Netgate Discussion Forum

    Snort is configured but not blocking or generating alerts

      rockinthesixstring

      I've got PFSense V 2.0-RC1 (i386) and I've got the latest version of Snort installed.

      I've loaded up a bunch of rules from Oinkmaster, I've enabled all of the preprocessors, and I've ensured the service is started.

      When I let it sit for a while and then check my Alerts and Block list, there are no entries. Even when I test it by logging into Skype (Skype is listed as a Rule from P2P), I don't get any entries in the logs.

      If you need any further information, please let me know… I simply can't figure this one out.

      Chase
      PFSense 2.0.1 - RELEASE

        barefootpanda

        I have the exact same issue on 2.0-RC1 (amd64) built on Sat Feb 26 18:07:23 EST 2011 (yes there is a newer build) with Snort 2.8.6.1 pkg v. 1.34

        I have installed (reinstalled actually) from disk to HDD, boot, setup interfaces, install Snort package from GUI, drop in Oinkcode, setup interface for Snort (WAN)

        No rule updates are working if I tell it to use Snort (emerging threats do work) but nothing is being blocked as far as I can tell. I enable rules, but nothing changes and no alerts or blocks are showing in the logs.

        Everything is green in gui as far as services and config.

          dzeanah

          I'm running the May 9th build, Snort installed and running on the WAN interface, blocking disabled, and alerts are showing up as I'd expect.

          Just another data point.

            Preacher22

            Hello,

            I appear to be having the same problem

            I am running Snort 2.8.6.1 pkg v. 1.34 on pfsense 2.0 RC1

            I read through a couple pages and saw a similar thread where a user had to enable preprocessors. I admit I'm not the most experienced with pfsense and snort - I used to run pfsense 1.2.3 RC3 which was later upgraded to 1.2.3 RELEASE IIRC on an older machine - When I set up that box I spent quite a few days researching everything but that was a couple years ago now and I admit I haven't paid too much attention to it beyond checking in on the services every now and again…

            Hopefully it helps but my setup is pretty straightforward - Modem>pfsense router>PC - the box itself is newer as I just upgraded my desktop pc and decided to use the old box as a new router so it has 8gb of ram (I notice pfsense will ignore 4gb of that) it is also a dual core chip with SMP selected during install. The board has dual on board gigabit ethernet ports which I am using for my WAN and LAN interfaces

            I have tried installing the emerging threats rules as well as the snort rules using an oinkmaster code (alternatively) but no alerts are being generated.

            Snort is enabled on WAN and LAN in the snort interfaces tab
            Snort is configured to run in AC mode for both interfaces
            I have set snort to attempt to post alerts to the pfsense logs as well as unchecking this option

            At the moment my snort general configuration page looks like so:
            Install snort.org rules: no (I have tried enabling this while disabling emerging threats)
            Snort code: Populated
            Install emerging threats rules: yes
            Update rules automatically: Daily
            Keep settings after reinstall: Yes

            Under status>services snort is running

            The rules will appear to download if I attempt a manual download - if I try again, I'm told the rules are up-to-date

            Please let me know if you would like any additional information but please let me know where to collect it from

            Thanks very much for your time!

            Update - Facepalm I had been having troubles locating the list of rules to use - I believe it has moved since the old version - Anyway, I enabled a bunch of rules... I'm pretty sure this will have fixed MY problem but I'll wait a day and see if any alerts are generated and confirm with you folks

            Update - Still not getting any alerts, tried installing Tor and testing the Tor rule that is selected - No alerts generated while connected to the Tor network... Skype activity would be blocked using the pfsense-voip category of rules I assume? I installed Skype and connected to the call testing service - was able to record a message and have it played back... No alerts generated

            I've likely done something silly, any thoughts?

              abobritta

              I'm having the same problem.

              pfSense version:
              Tried build May 3rd and updated then to the latest (May 12) which didn't help.

              Snort version
              2.8.6.1 pkg v. 1.34

              Problem:

              • Not getting any alerts or blocks.

              • I've added the Dashboard widget called "Service Status" and it says Snort is Stopped. When I try to start it with the button next to it (status_services.php?mode=startservice&service=snort), it says "snort has been started." but Snort is still listed as off in the "Service Status".

              Config:

              • Tried different rules and tried to trigger them without any success.

              • Tried different Interfaces (WAN and LAN) without any success.

                Cino

                Snort is still being worked on for 2.0. We have to wait for the package to be updated by the developer.

                  dzeanah

                  From Services -> Snort, if it's enabled then the left-hand box will be green.  If not, then manually update the rules (I need to do this every time I update the firmware), and click the interface you're applying the rules on and make sure some rules are applied.  In my case I also had to start all the preprocessors as well, to get rid of the Snort error messages in the logs.

                    abobritta

                    @Derek:

                    From Services -> Snort, if it's enabled then the left-hand box will be green.  If not, then manually update the rules (I need to do this every time I update the firmware), and click the interface you're applying the rules on and make sure some rules are applied.  In my case I also had to start all the preprocessors as well, to get rid of the Snort error messages in the logs.

                    Thanks for the help! I got it working now.

                    Versions

                    • pfSense - Built On: Thu May 12 10:52:38 EDT 2011

                    • Snort 2.8.6.1 pkg v. 1.34

                    Problem

                    • No blocks or alerts were showing up.

                    • Snort didn't seem to run (Dashboard - Services Status Said Snort was stopped)

                    • I updated the firmware and didn't download the rules (manually update the rules as Derek Zeanah said)

                    Solution

                    • I updated the rules manually

                    For some reason it still says

                    INSTALLED SIGNATURE RULESET
                    SNORT.ORG >>>  N/A
                    EMERGINGTHREATS.NET >>>  N/A

                    but if I enter the interface Snort is enabled on and look under Categories the rules were listed.

                    • I enabled the preprocessor

                    I enabled Performance Statistics and scan detect

                    Performance Statistics for this interface.

                    Detects various types of portscans and portsweeps.

                    • Started Snort on the interface

                    Under If settings on the Snort enabled interface I pressed Start. The service is now listed as Running under Dashboard - Services Status.

                    Last notes

                    • I'm not sure if all steps are necessary but I did all these things before I noticed any alerts.

                    • To test snort I enabled the chat filter which triggered on IRC messages

                    Hope this helps someone and thanks for the help!

                      rblake

                      @Preacher22:

                      Update - Facepalm I had been having troubles locating the list of rules to use - I believe it has moved since the old version - Anyway, I enabled a bunch of rules... I'm pretty sure this will have fixed MY problem but I'll wait a day and see if any alerts are generated and confirm with you folks

                      I can't seem to find the list of rules. Would you please let us know where they went?

                        dzeanah

                        Services -> Snort.
                        Click the edit button next to your interface.
                        Select Categories.  You may need to enable preprocessors too.

                        Did that help?

                          Bai Shen

                          @Preacher22:

                          I read through a couple pages and saw a similar thread where a user had to enable preprocessors.

                          That was probably me.  I'll try and remember to check my box when I get home and see where I enabled the preprocessors.  I think they had their own tab, but I'm not sure.

                            Bai Shen

                            I checked my setup last night.

                            Make sure you go to the Preprocessors tab and check all of the check boxes there.  If you don't, Snort won't inspect the http traffic, etc.
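
The two conditions this thread converged on (rule categories included but with no enabled rules, and preprocessors not loaded) can be checked against a copy of an interface's snort.conf. This is an added example, not code from any poster or from the pfSense package; it assumes standard Snort 2.x `preprocessor`/`include` syntax and `#`-commented disabled rules, and the config text, rule file contents and function names are constructed for illustration.

```python
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}

# Constructed snort.conf excerpt in Snort 2.x syntax (not taken from the thread).
SAMPLE_CONF = """\
var RULE_PATH /example/rules
preprocessor frag3_global: max_frags 8192
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
include classification.config
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-voip.rules
# include $RULE_PATH/emerging-chat.rules
"""

# Constructed rule files; a leading '#' means the rule is disabled.
SAMPLE_RULES = {
    "emerging-p2p.rules": (
        'alert tcp any any -> any any (msg:"constructed rule A"; sid:1000001; rev:1;)\n'
        '# alert udp any any -> any any (msg:"constructed rule B"; sid:1000002; rev:1;)\n'
    ),
    "emerging-voip.rules":
        '# alert udp any any -> any 5060 (msg:"constructed rule C"; sid:1000003; rev:1;)\n',
}


def audit(conf_text, rule_files):
    """Return (loaded preprocessors, {included rule file: enabled rule count})."""
    preprocs, enabled = [], {}
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        m = re.match(r"preprocessor\s+(\w+)", line)
        if m:
            preprocs.append(m.group(1))
        m = re.match(r"include\s+(\S+\.rules)$", line)
        if m:
            name = m.group(1).rsplit("/", 1)[-1]
            rules = rule_files.get(name, "").splitlines()
            enabled[name] = sum(1 for r in rules if r.split() and r.split()[0] in ACTIONS)
    return preprocs, enabled


def findings(conf_text, rule_files):
    """List conditions that leave Snort running but producing no alerts."""
    preprocs, enabled = audit(conf_text, rule_files)
    out = [f"{n}: included but no enabled rules" for n, c in enabled.items() if c == 0]
    if not enabled:
        out.append("no rule categories included")
    if "http_inspect" not in preprocs:
        out.append("http_inspect not loaded")
    return out
```
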
