Snort 2.9.4.6 Pkg v 2.5.9
-
Has anyone else been experiencing this when Snort tries to update? I been getting it for a couple of weeks now. I have set to update once per day automatically which is around midnight.. Should the update run at a different time?
I do pay the yearly subscription to snort. I just have the snort.org rules and Emerging ones enabled. I am guessing its more of an issue with snort site than the app here with pfsense. Just wondering if I was the only one seeing this.Bill would it be possible if everyone (mass population) would like it to, to have the most recent snort update entry at the top of the log rather than the bottom? Not a major issue just save me some scrolling which at times is a P.I.T.A. on a mobile device.. No worries if its left as is.. just thought I would ask.
system log
Aug 4 00:08:03 php: : [Snort] The Rules update has finished.
Aug 4 00:08:03 php: : [Snort] Emerging Threat rules are up to date…
Aug 4 00:08:02 php: : [Snort] Server returned error code '0'…
Aug 4 00:08:02 php: : [Snort] Snort VRT md5 download failed…
Aug 4 00:08:02 php: : File 'snortrules-snapshot-2946.tar.gz.md5' download attempts: 4 ...
Aug 4 00:07:47 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:07:47 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:06:32 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:06:32 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:05:17 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:05:17 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:04:02 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:04:02 php: : [Snort] Rules download error: Empty reply from serverSnort update log
Starting rules update… Time: 2013-08-04 00:03:01
Downloading Snort VRT md5 file...
Snort VRT md5 download failed.
Server returned error code '0'.
Server error message was 'Empty reply from server'
Snort VRT rules will not be updated.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
Emerging Threats rules are up to date.
The Rules update has finished. Time: 2013-08-04 00:08:03I would frequently see this error in my own logs using the default update time of 3 minutes past midnight and 12:03 PM. Using the new option added in the 2.5.9 update that allows choosing other update times, I've eliminated this error by moving my updates to 1:00 AM and 1:00 PM. My guess is maybe the default time is frequently hitting some maintenance or backup process on the rules update server at Snort.org. I don't have anything to backup that supposition, but I can say that after moving my times to an hour later I have not had the issue happen again.
As for reordering the logs, I can take a look. It would complicate the code because now it just appends to the end of the file. The viewer is just a simple file reader (actually it just copies the contents into a HTML textarea object). I could add some sorting of the lines prior to display, but it will be tricky due to the formatting.
Bill
-
I repro multiple snort processes on the latest 2.1 builds as well. What additional information can I provide to help debug this issue and get a solution? Thanks!
According to a post earlier in this thread, Ermal is making some changes to the 2.1 Snapshot code that are likely responsible for this behavior. It started after a Snapshot update and well after the Snort 2.5.9 package was released. I have been quite busy the past three weeks and have not had a chance to test this nor investigate in my VMware test environment. I will see if I can reproduce it.
FOLLOW UP: I had a 2.1 Snapshot VM running the July 4 code. It does not exhibit the multiple Snort processes problem. I rebooted it several times and only the correct number of Snort processes started (two on this particular VM since I have Snort instances on the WAN side and the LAN side). Others have reported the odd behavior started with the July 5 update.
Bill
-
Has anyone else been experiencing this when Snort tries to update? I been getting it for a couple of weeks now. I have set to update once per day automatically which is around midnight.. Should the update run at a different time?
I do pay the yearly subscription to snort. I just have the snort.org rules and Emerging ones enabled. I am guessing its more of an issue with snort site than the app here with pfsense. Just wondering if I was the only one seeing this.Bill would it be possible if everyone (mass population) would like it to, to have the most recent snort update entry at the top of the log rather than the bottom? Not a major issue just save me some scrolling which at times is a P.I.T.A. on a mobile device.. No worries if its left as is.. just thought I would ask.
system log
Aug 4 00:08:03 php: : [Snort] The Rules update has finished.
Aug 4 00:08:03 php: : [Snort] Emerging Threat rules are up to date…
Aug 4 00:08:02 php: : [Snort] Server returned error code '0'…
Aug 4 00:08:02 php: : [Snort] Snort VRT md5 download failed…
Aug 4 00:08:02 php: : File 'snortrules-snapshot-2946.tar.gz.md5' download attempts: 4 ...
Aug 4 00:07:47 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:07:47 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:06:32 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:06:32 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:05:17 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:05:17 php: : [Snort] Rules download error: Empty reply from server
Aug 4 00:04:02 php: : [Snort] Will retry in 15 seconds…
Aug 4 00:04:02 php: : [Snort] Rules download error: Empty reply from serverSnort update log
Starting rules update… Time: 2013-08-04 00:03:01
Downloading Snort VRT md5 file...
Snort VRT md5 download failed.
Server returned error code '0'.
Server error message was 'Empty reply from server'
Snort VRT rules will not be updated.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
Emerging Threats rules are up to date.
The Rules update has finished. Time: 2013-08-04 00:08:03I would frequently see this error in my own logs using the default update time of 3 minutes past midnight and 12:03 PM. Using the new option added in the 2.5.9 update that allows choosing other update times, I've eliminated this error by moving my updates to 1:00 AM and 1:00 PM. My guess is maybe the default time is frequently hitting some maintenance or backup process on the rules update server at Snort.org. I don't have anything to backup that supposition, but I can say that after moving my times to an hour later I have not had the issue happen again.
As for reordering the logs, I can take a look. It would complicate the code because now it just appends to the end of the file. The viewer is just a simple file reader (actually it just copies the contents into a HTML textarea object). I could add some sorting of the lines prior to display, but it will be tricky due to the formatting.
Bill
Thanks Bill! I will move the time to 1 am. I was more concerned if it was just me or if others were seeing it. I appreciate the followup on it.
On the log issue, it seems like more work than what its worth. You dont have to worry about it unless you really feel bored. lol
-
Starting rules update… Time: 2013-08-04 17:44:54
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted. Downloading...
Done downloading rules file.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
There is a new set of EmergingThreats rules posted. Downloading...
Done downloading EmergingThreats rules file.
Extracting and installing EmergingThreats.org rules...
Installation of EmergingThreats.org rules completed.
Extracting and installing Snort VRT rules...
Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
Installation of Snort VRT rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
The Rules update has finished. Time: 2013-08-04 17:45:30I did a clean install of 2.1 rc-1, i imported a backup file i had of 2.0.3 . So my issue is, the snort package runs fine but i am not getting hits on any of the rules sets. To make sure the rules are working, i do a shields up scan which usually does a few nmap scans of my machine but i dont get hits anymore. I noticed that its saying freebsd-8-1 for the precompiled instead of 8-3. so i dont know if that might have something to do with it?
-
Do you have the rules enabled? Also do you have the block detected port scans enabled? If not, Snort will not be looking for them thus not blocking them.
-
Do you have the rules enabled? Also do you have the block detected port scans enabled? If not, Snort will not be looking for them thus not blocking them.
I had the nmap rules enabled along with the portscan option on. I just uninstalled snort with the saved settings. Started fresh and is working fine now 8)
-
I noticed that its saying freebsd-8-1 for the precompiled instead of 8-3. so i dont know if that might have something to do with it?
The only precompiled rules included in current Snort.org rules are for FreeBSD 8.1. They don't provide 8.3 versions yet. However, I think it's really only the major version that matters (8.x, for example).
Bill
-
Just want to say the old bug is back again, it bans my OWN IP after a bit a while just looking some normal websites.
Getting this:
(http_inspect) IIS UNICODE CODEPOINT ENCODING - 08/05/13-22:46:05
(portscan) TCP Portsweep - 08/05/13-22:48:52
(ssp_ssl) Invalid Client HELLO after Server HELLO Detected - 08/05/13-22:55:55 -
I just tried to install snort and I am having trouble getting it to work.
I have Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned but my connections are not requiring much throughput. I have two connections and failover, one WAN is 7M downstream and 0.5 upstream, the other is even less than that, as 3G mobile signal from indoors is weak. I have currently disconnected the second one from the internet, for checking purposes, so it only talks to a small machine of mine, but I can't even enable there.
I know IDS and IPS are resource intensive but they should at least start, so that I can figure out the performance requirements.
I attach what I see. If I click the red "x" it waits about 10min (but still the firewall is passing traffic OK) with the web interface "waiting for reply", and then it reloads the page and I get exactly the same screen.
I know it says new settings won't take place until interface restarts and so I have disabled and reenabled wanmobile interface, same thing.
I wonder if I should remove package and then use a different version of snort to work with my pfSense 2.0.1 ?
Thank you so very much
-
You are trying to @daniela:
I have Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned but my connections are not requiring much throughput.
No, they are not underdimensioned, they are absolutely unfit for purpose. Stop wasting your time.
-
Thank you a lot for saving me from heartache and waste of time. I will get something else: can you advise approx CPU and RAM specs? Theoretical max throughput in the foreseeable lifetime of the box is perhaps 20M per interface (unfortunately is located in the Internet Desert and no fiber anywhere near). Also what should I expect for disk usage? I am planning to get a SSD if it does not require too much space.
I would get two such boxes, one to run Snort and the other to run Squid, do you think is the best policy or do you think better a more performing appliance and have it do both?
Low energy consumption is a big plus.
-
Thank you a lot for saving me from heartache and waste of time. I will get something else: can you advise approx CPU and RAM specs?
Do you seriously intend to use IDS? I mean, the Alix HW is perfectly fine for running normal firewall on such lines. Before investing any money into new HW, I'd suggest to maybe recycle some desktop for testing and see for yourself how it feels and how much time you have to babysit and finetune the thing? It's not set-it-and-forget-it package in any way.
-
I just tried to install snort and I am having trouble getting it to work.
I have Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned but my connections are not requiring much throughput.
I wonder if I should remove package and then use a different version of snort to work with my pfSense 2.0.1 ?Thank you so very much
Well, besides the marginal hardware issues, you will need pfSense 2.0.3 to run the latest Snort package. So the first thing I would do is upgrade to 2.0.3. After that you can try Snort again. But if you have less than 1 GB of RAM, Snort really is not for you. You need 2GB or more of RAM to run anything beyond a handful of Snort rules, though.
Bill
-
Just want to say the old bug is back again, it bans my OWN IP after a bit a while just looking some normal websites.
Getting this:
(http_inspect) IIS UNICODE CODEPOINT ENCODING - 08/05/13-22:46:05
(portscan) TCP Portsweep - 08/05/13-22:48:52
(ssp_ssl) Invalid Client HELLO after Server HELLO Detected - 08/05/13-22:55:55Is your WAN IP dynamic and frequently changing? If so it might what is causing the problem. Are you running 2.0.3 or 2.1 pfSense?
Bill
-
Thank you a lot everyone, I really appreciate.
For anyone else who may be interested or have a similar setup, Snort with lowmemory and "connectivity" inbuilt set of rules is working and being stable since 10+ hours with no perceivable slowdown even at full "speed" (if one may use the word, eh). Performance impact is not too bad (about 10% on memory and a few % on CPU, and less than a handful of extra processes) and I gave it 10MB space which is advised space for nanoBSD (may be one could increase it a little bit). Worst memory load is 57% and it's averaging about 35%, it won't melt. I decided to let it be for a while and whatever it filters and is not a false positive, I am adding to custom firewall rules. That way when I get rid of it, at least I have both learned something and improved the network a little. I got a process termination for lack of swap space, but since it did not keep happening, I think it's too amazing a miracle to tinker with, and kept my hands off it. I also realize it'd be better to reboot when doing extensive configuration changes, oh well. Also, I confirm the firewall kept working alright while enabling snort (which took about 1min per interface and I made sure to hammer the firewall).
I'll get some desktop from some closet and try Snort there, I'll activate it a couple hours a day while I am around and see what happens. I am realizing that it is not only necessary to learn Snort, but also to learn about network use of the users and what they need and use and what they don't. The users, however, seem to all have read everything about the bastard operator from hell and so don't even think of discussing needs and wishes, they also lie when asked! I am only trying to be helpful. I can't do any harm after all, I already have blocked Facebook years ago. :-D
I will move to 2.0.3, or to current version, as soon as downtime is available. I confirm to anyone on 2.0.1 that it sort of works.
-
When I disable this:
Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
Then Snort wont start. I cant find any rules that is associated with this preproc. at all.
-
When I disable this:
Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
Then Snort wont start. I cant find any rules that is associated with this preproc. at all.
There is a rule option somewhere that is dependent on the preprocessor. In the system log there should be a message with these words "snort[81145]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_64703_em0/rules/snort.rules(6050) Unknown rule option: 'dce_iface'." . Snort rules can contain all manner of special rule options, and many of these options depend on certain preprocessors being enabled. In this case, the rule option is "dce_iface". That's why it is usually best to just run all the preprocessors except maybe Sensitive Data (SDF). You never know when a rule update will suddenly enable a formerly disabled rule or include a new rule with the rule option. If you have the preprocessor disabled that some new rule depends on, then Snort will fail to start after the rule update.
If you want to disable the preprocessor anyway, then at the top of the Preprocessors tab is a check box that says "Auto-Disable Text Rules". If you check that option, then Snort will automatically disable any text rules that contain a rule option dependent upon the preprocessor you disabled. Using your example, if you check that box you should see this warning similar to this in the system log when Snort starts –
[Snort] Warning: auto-disabled 97 rules due to disabled preprocessor dependencies.It's telling you that it automatically disabled 97 rules that contained options dependent upon the DCE_RPC preprocessor. For this example, I just used the IPS Policy - Security with no Emerging Threats rules. If you have a different set of rules enabled, you will likely see a number different from 97.
I put a View button on the Preprocessors tab that is supposed to let you open and view the disabled rules, but I just found out it does not appear to be working. I will have to see why. In the meantime, you will find a text log file of the auto-disabled rules in /var/log/snort. The file will be named with the interface to make it easy to spot.
Bill
-
Thanks Bill!!
-
Thanks Bill!!
You're welcome. And by the way, I found the problem with the View button not working. A needed piece of JavaScript code got left out of the PHP page file during the last Snort package update. I've fixed it in my base code, but I will just wait until the next scheduled update to push the fix out to the production package. I'm really close to having the next update ready to go anyway.
Bill
-
In 2.1 RC1. I notice that the block list gets cleared everytime i save a setting in lets say squid. Also if i update the firewall rules on the server, it clears the list as well.
