Snort Now Auto Updates !!!



  • ;D ;D I tryed to update snort about 10 minutes ago and the auto update worked so now it is working fine .



  • yes, I also now can update the snort rules. however, it still won't do any blocking. :-[



  • I have a list of blocked IPs. Do you and it still does not work?



  • @Davc:

    yes, I also now can update the snort rules. however, it still won't do any blocking. :-[
    [/quote]
    Yes mine does seem to be blocking ip's !!!!



  • @g4m3c4ck:

    I have a list of blocked IPs. Do you and it still does not work?

    Yes mine seems to be blocking ip's .There is an error at bootup but it goes by to fast to read .



  • That is a strange issues on my Pfsense box. In the Index page "DashBox" , it show Snort Packages installation: Services: Snort 2.8.4.1_5 pkg v. 1.7.

    However, when i click to the Snort Interface page, it title: Services: Snort 2.8.4.1_5 pkg v. 1.6

    I have download the Pfsense Configuration file and check it is marked as Snort 2.8.4.1_5 pkg v. 1.7

    Tried re-install and remove the package and install again. Same issues, I cannot block any ip or get any alert display in the interface.

    Any suggestion or way to tell which version I am now running, thanks.



  • @Davc:

    That is a strange issues on my Pfsense box. In the Index page "DashBox" , it show Snort Packages installation: Services: Snort 2.8.4.1_5 pkg v. 1.7.

    However, when i click to the Snort Interface page, it title: Services: Snort 2.8.4.1_5 pkg v. 1.6

    I have download the Pfsense Configuration file and check it is marked as Snort 2.8.4.1_5 pkg v. 1.7

    Tried re-install and remove the package and install again. Same issues, I cannot block any ip or get any alert display in the interface.

    Any suggestion or way to tell which version I am now running, thanks.

    I have the same thing !!Services: Snort 2.8.4.1_5 pkg v. 1.6 it did say at one piont Services: Snort 2.8.4.1_5 pkg v. 1.7 a while ago .



  • Dont worry about the version number its prob a typo.

    James

    @cdx304:

    @Davc:

    That is a strange issues on my Pfsense box. In the Index page "DashBox" , it show Snort Packages installation: Services: Snort 2.8.4.1_5 pkg v. 1.7.

    However, when i click to the Snort Interface page, it title: Services: Snort 2.8.4.1_5 pkg v. 1.6

    I have download the Pfsense Configuration file and check it is marked as Snort 2.8.4.1_5 pkg v. 1.7

    Tried re-install and remove the package and install again. Same issues, I cannot block any ip or get any alert display in the interface.

    Any suggestion or way to tell which version I am now running, thanks.

    I have the same thing !!Services: Snort 2.8.4.1_5 pkg v. 1.6 it did say at one piont Services: Snort 2.8.4.1_5 pkg v. 1.7 a while ago .



  • Dear James,

    It is so nice to hear from you again in the forum.  :D

    My Snort packages did not get any alert messages nor there are any blocked ip. I have tried reinstall and install again without success.

    I have now subscribed the "Snort.org subscriber" which now able me to update without the need to wait for 15 minutes. But still no use to the tackle the faulty problems of the snort sensor.

    Regards,

    Davec



  • Got the Snort running and blocking now…yeah.  :D

    There seems to be issues on the filter keyword rules in "SQL.rules" & "smtp.rules".  :-[



  • Thanks for the nice words Davc

    A new Developer named Thompsa made major changes to the snort repos including binaries these past few weeks, so I will get back to you in a lil bit.

    Im not saying its his fault just that I have to go through and see what he has done.

    James



  • WB Jamesdean :)

    I have problem with last snort v. today with this error and stop working (also problem with emergenc). Will you be so nice to check, please :)

    kernel: em1: promiscuous mode disabled
    Mar 8 22:01:02 kernel: pid 1721 (snort), uid 1003: exited on signal 11
    Mar 8 22:00:42 snort[1721]: Not Using PCAP_FRAMES
    Mar 8 22:00:42 snort[1721]: Not Using PCAP_FRAMES
    Mar 8 22:00:42 snort[1721]: Snort initialization completed successfully (pid=1721)
    Mar 8 22:00:42 snort[1721]: Snort initialization completed successfully (pid=1721)
    Mar 8 22:00:42 snort[1721]: –== Initialization Complete ==--
    Mar 8 22:00:42 snort[1721]: –== Initialization Complete ==--
    Mar 8 22:00:42 snort[1721]:
    Mar 8 22:00:42 snort[1721]:
    Mar 8 22:00:42 snort[1721]: +–-----------------------------------------------
    Mar 8 22:00:42 snort[1721]: +–-----------------------------------------------
    Mar 8 22:00:42 snort[1721]: | Transitions : 28.86M
    Mar 8 22:00:42 snort[1721]: | Transitions : 28.86M
    Mar 8 22:00:42 snort[1721]: | Match Lists : 32.38M
    Mar 8 22:00:42 snort[1721]: | Match Lists : 32.38M
    Mar 8 22:00:42 snort[1721]: | Patterns : 11.29M
    Mar 8 22:00:42 snort[1721]: | Patterns : 11.29M
    Mar 8 22:00:42 snort[1721]: | Memory : 72.74Mbytes
    Mar 8 22:00:42 snort[1721]: | Memory : 72.74Mbytes
    Mar 8 22:00:42 snort[1721]: | Num Match States : 537666
    Mar 8 22:00:42 snort[1721]: | Num Match States : 537666
    Mar 8 22:00:42 snort[1721]: | Num States : 2464276
    Mar 8 22:00:42 snort[1721]: | Num States : 2464276
    Mar 8 22:00:42 snort[1721]: | Pattern Chars : 3648965
    Mar 8 22:00:42 snort[1721]: | Pattern Chars : 3648965
    Mar 8 22:00:42 snort[1721]: | Patterns : 341433
    Mar 8 22:00:42 snort[1721]: | Patterns : 341433
    Mar 8 22:00:42 snort[1721]: | Instances : 882
    Mar 8 22:00:42 snort[1721]: | Instances : 882
    Mar 8 22:00:42 snort[1721]: +-[AC-BNFA Search Info Summary]–----------------------------
    Mar 8 22:00:42 snort[1721]: +-[AC-BNFA Search Info Summary]–----------------------------
    Mar 8 22:00:42 snort[1721]: [ Port Based Pattern Matching Memory ]
    Mar 8 22:00:42 snort[1721]: [ Port Based Pattern Matching Memory ]
    Mar 8 22:00:42 snort[1721]:
    Mar 8 22:00:42 snort[1721]:
    Mar 8 22:00:24 snort[1721]: Decoding Ethernet on interface em1
    Mar 8 22:00:24 snort[1721]: Decoding Ethernet on interface em1
    Mar 8 22:00:24 snort[1721]: Writing PID "1721" to file "/var/run//snort_em10em1.pid"
    Mar 8 22:00:24 snort[1721]: Writing PID "1721" to file "/var/run//snort_em10em1.pid"
    Mar 8 22:00:24 snort[1721]: PID path stat checked out ok, PID path set to /var/run/
    Mar 8 22:00:24 snort[1721]: PID path stat checked out ok, PID path set to /var/run/
    Mar 8 22:00:24 snort[1721]: Checking PID path…
    Mar 8 22:00:24 snort[1721]: Checking PID path…
    Mar 8 22:00:24 kernel: em1: promiscuous mode enabled
    Mar 8 22:00:24 snort[1721]: Daemon initialized, signaled parent pid: 971
    Mar 8 22:00:24 snort[1721]: Daemon initialized, signaled parent pid: 971
    Mar 8 22:00:24 snort[971]: Daemon parent exiting
    Mar 8 22:00:24 snort[971]: Daemon parent exiting
    Mar 8 22:00:24 snort[971]: Initializing daemon mode

    and with borken rules:

    Mar 8 22:05:21 snort[3194]: Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
    Mar 8 22:05:21 snort[3194]: Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
    Mar 8 22:05:21 snort[3194]: Initializing rule chains…
    Mar 8 22:05:21 snort[3194]: Initializing rule chains…
    Mar 8 22:05:21 snort[3194]: +++++++++++++++++++++++++++++++++++++++++++++++++++
    Mar 8 22:05:21 snort[3194]: +++++++++++++++++++++++++++++++++++++++++++++++++++
    Mar 8 22:05:21 snort[3194]:
    Mar 8 22:05:21 snort[3194]:
    Mar 8 22:05:21 snort[3194]: Server side data is trusted
    Mar 8 22:05:21 snort[3194]: Server side data is trusted
    Mar 8 22:05:21 snort[3194]:
    Mar 8 22:05:21 snort[3194]:
    Mar 8 22:05:21 snort[3194]: 990 992 993 994 995
    Mar 8 22:05:21 snort[3194]: 990 992 993 994 995
    Mar 8 22:05:21 snort[3194]: 443 465 563 636 989
    Mar 8 22:05:21 snort[3194]: 443 465 563 636 989
    Mar 8 22:05:21 snort[3194]: Ports:
    Mar 8 22:05:21 snort[3194]: Ports:
    Mar 8 22:05:21 snort[3194]: Encrypted packets: not inspected
    Mar 8 22:05:21 snort[3194]: Encrypted packets: not inspected
    Mar 8 22:05:21 snort[3194]: SSLPP config:
    Mar 8 22:05:21 snort[3194]: SSLPP config:
    Mar 8 22:05:21 snort[3194]:
    Mar 8 22:05:21 snort[3194]:
    Mar 8 22:05:21 snort[3194]: 53
    Mar 8 22:05:21 snort[3194]: 53
    Mar 8 22:05:21 snort[3194]: Ports:
    Mar 8 22:05:21 snort[3194]: Ports:
    Mar 8 22:05:21 snort[3194]: Experimental DNS RR Types Alert: INACTIVE
    Mar 8 22:05:21 snort[3194]: Experimental DNS RR Types Alert: INACTIVE
    Mar 8 22:05:21 snort[3194]: Obsolete DNS RR Types Alert: INACTIVE
    Mar 8 22:05:21 snort[3194]: Obsolete DNS RR Types Alert: INACTIVE
    Mar 8 22:05:21 snort[3194]: DNS Client rdata txt Overflow Alert: ACTIVE
    Mar 8 22:05:21 snort[3194]: DNS Client rdata txt Overflow Alert: ACTIVE
    Mar 8 22:05:21 snort[3194]: DNS config:
    Mar 8 22:05:21 snort[3194]: DNS config:
    Mar 8 22:05:21 snort[3194]: Maximum SMB command chaining: 3 commands
    Mar 8 22:05:21 snort[3194]: Maximum SMB command chaining: 3 commands
    Mar 8 22:05:21 snort[3194]: RPC over HTTP proxy: None
    Mar 8 22:05:21 snort[3194]: RPC over HTTP proxy: None
    Mar 8 22:05:21 snort[3194]: RPC over HTTP server: 1025-65535
    Mar 8 22:05:21 snort[3194]: RPC over HTTP server: 1025-65535
    Mar 8 22:05:21 snort[3194]: UDP: 1025-65535
    Mar 8 22:05:21 snort[3194]: UDP: 1025-65535
    Mar 8 22:05:21 snort[3194]: TCP: 1025-65535
    Mar 8 22:05:21 snort[3194]: TCP: 1025-65535
    Mar 8 22:05:21 snort[3194]: SMB: None
    Mar 8 22:05:21 snort[3194]: SMB: None
    Mar 8 22:05:21 snort[3194]: Autodetect ports
    Mar 8 22:05:21 snort[3194]: Autodetect ports

    Mar 8 22:08:30 kernel: em1: promiscuous mode disabled
    Mar 8 22:08:30 kernel: pid 3609 (snort), uid 1003: exited on signal 11
    Mar 8 22:08:30 snort[3609]: Not Using PCAP_FRAMES
    Mar 8 22:08:30 snort[3609]: Not Using PCAP_FRAMES
    Mar 8 22:08:30 snort[3609]: Snort initialization completed successfully (pid=3609)
    Mar 8 22:08:30 snort[3609]: Snort initialization completed successfully (pid=3609)
    Mar 8 22:08:30 snort[3609]: –== Initialization Complete ==--
    Mar 8 22:08:30 snort[3609]: –== Initialization Complete ==--
    Mar 8 22:08:30 snort[3609]:
    Mar 8 22:08:30 snort[3609]:
    Mar 8 22:08:30 snort[3609]: +–-----------------------------------------------
    Mar 8 22:08:30 snort[3609]: +–-----------------------------------------------
    Mar 8 22:08:30 snort[3609]: | Transitions : 31.68M
    Mar 8 22:08:30 snort[3609]: | Transitions : 31.68M
    Mar 8 22:08:30 snort[3609]: | Match Lists : 34.18M
    Mar 8 22:08:30 snort[3609]: | Match Lists : 34.18M
    Mar 8 22:08:30 snort[3609]: | Patterns : 12.35M
    Mar 8 22:08:30 snort[3609]: | Patterns : 12.35M
    Mar 8 22:08:30 snort[3609]: | Memory : 78.41Mbytes
    Mar 8 22:08:30 snort[3609]: | Memory : 78.41Mbytes
    Mar 8 22:08:30 snort[3609]: | Num Match States : 575415
    Mar 8 22:08:30 snort[3609]: | Num Match States : 575415
    Mar 8 22:08:30 snort[3609]: | Num States : 2712025
    Mar 8 22:08:30 snort[3609]: | Num States : 2712025
    Mar 8 22:08:30 snort[3609]: | Pattern Chars : 4060599
    Mar 8 22:08:30 snort[3609]: | Pattern Chars : 4060599
    Mar 8 22:08:30 snort[3609]: | Patterns : 370435
    Mar 8 22:08:30 snort[3609]: | Patterns : 370435
    Mar 8 22:08:30 snort[3609]: | Instances : 881
    Mar 8 22:08:30 snort[3609]: | Instances : 881
    Mar 8 22:08:30 snort[3609]: +-[AC-BNFA Search Info Summary]–----------------------------
    Mar 8 22:08:30 snort[3609]: +-[AC-BNFA Search Info Summary]–----------------------------
    Mar 8 22:08:30 snort[3609]: [ Port Based Pattern Matching Memory ]
    Mar 8 22:08:30 snort[3609]: [ Port Based Pattern Matching Memory ]
    Mar 8 22:08:30 snort[3609]:
    Mar 8 22:08:30 snort[3609]:
    Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
    Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
    Mar 8 22:08:10 barnyard2[3611]: Parsing config file "/usr/local/etc/snort/snort_0em1/barnyard2.conf"
    Mar 8 22:08:10 barnyard2[3611]: Parsing config file "/usr/local/etc/snort/snort_0em1/barnyard2.conf"
    Mar 8 22:08:10 barnyard2[3611]: Initializing Output Plugins!
    Mar 8 22:08:10 barnyard2[3611]: Initializing Output Plugins!
    Mar 8 22:08:10 barnyard2[3611]: Initializing Input Plugins!
    Mar 8 22:08:10 barnyard2[3611]: Initializing Input Plugins!
    Mar 8 22:08:10 barnyard2[3611]: –== Initializing Barnyard2 ==--
    Mar 8 22:08:10 barnyard2[3611]: –== Initializing Barnyard2 ==--
    Mar 8 22:08:10 barnyard2[3611]:
    Mar 8 22:08:10 barnyard2[3611]:
    Mar 8 22:08:10 barnyard2[3611]: Running in Continuous mode
    Mar 8 22:08:10 barnyard2[3611]: Running in Continuous mode
    Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
    Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
    Mar 8 22:08:10 barnyard2[3611]: Parsing config file "/usr/local/etc/snort/snort_0em1/barnyard2.conf"
    Mar 8 22:08:10 barnyard2[3611]: Parsing config file "/usr/local/etc/snort/snort_0em1/barnyard2.conf"
    Mar 8 22:08:10 barnyard2[3611]: Initializing Output Plugins!
    Mar 8 22:08:10 barnyard2[3611]: Initializing Output Plugins!
    Mar 8 22:08:10 barnyard2[3611]: Initializing Input Plugins!
    Mar 8 22:08:10 barnyard2[3611]: Initializing Input Plugins!
    Mar 8 22:08:10 barnyard2[3611]: –== Initializing Barnyard2 ==--
    Mar 8 22:08:10 barnyard2[3611]: –== Initializing Barnyard2 ==--
    Mar 8 22:08:10 barnyard2[3611]:
    Mar 8 22:08:10 barnyard2[3611]:
    Mar 8 22:08:10 barnyard2[3611]: Running in Continuous mode
    Mar 8 22:08:10 barnyard2[3611]: Running in Continuous mode
    Mar 8 22:08:10 barnyard2[3611]: ERROR: Unable to open Reference file '0em1' (No such file or directory)
    Mar 8 22:08:10 barnyard2[3611]: ERROR: Unable to open Reference file '0em1' (No such file or directory)
    Mar 8 22:08:10 snort[3609]: Decoding Ethernet on interface em1
    Mar 8 22:08:10 snort[3609]: Decoding Ethernet on interface em1
    Mar 8 22:08:10 snort[3609]: Writing PID "3609" to file "/var/run//snort_em10em1.pid"
    Mar 8 22:08:10 snort[3609]: Writing PID "3609" to file "/var/run//snort_em10em1.pid"
    Mar 8 22:08:10 snort[3609]: PID path stat checked out ok, PID path set to /var/run/
    Mar 8 22:08:10 snort[3609]: PID path stat checked out ok, PID path set to /var/run/
    Mar 8 22:08:10 snort[3609]: Checking PID path…
    Mar 8 22:08:10 snort[3609]: Checking PID path…
    Mar 8 22:08:10 kernel: em1: promiscuous mode enabled
    Mar 8 22:08:10 snort[3609]: Daemon initialized, signaled parent pid: 3541
    Mar 8 22:08:10 snort[3609]: Daemon initialized, signaled parent pid: 3541
    Mar 8 22:08:10 snort[3541]: Daemon parent exiting
    Mar 8 22:08:10 snort[3541]: Daemon parent exiting
    Mar 8 22:08:10 snort[3541]: Initializing daemon mode
    Mar 8 22:08:10 snort[3541]: Initializing daemon mode
    Mar 8 22:08:10 snort[3541]: Initializing Network Interface em1
    Mar 8 22:08:10 snort[3541]: Initializing Network Interface em1
    Mar 8 22:08:10 snort[3541]: 460 out of 512 flowbits in use.
    Mar 8 22:08:10 snort[3541]: 460 out of 512 flowbits in use.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'csv.download' is checked but not ever set.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'csv.download' is checked but not ever set.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.asf' is checked but not ever set.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.asf' is checked but not ever set.
    Mar 8 22:08:10 kernel: em1: promiscuous mode disabled
    Mar 8 22:08:10 kernel: em1: promiscuous mode enabled
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'visio.request' is checked but not ever set.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'visio.request' is checked but not ever set.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.eps.download' is checked but not ever set.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.eps.download' is checked but not ever set.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'realmedia_file.request' is set but not ever checke

    d.
    Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.wma' is set but not ever checked.



  • The log post is not help ing me out.

    Please post pfsense version and snort version.

    I need you start snort manually in the terminal. Please post the output of these commands.

    ls /usr/local/etc/snort/

    snort -c /usr/local/etc/snort/snort_whatever_interface_number_real/snort.conf -l /var/log/snort -D -i what_ever_name -q

    P.S. I'll add code to make truble shooting easier.




  • *** interface device lookup found: em0


    Initializing Network Interface em0
    Decoding Ethernet on interface em0
    re
    [ Port Based Pattern Matching Memory ]
    +-[AC-BNFA Search Info Summary]–----------------------------
    | Instances        : 907
    | Patterns        : 381151
    | Pattern Chars    : 4171811
    | Num States      : 2783753
    | Num Match States : 591167
    | Memory          :  80.36Mbytes
    |  Patterns      :  12.70M
    |  Match Lists    :  34.93M
    |  Transitions    :  32.52M
    +-------------------------------------------------

    --== Initialization Complete ==--

    ,,_    -> Snort! <-
      o"  )~  Version 2.8.5.3 (Build 124)  FreeBSD
      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
              Copyright (C) 1998-2009 Sourcefire, Inc., et al.
              Using PCRE version: 8.00 2009-10-19

    ___  Built Date for Snort on Pfsense 1.2.3 is March 7 2010.
    / f \  Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
    / p _
    /Sense
    _
    /  \  Using Snort.org dynamic plugins and Orion IPS source.
        _
    _/  Using MMX and 3DNOW.

    Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <build 17="">Rules Object: web-misc  Version 1.0  <build 1="">Rules Object: chat  Version 1.0  <build 1="">Rules Object: dos  Version 1.0  <build 1="">Rules Object: exploit  Version 1.0  <build 1="">Rules Object: icmp  Version 1.0  <build 1="">Rules Object: imap  Version 1.0  <build 1="">Rules Object: misc  Version 1.0  <build 1="">Rules Object: multimedia  Version 1.0  <build 1="">Rules Object: netbios  Version 1.0  <build 1="">Rules Object: nntp  Version 1.0  <build 1="">Rules Object: p2p  Version 1.0  <build 1="">Rules Object: smtp  Version 1.0  <build 1="">Rules Object: sql  Version 1.0  <build 1="">Rules Object: web-activex  Version 1.0  <build 1="">Rules Object: web-client  Version 1.0  <build 1="">Rules Object: web-iis  Version 1.0  <build 1="">Rules Object: bad-traffic  Version 1.0  <build 1="">Preprocessor Object: SF_SSLPP  Version 1.1  <build 3="">Preprocessor Object: SF_SSH  Version 1.1  <build 2="">Preprocessor Object: SF_SMTP  Version 1.1  <build 8="">Preprocessor Object: SF_FTPTELNET  Version 1.2  <build 12="">Preprocessor Object: SF_DNS  Version 1.1  <build 3="">Preprocessor Object: SF_DCERPC2  Version 1.0  <build 2="">Preprocessor Object: SF_DCERPC  Version 1.1  <build 5="">Not Using PCAP_FRAMES

    
    +-----------------------[suppression]------------------------------------------
    | none
    -------------------------------------------------------------------------------
    Rule application order: activation->dynamic->pass->drop->alert->log
    Encoded Rule Plugin SID: 13416, GID: 3 not registered properly.  Disabling this rule.
    Verifying Preprocessor Configurations!
    Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
    Warning: flowbits key 'aiff_file.request' is set but not ever checked.
    Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
    Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
    Warning: flowbits key 'http.eps.download' is checked but not ever set.
    Warning: flowbits key 'http.pls.download' is set but not ever checked.
    Warning: flowbits key 'csv.download' is checked but not ever set.
    Warning: flowbits key 'http.asf' is checked but not ever set.
    Warning: flowbits key 'works.download' is checked but not ever set.
    Warning: flowbits key 'http.bmp' is checked but not ever set.
    Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
    Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
    Warning: flowbits key 'download.pecompact.binary' is checked but not ever set.
    Warning: flowbits key 'http.m3u.download' is set but not ever checked.
    Warning: flowbits key 'wav_file.request' is set but not ever checked.
    Warning: flowbits key 'excel.download' is set but not ever checked.
    Warning: flowbits key 'visio.request' is checked but not ever set.
    Warning: flowbits key 'caff_request' is set but not ever checked.
    Warning: flowbits key 'irc.trojan' is set but not ever checked.
    Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
    Warning: flowbits key 'BS.SSL.Server.Hello.Done' is set but not ever checked.
    Warning: flowbits key 'snipernet' is set but not ever checked.
    Warning: flowbits key 'http.wma' is set but not ever checked.
    Warning: flowbits key 'wmp.playlist.download' is checked but not ever set.
    461 out of 512 flowbits in use.
    ***
    *** interface device lookup found: em0
    ***
    Initializing Network Interface em0
    ERROR: Bpf compilation failed: syntax error.  PCAP filter: -.
    Fatal Error, Quitting..
    # reset
    Erase is backspace.
    # reset
    cleErase is backspace.
    # clear
    # snort -c /usr/local/etc/snort/snort_0em1/snort.conf - | /var/log/snort/ -D izvoz.txt -q
    /var/log/snort/: Permission denied.
    Running in IDS mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/usr/local/etc/snort/snort_0em1/snort.conf"
    PortVar 'HTTP_PORTS' defined :  [ 80 ]
    PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
    PortVar 'AUTH_PORTS' defined :  [ 113 ]
    PortVar 'DNS_PORTS' defined :  [ 53 ]
    PortVar 'FINGER_PORTS' defined :  [ 79 ]
    PortVar 'FTP_PORTS' defined :  [ 21 ]
    PortVar 'IMAP_PORTS' defined :  [ 143 ]
    PortVar 'IRC_PORTS' defined :  [ 6665:6669 7000 ]
    PortVar 'MSSQL_PORTS' defined :  [ 1433 ]
    PortVar 'NNTP_PORTS' defined :  [ 119 ]
    PortVar 'POP2_PORTS' defined :  [ 109 ]
    PortVar 'POP3_PORTS' defined :  [ 110 ]
    PortVar 'SUNRPC_PORTS' defined :  [ 111 32770:32779 ]
    PortVar 'RLOGIN_PORTS' defined :  [ 513 ]
    PortVar 'RSH_PORTS' defined :  [ 514 ]
    PortVar 'SMB_PORTS' defined :  [ 139 445 ]
    PortVar 'SMTP_PORTS' defined :  [ 25 ]
    PortVar 'SNMP_PORTS' defined :  [ 161 ]
    PortVar 'SSH_PORTS' defined :  [ 22 ]
    PortVar 'TELNET_PORTS' defined :  [ 23 ]
    PortVar 'MAIL_PORTS' defined :  [ 25 143 465 691 ]
    PortVar 'SSL_PORTS' defined :  [ 25 443 465 636 993 995 ]
    PortVar 'SIP_PROXY_PORTS' defined :  [ 5060:5090 16384:32768 ]
    PortVar 'DCERPC_NCACN_IP_TCP' defined :  [ 139 445 ]
    PortVar 'DCERPC_NCADG_IP_UDP' defined :  [ 138 1024:65535 ]
    PortVar 'DCERPC_NCACN_IP_LONG' defined :  [ 135 139 445 593 1024:65535 ]
    PortVar 'DCERPC_NCACN_UDP_LONG' defined :  [ 135 1024:65535 ]
    PortVar 'DCERPC_NCACN_UDP_SHORT' defined :  [ 135 593 1024:65535 ]
    PortVar 'DCERPC_NCACN_TCP' defined :  [ 2103 2105 2107 ]
    PortVar 'DCERPC_BRIGHTSTORE' defined :  [ 6503:6504 ]
    Detection:
       Search-Method = AC-BNFA-Q
    Tagged Packet Limit: 256
    Snort BPF option: -
    Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so... done
    Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/...
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-iis.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-client.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-activex.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//sql.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//smtp.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//p2p.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//nntp.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//netbios.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//multimedia.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//misc.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//imap.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//icmp.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//exploit.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//dos.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//chat.so... done
      Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-misc.so... done
      Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/
    Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/...
      Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so... done
      Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
      Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
      Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
      Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
      Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
      Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
      Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
    Log directory = /var/log/snort
    Frag3 global config:
        Max frags: 8192
        Fragment memory cap: 4194304 bytes
    Frag3 engine config:
        Target-based policy: BSD
        Fragment timeout: 60 seconds
        Fragment min_ttl:   1
        Fragment Problems: 1
        Overlap Limit:     0
        Min fragment Length:     0
    Stream5 global config:
        Track TCP sessions: ACTIVE
        Max TCP sessions: 8192
        Memcap (for reassembly packet storage): 8388608
        Track UDP sessions: ACTIVE
        Max UDP sessions: 131072
        Track ICMP sessions: ACTIVE
        Max ICMP sessions: 65536
        Log info if session memory consumption exceeds 1048576
    Stream5 TCP Policy config:
        Reassembly Policy: BSD
        Timeout: 30 seconds
        Min ttl:  1
        Maximum number of bytes to queue per session: 1048576
        Maximum number of segs to queue per session: 2621
        Options:
            Static Flushpoint Sizes: YES
        Reassembly Ports:
          0 client (Footprint) server (Footprint)
          1 client (Footprint) server (Footprint)
          2 client (Footprint) server (Footprint)
          3 client (Footprint) server (Footprint)
          4 client (Footprint) server (Footprint)
          5 client (Footprint) server (Footprint)
          6 client (Footprint) server (Footprint)
          7 client (Footprint) server (Footprint)
          8 client (Footprint) server (Footprint)
          9 client (Footprint) server (Footprint)
          10 client (Footprint) server (Footprint)
          11 client (Footprint) server (Footprint)
          12 client (Footprint) server (Footprint)
          13 client (Footprint) server (Footprint)
          14 client (Footprint) server (Footprint)
          15 client (Footprint) server (Footprint)
          16 client (Footprint) server (Footprint)
          17 client (Footprint) server (Footprint)
          18 client (Footprint) server (Footprint)
          19 client (Footprint) server (Footprint)
    Stream5 UDP Policy config:
        Timeout: 30 seconds
    Stream5 ICMP Policy config:
        Timeout: 30 seconds
    PerfMonitor config:
        Time:           300 seconds
        Flow Stats:     INACTIVE
        Event Stats:    INACTIVE
        Max Perf Stats: INACTIVE
        Console Mode:   INACTIVE
        File Mode:      /var/log/snort/snort_0em1.stats
        SnortFile Mode: INACTIVE
        Packet Count:   10000
        Dump Summary:   No
        Max file size:  2147483648
    HttpInspect Config:
        GLOBAL CONFIG
          Max Pipeline Requests:    0
          Inspection Type:          STATELESS
          Detect Proxy Usage:       NO
          IIS Unicode Map Filename: /usr/local/etc/snort/snort_0em1/unicode.map
          IIS Unicode Map Codepage: 1252
        DEFAULT SERVER CONFIG:
          Server profile: All
          Ports: 80 8080
          Server Flow Depth: 0
          Client Flow Depth: 300
          Max Chunk Length: 500000
          Max Header Field Length: 0
          Max Number Header Fields: 0
          Inspect Pipeline Requests: YES
          URI Discovery Strict Mode: NO
          Allow Proxy Usage: NO
          Disable Alerting: NO
          Oversize Dir Length: 0
          Only inspect URI: NO
          Normalize HTTP Headers: NO
          Normalize HTTP Cookies: NO
          Ascii: YES alert: NO
          Double Decoding: YES alert: YES
          %U Encoding: YES alert: YES
          Bare Byte: YES alert: YES
          Base36: OFF
          UTF 8: YES alert: NO
          IIS Unicode: YES alert: NO
          Multiple Slash: YES alert: NO
          IIS Backslash: YES alert: NO
          Directory Traversal: YES alert: NO
          Web Root Traversal: YES alert: YES
          Apache WhiteSpace: YES alert: NO
          IIS Delimiter: YES alert: NO
          IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
          Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
          Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    rpc_decode arguments:
        Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
        alert_fragments: INACTIVE
        alert_large_fragments: ACTIVE
        alert_incomplete: ACTIVE
        alert_multiple_requests: ACTIVE
    Portscan Detection Config:
        Detect Protocols:  TCP UDP ICMP IP
        Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
        Sensitivity Level: Medium
        Memcap (in bytes): 10000000
        Number of Nodes:   36900
        Ignore Scanner IP List:
            10.135.147.0 / 255.255.255.0
           my.wan.ip / 255.255.255.255
            my.gw.ip / 255.255.255.255
            193.2.1.66 / 255.255.255.255
            193.2.1.72 / 255.255.255.255
            127.0.0.1 / 255.255.255.255
    FTPTelnet Config:
        GLOBAL CONFIG
          Inspection Type: stateless
          Check for Encrypted Traffic: OFF
          Continue to check encrypted data: NO
        TELNET CONFIG:
          Ports: 23
          Are You There Threshold: 200
          Normalize: YES
          Detect Anomalies: NO
        FTP CONFIG:
          FTP Server: default
            Ports: 21
            Check for Telnet Cmds: OFF
            Ignore Telnet Cmd Operations: OFF
            Identify open data channels: NO
          FTP Client: default
            Check for Bounce Attacks: YES alert: YES
            Check for Telnet Cmds: YES alert: YES
            Ignore Telnet Cmd Operations: OFF
            Max Response Length: 256
    SMTP Config:
        Ports: 25 465 691
        Inspection Type: Stateful
        Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XSTA XTRN XUSR PIPELINING CHUNKING DSN XQUEU
        Ignore Data: No
        Ignore TLS Data: No
        Ignore SMTP Alerts: No
        Max Command Line Length: Unlimited
        Max Specific Command Line Length:
           ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
           EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
           ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
           IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
           QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
           SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
           TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
           XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
           XLICENSE:246 X-LINK2STATE:246 XSTA:246 XTRN:246 XUSR:246
           PIPELINING:246 CHUNKING:246 DSN:246 XQUEU:246
        Max Header Line Length: 1000
        Max Response Line Length: 512
        X-Link2State Alert: Yes
        Drop on X-Link2State Alert: No
        Alert on commands: None
    DCE/RPC 2 Preprocessor Configuration
      Global Configuration
        DCE/RPC Defragmentation: Enabled
        Memcap: 102400 KB
        Events: smb co cl
      Server Default Configuration
        Policy: WinXP
        Detect ports
          SMB: 139 445
          TCP: 135
          UDP: 135
          RPC over HTTP server: 593
          RPC over HTTP proxy: None
        Autodetect ports
          SMB: None
          TCP: 1025-65535
          UDP: 1025-65535
          RPC over HTTP server: 1025-65535
          RPC over HTTP proxy: None
        Maximum SMB command chaining: 3 commands
    DNS config:
        DNS Client rdata txt Overflow Alert: ACTIVE
        Obsolete DNS RR Types Alert: INACTIVE
        Experimental DNS RR Types Alert: INACTIVE
        Ports: 53
    SSLPP config:
        Encrypted packets: not inspected
        Ports:
          443      465      563      636      989
          990      992      993      994      995
        Server side data is trusted
    
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
    
    | gen-id=1      sig-id=2406150    type=Limit     tracking=src count=1   seconds=60
    | gen-id=1      sig-id=12295      type=Limit     tracking=src count=1   seconds=300
    | gen-id=1      sig-id=2500058    type=Limit     tracking=src count=1   seconds=60
    | gen-id=1      sig-id=6192       type=Limit     tracking=src count=1   seconds=300
    | gen-id=1      sig-id=6365       type=Limit     tracking=src count=1   seconds=600
    | gen-id=1      sig-id=2406647    type=Limit     tracking=src count=1   seconds=60
    | gen-id=1      sig-id=2406181    type=Limit     tracking=src count=1   seconds=60
    | gen-id=1      sig-id=2500167    type=Limit     tracking=src count=1   seconds=60
    | gen-id=1      sig-id=2500056    type=Limit     tracking=src count=1   seconds=60
    | gen-id=1      sig-id=8073       type=Limit     tracking=src count=1   seconds=300
    | gen-id=3      sig-id=15851      type=Both      tracking=dst count=12  seconds=1  
    | gen-id=3      sig-id=15474      type=Threshold tracking=src count=50  seconds=10
    | gen-id=3      sig-id=15912      type=Threshold tracking=src count=200 seconds=30
    | gen-id=3      sig-id=15522      type=Threshold tracking=dst count=200 seconds=30
    +-----------------------[suppression]------------------------------------------
    | none
    -------------------------------------------------------------------------------
    Rule application order: activation->dynamic->pass->drop->alert->log
    Encoded Rule Plugin SID: 13416, GID: 3 not registered properly.  Disabling this rule.
    Verifying Preprocessor Configurations!
    Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
    Warning: flowbits key 'BS.SSL.Server.Hello.Done' is set but not ever checked.
    Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
    Warning: flowbits key 'http.eps.download' is checked but not ever set.
    Warning: flowbits key 'irc.trojan' is set but not ever checked.
    Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
    Warning: flowbits key 'http.wma' is set but not ever checked.
    Warning: flowbits key 'download.pecompact.binary' is checked but not ever set.
    Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
    Warning: flowbits key 'http.bmp' is checked but not ever set.
    Warning: flowbits key 'wav_file.request' is set but not ever checked.
    Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
    Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
    Warning: flowbits key 'wmp.playlist.download' is checked but not ever set.
    Warning: flowbits key 'visio.request' is checked but not ever set.
    Warning: flowbits key 'http.m3u.download' is set but not ever checked.
    Warning: flowbits key 'excel.download' is set but not ever checked.
    Warning: flowbits key 'aiff_file.request' is set but not ever checked.
    Warning: flowbits key 'http.pls.download' is set but not ever checked.
    Warning: flowbits key 'snipernet' is set but not ever checked.
    Warning: flowbits key 'csv.download' is checked but not ever set.
    Warning: flowbits key 'http.asf' is checked but not ever set.
    Warning: flowbits key 'caff_request' is set but not ever checked.
    Warning: flowbits key 'works.download' is checked but not ever set.
    461 out of 512 flowbits in use.
    ***
    *** interface device lookup found: em0
    ***
    Initializing Network Interface em0
    ERROR: Bpf compilation failed: syntax error.  PCAP filter: -.
    Fatal Error, Quitting..
    #
    #
    # 
    

    Is this OK? :)

    p.s.: link (green) to start snort on interface status is not working / firefox 3.6 ;)</build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build></build>



  • I have to rebuild the snort-dev binaries tonight.
    There seems to be a bug because I compiled with MMX and 3DNOW code.

    P.S. Snort is only crashing when using so.rules on my end.

    Try to reinstall tomorrow morning.

    Sorry
    James



  • THANKS!!!!



  • Snort is now ok,… but no log and no blocking IP ;)



  • I think when user ping my ip, i can t see blocked IP in snort log. Before it was working.

    I have also try with grc.com scan,… no blocked IP.

    There are currently no items being blocked by snort.

    Will snort now only drop this packet?



  • Should be working now.

    One of the pfsense dev removed the blocking option for some reson.

    James



  • it's a live  ;D

    Thanks snort master :)


Log in to reply