Snort Package automatically stop?!



  • Good day.
    My Snort package stops working after I add a custom list of bad IPs to the IP LIST and add them to (IP REP) for the interface.. As soon as I apply it, it stops working?.. but if I delete the list and start the service again it seems to work?



  • @jason001 said in Snort Package automatically stop?!:

    Good day.
    My Snort package stops working after I add a custom list of bad IPs to the IP LIST and add them to (IP REP) for the interface.. As soon as I apply it, it stops working?.. but if I delete the list and start the service again it seems to work?

    The solution here is pretty simple: I bet your custom Bad IP List is the problem. How do I know this? Because you say when you disable your custom IP list Snort starts.

    Your list likely has a syntax error. Have you checked the pfSense system log when you get the Snort start failure? It will tell you if Snort has issues loading your custom IP list.



  • @bmeeks said in Snort Package automatically stop?!:

    ty simple: I bet your custom Bad IP List is the problem. How do I know this? Because you say when you disable your custom IP list Snort starts.

    lol. I know it's my custom IP list!.
    but I don't know why it's not loading it?
    All seem to be in the correct format.
    Blacklisted IPS.txt



  • @jason001 said in Snort Package automatically stop?!:

    @bmeeks said in Snort Package automatically stop?!:

    ty simple: I bet your custom Bad IP List is the problem. How do I know this? Because you say when you disable your custom IP list Snort starts.

    lol. I know it's my custom IP list!.
    but I don't know why it's not loading it?
    All seem to be in the correct format.
    Blacklisted IPS.txt

    I would expect Snort to be logging an error in the pfSense system log, but you may need to go to the GLOBAL SETTINGS tab and temporarily enable the "Verbose Startup Logging" option. That will make Snort spew a ton of startup messages to the system log. You might also need to significantly increase the number of displayed entries for the system log using the Settings tab of the pfSense System Log screen.

    One possibility would be DOS line endings (carriage return and newline) in your text file versus UNIX line endings (newline only). Make sure your uploaded text file has UNIX line endings.



  • The logs say nothing about the error..



  • @jason001 said in Snort Package automatically stop?!:

    The logs say nothing about the error..

    I will try to load your list on one of my testing virtual machines to see what I can determine. Will post back the results in a bit ...



  • It works for me with one caveat. When I initially enable the IP REPUTATION preprocessor with Snort running, Snort will stop. But I can then restart it without issue. I downloaded your list and then uploaded it to a pfSense 2.4.4-p2 firewall running as a virtual machine.

    Here is your IP list uploaded (the funny prefix at the front was added by the forum here when I did a "save as" on the link you posted):

    IP Rep Blacklist File.png

    and here is the Snort Interfaces tab of the VM showing Snort's status:

    Snort Running.png



  • I do see a cosmetic issue on the IP REP tab when adding an IP blacklist or whitelist. I will get that fixed in the next update which I'm working on now. I will also look into why Snort stops when initially enabling the preprocessor. Might be that is by design within the binary as usually changing a preprocessor requires a Snort restart. If it is by design within the binary, perhaps I can make it a bit more seamless using an auto shutdown/restart sequence from the GUI when changing the preprocessor's state.



  • @bmeeks
    On my side if I restart it does nothing.. Just shows an X icon.. Like the service is not started..



  • @jason001 said in Snort Package automatically stop?!:

    @bmeeks
    On my side if I restart it does nothing.. Just shows an X icon.. Like the service is not started..

    Are you running the latest version of the package (should be 3.2.9.8_5), and what is your underlying hardware and how much RAM is installed? When you click the icon to start Snort on the INTERFACES tab you should see a little spinning gear for a few seconds and then it will either turn to a green check indicating startup success, or it will return to a red x indicating startup failure. Do you never see the spinning blue gear icon?

    My test VM is running the latest pfSense-RELEASE and the latest Snort package. It has 4GB of RAM configured.



  • Wonder when there will be a new pfSense update?

    2.4.4-RELEASE-p2 (amd64)
    I'm running Snort 3.2.9.8_4

    Hardware:
    Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
    Current: 1992 MHz, Max: 1993 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    4GB DDR3l RAM..

    I'll update Snort now..



  • Got an error, can't update..

    Upgrading pfSense-pkg-snort...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking integrity... done (0 conflicting)
    The following 1 package(s) will be affected (of 0 checked):

    Installed packages to be UPGRADED:
    pfSense-pkg-snort: 3.2.9.8_4 -> 3.2.9.8_5 [pfSense]

    Number of packages to be upgraded: 1
    [1/1] Upgrading pfSense-pkg-snort from 3.2.9.8_4 to 3.2.9.8_5...
    [1/1] Extracting pfSense-pkg-snort-3.2.9.8_5: .......... done
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    pfSense-pkg-snort-3.2.9.8_4: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.8_4/APACHE20
    pfSense-pkg-snort-3.2.9.8_4: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.8_4/LICENSE
    pfSense-pkg-snort-3.2.9.8_4: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.8_4/catalog.mk
    pkg-static: Fail to rename /var/db/snort/sidmods/.disablesid-sample.conf.EE88zIQqrT2p -> /var/db/snort/sidmods/disablesid-sample.conf:No such file or directory
    Failed



  • Had to uninstall and reinstall snort to get it to latest version



  • Those error messages are from the FreeBSD pkg utility itself and indicate something went wrong with the package file download and extraction. Those errors are not from Snort. It is not even present on the machine at that point other than as a collection of temp files being unzipped and copied to their proper locations and renamed.



  • I've solved the installation error.. just log out, log in again, delete the package and reinstall..
    I also see now that with this version of Snort the custom IP list loaded without problems!..
    Green icon..

    Thanks, I've seen a lot of IP addresses trying to access the server behind pfSense....
    wonder if there is a fail2ban package option?

    Thanks...

