Snort service stops - wrong rules used?



  • Let me start by saying I'm new to this and learning.

    I have a pfsense 2.0 release (i386) installed on a dual processor Pentium III 1.2 processor machine with 4GB RAM and a 250 GB HDD which was installed in September.  If I enable the rule snort_specific-threats.rules the Snort service stops right away. Restarting the service results in an immediate stop as well.  Disabling that one rule again and Snort will restart fine.

    When I check the system logs I see the error:
    snort[10944]: FATAL ERROR: /usr/local/etc/snort/snort_56345_fxp0/rules/snort_specific-threats.rules(249) Unknown rule option: 'dce_iface'.
    each time I restart the service with that rule enabled.

    So, being new to this I posted a topic over on the Snort forum where I was politely told that I'm running the wrong version of the rule set with the wrong version of Snort. I then later read on this forum that the pfsense version of snort isn't the standard snort and that I should come here for support and not to snort.org, so here I am.

    If I'm running the wrong version, does that mean my oinkcode is wrong?  How would I correct that?  I don't see a place to get a new oinkcode.  Would I get that new code from snort.org or from pfsense?  And if it's not a problem with the oinkcode, then how do I get it to download the correct set of rules for pfsense?  I know, all newbie questions but that's where I am, a newbie trying to protect a production web server.



  • According to the folks over at snort.org I'm using the wrong set of rules for the version of Snort that's running in pfsense.  I see on the snort site that you must edit the configuration to get the right set of rules.  http://www.snort.org/account/oinkcode

    What I don't know is how that applies to the version of snort running under pfsense.  I'd done an ISO installation of pfsense/snort so I would have thought it would be correct but it doesn't seem so.  Do I need to make the edits mentioned in the other URL and if so, where do I find that configuration file?

    Jerry



  • Works fine for me. Make sure you have all the preprocessors enabled.



  • Mine works UNTIL I turn on the snort_specific-threats.rules and then the service stops almost instantly. Being new, I posted something about this in the snort.org community along with all the information about what versions I was running. One of the senior members told me that I'm running an old version of snort and the wrong version of the rules for the version I'm running, and that the pfsense version isn't supported at snort.org. Everything I have was installed from the ISO install disc.

    If it's pulling the wrong version of the rules as he says, then I'd like to correct that situation but I don't know how.  And since they don't support the pfsense version of snort, I'm back here trying to figure it out.



  • I'll ask again, do you have all the preprocessors enabled?

    Snort on pfsense is a little behind, but it is 2.9.0.5 and is pulling snortrules-snapshot-2905.tar.gz. Check the files at /usr/local/pkg/snort.

    There are no ISO installations for snort on pfsense, only packages. The ISO is for pfSense only.



  • Sorry. I must have read over the preprocessor question. I left it at the default settings from the package installation. It looks like
    RPC Decode and Back Orifice detector is off.
    FTP and Telnet Normalizer is off.
    SMTP Normalizer is off.
    Portscan Detection is on.
    DCE/RPC2 Detection is off.
    DNS Detection is on.

    Should they all be turned on?

    Sorry, but I don't understand the difference between an installation and a package, but yes, it was done by installing (is that the wrong word?) the Snort package from inside pfsense. It's a great combination BTW and I'm really happy it's here. Does the snort package get funded separately from pfsense? I'd like to support the continuation of this combination, but that's probably a different thread.



  • Turn them all on… I can't remember which is for what, but a lot of the rules depend on the preprocessors being on.

    I would start a new thread about donating because there are 2 packages right now. The original package dev is working on snort-dev, while the old snort package was created by him; the pfsense core dev team has picked up support for it. The core pfsense dev team's goal is to make sure that the original package works... Nothing else, no add-ons and such. While the new package will include samsnort in it, I believe, and some other goodies.
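The dependency described in this thread (a rule option such as `dce_iface` is only understood once the matching preprocessor is loaded, otherwise Snort aborts with "Unknown rule option") can be checked before restarting the service. The script below is an added example, not part of this thread or of the pfSense package; the snort.conf and rules fragments are constructed, and the option-to-preprocessor table is an assumption that only covers the DCE/RPC2 keywords mentioned here and can be extended.

```python
import re

# Constructed fragment standing in for the snort.conf that pfSense generates;
# the dcerpc2 line is commented out, as when "DCE/RPC2 Detection" is off in the GUI.
SNORT_CONF = """\
preprocessor frag3_global
preprocessor stream5_global: track_tcp yes
preprocessor dns: ports { 53 }
preprocessor sfportscan: proto { all }
# preprocessor dcerpc2: memcap 102400
"""

# Constructed rules file, one rule per line (line numbers match Snort's error output).
RULES = """\
alert tcp any any -> any 445 (msg:"constructed dce rule"; flow:to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed http rule"; content:"GET"; sid:9000002; rev:1;)
"""

# Assumed mapping: rule options that Snort 2.9 only accepts when the named
# preprocessor is enabled. Extend with further preprocessor keywords as needed.
OPTION_TO_PREPROCESSOR = {
    "dce_iface": "dcerpc2",
    "dce_opnum": "dcerpc2",
    "dce_stub_data": "dcerpc2",
}


def enabled_preprocessors(conf_text):
    """Return the names of preprocessors that are enabled (not commented out)."""
    names = set()
    for line in conf_text.splitlines():
        m = re.match(r"\s*preprocessor\s+([A-Za-z0-9_]+)", line)
        if m:
            names.add(m.group(1))
    return names


def rule_options(rule):
    """Return the option keywords of one rule, e.g. ['msg', 'flow', 'dce_iface', 'sid', 'rev']."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    # Split on ';' unless it is escaped, then keep only the keyword before ':'.
    parts = (p.strip() for p in re.split(r"(?<!\\);", body))
    return [p.split(":", 1)[0].strip() for p in parts if p]


def missing_preprocessors(conf_text, rules_text):
    """Map rule line number -> (option, preprocessor) for options whose preprocessor is off."""
    enabled = enabled_preprocessors(conf_text)
    problems = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for opt in rule_options(line):
            needed = OPTION_TO_PREPROCESSOR.get(opt)
            if needed and needed not in enabled:
                problems[lineno] = (opt, needed)
    return problems


if __name__ == "__main__":
    for lineno, (opt, pre) in missing_preprocessors(SNORT_CONF, RULES).items():
        print(f"rule line {lineno}: option '{opt}' needs preprocessor '{pre}', which is off")
```

Run against the real files under /usr/local/etc/snort/&lt;instance&gt;/ and it reports the same rule line Snort names in its FATAL ERROR, before the service is restarted.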



  • Ah! That must have been it.  I turned on all the preprocessors then enabled that rule again and it didn't stop.

    I will go post about the funding.

    Thanks again!

    Jerry



  • You're welcome!



  • My AMD64 Snort 2.9.1 pkg v. 2.0 is loading snort ruleset 2.9.0.5. Any snort categories enabled yields snort won't start. I can use emerging threats rules but no snort rules. Tried to edit /usr/local/pkg/snort/snort_check_for_rule_updates.php with 2905, 2910, 2911, 2912 and edge, but while they update, snort won't start with any snort categories selected.

    Also, the update log button doesn't do anything, and when I look at the html source, "sexybuttons disabled". Odd.



  • Having the same issue as ac3243 on amd64, on v2.0.2.



  • I'm assuming you've read the rest of this thread. The fix for me was turning the preprocessors on.  If that didn't solve your problem then it's not the same as mine was.



  • All preprocessors on, and barnyard off.



  • Remove snort.
    Install snort; it often solves these issues.

    You could also start from scratch:
    Uncheck "Keep snort settings after deinstall", Save, Reset, Save, remove snort, install snort.

    I do not use "Reinstall this package" as it never reinstalls OK.



  • Done that. No luck.

