Snort 2.9.4.6 Pkg v 2.5.9

bmeeks

@giorgiolago:

Hi i'm using this version: pfsense 2.1-RC0 (amd64) built on Wed Jun 19 07:03:30 EDT 2013 FreeBSD 8.3-RELEASE-p8 and i have many problems here:
1- stop/start button dont work, snort is always running independent I deactivate it or not by gui
2- suppression rules made ​​through the web interface, still being shown on  alerts tab

This is a bug ?

Item #1: are you giving Snort enough time to start or stop?  Depending on how many rules you have active and how powerful your hardware is, it can take several seconds for Snort to change state and the icons adjust accordingly.  A green icon means the Snort process is running, and a red icon means it is stopped.  This is reversed from the old icons in packages older than 2.5.8.  Snort will auto-start upon a firewall reboot.  That is by design.

Item #2: Can you be more specific with your comment?  Do you mean new events are still logged?  The Alerts tab is just a dump of the most recent log file entries, so adding an alert to the Suppression List will prevent new alerts from coming in for that GID:SID, but any entries that existed prior to when the Suppression List was edited will still show up in the window depending on how many entries the screen is set to display (default is last 250 alerts).

Bill

A Former User

<kid expression="">ZOMG!!11!!! ENABLE ALL RULES BUTTON!!!!111</kid>

I'm so happy tears actually welled up in my eyes. CARP SYNC + enable all buttons. I really can't express my gratitude with words. Please check your PMs shortly. I think you'll find something there worth taking the time to reply to. These are hard times but this work should be rewarded. What's a couple of weeks with no food when you have so dedicated programmers?

Thank you
Thank you
Thank you

bmeeks

@shinzo:

So i have been playing with the Host Attribute Table but cant seem to get it running correctly.  I looked at a few examples but i keep getting
snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.

The error posted above was a result of the new Snort 2.9.4.6 binaries being compiled without the TARGETBASED option enabled.  That was caused by a timing issue on my part with the various Github Pull Requests I submitted for this upgrade.  The one enabling the TARGETBASED option did not get there until after the binaries were built.  Thanks to jimp the new binaries have just been built and posted.

So if you want to use the new Host Attribute Table option, you will first need to remove and then reinstall the Snort package in order to pickup the new binary compiled with the targetbased support.

Bill

shinzo

@jflsakfja:

<kid expression="">ZOMG!!11!!! ENABLE ALL RULES BUTTON!!!!111</kid>

I'm so happy tears actually welled up in my eyes. CARP SYNC + enable all buttons. I really can't express my gratitude with words. Please check your PMs shortly. I think you'll find something there worth taking the time to reply to. These are hard times but this work should be rewarded. What's a couple of weeks with no food when you have so dedicated programmers?

Thank you
Thank you
Thank you

you sound as happy as i was when i saw the ALL DISABLE BUTTON  ;D

A Former User

@shinzo:

you sound as happy as i was when i saw the ALL DISABLE BUTTON  ;D

I have so far clicked on each and every single rule (mostly manually enabled rules not enabled by default) except about 3/4 of web_specific_apps and most of IPS Policy - Security, so you can understand why I'm so happy  ;D. Had to manually enable rules that were disabled and needed to be enabled, check the sticky for more info. I'll be updating the list on the sticky soon(ish).

I'm still trying to calm down from the excitement. Clicking enable all, manually searching for the 10 rules out of 5420 rules and disable them takes a while to get used to. Trust me it's a lot faster than the old way of doing it  ;D

edit: oh and that 5420 is only the web_specific_apps list  :D

shinzo

@bmeeks:

@shinzo:

So i have been playing with the Host Attribute Table but cant seem to get it running correctly.  I looked at a few examples but i keep getting
snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.

The error posted above was a result of the new Snort 2.9.4.6 binaries being compiled without the TARGETBASED option enabled.  That was caused by a timing issue on my part with the various Github Pull Requests I submitted for this upgrade.  The one enabling the TARGETBASED option did not get there until afte the binaries were built.  Thanks to jimp the new binaries have just been built and posted.

So if you want to use the new Host Attribute Table option, you will first need to remove and then reinstall the Snort package in order to pickup the new binary compiled with the targetbased support.

Bill

I uninstalled and reinstalled the package and the issue has been fixed.  When doing some research yesterday i noticed someone had a list of ip addresses with the service/port next to them for the host attribute table.  A suggestion i have is to have a viewlist tab with what has been setup there.  I will post an example later in the day

bmeeks

@shinzo:

[When doing some research yesterday i noticed someone had a list of ip addresses with the service/port next to them for the host attribute table.  A suggestion i have is to have a viewlist tab with what has been setup there.  I will post an example later in the day
[/quote]

That's a good idea.  There definitely needs to be a better way to view/edit the Host Attribute Table.  What's there now was just quick and easy to get the feature out the door.  I will be happy to entertain suggestions for improvement.

Bill

Supermule

Could it be an idea to have a list of IP's that could be monitored for triggering events?

Like clients having IP's that gets triggered in Snort and then be able to send alerts to either the admin or both admin and client?

Like you have been caught in the firewall triggering this event: bla bla bla. Contact Support for solving issues.

shinzo

@bmeeks:

@shinzo:

[When doing some research yesterday i noticed someone had a list of ip addresses with the service/port next to them for the host attribute table.  A suggestion i have is to have a viewlist tab with what has been setup there.  I will post an example later in the day
[/quote]

That's a good idea.  There definitely needs to be a better way to view/edit the Host Attribute Table.  What's there now was just quick and easy to get the feature out the door.  I will be happy to entertain suggestions for improvement.

Bill

The table i saw looked like this

192.168.1.1, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
192.168.1.2, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
192.168.1.7, FreeBSD, 22|tcp|ssh 53|tcp|domain 80|tcp|http 3000|tcp|http 3128|tcp|http-proxy 3306|tcp|mysql 5000|tcp|http-proxy 8443|tcp|http

An example for a view table.  Just an idea 8)

bmeeks

@Supermule:

Could it be an idea to have a list of IP's that could be monitored for triggering events?

Like clients having IP's that gets triggered in Snort and then be able to send alerts to either the admin or both admin and client?

Like you have been caught in the firewall triggering this event: bla bla bla. Contact Support for solving issues.

Another good idea!  Maybe something where you could enter an IP or IP block and an associated contact e-mail.  A cron job would fire periodically, review the Alerts table, and fire off an e-mail to the contact.

It would take a little thought to be able to keep track of who was notified and when.  You would not want to spam the contact with e-mail notes over and over.  Might be better to spawn this idea off into a new and separate package that used a MySQL backend to store the data.  And like barnyard2 with Snort, the MySQL backend would be on a different box.  You don't want your firewall becoming a DB server.  The new package could still scan the Snort alert log, but just do all of its other processing in the MySQL backend someplace else.

I'm not familiar with all the options in barnyard2, either.  Could be that such a capability exists there already with the right plugin.

Bill

Supermule

Why not make it simple and use IMAP on the server so the emails can be searched and are serverside? Very easy and simple. And you could monitor the "sent Items" folder for new mails on every platform and gadget…

kilthro

@bmeeks:

@Supermule:

Could it be an idea to have a list of IP's that could be monitored for triggering events?

Like clients having IP's that gets triggered in Snort and then be able to send alerts to either the admin or both admin and client?

Like you have been caught in the firewall triggering this event: bla bla bla. Contact Support for solving issues.

Another good idea!  Maybe something where you could enter an IP or IP block and an associated contact e-mail.  A cron job would fire periodically, review the Alerts table, and fire off an e-mail to the contact.

It would take a little thought to be able to keep track of who was notified and when.  You would not want to spam the contact with e-mail notes over and over.  Might be better to spawn this idea off into a new and separate package that used a MySQL backend to store the data.  And like barnyard2 with Snort, the MySQL backend would be on a different box.  You don't want your firewall becoming a DB server.  The new package could still scan the Snort alert log, but just do all of its other processing in the MySQL backend someplace else.

I'm not familiar with all the options in barnyard2, either.  Could be that such a capability exists there already with the right plugin.

Bill

Or have it log the event and have the events sent to a log server and let that server notify set on the applicable criteria. I do that with my firewall already. I have it parse the alerts and notify me only on the ones I really want to.

turker

Hi,
Same time double alert.
Is this normal?

bmeeks

@Supermule:

Why not make it simple and use IMAP on the server so the emails can be searched and are serverside? Very easy and simple. And you could monitor the "sent Items" folder for new mails on every platform and gadget…

If you mean on the firewall itself, I'm not sure a lot of folks would agree with that paradigm.  The usual idea in security circles is your firewall has the absolute minimum in terms of services so as to present a very small attack surface.  So adding stuff like mail clients, databases, etc., opens up vulnerabilities.

pfSense already treads on the fine line there sometimes with all the packages available for it (Squid, Snort, etc.).  Security purists would argue that a firewall should only contain the firewall code, and anything else should be a separate box.  On the other hand, I understand and appreciate the utility of something more consolidated in the vein of a UTM type appliance running several related services.  So to each his own as we say.

Bill

bmeeks

@turker:

Hi,
Same time double alert.
Is this normal?

No, that would not be normal.  My first thought is perhaps two instances of Snort are running against the same interface.  Run this command from the firewall console (via SSH or directly from the console if you have a keyboard and monitor connected):

ps -ax | grep snort

You should see exactly one instance of Snort for each interface on your firewall where you have it enabled.  You will also have one line showing the actual command you just typed.  Ignore that one.  The others will have long command-line arguments shown with them.  How many instances of Snort show up when running the command?

Bill

turker

35928  ??  SNs    0:18.39 /usr/pbi/snort-amd64/bin/snort -R 5428 -D -q -l /var/log/snort/snort_em05428 --pid-path /var/run --nolock-pidfile -G 5428 -c /usr/pbi/snort-a
74130  ??  Ss     0:34.05 /usr/pbi/snort-amd64/bin/snort -R 5428 -E -q -l /var/log/snort/snort_em05428 --pid-path /var/run --nolock-pidfile -G 5428 -c /usr/pbi/snort-a
76150  ??  Ss     0:08.80 /usr/pbi/snort-amd64/bin/snort -R 47828 -D -q -l /var/log/snort/snort_em147828 --pid-path /var/run --nolock-pidfile -G 47828 -c /usr/pbi/snor
77552  ??  Ss     0:00.30 /usr/pbi/snort-amd64/bin/snort -R 12845 -D -q -l /var/log/snort/snort_em1_vlan212845 --pid-path /var/run --nolock-pidfile -G 12845 -c /usr/pb
25231   0  R+     0:00.00 grep snort

Supermule

A simple script to send the mail using supplied credentials. Nothing more.

@bmeeks:

@Supermule:

Why not make it simple and use IMAP on the server so the emails can be searched and are serverside? Very easy and simple. And you could monitor the "sent Items" folder for new mails on every platform and gadget…

If you mean on the firewall itself, I'm not sure a lot of folks would agree with that paradigm.  The usual idea in security circles is your firewall has the absolute minimum in terms of services so as to present a very small attack surface.  So adding stuff like mail clients, databases, etc., opens up vulnerabilities.

pfSense already treads on the fine line there sometimes with all the packages available for it (Squid, Snort, etc.).  Security purists would argue that a firewall should only contain the firewall code, and anything else should be a separate box.  On the other hand, I understand and appreciate the utility of something more consolidated in the vein of a UTM type appliance running several related services.  So to each his own as we say.

Bill

bmeeks

@turker:

35928  ??  SNs    0:18.39 /usr/pbi/snort-amd64/bin/snort -R 5428 -D -q -l /var/log/snort/snort_em05428 --pid-path /var/run --nolock-pidfile -G 5428 -c /usr/pbi/snort-a
74130  ??  Ss     0:34.05 /usr/pbi/snort-amd64/bin/snort -R 5428 -E -q -l /var/log/snort/snort_em05428 --pid-path /var/run --nolock-pidfile -G 5428 -c /usr/pbi/snort-a
76150  ??  Ss     0:08.80 /usr/pbi/snort-amd64/bin/snort -R 47828 -D -q -l /var/log/snort/snort_em147828 --pid-path /var/run --nolock-pidfile -G 47828 -c /usr/pbi/snor
77552  ??  Ss     0:00.30 /usr/pbi/snort-amd64/bin/snort -R 12845 -D -q -l /var/log/snort/snort_em1_vlan212845 --pid-path /var/run --nolock-pidfile -G 12845 -c /usr/pb
25231   0  R+     0:00.00 grep snort

You have two duplicate Snort processes running (well, I really mean running on the same interface).  They are:

35928  ??  SNs    0:18.39 /usr/pbi/snort-amd64/bin/snort -R 5428 -D -q -l /var/log/snort/snort_em05428 --pid-path /var/run --nolock-pidfile -G 5428 -c /usr/pbi/snort-a
74130  ??  Ss     0:34.05 /usr/pbi/snort-amd64/bin/snort -R 5428 -E -q -l /var/log/snort/snort_em05428 --pid-path /var/run --nolock-pidfile -G 5428 -c /usr/pbi/snort-a

Notice both are on interface em0 (I can tell by looking at the log path, since it names that with the interface name in the string).  It looks like one is in daemon mode (the one with -D in the command string) and the other is not.  Both are running against the same interface using the same rules, so that's why you are getting the duplicate alerts.  I would do a pkill on process ID 74130, or else just reboot the firewall if you can.  I've never seen that condition before and have no idea how it could have happened.  The second set of two Snort processes on interface em1 are OK.  One is the primary and the other is a VLAN running on em1, so they are really like two separate interfaces.  Those first two; however, are not differentiated by a VLAN.

Bill

turker

I could not. did not happen. (2.1 x64)

And return 2.0.3 x86.
Same system, same rules. No problem. But i seen double logging to system logs.

My rules:
Wan:Blue(+ET Cairmy&ET RBN)
LAN&VLAN:Red
All other rules are the default

bmeeks

@turker:

I could not. did not happen. (2.1 x64)

I'm  not sure what you mean with the reply above.  Do you mean you could not kill the process, or you could not reboot the firewall?  Or did you do one or the other and it still did the same thing?

One other related question, you mention "rolling back" to 2.0.3, so did you upgrade the firewall and Snort together or separately?  If you are going from 32-bit to 64-bit, then I would definitely remove Snort (and all packages), upgrade the firewall OS, then reinstall the packages.  I can see where, if you upgraded to 64-bit firmware with the packages in place, this could have happened.  The firmware upgrade always does a "reinstall" of existing packages.  The problem is that 2.1 packages are PBI form and they get stored in a different path.  So if the old Snort 2.9.4.1 was left installed from the 32-bit image, then you upgraded to a 64-bit image in-place, you could wind up with two Snort installs in different directories using the same configuration.  The package reinstall step the 64-bit firmware upgrade does would have installed Snort in the new PBI path (since the platform would be 2.1).  But if you never removed the 32-bit version, it could be left hanging around in /usr/local/etc/snort.

Snort on any 2.0.x platform stores its config in /usr/local/etc/snort.  A Snort install on 2.1 pfSense will put its config in /usr/pbi/snort-i386 or /usr/pbi/snort-amd64 depending on platform.  Both will reference and use the same config.xml file data and thus would fire up on the same interface.  This could maybe explain your scenario.

If you are game to try, remove Snort completely (click the X icon on Installed Packages), upgrade the firewall to 2.1 64-bit, then reinstall Snort from Available Packages.

@turker:

And return 2.0.3 x86.
Same system, same rules. No problem. But i seen double logging to system logs.

Double-logging of system log entries is and has been a quirk of 2.0.x.  Note that even some non-Snort things are also double logged (for example, the web configurator login at the very bottom of your screenshot).

Bill