Snort 2.9.4.1 pkg v.2.5.8

bmeeks

@gogol:

But I can't change the driver for my Virtual Machine  >:(

If it's VMware, yes you can.  Simply choose e1000 in the NIC options (for ESXi).  For Workstation you can manually edit the vmx file.  Do a quick Google search.  VMware will usually by default configure the e1000 NIC driver for virtual machines.  This driver will show up in pfSense as "em0".

Bill

gogol

We are going off-topic but I have a Mac and Parallels Desktop. Too bad :'(

bmeeks

@gogol:

We are going off-topic but I have a Mac and Parallels Desktop. Too bad :'(

Oh…there is VMware Fusion for the Mac ... :D

A Former User

Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

/usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

/usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
#some comments
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
and so on and so forth…
As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled,used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.

gogol

I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

[02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157

This should give a clou I guess?

bmeeks

@gogol:

I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

[02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157

This should give a clou I guess?

Yep, the box is running out of memory to hold the rules from the IPS Security policy as it loads them into an array for manipulation.  Can you give the amount of RAM configured in your box and whether you are running 32-bit or 64-bit pfSense kernel.

Bill

bmeeks

@jflsakfja:

Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

/usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

/usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
#some comments
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
and so on and so forth…
As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled,used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.

Same question for you as for gogol:

How much RAM is installed in your firewall and are you running 32-bit or 64-bit pfSense?

Can you list for me the exact sequence of steps you go through to get the blank page?  Where do you click and in what order?  I want to try and reproduce this by configuring a VM with the same specs and then duplicating your steps precisely.

Oh, and the "xxxx" in my previous post was referring to that "7104" number.  That is an unique identifier (UUID) generated by the system for each configured Snort interface.  Each one will be different, hence I just said "xxxx" in my post.

Bill

Supermule

I needed 4GB to run Snort in a stable state. 2GB was not enough to load all the rules and it pulled a Swap file error on me.

Did a lot of searching together with Bill to come to that conclusion :)

gogol

@bmeeks:

@gogol:

I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

[02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157

This should give a clou I guess?

Yep, the box is running out of memory to hold the rules from the IPS Security policy as it loads them into an array for manipulation.  Can you give the amount of RAM configured in your box and whether you are running 32-bit or 64-bit pfSense kernel.

Bill

I have 2 GB Ram on a 32bit system. I have 1 snort sensor and Dashboard says that I use 67% Ram. I tested on a VM and upped it to 4 GB of Ram. Dashboard says 49% of Ram used, but I get the same crash report.

fragged

If I load some ET rules + IPS Security, Snort is using +2 GB RAM on my system with AC as memory performance option. So it could be that your system is running out of memory. Either for Snort process or PHP possibly.

Supermule

I run AC-Sparsebands. Try that and see if it makes a difference.

fragged

In my case it doesn't matter how much memory Snort uses, I just thought of mentioning it to remind that Snort is a resource hog with a lot of rules loaded up. My box has 8 GB RAM and I run AMD64 version of Snort, so memory usage isn't really a problem :)

kilthro

Thanks for all of the hard work on this. I just updated today. All went well so far and i am loving the new features! Just gotta wait and see if auto updates run ok. ;)

bmeeks

@gogol:

I have 2 GB Ram on a 32bit system. I have 1 snort sensor and Dashboard says that I use 67% Ram. I tested on a VM and upped it to 4 GB of Ram. Dashboard says 49% of Ram used, but I get the same crash report.

Sorry to continue with questions, but I need one more answered to help me reproduce.  Besides the Snort VRT rules, what others are you running?

Emerging Threats (if yes, how many categories are selected)?

Snort GPLv2 Community Rules?

I will send you a PM with my e-mail address, and if you don't mind I would like for you to send me a copy of your config.xml (or at least the sections for Snort).  I want to reproduce your setup and see if I can force the same problem.

Bill

marcelloc

[02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157

This is related to a 128Mb php memory limit set on conf files.

In some packages I use this code to set a larger memory limit.

$uname=posix_uname();
if ($uname['machine']=='amd64')
        ini_set('memory_limit', '250M');

A Former User

@bmeeks:

@jflsakfja:

Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

/usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

/usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
#some comments
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
and so on and so forth…
As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled,used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.

Same question for you as for gogol:

How much RAM is installed in your firewall and are you running 32-bit or 64-bit pfSense?

Can you list for me the exact sequence of steps you go through to get the blank page?  Where do you click and in what order?  I want to try and reproduce this by configuring a VM with the same specs and then duplicating your steps precisely.

Oh, and the "xxxx" in my previous post was referring to that "7104" number.  That is an unique identifier (UUID) generated by the system for each configured Snort interface.  Each one will be different, hence I just said "xxxx" in my post.

Bill

Please re-read my post. /usr/pbi/snort_i386/ is miles away from /usr/local/etc/snort. UUID has nothing to do with it.

I'm running 2GB of RAM in a 32 bit pfsense. Just selecting Security shows the blank page. Running GPLv2 rules (ALL), emerging threats (ALL) and VRT rules (guessed it right, ALL). AC-BNFA. I have never run out of memory during all the previous years running this setup,as previously mentioned RAM usage never goes above 40% and that's on the days that clients are downloading, webservers get hammered and so on and so forth (WORST CASE SCENARIO), so it's not the memory that's the problem. The problem lies within a change introduced in the last package version.
Not meaning to sound rude or anything, but once it happens, twice is a coincidence, third time something's wrong.

Install a 32 bit pfsense in a vm, install snort package and select everything I mentioned above. I bet you'll get the blank page.

gogol

@dhatz:

@bmeeks:

Another user in the thread topic you linked was also having a problem with a newer Intel NIC (using the fxp0) driver.
He swapped out his card and his problems also went away.

Unless something changed very recently, the fxp(4) FreeBSD driver is used for ancient (mid-1990s) 100Mbps Intel NICs.

For best results it is recommended to use relatively recent (less than 10 years old) Intel GbE NICs such as those supported by the em(4) driver, and IMHO avoid wasting developers' time troubleshooting 20 year old hardware …

PS: bmeeks keep up your fine work !!!

I wonder why my 82574L Intel NIC doesn't work and an old Realtek 8139 does with Snort version 2.5.8. Anyway I am going to replace the Realtek NIC with an Intel Pro 1000 GT card. Let us see what happens then.

Supermule

I have it running no issues in a VM using E1000 driver on Dual port Intel Server NIC's.

gogol

@Supermule:

I have it running no issues in a VM using E1000 driver on Dual port Intel Server NIC's.

Even on a VM on a MAC with the em0 driver I have the same issues (alert -> check_reload_status -> high cpu -> filter reset). Still wondering  ;)

bmeeks

@jflsakfja:

Please re-read my post. /usr/pbi/snort_i386/ is miles away from /usr/local/etc/snort. UUID has nothing to do with it.

I'm running 2GB of RAM in a 32 bit pfsense. Just selecting Security shows the blank page. Running GPLv2 rules (ALL), emerging threats (ALL) and VRT rules (guessed it right, ALL). AC-BNFA. I have never run out of memory during all the previous years running this setup,as previously mentioned RAM usage never goes above 40% and that's on the days that clients are downloading, webservers get hammered and so on and so forth (WORST CASE SCENARIO), so it's not the memory that's the problem. The problem lies within a change introduced in the last package version.
Not meaning to sound rude or anything, but once it happens, twice is a coincidence, third time something's wrong.

Install a 32 bit pfsense in a vm, install snort package and select everything I mentioned above. I bet you'll get the blank page.

Sorry about giving you the wrong path.  I am confusing different users' environments.  Hard to keep the posts with similar problems separated sometimes.  From your path, you are on 2.0.x and not 2.1.  Users on 2.1 will have the /usr/pbi/ path.  Both paths will have a UUID as part of the snort interface sub-directory name.

I am testing this scenario.

Bill