Netgate Discussion Forum

N00b snort "issues"

pfSense Packages

unforeseen:

Hey all…

I just started to use the snort package to blackhole/block offending IPs that scan/hammer/etc. on my network. I read through some previous forum posts about snort and am using the "ac" method. I have my Oinkmaster code and have selected: Block offenders, Update rules automatically, Convert Snort alert URLs to clickable links, and Associate events on Blocked tab. I have run the update to download the new rules, etc. I have almost all of the rules checked except about 4 out of the list. I have also even gone onto Bleeding Snort and imported some of those rules.

My question or problem, in short, is that with all these rules in place I still have yet to see anything blocked or show up in any of the logs/tabs, nor in my syslog server's logs. I'm sure many of you think that is a good thing, but I have been using snort for about two days and have been checking very, very often. I have been running file sharing programs and a chat program (gaim), went to Shields Up and have been port scanning, searched for adult keywords/sites, etc. And still I am not receiving any alerts (and yes, those are all rule lists which I am using). So is there a way to test this to ensure it is properly working? I.e. make sure the "xyz" list is checked off and go to "abc" or open program "123".

Any info would be helpful, as I'm sure it's something incorrect on my part.

Thanks

hoba:

Do you run snort on more than one interface? I think there is still a problem when it's listening on more than one. Try to enable it only on WAN.

unforeseen:

Currently it is only set to listen on the WAN interface. Come to think of it, when I first set it up, I overlooked the interface section and got an error when I tried to save my settings. I went back by hitting back in my browser and chose WAN, which corrected the issue. Do you think that by not selecting it in the very beginning and trying to save the config I broke it?

hoba:

Not sure, but try to uninstall the package and install it again.

unforeseen:

I tried that and even one-upped it by doing a format and reinstall of pfSense. I went through and chose the same options and made sure to select the WAN interface when first setting it up. I also copied some of the new Bleeding rules and put those in as well. So far, there is no change. Nothing has caused any alerts, nor are there any blocked IPs.

Has anyone else out there had similar experiences, or any experience with their setups they would like to share?

Thanks

yoda715:

I am having the same issue now. Snort was working perfectly. I rebooted the firewall once and now it's not working anymore. I used to get alerts constantly of blocked pings, 1x1 gif exploits, etc. Now I don't get anything. I also did a complete reinstall of pfSense, configured snort the same way, and now I do not get any alerts. Also, it appears to be blocking some things but not logging them. I.e. when I have snort enabled I am unable to log into MSN Messenger, but nothing is being logged as blocked. Also, I have the chat rules unchecked but it still appears to be blocking Messenger sessions.

unforeseen:

Great… As long as this issue is just not me :-[ … From the time I posted that I reinstalled until now, I still have yet to see anything blocked. I have also been testing with Shields Up and nothing.

Have you been able to figure out why it worked before and not now? Could it be the rules? Anyone else out there have some experience with this???

yoda715:

So far, no. All I know is that it stopped working when I changed from ac-banded to lowmem. Reinstalling pfSense then configuring to ac-banded did not work. Reinstalling to lowmem did not work. No clue what happened.

yoda715:

Well, I got snort working again. Reinstalled pfSense, configured snort to lowmem, rebooted and it started working. Although now I have a new problem: MSN Messenger will not work at all from the LAN side. I can have all rulesets unchecked, click save, and I still will not be able to sign into Messenger. The only way I can connect to MSN Messenger is to add the LAN IP of my server to the whitelist. Anyone else experiencing this issue?

unforeseen:

Hmm… that's strange… You said that it stopped working when you changed from ac-banded to lowmem, but then you reinstalled and configured snort with ac-banded/lowmem right off the bat, and that still didn't do the trick? What I'm getting at is maybe I did what you did my first couple of attempts (switching from one scheme to another), but then again the second part of your trials seems to show that it's hit or miss whether it will work or not. That is not really the news I was looking for, but it gives some insight into the issues I am seeing.

Some other background info: I swapped all hardware from a PIII 550 with 192MB RAM to a PIII 800 with 512MB RAM. I thought bad hardware or lack of RAM/CPU speed may be the cause of snort not functioning. Removed/reinstalled the package, reinstalled pfSense and used new configs (not my backed-up copy), stopped and started services numerous times. Also, for the first couple of attempts I was also using Ntop and Darkstat alongside snort; after the reinstall I decided to only test snort without other packages.

Can anyone else confirm this (or just tell us that we are nuts)? (I'd rather the first part, but I'm sure we are going to get some of the second) :'(

Thanks for everyone's help so far!

yoda715:

Yep, it appears to be hit or miss for me as well. I am only running snort atm, but I am still having the same issues as you.

unforeseen:

It looks like I have hit a brick wall with all my trials. Any experienced pf admin out there have any more suggestions? I'll try whatever.

Thanks

unforeseen:

Ok… for anyone that's been following: I figured out the issue (at least for me). I reinstalled again and enabled shell access. Right after the install I poked around the shell and saw how everything was running. I enabled everything as usual and noticed the snort process hover at about 95% CPU and use almost 500MB of RAM (out of 512 total) within seconds of starting. So I stopped that process and changed to lowmem. Nothing. Looked in /var/log/snort and the logs were empty except for a few unreadable characters via cat. Formatted and started again and enabled snort, but this time only enabled 2 or 3 rules. This time, after the update and a Shields Up scan, it worked.

Conclusion: On a PIII 800 with 512MB RAM, choose your rules carefully! I'm not sure if it was one rule that was going crazy, but that is where I'm going to start. I'm now curious about changing the detection method to see if it will continue to work or if it's going to crap out again. Either way, I'm glad I was able to work it down.

I hope this helps any others that may experience issues with snort. ;)

davidemiccone:

@unforeseen:

> Ok… for anyone that's been following: I figured out the issue (at least for me). I reinstalled again and enabled shell access. Right after the install I poked around the shell and saw how everything was running. I enabled everything as usual and noticed the snort process hover at about 95% CPU and use almost 500MB of RAM (out of 512 total) within seconds of starting. So I stopped that process and changed to lowmem. Nothing. Looked in /var/log/snort and the logs were empty except for a few unreadable characters via cat. Formatted and started again and enabled snort, but this time only enabled 2 or 3 rules. This time, after the update and a Shields Up scan, it worked.
>
> Conclusion: On a PIII 800 with 512MB RAM, choose your rules carefully! I'm not sure if it was one rule that was going crazy, but that is where I'm going to start. I'm now curious about changing the detection method to see if it will continue to work or if it's going to crap out again. Either way, I'm glad I was able to work it down.
>
> I hope this helps any others that may experience issues with snort. ;)

Me too, I had some problems: enabling all snort categories, snort occupies 95% CPU and after nearly one minute dies.
My system is a P4 3GHz.

Now I tried to only enable the following rule categories:
attack-responses.rules
backdoor.rules
bad-traffic.rules
chat.rules
ddos.rules
deleted.rules
dns.rules
dos.rules

Snort starts and doesn't die. Have you found the rules that hang?

Any advice about rules to enable will be appreciated.

Davide

hoba:

If nothing helps, enable the upper half of the rules and test. If nothing dies, try the lower half of the rules and test. If it dies, then continue the same way with the half that it died on: check half of those rules, test. Go on like this until you have found the rule that causes issues, and let us know ;)

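hoba's halving procedure written out as a script, added here as an example; it is not code from the thread or from the pfSense Snort package. bisect_rules takes the name of a predicate function that starts snort with only the listed rule category files and returns success if snort stays up; the snort_survives predicate is a sketch whose base config path, $RULE_PATH include syntax, interface name em0 and 90 second wait are assumptions. It also covers the case unforeseen described, where no single category is at fault but the whole set exhausts memory: when each half survives on its own it reports "cumulative" rather than blaming one file.

```shell
#!/bin/sh
# Added example: hoba's halving procedure as a script (not code from the thread or the
# pfSense Snort package). PREDICATE is a shell function that is called with a list of
# rule category files and returns 0 if snort stays up with only those categories.

# bisect_rules PREDICATE CATEGORY...
# Prints the one category that makes PREDICATE fail, or "cumulative" when each half
# survives on its own (the total rule load, not one file, is what kills snort).
bisect_rules() {
    pred=$1; shift
    if [ $# -eq 1 ]; then
        # One category left: either it is the culprit, or the failure only shows
        # with the larger set and there is no single file to blame.
        if "$pred" "$1"; then echo cumulative; else echo "$1"; fi
        return 0
    fi
    half=$(( $# / 2 )); lower=""; i=0
    for c in "$@"; do                     # first half of the list goes into $lower
        if [ "$i" -lt "$half" ]; then lower="$lower $c"; fi
        i=$(( i + 1 ))
    done
    shift "$half"                         # "$@" is now the second half
    if ! "$pred" $lower; then             # recurse into whichever half dies
        bisect_rules "$pred" $lower
    elif ! "$pred" "$@"; then
        bisect_rules "$pred" "$@"
    else
        echo cumulative
    fi
}

# Predicate for a real box. The base config path, rule path variable, interface name
# and the 90 second wait are assumptions for this example, not details from the thread.
snort_survives() {
    conf=/tmp/snort-bisect.conf; died=/tmp/snort-bisect.died
    cp /usr/local/etc/snort/snort.conf.base "$conf"   # assumed: config with no rule includes
    for c in "$@"; do printf 'include $RULE_PATH/%s\n' "$c" >> "$conf"; done
    rm -f "$died"
    # The flag file appears only if snort exits on its own (the "dies after a minute" case).
    ( snort -q -c "$conf" -i em0; : > "$died" ) &
    sleep 90
    if [ -e "$died" ]; then return 1; fi
    pkill -f "$conf" 2>/dev/null          # still alive: stop it before the next round
    return 0
}

# On the box: bisect_rules snort_survives attack-responses.rules backdoor.rules chat.rules ...
```

Each round costs one snort start plus the wait, so a list of n categories takes about 2*log2(n) rounds; if both halves die on their own the script follows the first half, so run it again on the remaining categories to find a second culprit.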
davidemiccone:

@hoba:

> If nothing helps, enable the upper half of the rules and test. If nothing dies, try the lower half of the rules and test. If it dies, then continue the same way with the half that it died on: check half of those rules, test. Go on like this until you have found the rule that causes issues, and let us know ;)

I've done several checks.

The problem (CPU 95%, snort hang) seems to arise when enabling new categories.
Initially, with rel. 1.01, I got into the CPU 95% problem when enabling snort categories beginning with "s" (up to rservices.rules, no problems).

There is also another strange behaviour: the WebGUI snort setting "Performance" has been set to "ac-sparsebands", but the system logs display "lowmem":
SnortStartup[751]: Ram free BEFORE starting Snort: 11M – Ram free AFTER starting Snort: 17M -- Mode lowmem -- Snort memory usage:

If I change to "lowmem" and restart snort, the system logs display "ac-sparsebands":
SnortStartup[6593]: Ram free BEFORE starting Snort: 111M – Ram free AFTER starting Snort: 111M -- Mode ac-sparsebands -- Snort memory usage:

Now I have updated to 1.0.1-SNAPSHOT-02-27-2007; now the CPU doesn't get to 95% (all categories enabled), but snort doesn't start when touching (enabling/disabling) categories.
To let snort start I had to change the Performance setting (from ac-sparsebands to lowmem), so that snort starts.

I'm very confused about snort's behaviour. ???

yoda715:

I am going to review the code shortly, since I have seen this issue as well. For some reason, in order for the snort performance settings to take effect, you have to click save twice under Snort settings.