Get snort back and maintained!



  • I am pretty new to PFsense and with good reason. From 2000 to 2005 I was one half of a team that built a Linux based appliance called Sabrnet. You may find the URL www.sabrnet.com in the wayback web archiver. It was almost a replica of PFsense minus a few great features PFsense has. One of the features we did have was an integrated snort service that supported rule uploads and an area to build your own rules. We supported tying the logging in with mySQL and alert parsing. Our platform was built using LFS packages and custom code we produced, along with kernel hacks to tie it to the hooks for NetFilter.

    Sabrnet died due to lack of a revenue stream, the developers went their separate ways and management dissolved. I now work for an ISP that had bought into the Sabrnet system, where we still today run a Sabrnet system as our production border security system. The systems' hardware is now 4 years old and the packages have not been kept up to date, so it is time to replace those systems. We have decided to use PFsense as the replacement. But now we see that Snort has been removed as a package (argh..), which was one of the main reasons we decided to use PFsense (not the only reason). I've been browsing through the forums and noticed a few posts where people really want Snort and/or snort back as a package and to make it stable.

    I've texted the other half of the dev team for Sabrnet and have discussed picking up the package and maintaining it out of my own greed for the package.

    I would like to see who else really wants a stable snort package and to see if a bounty can be put up to move this forward. For us to get this involved will require some beer money, if the powers that be allow us to take over this package.

    Post your bounties here.

    Cubert



  • Sounds great.  Currently the only thing that needs fixing is the screen scraping code that extracts the version information.

    There may or may not be another problem related to snort moving the download locations for the rules.  Basically all of the breakage has been due to Snort changing their download pages and html.  Maybe there is a cleaner way to glean this information from snort.org but I am not privy to it.



  • I believe the problem with the scraper is that snort.com was blocking whatever http referrer header was being sent by php. If you forge the referrer then the script works.

    A bigger problem is that snort frequently fails to launch when it's started by php. I haven't looked into it yet, but the first thing I'd look at is the php timeout value.

    I've also noticed that snort dies if you load too many rules. On my server if snort used more than 400 (or so) megs of ram then it would die before it finished initializing.



  • I fixed the issue with snort dying on startup. It was a bug in snort.xml that caused snort to start twice each time you saved a preference.

    With that fixed, auto-update should work now.



  • ;D - well done. Will snort be included in the official list in the Package Manager in 1.2.1 and/or 1.3?
    What needs to be done to include it manually? Please post a well-known and working link to a working list or describe the steps. Thanks!!!

    FBI01



  • I found yet another bug related to auto-update (that makes four). I don't know how this package ever worked!

    I'll post the code as soon as I get through all these little bugs.



  • First off, Justin, thank you very much for working on this project!  Your efforts will be greatly appreciated.  I'm going to move this thread to Packages now because this doesn't fit the "bounty" criteria.  Even so, I certainly hope that all the people who have been complaining about the snort package will find it in their hearts to paypal you some money for your efforts.



  • I am not a snort complainer but I would like to be a user… I won't mind giving a small donation once it is stable!
    Thank you for your efforts!



  • Sorry, I went on vacation the last 4 days.. This is great news.. I look forward to seeing and helping get this fixed.



  • Anyone try snort2pfsense? http://www.bellera.cat/josep/snort2pfsense/

    It looks like it will work with snort on a separate server and SSH into the pfsense box… I am having trouble getting it to work.

    Are there any other alternatives to Snort? I'd hate to have to manually check logs for suspicious activity just to find out someone's trying to attack my servers...



  • What troubles? I'm also interested in snort2pfsense.



  • Snort works like a charm on pfsense 1.2.1 rc2. The whole 1.2.1 rc2 is a great release and I now run that with snort, squid/squidguard/lightsquid.

    Try it out!

