The Snort package will be under heavy development this Labor Day weekend.



  • Make sure you deinstall snort before installing snort-dev.

    Hostmaster

    Update your rules before starting the snort-dev package. If you did update the rules you may need a reboot.

    Blocking both source and destination will be added later. I have to add an option that disables whitelisting of home networks, and I have
    to add custom C++ code. It's on my list of things to do; please be patient.

    keeper

    Update your rules and do a reboot.

    Roodawakening

    Barnyard2 is already installed.

    Barnyard only supports logging to MySQL, but I will add logging to

    odbc
    postgresql
    mssql
    oracle

    Common Event Format (CEF)
    prelude: log to the Prelude Hybrid IDS system
    sguil

    Should be very easy.

    Make sure these are enabled in the Advanced tab.

    Enable Barnyard2.
    Barnyard2 Log Mysql Database.
    Log Alerts to a snort unified file.
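    The three switches above wire up a spool-file pipeline: Snort writes alerts to a unified2 file, and Barnyard2 tails that file and inserts the events into MySQL; Snort itself never talks to the database. The fragment below is an added example of the plain-config equivalent of those GUI settings, not the package's generated configuration. The spool directory /var/log/snort, the sensor hostname and interface, the database name and the credentials are assumptions; the /usr/local/etc/snort path is the one that appears in the logs in this thread.

```conf
# snort.conf: the "Log Alerts to a snort unified file" switch.
# Snort appends alerts plus packet data to /var/log/snort/snort.u2.<timestamp>
# and rolls to a new file every 128 MB. Nothing here touches MySQL.
output unified2: filename snort.u2, limit 128

# barnyard2.conf: the "Enable Barnyard2" and "Log MySQL Database" switches.
# Barnyard2 needs the same maps Snort uses to turn gid:sid into text; if
# sid-msg.map is older than the rule set, events for new rules are stored
# without a message string, which is why the map has to track rule updates.
config reference_file:      /usr/local/etc/snort/reference.config
config classification_file: /usr/local/etc/snort/classification.config
config gen_file:            /usr/local/etc/snort/gen-msg.map
config sid_file:            /usr/local/etc/snort/sid-msg.map
config hostname:            pfsense        # assumed sensor name
config interface:           em0            # assumed sniffing interface

input unified2

# Database credentials are assumptions. The account only needs INSERT and
# SELECT on the snort schema; do not reuse the MySQL root account here.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Run Barnyard2 against the spool directory with a waldo (bookmark) file so
# that a restart or reboot resumes after the last event already inserted
# instead of re-reading the whole spool:
#   barnyard2 -c /usr/local/etc/snort/barnyard2.conf -d /var/log/snort \
#             -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
```

    With this layout a MySQL outage never stalls Snort: alerts keep accumulating in the unified2 spool, and Barnyard2 catches up from the waldo position once the database is back. The other output targets listed above (ODBC, PostgreSQL, MSSQL, Oracle, CEF, Prelude, sguil) would replace only the `output database:` line.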



  • I appreciate your efforts. We all do, I'm sure.



  • NP, doing what I can when I have free time.

    James



  • Thanks, sir, for the hard work  :) :)

    More power to your team.



  • I have been asked by the pfSense core team not to touch the snort package and to make a separate package called Snort-dev
    until we are sure my changes have not broken the package.

    De-install the snort package and install the snort-dev package if you want to see my changes.

    Changes.

    Replace Snort2c with spoink (done)…

    Replace Snort's MySQL output with barnyard2 (done)…

    Add GUI changes for spoink and barnyard2 (done)…

    Add oinkmaster perl files. (done)…

    Fix the double start-up issues during boot-up. (done)…

    Add autogen of sid-msg.map. (work started…..)

    Add auto block time adjustments. (work started....)

    Add auto rule updates. (work not started)

    Add tracking of rule file changes after rule upgrades. (work started....) (High priority for me)

    Add AJAX to the Snort GUI to improve performance and add more sub-menus.

    James



  • Nice. Installing snort-dev now.



  • Not sure if it's supposed to error on this, but here is my system log output:
    I think these go away after a rules update. [update] - Yes, they do vanish after a snort rule update.
    And the double / in the path is cute :P

    pfsense 1.2.3 RC1
    snort-dev

    Sep 8 15:01:29 SnortStartup[44697]: Ram free BEFORE starting Snort: 34M – Ram free AFTER starting Snort: 34M -- Mode ac -- Snort memory usage:
    Sep 8 15:01:12 snort[44676]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.
    Sep 8 15:01:12 snort[44676]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.
    Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
    Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so…
    Sep 8 15:01:12 snort[44676]: Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/…
    Sep 8 15:01:12 snort[44676]: Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/…
    Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/
    Sep 8 15:01:12 snort[44676]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so…
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: done
    Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-misc.so…
    Sep 8 15:01:12 snort[44676]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-misc.so…
    Sep 8 15:01:12 snort[44676]: done



  • Outgoing data rules test:

    Used rule: policy.smtp_relay. Matches "relaying denied" RESPONSE data, and the receiver (remote) should be blocked.

    Log:
    09/08-15:08:55.559440 [ ** ] [ 1:10001:2 ] POLICY SMTP 550 Relaying denied [ ** ] [ Classification: Misc Attack ] [ Priority: 2 ] {TCP} 194.29.119.17:25 -> 193.183.18.10:7809

    Nothing pops up in the BLOCK tab though. So it is still only checking the source IP, instead of both.

    Services: Snort 2.8.4.1_1 pkg v. 1.6 Beta
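    The script below is an added example, not code from the snort or snort-dev package. It parses the alert line quoted in the post and shows the difference between the source-only blocking the post observed and the source-plus-destination blocking the package author says is still to be added, with the home-network whitelist applied in both cases. Assumptions: the post frames the 550 response as outgoing data, so the responding server's network 194.29.119.0/24 is treated as the home net; the second sample line is constructed, with a hypothetical local rule sid 1000001; the parser handles IPv4 only. The regex accepts the spaced brackets as they appear in the post as well as Snort's native `[**] [1:10001:2]` form.

```python
"""Which address should a Snort alert block? Added example, not package code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Snort "fast" alert format, IPv4 only. Whitespace inside the brackets is
# optional so the line as pasted in the post ("[ ** ] [ 1:10001:2 ]") parses
# the same as Snort's native "[**] [1:10001:2]".
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\s*\*\*\s*\]\s+"
    r"\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s+"
    r"(?P<msg>.*?)\s+\[\s*\*\*\s*\]\s+"
    r"(?:\[\s*Classification:\s*(?P<cls>[^\]]*?)\s*\]\s+)?"
    r"\[\s*Priority:\s*(?P<pri>\d+)\s*\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    rf"(?P<src>{_IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{_IPV4})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]


def parse_fast_alert(line: str) -> Alert:
    """Parse one line of Snort's fast alert output; raises on anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Snort fast alert: {line!r}")

    def port(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None else None

    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"],
        src=ipaddress.IPv4Address(m["src"]), sport=port(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]), dport=port(m["dport"]),
    )


def in_home_net(addr: ipaddress.IPv4Address,
                home_nets: Iterable[ipaddress.IPv4Network]) -> bool:
    return any(addr in net for net in home_nets)


def block_candidates(alert: Alert,
                     home_nets: Iterable[ipaddress.IPv4Network],
                     mode: str = "src",
                     whitelist_home: bool = True) -> Set[str]:
    """Addresses (as strings) the blocker should act on for one alert.

    mode="src"  considers only the packet's source, which is what the post
                observed; mode="both" also considers the destination, which
                the package author said was still to be added.
    whitelist_home=True drops anything inside a home network, so a local
    host is never blocked for a response it sent or received.
    """
    nets = list(home_nets)
    if mode == "src":
        picked = {alert.src}
    elif mode == "both":
        picked = {alert.src, alert.dst}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if whitelist_home:
        picked = {a for a in picked if not in_home_net(a, nets)}
    return {str(a) for a in picked}


# The alert from the post, brackets spaced as they appear there.
POST_ALERT = (
    "09/08-15:08:55.559440 [ ** ] [ 1:10001:2 ] POLICY SMTP 550 Relaying denied "
    "[ ** ] [ Classification: Misc Attack ] [ Priority: 2 ] {TCP} "
    "194.29.119.17:25 -> 193.183.18.10:7809"
)
# Constructed inbound alert (not from the post) with a hypothetical local
# rule sid 1000001, where the remote host is the packet source.
INBOUND_ALERT = (
    "09/08-15:09:01.000000 [**] [1:1000001:1] LOCAL SMTP relay attempt "
    "[**] [Classification: Misc Attack] [Priority: 2] {TCP} "
    "193.183.18.10:7809 -> 194.29.119.17:25"
)
# Assumed home network for the scenario: the post treats the 550 response as
# outgoing data, so the responding server's /24 is taken to be local.
HOME_NETS = [ipaddress.IPv4Network("194.29.119.0/24")]


if __name__ == "__main__":
    for line in (POST_ALERT, INBOUND_ALERT):
        a = parse_fast_alert(line)
        print(f"{a.gid}:{a.sid}:{a.rev} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
        for mode in ("src", "both"):
            print(f"  mode={mode:<4} block={sorted(block_candidates(a, HOME_NETS, mode))}")
```

    For the post's line, mode "src" yields nothing to block, because the only address considered (the responding server) is whitelisted as home, which matches the empty BLOCK tab; mode "both" yields 193.183.18.10, the host that was refused relaying. Whatever mode is used, the whitelist is what keeps a local server from blocking itself when a rule matches on its own response traffic, so "both" should never be enabled with the whitelist turned off on a sensor that sees its own servers' replies.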



  • I also have an error from Snort-dev.

    Here are the system logs:

    Sep 8 21:16:35 SnortStartup[4782]: Ram free BEFORE starting Snort: 56M – Ram free AFTER starting Snort: 56M -- Mode ac-sparsebands -- Snort memory usage:
    Sep 8 21:16:17 snort[4758]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules
    Sep 8 21:16:17 snort[4758]: FATAL ERROR: Unable to open rules file: ../rules/local.rules or /usr/local/etc/snort/../rules/local.rules
    Sep 8 21:16:17 snort[4758]: alert_multiple_requests: ACTIVE
    Sep 8 21:16:17 snort[4758]: alert_multiple_requests: ACTIVE
    Sep 8 21:16:17 snort[4758]: alert_incomplete: ACTIVE
    Sep 8 21:16:17 snort[4758]: alert_incomplete: ACTIVE
    Sep 8 21:16:17 snort[4758]: alert_large_fragments: ACTIVE
    Sep 8 21:16:17 snort[4758]: alert_large_fragments: ACTIVE
    Sep 8 21:16:17 snort[4758]: alert_fragments: INACTIVE
    Sep 8 21:16:17 snort[4758]: alert_fragments: INACTIVE
    Sep 8 21:16:17 snort[4758]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    Sep 8 21:16:17 snort[4758]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    Sep 8 21:16:17 snort[4758]: rpc_decode arguments:
    Sep 8 21:16:17 snort[4758]: rpc_decode arguments:
    Sep 8 21:16:17 snort[4758]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    Sep 8 21:16:17 snort[4758]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    Sep 8 21:16:17 snort[4758]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
    Sep 8 21:16:17 snort[4758]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
    Sep 8 21:16:17 snort[4758]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    Sep 8 21:16:17 snort[4758]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    Sep 8 21:16:17 snort[4758]: IIS Delimiter: YES alert: NO
    Sep 8 21:16:17 snort[4758]: IIS Delimiter: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Apache WhiteSpace: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Apache WhiteSpace: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Web Root Traversal: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Web Root Traversal: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Directory Traversal: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Directory Traversal: YES alert: NO
    Sep 8 21:16:17 snort[4758]: IIS Backslash: YES alert: NO
    Sep 8 21:16:17 snort[4758]: IIS Backslash: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Multiple Slash: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Multiple Slash: YES alert: NO
    Sep 8 21:16:17 snort[4758]: IIS Unicode: YES alert: NO
    Sep 8 21:16:17 snort[4758]: IIS Unicode: YES alert: NO
    Sep 8 21:16:17 snort[4758]: UTF 8: YES alert: NO
    Sep 8 21:16:17 snort[4758]: UTF 8: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Base36: OFF
    Sep 8 21:16:17 snort[4758]: Base36: OFF
    Sep 8 21:16:17 snort[4758]: Bare Byte: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Bare Byte: YES alert: NO
    Sep 8 21:16:17 snort[4758]: %U Encoding: YES alert: YES
    Sep 8 21:16:17 snort[4758]: %U Encoding: YES alert: YES
    Sep 8 21:16:17 snort[4758]: Double Decoding: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Double Decoding: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Ascii: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Ascii: YES alert: NO
    Sep 8 21:16:17 snort[4758]: Normalize HTTP Cookies: NO
    Sep 8 21:16:17 snort[4758]: Normalize HTTP Cookies: NO
    Sep 8 21:16:17 snort[4758]: Normalize HTTP Headers: NO



  • Thanks, James, for working on this.

    Now another question: If we enable Barnyard2, do we have to manually download Barnyard2 or is there a package already available for pfSense? I went to http://www.securixlive.com/barnyard2/docs/manual.php to read up on how Barnyard2 works but I'm going to have to experiment with it and don't know where to start.

