N00b snort "issues"



  • Hey all….

    I just started to use the snort package to blackhole/block offending IPs that scan/hammer/etc. on my network.  I read through some previous forum posts about snort and am using the "ac" method, I have my Oinkmaster code and have selected: Block offenders, Update rules automatically, Convert Snort alerts urls to clickable links, and Associate events on Blocked tab.  I have run the update to download the new rules, etc.  I have almost all of the rules checked except about 4 out of the list.  I have also even gone onto Bleeding Snort and imported some of those rules.

    My question or problem in short is that with all these rules in place I still have yet to see anything blocked or show up in any of the logs/tabs nor in my syslog server's logs.  I'm sure many of you think that is a good thing but I have been using snort for about two days and been checking very, very often.  I have been running file sharing programs, a chat program (gaim), went to Shields Up and have been port scanning, searched for adult key words/sites, etc.  And still I am not receiving any alerts (and yes, those are all rule lists which I am using).  So is there a way to test this to ensure it is properly working?  I.e. make sure "xyz" list is checked off and go to "abc" or open program "123".

    Any info would be helpful as I'm sure it's something incorrect on my part.

    Thanks



  • Do you run snort on more than one interface? I think there is still a problem when it's listening on more than one. Try to enable it only on WAN.



  • Currently it is only set to listen on the WAN interface. Come to think of it, when I first set it up, I overlooked the interface section and got an error when I tried to save my settings.  I went back by hitting back on my browser and chose WAN, that corrected the issue.  Do you think that by not selecting it in the very beginning and trying to save the config I broke it?



  • Not sure but try to uninstall the package and install it again.



  • I tried that and even one-upped it by doing a format and reinstall of pfsense.  I went through and chose the same options and made sure to select the WAN interface when first setting it up.  I also copied some of the new bleeding rules and put those in as well.  So far, there is no change.  Nothing has caused any alerts nor are there any blocked IPs.

    Has anyone else out there had similar experiences or have any experience on their setups they would like to share?

    Thanks



  • I am having the same issue now. Snort was working perfectly. I rebooted the firewall once and now it's not working anymore. I used to get alerts constantly of blocked pings, 1x1 gif exploits, etc. Now I don't get anything. I also did a complete reinstall of pfsense, configured snort the same way, and now I do not get any alerts. Also, it appears to be blocking some things but not logging them. I.e. when I have snort enabled I am unable to log into MSN messenger but nothing is being logged as blocked. Also I have the chat rules unchecked but it still appears to be blocking messenger sessions.



  • Great….. As long as this issue is just not me  :-[ ... From the time I have posted that I reinstalled, until now, I still have yet to see anything blocked.  I have also been testing with shields up and nothing.

    Have you been able to figure out why it worked before and not now?  Could it be the rules?  Anyone else out there have some experience with this???



  • So far, no. All I know is that it stopped working when I changed from ac-banded to lowmem. Reinstalling pfsense then configuring to ac-banded did not work. Reinstalling to lowmem did not work. NO clue what happened.



  • Well I got snort working again. Reinstalled pfsense. Configured snort to lowmem, rebooted and it started working. Although now I have a new problem. Now MSN messenger will not work at all from the LAN side. I can have all rulesets unchecked, click save, and I still will not be able to sign into messenger. The only way I can connect to msn messenger is to add the LAN IP of my server into the whitelist. Anyone else experiencing this issue?



  • hmm.. that's strange… You said that it stopped working when you changed from ac-banded to lowmem but then you reinstalled and configured snort with ac-banded/lowmem right off the bat, and that still didn't do the trick?  What I'm getting at is maybe I did what you did my first couple of attempts (switching from one scheme to another) but then again the second part of your trials seems that it's hit or miss whether it will work or not. That is not really the news I was looking for but gives some insight into the issues I am seeing.

    Some other background info: I swapped all hardware from a PIII 550 with 192mb ram to a PIII 800 with 512mb ram. I thought bad hardware or lack of ram/CPU speed may be the cause of snort not functioning. Removed/reinstalled package, reinstalled pfsense and used new configs (not my backed-up copy), stopped and started services numerous times.  Also the first couple of attempts I was also using Ntop and Darkstat alongside snort, now I decided after the reinstall to only test snort without other packages.

    Can anyone else confirm this (or just tell us that we are nuts)?  (I'd rather the first part but I'm sure we are going to get some of the second)  :'(

    Thanks for everyone's help so far!



  • Yep, it appears to be hit or miss for me as well. I am only running snort atm, but I am still having the same issues as you.



  • It looks like I have hit a brick wall with all my trials.  Any experienced pf admin out there have any more suggestions.. I'll try whatever

    Thanks



  • Ok.. for anyone that's been following- I figured out the issue (at least for me).  I reinstalled again, and enabled shell access. Right after the install I poked around the shell and saw how everything was running. I enabled everything as usual and noticed the snort process hovering at about 95% cpu and using almost 500mb of ram (outta 512 total) within seconds of starting. So I stopped that process and changed to lowmem. Nothing. Looked in /var/log/snort and they were empty except for a few unreadable characters via cat.  Formatted and started again and enabled snort but this time only enabled 2 or 3 rules.  This time after the update and Shields Up scan, it worked.

    Conclusion: On a PIII 800 with 512mb ram, choose your rules carefully!  I'm not sure if it was one rule that was going crazy but that is where I'm going to start. I'm now curious about changing the detection method to see if it will continue to work or if it's going to crap out again.  Either way, I'm glad I was able to work it down.

    I hope this helps any others that may experience issues with snort.  ;)



  • @unforeseen:

    Ok.. for anyone that's been following- I figured out the issue (at least for me).  I reinstalled again, and enabled shell access. Right after the install I poked around the shell and saw how everything was running. I enabled everything as usual and noticed the snort process hovering at about 95% cpu and using almost 500mb of ram (outta 512 total) within seconds of starting. So I stopped that process and changed to lowmem. Nothing. Looked in /var/log/snort and they were empty except for a few unreadable characters via cat.  Formatted and started again and enabled snort but this time only enabled 2 or 3 rules.  This time after the update and Shields Up scan, it worked.

    Conclusion: On a PIII 800 with 512mb ram, choose your rules carefully!  I'm not sure if it was one rule that was going crazy but that is where I'm going to start. I'm now curious about changing the detection method to see if it will continue to work or if it's going to crap out again.  Either way, I'm glad I was able to work it down.

    I hope this helps any others that may experience issues with snort.  ;)

    Me too, I had some problems: enabling all snort categories, snort occupies 95% CPU and after nearly one minute dies.
    My system is a P4 3GHz

    Now I tried to only enable the following rules categories
    attack-responses.rules
    backdoor.rules
    bad-traffic.rules
    chat.rules
    ddos.rules
    deleted.rules
    dns.rules
    dos.rules

    snort starts and doesn't die. Have you found the rules that hang?

    Any advice about rules to enable will be appreciated.

    Davide



  • If nothing helps, enable the upper half of the rules, test. If nothing dies, try the lower half of the rules and test. If it dies then continue the same way for the half that it died on. Check half of these rules, test. Go on like this until you have found the rule that causes issues and let us know ;)
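    The halving procedure above, written out as an added bash example (not code from the pfSense snort package). It assumes a "check" command that is handed a subset of rule category files and exits 0 if snort survives with exactly those enabled, non-zero if it hangs or dies; the `fake_snort_check` stand-in and the `smtp.rules` culprit are constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Bisect a list of Snort rule category files to find the one that kills
# snort.  $1 is the check command (see lead-in); the rest are rule files.
# On a real box the check would write a snort.conf including only those
# files, restart snort, wait, and test whether the process is still up.
bisect_rules() {
    local check="$1"; shift
    local -a cand=("$@")
    while (( ${#cand[@]} > 1 )); do
        local half=$(( ${#cand[@]} / 2 ))
        local -a upper=("${cand[@]:0:$half}")
        local -a lower=("${cand[@]:$half}")
        if ! "$check" "${upper[@]}"; then
            cand=("${upper[@]}")          # upper half dies: narrow to it
        elif ! "$check" "${lower[@]}"; then
            cand=("${lower[@]}")          # lower half dies: narrow to it
        else
            # Both halves pass on their own: the failure needs the whole
            # set (e.g. total memory), so no single file is to blame.
            echo "no single rule file reproduces the failure" >&2
            return 1
        fi
    done
    # Confirm the last candidate fails by itself before reporting it.
    "$check" "${cand[0]}" && return 1
    printf '%s\n' "${cand[0]}"
}

# Constructed stand-in for the real check: pretend smtp.rules is the
# category that makes snort die (hypothetical, for demonstration only).
fake_snort_check() {
    local f
    for f in "$@"; do
        [[ "$f" == "smtp.rules" ]] && return 1
    done
    return 0
}

# Categories from the thread plus a few more standard Snort 2 files.
RULES=(attack-responses.rules backdoor.rules bad-traffic.rules chat.rules
       ddos.rules deleted.rules dns.rules dos.rules rservices.rules
       scan.rules shellcode.rules smtp.rules sql.rules)

find_bad_rule() { bisect_rules fake_snort_check "${RULES[@]}"; }
```

Replace `fake_snort_check` with a function that restarts snort against a generated snort.conf and the same bisection finds the offending category in log2(n) restarts instead of n.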



  • @hoba:

    If nothing helps, enable the upper half of the rules, test. If nothing dies, try the lower half of the rules and test. If it dies then continue the same way for the half that it died on. Check half of these rules, test. Go on like this until you have found the rule that causes issues and let us know ;)

    I did several checks.

    The problem (CPU 95%, snort hang) seems to arise when enabling new categories.
    Initially with rel. 1.01 I got into the CPU 95% problem when enabling snort categories beginning with "s" (until rservices.rules no problems).

    There is also another strange behaviour: WebGui snort setting "Performance" has been set to "ac-sparsebands", the system logs display "lowmem":
    SnortStartup[751]: Ram free BEFORE starting Snort: 11M – Ram free AFTER starting Snort: 17M -- Mode lowmem -- Snort memory usage:

    If I change to "lowmem" and restart snort, system logs display "ac-sparseband":
    SnortStartup[6593]: Ram free BEFORE starting Snort: 111M – Ram free AFTER starting Snort: 111M -- Mode ac-sparsebands -- Snort memory usage:

    Now I updated to 1.0.1-SNAPSHOT-02-27-2007; now CPU doesn't get to 95% (all categories enabled) but snort doesn't start when touching (enable/disable) categories.
    To let snort start I had to change Performance settings (from ac-sparsebands to lowmem) so that snort starts.

    I'm very confused about snort behaviour.  ???



  • I am going to review the code shortly, since I have seen this issue as well. For some reason, in order for snort performance settings to take effect, you have to click save twice under Snort settings.

