Netgate Discussion Forum

    Specific rules cause snort not to run.

    pfSense Packages
    8 Posts 3 Posters 4.2k Views
      mrmunkey

      Hi,
      I am sorry for my noobish question or comments.

      EDIT: I was able to figure out that some of the rules had caused snort not to work on an iface.

      misc.rules
      multimedia.rules
      mysql.rules
      netbios.rules

      The above rules seemed to cause snort not to show as running on ifaces. Perhaps my machine is misconfigured (very likely). However, I just wanted to post it in hope of aiding others. I am not running barnyard2 due to my not running mysql (I think). FreeBSD and pfSense are new to me. If I need to provide any other info to clear anything up please let me know.
      With Snort, should I be seeing the ENABLES box as green or red? I have tried starting Snort from the cli and am getting an error:

      Running in IDS mode
      
              --== Initializing Snort ==--
      Initializing Output Plugins!
      Initializing Preprocessors!
      Initializing Plug-ins!
      Parsing Rules file "/usr/local/etc/snort/snort.conf"
      PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
      PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
      PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
      PortVar 'SSH_PORTS' defined :  [ 22 ]
      PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
      Detection:
         Search-Method = AC-Full-Q
          Split Any/Any group = enabled
          Search-Method-Optimizations = enabled
          Maximum pattern length = 20
      ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
      Fatal Error, Quitting..

      I seem to remember the box being green in the web gui when an Iface had snort applied and working?

      Your help is appreciated.

        nesense

        I'm facing the same issue on nanoBSD "2.0-RC2 (i386) built on Mon May 23 13:22:17 EDT 2011" Snort 2.8.6.1 pkg v. 1.34

        EDIT
        Seems like it's a directory path/naming issue: you have to move the directories under "/usr/local/lib/snort/" into "/usr/local/lib/snort_*" by renaming each individual directory, for example "/usr/local/lib/snort/dynamicpreprocessor" into "/usr/local/lib/snort_dynamicpreprocessor".

        Another thing you have to fix is in /usr/local/etc/snort/snort.conf, under the path for rules:

        var RULE_PATH ../rules
        var SO_RULE_PATH ../so_rules
        var PREPROC_RULE_PATH ../preproc_rules

        Remove the "../" right next to every directory path to fix this, and then update your rules.

          mrmunkey

          EDIT: I guess the rules are broken. I have seen some older posts referencing this same kind of activity. However, I am not sure which log to check for the errors. Nothing shows up with errors in syslog, and I don't know what daemon.log would be in FreeBSD / pfSense.
          Did "un-checking" the above rules allow snort to work on your interface? (see my edit)
          The rules that seemed to cause the issue for me are:
          misc.rules
          multimedia.rules
          mysql.rules
          netbios.rules

            nesense

            I have updated my post with what seems like a fix for it.

              nesense

              I tried adding some rules and it turns out they are named in the wrong way too; you have, for example, ../rules/snort_attack-responses.rules, which should be named attack-responses.rules instead.

                mrmunkey
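The three fixes nesense describes in this thread (renaming the /usr/local/lib/snort/* directories to /usr/local/lib/snort_*, stripping "../" from the RULE_PATH lines in snort.conf, and dropping the snort_ prefix from rule file names) collected into one script, as an added example that is not from the thread or the pfSense package. It takes the install prefix as an argument so it can be tried on a copy of the tree first; it assumes the layout quoted in the posts above.

```shell
#!/bin/sh
# Added example, not from the thread: applies the three fixes nesense
# describes against a chosen prefix (default /usr/local). Assumes the
# pfSense 2.0 / Snort 2.8.6.1 layout quoted in the posts above.

# /usr/local/lib/snort/dynamicpreprocessor -> /usr/local/lib/snort_dynamicpreprocessor
fix_lib_dirs() {
    prefix="$1"
    for d in "$prefix"/lib/snort/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if [ -e "$prefix/lib/snort_$name" ]; then
            continue            # already moved on an earlier run
        fi
        mv "$d" "$prefix/lib/snort_$name"
    done
}

# Strip the leading "../" from the three path variables; keep a backup copy.
fix_conf_paths() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -E 's#^(var (RULE_PATH|SO_RULE_PATH|PREPROC_RULE_PATH) )\.\./#\1#' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# rules/snort_attack-responses.rules -> rules/attack-responses.rules
fix_rule_names() {
    rulesdir="$1"
    for f in "$rulesdir"/snort_*.rules; do
        [ -f "$f" ] || continue
        new="$rulesdir/$(basename "$f" | sed 's/^snort_//')"
        [ -e "$new" ] || mv "$f" "$new"
    done
}

# Confirm the path named in the "Could not stat dynamic module path" error now exists.
check_dynamic_path() {
    [ -d "$1/lib/snort_dynamicpreprocessor" ]
}

fix_snort_layout() {
    prefix="${1:-/usr/local}"
    fix_lib_dirs "$prefix"
    fix_conf_paths "$prefix/etc/snort/snort.conf"
    fix_rule_names "$prefix/etc/snort/rules"
    check_dynamic_path "$prefix"
}
```

Source the file and run fix_snort_layout /usr/local (it is safe to rerun; already-moved directories and files are skipped), then update the rules as nesense says.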

                ahh. Thanks man!

                  nesense

                  ERROR: /usr/local/etc/snort/snort.conf(200) => Invalid keyword 'compress_depth' for 'global' configuration.
                  Fatal Error, Quitting..

                  Fixing this requires the package to be recompiled with --enable-zlib :'(

                    Animus

                    How would one recompile the zlib library from the Web Configurator? If it has to be done via the command line, what is the pkg_add command that would do this? ???

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.