Netgate Discussion Forum

    Snort adding multiple cron entries which expire blocked IPs too early

      pious_greek

      My snort rules are configured to block hosts for 7 days, however the blocked IPs are getting cleared extremely frequently, at least every 15 minutes.

      I first thought apinger alarms might be causing the filter to be reloaded, but after adjusting the alarm thresholds to eliminate this factor, I'm still having blocked IPs get cleared.

      When I look at my /etc/crontab, I see that the following entries have been added.  The first entry corresponds to 15 minutes.

      */5 * * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 1800
      2 */2 * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 86400
      2 */8 * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 345600
      2 */14 * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 604800

      When I comment out the first three lines, this issue is resolved, however when I restart pfsense, my changes are not retained.

      1. Can I safely comment out the first three snort2c expiration cron jobs above?
      2. Is there a way to retain these changes after restart?
      3. How can I fix snort to not add the additional cron jobs?

      I tried uninstalling snort, saving the configuration file, and then reinstalling snort using the saved config file.

      pfSense:  2.2-RELEASE (amd64)
      Snort:      2.9.7.0 pkg v3.2.2

        fragged

        You can delete the incorrect entries. It seems like the Snort package is not removing the old entries when you change the setting on pfSense 2.2.

          bmeeks

          I thought I had fixed that a couple of updates back.  Sounds like I need to test and be sure.

          Bill

            Beerman

            Same here…

            
            2       */2     *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 86400
            2       */8     *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 345600
            */2     *       *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 900
            
            

            It's useless to delete the old entries, because after changing the Snort config all entries are back.  :(

            (Snort 2.9.7.0 pkg v3.2.2)

              bmeeks

              @Beerman:

              Same here…

              
              2       */2     *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 86400
              2       */8     *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 345600
              */2     *       *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 900
              
              

              It's useless to delete the old entries, because after changing the Snort config all entries are back.  :(

              (Snort 2.9.7.0 pkg v3.2.2)

              Sorry about this.  It appears to be a regression bug.  You are correct that each time you save a change to the Snort config, it will create a new cron task entry.  However, if you delete the extras and then don't make another change, it should stay at just one task.  The numbers on the end are the expire time in seconds.

              I will see about fixing this soon.

              Bill
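
The following is an added example, not part of the original posts or of the Snort package: a shell check that reads a crontab on standard input, lists the active snort2c expire jobs, and flags duplicates, since the job with the smallest expire value clears blocked hosts first. The function names are hypothetical, and the sample crontab reproduces the four entries quoted in the first post.

```shell
#!/bin/sh
# Added example: audit a crontab for duplicate snort2c expire jobs.

# Constructed sample: the four entries quoted in the first post of this thread.
sample_crontab() {
    cat <<'EOF'
*/5 * * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 1800
2 */2 * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 86400
2 */8 * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 345600
2 */14 * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 604800
EOF
}

# Read a system crontab on stdin; print "<expire_seconds> <schedule>" for each
# active (not commented-out) snort2c expire job, shortest expire time first.
snort2c_expire_jobs() {
    awk '
        $1 !~ /^#/ && /pfctl/ {
            table = 0; secs = ""
            # Fields 1-5 are the schedule, 6 is the user, 7+ the command.
            for (i = 7; i < NF; i++) {
                if ($i == "-t" && $(i + 1) == "snort2c") table = 1
                if ($i == "-T" && $(i + 1) == "expire") secs = $(i + 2)
            }
            if (table && secs ~ /^[0-9]+$/) print secs, $1, $2, $3, $4, $5
        }' | sort -n
}

# Report on the jobs found on stdin. Returns 1 when more than one job exists,
# because the job with the smallest expire value removes blocked hosts first.
audit_snort2c_jobs() {
    found=$(snort2c_expire_jobs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        shortest=$(printf '%s\n' "$found" | head -n 1 | cut -d' ' -f1)
        echo "DUPLICATE: $count snort2c expire jobs, shortest expire is ${shortest}s"
        printf '%s\n' "$found"
        return 1
    fi
    echo "OK: $count snort2c expire job(s)"
}

# Demo on the constructed sample; on a firewall use: audit_snort2c_jobs < /etc/crontab
sample_crontab | audit_snort2c_jobs || true
```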

                bmeeks

                I replicated this bug in my test environment.  A fix will be submitted to the pfSense Team today for review and merge.  This will show up as Snort 2.9.7.0 pkg v3.2.3 when merged.

                Bill

                  bmeeks

                  The Pull Request containing the fix for this bug has been posted for the pfSense Team to review and merge.  Here is a link:  https://github.com/pfsense/pfsense-packages/pull/805.

                  Bill

                    Beerman

                    Thx, for the fix!  :)

                    Now, let's wait for the pfSense Team. :-P
