Just Update to Services: Snort 2.8.4.1 pkg v. 1.4 (But Snort has no blocking)



  • Today I upgraded to Snort 2.8.4.1 pkg v. 1.4, but the Blocked section and the Alerts do not show any blocked IPs or alert messages.  ???



  • Davc,

    I haven't upgraded yet to Snort Pkg 1.4, (am still on v. 1.3). But wondering if you saved your settings which under 1.3 (and older versions) is required to successfully restart Snort service after a rule-set update. Actually under V 1.3 you can restart Snort either by hitting "save" on the Settings page or the Categories page… if you've done that and still don't get any alerts, you could try to confirm by going to www.grc.com "Shieldsup" to test scan your F/W to see if Snort picked up the scan.

    What's new in V 1.4 of the Snort package? JamesDean has done a great job of updating this package for all of us. If something is actually wrong it should be confirmed... but make sure you saved your settings and that Snort is actually running.



  • Snort 2.8.4.1 pkg v. 1.4 new features are the Threshold tab and Servers tab.

    The Servers tab lets you define your network server IPs and ports for snort. Defining your servers will make snort perform better.

    The Threshold tab lets you suppress or limit alerts that are noisy.
    Here is an example on using the Threshold tab.
    http://forum.pfsense.org/index.php/topic,17529.0.html.

    James



  • @Davc:

    I just did a fresh install of Snort 2.8.4.1 pkg v. 1.4 and the snort package is working. I'm on Pfsense 1.2.3.
    Can you give me more info, like your Pfsense version, system specs and the options you have selected in the Settings tab?

    James



  • is it safe to move to the latest snapshots yet?



  • This is my Pfsense Spec:

    version: 1.2.3-RC1
    Kernel Version  FreeBSD 7.1-RELEASE-p5
    Model  Intel(R) Pentium(R) 4 CPU 3.00GHz
    PCI Devices: atapci0: Intel ICH6 UDMA100 controller
    em1: Intel(R) PRO/1000 Network Connection 6.9.6
    em2: Intel(R) PRO/1000 Network Connection 6.9.6
    Physical Memory: Free 2.64 GB, Used 347.19 MB, Size 2.98 GB, Percent Capacity 11%

    Snort: Services: Snort 2.8.4.1 pkg v. 1.4
    Currently I only enabled ddos.rules / emerging-rbn.rules to test.

    I also installed Squid+SquidGuard+Rate+bandwidthd+phpSysInfo

    I reinstalled the Snort package today and rebooted the box. Now I get a number of alert messages but still no IP blocking.

    In v1.3 I could get up to 350 blocked IPs within an hour.

    Cheers,
    David



  • Agree, the new "Threshold" feature is excellent. We now have no need to edit the file /usr/local/etc/snort/threshold.conf. The GUI makes life a lot easier. Many thanks to James.  ;)

    I now easily suppress the 2 frequent alerts,
    (smtp) Attempted data header buffer overflow: 1014 chars [ ** ]  and
    (ftp_telnet) FTP command parameters were malformed [ ** ],  through the GUI.

    Great Works!!!
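What the Threshold tab ends up writing into threshold.conf, as an added illustration in Snort 2.8.4 syntax (not output captured from the package). The 1:10001 rule is the POLICY SMTP alert quoted later in this thread; generator 124 (smtp) and 125 (ftp_telnet) with sig_id 2 are the editor's recollection of the standard IDs for the two messages above, not something the thread states, so confirm them against the [gen:sig:rev] field on your own alert line before using them:

```conf
# Added example, not generated by the pfSense package.
# "suppress" drops the event entirely; "threshold ... type limit" keeps the
# first N events per source per time window and drops the rest.

# The two noisy preprocessor alerts from the post above.
# gen_id 124 = smtp preprocessor, 125 = ftp_telnet; sig_id 2 is assumed for
# "Attempted data header buffer overflow" and "FTP command parameters were
# malformed" -- check the [gen:sig:rev] field on your alert line.
suppress gen_id 124, sig_id 2
suppress gen_id 125, sig_id 2

# Rate-limit instead of silencing: for [1:10001:2] POLICY SMTP 550 Relaying
# denied, log one alert per source per hour rather than one per connection.
threshold gen_id 1, sig_id 10001, type limit, track by_src, count 1, seconds 3600
```

A suppressed event is never written to the alert file, so snort2c never sees it and no block follows from it; when you still want the first hit from a source to be blocked but not the next hundred, use the `threshold ... type limit` form rather than `suppress`.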



  • Thanks for the nice words, Davc.
    On snort not blocking:

    I enabled  ddos.rules and emerging-rbn.rules and other rules and snort is blocking.

    Please post the output of

    ps -aux | grep snort

    and

    cat /usr/local/etc/rc.d/snort.sh

    James



  • Hi James, this is the info

    $ ps -aux | grep snort
    root  42733  0.0  2.2 98976 67396  ??  Ss  12:59AM  0:41.56 snort -c /usr/lo

    $ cat /usr/local/etc/rc.d/snort.sh
    #!/bin/sh
    # This file was automatically generated
    # by the pfSense service handler.

    rc_start() {

    # Free-memory sample before Snort starts (command substitution restored
    # here; the backticks were lost when the script was pasted)
    BEFORE_MEM=$(top | grep Free | grep Wired | awk '{print $10}')
    # Kill any old snort2c, start Snort as a daemon on em1, then start snort2c
    # watching the alert file and honouring the whitelist
    /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em1 -q
    sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
    echo "Sleeping before final memory sampling..."
    sleep 17
    AFTER_MEM=$(top | grep Free | grep Wired | awk '{print $10}')

    # TOTAL_USAGE is never set in this script, so the last field is logged empty
    echo "Ram free BEFORE starting Snort: ${BEFORE_MEM} -- Ram free AFTER starting Snort: ${AFTER_MEM} -- Mode ac-bnfa -- Snort memory usage: ${TOTAL_USAGE}" | logger -p daemon.info -i -t SnortStartup

    }

    rc_stop() {
    /usr/bin/killall snort; killall snort2c
    }

    case $1 in
    start)
    rc_start
    ;;
    stop)
    rc_stop
    ;;
    restart)
    rc_stop
    rc_start
    ;;
    esac



  • In the Setting Tab, I selected the follow:

    Interface: Wan
    Performance: ac-bnfa
    Oinkmaster Code: 8eexxxxxxxxxxxxx
    Block Offenders: Check
    Update rules automatically: check
    Whitelist VPNs automatically: uncheck
    Convert Snort alerts urls to Clickable links: check
    Associate events on Blocked tab: check
    Sync Snort configuration to secondary cluster member: uncheck
    Install emergingthreats rules: uncheck



  • @Davc:

    Davc, snort2c is not running.

    Make sure Block offenders is checked in the settings tab.

    Click on the save button on the Settings tab after you made sure Block offenders is checked.

    Lastly uncheck the auto update box in the settings tab.

    James



  • James,

    I have checked the Block Offenders is activated on the GUI , and i have now saved the setting again.

    This is the output:
    $ ps -aux | grep snort
    root    3914  0.0  1.3 85664 41344  ??  Ss    4:40AM  0:00.46 snort -c /usr/lo
    root    4371  0.0  0.0  3356  1156  ??  S    4:44AM  0:00.00 grep snort

    $ cat /usr/local/etc/rc.d/snort.sh
    #!/bin/sh
    # This file was automatically generated
    # by the pfSense service handler.

    rc_start() {

    # Free-memory sample before Snort starts (command substitution restored
    # here; the backticks were lost when the script was pasted)
    BEFORE_MEM=$(top | grep Free | grep Wired | awk '{print $10}')
    # Kill any old snort2c, start Snort as a daemon on em1, then start snort2c
    # watching the alert file and honouring the whitelist
    /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em1 -q
    sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
    echo "Sleeping before final memory sampling..."
    sleep 17
    AFTER_MEM=$(top | grep Free | grep Wired | awk '{print $10}')

    # TOTAL_USAGE is never set in this script, so the last field is logged empty
    echo "Ram free BEFORE starting Snort: ${BEFORE_MEM} -- Ram free AFTER starting Snort: ${AFTER_MEM} -- Mode ac-bnfa -- Snort memory usage: ${TOTAL_USAGE}" | logger -p daemon.info -i -t SnortStartup

    }

    rc_stop() {
    /usr/bin/killall snort; killall snort2c
    }

    case $1 in
    start)
    rc_start
    ;;
    stop)
    rc_stop
    ;;
    restart)
    rc_stop
    rc_start
    ;;
    esac



  • Davc, this is weird; all your settings are right and /usr/local/etc/rc.d/snort.sh looks good.

    Davc, please type this at the command prompt:

    snort2c -w /var/db/whitelist -a /var/log/snort/alert

    then see if snort2c is running by typing this in:

    ps -aux | grep snort

    Lastly, check your logs for anything to do with snort2c.

    James



  • Dear James,

    Thank you for the help. This is the output:
    $ ps -aux | grep snort
    root    7516  0.3  2.4 117408 73656  ??  Ss    2:04PM   0:03.72 snort -c /usr/lo
    root    7790  0.0  0.0  3156   972  ??  Is    2:05PM   0:00.01 snort2c -w /var/
    root    7796  0.0  0.0  3156   972  ??  Ss    2:06PM   0:00.01 snort2c -w /var/
    root    7800  0.0  0.0  1676  1044  ??  R     2:06PM   0:00.00 grep snort

    Furthermore, I also tried to uninstall just the GUI package and update the rules again. But still no blocking, just alert messages; I hope this is not something to do with bridge mode. Some say Pfsense works better in NAT mode than bridge mode.

    This is the system log:
    Jul 11 02:35:33 syslogd: exiting on signal 15
    Jul 11 01:01:31 snort2c[42737]: DIOCRADDADDRS - ioctl error - exit
    Jul 11 01:01:31 snort2c[42737]: DIOCRADDADDRS - ioctl error - exit
    Jul 11 00:59:44 SnortStartup[42762]: Ram free BEFORE starting Snort: 112M -- Ram free AFTER starting Snort: 112M -- Mode ac-bnfa -- Snort memory usage:
    Jul 11 00:59:27 snort2c[42737]: snort2c running in daemon mode pid: 42737
    Jul 11 00:59:27 snort2c[42737]: snort2c running in daemon mode pid: 42737
    Jul 11 00:59:19 snort[42733]: Not Using PCAP_FRAMES
    Jul 11 00:59:19 snort[42733]: Not Using PCAP_FRAMES
    Jul 11 00:59:19 snort[42733]: Snort initialization completed successfully (pid=42733)
    Jul 11 00:59:19 snort[42733]: Snort initialization completed successfully (pid=42733)



  • @Davc:

    Looks like snort2c and snort are running; you should now see IPs being blocked.

    James



  • Dear James,

    Still not able to block. I did some searching and there are also reports that after updating to version 2.8.4.1 others have the same problem with blocking. Maybe this is the cause?

    Jul 11 01:01:31    snort2c[42737]: DIOCRADDADDRS - ioctl error - exit

    This is the post i found (without solutions)
    http://www.mail-archive.com/support@pfsense.com/msg16831.html



  • @Davc:

    I've seen this before; it seems snort2c is having trouble inserting IPs into the firewall table snort2c.

    I installed all your packages and snort2c is working on Pfsense 7.2.

    I will do the same thing on Pfsense 7.1.

    James
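James' point above is that the alert side works but the insert into the pf table fails. The script below is an added example written for this thread, not snort2c and not part of the pfSense snort package: it re-does, in plain shell, the two things snort2c does on this setup (extract the offending address from each fast-format alert line, skip whitelisted ones, then add the survivors to the pf table with pfctl; snort2c does that last step with the DIOCRADDADDRS ioctl, which pf rejects when the named table is not in the loaded ruleset). It assumes the table is called "snort2c", that the whitelist is one address per line matched exactly (snort2c's own whitelist may hold networks; CIDR matching is left out), and it only prints the pfctl commands unless DO_BLOCK=1. The sample alert lines are constructed for the example using documentation addresses. The "both" mode also takes the destination address, which the last posts in the thread ask about.

```sh
#!/bin/sh
# Added example for this thread; not snort2c and not part of the pfSense
# snort package. Re-implements what snort2c does so each step can be
# checked by hand when you get alerts but no blocks:
#   1. pull the offending address out of every fast-format alert line,
#      skipping anything on the whitelist
#   2. add the survivors to the pf table the pfSense block rule references
# Assumptions (not from the thread): table name "snort2c", whitelist is one
# address per line matched exactly, pfctl only printed unless DO_BLOCK=1.

TABLE=${TABLE:-snort2c}

# Constructed sample alert file in Snort's fast alert format, using
# documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
sample_alerts() {
    cat <<'EOF'
09/03-11:02:19.771744 [**] [1:10001:2] POLICY SMTP 550 Relaying denied [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.10:25 -> 198.51.100.40:55949
09/03-11:05:02.000001 [**] [1:10001:2] POLICY SMTP 550 Relaying denied [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.10:25 -> 198.51.100.40:55950
09/03-11:06:44.123456 [**] [1:1000001:1] LOCAL ICMP test (constructed) [**] [Priority: 3] {ICMP} 203.0.113.5 -> 198.51.100.40
09/03-11:07:10.555555 [**] [1:10001:2] POLICY SMTP 550 Relaying denied [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:25 -> 198.51.100.40:55951
EOF
}

# offending_addrs ALERTFILE [src|both]
# Every fast-format line ends in "{PROTO} SRC[:PORT] -> DST[:PORT]" (ICMP
# lines carry no ports). snort2c blocks the source only; "both" also takes
# the destination.
offending_addrs() {
    awk -v mode="${2:-src}" '
        $(NF-1) == "->" {
            src = $(NF-2); dst = $NF
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
            print src
            if (mode == "both") print dst
        }' "$1" | LC_ALL=C sort -u
}

# not_whitelisted WHITELIST   (filter on stdin; exact-match only)
not_whitelisted() {
    if [ -s "$1" ]; then grep -vxF -f "$1"; else cat; fi
}

# block_commands ALERTFILE WHITELIST [src|both]
# One "pfctl -t TABLE -T add ADDR" per address, the pfctl equivalent of
# snort2c's DIOCRADDADDRS ioctl. Executed only when DO_BLOCK=1.
block_commands() {
    offending_addrs "$1" "$3" | not_whitelisted "$2" | while read -r addr; do
        if [ "${DO_BLOCK:-0}" = 1 ]; then
            pfctl -t "$TABLE" -T add "$addr"
        else
            echo "pfctl -t $TABLE -T add $addr"
        fi
    done
}

# check_table: 0 if the pf table exists, 1 if pf says it does not,
# 2 if pfctl is not installed (e.g. when run off the firewall).
# A missing table is one reason DIOCRADDADDRS returns an error.
check_table() {
    command -v pfctl >/dev/null 2>&1 || return 2
    pfctl -t "$TABLE" -T show >/dev/null 2>&1
}

main() {
    rc=0; check_table || rc=$?
    case $rc in
        1) echo "pf table '$TABLE' does not exist; snort2c's DIOCRADDADDRS will fail" >&2; return 1 ;;
        2) echo "pfctl not found; printing commands only" >&2 ;;
    esac
    block_commands "$1" "$2" "${3:-src}"
}

# usage: sh snortblock.sh /var/log/snort/alert /var/db/whitelist [src|both]
if [ "$#" -ge 2 ]; then main "$@"; fi
```

On the firewall itself, `pfctl -t snort2c -T show` is the quickest way to tell the two failure modes apart: if the table is absent, no amount of restarting snort2c will help until the ruleset that defines it is reloaded; if it exists and is empty while the alert file fills up, the problem is on the snort2c side.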



  • ok, I can try to upgrade to pfsense 7.2 and check



  • Thanks for the great update to 1.4 James, but there are some strange issues.
    First, all dynamic rules had a wrong path for me and Snort was refusing to start until I manually changed them to /usr/local/lib/snort/dynamic (the original was /usr/local/lib/snort_dynamic).
    Then I went ahead and downloaded the new rules because the upgrade from 1.3 to 1.4 deleted the rules (why?).
    Afterwards snort started but ate 80% of my RAM (256 MB on an alix2c2).
    I rebooted the box and got into some kind of crash loop (snort would start up, work for a few seconds, shut down and start again).
    I had to manually stop the service.
    Afterwards I changed the memory consumption method to ac-sparsebands and started the service from the Services tab and it started working properly (memory consumption is about 58-60%, which is what it used to be with the previous version).
    Interestingly enough I don't see any evidence of the crashes in the logs.
    I assume those were crashes because you would see snort starting and reaching the point where it detaches itself from the console and in a few seconds it would start all over again.

    One more thing :
    Contrary to what my signature says I am running 1.2.3RC2 (july 12th snapshot) full version.
    All the other info in signature is correct :)

    What could be the problem?



  • i am now running the following, still only alert messages and no blocking.

    1.2.3-RC2
    built on Tue Jul 14 06:55:51 EDT 2009
    FreeBSD 7.2-RELEASE-p2 i386



  • @matrix200:

    Hey matrix2000

    Here are the rule directories that I use in the snort package.
    Sounds like something going on with your snort.conf.

    #Configure dynamic loaded libraries
    dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
    dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
    dynamicdetection directory /usr/local/lib/snort/dynamicrules/

    Make sure your Performance option is at ac-bnfa or lowmem.

    Make sure you watch how many rules you load, because of the ALIX's low memory specs.

    James



  • @Davc:

    Davc

    Did you do a fresh install or an update?



  • James,

    I use the snapshot update: System>Firmware>autoupdate.

    We have another PFsense box which runs 1.2.2 FreeBSD 7.0-RELEASE-p8 i386 and is working perfectly with the Snort package  :D.

    So, your suggestion is to do a fresh install of 1.2.3-RC2 FreeBSD 7.2-RELEASE-p2 i386.

    Davc



  • @Davc:

    Great to hear snort is working for you on one of your boxes.

    Ya, do a fresh install and tell me how that goes.

    James



  • James, yeah I think you are right.
    It might have been that I had a snort.conf from some other place (not sure, but I could have overwritten the original file with one from a certain rules snapshot).
    Thankfully your latest version has update working so I don't have to do that manually :)
    So far (since the last report) snort is working fine.



  • Ok.. this is the result I had… very frustrated.. I upgraded 1.2.2 to 1.2.3 and the whole pf box crashed. Ok.. it may not be a problem with SNORT.... but it is the update snapshot.

    For 1.2.3 RC1 & RC2 the snort only shows alerts but is unable to block.

    Spent the last 3 days installing / uninstalling the packages... fresh-installed the whole box a few times... then got stuck at extracting rules (which I previously did not have such problems with).. so... I now have 2 very broken PF boxes. :-\

    By the way... 1.2.2 does not have this error on my box: snort2c[42737]: DIOCRADDADDRS - ioctl error - exit

    But it happens in 1.2.3 RC1 & RC2.. It must be something to do with FreeBSD.



  • @Davc:

    I wish I was near your computer systems so I could troubleshoot your problems.

    I am going to remove snort2c and add spoink which is snort2c built into snort binary today.

    James



  • James,

    Truly, thanks for your great support.  ;)

    Today I made another fresh install, downloaded the ISO from the Germany mirror site, and snort is now working properly, both alerting and blocking.

    This is the version I now have installed:
    1.2.3-RC1
    built on Wed Apr 22 15:36:34 EDT 2009
    FreeBSD 7.1-RELEASE-p5 i386

    However, during the restore process I noticed there were fwrite error messages on the screen indicating issues with the Pack_utitles files. Although at the end it did not show the error messages again. Not sure if there is something there for the development team to look at. The error line is somewhere around 6xx.

    By the way, a small suggestion: it would be nice to know the exact version to download, because I think there are version differences between the mirror sites.



  • Fresh install of 1.2.3 RC1 (which is the latest, yes?). I see people using 1.2.3 RC2, but can't find it anywhere.

    Fresh install of snort, and enabling outgoing rules, such as policy.rules / smtp relaying denied.

    This is what comes up in the alert file:
    09/03-11:02:19.771744 [ ** ] [ 1:10001:2 ] POLICY SMTP 550 Relaying denied [ ** ] [ Classification: Misc Attack ] [ Priority: 2 ] {TCP} 194.29.119.17:25 -> 193.183.18.10:55949

    But the dest IP does not pop up in the block list, and yes, "block on alert" is checked.

    But you guys are removing snort2c to replace it with other stuff that hopefully will work better, yes?



  • pfsense 1.2.3 RC1, BSD 7.1. Fresh install.
    snort 2.8.4.1

    ps -aux | grep snort

    root    8579  0.0 14.0 82176 34816  ??  Ss  11:00AM  0:00.65 snort -c /usr/lo
    root    8583  0.0  0.4  3156  992  ??  Is  11:00AM  0:00.00 snort2c -w /var/
    root    9272  0.0  0.1  376  256  p0  R+  11:07AM  0:00.00 grep snort

    cat /usr/local/etc/rc.d/snort.sh

    #!/bin/sh
    # This file was automatically generated
    # by the pfSense service handler.

    rc_start() {

    # Free-memory sample before Snort starts (command substitution restored
    # here; the backticks were lost when the script was pasted)
    BEFORE_MEM=$(top | grep Free | grep Wired | awk '{print $10}')
    /bin/mkdir -p /var/log/snort
    /usr/bin/killall snort2c
    sleep 8
    # Start Snort as a daemon on le1
    snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i le1 -q

    sleep 8
    # Start snort2c watching the alert file and honouring the whitelist
    snort2c -w /var/db/whitelist -a /var/log/snort/alert

    echo "Sleeping before final memory sampling..."
    sleep 17
    AFTER_MEM=$(top | grep Free | grep Wired | awk '{print $10}')

    # TOTAL_USAGE is never set in this script, so the last field is logged empty
    echo "Ram free BEFORE starting Snort: ${BEFORE_MEM} -- Ram free AFTER starting Snort: ${AFTER_MEM} -- Mode ac -- Snort memory usage: ${TOTAL_USAGE}" | logger -p daemon.info -i -t SnortStartup

    }

    rc_stop() {
            /usr/bin/killall snort; killall snort2c
    }

    case $1 in
            start)
                    rc_start
                    ;;
            stop)
                    rc_stop
                    ;;
            restart)
                    rc_stop
                    rc_start
                    ;;
    esac



  • Hi Hostmaster

    I just moved us from snort2c to spoink.

    Spoink is an output plugin built into snort.

    Let me contact the Pfsense core-team so they can rebuild the snort package.

    James



  • @jamesdean:

    James,

    I just saw an update but I didn't see a change at all…

    when I do ps aux | grep snort I get

    snort2c -w /var/db/whitelist -a /var/log/snort/alert

    Did the commit for the new snort pkg go through?

    Thank You!



  • Dont worry about it.

    I removed snort2c and now we're using spoink. Spoink is an output plugin coded into snort.
    The core team of pfsense is building snort again. As soon as they build snort again I will update the code tonight.
    I'm also going to add barnyard2 tonight, crossing fingers.

    Moreover, I'm testing snort-inline and all is going well.

    We will never have to worry about startup issues again.

    James



  • Hello,

    Is this new snort package complete?



  • ;D most of the coding is complete.
    Check tomorrow morning…

    Snort2c is removed. Hopefully we will never have to see start-up issues again.

    Sending the updated binaries to the core-team as we speak.
    Crossing fingers.

    James



  • neat!

    Will this also block destination IP addresses that pop up in the snort alert log?



  • Reviving post

    Will this also block destination IP addresses that pop up in the snort alert log?

    My test of snort-inline does not block destination addresses. When will there be a fix for this?

