Snort 2.9.4.6 pkg v2.6.0 Update
-
Are you running snort 2.5.9 or 2.6?
-
Currently 2.6.0, but also 2.5.9 and earlier before and they all behave the same in this regard.
-
I wonder what's different on mine? Can you control how often it reloads? I am seeing hundreds of blocks still in place back two weeks or more since last reboot.
-
I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money
-
I've had barnyard2 enabled on 4 interfaces for the last 5 days and so far so good. Everything is running good and memory usage is right on the money
Thanks Cino. I hope those pesky multiple instances are a thing of the past… ;)
Bill
-
Snort won't start anymore after the last rules update:
snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,. [/code] It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all so see which.
-
Snort won't start anymore after the last rules update:
snort[37386]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,. [/code] It seems to be one of the ET rules categories I had checked. Looks like I need to go through them all so see which. I am seeing the same thing here tho without the FATAL ERROR in log. Snort just die right after a rule update.
-
Im running Snort 2.9.4.6 pkg v. 2.6.0 and Snort wont start on several of my pfsense boxes.
I disabled Emerging-botcc.rules and Snort started without any issues.
My Error was as follows:
snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
Any ideas?
Thanks
-
@BBcan17:
I disabled Emerging-botcc.rules and Snort started without any issues.
Thank You!!
-
@BBcan17:
Im running Snort 2.9.4.6 pkg v. 2.6.0 and Snort wont start on several of my pfsense boxes.
I disabled Emerging-botcc.rules and Snort started without any issues.
My Error was as follows:
snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
Any ideas?
Thanks
[/quote]UPDATED INFO: After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges. The IP addresses are separated by commas followed by a space. Snort does not like that (the binary, not the package GUI). It wants the IP ranges in the brackets to be comma-delimited with no spaces. Only the ET Bot-CC file is affected. I suspect the Emerging Threats guys will quickly fix the error and post a new update.
ORIGINAL GUESS: ;)
My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules. Should get fixed quickly I would think (if I am right on the cause).Bill
-
@BBcan17:
Im running Snort 2.9.4.6 pkg v. 2.6.0 and Snort wont start on several of my pfsense boxes.
I disabled Emerging-botcc.rules and Snort started without any issues.
My Error was as follows:
snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.
Any ideas?
Thanks
[/quote]UPDATED INFO: After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges. The IP addresses are separated by commas followed by a space. Snort does not like that (the binary, not the package GUI). It wants the IP ranges in the brackets to be comma-delimited with no spaces. Only the ET Bot-CC file is affected. I suspect the Emerging Threats guys will quickly fix the error and post a new update.
ORIGINAL GUESS: ;)
My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules. Should get fixed quickly I would think (if I am right on the cause).Bill
Just an update too right after disable Emerging Threats rules, Snort starts just fine.
-
Just updated all the rules, everything is fine again.
-
Hi!
I have problem with time,.. in pfsense is clook 7:52 on pfsense is 6:52 Why? How can i fix this?
-
Hi!
I have problem with time,.. in pfsense is clook 7:52 on pfsense is 6:52 Why? How can i fix this?
This is purely speculation on my part as I have no inside source of definitive data, but it looks like the Snort VRT server is routinely not available around or shortly after midnight U.S. Eastern Time. Depending on where you are in the world, that will translate differently to your local time zone. I know that I was regularly seeing issues doing Snort VRT updates between midnight and 1:00 AM U.S. Eastern Time. I changed my updates to 1:30 AM U.S. Eastern Time and have not had another issue.
As I said, you will need to adjust your rules update taking your local time zone (and any Daylight Savings Time adjustment) into account. The idea is to make sure you do not try to update rules between 12:00 midnight and 1:00 AM U.S. Eastern Time.
Bill
-
Hi!
the problem in in alert log, on pfsense is time 4:23 and the same time in alet log is 2:23.
How can i fix this?
-
Hi!
the problem in in alert log, on pfsense is time 4:23 and the same time in alet log is 2:23.
How can i fix this?
Whoa! That is weird. Snort does not keep its own time. It just uses system time. Maybe it's some kind of time zone issue ???
Do you have any other installed packages that log different times? What about the firewall logs, do they show the correct time stamp, or are they off like the Snort log?
Bill
-
I got this error, what does it mean?
Thanks.pfsense 2.1 x64
-
I got this error, what does it mean?
Thanks.pfsense 2.1 x64
That would indicate that at the instant the Snort binary's output plugin attempted to call the API function to insert an IP address into the snort2c table in the packet filter engine, the engine process was not there or not where the output plugin expected it to be. The event immediately preceding the error also gives me a clue. It says the check_reload_status() function in pfSense is reloading the firewall filter. That may temporarily stop and restart the processes the Snort binary plugin was trying to contact in order to insert the IP address for blocking.
Bill