:28Cron only has the 'check for rule updates' command listed once. I only have Snort running on one interface and I confirmed there is only one instance of the Snort process running but it seems to have attempted the download 3x simultaneously last night. Any thoughts Bill?
Update: Looking at my other 2 boxes, they both show two simultaneous attempts at Update time.
I have never seen this behavior. Here are the Update Logs from my production LAN firewall. The couple of times that are not 12-hour intervals are when I forced a manual update and one today when I upgraded to the new 2.0.3 release.
Starting rules update... Time: 2013-04-08 19:06:22 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-08 19:06:24 Starting rules update... Time: 2013-04-09 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Signalling Snort to load new rules for: WAN ... Updating rules configuration for: DMZ ... Signalling Snort to load new rules for: DMZ ... Updating rules configuration for: LAN ... Signalling Snort to load new rules for: LAN ... The Rules update has finished. Time: 2013-04-09 00:05:35 Starting rules update... Time: 2013-04-09 12:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-09 12:04:46 Starting rules update... Time: 2013-04-10 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Done downloading rules file. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: DMZ ... Updating rules configuration for: LAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-10 00:08:52 Starting rules update... Time: 2013-04-10 12:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-10 12:04:39 Starting rules update... Time: 2013-04-10 21:51:37 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Done downloading rules file. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: DMZ ... Updating rules configuration for: LAN ... The Rules update has finished. Time: 2013-04-10 21:54:45 Starting rules update... Time: 2013-04-11 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-11 00:06:54 Starting rules update... Time: 2013-04-11 12:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-11 12:04:57 Starting rules update... Time: 2013-04-12 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Done downloading rules file. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: DMZ ... Updating rules configuration for: LAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-12 00:08:38 Starting rules update... Time: 2013-04-12 12:03:00 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-12 12:04:48 Starting rules update... Time: 2013-04-13 00:03:00 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: DMZ ... Updating rules configuration for: LAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-13 00:04:40 Starting rules update... Time: 2013-04-13 12:03:02 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-13 12:04:41 Starting rules update... Time: 2013-04-13 19:10:25 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: DMZ ... Updating rules configuration for: LAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-13 19:12:06 Starting rules update... Time: 2013-04-14 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-14 00:06:12 Starting rules update... Time: 2013-04-14 12:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: DMZ ... Updating rules configuration for: LAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-14 12:05:32 Starting rules update... Time: 2013-04-15 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 00:03:48 Starting rules update... Time: 2013-04-15 12:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-15 12:05:02 Starting rules update... Time: 2013-04-15 18:03:41 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Done downloading rules file. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: DMZ ... Updating rules configuration for: LAN ... The Rules update has finished. Time: 2013-04-15 18:06:45I really don't know what could cause simultaneous updates to kick off except multiple cron jobs. I have the i386 version of 2.0.3. All the stuff for it is stored in /usr/local/etc/snort. For 2.1-BETA platforms, all the Snort stuff is now stored in /usr/pbi/snort-{arch}/. Don't know if this might somehow translate into multiple crontab setups or not. Just hypothesizing at the moment…
Also take a look in the /conf/config.xml file in the [cron] section to see what is listed there (and how many times).
Bill
-
Anyone else having this issue? IPs are removed from the block list after 5 minutes when the cron job is run. I've check the snort2c table and they aren't there anymore. Any ideas?
I have not timed mine, but I think the blocks are lasting for an hour. That's what I have mine set for. How is the time on your firewall synchronized? Does it have a NTP source to sync with, and is it holding the correct time?
Bill
-
I saw in my own update logs where Snort was down a few days ago at a certain time after midnight and my download failed. Could just be a possible download failure which resides on snort.org side of things which will resolve itself later.
The Snort Community Rules are hosted on an Amazon web services server and not the Snort.org site, so it would take an issue with Amazon's server farm to kill the Community Rules download. Only the Snort VRT rules are hosted at Snort.org.
Here is the URL for the Snort Community GPLv2 Rules: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
Bill
-
Anyone else having this issue? IPs are removed from the block list after 5 minutes when the cron job is run. I've check the snort2c table and they aren't there anymore. Any ideas?
I have not timed mine, but I think the blocks are lasting for an hour. That's what I have mine set for. How is the time on your firewall synchronized? Does it have a NTP source to sync with, and is it holding the correct time?
Bill
It syncs with a local NTP server in my time zone and if its not available then it syncs with couple from pool.ntp.org. The time is holding as far as I can tell…
-
Also take a look in the /conf/config.xml file in the [cron] section to see what is listed there (and how many times).
Looks normal enough, no duplicates.
<cron><minute>0</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 newsyslog <minute>1,31</minute> <hour>0-5</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 adjkerntz -a <minute>1</minute> <hour>3</hour> <mday>1</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh <minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout <minute>1</minute> <hour>1</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update <minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot <minute>30</minute> <hour>12</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.update_urltables <minute>*/5</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc <minute>*/5</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c <minute>3</minute> <hour>0</hour> <mday>*/1</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log</cron>I'll report back what I see tonight when it updates again just after midnight
-
You seem to have something weird going on in that install. You are clicking the "X" icon to completely remove the Snort package on the Installed Packages tab, and then going to the Available Packages tab and installing it again, correct?
That's correct.
That error you are posting indicates an incomplete uninstall/reinstall process. Those files (with -example- in the filenames) are fixed up by the full package installation process. The fact you keep seeing this error means either that process is not happening, or is not running to conclusion.
One thing to try – click the "X" to totally remove Snort. Then go to the command line and issue this command to completely remove any remaining traces of Snort:
rm -rf /usr/pbi/snort-i386Then go to the Available Packages tab and install it fresh.
I'll do manual uninstall, but is really weird this is happening, since I did that a week or two ago (manually uninstalled).
-
This is all I have after uninstall by X:
/usr/local/etc/snort/snort_59419_pppoe0/rules/snort.rules /usr/local/etc/snort/snort_59419_pppoe0/snort.conf /usr/local/etc/snort/snort.conf /usr/local/etc/snort/rules/snort_attack-responses.rules /usr/local/etc/snort/rules/snort_backdoor.rules /usr/local/etc/snort/rules/snort_bad-traffic.rules /usr/local/etc/snort/rules/snort_blacklist.rules /usr/local/etc/snort/rules/snort_botnet-cnc.rules /usr/local/etc/snort/rules/snort_chat.rules /usr/local/etc/snort/rules/snort_content-replace.rules /usr/local/etc/snort/rules/snort_ddos.rules /usr/local/etc/snort/rules/snort_deleted.rules /usr/local/etc/snort/rules/snort_dns.rules /usr/local/etc/snort/rules/snort_dos.rules /usr/local/etc/snort/rules/snort_experimental.rules /usr/local/etc/snort/rules/snort_exploit.rules /usr/local/etc/snort/rules/snort_file-identify.rules /usr/local/etc/snort/rules/snort_file-office.rules /usr/local/etc/snort/rules/snort_file-other.rules /usr/local/etc/snort/rules/snort_file-pdf.rules /usr/local/etc/snort/rules/snort_finger.rules /usr/local/etc/snort/rules/snort_ftp.rules /usr/local/etc/snort/rules/snort_icmp-info.rules /usr/local/etc/snort/rules/snort_icmp.rules /usr/local/etc/snort/rules/snort_imap.rules /usr/local/etc/snort/rules/snort_indicator-compromise.rules /usr/local/etc/snort/rules/snort_indicator-obfuscation.rules /usr/local/etc/snort/rules/snort_info.rules /usr/local/etc/snort/rules/snort_local.rules /usr/local/etc/snort/rules/snort_misc.rules /usr/local/etc/snort/rules/snort_multimedia.rules /usr/local/etc/snort/rules/snort_mysql.rules /usr/local/etc/snort/rules/snort_netbios.rules /usr/local/etc/snort/rules/snort_nntp.rules /usr/local/etc/snort/rules/snort_oracle.rules /usr/local/etc/snort/rules/snort_other-ids.rules /usr/local/etc/snort/rules/snort_p2p.rules /usr/local/etc/snort/rules/snort_phishing-spam.rules /usr/local/etc/snort/rules/snort_policy-multimedia.rules /usr/local/etc/snort/rules/snort_policy-other.rules /usr/local/etc/snort/rules/snort_policy-social.rules /usr/local/etc/snort/rules/snort_policy.rules /usr/local/etc/snort/rules/snort_pop2.rules /usr/local/etc/snort/rules/snort_pop3.rules /usr/local/etc/snort/rules/snort_pua-p2p.rules /usr/local/etc/snort/rules/snort_pua-toolbars.rules /usr/local/etc/snort/rules/snort_rpc.rules /usr/local/etc/snort/rules/snort_rservices.rules /usr/local/etc/snort/rules/snort_scada.rules /usr/local/etc/snort/rules/snort_scan.rules /usr/local/etc/snort/rules/snort_server-mail.rules /usr/local/etc/snort/rules/snort_shellcode.rules /usr/local/etc/snort/rules/snort_smtp.rules /usr/local/etc/snort/rules/snort_snmp.rules /usr/local/etc/snort/rules/snort_specific-threats.rules /usr/local/etc/snort/rules/snort_spyware-put.rules /usr/local/etc/snort/rules/snort_sql.rules /usr/local/etc/snort/rules/snort_telnet.rules /usr/local/etc/snort/rules/snort_tftp.rules /usr/local/etc/snort/rules/snort_virus.rules /usr/local/etc/snort/rules/snort_voip.rules /usr/local/etc/snort/rules/snort_web-activex.rules /usr/local/etc/snort/rules/snort_web-attacks.rules /usr/local/etc/snort/rules/snort_web-cgi.rules /usr/local/etc/snort/rules/snort_web-client.rules /usr/local/etc/snort/rules/snort_web-coldfusion.rules /usr/local/etc/snort/rules/snort_x11.rules /usr/local/etc/snort/rules/snort_web-frontpage.rules /usr/local/etc/snort/rules/snort_web-iis.rules /usr/local/etc/snort/rules/snort_web-misc.rules /usr/local/etc/snort/rules/snort_web-php.rules /usr/local/etc/snort/rules/snort_bad-traffic.so.rules /usr/local/etc/snort/rules/snort_chat.so.rules /usr/local/etc/snort/rules/snort_dos.so.rules /usr/local/etc/snort/rules/snort_exploit.so.rules /usr/local/etc/snort/rules/snort_icmp.so.rules /usr/local/etc/snort/rules/snort_imap.so.rules /usr/local/etc/snort/rules/snort_misc.so.rules /usr/local/etc/snort/rules/snort_multimedia.so.rules /usr/local/etc/snort/rules/snort_netbios.so.rules /usr/local/etc/snort/rules/snort_nntp.so.rules /usr/local/etc/snort/rules/snort_p2p.so.rules /usr/local/etc/snort/rules/snort_smtp.so.rules /usr/local/etc/snort/rules/snort_snmp.so.rules /usr/local/etc/snort/rules/snort_specific-threats.so.rules /usr/local/etc/snort/rules/snort_web-activex.so.rules /usr/local/etc/snort/rules/snort_web-client.so.rules /usr/local/etc/snort/rules/snort_web-iis.so.rules /usr/local/etc/snort/rules/snort_web-misc.so.rules /usr/local/etc/snort/rules/snort-2.9.0-open.txt /usr/local/etc/snort/rules/snort_app-detect.rules /usr/local/etc/snort/rules/snort_browser-chrome.rules /usr/local/etc/snort/rules/snort_browser-firefox.rules /usr/local/etc/snort/rules/snort_browser-ie.rules /usr/local/etc/snort/rules/snort_browser-other.rules /usr/local/etc/snort/rules/snort_browser-webkit.rules /usr/local/etc/snort/rules/snort_exploit-kit.rules /usr/local/etc/snort/rules/snort_file-executable.rules /usr/local/etc/snort/rules/snort_file-flash.rules /usr/local/etc/snort/rules/snort_file-image.rules /usr/local/etc/snort/rules/snort_file-multimedia.rules /usr/local/etc/snort/rules/snort_malware-backdoor.rules /usr/local/etc/snort/rules/snort_malware-cnc.rules /usr/local/etc/snort/rules/snort_malware-other.rules /usr/local/etc/snort/rules/snort_malware-tools.rules /usr/local/etc/snort/rules/snort_browser-plugins.rules /usr/local/etc/snort/rules/snort_indicator-shellcode.rules /usr/local/etc/snort/rules/snort_os-linux.rules /usr/local/etc/snort/rules/snort_os-other.rules /usr/local/etc/snort/rules/snort_os-solaris.rules /usr/local/etc/snort/rules/snort_os-windows.rules /usr/local/etc/snort/rules/snort_policy-spam.rules /usr/local/etc/snort/rules/snort_protocol-finger.rules /usr/local/etc/snort/rules/snort_protocol-ftp.rules /usr/local/etc/snort/rules/snort_protocol-icmp.rules /usr/local/etc/snort/rules/snort_protocol-imap.rules /usr/local/etc/snort/rules/snort_protocol-pop.rules /usr/local/etc/snort/rules/snort_protocol-services.rules /usr/local/etc/snort/rules/snort_protocol-voip.rules /usr/local/etc/snort/rules/snort_pua-adware.rules /usr/local/etc/snort/rules/snort_pua-other.rules /usr/local/etc/snort/rules/snort_server-apache.rules /usr/local/etc/snort/rules/snort_server-iis.rules /usr/local/etc/snort/rules/snort_server-mssql.rules /usr/local/etc/snort/rules/snort_server-mysql.rules /usr/local/etc/snort/rules/snort_server-oracle.rules /usr/local/etc/snort/rules/snort_server-other.rules /usr/local/etc/snort/rules/snort_server-webapp.rules /usr/local/etc/snort/rules/snort-2.9.0-open-nogpl.txt -
This is all I have after uninstall by X:
/usr/local/etc/snort/snort_59419_pppoe0/rules/snort.rules /usr/local/etc/snort/snort_59419_pppoe0/snort.conf /usr/local/etc/snort/snort.conf /usr/local/etc/snort/rules/snort_attack-responses.rules /usr/local/etc/snort/rules/snort_backdoor.rules /usr/local/etc/snort/rules/snort_bad-traffic.rules /usr/local/etc/snort/rules/snort_blacklist.rules /usr/local/etc/snort/rules/snort_botnet-cnc.rules /usr/local/etc/snort/rules/snort_chat.rules /usr/local/etc/snort/rules/snort_content-replace.rules /usr/local/etc/snort/rules/snort_ddos.rules /usr/local/etc/snort/rules/snort_deleted.rules /usr/local/etc/snort/rules/snort_dns.rules /usr/local/etc/snort/rules/snort_dos.rules /usr/local/etc/snort/rules/snort_experimental.rules /usr/local/etc/snort/rules/snort_exploit.rules /usr/local/etc/snort/rules/snort_file-identify.rules /usr/local/etc/snort/rules/snort_file-office.rules /usr/local/etc/snort/rules/snort_file-other.rules /usr/local/etc/snort/rules/snort_file-pdf.rules /usr/local/etc/snort/rules/snort_finger.rules /usr/local/etc/snort/rules/snort_ftp.rules /usr/local/etc/snort/rules/snort_icmp-info.rules /usr/local/etc/snort/rules/snort_icmp.rules /usr/local/etc/snort/rules/snort_imap.rules /usr/local/etc/snort/rules/snort_indicator-compromise.rules /usr/local/etc/snort/rules/snort_indicator-obfuscation.rules /usr/local/etc/snort/rules/snort_info.rules /usr/local/etc/snort/rules/snort_local.rules /usr/local/etc/snort/rules/snort_misc.rules /usr/local/etc/snort/rules/snort_multimedia.rules /usr/local/etc/snort/rules/snort_mysql.rules /usr/local/etc/snort/rules/snort_netbios.rules /usr/local/etc/snort/rules/snort_nntp.rules /usr/local/etc/snort/rules/snort_oracle.rules /usr/local/etc/snort/rules/snort_other-ids.rules /usr/local/etc/snort/rules/snort_p2p.rules /usr/local/etc/snort/rules/snort_phishing-spam.rules /usr/local/etc/snort/rules/snort_policy-multimedia.rules /usr/local/etc/snort/rules/snort_policy-other.rules /usr/local/etc/snort/rules/snort_policy-social.rules /usr/local/etc/snort/rules/snort_policy.rules /usr/local/etc/snort/rules/snort_pop2.rules /usr/local/etc/snort/rules/snort_pop3.rules /usr/local/etc/snort/rules/snort_pua-p2p.rules /usr/local/etc/snort/rules/snort_pua-toolbars.rules /usr/local/etc/snort/rules/snort_rpc.rules /usr/local/etc/snort/rules/snort_rservices.rules /usr/local/etc/snort/rules/snort_scada.rules /usr/local/etc/snort/rules/snort_scan.rules /usr/local/etc/snort/rules/snort_server-mail.rules /usr/local/etc/snort/rules/snort_shellcode.rules /usr/local/etc/snort/rules/snort_smtp.rules /usr/local/etc/snort/rules/snort_snmp.rules /usr/local/etc/snort/rules/snort_specific-threats.rules /usr/local/etc/snort/rules/snort_spyware-put.rules /usr/local/etc/snort/rules/snort_sql.rules /usr/local/etc/snort/rules/snort_telnet.rules /usr/local/etc/snort/rules/snort_tftp.rules /usr/local/etc/snort/rules/snort_virus.rules /usr/local/etc/snort/rules/snort_voip.rules /usr/local/etc/snort/rules/snort_web-activex.rules /usr/local/etc/snort/rules/snort_web-attacks.rules /usr/local/etc/snort/rules/snort_web-cgi.rules /usr/local/etc/snort/rules/snort_web-client.rules /usr/local/etc/snort/rules/snort_web-coldfusion.rules /usr/local/etc/snort/rules/snort_x11.rules /usr/local/etc/snort/rules/snort_web-frontpage.rules /usr/local/etc/snort/rules/snort_web-iis.rules /usr/local/etc/snort/rules/snort_web-misc.rules /usr/local/etc/snort/rules/snort_web-php.rules /usr/local/etc/snort/rules/snort_bad-traffic.so.rules /usr/local/etc/snort/rules/snort_chat.so.rules /usr/local/etc/snort/rules/snort_dos.so.rules /usr/local/etc/snort/rules/snort_exploit.so.rules /usr/local/etc/snort/rules/snort_icmp.so.rules /usr/local/etc/snort/rules/snort_imap.so.rules /usr/local/etc/snort/rules/snort_misc.so.rules /usr/local/etc/snort/rules/snort_multimedia.so.rules /usr/local/etc/snort/rules/snort_netbios.so.rules /usr/local/etc/snort/rules/snort_nntp.so.rules /usr/local/etc/snort/rules/snort_p2p.so.rules /usr/local/etc/snort/rules/snort_smtp.so.rules /usr/local/etc/snort/rules/snort_snmp.so.rules /usr/local/etc/snort/rules/snort_specific-threats.so.rules /usr/local/etc/snort/rules/snort_web-activex.so.rules /usr/local/etc/snort/rules/snort_web-client.so.rules /usr/local/etc/snort/rules/snort_web-iis.so.rules /usr/local/etc/snort/rules/snort_web-misc.so.rules /usr/local/etc/snort/rules/snort-2.9.0-open.txt /usr/local/etc/snort/rules/snort_app-detect.rules /usr/local/etc/snort/rules/snort_browser-chrome.rules /usr/local/etc/snort/rules/snort_browser-firefox.rules /usr/local/etc/snort/rules/snort_browser-ie.rules /usr/local/etc/snort/rules/snort_browser-other.rules /usr/local/etc/snort/rules/snort_browser-webkit.rules /usr/local/etc/snort/rules/snort_exploit-kit.rules /usr/local/etc/snort/rules/snort_file-executable.rules /usr/local/etc/snort/rules/snort_file-flash.rules /usr/local/etc/snort/rules/snort_file-image.rules /usr/local/etc/snort/rules/snort_file-multimedia.rules /usr/local/etc/snort/rules/snort_malware-backdoor.rules /usr/local/etc/snort/rules/snort_malware-cnc.rules /usr/local/etc/snort/rules/snort_malware-other.rules /usr/local/etc/snort/rules/snort_malware-tools.rules /usr/local/etc/snort/rules/snort_browser-plugins.rules /usr/local/etc/snort/rules/snort_indicator-shellcode.rules /usr/local/etc/snort/rules/snort_os-linux.rules /usr/local/etc/snort/rules/snort_os-other.rules /usr/local/etc/snort/rules/snort_os-solaris.rules /usr/local/etc/snort/rules/snort_os-windows.rules /usr/local/etc/snort/rules/snort_policy-spam.rules /usr/local/etc/snort/rules/snort_protocol-finger.rules /usr/local/etc/snort/rules/snort_protocol-ftp.rules /usr/local/etc/snort/rules/snort_protocol-icmp.rules /usr/local/etc/snort/rules/snort_protocol-imap.rules /usr/local/etc/snort/rules/snort_protocol-pop.rules /usr/local/etc/snort/rules/snort_protocol-services.rules /usr/local/etc/snort/rules/snort_protocol-voip.rules /usr/local/etc/snort/rules/snort_pua-adware.rules /usr/local/etc/snort/rules/snort_pua-other.rules /usr/local/etc/snort/rules/snort_server-apache.rules /usr/local/etc/snort/rules/snort_server-iis.rules /usr/local/etc/snort/rules/snort_server-mssql.rules /usr/local/etc/snort/rules/snort_server-mysql.rules /usr/local/etc/snort/rules/snort_server-oracle.rules /usr/local/etc/snort/rules/snort_server-other.rules /usr/local/etc/snort/rules/snort_server-webapp.rules /usr/local/etc/snort/rules/snort-2.9.0-open-nogpl.txtNone of that should be there after a Delete. Get to the command line (either locally or via SSH) and execute the following commands –
rm -rf /usr/local/etc/snort rm -rf /usr/local/lib/snortIf you can, reboot the firewall after the commands above to be 100% sure no other Snort process is out there running. If you are confident no Snort processes remain, you can skip the reboot.
Reinstall Snort again and let's see if things work better.
Bill
-
I have Snort set to never remove blocked IP's, but they still get removed and not all IP's from alerts are put on blocked at all. It almost seems like Snort stops working after running for a while. The process is still running and alerts are made, but nothing is blocked and IP's already blocked are removed. Last time I noticed this was just now at ~21:50 and Snort was last restarted at 12:00 after rules update.
I'm on pfSense:
2.1-BETA1 (amd64) built on Thu Apr 4 12:39:50 EDT 2013 FreeBSD 8.3-RELEASE-p7 -
I have Snort set to never remove blocked IP's, but they still get removed and not all IP's from alerts are put on blocked at all. It almost seems like Snort stops working after running for a while. The process is still running and alerts are made, but nothing is blocked and IP's already blocked are removed. Last time I noticed this was just now at ~21:50 and Snort was last restarted at 12:00 after rules update.
I'm on pfSense:
2.1-BETA1 (amd64) built on Thu Apr 4 12:39:50 EDT 2013 FreeBSD 8.3-RELEASE-p7Are all the IPs you think should be blocked, but aren't, located outside HOME_NET? In other words, are they all IP addresses that are NOT in your automatic whitelist (the $HOME_NET variable).
Second question is do you have Snort on that interface set to block SRC, DST or BOTH? That setting can affect what you see getting blocked.
I don't have a good answer yet for the IPs getting removed from the block table if you have the automatic removal disabled. Look in the file /etc/crontab to see if there is a line that reads similar to this one:
/usr/bin/nice -n20 /usr/local/sbin/expiretable -t {# of seconds} snort2cIf you see such a line, then it means the cron job did not get cleaned up/deleted.
Bill
