Snort Won't Start After Upgrade

bmeeks

My problem now is  more like "selective Snort starting".  What I mean is that selecting certain rule categories will not let Snort start successfully.  Not selecting them will allow Snort to start.

These are the rule categories that do not work for me on 2.0-RC3 using the i386 build –

• snort_spyware-put.rules

• snort_web-activex.rules

• snort_web-client.rules

Also, for some of the rule categories that do work, if I select any of the matching Shared Objects rule categories then Snort will not start successfully.  One example of this behavior is as follows.

• snort_bad-traffic.rules

• snort_bad-traffic.so.rules

If I select just snort_bad-traffic.rules, then Snort starts.  If I try to add snort_bad-traffic.so.rules, then Snort will not start.

hmishra

ermal,

I mean, nowhere I have evidence that Snort is even running on my system!

Previously, I always found Snort on my list of running services as well as in System Acticity.


eri--

Yeah i know about the status->services problem.
A ps -ax | grep snort should tell you.

@DynamoHum,

check before in this thread.

DynamoHum

duh ! :-\ 1st i had skiped over yer post and 2nd, find / -name "snort" works better then  find / -name "snrot" :-X

Thanks again for your great work and devotion to this project.

hmishra

Thanks ermal. I think 'ps -ax | grep snort' reveals that snort is not running…..

43792  0  S+    0:00.02 grep snort

Doesn't the above mean grep ran and a running instance of snort was not found?

Cino

@ermal:

Cino, i am not sure what changed to have snort not detect autoblocking.
Maybe a new directive is needed?! But the config is right afaik.

i stated that auto-blocking is working when a rule is trigger.. port scanning wasn't being detected….

I'm about to do a firmware update. i'll fully uninstall snort and re-install after my firmware is updated and see how snort is working.

NightHawk007

@Cino:

@ermal:

Cino, i am not sure what changed to have snort not detect autoblocking.
Maybe a new directive is needed?! But the config is right afaik.

i stated that auto-blocking is working when a rule is trigger.. port scanning wasn't being detected….

I'm about to do a firmware update. i'll fully uninstall snort and re-install after my firmware is updated and see how snort is working.

I am having the same problem snort is not detecting a port scan at all .i know it did about 3 firmware updates ago .

Cino

@NightHawk007 I did a firmware update for other reasons, nothing to do with snort… probably shouldn't had mention it.. The Snort package has had its binary updated to a more recent version from Snort. A side effect it seems is that port scanning detecting isn't working. From my current testing, any attack that matches a rule is being detected.

strasharo

@Jare:

@strasharo:

With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

[2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
[2.0-RC3][root@kainak]/usr/local/bin(7):

I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:

amd64

/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2

i386

/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2

At least for me it seems to be working and logging now just like it should…  ;)

Thanks a lot for the tip, Jare! ;D At last I got it running with Snorby.  ::)

P.S. Portscan detection still isn't working, I launched a portscan from GRC.com + a remote full portscan with nmap and the only alerts that I got from that are those who match specific rules from the signature (for example ET SCAN Potential VNC Scan 5900-5920 ).  :-[

valshare

Hi,

if i want edit a rule, i get this error:

Fatal error: Call to undefined function get_middle() in /usr/local/www/snort/snort_rules_edit.php on line 99

Regards, Valle

eri--

Reinstall, already fixed.

Cino

Not realy a bug but I noticed when I try to shutdown snort from the main snort page, I have to refresh the page for the status to update. Before the recent changes were made; i would click on the little icon to disable snort, the page would refresh after snort was shutdown for that interface.

digdug3

Snort and EM update work like they did before. (2.0-RC3 (i386) built on Mon Sep 5 04:07:51 EDT 2011)

I disabled the 'keep settings after update' and this reinstalls Snort without any problems.
Of course you have to setup Snort every time after each update…

Thanks Ermal for all you effort!

eri--

Portscan and other preprocessors should work ok now.
Just reinstall the package files.
It is not needed a full upgrade.

Cino

@ermal:

Portscan and other preprocessors should work ok now.
Just reinstall the package files.
It is not needed a full upgrade.

Thanks ermal!! I did a uninstall, install… The port scan detection is working, looks a little different in the alert log. But its good!

2 2 PROTO:255 PSNG_TCP_FILTERED_PORTSCAN Attempted Information Leak 4.79.142.206 empty -> xx.xx.xx.xx empty 122:5:1 09/05-17:23:39

I see you added a sleep timer when disabling snort, thank you.... So far so good. Only issue left is being able to clear the alerts from the gui.

btw, all my testing is on i386.. Someone else will have to confirm amd64. also, i have not testing Barnyard2. When I get back home next week, i'll play around with it.

hmishra

ermal,

As per your suggestion, I ran ps -ax | grep snort and here is the output:

56884  0  S+    0:00.02 grep snort

Doesn't this mean snort is not running on my system?

Thanks!

Cino

@ermal I noticed that snort was built to have ipv6 now… Can the alert and block page be setup to display ipv6 addresses down the road? I had a line under my block page that displayed NA for the ip. I couldn't remove it, so i went to the snort2c table and it was a ipv6 address. The alert looked like this:

4 2 PROTO:255 PSNG_TCP_PORTSWEEP_FILTERED Attempted Information Leak empty empty -> empty empty 122:7:1 09/05-21:40:01

[**] [122:7:1] PSNG_TCP_PORTSWEEP_FILTERED [**]
[Classification: Attempted Information Leak] [Priority: 2] 
09/05-21:40:01.891026 2001:0470:1f07:xxxx:0000:0000:0000:8c60 -> 2001:4860:b009:0000:0000:0000:0000:0065
PROTO:255 TTL:63 TOS:0x0 ID:0 IpLen:40 DgmLen:234

Go figure it was one of my internal ipv6s… When I get back in a week, i'll see if i can add ipv6 to the whitelist and netlist.

thanks again for all your hard work on snort!

another example of ipv6:

1 	1 	UDP 	BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt 	Attempted Administrator Privilege Gain 	empty 	29652 	-> 	empty 	52225 	3:13287:4 	09/05-22:17:32

Delete 	 2 	 empty 	 N\A

[**] [3:13287:4] BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
09/05-22:17:32.979947 2002:43b1:e866:0000:0000:0000:43b1:e866:29652 -> 2001:0470:1f07:xxxx:0000:0000:0000:0100:52225
UDP TTL:118 TOS:0x0 ID:0 IpLen:40 DgmLen:68
Len: 20
[Xref => http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0069]

P.S I only have my IPv4 interface configured within Snort. I use a HE tunnel so I find it a little odd but good to see it can work with IPv6 traffic now

breusshe

@Cino:

btw, all my testing is on i386.. Someone else will have to confirm amd64. also, i have not testing Barnyard2. When I get back from home next week, i'll play around with it.

I have pfsense on x64 and snort seems to work fine now.  I did as suggested and updated the firmware to the latest RC3 micro-version deleted the /usr/lib/snort/* folders after uninstalling the snort module.  I did not delete my settings, however.  Upon reinstalling Snort and doing the rules update, Snort came right up.  No issues at all.  I didn't even have to do the Snort fixes that I spoke of in earlier posts.  Oh, as with Cino, I am not running Barnyard2.

Looks like you guys got it, thanks pfSense Team!

marcelloc

At my x64 2.0 RC3 its working too, including block ofenders.

I'm just saw a delay when I press the "x" gif to start snort. The daemon starts but gui stays waiting…(not a big deal.)

Thanks again for the fix.

breusshe

Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?