Snort bugs



  • Hi,

    On Snort pkg v1.33 I have a problem with the link to the pfSense index page, and under the Update tab, Rule Update, I can't open:
        * Upload Custom Rules
        * GUI Update



  • I don't think James is done with the code for those features.



  • Code not done yet, maybe in a week.

    James



  • Found another Snort bug. It existed before…
    Whitelists, edit, add another entry. The link is to
    http://x.x.x.x/snort/snort_interfaces_whitelist_edit.php?id=0#  (x.x.x.x is the correct address)
    but it does not do anything. I can't add another entry.
    Is there a limit to the number of entries, or is the add broken again?

    Anyone else having issues here?



  • I have an issue I have been dealing with for a while that happens on all the pfSense systems I have running Snort. This is not a new bug, it seems to have been around for a while, and I was wondering if anyone has any idea on how to correct it?

    Snort for some reason will not release a blocked offender after the set time to release. I have offenders set to release after 1 hour and I notice that every IP that was blocked never gets removed after the set time. I have tried different settings, uninstalling the package, reinstalling the package, reboots, and restarts of the service. I can reproduce the issue on multiple boxes and even after fresh installs of the 1.2.3-release. I will notice IPs still in the blocked section that show a blocked time of something like 35 hours ago and should have been released after 1 hour.

    The problem has put me in a position to disable Snort for the time being, because I have some IPs getting blocked that belong to remote site locations. This is how I discovered the problem a while ago.

    Any ideas on this?

    Thanks



  • SNORT for some reason will not release a blocked offender after the set time to release.

    Are you sure that the blocked IP is not releasing (correctly) and then immediately being put back on the block list when it tries to gain access?



  • Yeah, I am sure it is not that, because I will look at the alert log and can match it up that way. That very thought crossed my head, but that is not it. I even wrote down a series of blocked IPs, waited for a few hours and then checked to see if they all matched up, and not one thing changed or was released. I am currently using Snort 2.8.6.1 pkg v1.33 with premium VRT rules.



  • @tester_02:

    Found another Snort bug. It existed before…
    Whitelists, edit, add another entry. The link is to
    http://x.x.x.x/snort/snort_interfaces_whitelist_edit.php?id=0#   (x.x.x.x is the correct address)
    but it does not do anything. I can't add another entry.
    Is there a limit to the number of entries, or is the add broken again?

    Anyone else having issues here?

    I just upgraded to 2.8.6.1 pkg v1.33 and am experiencing a similar issue. I can add 2 whitelist entries; when I try to add a third, it replaces the second. I tried it several times and it was always repeatable.



  • @darklogic:

    Yeah, I am sure it is not that, because I will look at the alert log and can match it up that way. That very thought crossed my head, but that is not it. I even wrote down a series of blocked IPs, waited for a few hours and then checked to see if they all matched up, and not one thing changed or was released. I am currently using Snort 2.8.6.1 pkg v1.33 with premium VRT rules.

    I saw this issue after I upgraded to 2.8.6.1 pkg v1.33. I looked at syslog and noticed the cron job to expire the blocked items (/usr/local/sbin/expiretable) was not running, even though the entry in /etc/crontab seemed OK. I also noticed that the cron job to update the rules (/usr/local/pkg/snort/snort_check_for_rule_updates.php) was not running, even though the crontab entry seemed OK.

    The fix that worked for me was to go into the Services: Snort: Global Settings, change the values I had chosen for "Update rules automatically" and "Remove blocked hosts every" entries, then save/apply.  I'm sorry that I can't remember at this point whether I stopped and restarted the Snort interface after that before it began working.

    btw, many thanks to jamesdean for this excellent package!  I recently chose pfSense in part because of this Snort capability.

    • Justin


  • Hi all,

    As it's the 2nd time I have had this issue, let's discuss it! :)
    After a few months of good service, I had exactly this issue:
    http://www.mail-archive.com/support@pfsense.com/msg15583.html

    Not being sure about the age of my CF card, I decided to replace it with a brand new one.

    Then yesterday, exactly the same crash, 6 months after the new installation!

    Just before the "last" reboot of the machine I could see that my /var/ partition was 101% full (yes… -4.6 MB free...). The size of the partition is around 58 MB and there were 5 fat files (around 10 MB each) in the /var/log/snort/ folder.
    Do you think that Snort could cause a kind of "disk overflow" by writing too much?! This could possibly explain the complete crash of the system (and config loss) after reboot!
    The config.xml file was OK before the reboot, but all the fields were blank in the web admin!

    By chance I have a 2nd CF card ready as a backup, but if somebody could explain this issue it would be cool... and I will kick out Snort from now on!

    Here is the config

    • Mini-itx
    • 2GB CF card
    • 2GB RAM
    • Embedded PFSense (latest version)
    • 1 GB LAN
    • 3 WAN with 3 different static IP and "load balancing"
    • 2mb symmetric total internet line
    • Only 5 computers are using this gateway

    And I'm in Argentina while the system is in Switzerland ! Yeah lucky me ! :-)



  • Fixed the whitelist bug.

    Fixed: Snort not completely uninstalling in 2.0 was due to a bug outside of the Snort package. The fix will be in later snapshots.

    TODO:
    The Snort package causes errors in CF card installs when the log dir gets over 10 MB. Going to add a cron job that monitors the directory and clears it
    when /var/log/snort gets over 10 MB.

    James
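    The TODO above describes the cron job only in outline, so here is an added example of the monitoring half (not the pfSense Snort package's own code, and not James's). It assumes the paths the thread names, /var/log/snort and its pid directory /var/log/snort/run, and the 10 MB threshold; it prunes the oldest regular log files first and never touches subdirectories, so the pid directory survives. The 10 MB limit and the log directory are overridable through environment variables, which are my own additions.

```shell
#!/bin/sh
# Constructed example: keep a Snort log directory under a size limit by
# deleting its oldest regular files. Not the pfSense Snort package's code.

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"   # path named in the thread
LIMIT_KB="${LIMIT_KB:-10240}"                       # 10 MB threshold from the thread

# Print the size of a directory in kilobytes (0 if it does not exist).
dir_size_kb() {
    [ -d "$1" ] || { echo 0; return; }
    du -sk "$1" | awk '{print $1}'
}

# Print the name of the oldest regular file directly under $1 (empty if none).
# Subdirectories such as run/ (the pid directory) are skipped, not deleted.
oldest_file_in() {
    ls -1tr "$1" 2>/dev/null | while IFS= read -r f; do
        if [ -f "$1/$f" ]; then
            printf '%s\n' "$f"
            break
        fi
    done
}

# Delete oldest files from $1 until its size is at or below $2 KB.
# Prints the number of files removed so a caller (or cron log) can record it.
prune_snort_logs() {
    dir=$1
    limit=$2
    removed=0
    while [ "$(dir_size_kb "$dir")" -gt "$limit" ]; do
        victim=$(oldest_file_in "$dir")
        [ -n "$victim" ] || break          # only subdirectories left; stop
        rm -f "$dir/$victim"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Only act on the real directory when explicitly asked, so sourcing the
# file (or running it without arguments) deletes nothing.
case "${1:-}" in
    --prune)
        n=$(prune_snort_logs "$SNORT_LOG_DIR" "$LIMIT_KB")
        echo "snort log prune: removed $n file(s) from $SNORT_LOG_DIR"
        ;;
esac
```

    Invoked as `sh snort_prune.sh --prune` from a root crontab entry (pfSense's /etc/crontab carries a user field, e.g. `*/5 * * * * root /usr/local/bin/snort_prune.sh --prune`, an illustrative line, not one the package installs), it would have bounded the 5 x 10 MB files that filled the 58 MB /var partition described earlier in the thread. Note that `du` reports whole blocks, so the check is conservative by a few KB.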



  • @jamesdean:

    Fixed the whitelist bug.

    Mucho gracias mi amigo



  • I can't start Snort on x64 pfSense 2.0B4 latest build (I have disabled bad-traffic.so and bad-traffic, and I have the same problem). What can I do?

    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
    Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
    Sep 4 23:28:01 snort[11754]: [ 135 139 445 593 1024:65535 ]
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
    Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
    Sep 4 23:28:01 snort[11754]: [ 135 1024:65535 ]
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
    Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
    Sep 4 23:28:01 snort[11754]: [ 135 593 1024:65535 ]
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_NCACN_TCP' defined :
    Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
    Sep 4 23:28:01 snort[11754]: [ 2103 2105 2107 ]
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
    Sep 4 23:28:01 snort[11754]: PortVar 'DCERPC_BRIGHTSTORE' defined :
    Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
    Sep 4 23:28:01 snort[11754]: [ 6503:6504 ]
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]:
    Sep 4 23:28:01 snort[11754]: Detection:
    Sep 4 23:28:01 snort[11754]: Detection:
    Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
    Sep 4 23:28:01 snort[11754]: Search-Method = AC-BNFA-Q
    Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
    Sep 4 23:28:01 snort[11754]: Found pid path directive (/var/log/snort/run)
    Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
    Sep 4 23:28:01 snort[11754]: Tagged Packet Limit: 256
    Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
    Sep 4 23:28:01 snort[11754]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so…
    Sep 4 23:28:01 snort[11754]: done
    Sep 4 23:28:01 snort[11754]: done
    Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
    Sep 4 23:28:01 snort[11754]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/…
    Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
    Sep 4 23:28:01 snort[11754]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so…
    Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
    Sep 4 23:28:01 snort[11754]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules//bad-traffic.so: /usr/local/lib/snort/dynamicrules//bad-traffic.so: unsupported file layout
    Sep 4 23:28:01 SnortStartup[12043]: Interface Rule START for 0_25855_em1…
    Sep 4 23:28:04 check_reload_status: syncing firewall



  • Simby

    Precompiled shared object rules ("so.rules") are rules that private companies have given to snort.org in binary format. Snort.org is currently only building FreeBSD 32-bit versions of said rules.

    I have to turn off so.rules for pfSense 2.0 64-bit until snort.org builds 64-bit versions of said rules.

    James



  • What is the difference between the rules

    .snort
    .so
    .emerging

    ?



    • emerging-*    are the Emerging Threats rules maintained by emergingthreats.net.

    • snort*.so     are precompiled shared object rules that private companies have given to snort.org in binary format.

    • snort*        without .so are Sourcefire VRT Certified Rules that have been developed, tested and approved by the Sourcefire Vulnerability Research Team (VRT).

    • pfsense*      are the only ones I am not so sure about. I thought they were rules exclusive to the pfSense build of Snort. Having only one pfsense-voip.rules category now makes me think I might have something wrong.



  • There are some major issues with the new Snort package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.

    I have never had this issue before.

    Thanks for any help.



  • @darklogic:

    There are some major issues with the new Snort package v1.34 that was just released. I cannot get the package to start. I have uninstalled, reinstalled, rebooted, deleted the interface, unchecked "save my settings" and then uninstalled and reinstalled. Basically started from scratch.

    I have never had this issue before.

    Thanks for any help.

    I have the same problem after updating to the new 1.34.



  • Sorry about that.

    Doing code clean up.

    Fixed

    James



  • Thanks once again James !

