Snort Problem !!!!!



  • Hi .. some one know why i have this error on Snort Rules Option ?

    Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort_rules.php on line 101 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 35 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 36 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 37 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 38 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 39

    I use pfsense 1.2.2 (also pass with 1.2.3 RC1 )

    Thanks a lot



  • @tixe:

    Hi .. some one know why i have this error on Snort Rules Option ?

    Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort_rules.php on line 101 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 35 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 36 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 37 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 38 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 39

    I use pfsense 1.2.2 (also pass with 1.2.3 RC1 )

    Thanks a lot

    Hey can you tell me a little more.
    Did you update the rules first before trying to edit the rules ?
    What version of snort package do you have ?

    James



  • Hi .. thanks for your response … i use the version that can download by the packager admin on pfsense ( 2.8.4.1 ), and the rules are traing to download from 1 day ago aprox. how many time need to download the package rules from the first time that is installed de package ?

    Thanks a lot



  • @tixe:

    Hi .. thanks for your response … i use the version that can download by the packager admin on pfsense ( 2.8.4.1 ), and the rules are traing to download from 1 day ago aprox. how many time need to download the package rules from the first time that is installed de package ?

    Thanks a lot

    Also when i go to the Snort .. Update Rules … show it

    Please wait... You may only check for New Rules every 15 minutes...
    Rules are released every month from snort.org. You may download the Rules at any time.



  • @tixe:

    @tixe:

    Hi .. thanks for your response … i use the version that can download by the packager admin on pfsense ( 2.8.4.1 ), and the rules are traing to download from 1 day ago aprox. how many time need to download the package rules from the first time that is installed de package ?

    Thanks a lot

    Also when i go to the Snort .. Update Rules … show it

    Please wait... You may only check for New Rules every 15 minutes...
    Rules are released every month from snort.org. You may download the Rules at any time.

    Can you please type this in the terminal.

    rm /usr/local/etc/snort/rules/*
    rm /usr/local/etc/snort/

    Wait 15 minutes and try to update the rules.

    You should try to update your rules once a day but I do it once a week.

    James



  • I am also having the exact same problem.

    Installed Snort 2.8.4.1 pkg v. 1.4 via the Packages module in the pfsense 1.2.2 gui, updated the rules manually (as per the wiki, as the gui times out), rebooted pfsense - but the Snort service won't start, and when clicking the Rules tab, this error appears at the top of the webgui:

    Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort_rules.php on line 101 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 35 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 36 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 37 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 38 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 39

    …if it helps, I'm running pfsense on a Nokia IP330 (AMD K6 II-400, 256 MB RAM, 20 GB HD).

    Also, just noticed this error in the Diagnostics / System log:

    snort[48048]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.



  • @DigitalJer:

    I am also having the exact same problem.

    Installed Snort 2.8.4.1 pkg v. 1.4 via the Packages module in the pfsense 1.2.2 gui, updated the rules manually (as per the wiki, as the gui times out), rebooted pfsense - but the Snort service won't start, and when clicking the Rules tab, this error appears at the top of the webgui:

    Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort_rules.php on line 101 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 35 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 36 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 37 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 38 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 39

    …if it helps, I'm running pfsense on a Nokia IP330 (AMD K6 II-400, 256 MB RAM, 20 GB HD).

    I'm running a Alix 2d3 running at 500mhz and 256 mb RAM. Rule updates takes 5 minutes. How long are you waiting for the rules updates to finish ?

    Please post the output of

    ls /usr/local/etc/snort/

    and

    ls /usr/local/etc/snort/rules

    James



  • An Alix, sweeeet, I'd like to get my hands on a WRAP board to install in my car (dual wifi radios).

    Sry the proc in my Nokia IP330 is a K6-II 500, not K6-II 400.

    The gui seems to time out at extraction - at about the 9 minute mark, give or take 10 - 20 seconds.

    Dunno if this means anything, but with top running in an SSH session, bsdtar keeps running for several minutes after the gui times out.

    ls /usr/local/etc/snort/

    classification.config          sid-msg.map-sample
    classification.config-sample    snort.conf
    gen-msg.map                    snort.conf-sample
    gen-msg.map-sample              threshold.conf
    reference.config                threshold.conf-sample
    reference.config-sample        unicode.map
    rules                          unicode.map-sample
    sid-msg.map

    …and

    ls /usr/local/etc/snort/rules

    doc            etc            rules          so_rules

    Thanks James.  Been struggling and searching for a while before posting…pretty sure I've just missed something silly.



  • NP DigitalJer

    There GUI errors you get are because the rules have not extracted to /usr/local/etc/snort/rules.

    Dont touch the gui do this for me.

    rm /usr/local/etc/snort/rules/*

    and

    ls /tmp/snort_rules_up/

    James



  • rm /usr/local/etc/snort/rules/*

    rm: /usr/local/etc/snort/rules/doc: is a directory
    rm: /usr/local/etc/snort/rules/etc: is a directory
    rm: /usr/local/etc/snort/rules/rules: is a directory
    rm: /usr/local/etc/snort/rules/so_rules: is a directory

    ..and

    ls /tmp/snort_rules_up/

    etc                                    snortrules-snapshot-2.8.tar.gz
    pfsense_rules.tar.gz                    snortrules-snapshot-2.8.tar.gz.md5
    pfsense_rules.tar.gz.md5                so_rules
    rules

    …looking into Alix / WRAP, I see the WRAPs are discontinued in favour of the Alix, since the last time I looked.  The Alix looks sharp.  waaaaannnnt!!



  • @DigitalJer:

    rm /usr/local/etc/snort/rules/*

    rm: /usr/local/etc/snort/rules/doc: is a directory
    rm: /usr/local/etc/snort/rules/etc: is a directory
    rm: /usr/local/etc/snort/rules/rules: is a directory
    rm: /usr/local/etc/snort/rules/so_rules: is a directory

    ..and

    ls /tmp/snort_rules_up/

    etc                                     snortrules-snapshot-2.8.tar.gz
    pfsense_rules.tar.gz                    snortrules-snapshot-2.8.tar.gz.md5
    pfsense_rules.tar.gz.md5                so_rules
    rules

    …looking into Alix / WRAP, I see the WRAPs are discontinued in favour of the Alix, since the last time I looked.  The Alix looks sharp.  waaaaannnnt!!

    Good news, looks like the rules are downloading fine, but your system cant handle the extraction processes.

    Do this

    rm -r /usr/local/etc/snort/rules/*

    and

    ls /tmp/snort_rules_up/rules

    James



  • ls /tmp/snort_rules_up/rules

    Makefile.am            local.rules            snmp.rules
    VRT-License.txt        misc.rules              specific-threats.rules
    attack-responses.rules  multimedia.rules        spyware-put.rules
    backdoor.rules          mysql.rules            sql.rules
    bad-traffic.rules      netbios.rules          telnet.rules
    cgi-bin.list            nntp.rules              tftp.rules
    chat.rules              open-test.conf          virus.rules
    content-replace.rules  oracle.rules            voip.rules
    ddos.rules              other-ids.rules        web-activex.rules
    deleted.rules          p2p.rules              web-attacks.rules
    dns.rules              policy.rules            web-cgi.rules
    dos.rules              pop2.rules              web-client.rules
    experimental.rules      pop3.rules              web-coldfusion.rules
    exploit.rules          porn.rules              web-frontpage.rules
    finger.rules            rpc.rules              web-iis.rules
    ftp.rules              rservices.rules        web-misc.rules
    icmp-info.rules        scada.rules            web-php.rules
    icmp.rules              scan.rules              x11.rules
    imap.rules              shellcode.rules
    info.rules              smtp.rules

    …my Nokia can't handle the truth??  boo!  Oh well it was only $20.



  • @DigitalJer:

    ls /tmp/snort_rules_up/rules

    Makefile.am             local.rules             snmp.rules
    VRT-License.txt         misc.rules              specific-threats.rules
    attack-responses.rules  multimedia.rules        spyware-put.rules
    backdoor.rules          mysql.rules             sql.rules
    bad-traffic.rules       netbios.rules           telnet.rules
    cgi-bin.list            nntp.rules              tftp.rules
    chat.rules              open-test.conf          virus.rules
    content-replace.rules   oracle.rules            voip.rules
    ddos.rules              other-ids.rules         web-activex.rules
    deleted.rules           p2p.rules               web-attacks.rules
    dns.rules               policy.rules            web-cgi.rules
    dos.rules               pop2.rules              web-client.rules
    experimental.rules      pop3.rules              web-coldfusion.rules
    exploit.rules           porn.rules              web-frontpage.rules
    finger.rules            rpc.rules               web-iis.rules
    ftp.rules               rservices.rules         web-misc.rules
    icmp-info.rules         scada.rules             web-php.rules
    icmp.rules              scan.rules              x11.rules
    imap.rules              shellcode.rules
    info.rules              smtp.rules

    …my Nokia can't handle the truth??  boo!  Oh well it was only $20.

    Never give up DigitalJer…...

    Do this

    cp /tmp/snort_rules_up/rules/ /usr/local/etc/snort/rules*

    and

    rm /usr/local/lib/snort/dynamicrules/*

    cp /tmp/snort_rules_up/so_rules/ /usr/local/lib/snort/dynamicrules/*

    and start snort by clicking save on the Settings Tab.



  • Heck no, not giving up, just mildly disappointed.

    …and that worked - tyvm!!

    How did you know that it was failing on the extraction?  Going forward - will it update automatically, do you think, or should I bookmark this thread.



  • snort will not update automatically for you, so bookmark this thread.
    The main problem is that your system cant handle extracting snortrules-snapshot-2.8.tar.gz.
    Hope you understand that I cant fix bsd tar problem, because your on a low end system.

    Just remember to

    rm /usr/local/etc/snort/rules/*
    cp /tmp/snort_rules_up/rules/ /usr/local/etc/snort/rules*

    rm /usr/local/lib/snort/dynamicrules/*
    cp /tmp/snort_rules_up/so_rules/ /usr/local/lib/snort/dynamicrules/*

    cp /tmp/snort_rules_up/pfsense_rules.tar.gz.md5 /usr/local/etc/snort/
    cp /tmp/snort_rules_up/snortrules-snapshot-2.8.tar.gz.md5 /usr/local/etc/snort/

    James

    P.S.

    You could write a small script to do this after snort package downloads the rules.



  • Got it.

    Thanks again :)



  • UPDATE:  You're right, the Nokia IP330 firewall turned out to be considerably less powerful than I thought.

    I recently ordered Shaw's 100 mbps service, and with just ONE decently seeded torrent the pfsense f/w CPU held steady at about 55%.  Even just surfing at the same time resulted in 100% CPU, saturation, and laaaag :(

    So, that's been retired, and an Athlon XP 64 3000+ with a gig of RAM moved in instead, and all is well.  I did the math, this should just slightly exceed requirements…so ought to be just about right.

    Anyway, thanks again jamesdean, for taking the time to help me out!  Happy Holidays :)


Log in to reply