SNORT - 2.9.1 pkg v. 2.0.2 - Specific Threat Issue



  • Hey guys,

    I noticed after I updated SNORT to the latest ruleset, the 'snort_specific-threats.rules' category is broken. (I am using pfSense 2.0.1 amd64 with SNORT - 2.9.1 pkg v. 2.0.2)

    I receive this error:

    Dec 29 10:52:36 snort[56180]: Initializing rule chains…
    Dec 29 10:52:36 snort[56180]: Initializing rule chains…
    Dec 29 10:52:36 snort[56180]: FATAL ERROR: /usr/local/etc/snort/snort_25726_em0/rules/snort_specific-threats.rules(747) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
    Dec 29 10:52:36 snort[56180]: FATAL ERROR: /usr/local/etc/snort/snort_25726_em0/rules/snort_specific-threats.rules(747) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
    Dec 29 10:52:36 SnortStartup[56322]: Interface Rule START for 0_25726_em0…

    After doing some research, the VRT blog (http://t.co/lALWbvB6) said to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] to snort.conf if snort breaks, or to download the latest snort.conf. Neither of which works.

    Of course, SNORT starts without issue if I un-check the specific-threats category. However, I would like to use this category.

    I have un-installed and re-installed SNORT, re-did all of my settings, and it's a no-go.

    Seems we may have to wait until the SNORT package itself is updated again.

    Thanks,

    th3r3isnospoon



  • Works for me, but I'm running i386. Have you looked at your snort.conf to see if it's there or not? Also, you could try adding it manually to the "Advanced configuration" option under the interface.



  • @Cino:

    Works for me, but I'm running i386. Have you looked at your snort.conf to see if it's there or not? Also, you could try adding it manually to the "Advanced configuration" option under the interface.

    I did add the new portvar to my snort.conf file, however this did not work.

    I did not try the 'Advanced Configuration' option; would this be any different from adding it directly to the snort.conf file?

    Thanks,

    th3r3isnospoon



  • The Advanced configuration option will add it to your /usr/local/etc/snort/snort_xxxxx_xxx/snort.conf



  • I will see if I can bump the snort port to include the fixes.



  • @ermal:

    I will see if I can bump the snort port to include the fixes.

    Awesome! Thanks ermal!

    -th3r3isnospoon



  • Adding:
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    to the Advanced configuration section does solve the problem.



  • @Cino:

    The Advanced configuration option will add it to your /usr/local/etc/snort/snort_xxxxx_xxx/snort.conf

    @Ulich05:

    Adding:
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    to the Advanced configuration section does solve the problem.

    Good call, guys. I just tried this and voila, it worked! Strange, because I did add it manually to snort.conf and it was a no-go.

    Fixed.

    Thanks guys!

    -th3r3isnospoon



  • Will there be a fix where you don't have to edit the .conf? …I DID have all my 'servers' defined in the… uhhh, 'define servers'… then bam, snort hit a bad rail and bummed itself stupid.

    I don't mind editing the .conf… but it would be nice for a person who doesn't really know what they are doing if it would just work… right? Just IMO  :-X



  • @genic:

    Will there be a fix where you don't have to edit the .conf?

    It's on ermal's to-do list…

    @ermal:

    I will see if I can bump the snort port to include the fixes.



  • @Cino:

    The Advanced configuration option will add it to your /usr/local/etc/snort/snort_xxxxx_xxx/snort.conf

    @Ulich05:

    Adding:
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    to the Advanced configuration section does solve the problem.

    Thanks, this worked for me also :)



  • Gents,

    Having an issue with the listed fix. When I add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] to /usr/local/etc/snort/snort_51441_em0/snort.conf, save the file, and then immediately reopen it, the new line is there. When I start snort I get the same error in the logs, and when I look at the conf again, the line is removed. I have uninstalled and re-installed snort, but I get the same issue. Any ideas?



  • You have to put this config in the GUI, not in the conf file.

    Adding:
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    to the Advanced configuration section does solve the problem.
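    The posts above boil down to two facts: Snort aborts at startup when a rule references a port variable that snort.conf never defines, and on pfSense a hand edit to snort.conf is lost because the package regenerates the file, so the portvar line has to go into the interface's "Advanced configuration" box. The script below is an added example, not code from the pfSense package, the Snort project, or anyone in this thread. It reproduces the failing condition on constructed sample files (the snort.conf, rules, sids and the helper names missing_portvars and add_file_data_ports are all invented for the example) and reports which $PORTVAR names a rules file uses that snort.conf does not define, which is the check to run before enabling a category rather than waiting for the FATAL ERROR in the log.

```shell
#!/bin/sh
# Added example, not from the pfSense Snort package or the forum thread.
# Finds $PORTVAR names used in a Snort rules file that snort.conf never
# defines, i.e. the condition behind:
#   FATAL ERROR: ...rules(747) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
# Every file below is a constructed sample, not real VRT ruleset text.

WORK=$(mktemp -d)

# Constructed snort.conf: defines HTTP_PORTS but not FILE_DATA_PORTS.
cat > "$WORK/snort.conf" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
portvar SHELLCODE_PORTS !80
EOF

# Constructed rules; sids 1000001+ are the local range, not VRT sids.
cat > "$WORK/snort_specific-threats.rules" <<'EOF'
# comment line, ignored by the check
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"sample 1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"sample 2"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$SHELLCODE_PORTS,!$HTTP_PORTS] (msg:"sample 3"; sid:1000003; rev:1;)
EOF

# Print each $NAME found in a rule's port fields that has no
# "portvar NAME ..." line in the given snort.conf, one name per line.
# Rule header layout: action proto src_ip src_port direction dst_ip dst_port
missing_portvars() {
    conf=$1
    rules=$2
    awk '$1 == "alert" || $1 == "drop" || $1 == "log" || $1 == "pass" { print $4; print $7 }' "$rules" \
      | grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' \
      | sed 's/^\$//' \
      | sort -u \
      | while read -r name; do
            grep -qE "^[[:space:]]*portvar[[:space:]]+${name}([[:space:]]|$)" "$conf" \
              || printf '%s\n' "$name"
        done
}

# Append the definition the VRT blog recommends. On a pfSense box this line
# belongs in the interface's "Advanced configuration" field instead, because
# the package rewrites snort.conf on start and drops a direct edit.
add_file_data_ports() {
    conf=$1
    printf '%s\n' 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' >> "$conf"
}

# Before the fix: reports FILE_DATA_PORTS. After add_file_data_ports: nothing.
missing_portvars "$WORK/snort.conf" "$WORK/snort_specific-threats.rules"
```

    Point the two arguments at a real interface directory (for example /usr/local/etc/snort/snort_xxxxx_xxx/snort.conf and its rules/ subdirectory, one rules file at a time) to see which category would trip the lookup before you enable it. The check only inspects the port positions of the rule header, so an undefined ipvar in the address positions is not reported.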



  • @marcelloc:

    You have to put this config in the GUI, not in the conf file.

    Adding:
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    to the Advanced configuration section does solve the problem.

    Guess I'm just derpin'. That worked perfectly, thanks!



  • What is the problem?
    snort[48943]: FATAL ERROR: /usr/local/etc/snort/snort_2***_re0/snort.conf(145) ) => Invalid keyword 'compress_depth' for 'global' configuration.



  • Well, I just installed snort for 1st time and found Barnyard2 wasn't installed!

    Services: Snort 2.9.1 pkg v. 2.0.2

    Help!





  • @Cino:

    Search will be your greatest friend.

    http://forum.pfsense.org/index.php/topic,42016.0.html

    pkg_add -r http://files.pfsense.com/packages/8/All/barnyard2.tbz

    LOL thanks!

    Download link is dead, but got it from another place.



  • @Gradius:

    @Cino:

    Search will be your greatest friend.

    http://forum.pfsense.org/index.php/topic,42016.0.html

    pkg_add -r http://files.pfsense.com/packages/8/All/barnyard2.tbz

    LOL thanks!

    Download link is dead, but got it from another place.

    I corrected the link.



  • New issue seems to have come up.

    The fix above works… however, I no longer receive any alerts in the Alerts tab (yes, alerts are enabled) and I'm not sure it's blocking offenders.

    If I use GRC.com's ShieldsUp!, yes, it will detect that and block it.

    Now, FWIW, I recently installed and configured pfBlocker and am having it block a few countries that used to show up in my logs a lot. Perhaps that's why I am seeing a lot fewer offenders being blocked? I suppose that makes sense. But the fact that I no longer see Alerts is odd.

    Just curious if anyone who implemented the above fix noticed this?

    Thanks!

    -th3r3isnospoon


Locked