    Snort Package 2.5.7 – Issues

    pfSense Packages
    59 Posts 11 Posters 16.2k Views
      Mr. Jingles

      @Supermule:

      install the filemanager package and there is a DL function build in :)

      Thank you very much  ;D

      Your speedtest picture in your sig: ARE you a backbone yourself  ???

      :P

      ;D

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

        ccb056

        I am still having problems with Snort blocking whitelisted IPs. I just sent you a PM, bmeeks.

        Thanks for all your work so far, Snort has consistently been improving with all your hard work and releases! It's greatly appreciated by the community.  :)

          bmeeks

          @ccb056:

          I am still having problems with Snort blocking whitelisted IPs. I just sent you a PM, bmeeks.

          Thanks for all your work so far, Snort has consistently been improving with all your hard work and releases! It's greatly appreciated by the community.  :)

          I received the PM and will look into it.  As I mentioned in my PM reply to you, I will have to solicit some assistance from Ermal on this one as he is the expert with the Spoink plugin where the actual blocking and whitelist testing takes place.

          Bill

            bmeeks

            @Hollander:

            The killall instructions you gave return nothing:

            
            [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2): /usr/bin/killall snort
            No matching processes were found
            [2.0.3-RELEASE][admin@pfsense.localdomain]/root(3): ps -ax | grep snort
            [2.0.3-RELEASE][admin@pfsense.localdomain]/root(4):

            I can press 'start' (the green icon) as many times as I want to; it stays green, and the dashboard service widget also shows all packages running except for Snort, which is stopped, and starting it from that dashboard widget doesn't make it run either. Starting it from the shell:

            
            [2.0.3-RELEASE][admin@pfsense.localdomain]/root(8): /usr/local/etc/rc.d/snort.sh start
            [2.0.3-RELEASE][admin@pfsense.localdomain]/root(9):

            (I don't know what that means).

            But in the GUI Snort is still stopped.

            And for a slightly less stupid (but still not the brightest  :-[) question: is there another Snort log I should look into (via the shell) in addition to the general system log in the GUI?

            Thank you very much for any help  ;D


            I see from the posted snort.sh script that you are running Snort on a PPPoE interface.  I've never done that.  I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces.  Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection.  It could be that PPPoE and Snort don't like each other, but I don't know that for sure.  I've just never encountered that configuration.

            As for your second question relative to logs, there is really just the system log.  You can see part of it in the GUI, or you can go to /var/log/system.log and see it all.  Other than a separate rules update log, there is no separate log file for Snort (aside from the alerts log, but no system startup/error messages get printed there).

            Bill

              boshaus

              I've been trying to get Snort to work on my router but have been running into some issues.

              I'm running a new install of 2.1-BETA1 April 25 Build on i386.

              The package installs fine, but when I set it up on my WAN interface and add a basic rule, such as:

              alert tcp any any -> any 80 (msg:"HTTP Testing Rule"; sid:1098001; rev:1;)
              

              The Snort service starts, but will crash the first time something matches the rule (such as me running wget http://myip/):

              Apr 28 16:11:20	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(snort wan)...
              Apr 28 16:11:20	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
              Apr 28 16:11:20	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
              Apr 28 16:11:21	php: /snort/snort_interfaces.php: Snort START for snort wan(bge0)...
              Apr 28 16:11:21	kernel: bge0: promiscuous mode enabled
              Apr 28 16:11:31	kernel: pid 44641 (snort), uid 0: exited on signal 11
              Apr 28 16:11:31	kernel: bge0: promiscuous mode disabled
              

              So I played around with it some more, and the command it generates to run snort is:

              /usr/local/bin/snort -R 18495 -D -q -l /var/log/snort/snort_bge018495 --pid-path /var/run --nolock-pidfile -G 18495 -c /usr/pbi/snort-i386/etc/snort/snort_18495_bge0/snort.conf -i bge0
              

              If I remove the -D, and instead add -A console, it seems to be acting just fine:

              04/28/13-16:15:01.659745  [**] [1:1098001:1] HTTP Testing Rule [**] [Priority: 0] {TCP} x.x.x.x:58385 -> x.x.x.x:80
              

              Likewise, "-A full" will add data to the alert log file, but those alerts never show up in the web interface.

              If I run it without a -A, it will crash and just say Segmentation fault.

                boshaus

                Never mind, I figured it out. I searched the forums more (Google failed me yesterday when I was using it to search).

                I needed to define a classtype in the rule.  Once I did that everything seems to be working.
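
The crash and fix boshaus describes above (a rule carrying only msg, sid and rev crashing the instance on its first match, resolved by adding a classtype) is the kind of thing a pre-deployment check catches. The following Python linter is an added example, not code from the thread or from the pfSense Snort package: it parses a Snort 2 rule, splits its option body while respecting quoted strings, and reports missing options; the REQUIRED_OPTIONS tuple, the local-sid convention check and the sample rules are assumptions made for this illustration.

```python
import re

# Options a custom rule should carry before it is loaded into a Snort 2
# instance.  The thread above shows a rule with only msg/sid/rev crashing
# on first match (signal 11); adding a classtype fixed it.  This tuple is an
# assumption for the example, not a list taken from the Snort package.
REQUIRED_OPTIONS = ("msg", "sid", "rev", "classtype")

# Rule header: action proto src sport dir dst dport (options)
RULE_HEADER = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _store(result, item):
    """Store one 'key:value' or bare 'key' option; strips quotes from values."""
    item = item.strip()
    if not item:
        return
    key, _, val = item.partition(":")
    result[key.strip()] = val.strip().strip('"')


def parse_options(opts):
    """Split an option body into {keyword: value}.

    Honours double quotes so that a ';' inside msg:"..." does not split the
    option; a backslash-escaped quote does not toggle the quoted state."""
    result, buf, in_quote, prev = {}, [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            _store(result, "".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if buf:  # trailing option without a closing ';'
        _store(result, "".join(buf))
    return result


def lint_rule(rule):
    """Return a list of problems found in one rule (empty list means OK)."""
    m = RULE_HEADER.match(rule)
    if not m:
        return ["unparseable rule header"]
    opts = parse_options(m.group("opts"))
    problems = ["missing %s" % k for k in REQUIRED_OPTIONS if k not in opts]
    sid = opts.get("sid", "")
    if sid and not sid.isdigit():
        problems.append("sid is not numeric")
    elif sid and int(sid) < 1000000:  # Snort reserves < 1,000,000 for vendor rules
        problems.append("local rule sid should be >= 1000000")
    return problems


# Constructed samples: the rule from the thread, and a version with a classtype.
BROKEN_RULE = 'alert tcp any any -> any 80 (msg:"HTTP Testing Rule"; sid:1098001; rev:1;)'
FIXED_RULE = ('alert tcp any any -> any 80 (msg:"HTTP Testing Rule"; '
              'classtype:policy-violation; sid:1098001; rev:1;)')

if __name__ == "__main__":
    for r in (BROKEN_RULE, FIXED_RULE):
        print(lint_rule(r) or "OK", "<-", r)
```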

                  boshaus

                  OK, one more issue I encountered. I noticed it wasn't catching events that it should have. For example, when I enable the ET Policy rules on my LAN, it should alert on Skype connections, FTP connections, Dropbox, Apple software update, etc.

                  While digging, it seems that it's not populating my $HOME_NET variable in snort.conf properly. It adds my router's IP 192.168.13.1, but not the 192.168.13.0/24 subnet.

                  I haven't been able to figure out how to change it off 'default' addresses either in the interface settings.  I created aliases in the firewall settings as was suggested but that doesn't seem to make a difference.

                  Edit: OK, figured out this one too. I figure I'll leave the fix in case someone else has this issue. I had to create a whitelist in Snort and link that whitelist to my firewall alias with my LAN subnet. Then I could set that as my homenet. Although it still seems to me that this should automatically be added into the snort.conf without having to go through this step.

                    Treffin

                    Quick question (or maybe feature request?)…

                    I have my snort config set to "NEVER" remove bogeys from the "Blocked" list.  However when the system is rebooted the list is cleared.  I usually reboot a few times a week due to power issues, a crappy cable modem, or just beta code updates.  I am curious as to whether there is a config option, command-line option, etc. that will allow snort to retain the blocked list indefinitely, even beyond a reboot?

                    On occasion I do save the list and suppose that I could somehow add those addresses to an alias, then block that list at the firewall.  But as my job has me traveling often, I'm not always able to check/save the blocked list before it goes away.

                    Thoughts?

                    Thanks!
                    David

                      Supermule Banned

                      Good idea!!

                        Mr. Jingles

                        Moved to its own thread, here: http://forum.pfsense.org/index.php/topic,61757.0.html

                        6 and a half billion people know that they are stupid, aggressive, lower life forms.

                          Supermule Banned

                          Could it be related to the fact that you use a private IP as WAN, and then Snort doesn't see it because of the definition of home net?

                            Mr. Jingles

                            Moved to its own thread, here: http://forum.pfsense.org/index.php/topic,61757.0.html

                            6 and a half billion people know that they are stupid, aggressive, lower life forms.

                              gogol

                              This topic is meant for common Snort 2.5.7 issues, and I have the feeling Snort is very solid now, at least on my system.

                              Now we are discussing a setup issue that is very specific. I think it is better to start a new topic on this PPPoE setup. It will have a better title, too.

                                Mr. Jingles

                                @gogol:

                                This topic is meant for common Snort 2.5.7 issues, and I have the feeling Snort is very solid now, at least on my system.

                                Now we are discussing a setup issue that is very specific. I think it is better to start a new topic on this PPPoE setup. It will have a better title, too.

                                Might be a good idea  ;D

                                I'll create a new thread and move my post in there.

                                6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                  carboncopy

                                  Unless I am missing something simple, it looks like the internal interface (in my case em0) is not populating the home_net (192.168.1.0/24) variable correctly.

                                  When I manually edit /usr/local/etc/snort/snort_52009_em0/snort.conf and reload the config, my home_net (192.168.1.0/24) is overwritten to only include the gateway (192.168.1.1) IP address.  This obviously is causing me to miss events from the private network.

                                  I've tried the following to resolve the issue:

                                  1. Reinstalled the Snort package - failed to fix issue
                                  2. Uninstalled/reinstalled Snort package - failed to fix the issue
                                  3. Edited snort.conf for the internal interface - failed to fix the issue

                                  Thanks,

                                  CarbonCopy

                                    boshaus

                                    @carboncopy:

                                    Unless I am missing something simple, it looks like the internal interface (in my case em0) is not populating the home_net (192.168.1.0/24) variable correctly.

                                    When I manually edit /usr/local/etc/snort/snort_52009_em0/snort.conf and reload the config, my home_net (192.168.1.0/24) is overwritten to only include the gateway (192.168.1.1) IP address.  This obviously is causing me to miss events from the private network.

                                    I've tried the following to resolve the issue:

                                    1. Reinstalled the Snort package - failed to fix issue
                                    2. Uninstalled/reinstalled Snort package - failed to fix the issue
                                    3. Edited snort.conf for the internal interface - failed to fix the issue

                                    Thanks,

                                    CarbonCopy

                                    I had the same issue and posted about it earlier in this thread, but here's the workaround I ended up using.  Manually editing snort.conf doesn't work because it just gets recreated and overwritten.

                                    Go to Firewall, Aliases, and make an alias for your 192.168.1.0/24 network. I named mine LANSUB.

                                    Go to snort settings, whitelists, create a whitelist, called myhomenet for example, leave all the boxes checked and add the LANSUB alias.

                                    Go to the snort interface settings, change the homenet from default to myhomenet.

                                    Save and restart the service(s).

                                      carboncopy

                                      It seems like there is an error in the script that runs to configure snort.conf. I am thinking this is a simple fix, but I'll let the experts speak to the issue. I don't really have time to dig on it. Thanks for the workaround, by the way.

                                      -CC

                                        gogol

                                        @carboncopy:

                                        It seems like there is an error in the script that runs to configure snort.conf. I am thinking this is a simple fix, but I'll let the experts speak to the issue. I don't really have time to dig on it. Thanks for the workaround, by the way.

                                        -CC

                                        When you edit the Snort interface: What is defined for Homenet in Snort Interface settings?

                                          bmeeks

                                          @carboncopy:

                                          It seems like there is an error in the script that runs to configure snort.conf. I am thinking this is a simple fix, but I'll let the experts speak to the issue. I don't really have time to dig on it. Thanks for the workaround, by the way.

                                          -CC

                                          How many interfaces are you running Snort on?  Just the WAN, or WAN and LAN, or some other combination?  The code that builds the snort.conf file (and the $HOME_NET variable) asks pfSense for the addresses associated with the interface Snort is running on, and then any far-end gateways (for example, on the WAN side).

                                          Bill

                                            boshaus

                                            @bmeeks:

                                            @carboncopy:

                                            It seems like there is an error in the script that runs to configure snort.conf. I am thinking this is a simple fix, but I'll let the experts speak to the issue. I don't really have time to dig on it. Thanks for the workaround, by the way.

                                            -CC

                                            How many interfaces are you running Snort on?  Just the WAN, or WAN and LAN, or some other combination?  The code that builds the snort.conf file (and the $HOME_NET variable) asks pfSense for the addresses associated with the interface Snort is running on, and then any far-end gateways (for example, on the WAN side).

                                            Bill

                                            On my setup I had the same error. I have 4 interfaces: WAN, LAN, Opt1 (OpenVPN server for mobile SSL clients) and Opt2 (OpenVPN client for a site-to-site shared key VPN). I run Snort on the WAN and LAN interfaces. On the Snort instance on my LAN interface, it detected the IP of the interface (192.168.13.1) but did not add 192.168.13.0/24. It did catch my VPN subnets (192.168.14.0/24 for the mobile, and 10.0.8.0/24 for the site-to-site connection), WAN subnet, DNS servers, and localhost.

                                            I think the wan interface came up with the same list, but I don't have access to the router right now to look.

                                            I tried digging around the code to see where the issue was but ran out of time last night.
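
The $HOME_NET symptom boshaus and carboncopy report above (the interface host address is listed, its subnet is not, so events from the rest of the LAN are missed) can be shown directly. The Python snippet below is an added example, not the pfSense Snort package's own code: it assembles an ipvar HOME_NET line from the kinds of address data bmeeks says the package requests, and compares the host-only list with one that also includes the interface's network. The dictionary layout, its key names and the 203.0.113.x gateway and DNS addresses are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample of what pfSense might report for the LAN instance in
# boshaus's post.  The dict layout and key names are assumptions for this
# example, not the Snort package's own data structures; 203.0.113.0/24 is
# a documentation range standing in for real WAN-side addresses.
SAMPLE_INTERFACE = {
    "name": "em0",
    "address": "192.168.13.1/24",                         # interface IP + mask
    "extra_subnets": ["192.168.14.0/24", "10.0.8.0/24"],  # OpenVPN networks
    "gateways": ["203.0.113.1"],                          # far-end WAN gateway
    "dns": ["203.0.113.53"],                              # configured DNS server
}


def home_net_addresses(iface, include_subnet=True):
    """Collect HOME_NET members for one interface, sorted for stable output.

    include_subnet=False reproduces the symptom from the thread: only the
    interface host address (192.168.13.1) is listed, so traffic from the
    rest of 192.168.13.0/24 is not treated as home.  include_subnet=True
    also adds the interface's own network, derived from its mask."""
    ip_iface = ipaddress.ip_interface(iface["address"])
    members = {str(ip_iface.ip), "127.0.0.1"}
    if include_subnet:
        members.add(str(ip_iface.network))
    for key in ("extra_subnets", "gateways", "dns"):
        members.update(iface.get(key, []))
    return sorted(members, key=lambda a: ipaddress.ip_network(a, strict=False))


def render_home_net(iface, include_subnet=True):
    """Render an 'ipvar HOME_NET [...]' line in snort.conf syntax."""
    return "ipvar HOME_NET [%s]" % ",".join(home_net_addresses(iface, include_subnet))


def is_home(addr, iface, include_subnet=True):
    """True if addr falls inside any HOME_NET member (single host or network)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False)
               for m in home_net_addresses(iface, include_subnet))


if __name__ == "__main__":
    # Host-only list first (the reported behaviour), then the list with the subnet.
    for flag in (False, True):
        print(render_home_net(SAMPLE_INTERFACE, flag))
        print("  192.168.13.50 is home:", is_home("192.168.13.50", SAMPLE_INTERFACE, flag))
```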

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.