Post snort package problems here



  • October 15

    Working on…...

    When selecting multiple interfaces barnyard2 does not start.

    Someone reported that enable disable rules are not being saved.

    James



  • @jamesdean:

    Someone reported that enable disable rules are not being saved.

    Just to clarify, I believe that the rules are initially saved, but does not survive either 1) subsequent clicks of the save button  OR 2) new signature set download. I'm not sure exactly when the enable disable rules get flushed as I only noticed this last night. I'll try to pin point when the rules are discarded when I get home tonight.



  • We are seeing this error:

    Oct 15 16:55:23 snort[25967]: FATAL ERROR: /usr/local/etc/snort/snort.conf(89) *** PortVar Parse error: (pos=1,error=no end of list bracket. Elements must be comma seperated, and no spaces may appear between brackets.) >>[25, >>^[/quote]

    We have removed - then re-installed the pkg and same deal.

    Snort PKG:  2.8.4.1_5 pkg v.1.6
    PFSENSE:  1.2.2  FreeBSD 7.0-RELEASE-p8 i386

    Please advise.



  • Is their a way to auto enable/ all new rules after they are updated, it would save on going and enable them all, also snort is not saving the rules that i enable once i update i have to keep going back and  enable them can you please fix . 6gig ram ac-bnfa with  only 4 rules not enabble snort using 20% it seem a little sluggish  when I only have the Emerging Threats
    rules enable snort seem to trigger more and block more  but when i enable the snort rules it get sluggish. I would also like to see detection of ARP spoofing, brutforcing attempts.

    Thanks



  • I have a free afternoon trying to redo the snort interface so that every interface has its own settings and rules but, you guys
    keep bothering me ;)

    churchmedic

    give me the output of

    cat /usr/local/etc/snort/snort.conf

    ToxIcon

    Let the great perl god enable all your rules.

    /usr/local/bin/perl -pi -e 's/# alert/alert/g' /usr/local/etc/snort/rules/*.rules

    I working on the issues I do have a job you know…........

    I think its do to the new nano code for pfsense nanoBSD in the snort package.

    churchmedic

    Its working for me.

    In the servers tab

    You should be typing info for servers like this;

    192.168.1.3/24,192.168.1.4/24

    Not this

    "192.168.1.3/24,192.168.1.4/24"

    You should be typing info for ports like this;

    25,443,110

    Not this

    "25,443,110"

    James



  • @addp009:

    @jamesdean:

    Someone reported that enable disable rules are not being saved.

    Just to clarify, I believe that the rules are initially saved, but does not survive either 1) subsequent clicks of the save button  OR 2) new signature set download. I'm not sure exactly when the enable disable rules get flushed as I only noticed this last night. I'll try to pin point when the rules are discarded when I get home tonight.

    Hmm, I can't reproduce this today… not really sure why. Ignore what I said for now. :)



  • Just a question.

    If I had snort block, lets say 50 thousand IP numbers or more, would that be a problem for snort or the system?
    Is there a limit? Would it crawl down to a hog after some X number of blocks?

    // BlackWand



  • :) thanks jamesdean your the best



  • James,

    Sorry for not responding the last thread, I have been really busy recently… and it has been successful for me.  8)

    I created a repo and pushed a few fixes:

    Changes were not be kept if one only enabled or disabled rules. Should fix ToxIcon and addp009 problems
        Memory stats displays incorrectly under certain circumstances
        Snort may not restart with 'snort.sh restart' from command line

    I've just sent a merge request.



  • Nestorfish

    Cool I have some help. ;D

    I been really busy to…........

    I'll test your changes and merg them with mine.

    See your PM Netsorfish.

    james



  • jamesdean when i use the command to enable all snort rules all rules is enable but snort service is disable and wont start
    got the error.
    snort[10410]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-policy.rules(1467): Bad rule in rules file
    snort[10410]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-policy.rules(1467): Bad rule in rules file



  • ToxIcon

    Post the rule in "/usr/local/etc/snort/rules/emerging-policy.rules" at line 1467

    james



  • ToxIcon,

    Don't bother with it, it will be corrected soon. You won't have to run any perl script in a few hours.  :)

    Please wait, and maintain your own settings manually for now until the next update… Or disable a natively enabled rule, it should help.

    Nestorfish



  • Nestorfish

    wait a minute.

    I added Nestorfish to be able to commit to my clone of mainline. (done)
    Add your changes to my clone then I'll add then to the main repository.

    I'm realy busy at work these next 3 days.

    ToxIcon post that rule at that line number.
    Might be a bad rule.

    Hostmaster

    50k ant nothing for the great pf.

    james



  • Just installed the latest Snort package on NanoBSD 1.2.3-RC3 built on Sat Oct 17 22:24:29 UTC 2009 (4GB), but the package doesn't seem to remount root filesystem to rw before saving and updating rules. Updating rules gives the following error:

    Warning: mkdir(/root/snort_rules_up): Read-only file system in /usr/local/www/snort_download_rules.php on line 186
    Warning: fopen(/root/snort_rules_up/snortrules-snapshot-2.8.tar.gz.md5): failed to open stream: No such file or directory in /usr/local/www/snort_download_rules.php on line 202
    Warning: fwrite(): supplied argument is not a valid stream resource in /usr/local/www/snort_download_rules.php on line 203
    Warning: fclose(): supplied argument is not a valid stream resource in /usr/local/www/snort_download_rules.php on line 204
    Warning: fopen(/root/snort_rules_up/pfsense_rules.tar.gz.md5): failed to open stream: No such file or directory in /usr/local/www/snort_download_rules.php on line 229
    Warning: fwrite(): supplied argument is not a valid stream resource in /usr/local/www/snort_download_rules.php on line 230
    Warning: fclose(): supplied argument is not a valid stream resource in /usr/local/www/snort_download_rules.php on line 231
    Warning: filesize(): Stat failed for /root/snort_rules_up/snortrules-snapshot-2.8.tar.gz.md5 (errno=2 - No such file or directory) in /usr/local/www/snort_download_rules.php on line 240 
    

    Running 'Save' from the Settings tab gives the following (even with root manually mounted rw, it probably remounts to ro at some point):

    Warning: fopen(/usr/local/etc/snort/threshold.conf): failed to open stream: Read-only file system in /usr/local/pkg/snort.inc on line 999
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort.inc:999) in /usr/local/www/pkg_edit.php on line 35 
    

    Joost



  • @jamesdean:

    I have a free afternoon trying to redo the snort interface so that every interface has its own settings and rules but, you guys
    keep bothering me ;)

    churchmedic

    give me the output of

    cat /usr/local/etc/snort/snort.conf

    not sure why - never got a notice on this thread - came back looking …

    cat /usr/local/etc/snort/snort.conf

    snort configuration file

    generated by the pfSense

    package manager system

    see /usr/local/pkg/snort.inc

    for more information

    snort.conf

    Snort can be found at http://www.snort.org/

    Copyright (C) 2006 Robert Zelaya

    part of pfSense

    All rights reserved.

    Redistribution and use in source and binary forms, with or without

    modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,

    this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright

    notice, this list of conditions and the following disclaimer in the

    documentation and/or other materials provided with the distribution.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,

    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

    POSSIBILITY OF SUCH DAMAGE.

    #########################
                           #

    Define Local Network  #

    #
    #########################

    var HOME_NET [removed]
    var EXTERNAL_NET !$HOME_NET

    ###################
                     #

    Define Servers  #

    #
    ###################

    var DNS_SERVERS [$HOME_NET]
    var SMTP_SERVERS [$HOME_NET]
    var HTTP_SERVERS [$HOME_NET]
    var SQL_SERVERS [$HOME_NET]
    var TELNET_SERVERS [$HOME_NET]
    var SNMP_SERVERS [$HOME_NET]
    var FTP_SERVERS [$HOME_NET]
    var SSH_SERVERS [$HOME_NET]
    var POP_SERVERS [$HOME_NET]
    var IMAP_SERVERS [$HOME_NET]
    var RPC_SERVERS $HOME_NET
    var WWW_SERVERS [$HOME_NET]
    var SIP_PROXY_IP [$HOME_NET]
    var AIM_SERVERS
    [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

    ########################
                          #

    Define Server Ports  #

    #
    ########################

    portvar HTTP_PORTS [80]
    portvar SHELLCODE_PORTS !80
    portvar ORACLE_PORTS [1521]
    portvar AUTH_PORTS [113]
    portvar DNS_PORTS [53]
    portvar FINGER_PORTS [79]
    portvar FTP_PORTS [21]
    portvar IMAP_PORTS [143]
    portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
    portvar MSSQL_PORTS [1433]
    portvar NNTP_PORTS [119]
    portvar POP2_PORTS [109]
    portvar POP3_PORTS [110]
    portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
    portvar RLOGIN_PORTS [513]
    portvar RSH_PORTS [514]
    portvar SMB_PORTS [139,445]
    portvar SMTP_PORTS [25, 587, 465]
    portvar SNMP_PORTS [161]
    portvar SSH_PORTS [8724]
    portvar TELNET_PORTS [23]
    portvar MAIL_PORTS [25,143,465,691]
    portvar SSL_PORTS [25,443,465,636,993,995]
    portvar SIP_PROXY_PORTS [5060:5090,16384:32768]

    DCERPC NCACN-IP-TCP

    portvar DCERPC_NCACN_IP_TCP [139,445]
    portvar DCERPC_NCADG_IP_UDP [138,1024:]
    portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
    portvar DCERPC_NCACN_UDP_LONG [135,1024:]
    portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
    portvar DCERPC_NCACN_TCP [2103,2105,2107]
    portvar DCERPC_BRIGHTSTORE [6503,6504]

    #####################
                       #

    Define Rule Paths

    #
    #####################

    var RULE_PATH /usr/local/etc/snort/rules

    var PREPROC_RULE_PATH ./preproc_rules

    ################################
                                  #

    Configure the snort decoder  #

    #
    ################################

    config checksum_mode: all
    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_ttcp_alerts
    config disable_tcpopt_alerts
    config disable_ipopt_alerts
    config disable_decode_drops

    ###################################
                                     #

    Configure the detection engine  #

    Use lower memory models

    #
    ###################################

    config detection: search-method ac-sparsebands
    config detection: max_queue_events 5
    config event_queue: max_queue 8 log 3 order_events content_length

    #Configure dynamic loaded libraries
    dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
    dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
    dynamicdetection directory /usr/local/lib/snort/dynamicrules/

    ###################
                     #

    Flow and stream

    #
    ###################

    preprocessor frag3_global: max_frags 8192
    preprocessor frag3_engine: policy windows
    preprocessor frag3_engine: policy linux
    preprocessor frag3_engine: policy first
    preprocessor frag3_engine: policy bsd detect_anomalies

    preprocessor stream5_global: max_tcp 8192, track_tcp yes,
    track_udp yes, track_icmp yes
    preprocessor stream5_tcp: bind_to any, policy windows
    preprocessor stream5_tcp: bind_to any, policy linux
    preprocessor stream5_tcp: bind_to any, policy vista
    preprocessor stream5_tcp: bind_to any, policy macos
    preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes
    preprocessor stream5_udp
    preprocessor stream5_icmp

    ##########################
                            #

    NEW                    #

    Performance Statistics

    #
    ##########################

    preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000

    #################
                   #

    HTTP Inspect  #

    #
    #################

    preprocessor http_inspect: global iis_unicode_map unicode.map 1252

    preprocessor http_inspect_server: server default
                           ports  { 80 8080 }  
                           no_alerts
                           non_strict
                           non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  
                           flow_depth 0  
                           apache_whitespace yes
                           directory no
                           iis_backslash no
                           u_encode yes
                           ascii yes
                           chunk_length 500000
                           bare_byte yes
                           double_decode yes
                           iis_unicode yes
                           iis_delimiter yes
                           multi_slash no

    ##################
                    #

    Other preprocs

    #
    ##################

    preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    preprocessor bo

    #####################
                       #

    ftp preprocessor  #

    #
    #####################

    preprocessor ftp_telnet: global
    inspection_type stateless

    preprocessor ftp_telnet_protocol: telnet
      normalize
      ayt_attack_thresh 200

    preprocessor ftp_telnet_protocol:
       ftp server default
       def_max_param_len 100
       ports { 21 }
       ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE }
       ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD }
       ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP }
       ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC }
       ftp_cmds { FEAT CEL CMD MACB }
       ftp_cmds { MDTM REST SIZE MLST MLSD }
       ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT }
       alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP }
       alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT }
       alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP }
       alt_max_param_len 256 { RNTO CWD }
       alt_max_param_len 400 { PORT }
       alt_max_param_len 512 { SIZE }
       chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE }
       chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD }
       chk_str_fmt { LIST NLST SITE SYST STAT HELP }
       chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC }
       chk_str_fmt { FEAT CEL CMD }
       chk_str_fmt { MDTM REST SIZE MLST MLSD }
       chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT }
       cmd_validity MODE < char ASBCZ >
       cmd_validity STRU < char FRP >
       cmd_validity ALLO < int [ char R int ] >
       cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
       cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >
       cmd_validity PORT < host_port >

    preprocessor ftp_telnet_protocol: ftp client default
      max_resp_len 256
      bounce yes
      telnet_cmds yes

    #####################
                       #

    SMTP preprocessor

    #
    #####################

    preprocessor SMTP:
       ports { 25 465 691 }
       inspection_type stateful
       normalize cmds
       valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING
    CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR }
       normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN
    PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR }
       max_header_line_len 1000
       max_response_line_len 512
       alt_max_command_line_len 260 { MAIL }
       alt_max_command_line_len 300 { RCPT }
       alt_max_command_line_len 500 { HELP HELO ETRN EHLO }
       alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET }
       alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX }
       alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR }
       alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR }
       xlink2state { enable }

    ################
                  #

    sf Portscan  #

    #
    ################

    preprocessor sfportscan: scan_type { all }
                            proto  { all }
                            memcap { 10000000 }
                            sense_level { medium }
                            ignore_scanners { $HOME_NET }

    ############################
                              #

    OLD                      #

    preprocessor dcerpc: \

    autodetect \          #

    max_frag_size 3000 \  #

    memcap 100000

    #
    ############################

    ###############
                 #

    NEW

    DCE/RPC 2

    #
    ###############

    preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
    preprocessor dcerpc2_server: default, policy WinXP,
       detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593],
       autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:],
       smb_max_chain 3

    ####################
                      #

    DNS preprocessor

    #
    ####################

    preprocessor dns:
       ports { 53 }
       enable_rdata_overflow

    ##############################
                                #

    NEW                        #

    Ignore SSL and Encryption  #

    #
    ##############################

    preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted

    #####################
                       #

    Snort Output Logs

    #
    #####################

    output alert_full: alert

    #################
                   #

    Misc Includes

    #
    #################

    include /usr/local/etc/snort/reference.config
    include /usr/local/etc/snort/classification.config
    include /usr/local/etc/snort/threshold.conf

    Snort user pass through configuration

    ###################
                     #

    Rules Selection

    #
    ###################

    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/backdoor.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/bad-traffic.so.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/exploit.so.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/p2p.rules
    include $RULE_PATH/porn.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/shellcode.rules
    include $RULE_PATH/specific-threats.rules
    include $RULE_PATH/spyware-put.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/sql.so.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/virus.rules
    include $RULE_PATH/voip.rules
    include $RULE_PATH/web-attacks.rules
    include $RULE_PATH/web-coldfusion.rules



  • churchmedic

    Your snort.conf is being built wrong.

    portvar SMTP_PORTS [25, 587, 465]

    The above line should have no spaces like the error says. Your custom SMTP ports should be changed to look like this.

    25,587,465

    James



  • Perfect for the last fix - thats awesome.
    I am however also getting issues when trying to see the blocked ip's

    Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 74957108 bytes) in /usr/local/pkg/snort.inc on line 1488

    This package is awesome compared to where it was :-)  awesome stuff !



  • I'm having an issue with snort on both my pfSense boxes and I'm not sure how to resolve it or if it's an issue with the current build. I'm running 1.2.3-rc3 with the latest build of snort.

    I can not access the blocked address page and I seem to be having an issue with snort blocking internal traffic out as well as traffic in that should not be blocked. Road warriors are getting blocked when trying to access PPTP, FTP users are getting blocked and the internal mail server seems to be having it's DNS requests blocked. I've tried disabling rules that didn't apply to our setup, but it doesn't seem to be helping.

    I'm not sure where to go from here, but if anyone needs any info that might be useful please let me know and I'll post. Thanks for any help anyone can give.



  • netmethods

    Are you using snorts white list to protect ips you do not want to block ?

    James



  • yes, but it seems to be blocking IP's that should not be being blocked. For example, getting random emails from outside people or my internal mail server being blocked from sending out. Snort is set to listen to the WAN interface.



  • @netmethods:

    yes, but it seems to be blocking IP's that should not be being blocked. For example, getting random emails from outside people or my internal mail server being blocked from sending out. Snort is set to listen to the WAN interface.

    netmethods

    Can you see if the file /var/db/whitelist has all the ips you want to protect.

    James



  • If I add an IP to the whitelist, it will work. The problem is that one site has 150 employee's and the other has 60 or so, so they are emailing to all types of companies all over the world. It would be impossible to know all the IP's without having them be blocked first. Shouldn't snort only block IP's that are actually violating a rule?



  • Ahh got it, post the Alert in full that is giving you the problem.

    We will use thresholding to solve your problem.

    Heres an example http://forum.pfsense.org/index.php/topic,20137.0.html.

    James



  • I'm not sure what rules are being triggered, I'll have to install it and see what I can do to get something to show up in the logs. I've tried disabling the rules that didn't apply to our setup, but haven't had any luck with that so far. This will probably have to wait until the weekend, as I can't afford any additional downtime and I don't have a way to replicate this in a test environment.

    Thanks for the help with this.



  • Hi,

    On my pfsense system snort fails to start after an automatic rules update. However it will start correctly after a manual rules update from web conf. Any suggestions? Something to do with the crontab entry?

    syslog:

    
    Nov 16 18:05:48 	SnortStartup[20730]: Ram free BEFORE starting Snort: 738M -- Ram free AFTER starting Snort: 738M -- Mode ac-bnfa -- Snort memory usage:
    Nov 16 18:03:06 	snort[49800]: Snort exiting
    Nov 16 18:03:06 	snort[49800]: Snort exiting
    
    

    snort_update.log:

    
    #########################Monday 16th of November 2009 06:03:01 PM#########################Downloading md5 file...
    Done. downloading md5
    Downloading md5 file...
    Done. downloading md5
    Downloading pfsense md5 file...
    Done. downloading md5
    Your rules are up to date...
    You may start Snort now, check update.
    You are NOT up to date...
    Stopping Snort service...
    There is a new set of Emergingthreats rules posted. Downloading...
    May take 4 to 10 min...
    Done downloading Emergingthreats rules file.
    Extracting rules...
    May take a while...
    Copying md5 sig to snort directory...
    Updating Alert Messages...
    Please Wait...
    Your first set of rules are being copied...
    May take a while...
    Cleaning up...
    The Rules update finished...
    Snort has restarted with your new set of rules...
    
    

    Edit:
    The restart script works perfectly, when running as root from shell. If I try to run it as a cronjob, it seems that "start_service("snort")" function doesn't work correctly with cron.

    Edit2:
    Ok, found the problem and fixed it by myself. "snort.inc" should have full paths to snort and barnyard2 binaries in $start variable.

    Before:

    
    $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n";
    $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n";
    
    

    After:

    
    $start .= "/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n";
    $start .= "\nsleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n";
    
    

    You can find those on lines 149 and 153 in "snort.inc".



  • Updated the snort package so full paths to binaries are in snort.inc.

    James



  • Hmm I also have restart issues (after wan ip change).
    The packages still shows 1.7 (the previous memleak update).
    How can I be sure this is the right one?
    Or should I wait a little longer for the update to appear?

    Ok please ignore my message I checked snort.inc and it is apparently fixed there :)


Log in to reply