Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort 2.9.4.6 Pkg v 2.5.9

    Scheduled Pinned Locked Moved pfSense Packages
    203 Posts 28 Posters 110.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeksB
      bmeeks
      last edited by

      @shinzo:

      When i run the command, it says
      ERROR: ./snort.conf(253) Unknown config directive: max_attribute_hosts.
      Fatal Error, Quitting..

      In the snort.conf file, its like the example you provied except for the path which is as stated before.  I lowered the max_attribute_hosts number from 10,000 to 10 and made sure there was no spaces or anything and still the same

      OK. I've seen similar behavior before with another different directive in snort.conf. It may be choking not on the "max_attribute_hosts" value, but instead on the preceding line.  Open the snort.conf in the vi editor and be sure nothing weird exists on the end of any of the lines in the Host Attribute Table section.  Be sure the filename is correct and contains nothing padded onto the end.  Save the file from the vi editor.

      Now restart Snort using the command line shell script.  Doing it this way will not rebuild the conf file.  Doing anything from the GUI will rebuild the conf file, and if that is how an error is getting in, it will come back.  Here is how to stop/start with the shell script:

      /usr/local/etc/rc.d/snort.sh start
      

      I'm using just "start", because with the error Snort is not starting.  You can substitute "stop" or "restart" at other times.

      Bill

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        @shinzo:

        the 3 lines are
        attribute_table filename /usr/local/etc/snort/snort_59927_em0/host_attributes
        config max_attribute_hosts: 10
        config max_attribute_services_per_host: 10

        If i cat the host_attributes file it display the same as in the text file.  If i VI into it, it has  ^M at the end of every line except for the last

        The ^M characters are just DOS line endings (CR/LF) instead of UNIX (LF).  They are in my file and don't seem to confuse Snort.

        Bill

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          @shinzo:

          the 3 lines are
          attribute_table filename /usr/local/etc/snort/snort_59927_em0/host_attributes
          config max_attribute_hosts: 10
          config max_attribute_services_per_host: 10

          If i cat the host_attributes file it display the same as in the text file.  If i VI into it, it has  ^M at the end of every line except for the last

          If you don't get to the bottom of this, send me your snort.conf file if you don't mind.  I will PM you with my e-mail address.  It's getting close to my bedtime here, so I'm logging out for tonight.  Us old farts have to get our rest.. :D  Will check back in tomorrow.

          Bill

          1 Reply Last reply Reply Quote 0
          • S
            shinzo
            last edited by

            Yeah i tried it again and no go, i dont mind sending you the file

            1 Reply Last reply Reply Quote 0
            • S
              shinzo
              last edited by

              yeah i couldn't get it to work.  I did what i was going to do another way.  I added this to the Advanced configuration pass-through. This is pretty much a baseline for now

              preprocessor frag3_engine: policy bsd bind_to 192.168.1.1 detect_anomalies timeout 60 overlap_limit 0 min_fragment_length 0
              preprocessor frag3_engine: policy first bind_to 192.168.1.3 detect_anomalies timeout 60 overlap_limit 0 min_fragment_length 0
              preprocessor frag3_engine: policy first bind_to 192.168.1.0/24 detect_anomalies timeout 60 overlap_limit 0 min_fragment_length 0
              preprocessor stream5_tcp: policy bsd, bind_to 192.168.1.1, overlap_limit 0, timeout 30, ports both all, max_queued_bytes 1048576, max_queued_segs 2621
              preprocessor stream5_tcp: policy windows, bind_to 192.168.1.3, overlap_limit 0, timeout 30, ports both all, max_queued_bytes 1048576, max_queued_segs 2621
              preprocessor stream5_tcp: policy vista, bind_to 192.168.1.0/24, overlap_limit 0, timeout 30, ports both all, max_queued_bytes 1048576, max_queued_segs 2621

              It works fine, as long as frag3 and stream5 have a default policy which they already do, i am able to bind specific ranges to other policies.

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                @shinzo:

                yeah i couldn't get it to work.  I did what i was going to do another way.  I added this to the Advanced configuration pass-through. This is pretty much a baseline for now

                preprocessor frag3_engine: policy bsd bind_to 192.168.1.1 detect_anomalies timeout 60 overlap_limit 0 min_fragment_length 0
                preprocessor frag3_engine: policy first bind_to 192.168.1.3 detect_anomalies timeout 60 overlap_limit 0 min_fragment_length 0
                preprocessor frag3_engine: policy first bind_to 192.168.1.0/24 detect_anomalies timeout 60 overlap_limit 0 min_fragment_length 0
                preprocessor stream5_tcp: policy bsd, bind_to 192.168.1.1, overlap_limit 0, timeout 30, ports both all, max_queued_bytes 1048576, max_queued_segs 2621
                preprocessor stream5_tcp: policy windows, bind_to 192.168.1.3, overlap_limit 0, timeout 30, ports both all, max_queued_bytes 1048576, max_queued_segs 2621
                preprocessor stream5_tcp: policy vista, bind_to 192.168.1.0/24, overlap_limit 0, timeout 30, ports both all, max_queued_bytes 1048576, max_queued_segs 2621

                It works fine, as long as frag3 and stream5 have a default policy which they already do, i am able to bind specific ranges to other policies.

                This level of "multi-engine configurations" is coming in the next release.  Now that the Snort binary is up to the latest version and we will have Snort VRT rules updates for a while, I can concentrate some time on getting the multi-engine configuration incorporated.  Once done, you will be able to do things like this via the GUI.  There will be a "default" or "global" section for each preprocessor, and then a table underneath where you can add additional rows that represent unique "engines" running under that preprocessor.  I'm still working out in my head exactly how to structure it.

                The Host Attribute Table feature can accomplish the same thing, but obviously needs third-party tools to generate the data.

                I will troubleshoot why the Host Attribute Table is not working for you.  One thing I need to validate is that the 2.0.x TBZ package file actually got compiled with "–enabled-targetbased" as an option.  The Snort GUI is identical on 2.0.x and 2.1 pfSense, but the binaries are compiled on different servers.  It could be that the new config directive for Target-Based support did not get switched on in the 2.0.x compile.  I did my test yesterday on a 2.1 virtual machine.  My 2.0.x VM also worked, but it was loaded with the binary compiled by my own test pfSense package builder.  I need to download the 2.0.x package from pfSense and make sure it works as well.

                Bill

                1 Reply Last reply Reply Quote 0
                • G
                  giorgiolago
                  last edited by

                  Hi i'm using this version: pfsense 2.1-RC0 (amd64) built on Wed Jun 19 07:03:30 EDT 2013 FreeBSD 8.3-RELEASE-p8 and i have many problems here:
                  1- stop/start button dont work, snort is always running independent I deactivate it or not by gui
                  2- suppression rules made ​​through the web interface, still being shown on  alerts tab

                  This is a bug ?

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    @shinzo:

                    So i have been playing with the Host Attribute Table but cant seem to get it running correctly.  I looked at a few examples but i keep getting
                    snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.

                    I think I've found the cause of this error.  It looks like the new Snort 2.9.4.6 binaries did not get compiled on the Package Builders with the required –enable-targetbased option enabled to support the Host Attribute Table.  I have sent a note to the pfSense Core Team asking them to look into this.  I can reliably reproduce the error when I use the Snort 2.9.4.6 binary package installed from the pfSense Package Repository.  But when I used my private Package Repository where I compiled Snort with the targetbased option enabled, the Host Attribute Table works fine.

                    Hopefully a quick recompile on the package builders will suffice to fix this error.  I will post back when I have confirmation this is fixed.  Until, then, do not enable the Host Attribute Table on the Preprocessors tab.

                    UPDATE:   This issue should now be fixed.  See this post for details:

                    http://forum.pfsense.org/index.php/topic,63568.msg344067.html#msg344067

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      @giorgiolago:

                      Hi i'm using this version: pfsense 2.1-RC0 (amd64) built on Wed Jun 19 07:03:30 EDT 2013 FreeBSD 8.3-RELEASE-p8 and i have many problems here:
                      1- stop/start button dont work, snort is always running independent I deactivate it or not by gui
                      2- suppression rules made ​​through the web interface, still being shown on  alerts tab

                      This is a bug ?

                      Item #1: are you giving Snort enough time to start or stop?  Depending on how many rules you have active and how powerful your hardware is, it can take several seconds for Snort to change state and the icons adjust accordingly.  A green icon means the Snort process is running, and a red icon means it is stopped.  This is reversed from the old icons in packages older than 2.5.8.  Snort will auto-start upon a firewall reboot.  That is by design.

                      Item #2: Can you be more specific with your comment?  Do you mean new events are still logged?  The Alerts tab is just a dump of the most recent log file entries, so adding an alert to the Suppression List will prevent new alerts from coming in for that GID:SID, but any entries that existed prior to when the Suppression List was edited will still show up in the window depending on how many entries the screen is set to display (default is last 250 alerts).

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • ?
                        A Former User
                        last edited by

                        <kid expression="">ZOMG!!11!!! ENABLE ALL RULES BUTTON!!!!111</kid>

                        I'm so happy tears actually welled up in my eyes. CARP SYNC + enable all buttons. I really can't express my gratitude with words. Please check your PMs shortly. I think you'll find something there worth taking the time to reply to. These are hard times but this work should be rewarded. What's a couple of weeks with no food when you have so dedicated programmers?

                        Thank you
                        Thank you
                        Thank you

                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          @shinzo:

                          So i have been playing with the Host Attribute Table but cant seem to get it running correctly.  I looked at a few examples but i keep getting
                          snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.

                          The error posted above was a result of the new Snort 2.9.4.6 binaries being compiled without the TARGETBASED option enabled.  That was caused by a timing issue on my part with the various Github Pull Requests I submitted for this upgrade.  The one enabling the TARGETBASED option did not get there until after the binaries were built.  Thanks to jimp the new binaries have just been built and posted.

                          So if you want to use the new Host Attribute Table option, you will first need to remove and then reinstall the Snort package in order to pickup the new binary compiled with the targetbased support.

                          Bill

                          1 Reply Last reply Reply Quote 0
                          • S
                            shinzo
                            last edited by

                            @jflsakfja:

                            <kid expression="">ZOMG!!11!!! ENABLE ALL RULES BUTTON!!!!111</kid>

                            I'm so happy tears actually welled up in my eyes. CARP SYNC + enable all buttons. I really can't express my gratitude with words. Please check your PMs shortly. I think you'll find something there worth taking the time to reply to. These are hard times but this work should be rewarded. What's a couple of weeks with no food when you have so dedicated programmers?

                            Thank you
                            Thank you
                            Thank you

                            you sound as happy as i was when i saw the ALL DISABLE BUTTON  ;D

                            1 Reply Last reply Reply Quote 0
                            • ?
                              A Former User
                              last edited by

                              @shinzo:

                              you sound as happy as i was when i saw the ALL DISABLE BUTTON  ;D

                              I have so far clicked on each and every single rule (mostly manually enabled rules not enabled by default) except about 3/4 of web_specific_apps and most of IPS Policy - Security, so you can understand why I'm so happy  ;D. Had to manually enable rules that were disabled and needed to be enabled, check the sticky for more info. I'll be updating the list on the sticky soon(ish).

                              I'm still trying to calm down from the excitement. Clicking enable all, manually searching for the 10 rules out of 5420 rules and disable them takes a while to get used to. Trust me it's a lot faster than the old way of doing it  ;D

                              edit: oh and that 5420 is only the web_specific_apps list  :D

                              1 Reply Last reply Reply Quote 0
                              • S
                                shinzo
                                last edited by

                                @bmeeks:

                                @shinzo:

                                So i have been playing with the Host Attribute Table but cant seem to get it running correctly.  I looked at a few examples but i keep getting
                                snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.

                                The error posted above was a result of the new Snort 2.9.4.6 binaries being compiled without the TARGETBASED option enabled.  That was caused by a timing issue on my part with the various Github Pull Requests I submitted for this upgrade.  The one enabling the TARGETBASED option did not get there until afte the binaries were built.  Thanks to jimp the new binaries have just been built and posted.

                                So if you want to use the new Host Attribute Table option, you will first need to remove and then reinstall the Snort package in order to pickup the new binary compiled with the targetbased support.

                                Bill

                                I uninstalled and reinstalled the package and the issue has been fixed.  When doing some research yesterday i noticed someone had a list of ip addresses with the service/port next to them for the host attribute table.  A suggestion i have is to have a viewlist tab with what has been setup there.  I will post an example later in the day

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  @shinzo:

                                  [When doing some research yesterday i noticed someone had a list of ip addresses with the service/port next to them for the host attribute table.  A suggestion i have is to have a viewlist tab with what has been setup there.  I will post an example later in the day
                                  [/quote]

                                  That's a good idea.  There definitely needs to be a better way to view/edit the Host Attribute Table.  What's there now was just quick and easy to get the feature out the door.  I will be happy to entertain suggestions for improvement.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    Supermule Banned
                                    last edited by

                                    Could it be an idea to have a list of IP's that could be monitored for triggering events?

                                    Like clients having IP's that gets triggered in Snort and then be able to send alerts to either the admin or both admin and client?

                                    Like you have been caught in the firewall triggering this event: bla bla bla. Contact Support for solving issues.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      shinzo
                                      last edited by

                                      @bmeeks:

                                      @shinzo:

                                      [When doing some research yesterday i noticed someone had a list of ip addresses with the service/port next to them for the host attribute table.  A suggestion i have is to have a viewlist tab with what has been setup there.  I will post an example later in the day
                                      [/quote]

                                      That's a good idea.  There definitely needs to be a better way to view/edit the Host Attribute Table.  What's there now was just quick and easy to get the feature out the door.  I will be happy to entertain suggestions for improvement.

                                      Bill

                                      The table i saw looked like this

                                      192.168.1.1, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
                                      192.168.1.2, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
                                      192.168.1.7, FreeBSD, 22|tcp|ssh 53|tcp|domain 80|tcp|http 3000|tcp|http 3128|tcp|http-proxy 3306|tcp|mysql 5000|tcp|http-proxy 8443|tcp|http

                                      An example for a view table.  Just an idea 8)

                                      1 Reply Last reply Reply Quote 0
                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @Supermule:

                                        Could it be an idea to have a list of IP's that could be monitored for triggering events?

                                        Like clients having IP's that gets triggered in Snort and then be able to send alerts to either the admin or both admin and client?

                                        Like you have been caught in the firewall triggering this event: bla bla bla. Contact Support for solving issues.

                                        Another good idea!  Maybe something where you could enter an IP or IP block and an associated contact e-mail.  A cron job would fire periodically, review the Alerts table, and fire off an e-mail to the contact.

                                        It would take a little thought to be able to keep track of who was notified and when.  You would not want to spam the contact with e-mail notes over and over.  Might be better to spawn this idea off into a new and separate package that used a MySQL backend to store the data.  And like barnyard2 with Snort, the MySQL backend would be on a different box.  You don't want your firewall becoming a DB server.  The new package could still scan the Snort alert log, but just do all of its other processing in the MySQL backend someplace else.

                                        I'm not familiar with all the options in barnyard2, either.  Could be that such a capability exists there already with the right plugin.

                                        Bill

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          Supermule Banned
                                          last edited by

                                          Why not make it simple and use IMAP on the server so the emails can be searched and are serverside? Very easy and simple. And you could monitor the "sent Items" folder for new mails on every platform and gadget…

                                          1 Reply Last reply Reply Quote 0
                                          • K
                                            kilthro
                                            last edited by

                                            @bmeeks:

                                            @Supermule:

                                            Could it be an idea to have a list of IP's that could be monitored for triggering events?

                                            Like clients having IP's that gets triggered in Snort and then be able to send alerts to either the admin or both admin and client?

                                            Like you have been caught in the firewall triggering this event: bla bla bla. Contact Support for solving issues.

                                            Another good idea!  Maybe something where you could enter an IP or IP block and an associated contact e-mail.  A cron job would fire periodically, review the Alerts table, and fire off an e-mail to the contact.

                                            It would take a little thought to be able to keep track of who was notified and when.  You would not want to spam the contact with e-mail notes over and over.  Might be better to spawn this idea off into a new and separate package that used a MySQL backend to store the data.  And like barnyard2 with Snort, the MySQL backend would be on a different box.  You don't want your firewall becoming a DB server.  The new package could still scan the Snort alert log, but just do all of its other processing in the MySQL backend someplace else.

                                            I'm not familiar with all the options in barnyard2, either.  Could be that such a capability exists there already with the right plugin.

                                            Bill

                                            Or have it log the event and have the events sent to a log server and let that server notify set on the applicable criteria. I do that with my firewall already. I have it parse the alerts and notify me only on the ones I really want to.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.