Netgate Discussion Forum

    Snort 2.9.6.0 pkg v3.0.7 Update – Release Notes

    pfSense Packages
    • bmeeks

      @marcelloc:

      Sure. After checking Auto Rule Disable service started.

      It's a clean Snort installation with few steps to get started. I'll find the rule/preprocessor that is not configured.

      I have this file created with no content: /var/log/snort/WAN_disabled_preproc_rules.log

      After unselecting Auto Rule Disable and saving again (without any rule or preprocessor change) I could stop and start the service.

      Not sure what happened but it's working now.

      It's strange that the file is empty. It should have contained the particular preprocessor and rule(s) that caused the error.

      Glad it's working OK now.

      Bill

      • bmeeks

        @marcelloc:

        Sure. After checking Auto Rule Disable service started.

        It's a clean Snort installation with few steps to get started. I'll find the rule/preprocessor that is not configured.

        I have this file created with no content: /var/log/snort/WAN_disabled_preproc_rules.log

        After unselecting Auto Rule Disable and saving again (without any rule or preprocessor change) I could stop and start the service.

        Not sure what happened but it's working now.

        I need to check that the initial Rules Package download is working correctly when installing or reinstalling the package.  Might be an issue lurking in there that only pops up during the installation process.

        Bill

        • armouredking

          Still getting sig-ref errors with the update.

          
          Apr 29 18:12:00	barnyard2[11981]: database: Closing connection to database "snorby"
          Apr 29 18:11:59	barnyard2[11981]: Barnyard2 exiting
          Apr 29 18:11:59	barnyard2[11981]: FATAL ERROR: database mysql_error: Duplicate entry '7142-1' for key 'PRIMARY' SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('2627','7142','1');]
          Apr 29 18:11:43	barnyard2[11981]: Writing PID "11981" to file "/var/run/barnyard2_igb151284.pid"
          Apr 29 18:11:43	barnyard2[11981]: PID path stat checked out ok, PID path set to /var/run
          
          

          Tried to startup WAN and LAN. One interface will run but not the other; same as before. I wiped the DB and tried again with same result.

          Edit: I uninstalled and reinstalled Snort. For at least the last 10 mins the DB is running; it threw a few errors but it still shows as enabled on status and logs haven't shown a connection close yet. Logs below for reference if they mean anything:

          
          Apr 29 19:19:20	barnyard2[36286]: Waiting for new data
          Apr 29 19:19:01	barnyard2[36286]: WARNING database [Database()]: Called with Event[0x1a43f00] Event Type [7] (P)acket [0x0], information has not been outputed.
          Apr 29 19:17:31	barnyard2[36286]: Opened spool file '/var/log/snort/snort_igb151284/snort_51284_igb1.u2.1398737569'
          Apr 29 19:17:31	barnyard2[36286]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/snort_igb151284/barnyard2/51284_igb1.waldo'
          Apr 29 19:17:31	barnyard2[36286]: Barnyard2 initialization completed successfully (pid=36286)
          
          

          Going to try adding another interface (for DMZ) and, I guess, see what happens.

          Edit 2: It looks like things are fine now. I don't know what / why the reinstall was required to get it up and running. Do you have a specific set idea for the sig-ref tables? I.e.: I've left the WAN sig-ref tables on, and used the checkbox for the other interfaces and it's still working. Is that a bad idea to your knowledge or does it not matter? It makes sense that as long as only one interface is using the sig-ref they shouldn't have collisions or what-not.

          • bmeeks

            @armouredking:

            Still getting sig-ref errors with the update.

            
            Apr 29 18:12:00	barnyard2[11981]: database: Closing connection to database "snorby"
            Apr 29 18:11:59	barnyard2[11981]: Barnyard2 exiting
            Apr 29 18:11:59	barnyard2[11981]: FATAL ERROR: database mysql_error: Duplicate entry '7142-1' for key 'PRIMARY' SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('2627','7142','1');]
            Apr 29 18:11:43	barnyard2[11981]: Writing PID "11981" to file "/var/run/barnyard2_igb151284.pid"
            Apr 29 18:11:43	barnyard2[11981]: PID path stat checked out ok, PID path set to /var/run
            
            

            Tried to startup WAN and LAN. One interface will run but not the other; same as before. I wiped the DB and tried again with same result.

            Edit: I uninstalled and reinstalled Snort. For at least the last 10 mins the DB is running; it threw a few errors but it still shows as enabled on status and logs haven't shown a connection close yet. Logs below for reference if they mean anything:

            
            Apr 29 19:19:20	barnyard2[36286]: Waiting for new data
            Apr 29 19:19:01	barnyard2[36286]: WARNING database [Database()]: Called with Event[0x1a43f00] Event Type [7] (P)acket [0x0], information has not been outputed.
            Apr 29 19:17:31	barnyard2[36286]: Opened spool file '/var/log/snort/snort_igb151284/snort_51284_igb1.u2.1398737569'
            Apr 29 19:17:31	barnyard2[36286]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/snort_igb151284/barnyard2/51284_igb1.waldo'
            Apr 29 19:17:31	barnyard2[36286]: Barnyard2 initialization completed successfully (pid=36286)
            
            

            Going to try adding another interface (for DMZ) and, I guess, see what happens.

            Edit 2: It looks like things are fine now. I don't know what / why the reinstall was required to get it up and running. Do you have a specific set idea for the sig-ref tables? I.e.: I've left the WAN sig-ref tables on, and used the checkbox for the other interfaces and it's still working. Is that a bad idea to your knowledge or does it not matter? It makes sense that as long as only one interface is using the sig-ref they shouldn't have collisions or what-not.

            Shouldn't matter which interface you let update the sig-ref table.  This problem with multiple processes using the same DB is a Barnyard2 issue and not just with Snort.  Hopefully the Barnyard2 developers make some changes in the future.  Simply stated, they are not accounting for the possibility of two Barnyard processes attempting to update the table at the same time.  And this updating of the sig-ref table is new in Barnyard2 1.3 as far as I can tell.  That's why this problem never surfaced before.

            Bill

            • rds_correia

              First of all, thank you very much for this snort package. Very handy.
              Second, I would just like to bring up 2 small/minor issues:
              1. Small typo in "Are you sure you want to remove all blocked hosts?  Click OK to continue or CANCLE to quit.". It is obviously CANCEL instead of CANCLE.
              2. Every time I add Snort Alerts to the Dashboard it actually gets added twice. I mean, the Snort Alerts panel shows up twice. Then when I remove it only once, actually both panels disappear.

              Other than that, this package is a life saver.
              Many thanks

              pfSense 2.2.4 running on a HP DL385 G5
              WAN bce(4) + LAN em(4) + OPTn em(4) with 10 VLANs + Snort + PPTP VPN soon to be trashed by OVPN

              • bmeeks

                @rds_correia:

                First of all, thank you very much for this snort package. Very handy.
                Second, I would just like to bring up 2 small/minor issues:
                1. Small typo in "Are you sure you want to remove all blocked hosts?  Click OK to continue or CANCLE to quit.". It is obviously CANCEL instead of CANCLE.
                2. Every time I add Snort Alerts to the Dashboard it actually gets added twice. I mean, the Snort Alerts panel shows up twice. Then when I remove it only once, actually both panels disappear.

                Other than that, this package is a life saver.
                Many thanks

                Thanks for both bug reports.  I will fix the typo.  I hate those in software, and especially in software I created… :-[

                As for the Dashboard Widget bug, I did see that in early pre-release testing and thought I had fixed it.  Here is how you can patch it up.  It will require editing a line in the /conf/config.xml file using the Diagnostics…Edit File pfSense menu option.

                1.  Make a backup of the system configuration using Diagnostics…Backup/Restore so you have a copy in case the edit below goes wrong.

                2.  Use Diagnostics…Edit File and browse to and open the file /conf/config.xml.

                3.  Scroll down in that file and find the following section (this is an example from my firewall, yours will be similar but some details may differ):

                <widgets>
                    <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col1:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:show,openvpn-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:show,traffic_graphs-container:col2:none,wake_on_lan-container:col2:none,dyn_dns_status-container:col2:none,smart_status-container:col2:none,thermal_sensors-container:col2:none,snort_alerts-container:col2:show</sequence>
                    <servicestatusfilter>routed</servicestatusfilter>
                    <widget_snort_display_lines>9</widget_snort_display_lines>
                </widgets>

                In the field, find all instances of the text "snort_alerts-container:col2:show".  Don't worry if the "col2:show" part is different.  It may show "col1" or say "closed".  Carefully delete all of these except one.  In your case, I expect you will find two entries.  Delete one of them and save the change.

                That should fix your problem.

                Bill

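The manual edit Bill describes above, done as a small script: it lists every snort_alerts-container entry in the `<sequence>` field (whatever its column or show/close state), keeps the first and drops the rest, and rewrites nothing else in the file. This is an added example, not part of the post or the pfSense package; the sample config below is constructed from the widgets block quoted above with the widget deliberately duplicated.

```python
import re

# Constructed sample modelled on the <widgets> block quoted in the post, with the
# snort_alerts widget present twice (one per column), as the reported bug produces it.
SAMPLE_CONFIG = """<pfsense>
  <widgets>
    <sequence>system_information-container:col1:show,interfaces-container:col1:show,snort_alerts-container:col2:show,log-container:col2:show,snort_alerts-container:col1:close</sequence>
    <servicestatusfilter>routed</servicestatusfilter>
    <widget_snort_display_lines>9</widget_snort_display_lines>
  </widgets>
</pfsense>
"""

SEQUENCE_RE = re.compile(r"(<sequence>)(.*?)(</sequence>)", re.DOTALL)
WIDGET = "snort_alerts-container"


def widget_entries(sequence: str, widget: str = WIDGET) -> list:
    """Every entry for <widget>, regardless of its colN / show / close suffix."""
    return [e.strip() for e in sequence.split(",")
            if e.strip().split(":")[0] == widget]


def dedupe_sequence(sequence: str, widget: str = WIDGET) -> str:
    """Keep the first entry for <widget>, drop later ones, leave all other entries in order."""
    kept, seen = [], False
    for entry in (e.strip() for e in sequence.split(",")):
        if not entry:
            continue
        if entry.split(":")[0] == widget:
            if seen:
                continue
            seen = True
        kept.append(entry)
    return ",".join(kept)


def dedupe_config(xml_text: str, widget: str = WIDGET) -> str:
    """Rewrite only the text inside <sequence>...</sequence>; every other byte is untouched."""
    return SEQUENCE_RE.sub(
        lambda m: m.group(1) + dedupe_sequence(m.group(2), widget) + m.group(3),
        xml_text, count=1)


if __name__ == "__main__":
    before = SEQUENCE_RE.search(SAMPLE_CONFIG).group(2)
    print("before:", widget_entries(before))
    fixed = dedupe_config(SAMPLE_CONFIG)
    print("after: ", widget_entries(SEQUENCE_RE.search(fixed).group(2)))
```

Run it against a copy of /conf/config.xml only after taking the backup from step 1, and review the listed entries before writing the result back.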
                • Supermule

                  I have begun to get this error with the latest release on 2.0.3

                  "(POP) No memory available for decoding. Memcap exceeded"

                  I don't know why it has begun popping up and blocking people's POP mail from external vendors. Never did it before and I haven't changed anything.

                  • BBcan177

                    @Supermule:

                    I have begun to get this error with the latest release on 2.0.3

                    "(POP) No memory available for decoding. Memcap exceeded"

                    I don't know why it has begun popping up and blocking people's POP mail from external vendors. Never did it before and I haven't changed anything.

                    Take a look at this link
                    http://manual.snort.org/node111.html

                    Apart from enabling the preprocessor (Enable POP Normalizer), I don't see any settings in the GUI to edit the "memcap". Maybe the snort conf file needs to be edited from a shell?

                    memcap <int>
                    This option determines (in bytes) the maximum amount of memory the POP preprocessor will use for decoding base64 encoded/quoted-printable/non-encoded MIME attachments/data or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB.

                    This option along with the maximum of the decoding depths will determine the POP sessions that will be decoded at any given instant. The default value for this option is 838860.

                    Note: It is suggested to set this value such that the max pop session calculated as follows is at least 1.

                    max pop session = memcap /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth or bitenc_decode_depth))

                    For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then

                    max pop session = memcap/2*65535 (max value for b64_decode_depth)

                    In case of multiple configs, the memcap of the non-default configs will be overwritten by the default config's value. Hence the user needs to define it in the default config with the new keyword disabled (used to disable POP preprocessor in a config).

                    When the memcap for decoding (memcap) is exceeded the POP preprocessor alert with sid 3 is generated (when enabled).

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

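The sizing rule quoted from the manual above, turned into a checker (an added example; not from the post, the manual or the Snort package). The 838860 default, the 3276-byte floor and the "0 means unlimited, counted as 65535" convention come from the quoted manual text; `expected_sessions`, how many POP sessions a box should decode concurrently, is an assumed site-specific input.

```python
# Constants taken from the Snort manual excerpt quoted above.
POP_MEMCAP_DEFAULT = 838860
POP_MEMCAP_MIN = 3276
UNLIMITED_DEPTH = 65535  # a decode depth of 0 means unlimited; the manual counts it as 65535


def effective_depth(depth: int) -> int:
    """Map the preprocessor's '0 = unlimited' convention onto the number the formula uses."""
    return UNLIMITED_DEPTH if depth == 0 else depth


def biggest_depth(b64=0, qp=0, uu=0, bitenc=0) -> int:
    """max of (b64_decode_depth, qp_decode_depth, uu_decode_depth, bitenc_decode_depth)."""
    return max(effective_depth(d) for d in (b64, qp, uu, bitenc))


def max_pop_sessions(memcap: int, **depths) -> float:
    """max pop session = memcap / (2 * max of the decode depths), as the manual states."""
    return memcap / (2 * biggest_depth(**depths))


def min_memcap_for(sessions: int, **depths) -> int:
    """Smallest memcap (bytes) that lets `sessions` POP sessions decode at once."""
    return max(POP_MEMCAP_MIN, sessions * 2 * biggest_depth(**depths))


def check_pop_memcap(memcap: int, expected_sessions: int = 1, **depths) -> list:
    """Findings to review before the 'Memcap exceeded' alert (sid 3) starts firing.

    expected_sessions is an assumed input (not from the manual): how many POP sessions
    this firewall should be able to decode at the same time."""
    findings = []
    if memcap < POP_MEMCAP_MIN:
        findings.append(f"memcap {memcap} is below the {POP_MEMCAP_MIN}-byte minimum")
    capacity = max_pop_sessions(memcap, **depths)
    if capacity < 1:
        findings.append(f"memcap {memcap} allows fewer than one decoded POP session")
    elif capacity < expected_sessions:
        findings.append(f"memcap decodes about {capacity:.1f} sessions; "
                        f"{expected_sessions} need {min_memcap_for(expected_sessions, **depths)} bytes")
    return findings


if __name__ == "__main__":
    print(f"default memcap decodes ~{max_pop_sessions(POP_MEMCAP_DEFAULT):.1f} "
          "POP sessions with all depths unlimited")
    print(check_pop_memcap(POP_MEMCAP_DEFAULT, expected_sessions=50))
```

With every depth left at 0 the default memcap covers only about six concurrent POP sessions, which is why a busy mail path can trip the alert without any configuration change.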
                    • Supermule

                      Thanks mate!

                      I need to disable the pop normalizer to get rid of it. It seems the def. config gets overwritten on package updates and unless being able to edit it in the GUI, I just leave it alone since it takes quite some time on 52 boxes every time… :(

                      • bmeeks

                        @Supermule:

                        Thanks mate!

                        I need to disable the pop normalizer to get rid of it. It seems the def. config gets overwritten on package updates and unless being able to edit it in the GUI, I just leave it alone since it takes quite some time on 52 boxes every time… :(

                        Yep, any hand edits to the snort.conf file are overwritten on the next save or stop/start of Snort.  I can add this parameter to the GUI and will look at doing so with the next update.

                        Bill

                        • Supermule

                          Exactly. :) It's a good idea so you won't have any trouble with any memcap triggering blocks of mail with no real scary scenarios…
