PFSense 2.2 & Snort
-
Yes, I cleared both alerts and blocked ips. Then restarted the snort service. But to no avail
-
How specifically did you add the alert to the suppress list? If you manually edited a list, then you must assign that list by name to the Snort interface on the SETTINGS tab for that interface.
The preferred method for adding an alert to the suppress list is to click the plus ( + ) icon beside the SID on the ALERTS tab in the row containing the alert. This will automatically add the rule to the active suppress list for the interface. It will also automatically create and then assign a list for the interface if none is currently configured.
Here is a link to the instructions for the ALERTS tab on the Docs wiki: https://doc.pfsense.org/index.php/Snort_alerts.
Here is a general How-To for using the Snort package: https://doc.pfsense.org/index.php/Setup_Snort_Package (this one is a little dated but only in the sense that it does not show a couple of the newest features in the package).
Bill
-
I am having a similar issue with PfSense 2.2 and Snort. I force disabled the rule and restarted Snort. I also deleted the block in the "Blocked" tab. After I restart Snort and go to a site that triggers the rule the IP gets banned again. I also tried to suppress the rule with no success. :(
I attached a screenshot with both alerts for the same rule.
-
I am having a similar issue with PfSense 2.2 and Snort. I force disabled the rule and restarted Snort. I also deleted the block in the "Blocked" tab. After I restart Snort and go to a site that triggers the rule the IP gets banned again. I also tried to suppress the rule with no success. :(
I attached a screenshot with both alerts for the same rule.
Check and see if you perhaps have some other Snort processes running that are duplicates. Run this command –
ps -ax |grep snort
and see how many Snort processes show up. There should be one and only one per configured interface. You could also stop all Snort processes in the GUI, then run this command to see if any other Snort processes show up.
One other thing to try – go to the WAN SETTINGS tab in Snort and click the View List button beside the Suppress List drop-down box. Double check that the rule GID:SID is shown in the pop-up window.
Bill
-
Same thing happens, I even fully restart the firewall. Would it be the right time to update snort to its latest version?
-
In 2.1.5 I sometimes had to stop the monitoring of the interface and then restart it. Just click the Red stop on that interface then the green start and wait for it to start and see what happens.
Hopefully that will get'r'done -
@tux:
Same thing happens, I even fully restart the firewall. Would it be the right time to update snort to its latest version?
Most definitely!!! I assumed you were on the current version. There was a bug in the older package versions that could allow creation of duplicate UUIDs if you used the GUI option to "create a new Snort interface based on this one". That could lead to the behavior you see.
The upgrade will auto-fix that problem if it exists for you.
Bill
-
bmeeks,
Thanks! That was it there was more then 1 snort process running (3 actually) and that seemed to be the culprit. After removing all of the processes and starting over it seems to be working as I would expect it to!
Thanks again for the help!
-
Hello,
I used Snort on pfSense 2.1.5 quite a while without any problems (on a Firebox X750e with HD).
For some other reason I decided to go with pfSense 2.2. I have a spare Firebox X550e, so I made a clean install (Nano) on a CF card and I made the same config like the 750e.
I did not import the settings. I want thru every relevant dialog and made the changes in the Web GUI. They both have the same config. Especially Snort config is the same.So after all, Snort is not running. I miss many WAN categories (see attachment), only a view are listed. On my other system the list there is much longer.
And Snort is not starting. Here is the log from system log:Feb 14 14:48:55 php-fpm[80731]: /index.php: Session timed out for user 'admin' from: 192.168.20.10 Feb 14 09:56:21 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:56:18 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:54:32 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ... Feb 14 09:54:27 check_reload_status: Syncing firewall Feb 14 09:52:36 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:52:31 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:52:09 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:52:02 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:49:57 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ... Feb 14 09:49:51 check_reload_status: Syncing firewall Feb 14 09:49:19 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ... Feb 14 09:49:13 check_reload_status: Syncing firewall Feb 14 09:47:05 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:47:03 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:47:01 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:46:59 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/os-windows.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/policy-social.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/protocol-icmp.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/protocol-nntp.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/protocol-other.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-apache.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-iis.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-mail.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-mysql.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-oracle.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/server-other.so... Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic detection library /usr/pbi/snort-i386/lib/snort_dynamicrules/browser-ie.so... Feb 14 09:46:39 snort[26358]: Loading all dynamic detection libs from /usr/pbi/snort-i386/lib/snort_dynamicrules... Feb 14 09:46:39 snort[26358]: Finished Loading all dynamic engine libs from /usr/pbi/snort-i386/lib/snort_dynamicengine Feb 14 09:46:39 snort[26358]: done Feb 14 09:46:39 snort[26358]: Loading dynamic engine /usr/pbi/snort-i386/lib/snort_dynamicengine/libsf_engine.so... Feb 14 09:46:39 snort[26358]: Loading all dynamic engine libs from /usr/pbi/snort-i386/lib/snort_dynamicengine... Feb 14 09:46:39 snort[26358]: Tagged Packet Limit: 256 Feb 14 09:46:39 snort[26358]: Found pid path directive (/var/run) Feb 14 09:46:34 snort[26358]: Search-Method-Optimizations = enabled Feb 14 09:46:34 snort[26358]: Maximum pattern length = 20 Feb 14 09:46:34 snort[26358]: Split Any/Any group = enabled Feb 14 09:46:34 snort[26358]: Search-Method = AC-Full-Q Feb 14 09:46:34 snort[26358]: Detection: Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 2123 2152 3386 ] Feb 14 09:46:34 snort[26358]: PortVar 'GTP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 502 ] Feb 14 09:46:34 snort[26358]: PortVar 'MODBUS_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 20000 ] Feb 14 09:46:34 snort[26358]: PortVar 'DNP3_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 6503:6504 ] Feb 14 09:46:34 snort[26358]: PortVar 'DCERPC_BRIGHTSTORE' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 2103 2105 2107 ] Feb 14 09:46:34 snort[26358]: PortVar 'DCERPC_NCACN_TCP' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 135 593 1024:65535 ] Feb 14 09:46:34 snort[26358]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 135 1024:65535 ] Feb 14 09:46:34 snort[26358]: PortVar 'DCERPC_NCACN_UDP_LONG' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 135 139 445 593 1024:65535 ] Feb 14 09:46:34 snort[26358]: PortVar 'DCERPC_NCACN_IP_LONG' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 138 1024:65535 ] Feb 14 09:46:34 snort[26358]: PortVar 'DCERPC_NCADG_IP_UDP' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 139 445 ] Feb 14 09:46:34 snort[26358]: PortVar 'DCERPC_NCACN_IP_TCP' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 111 32770:32779 ] Feb 14 09:46:34 snort[26358]: PortVar 'SUN_RPC_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 0:79 81:65535 ] Feb 14 09:46:34 snort[26358]: PortVar 'SHELLCODE_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 36 80:90 110 143 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999:10000 11371 15489 29991 33300 34412 34443:34444 41080 44440 50000 50002 51423 55555 56712 ] Feb 14 09:46:34 snort[26358]: PortVar 'FILE_DATA_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 443 465 563 636 989 992:995 7801:7802 7900:7920 ] Feb 14 09:46:34 snort[26358]: PortVar 'SSL_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 514 ] Feb 14 09:46:34 snort[26358]: PortVar 'RSH_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 513 ] Feb 14 09:46:34 snort[26358]: PortVar 'RLOGIN_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 119 ] Feb 14 09:46:34 snort[26358]: PortVar 'NNTP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 139 445 ] Feb 14 09:46:34 snort[26358]: PortVar 'SMB_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 6665:6669 7000 ] Feb 14 09:46:34 snort[26358]: PortVar 'IRC_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 79 ] Feb 14 09:46:34 snort[26358]: PortVar 'FINGER_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 113 ] Feb 14 09:46:34 snort[26358]: PortVar 'AUTH_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 5060:5061 5600 ] Feb 14 09:46:34 snort[26358]: PortVar 'SIP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 143 ] Feb 14 09:46:34 snort[26358]: PortVar 'IMAP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 110 ] Feb 14 09:46:34 snort[26358]: PortVar 'POP3_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 109 ] Feb 14 09:46:34 snort[26358]: PortVar 'POP2_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 22 ] Feb 14 09:46:34 snort[26358]: PortVar 'SSH_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 21 2100 3535 ] Feb 14 09:46:34 snort[26358]: PortVar 'FTP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 161 ] Feb 14 09:46:34 snort[26358]: PortVar 'SNMP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 23 ] Feb 14 09:46:34 snort[26358]: PortVar 'TELNET_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 1433 ] Feb 14 09:46:34 snort[26358]: PortVar 'MSSQL_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 1024:65535 ] Feb 14 09:46:34 snort[26358]: PortVar 'ORACLE_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 36 80:90 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999:10000 11371 15489 29991 33300 34412 34443:34444 41080 44440 50000 50002 51423 55555 56712 ] Feb 14 09:46:34 snort[26358]: PortVar 'HTTP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 25 465 587 691 ] Feb 14 09:46:34 snort[26358]: PortVar 'MAIL_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 25 ] Feb 14 09:46:34 snort[26358]: PortVar 'SMTP_PORTS' defined : Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: [ 53 ] Feb 14 09:46:34 snort[26358]: PortVar 'DNS_PORTS' defined : Feb 14 09:46:34 snort[26358]: Initializing Plug-ins! Feb 14 09:46:34 snort[26358]: Initializing Preprocessors! Feb 14 09:46:34 snort[26358]: Initializing Output Plugins! Feb 14 09:46:34 snort[26358]: --== Initializing Snort ==-- Feb 14 09:46:34 snort[26358]: Feb 14 09:46:34 snort[26358]: Running in IDS mode Feb 14 09:46:34 snort[26358]: Found pid path directive (/var/run) Feb 14 09:41:58 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ... Feb 14 09:41:55 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ... Feb 14 09:41:50 check_reload_status: Syncing firewall Feb 14 09:41:46 check_reload_status: Syncing firewall Feb 14 09:38:36 php-fpm[19497]: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:38:34 php-fpm[19497]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:36:57 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:36:49 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for WAN... Feb 14 09:36:48 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:36:34 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN... Feb 14 09:32:06 php-fpm[80731]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ... Feb 14 09:32:04 php-fpm[69476]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ... Feb 14 09:32:03 check_reload_status: Syncing firewall Feb 14 09:31:58 check_reload_status: Syncing firewall Feb 14 09:31:45 php-fpm[19497]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Any clue?
Some time I can see more than one Snort task and Barnyard also.Matthias
![Bildschirmfoto 2015-02-14 um 14.57.46.jpg](/public/imported_attachments/1/Bildschirmfoto 2015-02-14 um 14.57.46.jpg)
![Bildschirmfoto 2015-02-14 um 14.57.46.jpg_thumb](/public/imported_attachments/1/Bildschirmfoto 2015-02-14 um 14.57.46.jpg_thumb) -
Snort and a CF-based Nano system do not always play well together. Was your old system a full install or a Nano install. If the old system was Nano, how large was the CF card on that box?
Snort needs a fair amount of free disk space to download, unzip and install the rules. Many times there is insufficient free space on the default RAM disk volumes that a Nano install creates.
Make sure that the /tmp and /var directories have at least 100 MB of free space (preferably 200 MB).
Bill
-
Thank you for your answer.
Here are the facts:
Filesystem Size Used Avail Capacity Mounted on /dev/ufs/pfsense0 1.8G 295M 1.4G 17% / devfs 1.0K 1.0K 0B 100% /dev /dev/ufs/cf 49M 1.4M 44M 3% /cf /dev/md0 38M 680K 35M 2% /tmp /dev/md1 58M 18M 35M 34% /var devfs 1.0K 1.0K 0B 100% /var/dhcpd/dev
It should be sufficient, or?
-
Thank you for your answer.
Here are the facts:
Filesystem Size Used Avail Capacity Mounted on /dev/ufs/pfsense0 1.8G 295M 1.4G 17% / devfs 1.0K 1.0K 0B 100% /dev /dev/ufs/cf 49M 1.4M 44M 3% /cf /dev/md0 38M 680K 35M 2% /tmp /dev/md1 58M 18M 35M 34% /var devfs 1.0K 1.0K 0B 100% /var/dhcpd/dev
It should be sufficient, or?
No, your /tmp and /var partitions are probably too small depending on the exact number of rules you have. You want at least 100 MB available and you are showing only 35 MB available.
Bill