Snort 2.8.6.1 pkg v1.34 on pfsense 1.2.3-RELEASE not working
-
Hello,
I installed snort via pfsense package applet and it installed fine, no errors were seen, but when I try to start the snort rule by clicking on the "play" green icon next to my interface, I get this output at the top of the window:
Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 86
Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: Is a directory in /usr/local/pkg/snort/snort.inc on line 1387
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:86) in /usr/local/www/snort/snort_interfaces.php on line 233
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:86) in /usr/local/www/snort/snort_interfaces.php on line 234
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:86) in /usr/local/www/snort/snort_interfaces.php on line 235
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:86) in /usr/local/www/snort/snort_interfaces.php on line 236
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:86) in /usr/local/www/snort/snort_interfaces.php on line 237
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:86) in /usr/local/www/snort/snort_interfaces.php on line 239
Then it appears that snort does not start.
Also, under the update tab, the tabs "Upload custom rules" & "GUI Update" won't work: I click on them and nothing happens.
Can anybody provide assistance?
Thanks a lot!
-
OK, it seems that the problem I had is no longer happening. Now that Snort seems to be working, I have to configure it and I wonder which rulesets I should unselect. Since I have both the emerging and snort rulesets, I have a lot of rules and snort won't start. In the logs, I see that the swap space ran out and that the snort process was killed.
I started by unselecting some rules I believed were probably useless for me… Since I am using only linux on my network, which rulesets should I de-activate to save some RAM?
Also, should I increase the swap space? If so, how? I am a noob in freebsd...
Any help appreciated.
Thanks
-
Bump!?
I believe there must be people using Snort here. I've found multiple references of people having similar issues, but nobody suggested a fix or explained what the rulesets are.
I wonder which rulesets I should remove… I understand there is no definite answer to this question and I also understand that it should be customized to the type of traffic you expect on your network, but I am pretty sure there must be some kind of standard config people use, unless you have some specialized needs.
Can anybody provide a list of rulesets that should be deactivated? At least some kind of description of what they do...
For example, can I safely deactivate the ruleset "emerging-activex.rules" if I am using ONLY linux machines on my network??
Anyone?
-
Check out www.snort.org for info on the rulesets. For a baseline of rules to use, read this article from smallnetbuilders: http://www.smallnetbuilder.com/security/security-howto/31451-build-your-own-utm-with-pfsense-part-2?showall=&start=2
-
That snort stuff is getting… "filthy" !
I used the chart at http://www.smallnetbuilder.com/security/security-howto/31451-build-your-own-utm-with-pfsense-part-2?start=2 to activate only the necessary rulesets.
Using this selection, Snort won't start. The rules "snort_netbios.rules" cause this in the system logs:
May 18 16:14:31 snort[1334]: FATAL ERROR: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(72) GID 1 SID 2511 in rule duplicates previous rule, with different protocol.
May 18 16:14:31 snort[1334]: FATAL ERROR: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(72) GID 1 SID 2511 in rule duplicates previous rule, with different protocol.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(58): GID 1 SID 2349 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(58): GID 1 SID 2349 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(57): GID 1 SID 2258 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(57): GID 1 SID 2258 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(56): GID 1 SID 2257 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(56): GID 1 SID 2257 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(55): GID 1 SID 2252 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(55): GID 1 SID 2252 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(41): GID 1 SID 2191 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(41): GID 1 SID 2191 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(37): GID 1 SID 2103 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(37): GID 1 SID 2103 in rule duplicates previous rule. Ignoring old rule.
May 18 16:14:31 snort[1334]: /usr/local/etc/snort/snort_20163_re1/rules/snort_netbios.rules(36): GID 1 SID 2101 in rule duplicates previous rule. Ignoring old rule.
After deactivating the NetBIOS-related rules, Snort will start, but I still see at least a thousand lines like these in the system logs:
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17189, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17189, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18205, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18205, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18439, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18439, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 16317, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 16317, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 13511, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 13511, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17134, GID: 3 not registered properly. Disabling this rule.
So what's going on with Snort?
-
I can't explain as I don't visit the snort forums often, but sometimes certain rules won't make snort run. As for your system log, I personally just ignore them. If you want or need an answer as to why, check out the many snort user groups out there: http://www.snort.org/community/groups. They should give you an answer.
-
From the snort source code,
/****************************************************************************
 *
 * Function: mergeDuplicateOtn()
 *
 * Purpose: Conditionally removes duplicate SID/GIDs. Keeps duplicate with
 *          higher revision. If revision is the same, keeps newest rule.
 *
 * Arguments: otn_dup   => The existing duplicate
 *            rtn       => the RTN chain to check
 *            char      => String describing the rule
 *            rule_type => enumerated rule type (alert, pass, log)
 *
 * Returns: 0 if original rule stays, 1 if new rule stays
 *
 ***************************************************************************/
So, in your interface rule directory you have duplicate SIDs with different protocols.
Somehow your rules are all messed up. So delete all your rules and install new ones.
Like so:
rm -r /usr/local/etc/snort/yourinterface_uuid/rules
cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/yourinterface_uuid/rules
Robert
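Robert's point above is that mergeDuplicateOtn() only tolerates a duplicate GID/SID when the protocol matches (it drops the lower rev with an "Ignoring old rule" warning); a duplicate with a different protocol is the FATAL ERROR from the log. The following checker is an added example, not code from the thread or the pfSense snort package: it scans rule text for duplicate GID/SID pairs and classifies them the same way, using constructed rule files whose names and rule bodies are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rule files (not real ruleset content). SID 2511 appears
# with two protocols, which Snort 2.8.x treats as fatal; SID 2349 appears twice
# with the same protocol, which only warns while the higher rev is kept.
SAMPLE_RULES = {
    "snort_netbios.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample A"; sid:2511; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS sample B"; sid:2349; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS sample B"; sid:2349; rev:12;)
""",
    "emerging-netbios.rules": """\
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample A"; sid:2511; rev:7;)
""",
}

RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+.*\(.*\)\s*$")
OPT_RE = {k: re.compile(rf"\b{k}\s*:\s*(\d+)\s*;") for k in ("gid", "sid", "rev")}


def parse_rules(files):
    """Yield (gid, sid, rev, protocol, 'file(line)') for every enabled rule."""
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = RULE_RE.match(line)
            if not m:
                continue  # blank lines, comments and '#'-disabled rules
            opts = {k: r.search(line) for k, r in OPT_RE.items()}
            if not opts["sid"]:
                continue  # a rule without a sid is not something Snort loads
            yield (int(opts["gid"].group(1)) if opts["gid"] else 1,
                   int(opts["sid"].group(1)),
                   int(opts["rev"].group(1)) if opts["rev"] else 1,
                   m.group(2).lower(), f"{name}({lineno})")


def find_duplicates(files):
    """Classify duplicate GID/SID pairs: 'fatal' if protocols differ, else 'warn'."""
    seen = defaultdict(list)
    for gid, sid, rev, proto, where in parse_rules(files):
        seen[(gid, sid)].append((rev, proto, where))
    report = {"fatal": [], "warn": []}
    for (gid, sid), entries in sorted(seen.items()):
        if len(entries) < 2:
            continue
        kind = "fatal" if len({p for _, p, _ in entries}) > 1 else "warn"
        # mergeDuplicateOtn keeps the higher rev; on a tie the later-loaded rule wins
        keep = max(range(len(entries)), key=lambda i: (entries[i][0], i))
        report[kind].append((gid, sid, [w for _, _, w in entries], entries[keep][2]))
    return report
```

To run it against a real interface directory such as the one in the log, read each `*.rules` file under `/usr/local/etc/snort/<interface_uuid>/rules/` into the `files` dict keyed by file name; any entry under `fatal` is one Snort will refuse to start on.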
-
Thanks for replying!
I tried what you suggested, but I still have the same stuff in the system log:
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17189, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17189, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18205, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18205, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18439, GID: 3 not registered properly. Disabling this rule.
Is it a big deal? Does it mean that Snort is not functional??
-
@lpallard:
Thanks for replying!
I tried what you suggested, but I still have the same stuff in the system log:
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17189, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17189, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18205, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18205, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 17300, GID: 3 not registered properly. Disabling this rule.
May 18 16:20:50 snort[1597]: Encoded Rule Plugin SID: 18439, GID: 3 not registered properly. Disabling this rule.
You had two problems:
1. Duplicate SIDs that didn't match (looks like it's fixed now).
2. One or more of your Snort Shared Object Rules don't have a rule file for them.
Don't worry about the second one; just those few rules are disabled. Snort will run fine.
Robert
-
Hello again!
Snort is once again dead…
After a reboot, it did not start, so I looked in the system logs and saw this:
snort[2015]: FATAL ERROR: /usr/local/etc/snort/snort_20163_re1/snort.conf(423) Invalid configuration line: /snort_x11.rules
May 22 17:01:05 snort[2015]: FATAL ERROR: /usr/local/etc/snort/snort_20163_re1/snort.conf(423) Invalid configuration line: /snort_x11.rules
These rules have been activated since I installed Snort. Last time I posted here, they were activated and Snort was running fine (at least it seemed to…). So why does Snort die now?