Snort Update and Oinkmaster.conf



  • Just re-installed Snort - hopefully it won't kill everything this time.

    Is it necessary to configure oinkmaster.conf for a pfsense install - because my rules won't update and I can't find oinkmaster.conf in any folder on my box.

    Plus I am hit by a 'you can only check for updates once every 15 minutes' message - this could be a long night.



  • Just tested my install of snort. Rule updates are working and are installing.

    Oinkmaster.conf ?

    You don't need to mess with anything, the snort package has custom code for snort rule updates. Just type in your oinkcode in the snort settings page, save and click on the update rules tab.

    The 15 minute wait is imposed by snort.org, there is nothing we can do.

    James



  • It is downloading the MD5 but it goes no further ….

    I was misled a little by the Snort page where I generated the code - the URLs haven't been updated and they mention Oinkmaster - this is clearly an application for a different platform.



    Getting the same issue; going to snort.org it appears that they have changed their website somewhat.

    I know it worked this morning on another install I have but my unit at home gives me this:

    Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /usr/local/www/snort_download_rules.php on line 105



  • @dlawley:

    Getting the same issue; going to snort.org it appears that they have changed their website somewhat.

    I know it worked this morning on another install I have but my unit at home gives me this:

    Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /usr/local/www/snort_download_rules.php on line 105

    You have an older version of the snort package. Yes, snort.org changed their URLs.

    Please reinstall.

    This question has been asked before.

    james



    Yes sir, indeed. On further searching I see it posted. Guess I was expecting pfSense to catch the update notice on the "install pkgs" screen..

    Reinstalled snort, all is good.

    Thank you.



    Uninstalled and cleaned up all old snort folders, re-installed and am back in business.



  • I had a similar problem, and so I read this, uninstalled, rebooted, reinstalled after reading the above post about fixed package.

    Took 30 minutes to update, stalled on 'extracting rules', and rebooted without warning.

    When I try to re-update the rules, it says that it's removing TMP files, and does that without changing.  Left it like that for over an hour before giving up.

    Perhaps I'll update my snapshot, as I also don't have any system logs.  (using June 5th one)
    "Last 100 system log entries
    Segmentation fault (core"



  • @jerrygoldsmith:

    I had a similar problem, and so I read this, uninstalled, rebooted, reinstalled after reading the above post about fixed package.

    Took 30 minutes to update, stalled on 'extracting rules', and rebooted without warning.

    When I try to re-update the rules, it says that it's removing TMP files, and does that without changing.  Left it like that for over an hour before giving up.

    Perhaps I'll update my snapshot, as I also don't have any system logs.   (using June 5th one)
    "Last 100 system log entries
    Segmentation fault (core"

    Can you post your system spec and pfSense version.

    thanx



  • @jamesdean:

    Can you post your system spec and pfSense version.
    thanx

    Thank ya sir!

    1.2.3-RC2 built on Fri Jun 5 01:10:29 EDT 2009
    FreeBSD 7.1-RELEASE-p5 i386
    snapshot from http://snapshots.pfsense.org/FreeBSD_RELENG_7_1/pfSense_RELENG_1_2/updates/pfSense-Full-Update-1.2.3-20090605-0110.tgz

    Processor - VIA Samuel 2 (800MHz)
    RAM - 512MB PC133

    It's an IP3 Gateway (series 100) that I modded and loaded pfSense on about 3 months ago.  I've never had a problem with it before; Snort has worked perfectly until this last week.  Also, I've made no significant system changes aside from the snapshot version I updated yesterday because I thought that might help (I had run out of ideas and had some time on my hands).

    Thank you in advance for your input.  I've seen you've been working on this a lot lately!



  • @jerrygoldsmith:

    @jamesdean:

    Can you post your system spec and pfSense version.
    thanx

    Thank ya sir!

    1.2.3-RC2 built on Fri Jun 5 01:10:29 EDT 2009
    FreeBSD 7.1-RELEASE-p5 i386
    snapshot from http://snapshots.pfsense.org/FreeBSD_RELENG_7_1/pfSense_RELENG_1_2/updates/pfSense-Full-Update-1.2.3-20090605-0110.tgz

    Processor - VIA Samuel 2 (800MHz)
    RAM - 512MB PC133

    It's an IP3 Gateway (series 100) that I modded and loaded pfSense on about 3 months ago.  I've never had a problem with it before; Snort has worked perfectly until this last week.  Also, I've made no significant system changes aside from the snapshot version I updated yesterday because I thought that might help (I had run out of ideas and had some time on my hands).

    Thank you in advance for your input.  I've seen you've been working on this a lot lately!

    No problem, thanx for the feedback.

    Your system specs are low. I still need to adjust my code for your type of system.
    In a few hours I'll upload code to reduce system resources for users with your system specs.
    Don't say sir, you make me feel old. ;)

    thanx
    james



  • @jamesdean:

    No problem, thanx for the feedback.

    Your system specs are low. I still need to adjust my code for your type of system.
    In a few hours I'll upload code to reduce system resources for users with your system specs.
    Don't say sir, you make me feel old. ;)

    thanx
    james

    Actually, I only use a few rule sets and it's worked wonderfully for the past 3 months, maybe 4.  So I'm not sure the specs would be the problem unless there has been a major change in code?  I thought perhaps there were some remnant files left over, and that is what was causing it to hang.  But if you think it's the code I'll just wait.

    I should have included this before, but my box only runs at about 40%-50% memory usage and 30-40% CPU usage.  I use AC-sparsebands (the others usually don't let Snort start).
    I have the following things running:
    SSH (I'm always tunneled in, I travel for work)
    Radius (sometimes on, usually not)
    vnStat

    As for 'Sir', it's a work habit.  I call them 'Sir' by default so I don't accidentally call them the names I use for them in my head….. :p

    Thanks again.



  • Hey jerrygoldsmith

    You should try "ac-bnfa", it's the best setting.
    Hope to finish coding some time early this morning.

    james



  • No rush dude.  I'm off work for 2 weeks so I'm just geeking out on some projects.  Thanks again for your help.



  • James,

    This is the same problem I had with the "extracting rules"… I am using lowmem... I am going to try your suggestion... I am also interested in your new code, it might help me as well with my setup...

    TIA!



  • New code going up in 10 min.

    Added or fixed:

    Hopefully improved rule extraction.

    Advanced Shared Object Rules from private companies.

    Fixed old snort double start error. Snort should start faster.

    ToDo:

    Backup rules option (finished coding, testing). (So after reinstalls no more downloading.)
    www.emergingthreats.net rules will be added.
    New RSS tab.



    Reinstalled Snort 2.4.8.1 v1.0.
    Rule updates went great but I still get this error:

    snort[20732]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules

    Which requires a restart of the system to get fixed…



  • This time the system is not blocking anything on the alerts tab…

    IE:

    06/07-10:00:27.491182 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.220.11:80 -> MY IP:36482
    06/07-10:00:29.492106 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.220.11:80 -> MY IP:26976
    06/07-10:01:03.507222 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.218.11:80 -> MY IP:19943

    The IP

    76.13.218.11

    is not being blocked.

    Ok, it's official, it's not blocking for me at all…

    There are currently no items being blocked by snort.

    Anybody else having the same problem?

    Update: changed to lowmem and now it blocks some of the IPs but not all.



  • serialdie

    Then go to www.grc.com and use "Shields Up" to test your firewall.
    Do a port scan there.

    james



  • James,

    Thank you for your reply. I did the port scan and it came back stealth and snort caught the IP and blocked it….
    Funny part is when I am doing the test and I get different IPs doing the same exploit, it only blocks one IP and not the other IP.

    Update: here is an example:

    06/07-10:10:17.526632 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.212.11:80 -> MY IP:41951
    06/07-10:22:28.385658 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 74.6.104.11:80 -> MY IP:14127

    In this case IP 74.6.104.11 was blocked but IP 76.13.212.11 was not blocked.
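The two alert lines above show the check a defender actually wants here: for every source address that raised an alert, is that address present in the pf table that does the blocking? The following is an added example, not code from the thread or from the pfSense snort package. It parses Snort fast-format alert lines (the format the quoted lines are in) and compares the alerting sources against the contents of the block table. On the firewall the real table contents come from `pfctl -t snort2c -T show` (snort2c being the table the blocking component fills, as James describes later in the thread); here both the alert lines and the table output are constructed samples embedded inline, with the redacted "MY IP" replaced by a placeholder address, so the script runs offline.

```python
import re
from typing import Dict, List, Optional, Set

# Snort "fast" alert line, as quoted in the thread (forum rendering adds
# spaces inside the brackets, so the pattern tolerates "[**]" and "[ ** ]").
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\s*\*\*\s*\]\s+"
    r"\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s+"
    r"(?P<msg>.*?)\s+\[\s*\*\*\s*\]"
    r"(?:\s+\[\s*Classification:\s*(?P<cls>[^\]]*?)\s*\])?"
    r"(?:\s+\[\s*Priority:\s*(?P<prio>\d+)\s*\])?"
    r"\s+\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts modelled on the two lines in the post above; the
# destination "MY IP" from the post is replaced by a placeholder address.
SAMPLE_ALERTS = """\
06/07-10:10:17.526632 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 76.13.212.11:80 -> 10.0.0.5:41951
06/07-10:22:28.385658 [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 74.6.104.11:80 -> 10.0.0.5:14127
some unrelated log line that must be ignored
"""

# Constructed stand-in for the output of `pfctl -t snort2c -T show` on the
# firewall, which lists one address per line (indented). Only the second
# alerting source is in the table, mirroring the situation in the post.
SAMPLE_PF_TABLE = """\
   74.6.104.11
"""


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one fast-format alert, or None if the line is not one."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_pf_table(text: str) -> Set[str]:
    """Turn `pfctl -t <table> -T show` output into a set of address strings."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def unblocked_sources(alert_lines: List[str], blocked: Set[str]) -> Dict[str, List[str]]:
    """Map each alerting source address that is absent from the block table to
    the distinct signature ids (gid:sid:rev) it triggered, in first-seen order."""
    result: Dict[str, List[str]] = {}
    for line in alert_lines:
        a = parse_alert(line)
        if a is None or a["src"] in blocked:
            continue
        sig = f'{a["gid"]}:{a["sid"]}:{a["rev"]}'
        sigs = result.setdefault(a["src"], [])
        if sig not in sigs:
            sigs.append(sig)
    return result


if __name__ == "__main__":
    missing = unblocked_sources(SAMPLE_ALERTS.splitlines(), parse_pf_table(SAMPLE_PF_TABLE))
    for src, sigs in missing.items():
        print(f"{src} alerted ({', '.join(sigs)}) but is not in the snort2c table")
```

Run against the real alert file and the real `pfctl` output, an empty result means every alerting source was blocked; anything reported is a source that triggered a rule without being added to the table, which is exactly the symptom described in this post.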



    Forgot to mention, after reboots.
    You need to start snort again from the settings tab (click the save).
    This is because snort won't start snort2c after reboots. (snort2c is the app that blocks alerts.)
    Snort2c not starting after reboots has been in the snort package as long as I can remember.

    I'm glad that the snort updates finished.

    This error means that your system for some reason isn't seeing the new files.
    Going to add a "rehash" after installs, hopefully that will fix the issue.
    "snort[20732]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules"

    James



  • James,

    Thank you for the fast reply. Blocking is now working.
    Thank you for your hard work!



  • Sweeeeet…..

    It's working, though my services list shows it as stopped even though it's actively logging/blocking.  Now I just have to fix my syslog (update of snapshot probably) so I can get a more detailed look at my Snort logs.

    But since it's up and blocking I think that means it's 100% :D  And mine has always started after reboot.  Just tested it, and it started automatically after reboot as it's logging/blocking, though it shows as stopped in the Services tab and won't start there.  But as it's working I'll leave it alone!

    Thanks man, you rock.   And roll.   All night long.

    Edit:
    With no traffic
    CPU usage - 29%
    Memory usage - 34%
    Not bad.  Slight usage drop after switching to the different memory setting, might be able to fit in a few more rule sets…



  • Glad to see you guys with low system specs are running snort package.

    Snort2c starting for some of us and not starting for some of us might be related to system memory.
    I'm going to add more memory to my system and see if it helps.

    James



    Ok, now after I get more than one block in the Blocked tab the system CPU shoots through the roof, rendering the system almost unusable.
    It was not doing that in the previous pkg…. Any idea what's going on?

    Edit:

    Top shows that php is what's driving the CPU load crazy... and it only does it when I go to the blocked tab..
    Any ideas?

    Edit 2:

    I let the Blocked page load and after 4 min of trying to load it finally did, to reveal a few IPs blocked... Once the page loaded, the CPU load went down to the average of 1% to 5%.... It looks like something is not right...



  • @serialdie:

    Ok, now after I get more than one block in the Blocked tab the system CPU shoots through the roof, rendering the system almost unusable.
    It was not doing that in the previous pkg…. Any idea what's going on?

    Edit:

    Top shows that php is what's driving the CPU load crazy... and it only does it when I go to the blocked tab..
    Any ideas?

    Edit 2:

    I let the Blocked page load and after 4 min of trying to load it finally did, to reveal a few IPs blocked... Once the page loaded, the CPU load went down to the average of 1% to 5%.... It looks like something is not right...

    I have not touched any code related to the blocked tab. I have tried to reproduce the error but everything looks fine.
    At most my system uses 3% when I click on the block tab. (I'm using Firefox.)
    Holy crap, just used IE8 on the pfSense GUI, the GUI responds 4x faster. wow.

    What web browser are you using ?

    james



    I tried all of them and they do the same thing… Opera, Firefox, IE, Konqueror, Safari, etc....

    Should I reinstall?



    No, don't reinstall, you're killing your flash card.

    I suspect all your problems are related to your hardware specs.
    When I get the board you mailed me I'll install pfSense on there.
    I should start to see the same glitches. Then I'll be able to fix the hiccups asap.

    Just run snort as is for now. Don't worry, I'll get to the bottom of this.
    Also, I'm still adding features, so don't reinstall for a while.

    james



  • Got it James.

    Thank You very much!

