Netgate Discussion Forum

SNORT Rules not working

pfSense Packages
9 Posts 7 Posters 8.9k Views
    cobra
    last edited by Oct 5, 2006, 11:51 PM

    I have been playing around with RC3. I got the oinkid from snort.org and downloaded the latest rules.
    I checked the "p2p.rules" option and kicked off Azureus, but I do not see anything logged in the "Snort Alerts" section.
    I even checked all the rules and nothing comes up. I figured that at least something would appear, but nothing happened. Am I doing something wrong?

      hoba
      last edited by Oct 6, 2006, 7:58 AM

      Click on the rule name in the rules list and it will open the rule in the edit window. The p2p rules don't cover bittorrent. It tries to detect gnutella, edonkey, skype, … . I don't think that any of the rules detect bittorrent atm. Google for signatures that cover bittorrent too and add them to your p2p detection rules.

        ragzilla
        last edited by Oct 7, 2006, 2:53 AM

        Bleeding Snort has signatures for detecting bittorrent in their p2p ruleset:

        By Chich Thierry

        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent peer sync"; flow: established; content:"|0000000d0600|"; offset: 0; depth: 6; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000334; rev:7; )
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; offset: 0; depth: 8; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000357; rev:3; )
        alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg: "BLEEDING-EDGE P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000369; rev:4; )

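        The three rules above anchor their hex content to the start of the payload with offset/depth, while the announce rule is qualified by destination port instead. As an added illustration (not part of ragzilla's post, and not Snort code), the Python sketch below re-implements just that content/offset/depth/port matching and runs the three transcribed rules over constructed sample segments (not captured traffic). It also shows why a pattern shifted by one byte falls outside `depth:6` and produces no alert; flow tracking and stream reassembly are deliberately left out.

```python
"""Minimal re-implementation of the content/offset/depth matching used by the
three Bleeding Snort BitTorrent rules quoted in the post. Constructed example,
not Snort code: no flow tracking, no stream reassembly."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes
    offset: int = 0
    depth: Optional[int] = None     # None = search the whole payload
    dst_port: Optional[int] = None  # None = any destination port


# The three rules from the post, transcribed; |hex| content decoded to bytes.
RULES = [
    Rule(2000334, "BLEEDING-EDGE P2P BitTorrent peer sync",
         bytes.fromhex("0000000d0600"), offset=0, depth=6),
    Rule(2000357, "BLEEDING-EDGE P2P BitTorrent Traffic",
         bytes.fromhex("0000400907000000"), offset=0, depth=8),
    Rule(2000369, "BLEEDING-EDGE P2P BitTorrent Announce",
         b"/announce", dst_port=6969),
]


def content_match(payload: bytes, rule: Rule) -> bool:
    """Snort semantics: start searching at `offset`; when `depth` is set, search
    only the next `depth` bytes counted from that offset."""
    window = payload[rule.offset:]
    if rule.depth is not None:
        window = window[:rule.depth]
    return rule.content in window


def match_rules(payload: bytes, dst_port: int, rules=RULES) -> List[int]:
    """Return the sids of every rule whose port and content constraints match."""
    hits = []
    for rule in rules:
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if content_match(payload, rule):
            hits.append(rule.sid)
    return hits


# Constructed sample TCP segments (payload, destination port); not real captures.
SAMPLES: Dict[str, Tuple[bytes, int]] = {
    "peer_sync": (bytes.fromhex("0000000d0600") + b"\x00" * 10, 51413),
    "bt_traffic": (bytes.fromhex("0000400907000000") + b"\x01\x02", 6881),
    "announce": (b"GET /announce?info_hash=CONSTRUCTED HTTP/1.0\r\n"
                 b"Host: tracker.example\r\n\r\n", 6969),
    # Same request string, but not to port 6969: the announce rule does not fire.
    "announce_wrong_port": (b"GET /announce HTTP/1.0\r\n\r\n", 80),
    # Pattern begins one byte late, so depth:6 from offset 0 never covers it.
    "shifted": (b"\x00" + bytes.fromhex("0000000d0600"), 51413),
    "plain_http": (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 80),
}


def run_samples() -> Dict[str, List[int]]:
    """Evaluate every sample against the rule set; used by the demo and the checks."""
    return {name: match_rules(payload, port)
            for name, (payload, port) in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:20s} -> {sids or 'no alert'}")
```

        The shifted sample is the practical point: these rules fire only when the bytes sit exactly at the start of a reassembled segment, which is one reason a client whose traffic looks slightly different (or is already encrypted) produces no alert even with the rules enabled.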
          sullrich
          last edited by Oct 7, 2006, 3:15 AM

          I believe the bleeding items require a custom program that only comes with the rules from snort.org. Not sure if we can compile that and redistribute.

          I'll look into it.

            jzsjr
            last edited by Oct 7, 2006, 6:40 PM

            Does clicking on the snort rule to edit work in Firefox?  All I can do is sort the column.

            thanks,
            Jim

              annv
              last edited by Oct 7, 2006, 10:53 PM

              jzsjr,
              Yes, Firefox 1.5.0.7 works for me.

               But I have noticed that something in the snort 2.6.0.4 PHP has changed for the worse compared to 2.6.0.3. I realize that another column has been added - Snort Blocked_Alert Description, but now a refresh of the page takes about 30 seconds (8 blocked IPs) instead of perhaps 2-3 seconds before. RC3e P3-450 256MB

               In my other FW (RC3e P3-350 256MB), where I normally have about 700-800 blocked IPs, this page is unusable. Worst of all is that if you get impatient and refresh the page before it's done, another instance of php is started and they take 99% CPU indefinitely, as it seems.

               I get the feeling that all of the GUI for snort has slowed down. So, jzsjr, perhaps you've double-clicked a little bit too much?

                hoba
                last edited by Oct 8, 2006, 2:42 AM

                @jzsjr:

                Does clicking on the snort rule to edit work in Firefox?  All I can do is sort the column.

                thanks,
                Jim

                 There was a bug when this didn't work. You have to be on the latest version of RC3 and have the latest version of the package installed.

                  unforeseen
                  last edited by Oct 21, 2006, 3:28 AM

                  @sullrich:

                  I believe the bleeding items requires a custom program that only comes with the rules from snort.org.  Not sure if we can compile that and redistribute.

                  I'll look into it.

                  Any word on this yet?  Just curious as I think it'd be useful to have the option to use either "regular" or "bleeding" rules  :)

                  Thanks

                    sullrich
                    last edited by Oct 24, 2006, 8:04 PM

                    No, sorry, nothing as of yet.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.