Snort Won't Start After Upgrade
-
@cmb:
We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has lead to this massive clean up today, with more work to be done on it tomorrow.
https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043aThat's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.
If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.
funny I just checked github to see what updates are out there and Ermal has been busy!! I see the old snort package is enable… Who is going to be the brave soul and try it? Well i gave it shot and it installed on my system but it couldn't download the rules from snort.org
Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 859
I guess i should wait until the devs say its good to go.
going to see if i can manually download them
-
@cmb is right snort should be maintained by the core paid developers. My work on snort package will stop immediately and will move my code to a package called Orion.
I have really enjoyed giving my free time and code to the pfSense snort community. I hope people continue to enjoy my GUI I have built and code I have donated.
Those of you that expect the Old snort gui to return dont worry, 90% of my snort 1.2.3 code will not change for 2.0.My snort 2.0 package I was working on will become Orion IDS package and will likely become private for paid supporters. This will help me give my full attention to this package.
I think I have a base now that can support me to work on this package on a limited part time.Moreover, this should give me the freedom to add features as fast as possible.
Robert
-
I just made some other changes that should make it behave better in regards to rule downloading.
I couldn't test with snort.org since it was slow and did not have an account to test with.
-
This makes sense if i'm reading this last couple of post correctly. Snort being maintained my the core dev team.. If users want more then a basic Snort package… They have the option to pay for the Orion IDS.
@Ermal I'll give it a shot but you are right! Snort.org is really slow today... My manual updating from the cmd failed due to timeouts
-
Snorts site is timing out so i can't test. emergingnet rules downloaded with no problems.
When I tried to start snort on my WAN interface, this is the error i received:
Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 92 Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: Is a directory in /usr/local/pkg/snort/snort.inc on line 1184 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 192 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 193 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 194 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 195 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 196 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 197
This is in my system log:
Aug 2 13:20:31 php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing. Aug 2 13:20:31 php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
I don't know if this is relate to adding snort or my mornings gitsync but when i look at my system log i get the below errors. I'm able to see the system log tho but this is at the header of the page. Also, none of the other tabs are showing this error(firewall,dhcp,openvpn)
Warning: Unknown: GC cache entry '/usr/local/www/guiconfig.inc' (dev=109 ino=801962) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/usr/local/www/csrf/csrf-magic.php' (dev=109 ino=801951) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/xmlparse.inc' (dev=109 ino=7301225) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/util.inc' (dev=109 ino=7301219) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/priv.defs.inc' (dev=109 ino=7301206) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/priv.inc' (dev=109 ino=7301205) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/priv/user.priv.inc' (dev=109 ino=7301204) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/notices.inc' (dev=109 ino=7301195) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/led.inc' (dev=109 ino=7301192) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/IPv6.inc' (dev=109 ino=7301190) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/globals.inc' (dev=109 ino=7301185) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/crypt.inc' (dev=109 ino=7301178) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/config.lib.inc' (dev=109 ino=7301176) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/config.gui.inc' (dev=109 ino=7301175) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/authgui.inc' (dev=109 ino=7301168) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/auth.inc' (dev=109 ino=7301167) was on gc-list for 3659 seconds in Unknown on line 0 Warning: session_start(): Cannot send session cache limiter - headers already sent in /etc/inc/auth.inc on line 1260 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 47 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 48 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 49 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 50 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 51
Now i'm asking for too much, could it be possible to add a index.php in the root of the snort www directory with the below code? So when i click on the pfSense image in the upper left corner, it brings back to the main dashboard page instead of page no found.
EDIT: The permissions are wrong on the /usr/local/etc/rc.d/snort.sh file I believe. Its currently 644, should 755. i tried to manually start snort using the snort.sh but i think there is an syntax error with the interface
[2.1-DEVELOPMENT][root@]/root/custom(7): /usr/local/etc/rc.d/snort.sh start ls: /tmp/snort.sh.pid: No such file or directory ls: /tmp/snort.sh.pid: No such file or directory rm: /var/run/snort_7758_em3.pid: No such file or directory rm: /var/run/snort_7758_em3.pid.lck: No such file or directory [2.1-DEVELOPMENT][root@]/root/custom(8): usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file target_file cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file ... target_directory
-
Hello,
i am running the latest pfsense 2.0 rc3 from today and have installed the snort 2.0 package as a virtual machine on kvm. If i want to edit the network interface in the snort settings, i get an "error: no uuid". How can i fix this problem?
Regards, valle
-
-
The thing on this forum that just does not sense .People do not read the forum snort has been broken for a long time now .there was a couple of posts on the forum saying it will be awhile before it gets fixed .
Will someone tell us how far it has come and is the beta out yet for us to test out .
I am using my standbye UTM software with snort in there operating system and it works perfect . -
@ermal:
should be fixed, just reinstall.
Almost there… it seems to forget the interface.. I noticed that you made some changes to how it puts the interface, wondering if something is missing there.
I deleted all my snort configs... Added a interface... told me i had no rules... updated the rules again.... checked some rules.... tried to start it, didn't start. Went back to the categorizes and was told i dont have rules... its picking the wrong directory or something.
Aug 2 17:10:29 SnortStartup[35682]: Interface Rule START for 0_39737_... Aug 2 17:10:29 snort[34151]: Aug 2 17:10:29 snort[34151]: Aug 2 17:10:29 snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source. Aug 2 17:10:29 snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
-
Can you show me hte generated snort conf?
-
@ermal:
Can you show me hte generated snort conf?
Here you go:
#!/bin/sh ######## # This file was automatically generated # by the pfSense service handler. # Code added to protect from double starts on pfSense bootup ######## Begining of Main snort.sh rc_start() { #### Check for double starts, Pfsense has problems with that if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi /bin/echo "snort.sh run" > /tmp/snort.sh.pid #### Remake the configs on boot Important! /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php & /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." ###### For Each Iface #### Fake start only used on bootup and Pfsense IP changes #### Only try to restart if snort is running on Iface if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" != "" ]; then snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" #### Restart Iface /bin/kill -HUP ${snort_pid} /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For 39737_..." fi /bin/rm /tmp/snort.sh.pid #### If on Fake start snort is NOT running DO a real start. if [ "`/bin/ps -auwx | grep -v grep | grep "R 39737" | awk '{print $2;}'`" = "" ]; then rc_start_real fi } rc_start_real() { #### Check for double starts, Pfsense has problems with that if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi ###### For Each Iface # If Snort proc is NOT running if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" = "" ]; then /bin/echo "snort.sh run" > /tmp/snort.sh.pid # Start snort and barnyard2 /bin/rm /var/run/snort_39737_.pid /bin/rm /var/run/snort_39737_.pid.lck /usr/local/bin/snort -u snort -g snort -R 39737 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 39737 -c /usr/local/etc/snort/snort_39737_/snort.conf -i /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For 39737_..." fi /bin/rm /tmp/snort.sh.pid } rc_stop() { #### Check for double starts, Pfsense has problems with that if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'` sleep 3 pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_39737_.u2" | /usr/bin/awk '{print $2;}'` if [ ${pid_s} ] ; then /bin/echo "snort.sh run" > /tmp/snort.sh.pid /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For 39737_..." /bin/kill ${pid_s} sleep 3 /bin/kill ${pid_b} /bin/rm /var/run/snort_39737_.pid.lck /bin/rm /var/run/snort_39737_.pid fi /bin/rm /tmp/snort.sh.pid /bin/rm /var/run/snort* } case $1 in start) rc_start ;; start_real) rc_start_real ;; stop) rc_stop ;; restart) rc_stop rc_start_real ;; esac
-
Try the new update i just made.
That is the startup script and not the config. But for now all should be fixed.
-
@ermal:
That is the startup script and not the config. But for now all should be fixed.
sorry about that… Just tried the new updates and seeing a different error... snort engine is trying to start tho. When i'm in 'Snort: Interface Edit:' the server, preprocessors, barnyard2 tab show the interface as '0em3' instead of '39737 em3' but the other tabs are showing the interface correctly.
Aug 2 20:39:43 SnortStartup[22178]: Interface Rule START for 0_39737_em3... Aug 2 20:39:43 snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option. Aug 2 20:39:43 snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option. Aug 2 20:39:43 snort[21986]: alert_multiple_requests: ACTIVE Aug 2 20:39:43 snort[21986]: alert_multiple_requests: ACTIVE Aug 2 20:39:43 snort[21986]: alert_incomplete: ACTIVE Aug 2 20:39:43 snort[21986]: alert_incomplete: ACTIVE Aug 2 20:39:43 snort[21986]: alert_large_fragments: ACTIVE Aug 2 20:39:43 snort[21986]: alert_large_fragments: ACTIVE Aug 2 20:39:43 snort[21986]: alert_fragments: INACTIVE Aug 2 20:39:43 snort[21986]: alert_fragments: INACTIVE Aug 2 20:39:43 snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 Aug 2 20:39:43 snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 Aug 2 20:39:43 snort[21986]: rpc_decode arguments: Aug 2 20:39:43 snort[21986]: rpc_decode arguments:
here is my conf
# snort configuration file # generated by the pfSense # package manager system # see /usr/local/pkg/snort.inc # for more information # snort.conf # Snort can be found at http://www.snort.org/ # # Copyright (C) 2009-2010 Robert Zelaya # part of pfSense # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # # 1\. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. # # 2\. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. ######################### # # Define Local Network # # ######################### var HOME_NET [68.xxx.xxx.xxx/22,192.168.0.1/24,192.168.200.1/32,192.168.201.1/32,/,192.168.5.1/24,68.xxx.xxx.x,2001:xxx:xx::2,8.8.8.8,8.8.4.4,127.0.0.1] var EXTERNAL_NET !$HOME_NET ################### # # Define Servers # # ################### var DNS_SERVERS [$HOME_NET] var SMTP_SERVERS [$HOME_NET] var HTTP_SERVERS [$HOME_NET] var SQL_SERVERS [$HOME_NET] var TELNET_SERVERS [$HOME_NET] var SNMP_SERVERS [$HOME_NET] var FTP_SERVERS [$HOME_NET] var SSH_SERVERS [$HOME_NET] var POP_SERVERS [$HOME_NET] var IMAP_SERVERS [$HOME_NET] var RPC_SERVERS $HOME_NET var WWW_SERVERS [$HOME_NET] var SIP_PROXY_IP [$HOME_NET] var AIM_SERVERS \ [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] ######################## # # Define Server Ports # # ######################## portvar HTTP_PORTS [80] portvar SHELLCODE_PORTS !80 portvar ORACLE_PORTS [1521] portvar AUTH_PORTS [113] portvar DNS_PORTS [53] portvar FINGER_PORTS [79] portvar FTP_PORTS [21] portvar IMAP_PORTS [143] portvar IRC_PORTS [6665,6666,6667,6668,6669,7000] portvar MSSQL_PORTS [1433] portvar NNTP_PORTS [119] portvar POP2_PORTS [109] portvar POP3_PORTS [110] portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779] portvar RLOGIN_PORTS [513] portvar RSH_PORTS [514] portvar SMB_PORTS [139,445] portvar SMTP_PORTS [25] portvar SNMP_PORTS [161] portvar SSH_PORTS [222] portvar TELNET_PORTS [23] portvar MAIL_PORTS [25,143,465,691] portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995] portvar SIP_PROXY_PORTS [5060:5090,16384:32768] # DCERPC NCACN-IP-TCP portvar DCERPC_NCACN_IP_TCP [139,445] portvar DCERPC_NCADG_IP_UDP [138,1024:] portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:] portvar DCERPC_NCACN_UDP_LONG [135,1024:] portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:] portvar DCERPC_NCACN_TCP [2103,2105,2107] portvar DCERPC_BRIGHTSTORE [6503,6504] ##################### # # Define Rule Paths # # ##################### var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules # var PREPROC_RULE_PATH ./preproc_rules ################################ # # Configure the snort decoder # # ################################ config checksum_mode: all config disable_decode_alerts config disable_tcpopt_experimental_alerts config disable_tcpopt_obsolete_alerts config disable_ttcp_alerts config disable_tcpopt_alerts config disable_ipopt_alerts config disable_decode_drops ################################### # # Configure the detection engine # # Use lower memory models # # ################################### config detection: search-method ac-bnfa max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so dynamicdetection directory /usr/local/lib/snort/dynamicrules ################### # # Flow and stream # # ################### preprocessor frag3_global: max_frags 8192 preprocessor frag3_engine: policy bsd detect_anomalies preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp yes preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes preprocessor stream5_udp: preprocessor stream5_icmp: ########################## # # NEW # # Performance Statistics # # ########################## preprocessor perfmonitor: time 300 file /var/log/snort/snort_39737_em3.stats pktcnt 10000 ################# # # HTTP Inspect # # ################# preprocessor http_inspect: global iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ ports { 80 8080 } \ non_strict \ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ flow_depth 0 \ apache_whitespace no \ directory no \ iis_backslash no \ u_encode yes \ ascii no \ chunk_length 500000 \ bare_byte yes \ double_decode yes \ iis_unicode no \ iis_delimiter no \ multi_slash no ################## # # Other preprocs # # ################## preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 preprocessor bo ##################### # # ftp preprocessor # # ##################### preprocessor ftp_telnet: global \ inspection_type stateless preprocessor ftp_telnet_protocol: telnet \ normalize \ ayt_attack_thresh 200 preprocessor ftp_telnet_protocol: \ ftp server default \ def_max_param_len 100 \ ports { 21 } \ ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ ftp_cmds { FEAT CEL CMD MACB } \ ftp_cmds { MDTM REST SIZE MLST MLSD } \ ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ alt_max_param_len 256 { RNTO CWD } \ alt_max_param_len 400 { PORT } \ alt_max_param_len 512 { SIZE } \ chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ chk_str_fmt { FEAT CEL CMD } \ chk_str_fmt { MDTM REST SIZE MLST MLSD } \ chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ cmd_validity MODE < char ASBCZ > \ cmd_validity STRU < char FRP > \ cmd_validity ALLO < int [ char R int ] > \ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ cmd_validity PORT < host_port > preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes ##################### # # SMTP preprocessor # # ##################### preprocessor SMTP: \ ports { 25 465 691 } \ inspection_type stateful \ normalize cmds \ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ max_header_line_len 1000 \ max_response_line_len 512 \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ xlink2state { enable } ################ # # sf Portscan # # ################ preprocessor sfportscan: scan_type { all } \ proto { all } \ memcap { 10000000 } \ sense_level { medium } \ ignore_scanners { $HOME_NET } ############################ # # OLD # # preprocessor dcerpc: \ # # autodetect \ # # max_frag_size 3000 \ # # memcap 100000 # # ############################ ############### # # NEW # # DCE/RPC 2 # # ############### preprocessor dcerpc2: memcap 102400, events [smb, co, cl] preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ smb_max_chain 3 #################### # # DNS preprocessor # # #################### preprocessor dns: \ ports { 53 } \ enable_rdata_overflow ############################## # # NEW # # Ignore SSL and Encryption # # ############################## preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted ##################### # # Snort Output Logs # # ##################### output unified: filename snort_39737_em3.log, limit 128 output alert_full: alert ################# # # Misc Includes # # ################# include /usr/local/etc/snort/snort_39737_em3/reference.config include /usr/local/etc/snort/snort_39737_em3/classification.config # Snort user pass through configuration ################### # # Rules Selection # # ################### include $RULE_PATH/emerging-attack_response.rules include $RULE_PATH/emerging-botcc.rules include $RULE_PATH/emerging-ciarmy.rules include $RULE_PATH/emerging-compromised.rules include $RULE_PATH/emerging-current_events.rules include $RULE_PATH/emerging-deleted.rules include $RULE_PATH/emerging-dos.rules include $RULE_PATH/emerging-dshield.rules include $RULE_PATH/emerging-exploit.rules
EDIT: I found the issue in the conf file under var HOME_NET 01.1/32,/,192.168.5.1/24
was able to manually start snort after editing the conf file :-)
It doesnt create the folder/file for the suppress list
Aug 2 21:59:38 snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory. Aug 2 21:59:38 snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
-
I have a couple of issues:
1. When updating rules, when it tries to download the snort.org rules, the following error is shown at the bottom of the page and the rules are not processed:
Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 820
2. If I have the option enabled to "Keep snort settings after deinstall" and then reinstall the package, the menu link for Snort does not appear and Snort is not listed in the "Status: Services" page. I have to backup the config, remove the "snortglobal" section, upload the new config and reinstall Snort to fix it.
Thanks!
-
Thank you all for great work - snort kicks back online on my router - I really felt naked during last few weeks.
BTW. If I understand it correctly classic snort package maintenance was shifted from JamesDean, I really admire his work, I can only hope that you will get on well.I have a couple of issues:
1. When updating rules, when it tries to download the snort.org rules, the following error is shown at the bottom of the page and the rules are not processed:
Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 820
2. If I have the option enabled to "Keep snort settings after deinstall" and then reinstall the package, the menu link for Snort does not appear and Snort is not listed in the "Status: Services" page. I have to backup the config, remove the "snortglobal" section, upload the new config and reinstall Snort to fix it.
Thanks!
I think that no 1 is fixed with the latest update (package version did not change).
I encountered the same issue as in no 2, although I didn't try fiddling with config yet.
What I did was simply use direct link to snort webconfiguration:
http://192.168.1.1/snort/snort_interfaces.php
to update rules and start snort and it seems to be working correctly.
During the snort "holiday" break I messed up with the snort-dev package - maybe something left over from it. -
2.0-RC3 (amd64)
built on Tue Aug 2 22:54:59 EDT 2011First let me say thanks for getting this package back now I can go back to testing ;D
The only problem I've found is that if you tick the Block Offenders under the if settings tab then snort refuses to restart. The following error is logged.
snort[9497]: FATAL ERROR: /usr/local/etc/snort/snort_50697_bce0/snort.conf(351) Unknown output plugin: "alert_pf"
Untick the box and it fires up fine but obviously no hosts get added to the block list.
-
Just got the e-mail that this was fixed. Awesome! Thank you!
http://redmine.pfsense.org/issues/1590
-th3r3isnospoon
-
@Ermal great work! I found small bug with the Suppress List. The interface doesn't seem to be saving the file needed for the interface to come up. Is the path wrong?
Aug 3 09:03:12 snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory. Aug 3 09:03:12 snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
I'm going to do more testing with white list and home net list today and report back… I know white list wasn't working in the old package but the work around was to use the home net instead if you needed to white list an IP.
-
All the issues should be solved now.
Please reinstall and test. -
@ermal:
All the issues should be solved now.
Please reinstall and test.new problem.. After updating snort, all the menu items for other packages are missing. I did a full firmware update so it would re-download all the packages.. Same thing, all package menu items are removed but Services-Snort is there..
countryblock, LCDproc, cron, shellcmd, vnstat2, ntop, notes are all missing from the menu
EDIT: I removed the code that was added to pkg-utils.inc, https://github.com/bsdperimeter/pfsense/commit/27018d3cc4f12c995efadf5dc5ba90eb7c1aa641 Rebooted the box and did a package re-install.. Now my package menu items are there