Netgate Discussion Forum

    Snort 2.9.4.6 pkg v2.6.0 Update

      digdug3

      Here is the alias as attachment.

      alias.png

        bmeeks

        @digdug3:

        Here is the alias as attachment.

        Thanks for the information.  It will be a few days, but I will see if I can fix this.  I have some other conflicting activities the next few days.

        Bill

          digdug3

          Take your time. Workaround was simple. Just add the ports one by one in the alias and all was working again.
          I think it is more important to fix the snort blocking issues in pfsense 2.1

            bmeeks

            @digdug3:

            Take your time. Workaround was simple. Just add the ports one by one in the alias and all was working again.
            I think it is more important to fix the snort blocking issues in pfsense 2.1

            Ermal has committed to take a run at that soon.  He did confirm the problem is with the filter_reload() code and not in the Snort package itself.  The bad news in this good news is that means an update to pfSense itself, so we are probably looking at 2.1.1 or something for the fix.

            Bill

              Supermule Banned

              Then I wish they would incorporate the widescreen theme as well since it makes pfSense much better!

                VoidLabs

                @bmeeks:

                @newbieuser1234:

                Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?

                No I don't, but I also don't think it is necessarily on a regularly scheduled basis.  I really don't know much about that process.  Guess I need to dig in and learn.

                Bill

                Filter reload is done every 15 mins.

                From /etc/crontab :

                
                0,15,30,45      *       *       *       *       root    /etc/rc.filter_configure_sync                                                                        
                
                

                Each time filter_configure_sync is called, the snort2c table is cleared:

                
                [2.1-RELEASE][root@necro.necronet.local]/root(6): pfctl -t snort2c -T show
                   209.31.45.2
                [2.1-RELEASE][root@necro.necronet.local]/root(7): /etc/rc.filter_configure_sync
                [2.1-RELEASE][root@necro.necronet.local]/root(8): pfctl -t snort2c -T show
                
                
                  maverick_slo

                  I do not have that entry in my crontab…
                  Checked 2 pfsense production boxes, snort is working as expected...

                    newbieuser1234

                    Something weird I noticed is on package 2.5.9 with 2.1 on 64, it is blocking just fine.  But on 32 bit 2.6 on 2.1, I have the blocking issue where the table gets wiped.  Do you still think it's the function filter reload? I thought it was a 2.1 issue, but maybe it's a 2.6 snort issue?

                      fragged

                      The behavior has been the same since 2.1 Snapshots. I'm running 64 bit and filter_reload will clear the snort2c table.

                      It's not a huge issue as the offending host will get blocked again if it tries anything fishy.

                        newbieuser1234

                        Are you running snort 2.5.9 or 2.6?

                          fragged

                          Currently 2.6.0, but also 2.5.9 and earlier before and they all behave the same in this regard.

                            newbieuser1234

                            I wonder what's different on mine? Can you control how often it reloads?  I am seeing hundreds of blocks still in place back two weeks or more since last reboot.

                              Cino

                              I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money

                                bmeeks

                                @Cino:

                                I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money

                                Thanks Cino.  I hope those pesky multiple instances are a thing of the past… ;)

                                Bill

                                  fragged

                                  Snort won't start anymore after the last rules update:

                                  
                                  snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
                                  
                                  It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all to see which.
                                  
                                    val

                                    @fragged:

                                    Snort won't start anymore after the last rules update:

                                    
                                    snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
                                    
                                    It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all to see which.
                                    
                                    I am seeing the same thing here, though without the FATAL ERROR in the log.
                                    Snort just dies right after a rule update.
                                    

                                    Intel Xeon E3-1225 V2 @ 3.20Ghz
                                    Intel S1200KPR server board mini-ITX
                                    A-data ECC 4GB x 2 1600MHz
                                    Intel Ethernet Server Adapter I350-T2
                                    Samsung 840 Pro 120GB
                                    Lian-Li PC-Q15B

                                      BBcan177 Moderator

                                      I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.

                                      I disabled Emerging-botcc.rules and Snort started without any issues.

                                      My Error was as follows:

                                      snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.

                                      Any ideas?

                                      Thanks

                                      "Experience is something you don't get until just after you need it."

                                      Website: http://pfBlockerNG.com
                                      Twitter: @BBcan177  #pfBlockerNG
                                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                        priller

                                        @BBcan17:

                                        I disabled Emerging-botcc.rules and Snort started without any issues.

                                        Thank You!!

                                          bmeeks

                                          @BBcan17:

                                          I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.

                                          I disabled Emerging-botcc.rules and Snort started without any issues.

                                          My Error was as follows:

                                          snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.

                                          Any ideas?

                                          Thanks

                                          UPDATED INFO:  After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges.  The IP addresses are separated by commas followed by a space.  Snort does not like that (the binary, not the package GUI).  It wants the IP ranges in the brackets to be comma-delimited with no spaces.  Only the ET Bot-CC file is affected.  I suspect the Emerging Threats guys will quickly fix the error and post a new update.

                                          ORIGINAL GUESS:  ;)
                                          My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules.  Should get fixed quickly I would think (if I am right on the cause).

                                          Bill
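
A pre-flight check for the failure described in the post above, as an added example that is not part of the original thread or of the Snort package: it flags active rules whose header address list contains whitespace (`[a, b]` instead of `[a,b]`) so a bad update can be caught before Snort is restarted on it. The function names, sample rules, SIDs and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag rules whose header address list contains whitespace,
# e.g. "[a, b]" instead of "[a,b]", before Snort is restarted on them.

# check_rule_ip_lists FILE...
# Prints FILE:LINE for each offending active rule; returns 1 if any found.
check_rule_ip_lists() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            # Only the rule header (text before the first "(") is checked,
            # so brackets inside options such as pcre are ignored.
            header = $0
            p = index(header, "(")
            if (p > 0) header = substr(header, 1, p - 1)
            if (header ~ /\[[^]]*[ \t][^]]*\]/) {
                printf "%s:%d\n", FILENAME, FNR
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# write_sample_rules PATH: constructed sample rules (not from the ET file).
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample
alert ip [192.0.2.10,198.51.100.7] any -> $HOME_NET any (msg:"good list"; sid:1000001; rev:1;)
alert ip [192.0.2.10, 198.51.100.7] any -> $HOME_NET any (msg:"bad list"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"brackets in option only"; pcre:"/[a b]/"; sid:1000003; rev:1;)
EOF
}

sample=$(mktemp /tmp/rules.XXXXXX)
write_sample_rules "$sample"
check_rule_ip_lists "$sample" ||
    echo "malformed address list found: keep the previous rules active"
rm -f "$sample"
```

Run against the freshly downloaded rules file, a non-zero exit status means the update should not replace the rules Snort is currently running with.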

                                            val

                                            @bmeeks:

                                            @BBcan17:

                                            I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.

                                            I disabled Emerging-botcc.rules and Snort started without any issues.

                                            My Error was as follows:

                                            snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.

                                            Any ideas?

                                            Thanks

                                            UPDATED INFO:  After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges.  The IP addresses are separated by commas followed by a space.  Snort does not like that (the binary, not the package GUI).  It wants the IP ranges in the brackets to be comma-delimited with no spaces.  Only the ET Bot-CC file is affected.  I suspect the Emerging Threats guys will quickly fix the error and post a new update.

                                            ORIGINAL GUESS:  ;)
                                            My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules.  Should get fixed quickly I would think (if I am right on the cause).

                                            Bill

                                            Just an update too: right after disabling the Emerging Threats rules, Snort starts just fine.

                                            Intel Xeon E3-1225 V2 @ 3.20Ghz
                                            Intel S1200KPR server board mini-ITX
                                            A-data ECC 4GB x 2 1600MHz
                                            Intel Ethernet Server Adapter I350-T2
                                            Samsung 840 Pro 120GB
                                            Lian-Li PC-Q15B
