Netgate Discussion Forum
    Snort Update and Oinkmaster.conf

    pfSense Packages
    29 Posts 5 Posters 17.0k Views
    • BenKenobe

      Just re-installed Snort - hopefully it won't kill everything this time.

      Is it necessary to configure oinkmaster.conf for a pfsense install - because my rules won't update and I can't find oinkmaster.conf in any folder on my box.

      Plus I am hit by a 'you can only check for updates' once every 15 minutes message - this could be a long night

    • jamesdean

        Just tested my install of snort. Rule updates are working and are installing.

        Oinkmaster.conf ?

        You don't need to mess with anything; the snort package has custom code for snort rule updates. Just type in your oinkcode on the snort settings page, save, and click on the update rules tab.

        The 15 minute wait is imposed by snort.org; there is nothing we can do.

        James

    • BenKenobe

          It is downloading the MD5 but it goes no further…

          I was misled a little by the Snort page where I generated the code - the URLs haven't been updated and they mention Oinkmaster - this is clearly an application for a different platform.

    • dlawley

            Getting the same issue; going to snort.org, it appears that they have changed their website somewhat.

            I know it worked this morning on another install I have, but my unit at home gives me this:

            Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /usr/local/www/snort_download_rules.php on line 105

    • jamesdean

              @dlawley:


              You have an older version of the snort package. Yes, snort.org changed their URLs.

              Please reinstall.

              This question has been asked before.

              james

    • dlawley

                Yes sir, indeed. Further searching, I see it posted. Guess I was expecting pfsense to catch the update notice on the "install pkgs" screen.

                Reinstalled snort, all is good.

                thank you

    • BenKenobe

                  Uninstalled and cleaned up all old snort folders, re-installed, and am back in business.

    • jerrygoldsmith

                    I had a similar problem, and so I read this, uninstalled, rebooted, and reinstalled after reading the above post about the fixed package.

                    Took 30 minutes to update, stalled on 'extracting rules', and rebooted without warning.

                    When I try to re-update the rules, it says that it's removing TMP files, and does that without changing. Left it like that for over an hour before giving up.

                    Perhaps I'll update my snapshot, as I also don't have any system logs. (using the June 5th one)
                    "Last 100 system log entries
                    Segmentation fault (core"

    • jamesdean

                      @jerrygoldsmith:


                      Can you post your system spec and pfsense version?

                      thanx

    • jerrygoldsmith

                        @jamesdean:


                        Thank ya sir!

                        1.2.3-RC2 built on Fri Jun 5 01:10:29 EDT 2009
                        FreeBSD 7.1-RELEASE-p5 i386
                        snapshot from http://snapshots.pfsense.org/FreeBSD_RELENG_7_1/pfSense_RELENG_1_2/updates/pfSense-Full-Update-1.2.3-20090605-0110.tgz

                        Processor - VIA Samuel 2 (800 MHz)
                        RAM - 512 MB PC133

                        It's an IP3 Gateway (series 100) that I modded and loaded pfSense on about 3 months ago. I've never had a problem with it before; Snort has worked perfectly until this last week. Also, I've made no significant system changes aside from the snapshot version I updated yesterday because I thought that might help (I had run out of ideas and had some time on my hands).

                        Thank you in advance for your input.  I've seen you've been working on this a lot lately!

    • jamesdean

                          @jerrygoldsmith:


                          No problem, thanx for the feedback.

                          Your system specs are low. I still need to adjust my code for your type of system.
                          In a few hours I'll upload code to reduce system resources for users with your system specs.
                          Don't say sir to me, you make me feel old. ;)

                          thanx
                          james

    • jerrygoldsmith

                            @jamesdean:


                            Actually, I only use a few rule sets and it's worked wonderfully for the past 3 months, maybe 4. So I'm not sure the specs would be the problem unless there has been a major change in code? I thought perhaps there were some remnant files left over, and that is what was causing it to hang. But if you think it's the code I'll just wait.

                            I should have included this before, but my box only runs at about 40%-50% memory usage and 30-40% CPU usage. I use AC-sparsebands (the others usually don't let Snort start).
                            I have the following things running:
                            SSH (I'm always tunneled in, I travel for work)
                            Radius (sometimes on, usually not)
                            VN stat

                            As for 'Sir', it's a work habit. I call them 'Sir' by default so I don't accidentally call them the names I use for them in my head… :p

                            Thanks again.

    • jamesdean

                              Hey jerrygoldsmith

                              You should try "ac-bnfa", it's the best setting.
                              Hope to finish coding some time early this morning.

                              james

    • jerrygoldsmith

                                No rush dude.  I'm off work for 2 weeks so I'm just geeking out on some projects.  Thanks again for your help.

    • serialdie

                                  James,

                                  This is the same problem I had with "extracting rules"… I am using lowmem... I am going to try your suggestion... I am also interested in your new code; it might help me as well with my setup...

                                  TIA!

    • jamesdean

                                    New code going up in 10 min.

                                    Added or fixed:

                                    Hopefully improved rule extraction.

                                    Advanced Shared Object Rules from private companies.

                                    Fixed old snort double start error. Snort should start faster.

                                    ToDo:

                                    Backup rules option (finished coding, testing). (so after reinstalls, no more downloading.)
                                    www.emergingthreats.net rules will be added.
                                    New RSS tab.

    • serialdie

                                      Reinstalled Snort 2.4.8.1 v1.0.
                                      Rule updates went great but I still get this error:

                                      snort[20732]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules

                                      Which requires a restart of the system to get fixed…

    • serialdie

                                        This time the system is not blocking anything on the alerts tab…

                                        IE:

                                        06/07-10:00:27.491182 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.220.11:80 -> MY IP:36482
                                        06/07-10:00:29.492106 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.220.11:80 -> MY IP:26976
                                        06/07-10:01:03.507222 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.218.11:80 -> MY IP:19943

                                        The IP 76.13.218.11 is not being blocked.

                                        Ok, it's official: it is not blocking for me at all…

                                        There are currently no items being blocked by snort.

                                        Anybody else having the same problem?

                                        Update: changed to lowmem and now it blocks some of the IPs but not all.

    • jamesdean

                                          serialdie

                                          Then go to www.grc.com and use "ShieldsUP" to test your firewall.
                                          Do a port scan there.

                                          james

    • serialdie

                                            James,

                                            Thank you for your reply. I did the port scan and it came back stealth, and snort caught the IP and blocked it…
                                            The funny part is, when I am doing the test and I get different IPs doing the same exploit, it only blocks one IP and not the other.

                                            Update: here is an example:

                                            06/07-10:10:17.526632 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.212.11:80 -> MY IP:41951
                                            06/07-10:22:28.385658 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 74.6.104.11:80 -> MY IP:14127

                                            In this case IP 74.6.104.11 was blocked but IP 76.13.212.11 was not blocked.

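The inconsistency serialdie describes above (alerts firing, but only some source IPs landing in the block table) is the kind of thing worth checking mechanically. As an added example, not code from the thread or from the pfSense Snort package, this parses the fast-format alert lines pasted above and lists every alerting source that is absent from a block-table snapshot; the sample alerts are the thread's own, with the redacted "MY IP" destination replaced by the constructed placeholder 192.0.2.10, and the block-table contents are constructed to match what serialdie reported.

```python
import re
from dataclasses import dataclass

# Snort "fast" alert line, as pasted in the thread:
# 06/07-10:10:17.526632 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**]
#   [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.212.11:80 -> 192.0.2.10:41951
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    sig: str        # gid:sid:rev, e.g. "1:1394:10"
    msg: str
    priority: int
    proto: str
    src: str
    dst: str

def parse_alert(line):
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(m["ts"], f"{m['gid']}:{m['sid']}:{m['rev']}", m["msg"],
                 int(m["prio"]), m["proto"], m["src"], m["dst"])

def unblocked_sources(lines, blocked):
    """Alerting source IPs that never made it into the block table, sorted."""
    seen = {a.src for a in map(parse_alert, lines) if a is not None}
    return sorted(seen - set(blocked))

# Constructed sample: the thread's alerts, with the redacted "MY IP" replaced by 192.0.2.10.
SAMPLE_ALERTS = [
    "06/07-10:00:27.491182 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.220.11:80 -> 192.0.2.10:36482",
    "06/07-10:01:03.507222 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.218.11:80 -> 192.0.2.10:19943",
    "06/07-10:10:17.526632 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.212.11:80 -> 192.0.2.10:41951",
    "06/07-10:22:28.385658 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 74.6.104.11:80 -> 192.0.2.10:14127",
]
# Constructed block-table snapshot matching what serialdie reported: only one source blocked.
BLOCKED = {"74.6.104.11"}

if __name__ == "__main__":
    for ip in unblocked_sources(SAMPLE_ALERTS, BLOCKED):
        print(f"alerted but not blocked: {ip}")
```

On a real box the block-table snapshot would come from the firewall's current snort block list rather than a constructed set; the comparison logic is the same.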
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.