Netgate Discussion Forum

    Snort…working on Bugs today.....

      g4m3c4ck

      I am going to look into it more, but the latest rules have broken all versions of snort for pfSense due to a missing directory for so_rules. I was just wondering if anyone else was experiencing this or was it just me.

      pfSense 1.2.3 release, both versions of snort.

      Edit: Just noticed a 0-byte file called touch off of root. Not sure if this is due to the snort script, but I have not noticed it before.

      Edit:Edit: I also noticed that when I edit my VLAN interfaces in 2.8.5.3 pkg v. 1.22 it says "Snort: Interface Edit: 0 57641 vlan0" instead of what I have them aliased as.

      Edit:Edit:Edit: Hmm, I checked /usr/local/pkg/snort/snort_check_for_rules_updates.php and it seems that anything that would generate that error is already commented out. wth, I am kinda scared to try and reboot pfSense and see if that will fix it.

        g4m3c4ck

        James, as a side note or a suggested wish for the snort package: when I was diving through the update PHP file I noticed that there is an md5 check function in there. After running Update to see if I fixed it about a dozen times, and it downloading the same file continuously, do you think it would be possible to add code that would use the md5 routine to keep it from downloading the same file when a problem with the rules or a bug with the package occurs? Not a really huge deal, but I fear getting banned due to excessive updates trying to see if I fixed the problem that I run into.

          g4m3c4ck

          OK, I have tracked the problem down to it being a VLAN issue. In order to get snort running manually in the latest version, I copied the rules from /usr/local/etc/snort/rules to my corresponding VLAN directories, i.e. "/usr/local/etc/snort/snort_61611_vlan0/rules".

          Still baffles me how snort_old was broken, but oh well, I got it up again with 2.8.5.3 pkg v. 1.22.

            g4m3c4ck

            Seems like none of the "BLOCK" rules are working for me, causing snort to fatal error on start. Is anyone else having this problem?

            snort[3898]: FATAL ERROR: /usr/local/etc/snort/snort_61611_vlan0/rules/emerging-compromised-BLOCK.rules(49) Unknown rule option: 'fwsam'.

              simby

              Directory so_rules does not exist…
              Error copying so_rules...

              pfSense 2.0 beta 1 and snort .22

                g4m3c4ck

                Do you use VLANs?
