Netgate Discussion Forum
    Snort service stops - wrong rules used?

    pfSense Packages
    15 Posts 5 Posters 5.1k Views
    • cdsJerry

      Let me start by saying I'm new to this and learning.

      I have a pfsense 2.0 release (i386) installed on a dual processor Pentium III 1.2 processor machine with 4GB RAM and a 250 GB HDD which was installed in September. If I enable the rule snort_specific-threats.rules the Snort service stops right away. Restarting the service results in an immediate stop as well. Disabling that one rule again and Snort will restart fine.

      When I check the system logs I see the error:
      snort[10944]: FATAL ERROR: /usr/local/etc/snort/snort_56345_fxp0/rules/snort_specific-threats.rules(249) Unknown rule option: 'dce_iface'.
      each time I restart the service with that rule enabled.

      So.. being new to this I posted a topic over on the Snort forum where I was politely told that I'm running the wrong version of the rule set with the wrong version of Snort. I then later read on this forum that the pfsense version of snort isn't the standard snort and that I should come here for support and not to snort.org so here I am.

      If I'm running the wrong version, does that mean my oinkcode is wrong?  How would I correct that?  I don't see a place to get a new oinkcode.  Would I get that new code from snort.org or from pfsense?  And if it's not a problem with the oinkcode, then how do I get it to download the correct set of rules for pfsense?  I know, all newbie questions but that's where I am, a newbie trying to protect a production web server.

      • cdsJerry

        According to the folks over at snort.org I'm using the wrong set of rules for the version of Snort that's running in pfsense.  I see on the snort site that you must edit the configuration to get the right set of rules.  http://www.snort.org/account/oinkcode

        What I don't know is how that applies to the version of snort running under pfsense.  I'd done an ISO installation of pfsense/snort so I would have thought it would be correct but it doesn't seem so.  Do I need to make the edits mentioned in the other URL and if so, where do I find that configuration file?

        Jerry

        • Cino

          Works fine for me. Make sure you have all the preprocessors enabled.

          • cdsJerry

            Mine works UNTIL I turn on the snort_specific-threats.rules and then the service stops almost instantly. Being new, I posted something about this in the snort.org community along with all the information about what versions I was running. One of the senior members told me that I'm running an old version of snort and the wrong version of the rules for the version I'm running, and that the pfsense version isn't supported at snort.org. Everything I have was installed from the ISO install disc.

            If it's pulling the wrong version of the rules as he says, then I'd like to correct that situation but I don't know how.  And since they don't support the pfsense version of snort, I'm back here trying to figure it out.

            • Cino

              I'll ask again, do you have all the preprocessors enabled?

              Snort on pfsense is a little behind, but it is 2.9.0.5 and is pulling snortrules-snapshot-2905.tar.gz. Check the files at /usr/local/pkg/snort.

              There are no ISO installations for snort on pfsense, only packages. The ISO is for pfSense only.

              • cdsJerry

                Sorry. I must have read over the preprocessor question. I left it at the default settings from the package installation. It looks like:
                RPC Decode and Back Orifice detector is off.
                FTP and Telnet Normalizer is off.
                SMTP Normalizer is off.
                Portscan Detection is on.
                DCE/RPC2 Detection is off.
                DNS Detection is on.

                Should they all be turned on?

                Sorry, but I don't understand the difference between an installation and a package, but yes, it was done by installing (is that the wrong word?) the Snort package from inside pfsense. It's a great combination BTW and I'm really happy it's here. Does the snort package get funded separately from pfsense? I'd like to support the continuation of this combination, but that's probably a different thread.

                • Cino

                  Turn them all on… I can't remember which is for what, but a lot of the rules depend on the preprocessors being on.

                  I would start a new thread about donating because there are 2 packages right now. The original package dev is working on snort-dev; the old snort package was created by him, and the pfsense core dev team has picked up support for it. The core pfsense dev team's goal is to make sure that the original package works... Nothing else, no add-ons and such. The new package will include samsnort in it, I believe, and some other goodies.

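Cino's point, that options such as dce_iface are only valid when the matching preprocessor is loaded, can be checked before a category is enabled rather than by watching Snort die. The following is an added example, not code from pfSense or the Snort package; it assumes the preprocessor checkbox names quoted earlier in this thread, an option-to-preprocessor mapping taken from the Snort 2.9 manual, and a small constructed rules sample.

```python
"""Predict which pfSense Snort preprocessors a rules file needs. Added example for this thread."""
import re

# Rule options Snort only understands when the owning preprocessor is loaded (Snort 2.9
# manual). Values are the checkbox labels from the pfSense Preprocessors tab quoted above.
OPTION_TO_PREPROCESSOR = {
    "dce_iface": "DCE/RPC2 Detection",
    "dce_opnum": "DCE/RPC2 Detection",
    "dce_stub_data": "DCE/RPC2 Detection",
    "ftpbounce": "FTP and Telnet Normalizer",
}
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_FATAL = re.compile(r"Unknown rule option: '([A-Za-z_]+)'")

def rule_options(rule_line):
    """Option keywords of one rule. Quoted values are blanked first so that a
    content:"dce_iface" payload string is not mistaken for the dce_iface option."""
    body = _QUOTED.sub('""', rule_line)
    m = re.search(r"\((.*)\)\s*$", body)
    if not m:
        return []
    return [o.split(":", 1)[0].strip() for o in m.group(1).split(";") if o.strip()]

def required_preprocessors(rules_text):
    """Map each preprocessor the file needs to the rule line numbers that use it."""
    needed = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for opt in rule_options(line):
            if opt in OPTION_TO_PREPROCESSOR:
                needed.setdefault(OPTION_TO_PREPROCESSOR[opt], set()).add(lineno)
    return needed

def missing_preprocessors(rules_text, enabled):
    """Preprocessors the rules need but the GUI has off: the ones whose absence makes
    Snort exit with 'Unknown rule option', as in the first post of this thread."""
    return sorted(set(required_preprocessors(rules_text)) - set(enabled))

def preprocessor_for_fatal_error(log_line):
    """Turn a 'FATAL ERROR ... Unknown rule option' log line into the checkbox to enable."""
    m = _FATAL.search(log_line)
    return OPTION_TO_PREPROCESSOR.get(m.group(1)) if m else None

# Constructed sample rules, not lines from the real snort_specific-threats.rules file.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED dce"; flow:to_server,established; dce_iface:00000000-0000-0000-0000-000000000001; dce_opnum:9; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"CONSTRUCTED ftp"; ftpbounce; sid:9000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED plain"; content:"dce_iface; fake"; sid:9000003; rev:1;)
"""
```

Run `missing_preprocessors()` over the category's rules file with the list of checkboxes currently on; an empty result means the category will not trip the "Unknown rule option" error, and `preprocessor_for_fatal_error()` names the checkbox to enable when it already has.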
                  • cdsJerry

                    Ah! That must have been it. I turned on all the preprocessors, then enabled that rule again and it didn't stop.

                    I will go post about the funding.

                    Thanks again!

                    Jerry

                    • Cino

                      You're welcome!

                      • ac3243

                        My AMD64 Snort 2.9.1 pkg v. 2.0 is loading snort ruleset 2.9.0.5. With any snort categories enabled, snort won't start. I can use emerging threats rules but no snort rules. Tried to edit /usr/local/pkg/snort/snort_check_for_rule_updates.php with 2905, 2910, 2911, 2912 and edge, but while they update, snort won't start with any snort categories selected.

                        Also, the update log button doesn't do anything, and when I look at the HTML source I see "sexybuttons disabled". Odd.

                        • mbeat

                          Having the same issue as ac3243 on amd64, on v2.0.2.

                          • cdsJerry

                            I'm assuming you've read the rest of this thread. The fix for me was turning the preprocessors on. If that didn't solve your problem then it's not the same as mine was.

                            • mbeat

                              All preprocessors on, and barnyard off.

                              • RonpfS

                                Remove snort.
                                Install snort; it often solves these issues.

                                You could also start from scratch:
                                Uncheck "Keep snort settings after deinstall", Save, Reset, Save, remove snort, install snort.

                                I do not use "Reinstall this package" as it never reinstalls OK.

                                2.4.5-RELEASE-p1 (amd64)
                                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                • mbeat

                                  Done that. No luck.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.