Netgate Discussion Forum

    Snort Won't Start After Upgrade

    pfSense Packages
eri--

      I just made some other changes that should make it behave better in regards to rule downloading.

      I couldn't test with snort.org since it was slow and did not have an account to test with.

Cino

This makes sense if I'm reading these last couple of posts correctly. Snort being maintained by the core dev team... If users want more than a basic Snort package, they have the option to pay for the Orion IDS.

@Ermal I'll give it a shot, but you are right! Snort.org is really slow today... My manual updating from the cmd failed due to timeouts.

Cino

Snort's site is timing out so I can't test. The emergingnet rules downloaded with no problems.

When I tried to start Snort on my WAN interface, this is the error I received:

Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 92
Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: Is a directory in /usr/local/pkg/snort/snort.inc on line 1184
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 192
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 193
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 194
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 195
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 196
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 197
          

          This is in my system log:

          
          Aug 2 13:20:31 	php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
          Aug 2 13:20:31 	php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
          
          

I don't know if this is related to adding Snort or my morning's gitsync, but when I look at my system log I get the below errors. I'm able to see the system log, though, but this is at the header of the page. Also, none of the other tabs are showing this error (firewall, dhcp, openvpn).

          
Warning: Unknown: GC cache entry '/usr/local/www/guiconfig.inc' (dev=109 ino=801962) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/usr/local/www/csrf/csrf-magic.php' (dev=109 ino=801951) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/xmlparse.inc' (dev=109 ino=7301225) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/util.inc' (dev=109 ino=7301219) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv.defs.inc' (dev=109 ino=7301206) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv.inc' (dev=109 ino=7301205) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv/user.priv.inc' (dev=109 ino=7301204) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/notices.inc' (dev=109 ino=7301195) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/led.inc' (dev=109 ino=7301192) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/IPv6.inc' (dev=109 ino=7301190) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/globals.inc' (dev=109 ino=7301185) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/crypt.inc' (dev=109 ino=7301178) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/config.lib.inc' (dev=109 ino=7301176) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/config.gui.inc' (dev=109 ino=7301175) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/authgui.inc' (dev=109 ino=7301168) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/auth.inc' (dev=109 ino=7301167) was on gc-list for 3659 seconds in Unknown on line 0
Warning: session_start(): Cannot send session cache limiter - headers already sent in /etc/inc/auth.inc on line 1260
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 47
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 48
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 49
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 50
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 51
          
          

Now I'm asking for too much, but could it be possible to add an index.php in the root of the snort www directory with the below code? So when I click on the pfSense image in the upper left corner, it brings me back to the main dashboard page instead of "page not found".

EDIT: The permissions are wrong on the /usr/local/etc/rc.d/snort.sh file, I believe. It's currently 644, should be 755. I tried to manually start Snort using the snort.sh but I think there is a syntax error with the interface.

          
          [2.1-DEVELOPMENT][root@]/root/custom(7): /usr/local/etc/rc.d/snort.sh start
          ls: /tmp/snort.sh.pid: No such file or directory
          ls: /tmp/snort.sh.pid: No such file or directory
          rm: /var/run/snort_7758_em3.pid: No such file or directory
          rm: /var/run/snort_7758_em3.pid.lck: No such file or directory
          [2.1-DEVELOPMENT][root@]/root/custom(8): usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file target_file
                 cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file ... target_directory
          
          
valshare

            Hello,

I am running the latest pfSense 2.0 RC3 from today and have installed the Snort 2.0 package as a virtual machine on KVM. If I want to edit the network interface in the Snort settings, I get an "error: no uuid". How can I fix this problem?

            Regards, valle

eri--

              @Cino,

              should be fixed, just reinstall.

              @valshare,

              please give me the right error message since that does not mean anything!

NightHawk007

The thing on this forum that just does not make sense: people do not read the forum. Snort has been broken for a long time now; there were a couple of posts on the forum saying it will be a while before it gets fixed.
Will someone tell us how far it has come, and is the beta out yet for us to test?
I am using my standby UTM software with Snort in their operating system and it works perfectly.

Cino

                  @ermal:

                  @Cino,

                  should be fixed, just reinstall.

Almost there... it seems to forget the interface. I noticed that you made some changes to how it puts the interface; wondering if something is missing there.

I deleted all my Snort configs... added an interface... it told me I had no rules... updated the rules again... checked some rules... tried to start it, didn't start. Went back to the categories and was told I don't have rules... it's picking the wrong directory or something.

                  Aug 2 17:10:29 	SnortStartup[35682]: Interface Rule START for 0_39737_...
                  Aug 2 17:10:29 	snort[34151]:
                  Aug 2 17:10:29 	snort[34151]:
                  Aug 2 17:10:29 	snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
                  Aug 2 17:10:29 	snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
                  

[Attachment: snort.jpg]

eri--

Can you show me the generated snort conf?

Cino

                      @ermal:

Can you show me the generated snort conf?

                      Here you go:

                      #!/bin/sh
                      ########
                      # This file was automatically generated
                      # by the pfSense service handler.
                      # Code added to protect from double starts on pfSense bootup
                      ######## Begining of Main snort.sh
                      
                      rc_start() {
                      
                      	#### Check for double starts, Pfsense has problems with that
                      	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
                      
                      		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
                      		exit 0
                      
                      	fi
                      
                      	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
                      
                      	#### Remake the configs on boot Important!
                      	/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &
                      	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..."
                      
                      ###### For Each Iface
                      
                      #### Fake start only used on bootup and Pfsense IP changes
                      #### Only try to restart if snort is running on Iface
                      if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" != "" ]; then
                      
                      	snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`"
                      	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
                      
                      	#### Restart Iface
                      	/bin/kill -HUP ${snort_pid}
                      	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For 39737_..."
                      
                      fi
                      
                      	/bin/rm /tmp/snort.sh.pid
                      
                      	#### If on Fake start snort is NOT running DO a real start.
                      	if [ "`/bin/ps -auwx | grep -v grep | grep "R 39737" | awk '{print $2;}'`" = "" ]; then
                      
                      		rc_start_real
                      
                      	fi
                      }
                      
                      rc_start_real() {
                      
                      	#### Check for double starts, Pfsense has problems with that
                      	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
                      		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
                      		exit 0
                      	fi
                      
                      	###### For Each Iface
                      
                      # If Snort proc is NOT running
                      if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" = "" ]; then
                      
                      	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
                      
                      	# Start snort and barnyard2
                      	/bin/rm /var/run/snort_39737_.pid
                      	/bin/rm /var/run/snort_39737_.pid.lck
                      
                      	/usr/local/bin/snort -u snort -g snort -R 39737 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 39737 -c /usr/local/etc/snort/snort_39737_/snort.conf -i 
                      
                      	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For 39737_..."
                      
                      fi
                      
                      	/bin/rm /tmp/snort.sh.pid
                      
                      }
                      
                      rc_stop() {
                      
                      	#### Check for double starts, Pfsense has problems with that
                      	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
                      		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
                      		exit 0
                      	fi
                      
                      pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`
                      sleep 3
                      pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_39737_.u2" | /usr/bin/awk '{print $2;}'`
                      
                      if [ ${pid_s} ] ; then
                      
                      	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
                      	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For 39737_..."
                      
                      	/bin/kill ${pid_s}
                      	sleep 3
                      	/bin/kill ${pid_b}
                      
                      	/bin/rm /var/run/snort_39737_.pid.lck
                      	/bin/rm /var/run/snort_39737_.pid
                      
                      fi
                      
                      	/bin/rm /tmp/snort.sh.pid
                      	/bin/rm /var/run/snort*
                      
                      }
                      
                      case $1 in
                      	start)
                      		rc_start
                      		;;
                      	start_real)
                      		rc_start_real
                      		;;
                      	stop)
                      		rc_stop
                      		;;
                      	restart)
                      		rc_stop
                      		rc_start_real
                      		;;
                      esac
                      
                      
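Before installing a regenerated snort.sh, it is worth checking the script for the two defects visible in Cino's copy above: the bare `-i ` with no interface after it (and the matching snort_39737_.pid names) and the 644 mode on a file in rc.d. The checker below is an added example, not pfSense or Snort package code; the function name check_snort_rc and the patterns it greps for are my own assumptions.

```shell
#!/bin/sh
# check_snort_rc: sanity-check a generated snort.sh rc script before it
# is installed. Added example, not pfSense or Snort package code. It looks
# for the defects seen in the thread's script: a snort command line that
# ends in "-i " with no interface, pid file names with the interface
# missing (snort_39737_.pid), and a file mode without the execute bit.
#
# Usage: check_snort_rc /usr/local/etc/rc.d/snort.sh
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_snort_rc() {
    file="$1"
    rc=0

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi

    # 1. The snort invocation must name an interface after -i.
    #    The generator in the thread emitted "... snort.conf -i " and nothing else.
    if grep '/usr/local/bin/snort ' "$file" >/dev/null 2>&1; then
        if ! grep -E '/usr/local/bin/snort .* -i [A-Za-z0-9_.]+' "$file" >/dev/null 2>&1; then
            echo "snort command line has no interface after -i"
            rc=1
        fi
    else
        echo "no snort command line found"
        rc=1
    fi

    # 2. pid paths are expected as snort_<id>_<iface>.pid; an empty
    #    interface shows up as snort_<id>_.pid.
    if grep -E 'snort_[0-9]+_\.pid' "$file" >/dev/null 2>&1; then
        echo "pid path lacks the interface name"
        rc=1
    fi

    # 3. rc.d scripts need the execute bit (the thread saw 644 instead of 755).
    if [ ! -x "$file" ]; then
        echo "not executable: $file"
        rc=1
    fi

    return "$rc"
}

# Run directly: check the path given as the first argument.
if [ $# -gt 0 ]; then
    check_snort_rc "$1"
fi
```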
eri--

Try the new update I just made.

                        That is the startup script and not the config. But for now all should be fixed.

Cino

                          @ermal:

                          That is the startup script and not the config. But for now all should be fixed.

Sorry about that... Just tried the new updates and I'm seeing a different error... the Snort engine is trying to start, though. When I'm in 'Snort: Interface Edit:' the server, preprocessors, and barnyard2 tabs show the interface as '0em3' instead of '39737 em3', but the other tabs are showing the interface correctly.

                          
                          Aug 2 20:39:43 	SnortStartup[22178]: Interface Rule START for 0_39737_em3...
                          Aug 2 20:39:43 	snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option.
                          Aug 2 20:39:43 	snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option.
                          Aug 2 20:39:43 	snort[21986]: alert_multiple_requests: ACTIVE
                          Aug 2 20:39:43 	snort[21986]: alert_multiple_requests: ACTIVE
                          Aug 2 20:39:43 	snort[21986]: alert_incomplete: ACTIVE
                          Aug 2 20:39:43 	snort[21986]: alert_incomplete: ACTIVE
                          Aug 2 20:39:43 	snort[21986]: alert_large_fragments: ACTIVE
                          Aug 2 20:39:43 	snort[21986]: alert_large_fragments: ACTIVE
                          Aug 2 20:39:43 	snort[21986]: alert_fragments: INACTIVE
                          Aug 2 20:39:43 	snort[21986]: alert_fragments: INACTIVE
                          Aug 2 20:39:43 	snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
                          Aug 2 20:39:43 	snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
                          Aug 2 20:39:43 	snort[21986]: rpc_decode arguments:
                          Aug 2 20:39:43 	snort[21986]: rpc_decode arguments:
                          

                          here is my conf

                          
                          # snort configuration file
                          # generated by the pfSense
                          # package manager system
                          # see /usr/local/pkg/snort.inc
                          # for more information
                          #	snort.conf
                          #   Snort can be found at http://www.snort.org/
                          #
                          #	Copyright (C) 2009-2010 Robert Zelaya
                          #	part of pfSense
                          #	All rights reserved.
                          #
                          #	Redistribution and use in source and binary forms, with or without
                          #	modification, are permitted provided that the following conditions are met:
                          #
                          #	1\. Redistributions of source code must retain the above copyright notice,
                          #	   this list of conditions and the following disclaimer.
                          #
                          #	2\. Redistributions in binary form must reproduce the above copyright
                          #	   notice, this list of conditions and the following disclaimer in the
                          #	   documentation and/or other materials provided with the distribution.
                          #
                          #	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
                          #	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
                          #	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
                          #	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
                          #	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
                          #	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
                          #	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
                          #	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
                          #	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
                          #	POSSIBILITY OF SUCH DAMAGE.
                          
                          #########################
                                                  #
                          # Define Local Network  #
                                                  #
                          #########################
                          
                          var HOME_NET [68.xxx.xxx.xxx/22,192.168.0.1/24,192.168.200.1/32,192.168.201.1/32,/,192.168.5.1/24,68.xxx.xxx.x,2001:xxx:xx::2,8.8.8.8,8.8.4.4,127.0.0.1]
                          var EXTERNAL_NET !$HOME_NET
                          
                          ###################
                                            #
                          # Define Servers  #
                                            #
                          ###################
                          
                          var DNS_SERVERS [$HOME_NET]
                          var SMTP_SERVERS [$HOME_NET]
                          var HTTP_SERVERS [$HOME_NET]
                          var SQL_SERVERS [$HOME_NET]
                          var TELNET_SERVERS [$HOME_NET]
                          var SNMP_SERVERS [$HOME_NET]
                          var FTP_SERVERS [$HOME_NET]
                          var SSH_SERVERS [$HOME_NET]
                          var POP_SERVERS [$HOME_NET]
                          var IMAP_SERVERS [$HOME_NET]
                          var RPC_SERVERS $HOME_NET
                          var WWW_SERVERS [$HOME_NET]
                          var SIP_PROXY_IP [$HOME_NET]
                          var AIM_SERVERS \
                          [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
                          
                          ########################
                                                 #
                          # Define Server Ports  #
                                                 #
                          ########################
                          
                          portvar HTTP_PORTS [80]
                          portvar SHELLCODE_PORTS !80
                          portvar ORACLE_PORTS [1521]
                          portvar AUTH_PORTS [113]
                          portvar DNS_PORTS [53]
                          portvar FINGER_PORTS [79]
                          portvar FTP_PORTS [21]
                          portvar IMAP_PORTS [143]
                          portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
                          portvar MSSQL_PORTS [1433]
                          portvar NNTP_PORTS [119]
                          portvar POP2_PORTS [109]
                          portvar POP3_PORTS [110]
                          portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
                          portvar RLOGIN_PORTS [513]
                          portvar RSH_PORTS [514]
                          portvar SMB_PORTS [139,445]
                          portvar SMTP_PORTS [25]
                          portvar SNMP_PORTS [161]
                          portvar SSH_PORTS [222]
                          portvar TELNET_PORTS [23]
                          portvar MAIL_PORTS [25,143,465,691]
                          portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
                          portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
                          
                          # DCERPC NCACN-IP-TCP
                          portvar DCERPC_NCACN_IP_TCP [139,445]
                          portvar DCERPC_NCADG_IP_UDP [138,1024:]
                          portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
                          portvar DCERPC_NCACN_UDP_LONG [135,1024:]
                          portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
                          portvar DCERPC_NCACN_TCP [2103,2105,2107]
                          portvar DCERPC_BRIGHTSTORE [6503,6504]
                          
                          #####################
                                              #
                          # Define Rule Paths #
                                              #
                          #####################
                          
                          var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules
                          # var PREPROC_RULE_PATH ./preproc_rules
                          
                          ################################
                                                         #
                          # Configure the snort decoder  #
                                                         #
                          ################################
                          
                          config checksum_mode: all
                          config disable_decode_alerts
                          config disable_tcpopt_experimental_alerts
                          config disable_tcpopt_obsolete_alerts
                          config disable_ttcp_alerts
                          config disable_tcpopt_alerts
                          config disable_ipopt_alerts
                          config disable_decode_drops
                          
                          ###################################
                                                            #
                          # Configure the detection engine  #
                          # Use lower memory models         #
                                                            #
                          ###################################
                          
                          config detection: search-method ac-bnfa max_queue_events 5
                          config event_queue: max_queue 8 log 3 order_events content_length
                          
                          #Configure dynamic loaded libraries
                          dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
                          dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
                          dynamicdetection directory /usr/local/lib/snort/dynamicrules
                          
                          ###################
                                            #
                          # Flow and stream #
                                            #
                          ###################
                          
                          preprocessor frag3_global: max_frags 8192
                          preprocessor frag3_engine: policy bsd detect_anomalies
                          
                          preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                          track_udp yes, track_icmp yes
                          preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes
                          preprocessor stream5_udp:
                          preprocessor stream5_icmp:
                          
                          	##########################
                                                   #
                          # NEW                    #
                          # Performance Statistics #
                                                   #
                          ##########################
                          
                          preprocessor perfmonitor: time 300 file /var/log/snort/snort_39737_em3.stats pktcnt 10000
                          
                          	#################
                                          #
                          # HTTP Inspect  #
                                          #
                          #################
                          
                          preprocessor http_inspect: global iis_unicode_map unicode.map 1252
                          
                          preprocessor http_inspect_server: server default \
                                                  ports  { 80 8080 }  \
                                                  non_strict \
                                                  non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                                                  flow_depth 0  \
                                                  apache_whitespace no \
                                                  directory no \
                                                  iis_backslash no \
                                                  u_encode yes \
                                                  ascii no \
                                                  chunk_length 500000 \
                                                  bare_byte yes \
                                                  double_decode yes \
                                                  iis_unicode no \
                                                  iis_delimiter no \
                                                  multi_slash no
                           
                           ##################
                           #                #
                           # Other preprocs #
                           #                #
                           ##################
                           
                           preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
                           preprocessor bo
                           
                           #####################
                           #                   #
                           # ftp preprocessor  #
                           #                   #
                           #####################
                           
                           preprocessor ftp_telnet: global \
                           inspection_type stateless
                           
                           preprocessor ftp_telnet_protocol: telnet \
                              normalize \
                              ayt_attack_thresh 200
                           
                           preprocessor ftp_telnet_protocol: \
                               ftp server default \
                               def_max_param_len 100 \
                               ports { 21 } \
                               ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
                               ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
                               ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
                               ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
                               ftp_cmds { FEAT CEL CMD MACB } \
                               ftp_cmds { MDTM REST SIZE MLST MLSD } \
                               ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
                               alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
                               alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
                               alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
                               alt_max_param_len 256 { RNTO CWD } \
                               alt_max_param_len 400 { PORT } \
                               alt_max_param_len 512 { SIZE } \
                               chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
                               chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
                               chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
                               chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
                               chk_str_fmt { FEAT CEL CMD } \
                               chk_str_fmt { MDTM REST SIZE MLST MLSD } \
                               chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
                               cmd_validity MODE < char ASBCZ > \
                               cmd_validity STRU < char FRP > \
                               cmd_validity ALLO < int [ char R int ] > \
                               cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
                               cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
                               cmd_validity PORT < host_port >
                           
                           preprocessor ftp_telnet_protocol: ftp client default \
                              max_resp_len 256 \
                              bounce yes \
                              telnet_cmds yes
                           
                           #####################
                           #                   #
                           # SMTP preprocessor #
                           #                   #
                           #####################
                           
                           preprocessor SMTP: \
                               ports { 25 465 691 } \
                               inspection_type stateful \
                               normalize cmds \
                               valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
                           CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                               normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
                           PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                               max_header_line_len 1000 \
                               max_response_line_len 512 \
                               alt_max_command_line_len 260 { MAIL } \
                               alt_max_command_line_len 300 { RCPT } \
                               alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
                               alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
                               alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
                               alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
                               alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
                               xlink2state { enable }
                           
                           ################
                           #              #
                           # sf Portscan  #
                           #              #
                           ################
                           
                           preprocessor sfportscan: scan_type { all } \
                                                    proto  { all } \
                                                    memcap { 10000000 } \
                                                    sense_level { medium } \
                                                    ignore_scanners { $HOME_NET }
                           
                           ############################
                           #                          #
                           # OLD                      #
                           # preprocessor dcerpc: \   #
                           #    autodetect \          #
                           #    max_frag_size 3000 \  #
                           #    memcap 100000         #
                           #                          #
                           ############################
                           
                           ###############
                           #             #
                           # NEW         #
                           # DCE/RPC 2   #
                           #             #
                           ###############
                           
                           preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
                           preprocessor dcerpc2_server: default, policy WinXP, \
                               detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
                               autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
                               smb_max_chain 3
                           
                           ####################
                           #                  #
                           # DNS preprocessor #
                           #                  #
                           ####################
                           
                           preprocessor dns: \
                               ports { 53 } \
                               enable_rdata_overflow
                           
                           ##############################
                           #                            #
                           # NEW                        #
                           # Ignore SSL and Encryption  #
                           #                            #
                           ##############################
                           
                           preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted
                           
                           #####################
                           #                   #
                           # Snort Output Logs #
                           #                   #
                           #####################
                           
                           output unified: filename snort_39737_em3.log, limit 128
                           output alert_full: alert
                           
                           #################
                           #               #
                           # Misc Includes #
                           #               #
                           #################
                           
                           include /usr/local/etc/snort/snort_39737_em3/reference.config
                           include /usr/local/etc/snort/snort_39737_em3/classification.config
                           
                           # Snort user pass through configuration
                           
                           ###################
                           #                 #
                           # Rules Selection #
                           #                 #
                           ###################
                           
                           include $RULE_PATH/emerging-attack_response.rules
                           include $RULE_PATH/emerging-botcc.rules
                           include $RULE_PATH/emerging-ciarmy.rules
                           include $RULE_PATH/emerging-compromised.rules
                           include $RULE_PATH/emerging-current_events.rules
                           include $RULE_PATH/emerging-deleted.rules
                           include $RULE_PATH/emerging-dos.rules
                           include $RULE_PATH/emerging-dshield.rules
                           include $RULE_PATH/emerging-exploit.rules
                           

                          EDIT: I found the issue in the conf file under var HOME_NET    01.1/32,/,192.168.5.1/24

                           I was able to manually start snort after editing the conf file :-)

                           It doesn't create the folder/file for the suppress list.

                          
                          Aug 2 21:59:38 	snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
                          Aug 2 21:59:38 	snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
                          
                          
                          1 Reply Last reply Reply Quote 0
                          • swinnS
                            swinn
                            last edited by

                            I have a couple of issues:

                            1. When updating rules, when it tries to download the snort.org rules, the following error is shown at the bottom of the page and the rules are not processed:

                            Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 820

                            2. If I have the option enabled to "Keep snort settings after deinstall" and then reinstall the package, the menu link for Snort does not appear and Snort is not listed in the "Status: Services" page. I have to backup the config, remove the "snortglobal" section, upload the new config and reinstall Snort to fix it.

                            Thanks!

                            1 Reply Last reply Reply Quote 0
                            • R
                              robo
                              last edited by

                              Thank you all for great work - snort kicks back online on my router - I really felt naked during last few weeks.
                              BTW. If I understand it correctly classic snort package maintenance was shifted from JamesDean, I really admire his work, I can only hope that you will get on well.

                              @swinn:

                              I have a couple of issues:

                              1. When updating rules, when it tries to download the snort.org rules, the following error is shown at the bottom of the page and the rules are not processed:

                              Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 820

                              2. If I have the option enabled to "Keep snort settings after deinstall" and then reinstall the package, the menu link for Snort does not appear and Snort is not listed in the "Status: Services" page. I have to backup the config, remove the "snortglobal" section, upload the new config and reinstall Snort to fix it.

                              Thanks!

                               I think that no. 1 is fixed with the latest update (package version did not change).
                               I encountered the same issue as in no. 2, although I didn't try fiddling with the config yet.
                               What I did was simply use the direct link to the Snort web configuration:
                               http://192.168.1.1/snort/snort_interfaces.php
                               to update rules and start snort, and it seems to be working correctly.
                              During the snort "holiday" break I messed up with the snort-dev package - maybe something left over from it.

                              1 Reply Last reply Reply Quote 0
                              • G
                                Gloom
                                last edited by

                                2.0-RC3 (amd64)
                                built on Tue Aug 2 22:54:59 EDT 2011

                                First let me say thanks for getting this package back now I can go back to testing  ;D

                                 The only problem I've found is that if you tick Block Offenders under the If Settings tab, then snort refuses to restart. The following error is logged.

                                snort[9497]: FATAL ERROR: /usr/local/etc/snort/snort_50697_bce0/snort.conf(351) Unknown output plugin: "alert_pf"

                                Untick the box and it fires up fine but obviously no hosts get added to the block list.

                                Never underestimate the power of human stupidity

                                1 Reply Last reply Reply Quote 0
                                • T
                                  th3r3isnospoon
                                  last edited by

                                  Just got the e-mail that this was fixed.  Awesome!  Thank you!

                                  http://redmine.pfsense.org/issues/1590

                                  -th3r3isnospoon

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    Cino
                                    last edited by

                                    @Ermal great work! I found small bug with the Suppress List. The interface doesn't seem to be saving the file needed for the interface to come up. Is the path wrong?

                                    
                                    Aug 3 09:03:12 	snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
                                    Aug 3 09:03:12 	snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
                                    
                                    

                                    I'm going to do more testing with white list and home net list today and report back… I know white list wasn't working in the old package but the work around was to use the home net instead if you needed to white list an IP.

                                    1 Reply Last reply Reply Quote 0
                                    • E
                                      eri--
                                      last edited by

                                      All the issues should be solved now.
                                      Please reinstall and test.

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        Cino
                                        last edited by

                                        @ermal:

                                        All the issues should be solved now.
                                        Please reinstall and test.

                                         New problem: after updating Snort, all the menu items for other packages are missing. I did a full firmware update so it would re-download all the packages. Same thing, all package menu items are removed, but Services-Snort is there.

                                        countryblock, LCDproc, cron, shellcmd, vnstat2, ntop, notes are all missing from the menu

                                        EDIT: I removed the code that was added to pkg-utils.inc, https://github.com/bsdperimeter/pfsense/commit/27018d3cc4f12c995efadf5dc5ba90eb7c1aa641  Rebooted the box and did a package re-install.. Now my package menu items are there

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          Cino
                                          last edited by

                                           The white list doesn't work. I put the IPs into my home net list and snort also blocked them.

                                           I checked my conf file and var HOME_NET contains none of the IPs I added. Not sure how the white list works since it broke a long time ago. The file "MainWhiteList 10285" doesn't contain any of the IPs I put in that list either. Also, there is a space in the file name.

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            eri--
                                            last edited by

                                            Well the whitelist option in snort:interfaces:edit works only if Block offenders is on!

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.