Snort is configured but not blocking or generating alerts


  • I've got pfSense v2.0-RC1 (i386) and I've got the latest version of Snort installed.

    I've loaded up a bunch of rules from Oinkmaster, I've enabled all of the preprocessors, and I've ensured the service is started.

    When I let it sit for a while and then check my Alerts and Block list, there are no entries. Even when I test it by logging into Skype (Skype is listed as a rule under P2P), I don't get any entries in the logs.

    If you need any further information, please let me know… I simply can't figure this one out.


  • I have the exact same issue on 2.0-RC1 (amd64) built on Sat Feb 26 18:07:23 EST 2011 (yes, there is a newer build) with Snort 2.8.6.1 pkg v. 1.34.

    I have installed (reinstalled, actually) from disk to HDD, booted, set up interfaces, installed the Snort package from the GUI, dropped in the Oinkcode, and set up an interface for Snort (WAN).

    No rule updates are working if I tell it to use Snort (Emerging Threats does work), but nothing is being blocked as far as I can tell. I enable rules, but nothing changes and no alerts or blocks are showing in the logs.

    Everything is green in the GUI as far as services and config.


  • I'm running the May 9th build, Snort installed and running on the WAN interface, blocking disabled, and alerts are showing up as I'd expect.

    Just another data point.


  • Hello,

    I appear to be having the same problem.

    I am running Snort 2.8.6.1 pkg v. 1.34 on pfSense 2.0 RC1.

    I read through a couple of pages and saw a similar thread where a user had to enable preprocessors. I admit I'm not the most experienced with pfSense and Snort. I used to run pfSense 1.2.3 RC3, which was later upgraded to 1.2.3 RELEASE IIRC, on an older machine. When I set up that box I spent quite a few days researching everything, but that was a couple of years ago now, and I admit I haven't paid too much attention to it beyond checking in on the services every now and again…

    Hopefully it helps, but my setup is pretty straightforward: Modem > pfSense router > PC. The box itself is newer, as I just upgraded my desktop PC and decided to use the old box as a new router, so it has 8 GB of RAM (I notice pfSense will ignore 4 GB of that). It is also a dual-core chip with SMP selected during install. The board has dual on-board gigabit Ethernet ports, which I am using for my WAN and LAN interfaces.

    I have tried installing the Emerging Threats rules as well as the Snort rules using an Oinkmaster code (alternately), but no alerts are being generated.

    Snort is enabled on WAN and LAN in the Snort interfaces tab.
    Snort is configured to run in AC mode for both interfaces.
    I have set Snort to attempt to post alerts to the pfSense logs, and have also tried unchecking this option.

    At the moment my snort general configuration page looks like so:
    Install snort.org rules: no (I have tried enabling this while disabling emerging threats)
    Snort code: Populated
    Install emerging threats rules: yes
    Update rules automatically: Daily
    Keep settings after reinstall: Yes

    Under Status > Services, Snort is running.

    The rules will appear to download if I attempt a manual download; if I try again, I'm told the rules are up to date.

    Please let me know if you would like any additional information, but please let me know where to collect it from.

    Thanks very much for your time!

    Update: facepalm. I had been having trouble locating the list of rules to use; I believe it has moved since the old version. Anyway, I enabled a bunch of rules... I'm pretty sure this will have fixed MY problem, but I'll wait a day and see if any alerts are generated and confirm with you folks.

    Update: still not getting any alerts. I tried installing Tor and testing the Tor rule that is selected; no alerts were generated while connected to the Tor network... Skype activity would be blocked using the pfsense-voip category of rules, I assume? I installed Skype and connected to the call testing service, and was able to record a message and have it played back... No alerts generated.

    I've likely done something silly, any thoughts?


  • I'm having the same problem.

    pfSense version:
    Tried the May 3rd build and then updated to the latest (May 12), which didn't help.

    Snort version:
    2.8.6.1 pkg v. 1.34

    Problem:

    • Not getting any alerts or blocks.

    • I've added the Dashboard widget called "Service Status" and it says Snort is Stopped. When I try to start it with the button next to it (status_services.php?mode=startservice&service=snort), it says "snort has been started." but Snort is still listed as off in the "Service Status".

    Config:

    • Tried different rules and tried to trigger them, without any success.

    • Tried different interfaces (WAN and LAN), without any success.


  • Snort is still being worked on for 2.0. We have to wait for the package to be updated by the developer.


  • From Services -> Snort, if it's enabled then the left-hand box will be green. If not, then manually update the rules (I need to do this every time I update the firmware), and click the interface you're applying the rules on and make sure some rules are applied. In my case I also had to start all the preprocessors as well, to get rid of the Snort error messages in the logs.


  • @Derek:

    From Services -> Snort, if it's enabled then the left-hand box will be green. If not, then manually update the rules (I need to do this every time I update the firmware), and click the interface you're applying the rules on and make sure some rules are applied. In my case I also had to start all the preprocessors as well, to get rid of the Snort error messages in the logs.

    Thanks for the help! I got it working now.

    Versions

    • pfSense - Built On: Thu May 12 10:52:38 EDT 2011

    • Snort 2.8.6.1 pkg v. 1.34

    Problem

    • No blocks or alerts were showing up.

    • Snort didn't seem to run (Dashboard - Services Status Said Snort was stopped)

    • I updated the firmware and didn't download the rules (manually update the rules, as Derek Zeanah said).

    Solution

    • I updated the rules manually

    For some reason it still says:

    INSTALLED SIGNATURE RULESET
    SNORT.ORG >>>  N/A
    EMERGINGTHREATS.NET >>>  N/A

    but if I enter the interface Snort is enabled on and look under Categories, the rules are listed.

    • I enabled the preprocessors

    I enabled Performance Statistics and scan detection:

    "Performance Statistics for this interface."

    "Detects various types of portscans and portsweeps."

    • Started Snort on the interface

    Under the If Settings tab on the Snort-enabled interface I pressed Start. The service is now listed as Running under Dashboard - Services Status.

    Last notes

    • I'm not sure if all steps are necessary but I did all these things before I noticed any alerts.

    • To test Snort I enabled the chat filter, which triggered on IRC messages.

    Hope this helps someone and thanks for the help!


  • @Preacher22:

    Update: facepalm. I had been having trouble locating the list of rules to use; I believe it has moved since the old version. Anyway, I enabled a bunch of rules... I'm pretty sure this will have fixed MY problem, but I'll wait a day and see if any alerts are generated and confirm with you folks.

    I can't seem to find the list of rules. Would you please let us know where they went?


  • Services -> Snort.
    Click the edit button next to your interface.
    Select Categories. You may need to enable preprocessors too.

    Did that help?


  • @Preacher22:

    I read through a couple pages and saw a similar thread where a user had to enable preprocessors.

    That was probably me. I'll try and remember to check my box when I get home and see where I enabled the preprocessors. I think they had their own tab, but I'm not sure.


  • I checked my setup last night.

    Make sure you go to the Preprocessors tab and check all of the check boxes there. If you don't, Snort won't inspect the HTTP traffic, etc.
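  • The two fixes that recur in this thread (the solution write-up above and the preprocessor note just before this) come down to two conditions on the per-interface snort.conf that the pfSense package generates: it must include rule files that contain at least one uncommented rule, and the preprocessors (stream5, http_inspect, sfportscan, perfmonitor) must be switched on. Below is an added example, not code from this thread or from the pfSense Snort package, that audits a snort.conf and its rule files for exactly those conditions. The directory under RULE_PATH, the sample config and the two rule files (including their SIDs) are constructed for the example and are assumptions about the package's on-disk layout.

```python
import re

# Snort 2.8.x preprocessors that the thread's fixes turn on. These are the
# keywords that appear on "preprocessor <name>" lines in snort.conf.
WANTED_PREPROCESSORS = ("stream5_global", "http_inspect", "sfportscan", "perfmonitor")

# A live rule line starts with an action keyword; a rule disabled by the
# vendor or by the GUI starts with "#".
RULE_LINE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+")


def _active_lines(text):
    """Yield config/rule lines that are neither blank nor comments."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def enabled_preprocessors(conf_text):
    """Return the set of preprocessor names that are switched on in snort.conf."""
    names = set()
    for line in _active_lines(conf_text):
        if line.startswith("preprocessor"):
            # "preprocessor http_inspect: global ..." -> "http_inspect"
            names.add(line.split(None, 1)[1].split(":", 1)[0].strip())
    return names


def included_rule_files(conf_text):
    """Return the .rules files that snort.conf actually includes, with $VARs expanded."""
    variables, files = {}, []
    for line in _active_lines(conf_text):
        parts = line.split()
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "include" and len(parts) == 2 and parts[1].endswith(".rules"):
            path = parts[1]
            for name, value in variables.items():
                path = path.replace("$" + name, value)
            files.append(path)
    return files


def count_active_rules(rules_text):
    """Count the rules in a .rules file that are not commented out."""
    return sum(1 for line in _active_lines(rules_text) if RULE_LINE.match(line))


def audit(conf_text, rule_files):
    """rule_files maps each (expanded) include path to that file's contents."""
    report = {"preprocessors_missing": [], "active_rules": {}, "problems": []}
    enabled = enabled_preprocessors(conf_text)
    report["preprocessors_missing"] = [p for p in WANTED_PREPROCESSORS if p not in enabled]
    includes = included_rule_files(conf_text)
    if not includes:
        report["problems"].append("snort.conf includes no .rules files")
    for path in includes:
        if path not in rule_files:
            report["problems"].append(f"included file missing on disk: {path}")
            continue
        report["active_rules"][path] = count_active_rules(rule_files[path])
    if includes and sum(report["active_rules"].values()) == 0:
        report["problems"].append("rule files are included but every rule is commented out")
    for p in report["preprocessors_missing"]:
        report["problems"].append(f"preprocessor not enabled: {p}")
    return report


# Constructed sample resembling a generated per-interface snort.conf. The
# RULE_PATH value is an assumption about the pfSense package layout, and the
# two preprocessors left commented out reproduce the "no alerts" state.
SAMPLE_CONF = """\
var RULE_PATH /usr/local/etc/snort/snort_wan/rules
preprocessor stream5_global: max_tcp 8192, track_tcp yes
preprocessor stream5_tcp: policy BSD
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
#preprocessor sfportscan: proto { all } scan_type { all }
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats
include classification.config
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-chat.rules
#include $RULE_PATH/emerging-tor.rules
"""

# Constructed rule files (SIDs are made up for the example).
SAMPLE_RULES = {
    "/usr/local/etc/snort/snort_wan/rules/emerging-p2p.rules": """\
# both rules still disabled, so this category cannot fire
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE p2p 1"; sid:9000001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE p2p 2"; sid:9000002; rev:1;)
""",
    "/usr/local/etc/snort/snort_wan/rules/emerging-chat.rules": """\
# one rule enabled (IRC), one disabled
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC"; flow:to_server; sid:9000003; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE chat 2"; sid:9000004; rev:1;)
""",
}


def sample_report():
    """Audit the constructed sample; returns the report dict."""
    return audit(SAMPLE_CONF, SAMPLE_RULES)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_report(), indent=2))
```

    On a live box you would pass the text of the interface's snort.conf to audit() together with a dict built by reading each path that included_rule_files() returns. A report with zero active rules, or with http_inspect in preprocessors_missing, matches the symptom in this thread: the service shows green, yet nothing can fire, and the Skype, Tor and IRC tests in the posts above are only meaningful once the audit comes back clean.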