Snort 2.9.4.6 pkg v2.6.0 Update
-
Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?
No I don't, but I also don't think it is necessarily on a regularly scheduled basis. I really don't know much about that process. Guess I need to dig in and learn.
Bill
Filter reload is done every 15 mins.
From /etc/crontab :
0,15,30,45 * * * * root /etc/rc.filter_configure_sync
Each time filter_configure_sync is called, the snort2c table is cleared:
[2.1-RELEASE][root@necro.necronet.local]/root(6): pfctl -t snort2c -T show 209.31.45.2 [2.1-RELEASE][root@necro.necronet.local]/root(7): /etc/rc.filter_configure_sync [2.1-RELEASE][root@necro.necronet.local]/root(8): pfctl -t snort2c -T show
-
I do not have that entry in my crontab…
Checked 2 pfsense production boxes, snort is working as expected... -
Something weird I noticed is on package 2.5.9 with 2.1 on 64, it is blocking just fine. But on 32 bit 2.6 on 2.1, I have the blocking issue where the table gets wiped. Do you still think it's the function filter reload? I thought it was a 2.1 issue, but maybe it's a 2.6 snort issue?
-
The behavior has been the same since 2.1 Snapshots. I'm running 64 bit and filter_reload will clear the snort2c table.
It's not a huge issue as the offending host will get blocked again if it tries anything fishy.
-
Are you running snort 2.5.9 or 2.6?
-
Currently 2.6.0, but also 2.5.9 and earlier before and they all behave the same in this regard.
-
I wonder what's different on mine? Can you control how often it reloads? I am seeing hundreds of blocks still in place back two weeks or more since last reboot.
-
I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money
-
I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money
Thanks Cino. I hope those pesky multiple instances are a thing of the past… ;)
Bill
-
Snort won't start anymore after the last rules update:
snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,. [/code] It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all so see which.
-
Snort won't start anymore after the last rules update:
snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,. [/code] It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all so see which. I am seeing the same thing here tho without the FATAL ERROR in log. Snort just die right after a rule update.
-
Im running Snort 2.9.4.6 pkg v. 2.6.0 and Snort wont start on several of my pfsense boxes.
I disabled Emerging-botcc.rules and Snort started without any issues.
My Error was as follows:
snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
Any ideas?
Thanks
-
@BBcan17:
I disabled Emerging-botcc.rules and Snort started without any issues.
Thank You!!
-
@BBcan17:
Im running Snort 2.9.4.6 pkg v. 2.6.0 and Snort wont start on several of my pfsense boxes.
I disabled Emerging-botcc.rules and Snort started without any issues.
My Error was as follows:
snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
Any ideas?
Thanks
[/quote]UPDATED INFO: After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges. The IP addresses are separated by commas followed by a space. Snort does not like that (the binary, not the package GUI). It wants the IP ranges in the brackets to be comma-delimited with no spaces. Only the ET Bot-CC file is affected. I suspect the Emerging Threats guys will quickly fix the error and post a new update.
ORIGINAL GUESS: ;)
My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules. Should get fixed quickly I would think (if I am right on the cause).Bill
-
@BBcan17:
Im running Snort 2.9.4.6 pkg v. 2.6.0 and Snort wont start on several of my pfsense boxes.
I disabled Emerging-botcc.rules and Snort started without any issues.
My Error was as follows:
snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
Any ideas?
Thanks
[/quote]UPDATED INFO: After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges. The IP addresses are separated by commas followed by a space. Snort does not like that (the binary, not the package GUI). It wants the IP ranges in the brackets to be comma-delimited with no spaces. Only the ET Bot-CC file is affected. I suspect the Emerging Threats guys will quickly fix the error and post a new update.
ORIGINAL GUESS: ;)
My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules. Should get fixed quickly I would think (if I am right on the cause).Bill
Just an update too right after disable Emerging Threats rules, Snort starts just fine.
-
Just updated all the rules, everything is fine again.
-
Hi!
I have problem with time,.. in pfsense is clook 7:52 on pfsense is 6:52 Why? How can i fix this?
-
Hi!
I have problem with time,.. in pfsense is clook 7:52 on pfsense is 6:52 Why? How can i fix this?
This is purely speculation on my part as I have no inside source of definitive data, but it looks like the Snort VRT server is routinely not available around or shortly after midnight U.S. Eastern Time. Depending on where you are in the world, that will translate differently to your local time zone. I know that I was regularly seeing issues doing Snort VRT updates between midnight and 1:00 AM U.S. Eastern Time. I changed my updates to 1:30 AM U.S. Eastern Time and have not had another issue.
As I said, you will need to adjust your rules update taking your local time zone (and any Daylight Savings Time adjustment) into account. The idea is to make sure you do not try to update rules between 12:00 midnight and 1:00 AM U.S. Eastern Time.
Bill
-
Hi!
the problem in in alert log, on pfsense is time 4:23 and the same time in alet log is 2:23.
How can i fix this?
-
Hi!
the problem in in alert log, on pfsense is time 4:23 and the same time in alet log is 2:23.
How can i fix this?
Whoa! That is weird. Snort does not keep its own time. It just uses system time. Maybe it's some kind of time zone issue ???
Do you have any other installed packages that log different times? What about the firewall logs, do they show the correct time stamp, or are they off like the Snort log?
Bill