Netgate Discussion Forum

    Snort 2.9.4.6 pkg v2.6.0 Update

      BBcan177 Moderator

      I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.

      I disabled Emerging-botcc.rules and Snort started without any issues.

      My Error was as follows:

      snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.

      Any ideas?

      Thanks

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        priller

        @BBcan17:

        I disabled Emerging-botcc.rules and Snort started without any issues.

        Thank You!!

          bmeeks

          @BBcan17:

          I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.

          I disabled Emerging-botcc.rules and Snort started without any issues.

          My Error was as follows:

          snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.

          Any ideas?

          Thanks

          UPDATED INFO:  After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges.  The IP addresses are separated by commas followed by a space.  Snort does not like that (the binary, not the package GUI).  It wants the IP ranges in the brackets to be comma-delimited with no spaces.  Only the ET Bot-CC file is affected.  I suspect the Emerging Threats guys will quickly fix the error and post a new update.

          ORIGINAL GUESS:  ;)
          My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules.  Should get fixed quickly I would think (if I am right on the cause).

          Bill
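Added example, not part of the thread and not code from the Snort package or Emerging Threats: a pre-flight check for the formatting problem described in the post above, which finds rule headers whose bracketed address lists contain whitespace and rewrites them as comma-delimited with no spaces. The sample rules, addresses and SIDs are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample rules (documentation addresses), not the real ET Bot-CC file.
SAMPLE = """\
# constructed sample
alert ip [192.0.2.10, 192.0.2.11, 198.51.100.7] any -> $HOME_NET any (msg:"sample CnC list"; content:"a, b"; sid:1000001; rev:1;)
alert ip [192.0.2.20,192.0.2.21] any -> $HOME_NET any (msg:"sample ok"; sid:1000002; rev:1;)
"""

def header_lists(header):
    """Yield (start, end) of each top-level [...] list in a rule header."""
    depth, start = 0, 0
    for i, ch in enumerate(header):
        if ch == "[":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
            if depth == 0:
                yield start, i + 1

def find_spaced_lists(rules_text):
    """Return [(line_no, list_text)] for header lists containing whitespace."""
    hits = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, comments and disabled rules
        header = line.partition("(")[0]  # options start at the first "("
        for s, e in header_lists(header):
            if re.search(r"\s", header[s:e]):
                hits.append((no, header[s:e]))
    return hits

def normalize_rule(line):
    """Strip whitespace inside header lists only; options are left untouched."""
    header, paren, opts = line.partition("(")
    out, last = [], 0
    for s, e in header_lists(header):
        out += [header[last:s], re.sub(r"\s+", "", header[s:e])]
        last = e
    return "".join(out) + header[last:] + paren + opts

if __name__ == "__main__":
    for no, bad in find_spaced_lists(SAMPLE):
        print(f"line {no}: whitespace in address list {bad}")
```

Running the check against a downloaded rules file before it is merged into snort.rules reports the offending line numbers up front, rather than leaving them to surface as a FATAL ERROR when Snort starts.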

            val

            @bmeeks:

            @BBcan17:

            I'm running Snort 2.9.4.6 pkg v. 2.6.0 and Snort won't start on several of my pfSense boxes.

            I disabled Emerging-botcc.rules and Snort started without any issues.

            My Error was as follows:

            snort[97526]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_43799_rl0/rules/snort.rules(266) Unable to process the IP address: [103.6.207.37,.

            Any ideas?

            Thanks

            UPDATED INFO:  After looking at the new Tuesday afternoon Emerging Threats Bot-CC rules files, I see it contains an error in all of the IP address ranges.  The IP addresses are separated by commas followed by a space.  Snort does not like that (the binary, not the package GUI).  It wants the IP ranges in the brackets to be comma-delimited with no spaces.  Only the ET Bot-CC file is affected.  I suspect the Emerging Threats guys will quickly fix the error and post a new update.

            ORIGINAL GUESS:  ;)
            My guess (without looking at the particular rules file) is a typo of some sort in the updated Emerging Threats rules.  Should get fixed quickly I would think (if I am right on the cause).

            Bill

            Just an update too: right after disabling the Emerging Threats rules, Snort starts just fine.

            Intel Xeon E3-1225 V2 @ 3.20Ghz
            Intel S1200KPR server board mini-ITX
            A-data ECC 4GB x 2 1600MHz
            Intel Ethernet Server Adapter I350-T2
            Samsung 840 Pro 120GB
            Lian-Li PC-Q15B

              digdug3

              Just updated all the rules, everything is fine again.

                simby

                Hi!

                I have a problem with the time... in pfSense the clock is 7:52, on pfSense it is 6:52. Why? How can I fix this?

                  bmeeks

                  @simby:

                  Hi!

                  I have a problem with the time... in pfSense the clock is 7:52, on pfSense it is 6:52. Why? How can I fix this?

                  This is purely speculation on my part as I have no inside source of definitive data, but it looks like the Snort VRT server is routinely not available around or shortly after midnight U.S. Eastern Time.  Depending on where you are in the world, that will translate differently to your local time zone.  I know that I was regularly seeing issues doing Snort VRT updates between midnight and 1:00 AM U.S. Eastern Time.  I changed my updates to 1:30 AM U.S. Eastern Time and have not had another issue.

                  As I said, you will need to adjust your rules update taking your local time zone (and any Daylight Savings Time adjustment) into account.  The idea is to make sure you do not try to update rules between 12:00 midnight and 1:00 AM U.S. Eastern Time.

                  Bill

                    simby

                    Hi!

                    The problem is in the alert log: on pfSense the time is 4:23 and the same time in the alert log is 2:23.

                    How can i fix this?

                      bmeeks

                      @simby:

                      Hi!

                      The problem is in the alert log: on pfSense the time is 4:23 and the same time in the alert log is 2:23.

                      How can i fix this?

                      Whoa!  That is weird.  Snort does not keep its own time.  It just uses system time.  Maybe it's some kind of time zone issue ???

                      Do you have any other installed packages that log different times?  What about the firewall logs, do they show the correct time stamp, or are they off like the Snort log?

                      Bill

                        turker

                        I got this error,  what does it mean?
                        Thanks.

                        pfsense 2.1 x64

                          bmeeks

                          @turker:

                          I got this error,  what does it mean?
                          Thanks.

                          pfsense 2.1 x64

                          That would indicate that at the instant the Snort binary's output plugin attempted to call the API function to insert an IP address into the snort2c table in the packet filter engine, the engine process was not there or not where the output plugin expected it to be.  The event immediately preceding the error also gives me a clue.  It says the check_reload_status() function in pfSense is reloading the firewall filter.  That may temporarily stop and restart the processes the Snort binary plugin was trying to contact in order to insert the IP address for blocking.

                          Bill

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.