Snort 2.9.4.6 pkg v2.6.0 Update
-
> Awesome. Thanks again for creating this package. It's a great one. What do you think will happen with Cisco's acquisition of Sourcefire? Do you think it will affect the availability of your package?
I think the general feeling is the open-source Snort software and rules will survive despite the Cisco acquisition. But nobody really knows for sure but the Cisco bosses.
One minor correction. I did not create the Snort package on pfSense. That was the work of several others in the distant past. I just sort of became the default maintainer late in 2012 when I submitted some fixes and a few new features. Thanks for the kind words, though.
Bill
-
> Thanks for the update!
> Additional to the upcoming binary update, would it be possible to make the snort2c list persist through filter_reload? pfBlocker lists, aliases, etc. persist through it, why doesn't snort2c?
Aliases live in the config.xml file and might be reloaded on a filter reload call. Don't know for sure, though. I can look through the pfBlocker package code and see where it stores its block list and how it protects it.
Bill
-
Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?
-
Well - If the Cisco acquisition of SNORT affects things and 90% or so of the group goes with Cisco, then get a new group. Call it something else and continue on. SNIFF (TM) is a good name…
And if the band you're in starts playing different tunes...
-
> Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?
No I don't, but I also don't think it is necessarily on a regularly scheduled basis. I really don't know much about that process. Guess I need to dig in and learn.
Bill
-
I get this when trying to upgrade a 2.0.3 box…
Beginning package installation for snort...
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.12.tbz ... (extracting)
Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
of barnyard2-1.12 failed!
Installation aborted.
Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.5.30...done.
Starting package deletion for barnyard2-1.12...done.
Starting package deletion for libnet11-1.1.6,1...done.
Skipping package deletion for libdnet-1.11_3 because it is a dependency.
Starting package deletion for libpcap-1.3.0...done.
Starting package deletion for daq-2.0.0...done.
Starting package deletion for snort-2.9.4.6...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.
Installation halted.
-
Supermule, how much do you pay for your connection a month or do you work at an ISP? That speed is nuts.
-
:D That is what I offer to my clients in my VDI environment.
All sitting on 10Gbit backbone direct to the internet exchange :)
> Supermule, how much do you pay for your connection a month or do you work at an ISP? That speed is nuts.
-
> I get this when trying to upgrade a 2.0.3 box…
> Beginning package installation for snort...
> Downloading package configuration file... done.
> Saving updated package information... done.
> Downloading snort and its dependencies...
> Checking for package installation...
> Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
> of barnyard2-1.12 failed!...
> Installation aborted.
> Backing up libraries...
> Cleaning up... Failed to install package.
> Installation halted.
jimp mentioned in an e-mail exchange with me that the 2.0.3 package builders had some issues with updates to the Ports. That's why the rollout of the updated binary was delayed a bit. Looks like the builder used a newer MySQL client package (5.5.33 instead of 5.5.30) than what is specified in the pkg_config.8.xml file. I'll pass this along to jimp. He should be able to fix it up easy enough.
I looked at files.pfsense.org and MySQL client packages are there for 5.5.30, 5.5.32, and 5.5.34. But no version 5.5.33, so something must have gone weird with the package builder. The pfSense guys should be able to get it sorted out. I've sent a note to them alerting them of the issue.
Bill
-
Damn nice Bill!!
-
Pls. notify when package is ready to install :)
-
> Pls. notify when package is ready to install :)
Got a reply back from jimp. He says it should be OK now. Give it a try and let me know if you still have problems.
Bill
-
Its running and blocking!!
THAAAAAAAAAAAAAAAAAANK YOU!! :-*
-
> It's running and blocking!!
> THAAAAAAAAAAAAAAAAAANK YOU!! :-*
OK! Thanks for the feedback.
There is one small bug uncovered thus far with the new FQDN Alias support. I worked that one with another user who successfully tested a fix. I will hold up pushing out that update while I wait to see if anything else surfaces. That bug is sort of minor and only affects folks using the FQDN Alias with a particular configuration.
Bill
-
No worries! I will provide feedback asap if something pops up!
-
Thanks for the updates/fixes Bill!! Snort is running pretty smooth and no dup processes =D
-
Updated fine a few days ago, but today Snort won't start on all of my three interfaces.
All interfaces get the same fatal error:
FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_35802_em2/snort.conf(194) => Invalid port number.
pfSense 2.1 i386 snort 2.9.4.6 pkg v2.60
Reinstalling the package gives the same error.
-
> Updated fine a few days ago, but today Snort won't start on all of my three interfaces.
> All interfaces get the same fatal error:
> FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_35802_em2/snort.conf(194) => Invalid port number.
> pfSense 2.1 i386 snort 2.9.4.6 pkg v2.60
> Reinstalling the package gives the same error.
Sounds like maybe something is corrupted in your configuration. Get a console prompt and open that file in vi. Go to line 194 and see what is shown. Post the results back if you can. The error message gives the offending line number in the text. It is 194 in this case. Did you make any changes to the configuration or edit any Aliases that may be referenced in Snort?
Bill
-
No, no changes. Even put back the backup from a day before, same problems.
Here are the lines at #194 (all interfaces hang at the same line):
Line 194 is in bold:
preprocessor ftp_telnet_protocol: ftp server default
....
....
cmd_validity STRU < char FRP >
cmd_validity ALLO < int [ char R int ] >
cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >
cmd_validity PORT < host_port >
preprocessor ftp_telnet_protocol: ftp client default
max_resp_len 256
bounce yes
ignore_telnet_erase_cmds yes
telnet_cmds yes
-
Ok, found the problem… (Thanks for hinting me about the aliases)
In v2.0.3 I added the FTP ports alias:
20,21 AND 15002:15018
That last one (with the semicolon) isn't supported anymore for the FTP preprocessor in the last version of the Snort package(?).
After removing the port range the interfaces all started again.
-
> Ok, found the problem… (Thanks for hinting me about the aliases)
> In v2.0.3 I added the FTP ports alias:
> 20,21 AND 15002:15018
> That last one (with the semicolon) isn't supported anymore for the FTP preprocessor in the last version of the Snort package(?).
> After removing the port range the interfaces all started again.
Probably my bad with the last update. The port range should work. Post back exactly what your Alias looks like and let me reproduce the condition in my test VMs so I can fix it.
Thanks for reporting it,
Bill
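The alias-to-preprocessor translation this exchange is about, as an added example (not the pfSense Snort package's own code): expand a pfSense Ports alias that contains a lo:hi range into the single ports the ftp_telnet "ftp server" block takes, and reject malformed entries before they reach snort.conf. The `ports { ... }` layout is assumed from the stock snort.conf, and the alias string is constructed.

```python
import re

# Alias text as a user would type it into a pfSense Ports alias (constructed
# sample, shaped like the thread's report: two single ports plus one range).
SAMPLE_ALIAS = "20, 21, 15002:15018"


def expand_port_alias(alias_text):
    """Expand a pfSense Ports alias into a sorted list of individual ports.

    Accepts comma- or whitespace-separated entries and "lo:hi" ranges, and
    raises ValueError for anything that is not a port in 1..65535, so a bad
    alias is caught here instead of surfacing at Snort start as the bare
    "snort.conf(194) => Invalid port number".
    """
    ports = set()
    for token in re.split(r"[,\s]+", alias_text.strip()):
        if not token:
            continue
        lo, sep, hi = token.partition(":")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError("bad port token %r" % token)
        lo_i, hi_i = int(lo), (int(hi) if sep else int(lo))
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError("port range out of order or out of bounds: %r" % token)
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


def alias_is_valid(alias_text):
    """True when expand_port_alias() accepts every token of the alias."""
    try:
        expand_port_alias(alias_text)
        return True
    except ValueError:
        return False


def ftp_ports_directive(alias_text):
    """Render the ports entry for the ftp_telnet 'ftp server default' block.

    Assumption (from the stock snort.conf layout): the preprocessor takes a
    space-separated list of single ports inside braces and no lo:hi ranges,
    which is why the range must be expanded before it is written out.
    """
    return "ports { %s }" % " ".join(str(p) for p in expand_port_alias(alias_text))
```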
-
Here is the alias as attachment.
-
> Here is the alias as attachment.
Thanks for the information. It will be a few days, but I will see if I can fix this. I have some other conflicting activities the next few days.
Bill
-
Take your time. Workaround was simple. Just add the ports one by one in the alias and all was working again.
I think it is more important to fix the snort blocking issues in pfsense 2.1
-
> Take your time. Workaround was simple. Just add the ports one by one in the alias and all was working again.
> I think it is more important to fix the snort blocking issues in pfsense 2.1
Ermal has committed to take a run at that soon. He did confirm the problem is with the filter_reload() code and not in the Snort package itself. The bad news in this good news is that means an update to pfSense itself, so we are probably looking at 2.1.1 or something for the fix.
Bill
-
Then I wish they would incorporate the widescreen theme as well since it makes pfSense much better!
-
> Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?
> No I don't, but I also don't think it is necessarily on a regularly scheduled basis. I really don't know much about that process. Guess I need to dig in and learn.
> Bill
Filter reload is done every 15 mins.
From /etc/crontab :
0,15,30,45 * * * * root /etc/rc.filter_configure_sync
Each time filter_configure_sync is called, the snort2c table is cleared:
[2.1-RELEASE][root@necro.necronet.local]/root(6): pfctl -t snort2c -T show
   209.31.45.2
[2.1-RELEASE][root@necro.necronet.local]/root(7): /etc/rc.filter_configure_sync
[2.1-RELEASE][root@necro.necronet.local]/root(8): pfctl -t snort2c -T show
-
I do not have that entry in my crontab…
Checked 2 pfSense production boxes, snort is working as expected...
-
Something weird I noticed is on package 2.5.9 with 2.1 on 64, it is blocking just fine. But on 32 bit 2.6 on 2.1, I have the blocking issue where the table gets wiped. Do you still think it's the function filter reload? I thought it was a 2.1 issue, but maybe it's a 2.6 snort issue?
-
The behavior has been the same since 2.1 Snapshots. I'm running 64 bit and filter_reload will clear the snort2c table.
It's not a huge issue as the offending host will get blocked again if it tries anything fishy.
-
Are you running snort 2.5.9 or 2.6?
-
Currently 2.6.0, but also 2.5.9 and earlier before and they all behave the same in this regard.
-
I wonder what's different on mine? Can you control how often it reloads? I am seeing hundreds of blocks still in place back two weeks or more since last reboot.
-
I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money
-
> I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money
Thanks Cino. I hope those pesky multiple instances are a thing of the past… ;)
Bill
-
Snort won't start anymore after the last rules update:
snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all to see which.
-
> Snort won't start anymore after the last rules update:
> snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
> It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all to see which.
I am seeing the same thing here, though without the FATAL ERROR in the log. Snort just dies right after a rule update.
-
I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.
I disabled Emerging-botcc.rules and Snort started without any issues.
My Error was as follows:
snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
Any ideas?
Thanks
-
@BBcan17:
> I disabled Emerging-botcc.rules and Snort started without any issues.
Thank You!!
-
@BBcan17:
> I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.
> I disabled Emerging-botcc.rules and Snort started without any issues.
> My Error was as follows:
> snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
> Any ideas?
> Thanks
UPDATED INFO: After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges. The IP addresses are separated by commas followed by a space. Snort does not like that (the binary, not the package GUI). It wants the IP ranges in the brackets to be comma-delimited with no spaces. Only the ET Bot-CC file is affected. I suspect the Emerging Threats guys will quickly fix the error and post a new update.
ORIGINAL GUESS: ;)
My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules. Should get fixed quickly I would think (if I am right on the cause).
Bill
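A pre-reload check for exactly the defect described above, added here as an example (not code from the Snort package or from Emerging Threats): it scans the bracketed IP lists in rule headers, reports whitespace inside the brackets and unparseable entries with the 1-based line number Snort itself would print, and normalizes the lists so a broken rules download does not leave the sensor down. The sample rules are constructed and use documentation address ranges; rule options (after the first parenthesis) are left alone so a `pcre` character class is not mistaken for an IP list.

```python
import ipaddress
import re

SAMPLE_RULES = """\
# constructed sample rules, not from any real rule set
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"CNC example clean"; sid:9000001; rev:1;)
alert ip [192.0.2.20, 192.0.2.21, 198.51.100.0/24] any -> $HOME_NET any (msg:"CNC example broken"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp pcre with [brackets]"; pcre:"/^USER\\s+[a-z]+/"; sid:9000003; rev:1;)
"""


def _outer_lists(header):
    """Yield (start, end) slices of the top-level [...] groups in a rule header."""
    depth, start = 0, None
    for i, ch in enumerate(header):
        if ch == "[":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "]" and depth:
            depth -= 1
            if depth == 0:
                yield start, i + 1
    if depth:
        yield start, len(header)          # unbalanced "[": report the tail


def check_ip_lists(rule_text):
    """Lint IP lists; returns [(line_no, problem)], 1-based like snort.rules(266)."""
    problems = []
    for lineno, line in enumerate(rule_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = line.split("(", 1)[0]    # rule options begin at the first "("
        for s, e in _outer_lists(header):
            group = header[s:e]
            if group.count("[") != group.count("]"):
                problems.append((lineno, "unbalanced brackets in %s" % group))
            if re.search(r"\s", group):   # the ET Bot-CC ", " separator bug
                problems.append((lineno, "whitespace inside IP list %s" % group))
            for entry in re.sub(r"[\[\]!\s]", "", group).split(","):
                if not entry:
                    problems.append((lineno, "empty entry in %s" % group))
                elif not entry.startswith("$"):      # skip vars like $HOME_NET
                    try:
                        ipaddress.ip_network(entry, strict=False)
                    except ValueError:
                        problems.append((lineno, "unparseable address %r" % entry))
    return problems


def normalize_ip_lists(rule_text):
    """Return rule_text with whitespace stripped inside header IP lists only."""
    out = []
    for line in rule_text.splitlines():
        head, sep, opts = line.partition("(")
        for s, e in reversed(list(_outer_lists(head))):
            head = head[:s] + re.sub(r"\s+", "", head[s:e]) + head[e:]
        out.append(head + sep + opts)
    return "\n".join(out)
```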