Netgate Discussion Forum

    Snort Catalog List is Truncated

      rkrenzis

      Bill,

      The list is just truncated.  I will try to perform a fresh install and re-import my configuration.  It just seems really odd.  I inspected the code that was given to the web browser and the table is really truncated.

      Is there something I can look at in regards to logs regarding this package?  Is there a FAQ I could follow?

      Thanks,

      Ryan

        bmeeks

        @rkrenzis:

        Bill,

        The list is just truncated.  I will try to perform a fresh install and re-import my configuration.  It just seems really odd.  I inspected the code that was given to the web browser and the table is really truncated.

        Is there something I can look at in regards to logs regarding this package?  Is there a FAQ I could follow?

        Thanks,

        Ryan

        The only way the table could be actually truncated is if quite a few of the rules files are actually missing.  All that code does is walk the *.rules files in the rules directory for the interface.  If the list is short and you are not getting scroll bars, then a pile of your rules files are missing.

        Go here and compare the folder contents to what is shown on the CATEGORIES tab:

        /usr/pbi/snort-amd64/etc/snort/rules  (this path assumes a 64-bit install, use snort-i386 if 32-bit)

        You should have a one-to-one correspondence between *.rules files in that folder and what is shown on the CATEGORIES tab.

        Bill

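The folder-to-tab comparison described in the post above, as an added example that is not part of the original thread or of the Snort package: a POSIX sh script that lists the *.rules files in a rules directory, pulls the file names out of text copied from the CATEGORIES tab, and reports per-column counts plus the names that are on disk but absent from the tab. The function names, the column labels, the split into columns by file-name prefix and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the Snort package's code): diff the *.rules files on disk
# against the file names copied from the CATEGORIES tab.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Column a file lands in, going by the name prefixes seen in this thread (assumed).
classify() {
    case "$1" in
        GPLv2_community.rules) echo community ;;
        emerging-*.rules)      echo et_open ;;
        snort_*.so.rules)      echo snort_so ;;
        snort_*.rules)         echo snort_text ;;
        *)                     echo other ;;
    esac
}

# Sorted basenames of the *.rules files in directory $1.
disk_rules() {
    for f in "$1"/*.rules; do
        if [ -e "$f" ]; then basename "$f"; fi
    done | sort
}

# Sorted *.rules names found in $1, a text file pasted from the tab.
gui_rules() {
    tr -s ' \t' '\n\n' < "$1" | { grep '\.rules$' || true; } | sort -u
}

# Reads names on stdin, prints one "column=count" line per column.
count_by_column() {
    while read -r name; do classify "$name"; done |
        sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# Names on disk ($1) that the pasted tab text ($2) lacks. The community file
# is skipped: the tab lists it by title, not by file name.
missing_from_gui() {
    d=$(mktemp "${TMPDIR:-/tmp}/disk.XXXXXX")
    g=$(mktemp "${TMPDIR:-/tmp}/gui.XXXXXX")
    disk_rules "$1" | { grep -v '^GPLv2_community\.rules$' || true; } > "$d"
    gui_rules "$2" > "$g"
    comm -23 "$d" "$g"
    rm -f "$d" "$g"
}

# Constructed sample: a few file names from the thread, two left off the tab.
make_sample() {
    s=$(mktemp -d "${TMPDIR:-/tmp}/snortcat.XXXXXX"); mkdir "$s/rules"
    for n in GPLv2_community.rules VRT-License.txt emerging-activex.rules \
             emerging-games.rules emerging-info.rules snort_ddos.rules \
             snort_dos.so.rules snort_icmp.so.rules; do
        : > "$s/rules/$n"
    done
    printf '%s\n' 'emerging-activex.rules snort_ddos.rules snort_dos.so.rules' \
                  'emerging-games.rules' > "$s/tab.txt"
    echo "$s"
}

sample=$(make_sample)
echo "on disk:"; disk_rules "$sample/rules" | count_by_column
echo "on tab:";  gui_rules "$sample/tab.txt" | count_by_column
echo "missing from tab:"; missing_from_gui "$sample/rules" "$sample/tab.txt"
rm -rf "$sample"
```

On the firewall, call `missing_from_gui /usr/pbi/snort-amd64/etc/snort/rules tab.txt`, where `tab.txt` (a hypothetical file name) holds the text copied from the CATEGORIES tab.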
          rkrenzis

          Bill,

          Here is the directory listing.  It is significantly different from what is shown in the web browser.

          /usr/pbi/snort-amd64/etc/snort/rules(13): ls -la
          total 12878
          drwxr-xr-x  2 root  wheel    4096 Nov 13 00:03 .
          drwxr-xr-x  6 root  wheel      512 Oct 15 00:30 ..
          -rw-r--r--  1 root  wheel  1320773 Nov 13 12:03 GPLv2_community.rules
          -rw-r--r--  1 root  wheel    19574 Nov 12 00:03 VRT-License.txt
          -rw-r--r--  1 root  wheel  296128 Nov 13 00:03 emerging-activex.rules
          -rw-r--r--  1 root  wheel    36073 Nov 13 00:03 emerging-attack_response.rules
          -rw-r--r--  1 root  wheel    32294 Nov 13 00:03 emerging-botcc.portgrouped.rules
          -rw-r--r--  1 root  wheel  120454 Nov 13 00:03 emerging-botcc.rules
          -rw-r--r--  1 root  wheel    26341 Nov 13 00:03 emerging-chat.rules
          -rw-r--r--  1 root  wheel    37894 Nov 13 00:03 emerging-ciarmy.rules
          -rw-r--r--  1 root  wheel    11948 Nov 13 00:03 emerging-compromised-ips.txt
          -rw-r--r--  1 root  wheel    43665 Nov 13 00:03 emerging-compromised.rules
          -rw-r--r--  1 root  wheel  665998 Nov 13 00:03 emerging-current_events.rules
          -rw-r--r--  1 root  wheel  761360 Nov 13 00:03 emerging-deleted.rules
          -rw-r--r--  1 root  wheel    21066 Nov 13 00:03 emerging-dns.rules
          -rw-r--r--  1 root  wheel    38408 Nov 13 00:03 emerging-dos.rules
          -rw-r--r--  1 root  wheel    17339 Nov 13 00:03 emerging-drop.rules
          -rw-r--r--  1 root  wheel    3116 Nov 13 00:03 emerging-dshield.rules
          -rw-r--r--  1 root  wheel  120376 Nov 13 00:03 emerging-exploit.rules
          -rw-r--r--  1 root  wheel    11745 Nov 13 00:03 emerging-ftp.rules
          -rw-r--r--  1 root  wheel    28762 Nov 13 00:03 emerging-games.rules
          -rw-r--r--  1 root  wheel    2243 Nov 13 00:03 emerging-icmp.rules
          -rw-r--r--  1 root  wheel    2324 Nov 13 00:03 emerging-icmp_info.rules
          -rw-r--r--  1 root  wheel    2225 Nov 13 00:03 emerging-imap.rules
          -rw-r--r--  1 root  wheel    8143 Nov 13 00:03 emerging-inappropriate.rules
          -rw-r--r--  1 root  wheel  110225 Nov 13 00:03 emerging-info.rules
          -rw-r--r--  1 root  wheel  405496 Nov 13 00:03 emerging-malware.rules
          -rw-r--r--  1 root  wheel    3145 Nov 13 00:03 emerging-misc.rules
          -rw-r--r--  1 root  wheel    53475 Nov 13 00:03 emerging-mobile_malware.rules
          -rw-r--r--  1 root  wheel    30268 Nov 13 00:03 emerging-netbios.rules
          -rw-r--r--  1 root  wheel    43277 Nov 13 00:03 emerging-p2p.rules
          -rw-r--r--  1 root  wheel  238847 Nov 13 00:03 emerging-policy.rules
          -rw-r--r--  1 root  wheel    2186 Nov 13 00:03 emerging-pop3.rules
          -rw-r--r--  1 root  wheel    1963 Nov 13 00:03 emerging-rbn-malvertisers.rules
          -rw-r--r--  1 root  wheel    1934 Nov 13 00:03 emerging-rbn.rules
          -rw-r--r--  1 root  wheel    2474 Nov 13 00:03 emerging-rpc.rules
          -rw-r--r--  1 root  wheel    9401 Nov 13 00:03 emerging-scada.rules
          -rw-r--r--  1 root  wheel    88756 Nov 13 00:03 emerging-scan.rules
          -rw-r--r--  1 root  wheel    59877 Nov 13 00:03 emerging-shellcode.rules
          -rw-r--r--  1 root  wheel    3592 Nov 13 00:03 emerging-smtp.rules
          -rw-r--r--  1 root  wheel    8895 Nov 13 00:03 emerging-snmp.rules
          -rw-r--r--  1 root  wheel    3808 Nov 13 00:03 emerging-sql.rules
          -rw-r--r--  1 root  wheel    2979 Nov 13 00:03 emerging-telnet.rules
          -rw-r--r--  1 root  wheel    3583 Nov 13 00:03 emerging-tftp.rules
          -rw-r--r--  1 root  wheel  658972 Nov 13 00:03 emerging-tor.rules
          -rw-r--r--  1 root  wheel  1277850 Nov 13 00:03 emerging-trojan.rules
          -rw-r--r--  1 root  wheel    28038 Nov 13 00:03 emerging-user_agents.rules
          -rw-r--r--  1 root  wheel    7243 Nov 13 00:03 emerging-voip.rules
          -rw-r--r--  1 root  wheel  117263 Nov 13 00:03 emerging-web_client.rules
          -rw-r--r--  1 root  wheel  191974 Nov 13 00:03 emerging-web_server.rules
          -rw-r--r--  1 root  wheel  2859281 Nov 13 00:03 emerging-web_specific_apps.rules
          -rw-r--r--  1 root  wheel    8973 Nov 13 00:03 emerging-worm.rules
          -rw-r--r--  1 root  wheel    49276 Nov 12 00:03 snort_app-detect.rules
          -rw-r--r--  1 root  wheel    1061 Nov 12 00:03 snort_attack-responses.rules
          -rw-r--r--  1 root  wheel    1037 Nov 12 00:03 snort_backdoor.rules
          -rw-r--r--  1 root  wheel    1046 Nov 12 00:03 snort_bad-traffic.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_bad-traffic.so.rules
          -rw-r--r--  1 root  wheel  991486 Nov 12 00:03 snort_blacklist.rules
          -rw-r--r--  1 root  wheel    1043 Nov 12 00:03 snort_botnet-cnc.rules
          -rw-r--r--  1 root  wheel    12012 Nov 12 00:03 snort_browser-chrome.rules
          -rw-r--r--  1 root  wheel    80242 Nov 12 00:03 snort_browser-firefox.rules
          -rw-r--r--  1 root  wheel  552007 Nov 12 00:03 snort_browser-ie.rules
          -rw-r--r--  1 root  wheel    3363 Nov 12 00:04 snort_browser-ie.so.rules
          -rw-r--r--  1 root  wheel    13200 Nov 12 00:03 snort_browser-other.rules
          -rw-r--r--  1 root  wheel      521 Nov 12 00:04 snort_browser-other.so.rules
          -rw-r--r--  1 root  wheel  1280071 Nov 12 00:03 snort_browser-plugins.rules
          -rw-r--r--  1 root  wheel    3452 Nov 12 00:04 snort_browser-plugins.so.rules
          -rw-r--r--  1 root  wheel    29568 Nov 12 00:03 snort_browser-webkit.rules
          -rw-r--r--  1 root  wheel    1025 Nov 12 00:03 snort_chat.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_chat.so.rules
          -rw-r--r--  1 root  wheel    8015 Nov 12 00:03 snort_content-replace.rules
          -rw-r--r--  1 root  wheel    1025 Nov 12 00:03 snort_ddos.rules
          -rw-r--r--  1 root  wheel    23552 Nov 12 00:03 snort_deleted.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_dos.so.rules
          -rw-r--r--  1 root  wheel      811 Nov 12 00:04 snort_exploit-kit.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_exploit.so.rules
          -rw-r--r--  1 root  wheel    2090 Nov 12 00:04 snort_file-executable.so.rules
          -rw-r--r--  1 root  wheel    3619 Nov 12 00:04 snort_file-flash.so.rules
          -rw-r--r--  1 root  wheel    5281 Nov 12 00:04 snort_file-image.so.rules
          -rw-r--r--  1 root  wheel      379 Nov 12 00:04 snort_file-java.so.rules
          -rw-r--r--  1 root  wheel    4832 Nov 12 00:04 snort_file-multimedia.so.rules
          -rw-r--r--  1 root  wheel    12987 Nov 12 00:04 snort_file-office.so.rules
          -rw-r--r--  1 root  wheel    6248 Nov 12 00:04 snort_file-other.so.rules
          -rw-r--r--  1 root  wheel    1121 Nov 12 00:04 snort_file-pdf.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_icmp.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_imap.so.rules
          -rw-r--r--  1 root  wheel      281 Nov 12 00:04 snort_indicator-shellcode.so.rules
          -rw-r--r--  1 root  wheel    1723 Nov 12 00:04 snort_malware-cnc.so.rules
          -rw-r--r--  1 root  wheel    1066 Nov 12 00:04 snort_malware-other.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_misc.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_multimedia.so.rules
          -rw-r--r--  1 root  wheel    3461 Nov 12 00:04 snort_netbios.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_nntp.so.rules
          -rw-r--r--  1 root  wheel      496 Nov 12 00:04 snort_os-linux.so.rules
          -rw-r--r--  1 root  wheel    1580 Nov 12 00:04 snort_os-other.so.rules
          -rw-r--r--  1 root  wheel    24520 Nov 12 00:04 snort_os-windows.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_p2p.so.rules
          -rw-r--r--  1 root  wheel      761 Nov 12 00:04 snort_policy-social.so.rules
          -rw-r--r--  1 root  wheel    4071 Nov 12 00:04 snort_protocol-dns.so.rules
          -rw-r--r--  1 root  wheel      815 Nov 12 00:04 snort_protocol-icmp.so.rules
          -rw-r--r--  1 root  wheel      340 Nov 12 00:04 snort_protocol-nntp.so.rules
          -rw-r--r--  1 root  wheel    1071 Nov 12 00:04 snort_protocol-other.so.rules
          -rw-r--r--  1 root  wheel      709 Nov 12 00:04 snort_protocol-snmp.so.rules
          -rw-r--r--  1 root  wheel    7535 Nov 12 00:04 snort_protocol-voip.so.rules
          -rw-r--r--  1 root  wheel      262 Nov 12 00:04 snort_pua-p2p.so.rules
          -rw-r--r--  1 root  wheel      389 Nov 12 00:04 snort_server-apache.so.rules
          -rw-r--r--  1 root  wheel    1896 Nov 12 00:04 snort_server-iis.so.rules
          -rw-r--r--  1 root  wheel    2201 Nov 12 00:04 snort_server-mail.so.rules
          -rw-r--r--  1 root  wheel      430 Nov 12 00:04 snort_server-mysql.so.rules
          -rw-r--r--  1 root  wheel    1544 Nov 12 00:04 snort_server-oracle.so.rules
          -rw-r--r--  1 root  wheel    19537 Nov 12 00:04 snort_server-other.so.rules
          -rw-r--r--  1 root  wheel    2602 Nov 12 00:04 snort_server-webapp.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_smtp.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_snmp.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_specific-threats.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-activex.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-client.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-iis.so.rules
          -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-misc.so.rules

          This is a cut and paste from the screen which has the categories:

          Enabled Ruleset: Snort GPLv2 Community Rules
          Snort GPLv2 Community Rules (VRT certified)
          Enabled Ruleset: ET Open Rules Enabled Ruleset: Snort Text Rules Enabled Ruleset: Snort SO Rules
          emerging-activex.rules snort_app-detect.rules snort_bad-traffic.so.rules
          emerging-attack_response.rules snort_attack-responses.rules snort_browser-ie.so.rules
          emerging-botcc.portgrouped.rules snort_backdoor.rules snort_browser-other.so.rules
          emerging-botcc.rules snort_bad-traffic.rules snort_browser-plugins.so.rules
          emerging-chat.rules snort_blacklist.rules snort_chat.so.rules
          emerging-ciarmy.rules snort_botnet-cnc.rules snort_dos.so.rules
          emerging-compromised.rules snort_browser-chrome.rules snort_exploit-kit.so.rules
          emerging-current_events.rules snort_browser-firefox.rules snort_exploit.so.rules
          emerging-deleted.rules snort_browser-ie.rules snort_file-executable.so.rules
          emerging-dns.rules snort_browser-other.rules snort_file-flash.so.rules
          emerging-dos.rules snort_browser-plugins.rules snort_file-image.so.rules
          emerging-drop.rules snort_browser-webkit.rules snort_file-java.so.rules
          emerging-dshield.rules snort_chat.rules snort_file-multimedia.so.rules
          emerging-exploit.rules snort_content-replace.rules snort_file-office.so.rules
          emerging-ftp.rules snort_ddos.rules snort_file-other.so.rules
          emerging-games.rules snort_deleted.rules snort_file-pdf.so.rules

          ...You can see the list is truncated.

          Thoughts or ideas?

          Ryan

            bmeeks

            A few more questions for you:

            How much RAM is in this box?

            Have you looked at the system log immediately after viewing the CATEGORIES tab to see if there are any suspicious messages logged?

            Bill

              rkrenzis

              Bill,

              There is 8 GB of memory in the machine.  No error messages logged.

              Ryan

                bmeeks

                Previously, in the list of rules files you posted, the path seems a bit strange.  Here is what was posted:

                /usr/pbi/snort-amd64/etc/snort/rules**(13)**

                That part I highlighted in bold maroon seems unusual.  Is that actually part of the path, or is that just an artifact of your CLI prompt?

                I have one more thing for you to check.  In the /usr/pbi/snort-amd64/etc/snort directory you will find an additional subdirectory for each configured interface.  That subdirectory will have a UUID and the NIC name in the folder name.  Inside that directory will be another rules folder.  Compare the contents of that folder with the /usr/pbi/snort-amd64/etc/snort/rules folder.  In particular I am wondering if the contents of that folder matches what is displayed on your CATEGORIES tab.

                Bill

                  rkrenzis

                  Bill,

                  The (13) is just from the prompt in regards to history number of commands typed in for tcsh on the command line.  I forgot to trim that from my post.

                  As you can see from the command:

                  /usr/pbi/snort-amd64/etc/snort/rules(11): pwd
                  /usr/pbi/snort-amd64/etc/snort/rules
                  

                  pwd returns the path you had advised me to check.

                  In regards to the UUID/NIC name directory, the contents are:

                  /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules(37): ls -l
                  total 1148
                  -rw-r--r--  1 root  wheel        0 Nov 13 12:03 custom.rules
                  -rw-r--r--  1 root  wheel        0 Nov 13 12:03 flowbit-required.rules
                  -rw-r--r--  1 root  wheel  1170393 Nov 13 12:03 snort.rules
                  

                  pwd returns:

                  /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules(38): pwd
                  /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules
                  

                  It is significantly emptier than the other directory.  Please also note, if I go to create a new snort instance, the list is also truncated which leads me to believe it is not related to configuration or files missing.

                  Just as reference, I have deleted the package, reinstalled, tried reinstalling the package, and reinstalling the UI components.

                  Thanks,

                  Ryan

                    bmeeks

                    @rkrenzis:

                    Bill,

                    The (13) is just from the prompt in regards to history number of commands typed in for tcsh on the command line.  I forgot to trim that from my post.

                    As you can see from the command:

                    /usr/pbi/snort-amd64/etc/snort/rules(11): pwd
                    /usr/pbi/snort-amd64/etc/snort/rules
                    

                    pwd returns the path you had advised me to check.

                    In regards to the UUID/NIC name directory, the contents are:

                    /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules(37): ls -l
                    total 1148
                    -rw-r--r--  1 root  wheel        0 Nov 13 12:03 custom.rules
                    -rw-r--r--  1 root  wheel        0 Nov 13 12:03 flowbit-required.rules
                    -rw-r--r--  1 root  wheel  1170393 Nov 13 12:03 snort.rules
                    

                    pwd returns:

                    /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules(38): pwd
                    /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules
                    

                    It is significantly emptier than the other directory.  Please also note, if I go to create a new snort instance, the list is also truncated which leads me to believe it is not related to configuration or files missing.

                    Just as reference, I have deleted the package, reinstalled, tried reinstalling the package, and reinstalling the UI components.

                    Thanks,

                    Ryan

                    Sorry about sending you looking in the UUID directory.  I forgot that it will only contain three files.  That was a wild goose chase.

                    I sincerely do not know what is going on in your system.  The CATEGORIES page reads all the *.rules files in that directory into an in-memory array and then displays them in columns on the tab.

                    Are you using some kind of customized theme or have you in any other manner modified the default CSS files on the firewall?

                    Bill

                      RonpfS

                      Sometimes a reboot will fix GUI issues

                      2.4.5-RELEASE-p1 (amd64)
                      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                        rkrenzis

                        Bill,

                        I am using the stock theme (pfsense_ng).  CSS files are unmodified.

                        Ryan

                          rkrenzis

                          Ron,

                          Thanks for responding.  Reboot does not fix the behavior either.  I'm going to try a fresh install at this point.  I believe there is an issue with my install.  I will report back later this evening.

                          Thanks,

                          Ryan
