Netgate Discussion Forum

Snort not working at all?

pfSense Packages
kedare

Hello,

I'm using Snort on my pfSense install (2.0.1) and it looks like it's not doing anything at all.
I can see the snort process with "top", but it doesn't consume any CPU even under high load, and doesn't detect anything after many hours (on a WAN connection). (I tried to portscan from the WAN but it doesn't detect that either.)

Here are the boot logs (doubled, I don't know why):

      Dec 20 11:13:35	snort[19362]: Found pid path directive (/var/run)
      Dec 20 11:13:35	snort[19362]: Found pid path directive (/var/run)
      Dec 20 11:13:35	snort[19362]: Running in IDS mode
      Dec 20 11:13:35	snort[19362]: Running in IDS mode
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: --== Initializing Snort ==--
      Dec 20 11:13:35	snort[19362]: --== Initializing Snort ==--
      Dec 20 11:13:35	snort[19362]: Initializing Output Plugins!
      Dec 20 11:13:35	snort[19362]: Initializing Output Plugins!
      Dec 20 11:13:35	snort[19362]: Initializing Preprocessors!
      Dec 20 11:13:35	snort[19362]: Initializing Preprocessors!
      Dec 20 11:13:35	snort[19362]: Initializing Plug-ins!
      Dec 20 11:13:35	snort[19362]: Initializing Plug-ins!
      Dec 20 11:13:35	snort[19362]: Parsing Rules file "/usr/local/etc/snort/snort_55093_em0/snort.conf"
      Dec 20 11:13:35	snort[19362]: Parsing Rules file "/usr/local/etc/snort/snort_55093_em0/snort.conf"
      Dec 20 11:13:35	snort[19362]: PortVar 'DNS_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DNS_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 53 ]
      Dec 20 11:13:35	snort[19362]: [ 53 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SMTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SMTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 25 ]
      Dec 20 11:13:35	snort[19362]: [ 25 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'MAIL_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'MAIL_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 25 143 465 691 ]
      Dec 20 11:13:35	snort[19362]: [ 25 143 465 691 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'HTTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'HTTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 80 ]
      Dec 20 11:13:35	snort[19362]: [ 80 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'ORACLE_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'ORACLE_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 1521 ]
      Dec 20 11:13:35	snort[19362]: [ 1521 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'MSSQL_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'MSSQL_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 1433 ]
      Dec 20 11:13:35	snort[19362]: [ 1433 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'TELNET_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'TELNET_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 23 ]
      Dec 20 11:13:35	snort[19362]: [ 23 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SNMP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SNMP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 161 ]
      Dec 20 11:13:35	snort[19362]: [ 161 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'FTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'FTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 21 ]
      Dec 20 11:13:35	snort[19362]: [ 21 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SSH_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SSH_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 22 ]
      Dec 20 11:13:35	snort[19362]: [ 22 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'POP2_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'POP2_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 109 ]
      Dec 20 11:13:35	snort[19362]: [ 109 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'POP3_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'POP3_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 110 ]
      Dec 20 11:13:35	snort[19362]: [ 110 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'IMAP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'IMAP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 143 ]
      Dec 20 11:13:35	snort[19362]: [ 143 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SIP_PROXY_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SIP_PROXY_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 5060:5090 16384:32768 ]
      Dec 20 11:13:35	snort[19362]: [ 5060:5090 16384:32768 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SIP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SIP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 5060:5090 16384:32768 ]
      Dec 20 11:13:35	snort[19362]: [ 5060:5090 16384:32768 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'AUTH_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'AUTH_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 113 ]
      Dec 20 11:13:35	snort[19362]: [ 113 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'FINGER_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'FINGER_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 79 ]
      Dec 20 11:13:35	snort[19362]: [ 79 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'IRC_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'IRC_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 6665:6669 7000 ]
      Dec 20 11:13:35	snort[19362]: [ 6665:6669 7000 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SMB_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SMB_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 139 445 ]
      Dec 20 11:13:35	snort[19362]: [ 139 445 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'NNTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'NNTP_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 119 ]
      Dec 20 11:13:35	snort[19362]: [ 119 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'RLOGIN_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'RLOGIN_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 513 ]
      Dec 20 11:13:35	snort[19362]: [ 513 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'RSH_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'RSH_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 514 ]
      Dec 20 11:13:35	snort[19362]: [ 514 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SSL_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SSL_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 443 465 563 636 989:990 992:995 ]
      Dec 20 11:13:35	snort[19362]: [ 443 465 563 636 989:990 992:995 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'FILE_DATA_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'FILE_DATA_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 80 110 143 ]
      Dec 20 11:13:35	snort[19362]: [ 80 110 143 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SHELLCODE_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SHELLCODE_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 0:79 81:65535 ]
      Dec 20 11:13:35	snort[19362]: [ 0:79 81:65535 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'SUN_RPC_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'SUN_RPC_PORTS' defined :
      Dec 20 11:13:35	snort[19362]: [ 111 32770:32779 ]
      Dec 20 11:13:35	snort[19362]: [ 111 32770:32779 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
      Dec 20 11:13:35	snort[19362]: [ 139 445 ]
      Dec 20 11:13:35	snort[19362]: [ 139 445 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
      Dec 20 11:13:35	snort[19362]: [ 138 1024:65535 ]
      Dec 20 11:13:35	snort[19362]: [ 138 1024:65535 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
      Dec 20 11:13:35	snort[19362]: [ 135 139 445 593 1024:65535 ]
      Dec 20 11:13:35	snort[19362]: [ 135 139 445 593 1024:65535 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
      Dec 20 11:13:35	snort[19362]: [ 135 1024:65535 ]
      Dec 20 11:13:35	snort[19362]: [ 135 1024:65535 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
      Dec 20 11:13:35	snort[19362]: [ 135 593 1024:65535 ]
      Dec 20 11:13:35	snort[19362]: [ 135 593 1024:65535 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_TCP' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_NCACN_TCP' defined :
      Dec 20 11:13:35	snort[19362]: [ 2103 2105 2107 ]
      Dec 20 11:13:35	snort[19362]: [ 2103 2105 2107 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_BRIGHTSTORE' defined :
      Dec 20 11:13:35	snort[19362]: PortVar 'DCERPC_BRIGHTSTORE' defined :
      Dec 20 11:13:35	snort[19362]: [ 6503:6504 ]
      Dec 20 11:13:35	snort[19362]: [ 6503:6504 ]
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: Detection:
      Dec 20 11:13:35	snort[19362]: Detection:
      Dec 20 11:13:35	snort[19362]: Search-Method = AC-Full-Q
      Dec 20 11:13:35	snort[19362]: Search-Method = AC-Full-Q
      Dec 20 11:13:35	snort[19362]: Found pid path directive (/var/run)
      Dec 20 11:13:35	snort[19362]: Found pid path directive (/var/run)
      Dec 20 11:13:35	snort[19362]: Tagged Packet Limit: 256
      Dec 20 11:13:35	snort[19362]: Tagged Packet Limit: 256
      Dec 20 11:13:35	snort[19362]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
      Dec 20 11:13:35	snort[19362]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
      Dec 20 11:13:35	snort[19362]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so...
      Dec 20 11:13:35	snort[19362]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so...
      Dec 20 11:13:35	snort[19362]: done
      Dec 20 11:13:35	snort[19362]: done
      Dec 20 11:13:35	snort[19362]: Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
      Dec 20 11:13:35	snort[19362]: Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
      Dec 20 11:13:35	snort[19362]: Loading all dynamic detection libs from /usr/local/etc/snort/snort_55093_em0/dynamicrules...
      Dec 20 11:13:35	snort[19362]: Loading all dynamic detection libs from /usr/local/etc/snort/snort_55093_em0/dynamicrules...
      Dec 20 11:13:35	snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicrules.
      Dec 20 11:13:35	snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicrules.
      Dec 20 11:13:35	snort[19362]: Finished Loading all dynamic detection libs from /usr/local/etc/snort/snort_55093_em0/dynamicrules
      Dec 20 11:13:35	snort[19362]: Finished Loading all dynamic detection libs from /usr/local/etc/snort/snort_55093_em0/dynamicrules
      Dec 20 11:13:35	snort[19362]: Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor...
      Dec 20 11:13:35	snort[19362]: Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor...
      Dec 20 11:13:35	snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor.
      Dec 20 11:13:35	snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor.
      Dec 20 11:13:35	snort[19362]: Finished Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor
      Dec 20 11:13:35	snort[19362]: Finished Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor
      Dec 20 11:13:35	snort[19362]: Log directory = /var/log/snort/snort_em055093
      Dec 20 11:13:35	snort[19362]: Log directory = /var/log/snort/snort_em055093
      Dec 20 11:13:35	snort[19362]: Frag3 global config:
      Dec 20 11:13:35	snort[19362]: Frag3 global config:
      Dec 20 11:13:35	snort[19362]: Max frags: 8192
      Dec 20 11:13:35	snort[19362]: Max frags: 8192
      Dec 20 11:13:35	snort[19362]: Fragment memory cap: 4194304 bytes
      Dec 20 11:13:35	snort[19362]: Fragment memory cap: 4194304 bytes
      Dec 20 11:13:35	snort[19362]: Frag3 engine config:
      Dec 20 11:13:35	snort[19362]: Frag3 engine config:
      Dec 20 11:13:35	snort[19362]: Bound Address: default
      Dec 20 11:13:35	snort[19362]: Bound Address: default
      Dec 20 11:13:35	snort[19362]: Target-based policy: BSD
      Dec 20 11:13:35	snort[19362]: Target-based policy: BSD
      Dec 20 11:13:35	snort[19362]: Fragment timeout: 60 seconds
      Dec 20 11:13:35	snort[19362]: Fragment timeout: 60 seconds
      Dec 20 11:13:35	snort[19362]: Fragment min_ttl: 1
      Dec 20 11:13:35	snort[19362]: Fragment min_ttl: 1
      Dec 20 11:13:35	snort[19362]: Fragment Anomalies: Alert
      Dec 20 11:13:35	snort[19362]: Fragment Anomalies: Alert
      Dec 20 11:13:35	snort[19362]: Overlap Limit: 0
      Dec 20 11:13:35	snort[19362]: Overlap Limit: 0
      Dec 20 11:13:35	snort[19362]: Min fragment Length: 0
      Dec 20 11:13:35	snort[19362]: Min fragment Length: 0
      Dec 20 11:13:35	snort[19362]: Stream5 global config:
      Dec 20 11:13:35	snort[19362]: Stream5 global config:
      Dec 20 11:13:35	snort[19362]: Track TCP sessions: ACTIVE
      Dec 20 11:13:35	snort[19362]: Track TCP sessions: ACTIVE
      Dec 20 11:13:35	snort[19362]: Max TCP sessions: 262144
      Dec 20 11:13:35	snort[19362]: Max TCP sessions: 262144
      Dec 20 11:13:35	snort[19362]: Memcap (for reassembly packet storage): 8388608
      Dec 20 11:13:35	snort[19362]: Memcap (for reassembly packet storage): 8388608
      Dec 20 11:13:35	snort[19362]: Track UDP sessions: ACTIVE
      Dec 20 11:13:35	snort[19362]: Track UDP sessions: ACTIVE
      Dec 20 11:13:35	snort[19362]: Max UDP sessions: 131072
      Dec 20 11:13:35	snort[19362]: Max UDP sessions: 131072
      Dec 20 11:13:35	snort[19362]: Track ICMP sessions: ACTIVE
      Dec 20 11:13:35	snort[19362]: Track ICMP sessions: ACTIVE
      Dec 20 11:13:35	snort[19362]: Max ICMP sessions: 65536
      Dec 20 11:13:35	snort[19362]: Max ICMP sessions: 65536
      Dec 20 11:13:35	snort[19362]: Track IP sessions: INACTIVE
      Dec 20 11:13:35	snort[19362]: Track IP sessions: INACTIVE
      Dec 20 11:13:35	snort[19362]: Log info if session memory consumption exceeds 1048576
      Dec 20 11:13:35	snort[19362]: Log info if session memory consumption exceeds 1048576
      Dec 20 11:13:35	snort[19362]: Send up to 0 active responses
      Dec 20 11:13:35	snort[19362]: Send up to 0 active responses
      Dec 20 11:13:35	snort[19362]: Protocol Aware Flushing: ACTIVE
      Dec 20 11:13:35	snort[19362]: Protocol Aware Flushing: ACTIVE
      Dec 20 11:13:35	snort[19362]: Maximum Flush Point: 16384
      Dec 20 11:13:35	snort[19362]: Maximum Flush Point: 16384
      Dec 20 11:13:35	snort[19362]: Stream5 TCP Policy config:
      Dec 20 11:13:35	snort[19362]: Stream5 TCP Policy config:
      Dec 20 11:13:35	snort[19362]: Bound Address: default
      Dec 20 11:13:35	snort[19362]: Bound Address: default
      Dec 20 11:13:35	snort[19362]: Reassembly Policy: BSD
      Dec 20 11:13:35	snort[19362]: Reassembly Policy: BSD
      Dec 20 11:13:35	snort[19362]: Timeout: 30 seconds
      Dec 20 11:13:35	snort[19362]: Timeout: 30 seconds
      Dec 20 11:13:35	snort[19362]: Maximum number of bytes to queue per session: 1048576
      Dec 20 11:13:35	snort[19362]: Maximum number of bytes to queue per session: 1048576
      Dec 20 11:13:35	snort[19362]: Maximum number of segs to queue per session: 2621
      Dec 20 11:13:35	snort[19362]: Maximum number of segs to queue per session: 2621
      Dec 20 11:13:35	snort[19362]: Reassembly Ports:
      Dec 20 11:13:35	snort[19362]: Reassembly Ports:
      Dec 20 11:13:35	snort[19362]: 0 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 0 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 1 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 1 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 2 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 2 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 3 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 3 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 4 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 4 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 5 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 5 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 6 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 6 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 7 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 7 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 8 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 8 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 9 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 9 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 10 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 10 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 11 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 11 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 12 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 12 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 13 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 13 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 14 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 14 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 15 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 15 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 16 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 16 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 17 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 17 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 18 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 18 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 19 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: 19 client (Footprint) server (Footprint)
      Dec 20 11:13:35	snort[19362]: additional ports configured but not printed.
      Dec 20 11:13:35	snort[19362]: additional ports configured but not printed.
      Dec 20 11:13:35	snort[19362]: Stream5 UDP Policy config:
      Dec 20 11:13:35	snort[19362]: Stream5 UDP Policy config:
      Dec 20 11:13:35	snort[19362]: Timeout: 30 seconds
      Dec 20 11:13:35	snort[19362]: Timeout: 30 seconds
      Dec 20 11:13:35	snort[19362]: Stream5 ICMP Policy config:
      Dec 20 11:13:35	snort[19362]: Stream5 ICMP Policy config:
      Dec 20 11:13:35	snort[19362]: Timeout: 30 seconds
      Dec 20 11:13:35	snort[19362]: Timeout: 30 seconds
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]:
      Dec 20 11:13:35	snort[19362]: +++++++++++++++++++++++++++++++++++++++++++++++++++
      Dec 20 11:13:35	snort[19362]: +++++++++++++++++++++++++++++++++++++++++++++++++++
      Dec 20 11:13:35	snort[19362]: Initializing rule chains...
      Dec 20 11:13:35	snort[19362]: Initializing rule chains...
      Dec 20 11:13:36	snort[19362]: 405 Snort rules read
      Dec 20 11:13:36	snort[19362]: 405 Snort rules read
      Dec 20 11:13:36	snort[19362]: 0 detection rules
      Dec 20 11:13:36	snort[19362]: 0 detection rules
      Dec 20 11:13:36	snort[19362]: 142 decoder rules
      Dec 20 11:13:36	snort[19362]: 142 decoder rules
      Dec 20 11:13:36	snort[19362]: 263 preprocessor rules
      Dec 20 11:13:36	snort[19362]: 263 preprocessor rules
      Dec 20 11:13:36	snort[19362]: 405 Option Chains linked into 1 Chain Headers
      Dec 20 11:13:36	snort[19362]: 405 Option Chains linked into 1 Chain Headers
      Dec 20 11:13:36	snort[19362]: 0 Dynamic rules
      Dec 20 11:13:36	snort[19362]: 0 Dynamic rules
      Dec 20 11:13:36	snort[19362]: +++++++++++++++++++++++++++++++++++++++++++++++++++
      Dec 20 11:13:36	snort[19362]: +++++++++++++++++++++++++++++++++++++++++++++++++++
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]: +-------------------[Rule Port Counts]---------------------------------------
      Dec 20 11:13:36	snort[19362]: +-------------------[Rule Port Counts]---------------------------------------
      Dec 20 11:13:36	snort[19362]: | tcp udp icmp ip
      Dec 20 11:13:36	snort[19362]: | tcp udp icmp ip
      Dec 20 11:13:36	snort[19362]: | src 0 0 0 0
      Dec 20 11:13:36	snort[19362]: | src 0 0 0 0
      Dec 20 11:13:36	snort[19362]: | dst 0 0 0 0
      Dec 20 11:13:36	snort[19362]: | dst 0 0 0 0
      Dec 20 11:13:36	snort[19362]: | any 405 0 0 0
      Dec 20 11:13:36	snort[19362]: | any 405 0 0 0
      Dec 20 11:13:36	snort[19362]: | nc 405 0 0 0
      Dec 20 11:13:36	snort[19362]: | nc 405 0 0 0
      Dec 20 11:13:36	snort[19362]: | s+d 0 0 0 0
      Dec 20 11:13:36	snort[19362]: | s+d 0 0 0 0
      Dec 20 11:13:36	snort[19362]: +----------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]: +----------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]: +-----------------------[detection-filter-config]------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[detection-filter-config]------------------------------
      Dec 20 11:13:36	snort[19362]: | memory-cap : 1048576 bytes
      Dec 20 11:13:36	snort[19362]: | memory-cap : 1048576 bytes
      Dec 20 11:13:36	snort[19362]: +-----------------------[detection-filter-rules]-------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[detection-filter-rules]-------------------------------
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: -------------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]: -------------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]: +-----------------------[rate-filter-config]-----------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[rate-filter-config]-----------------------------------
      Dec 20 11:13:36	snort[19362]: | memory-cap : 1048576 bytes
      Dec 20 11:13:36	snort[19362]: | memory-cap : 1048576 bytes
      Dec 20 11:13:36	snort[19362]: +-----------------------[rate-filter-rules]------------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[rate-filter-rules]------------------------------------
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: -------------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]: -------------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]: +-----------------------[event-filter-config]----------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[event-filter-config]----------------------------------
      Dec 20 11:13:36	snort[19362]: | memory-cap : 1048576 bytes
      Dec 20 11:13:36	snort[19362]: | memory-cap : 1048576 bytes
      Dec 20 11:13:36	snort[19362]: +-----------------------[event-filter-global]----------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[event-filter-global]----------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[event-filter-local]-----------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[event-filter-local]-----------------------------------
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: +-----------------------[suppression]------------------------------------------
      Dec 20 11:13:36	snort[19362]: +-----------------------[suppression]------------------------------------------
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: | none
      Dec 20 11:13:36	snort[19362]: -------------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]: -------------------------------------------------------------------------------
      Dec 20 11:13:36	snort[19362]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
      Dec 20 11:13:36	snort[19362]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
      Dec 20 11:13:36	snort[19362]: Verifying Preprocessor Configurations!
      Dec 20 11:13:36	snort[19362]: Verifying Preprocessor Configurations!
      Dec 20 11:13:36	snort[19362]: IP tracking disabled, no IP sessions allocated
      Dec 20 11:13:36	snort[19362]: IP tracking disabled, no IP sessions allocated
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]:
      Dec 20 11:13:36	snort[19362]: [ Port Based Pattern Matching Memory ]
      Dec 20 11:13:36	snort[19362]: [ Port Based Pattern Matching Memory ]
      Dec 20 11:13:36	snort[19362]: pcap DAQ configured to passive.
      Dec 20 11:13:36	snort[19362]: pcap DAQ configured to passive.
      Dec 20 11:13:36	snort[19362]: The DAQ version does not support reload.
      Dec 20 11:13:36	snort[19362]: The DAQ version does not support reload.
      Dec 20 11:13:36	snort[19362]: Acquiring network traffic from "em0".
      Dec 20 11:13:36	snort[19362]: Acquiring network traffic from "em0".
      Dec 20 11:13:36	snort[19362]: Initializing daemon mode
      Dec 20 11:13:36	snort[19362]: Initializing daemon mode
      Dec 20 11:13:36	snort[19668]: Daemon initialized, signaled parent pid: 19362
      Dec 20 11:13:36	snort[19668]: Daemon initialized, signaled parent pid: 19362
      Dec 20 11:13:36	snort[19668]: Reload thread starting...
      Dec 20 11:13:36	snort[19668]: Reload thread starting...
      Dec 20 11:13:36	snort[19668]: Reload thread started, thread 0x28c98140 (19668)
      Dec 20 11:13:36	snort[19668]: Reload thread started, thread 0x28c98140 (19668)
      Dec 20 11:13:36	snort[19668]: Decoding Ethernet
      Dec 20 11:13:36	snort[19668]: Decoding Ethernet
      Dec 20 11:13:36	snort[19668]: Checking PID path...
      Dec 20 11:13:36	snort[19668]: Checking PID path...
      Dec 20 11:13:36	snort[19668]: PID path stat checked out ok, PID path set to /var/run
      Dec 20 11:13:36	snort[19668]: PID path stat checked out ok, PID path set to /var/run
      Dec 20 11:13:36	snort[19668]: Writing PID "19668" to file "/var/run/snort_em055093.pid"
      Dec 20 11:13:36	snort[19668]: Writing PID "19668" to file "/var/run/snort_em055093.pid"
      Dec 20 11:13:36	snort[19668]:
      Dec 20 11:13:36	snort[19668]:
      Dec 20 11:13:36	snort[19668]: --== Initialization Complete ==--
      Dec 20 11:13:36	snort[19668]: --== Initialization Complete ==--
      Dec 20 11:13:36	snort[19668]: Commencing packet processing (pid=19668)
      Dec 20 11:13:36	snort[19668]: Commencing packet processing (pid=19668)
      Dec 20 10:13:37	php: /snort/snort_interfaces.php: Interface Rule START for Snort on WAN(em0)...
      

Do you have any idea how to fix this?

Thank you.
Best regards
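The startup log above already says why nothing alerts: "405 Snort rules read" but "0 detection rules", i.e. only decoder and preprocessor rules are active and no signature ruleset was loaded for em0. The script below is an added example (not from the thread or the pfSense Snort package) that parses a log in this format, collapses the doubled lines, and reports that condition; the sample lines are constructed from the post.

```python
import re

# Constructed sample, trimmed from the startup log posted above. The doubled
# lines are kept on purpose so the de-duplication step has something to do.
SAMPLE_LOG = """\
Dec 20 11:13:35\tsnort[19362]: Parsing Rules file "/usr/local/etc/snort/snort_55093_em0/snort.conf"
Dec 20 11:13:35\tsnort[19362]: Parsing Rules file "/usr/local/etc/snort/snort_55093_em0/snort.conf"
Dec 20 11:13:35\tsnort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicrules.
Dec 20 11:13:36\tsnort[19362]: 405 Snort rules read
Dec 20 11:13:36\tsnort[19362]: 405 Snort rules read
Dec 20 11:13:36\tsnort[19362]: 0 detection rules
Dec 20 11:13:36\tsnort[19362]: 142 decoder rules
Dec 20 11:13:36\tsnort[19362]: 263 preprocessor rules
Dec 20 11:13:36\tsnort[19362]: 0 Dynamic rules
Dec 20 11:13:36\tsnort[19362]: pcap DAQ configured to passive.
Dec 20 11:13:36\tsnort[19362]: Acquiring network traffic from "em0".
Dec 20 11:13:36\tsnort[19668]: Commencing packet processing (pid=19668)
"""

# syslog prefix as shown in the post: "Mon DD HH:MM:SS<tab>snort[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+snort\[(\d+)\]:\s?(.*)$")
COUNT_RE = re.compile(
    r"^(\d+) (Snort rules read|detection rules|decoder rules|"
    r"preprocessor rules|Dynamic rules)$"
)
MISSING_DIR_RE = re.compile(r"^WARNING: No dynamic libraries found in directory (\S+?)\.?$")
DAQ_RE = re.compile(r"^(\w+) DAQ configured to (\w+)\.$")
IFACE_RE = re.compile(r'^Acquiring network traffic from "([^"]+)"\.$')
PROCESSING_RE = re.compile(r"^Commencing packet processing \(pid=(\d+)\)$")


def parse_snort_startup(text):
    """Reduce a Snort startup log to the facts that decide whether it can alert at all."""
    summary = {
        "counts": {},          # rule counts by category, exactly as Snort reports them
        "missing_dirs": [],    # directories Snort warned were empty
        "daq_mode": None,      # "passive" (IDS, alert only) or "inline" (IPS)
        "interface": None,
        "processing_pid": None,
        "duplicate_lines": 0,  # consecutive verbatim repeats, as in the post above
    }
    previous = None
    for raw in text.splitlines():
        if raw == previous:    # every line in the post appears twice; count and skip
            summary["duplicate_lines"] += 1
            continue
        previous = raw
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2).strip()
        c = COUNT_RE.match(msg)
        if c:
            summary["counts"][c.group(2)] = int(c.group(1))
            continue
        d = MISSING_DIR_RE.match(msg)
        if d:
            summary["missing_dirs"].append(d.group(1))
            continue
        q = DAQ_RE.match(msg)
        if q:
            summary["daq_mode"] = q.group(2)
            continue
        i = IFACE_RE.match(msg)
        if i:
            summary["interface"] = i.group(1)
            continue
        p = PROCESSING_RE.match(msg)
        if p:
            summary["processing_pid"] = int(p.group(1))
    return summary


def diagnose(summary):
    """Turn the parsed summary into findings a pfSense admin can act on."""
    findings = []
    counts = summary["counts"]
    detection = counts.get("detection rules")
    if detection == 0:
        findings.append(
            "no detection rules loaded: all %d rules read are decoder/preprocessor rules, "
            "so only protocol-anomaly alerts can fire and no signature rule exists to match; "
            "check that a ruleset is downloaded and enabled for interface %s"
            % (counts.get("Snort rules read", 0), summary["interface"])
        )
    elif detection is None:
        findings.append("rule-count lines not found: not a complete startup log")
    for d in summary["missing_dirs"]:
        findings.append("empty rule directory %s (no shared-object rules will load)" % d)
    if summary["daq_mode"] == "passive":
        findings.append("DAQ is passive: Snort is in IDS mode and will only alert, never block")
    if summary["processing_pid"] is None:
        findings.append("no 'Commencing packet processing' line: Snort may not have started")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_snort_startup(SAMPLE_LOG)):
        print("-", finding)
```

Run it against `clog /var/log/snort/...` output or the pfSense system log; a healthy start shows a non-zero detection-rule count.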
jelcin

I have pfSense 2.02 and my Snort is not working either… I tried a pentest tool and Snort is not logging anything even though it is up and running...

Can anyone help please? I've spent hours on this problem...

Thanks
a-a-ron

I used this to get mine working yesterday.

http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense?start=2

Note: you'll want to create a new suppress file and add this to it.

#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
Supermule

I'm missing the ruleset: Snort. I have Emerging Threats running….

How do I get Snort rules?
a-a-ron

@Supermule:

I'm missing the ruleset: Snort. I have Emerging Threats running….

How do I get Snort rules?

That happened to me the first time as well.

I unchecked the ET threats box and then tried the updates again. It worked the second time with no ET.

Make sure you have your OinkID in.
Supermule

Doesn't do it here :(

OinkID is in….
Supermule

I can't for the world get it to use Snort rules!

Even if I manually copy rules to the rules folder and reboot….

It ONLY uses Emerging rules or NOTHING at all despite the rules being in the right folder.

I am going crazy about this shit....!!!!!!!!!!!
Supermule

Reinstalled Snort and began again.

Now it could DL the rules and everything is fine.

It's very sensitive to things….. :D
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.