Netgate Discussion Forum

    Snort 2.9.4.1 pkg v. 2.5.6 Issue(s)

    pfSense Packages
    62 Posts 11 Posters 20.9k Views
    • J
      judex
      last edited by

      Thank you for clearing that up. I did not realize that "Apply Changes" button before and thought saving would be enough.
      However, when I put in a rule like this on for example:

      alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (flags:S; flow: stateless; detection_filter:track by_src, count 200, seconds 5; msg:"SYN flood attack detected!"; classtype:attempted-dos; sid:1000002; rev:1;)

      without quotes I get an error. If I put it in with quotes it gets saved but with carriage returns in the custom rules file. The interface fails to start afterwards.

      Am I doing something else wrong?
      The rule works great if I load it via the "include my.rules" in the advanced processing options of the specific interface, and put a file called my.rules in the interface directory of course.

      Alex

      BTW: I am already using 2.5.6

      2.1-RELEASE (amd64)
      built on Wed Sep 11 18:17:48 EDT 2013
      FreeBSD 8.3-RELEASE-p11

      • bmeeksB
        bmeeks
        last edited by

        @judex:

        Thank you for clearing that up. I did not realize that "Apply Changes" button before and thought saving would be enough.
        However, when I put in a rule like this on for example:

        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (flags:S; flow: stateless; detection_filter:track by_src, count 200, seconds 5; msg:"SYN flood attack detected!"; classtype:attempted-dos; sid:1000002; rev:1;)

        without quotes I get an error. If I put it in with quotes it gets saved but with carriage returns in the custom rules file. The interface fails to start afterwards.

        Am I doing something else wrong?
        The rule works great if I load it via the "include my.rules" in the advanced processing options of the specific interface, and put a file called my.rules in the interface directory of course.

        Alex

        BTW: I am already using 2.5.6

        I will use your rule for my troubleshooting.  It should work, but the text you type in the text area is run through a Base64 encode before being stored in the config file. It's then extracted via a Base64 decode before going into the custom.rules file.  That process may be altering the format.  This is a part of the Snort package I did not write and have never toyed with before, so I will have to tread carefully.

        As for the Apply Changes button, that actually performs the rules file generation from all the selected rules.  All Save does is save the choices (or custom rules) into the config.xml file of pfSense.  Apply Changes actually calls the rules building routine, and at that point any custom rules stored in config.xml get physically written to the custom.rules file.

        Bill

        • bmeeksB
          bmeeks
          last edited by

          @judex:

          However, when I put in a rule like this on for example:

          alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (flags:S; flow: stateless; detection_filter:track by_src, count 200, seconds 5; msg:"SYN flood attack detected!"; classtype:attempted-dos; sid:1000002; rev:1;)

          without quotes I get an error. If I put it in with quotes it gets saved but with carriage returns in the custom rules file. The interface fails to start afterwards.

          Alex

          Alex:

          I copied and pasted your rule exactly as shown in your post into the "custom.rules" dialog on one of my 2.0.3 test virtual machines.  I then did a Save and then Apply Changes to actually generate the rules file.  I opened the resulting custom.rules file and it was fine (no carriage returns).  I then restarted Snort on the affected interface (WAN on my test VM), and it restarted just fine.

          UPDATED:  While executing my various testing scenarios for the upcoming 2.5.7 release, I believe I stumbled upon your issue with the Apply Changes button when using Custom Rules.  The short version is "the button ain't there" when editing Custom Rules.  It only shows up when editing the Rules Categories.  My bad… :-[  I just made some changes that will be in the upcoming 2.5.7 release to address this shortcoming.  The Save button on the Custom Rules dialog will now save the custom rules and generate the correct file in the interface's directory.  I also added a Clear button that lets you just instantly clear out all the custom rules for the interface at once and then regenerate the enforcing rules file again.


          First up, I am in the US and using the standard US English locale settings.  Is that what you are using, or do you maybe have a different language or keyboard layout in your environment?

          Try pasting your rule again directly from your post above into your firewall and repeat what I did.  Let me know how that goes for you.  Your rule as written in your original post is correct and looks fine.  Without the quotes would be incorrect syntax, so that's why the error is thrown.  The dialog actually passes your custom rule text off to Snort for validation before saving it.  If Snort balks at the syntax, then an error is thrown requiring the user to fix it before saving.

          Bill

          • S
            Supermule Banned
            last edited by

            Box 1:

            Apr 25 00:08:04 php: : The Rules update has finished.
            Apr 25 00:08:04 php: : Snort has restarted with your new set of rules…
            Apr 25 00:08:02 kernel: em0: promiscuous mode enabled
            Apr 25 00:08:02 SnortStartup[21448]: Snort START For Internet(9626_em0)…
            Apr 25 00:06:14 kernel: em0: promiscuous mode disabled
            Apr 25 00:06:14 snort[52077]: *** Caught Term-Signal
            Apr 25 00:06:14 snort[52077]: *** Caught Term-Signal
            Apr 25 00:06:13 SnortStartup[6666]: Snort STOP For Internet(9626_em0)…
            Apr 25 00:06:12 php: : Building new sig-msg.map file for WAN...
            Apr 25 00:06:10 php: : Resolving and auto-enabling any flowbit-required rules for WAN...
            Apr 25 00:06:08 php: : Updating rules configuration for: WAN ...
            Apr 25 00:06:07 php: : EmergingThreats rules file update downloaded succsesfully
            Apr 25 00:06:05 php: : There is a new set of EmergingThreats rules posted. Downloading...
            Apr 25 00:06:04 php: : Snort GPLv2 Community Rules file update downloaded succsesfully
            Apr 25 00:06:03 php: : There is a new set of Snort GPLv2 Community Rules posted. Downloading...
            Apr 25 00:06:03 php: : Snort VRT rules are up to date...
            Apr 25 00:06:03 php: : Snort MD5 Attempts: 3

            Box 2:

            Apr 25 00:03:49 php: : The Rules update has finished.
            Apr 25 00:03:49 php: : Emerging Threat rules are up to date...
            Apr 25 00:03:48 php: : Snort GPLv2 Community Rules are up to date...
            Apr 25 00:03:47 php: : Snort VRT rules are up to date...
            Apr 25 00:03:47 php: : Snort MD5 Attempts: 1

            Everything is running as it should on 2.5.6 :)

            • bmeeksB
              bmeeks
              last edited by

              @Supermule:

              Everything is running as it should on 2.5.6 :)

              Good to hear.  I'm about ready to submit the Pull Request for my 2.5.7 update that solves all the open issues I posted earlier plus a handful of small nits I discovered during testing of my other fixes.

              I also found some boo-boos in the rules update code where some string variables were not properly escaped with {} when used in quotes.  While in there I decided to make the verification of the downloaded rules files a little more robust.  The old code which I inherited simply looked at the downloaded file size, and if greater than a set amount, it assumed the file was OK to unpack and use.  I changed that to now calculate the MD5 hash of the downloaded rules file and compare that to the posted MD5 hash from the origin web site.  Only if they match is the file then unpacked and the rules within it used to update the system.  This new verification process is performed for all the rule sets (Snort VRT, GPLv2 and ET).  If there is a MD5 mismatch, it is logged in the new log file viewable from the Updates tab.

              I'm going to run through my test battery one time this evening with 2.0.3 and 2.1 machines to see if I can break it with installs, uninstalls and updates.  If it survives testing, then I will post the Pull Request Thursday evening U.S. Eastern time.

              Bill
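The download verification Bill describes above (hash the downloaded rules archive, compare it with the digest posted alongside it, and unpack only on a match) as an added Python example; this is not the package's PHP code, and the archive, the posted digest line and the log list are constructed here for illustration. The size-only check it replaces is included beside it to show why a truncated or corrupted download slips past a size threshold but not a digest comparison. One caveat worth keeping in mind: because the posted digest is fetched from the same site over the same channel as the archive, this is an integrity check against broken downloads, not a proof of who published the rules; MD5 is adequate for the former but should not be read as the latter.

```python
import hashlib
import io
import tarfile
from datetime import datetime, timezone


def stamp() -> str:
    """Syslog-style timestamp for the log lines (constructed format)."""
    return datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def size_only_check(archive: bytes, min_size: int) -> bool:
    """The old approach: accept anything bigger than a fixed threshold.
    A corrupted or truncated file above the threshold still passes."""
    return len(archive) > min_size


def parse_posted_md5(text: str) -> str:
    """Posted .md5 files are usually 'HASH  filename' or just the hash;
    take the first 32-hex-character token and refuse anything else."""
    for tok in text.split():
        t = tok.lower()
        if len(t) == 32 and all(c in "0123456789abcdef" for c in t):
            return t
    raise ValueError("no MD5 digest found in posted hash file")


def verify_rules_archive(archive: bytes, posted_md5_text: str, log: list) -> bool:
    """Return True only if the archive digest matches the posted digest.
    A mismatch is logged rather than raised: the previously installed
    rules stay in place and this update round is simply skipped."""
    try:
        expected = parse_posted_md5(posted_md5_text)
    except ValueError as exc:
        log.append(f"{stamp()} [Snort] verification skipped: {exc}")
        return False
    actual = md5_hex(archive)
    if actual != expected:
        log.append(f"{stamp()} [Snort] MD5 mismatch: posted {expected}, "
                   f"downloaded {actual}; archive discarded")
        return False
    log.append(f"{stamp()} [Snort] MD5 verified ({actual}); unpacking rules")
    return True


def build_sample_archive(rules_text: str) -> bytes:
    """Constructed fixture: a tiny tar.gz holding one rules file, standing in
    for a downloaded rules snapshot."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = rules_text.encode("utf-8")
        info = tarfile.TarInfo("rules/local.rules")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    log = []
    good = build_sample_archive('alert tcp any any -> any any (msg:"test"; sid:1000001; rev:1;)\n')
    posted = md5_hex(good) + "  snortrules-snapshot.tar.gz\n"  # constructed .md5 line
    print("clean download:", verify_rules_archive(good, posted, log))
    # Flip the last byte to simulate a corrupted download.
    bad = good[:-1] + bytes([good[-1] ^ 0xFF])
    print("size check on corrupted file:", size_only_check(bad, 16))
    print("digest check on corrupted file:", verify_rules_archive(bad, posted, log))
    print("\n".join(log))
```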

              • F
                fragged
                last edited by

                @bmeeks:

                <awesome stuff="">Bill</awesome>

                Awesome! Thanks!

                • C
                  ccb056
                  last edited by

                  Does this new version fix snort ignoring the whitelist and blocking whitelisted IPs?

                  • K
                    kilthro
                    last edited by

                    @bmeeks:

                    Good to hear.  I'm about ready to submit the Pull Request for my 2.5.7 update that solves all the open issues I posted earlier plus a handful of small nits I discovered during testing of my other fixes.

                    I also found some boo-boos in the rules update code where some string variables were not properly escaped with {} when used in quotes.  While in there I decided to make the verification of the downloaded rules files a little more robust.  The old code which I inherited simply looked at the downloaded file size, and if greater than a set amount, it assumed the file was OK to unpack and use.  I changed that to now calculate the MD5 hash of the downloaded rules file and compare that to the posted MD5 hash from the origin web site.  Only if they match is the file then unpacked and the rules within it used to update the system.  This new verification process is performed for all the rule sets (Snort VRT, GPLv2 and ET).  If there is a MD5 mismatch, it is logged in the new log file viewable from the Updates tab.

                    I'm going to run through my test battery one time this evening with 2.0.3 and 2.1 machines to see if I can break it with installs, uninstalls and updates.  If it survives testing, then I will post the Pull Request Thursday evening U.S. Eastern time.

                    Bill

                    Nice thanks Bill!!!

                    • bmeeksB
                      bmeeks
                      last edited by

                      @ccb056:

                      Does this new version fix snort ignoring the whitelist and blocking whitelisted IPs?

                      That problem should have been fixed back with the release of 2.5.5.  It was a problem in the Spoink plugin that does the actual blocking.  That has been fixed for about a month now as far as I know.  Upgrade to at least the current 2.5.6 version if you are still having the problem.

                      If you have already upgraded and are still having the issue, then I need some more details.  You can PM me if you wish with some additional information if necessary.

                      Bill

                      • J
                        judex
                        last edited by

                        Bill, thx for testing the custom.rules issue.

                        Now I did again what you supposed and pasted the rule from my posting into the custom.rules field -> Saved -> clicked on the rules tab again -> clicked Apply Changes -> stopped interface -> started interface ->

                        snort[67588]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_48204_vtnet3/rules/custom.rules(1) Unknown rule type: "alert.

                        Interface did not start. The first space character stops it. I tried it with Chrome and IE. With IE there were no carriage returns in the custom.rules file but I got the same error as above when starting the interface. I am using English language in pfSense but have a German keyboard layout and system. I am using double quotes for the rule.

                        If I clear the c.r.rules field and click save and apply settings and do "cat custom.rules" on the shell, the old rule is still there. When I open c.r rules in the GUI the old rule is shown again. It seems as if the system would be one step behind the GUI all the time. I think there has been such an issue before but can find it in the forum. Maybe if I have more time in the afternoon - it is 8:39 am here and I have to leave for work. This is really weird and maybe I can find some reproducible behaviour.

                        Alex

                        2.1-RELEASE (amd64)
                        built on Wed Sep 11 18:17:48 EDT 2013
                        FreeBSD 8.3-RELEASE-p11

                        • bmeeksB
                          bmeeks
                          last edited by

                          @judex:

                          Bill, thx for testing the custom.rules issue.

                          Now I did again what you supposed and pasted the rule from my posting into the custom.rules field -> Saved -> clicked on the rules tab again -> clicked Apply Changes -> stopped interface -> started interface ->

                          snort[67588]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_48204_vtnet3/rules/custom.rules(1) Unknown rule type: "alert.

                          Interface did not start. The first space character stops it. I tried it with Chrome and IE. With IE there were no carriage returns in the custom.rules file but I got the same error as above when starting the interface. I am using English language in pfSense but have a German keyboard layout and system. I am using double quotes for the rule.

                          If I clear the c.r.rules field and click save and apply settings and do "cat custom.rules" on the shell, the old rule is still there. When I open c.r rules in the GUI the old rule is shown again. It seems as if the system would be one step behind the GUI all the time. I think there has been such an issue before but can find it in the forum. Maybe if I have more time in the afternoon - it is 8:39 am here and I have to leave for work. This is really weird and maybe I can find some reproducible behaviour.

                          Alex

                          Thanks for the feedback.  If you will PM me and provide your e-mail address, I would like to send you the latest version of the PHP file that actually handles the custom rules save and edit functions.  Just curious if it will make any difference.  I was using IE 10 for my testing, but the IE version really should not matter.  If we can swap e-mail addresses via PM, I would also like you to send me the actual custom.rules file from your system.

                          Bill
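The custom-rules path discussed in this exchange (textarea contents Base64-encoded into config.xml, decoded back out into custom.rules, then handed to Snort, which stops at the first token it cannot parse, as in the "Unknown rule type" error above) as an added Python example; it is not the package's own PHP code, only a model of the same store/extract steps with the line-ending and whitespace normalization a browser round trip can require, plus a cheap pre-flight check that reports the kind of line Snort would reject. The SNORT_ACTIONS set, the function names and the sample inputs are this example's own; the rule text is Alex's rule from earlier in the thread.

```python
import base64
import re

# Actions Snort 2.9 accepts at the start of a rule line (assumed complete for this check).
SNORT_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}

# Alex's rule from the thread, used as the sample input.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (flags:S; flow: stateless; '
               'detection_filter:track by_src, count 200, seconds 5; '
               'msg:"SYN flood attack detected!"; classtype:attempted-dos; sid:1000002; rev:1;)')


def store_custom_rules(text: str) -> str:
    """Model of the save step: the textarea text is Base64-encoded before it is
    written to config.xml."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def extract_custom_rules(stored: str) -> str:
    """Model of the extract step, plus normalization of what a browser may have
    sent: CRLF/CR become LF, a UTF-8 BOM is dropped, non-breaking spaces become
    plain spaces and trailing whitespace is removed. The result is what would be
    written to custom.rules."""
    raw = base64.b64decode(stored).decode("utf-8")
    raw = raw.lstrip("\ufeff")
    raw = raw.replace("\r\n", "\n").replace("\r", "\n")
    raw = raw.replace("\u00a0", " ")
    text = "\n".join(line.rstrip() for line in raw.split("\n")).strip("\n")
    return text + "\n" if text else ""


def check_rules(text: str) -> list:
    """Pre-flight check before the file reaches Snort: report lines whose first
    token is not a rule action (the "Unknown rule type" case), lines with
    unbalanced option parentheses, and rules without a sid.
    Returns a list of (line_number, message) tuples; empty means nothing found."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # blank lines and comments are fine
        head = s.split(None, 1)[0]
        if head not in SNORT_ACTIONS:
            problems.append((n, f"unknown rule type: {head!r}"))
            continue
        if s.count("(") != s.count(")") or not s.endswith(")"):
            problems.append((n, "unbalanced or missing option parentheses"))
        elif not re.search(r"\bsid\s*:\s*\d+\s*;", s):
            problems.append((n, "rule has no sid"))
    return problems


if __name__ == "__main__":
    # Simulate a Windows browser sending a BOM and CRLF line endings.
    stored = store_custom_rules("\ufeff" + SAMPLE_RULE + "\r\n")
    out = extract_custom_rules(stored)
    print("carriage returns left:", "\r" in out)
    print("problems in clean rule:", check_rules(out))
    # The same rule wrapped in double quotes reproduces the Snort error reported above.
    print("problems in quoted rule:", check_rules('"' + SAMPLE_RULE + '"\n'))
```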

                          • bmeeksB
                            bmeeks
                            last edited by

                            FYI.  Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve.  This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features.  This is a GUI update only.  The underlying Snort binary itself remains at 2.9.4.1.

                            Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/433

                            Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7.  When it is merged, I will open a new thread containing the Change Log.

                            Bill

                            • RonpfSR
                              RonpfS
                              last edited by

                              One little issue still present for ages is that when you are in the Snort pages,
                              if you click on the pfsense top left logo you end up with 404 - Not Found
                              because the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.

                              2.4.5-RELEASE-p1 (amd64)
                              Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                              Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                              • S
                                Supermule Banned
                                last edited by

                                Got this issue after I had upgraded. In the services widget Snort was running but in the Services -> Snort said it wasn't running. It showed as stated earlier that you needed to start Snort. I did and got this log:

                                pr 26 06:40:57 php: /snort/snort_interfaces.php: Snort START for Internet(em0)…
                                Apr 26 06:39:51 kernel: em0: promiscuous mode enabled
                                Apr 26 06:39:51 SnortStartup[28731]: Snort START for Internet(9626_em0)…
                                Apr 26 06:39:10 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
                                Apr 26 06:39:08 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
                                Apr 26 06:39:06 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
                                Apr 26 06:39:06 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
                                Apr 26 06:38:00 SnortStartup[45184]: Snort STOP for Internet(9626_em0)…
                                Apr 26 06:37:58 SnortStartup[43710]: Snort START for Internet(9626_em0)…
                                Apr 26 06:37:58 SnortStartup[42872]: Snort STOP for Internet(9626_em0)…
                                Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
                                Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] Emerging Threat rules are up to date…
                                Apr 26 06:37:48 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules are up to date…
                                Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules are up to date…
                                Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort MD5 Attempts: 1
                                Apr 26 06:37:29 check_reload_status: Reloading filter
                                Apr 26 06:37:27 check_reload_status: Syncing firewall
                                Apr 26 06:37:26 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
                                Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Starting Snort using rebuilt configuration…
                                Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
                                Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Building new sig-msg.map file for WAN…
                                Apr 26 06:37:22 php: /pkg_mgr_install.php: [Snort] Enabling any flowbit-required rules for: WAN…
                                Apr 26 06:37:20 php: /pkg_mgr_install.php: [Snort] Updating rules configuration for: WAN …
                                Apr 26 06:37:18 php: /pkg_mgr_install.php: [Snort] The Rules update has finished.
                                Apr 26 06:37:11 php: /pkg_mgr_install.php: [Snort] EmergingThreats rules file update downloaded successfully
                                Apr 26 06:37:08 php: /pkg_mgr_install.php: [Snort] There is a new set of EmergingThreats rules posted. Downloading…
                                Apr 26 06:37:07 php: /pkg_mgr_install.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
                                Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading…
                                Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] Snort VRT Rules Attempts: 1
                                Apr 26 06:36:49 apinger: rrdtool respawning too fast, waiting 300s.
                                Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort VRT rules posted. Downloading…
                                Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Snort MD5 Attempts: 1
                                Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Downloading and updating configured rule types…
                                Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Saved settings detected… rebuilding installation with saved settings...

                                It came on fine, but not because of the services widget, but manually had to start it under services -> snort despite saying it was running!

                                • G
                                  gogol
                                  last edited by

                                  @RonpfS:

                                  One little issue still present for ages is that when you are in the Snort pages,
                                  if you click on the pfsense top left logo you end up with 404 - Not Found
                                  because the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.

                                  I don't have this problem, and I haven't seen this reported before. What is your version of snort?

                                  • S
                                    Supermule Banned
                                    last edited by

                                    I don't have that either….Clear your browser cache!

                                    • G
                                      gogol
                                      last edited by

                                      @bmeeks:

                                      FYI.  Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve.  This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features.  This is a GUI update only.  The underlying Snort binary itself remains at 2.9.4.1.

                                      Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/433

                                      Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7.  When it is merged, I will open a new thread containing the Change Log.

                                      Bill

                                      Great job again Bill, I have no reason to start a new topic with 2.5.7 issues yet. I have it running!

                                      • RonpfSR
                                        RonpfS
                                        last edited by

                                        Pfsense 2.0.3 x86 fresh install with 2.0.1 config restored
                                        which give me Snort 2.9.4.1 pkg v. 2.5.6
                                        pfsense_ng Theme

                                        I don't think it's a cache problem, I tried with Chrome instead of FF; same thing happens:
                                        go to Services/Snort page and the logo points to https://xxxxx/snort/index.php

                                        Really not a big issue, just annoying  ::)

                                        2.4.5-RELEASE-p1 (amd64)
                                        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                        • S
                                          Supermule Banned
                                          last edited by

                                          can you test without a restore??

                                          Mine is pointing to https://xxxxx/index.php

                                          • RonpfSR
                                            RonpfS
                                            last edited by

                                            @Supermule:

                                            can you test without a restore??

                                            Mine is pointing to https://xxxxx/index.php

                                            I could, that means doing a fresh install from scratch on another disk
                                            doing a manual config, installing snort etc ….
                                            I might  :-\

                                            2.4.5-RELEASE-p1 (amd64)
                                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.