Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Snort-dev ready for testing. Post issues here.

    pfSense Packages
    10
    23
    9229
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jamesdean last edited by

      Snort-dev 2.9.2.3 pkg v. 2.2:

      You can watch my updates here https://github.com/bsdperimeter/pfsense-packages/tree/master/config/snort-dev.

      WARNING:

      Do not install snort-dev package with the mainline snort package.

      Finished work:

      Snort-Dev ready to be installed.

      I have updated the snort.conf code so that it is synced with 2.9.2.3, wow took me a few hours to do this.

      TODO:

      Need to add gui for all the new preprocessors in 2.9.2.3.

      help_and_info.php tab cause its a mess.

      Rule files need to be split like the following example.

      var RULE_PATH /usr/local/etc/snort/snort_15922_em0/rules
      var PREPROC_RULE_PATH /usr/local/etc/snort/snort_15922_em0/preproc_rules
      var SO_RULE_PATH /usr/local/etc/snort/snort_15922_em0/so_rules

      Known bugs:

      NETLIST isn't picking up IPv6 addresses for LAN or WAN interfaces

      Snort is not stopping in snort_interfaces.php (FIXED)

      snort_blocked.php is not showing blocked hosts

      NOTES:

      Users will see more alerts than average until we fine tune the snort.conf.

      Snort-Widget will not work with snort-dev until Snort-dev-Widget is up.

      Robert

      1 Reply Last reply Reply Quote 0
      • C
        Cino last edited by

        I gave it try tonight on 2.1. If I Block Offenders enabled, i get the below error… If its uncheck, it snort starts

        
        Jun 16 23:13:00 	snort[29613]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(669) Unknown output plugin: "alert_pf"
        Jun 16 23:13:00 	snort[29613]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(669) Unknown output plugin: "alert_pf"
        
        

        I've seen this before in old builds… Thinking a patch was needed or something

        EDIT: After a reboot, snort didn't start.. 2 different errors, one php and another from snort:

        
        [17-Jun-2012 03:56:19 UTC] PHP Deprecated:  Function split() is deprecated in /usr/local/pkg/snort/snort.inc on line 1645
        
        
        
        Jun 16 23:56:46 	snort[48093]: FATAL ERROR: SetupGTP(): The Stream preprocessor must be enabled.
        Jun 16 23:56:46 	snort[48093]: FATAL ERROR: SetupGTP(): The Stream preprocessor must be enabled.
        Jun 16 23:56:46 	snort[48093]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
        Jun 16 23:56:46 	snort[48093]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
        
        

        but i was able to manually start snort

        1 Reply Last reply Reply Quote 0
        • C
          Cino last edited by

          found a bug with the alert gui, the alert file is being updated but the gui is not displaying it.
          EDIT: I copied the stable snort_alerts.php page and corrected the alert file it looking for
          snort_alerts.php

          
          .
           Copyright (C) 2003-2004 Manuel Kasper ```
          1 Reply Last reply Reply Quote 0
          • S
            sronsen last edited by

            Jamesdean,

            Thanks for letting me know that the issues are receiving attention.  I can be patient now knowing that the right guys are aware of the problem.

            1 Reply Last reply Reply Quote 0
            • C
              Cino last edited by

              the new pbi allows the block setting to be checked, but i haven't been able to test it yet

              can't stop snort from its package status page, using Services pages to restart…

              snort is unable to open rules..... not sure what the problem is, thinking the syntax or something

              
              snort[30707]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules||emerging-ciarmy.rules||emerging-compromised.rules||emerging-current_events.rules||emerging-dos.rules||emerging-drop.rules||emerging-dshield.rules||emerging-exploit.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-mobile_malware.rules||emerging-rbn-malvertisers.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-trojan.rules||emerging-virus.rules||emerging-worm.rules": No such file or directory.
              
              
              
              snort[35944]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules||snort_attack-responses.rules||snort_backdoor.rules": No such file or directory.
              
              
              1 Reply Last reply Reply Quote 0
              • C
                Cino last edited by

                latest fixes fixed the rule issue i was having

                other issues…  NETLIST isn't picking up IPv6 addresses for LAN or WAN interfaces... When manually added them to a NETLIST, its being ignored... Looks like it works with a WHITELIST but can't put IPv6 subnet in it, its ignored.

                Is there a way to turn off IPv6 in snort without rebuilding? It was working prior to 2.9.2.3, worked in 2.9.0.5. Turned the Block feature off for now..

                You already noted its a mess, but the block page isn't displaying anything.. Was able to tell via snort2c table

                1 Reply Last reply Reply Quote 0
                • J
                  jamesdean last edited by

                  If you are having "/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout" errors that meanse there is somthing corrupt
                  with your installation of snort.

                  Error may come from mixing am64 pfsense with 32 bit binaries.

                  Error may come from mixing snort pbi and snort tbz files.

                  I suggest you remove everything snort related or do a fresh pfSense OS install.

                  Robert

                  1 Reply Last reply Reply Quote 0
                  • C
                    Cino last edited by

                    noticed when i uncheck log alerts to system log, it still logs to the system log

                    1 Reply Last reply Reply Quote 0
                    • J
                      jamesdean last edited by

                      Thanks Cino.

                      I'll get to the "system log" issue when Im done with ipv6 support NETLISTS.

                      Robert

                      1 Reply Last reply Reply Quote 0
                      • C
                        Cino last edited by

                        @jamesdean:

                        Thanks Cino.

                        I'll get to the "system log" issue when Im done with ipv6 support NETLISTS.

                        Robert

                        Thanks Robert! No rush on this one ;-) As i find them, big or small; I'll report'em

                        Stephen

                        PS Jim found an issue with the builder for pbi, where certain options weren't being added during the build process. He has fixed it but now he has to rebuild all the pbi's.. Wondering if it will resolve the NETLIST issue when the next snort pbi is build

                        1 Reply Last reply Reply Quote 0
                        • S
                          SectorNine50 last edited by

                          This is really unimportant, but…

                          Is there any chance you can make add a /snort/index.php that redirects to the /index.php for pfSense?

                          Every time I'm in snort and I want to get back to my dashboard, I click the pfSense logo and get a "404 Not Found" error because the browser wants to stay in the /snort/ directory...

                          I guess I could do it myself, but figured it'd be nice to have in the package! :)

                          1 Reply Last reply Reply Quote 0
                          • D
                            DigitalDeviant last edited by

                            I'm running a fresh install of Snort-dev on 2.0.1-RELEASE (amd64) and nothing is showing under the blocked tab. /tmp/snort_blocked.cache seems to have the correct entries so I think it's blocking and just a GUI bug.

                            1 Reply Last reply Reply Quote 0
                            • C
                              Cino last edited by

                              @DigitalDeviant:

                              I'm running a fresh install of Snort-dev on 2.0.1-RELEASE (amd64) and nothing is showing under the blocked tab. /tmp/snort_blocked.cache seems to have the correct entries so I think it's blocking and just a GUI bug.

                              I reported this last week. its blocking, look at the snort2c table

                              1 Reply Last reply Reply Quote 0
                              • D
                                digdug3 last edited by

                                @SectorNine50:

                                This is really unimportant, but…

                                Is there any chance you can make add a /snort/index.php that redirects to the /index.php for pfSense?

                                Every time I'm in snort and I want to get back to my dashboard, I click the pfSense logo and get a "404 Not Found" error because the browser wants to stay in the /snort/ directory...

                                I guess I could do it myself, but figured it'd be nice to have in the package! :)

                                Doesn't this only happen when you have the widescreen package installed?

                                1 Reply Last reply Reply Quote 0
                                • C
                                  Cino last edited by

                                  @digdug3:

                                  @SectorNine50:

                                  This is really unimportant, but…

                                  Is there any chance you can make add a /snort/index.php that redirects to the /index.php for pfSense?

                                  Every time I'm in snort and I want to get back to my dashboard, I click the pfSense logo and get a "404 Not Found" error because the browser wants to stay in the /snort/ directory...

                                  I guess I could do it myself, but figured it'd be nice to have in the package! :)

                                  Doesn't this only happen when you have the widescreen package installed?

                                  I think your right. Works fine on 2.1 right now

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    SectorNine50 last edited by

                                    @digdug3:

                                    Doesn't this only happen when you have the widescreen package installed?

                                    Ah okay good to know!  Thanks.

                                    1 Reply Last reply Reply Quote 0
                                    • J
                                      judex last edited by

                                      Snort-dev seems to loose blocked hosts on 2.0.1 amd64.
                                      My blocking time is set to 3 hours. A host gets blocked correctly when a matching rule fires. Sometimes this host gets out of snort2c table even if there where multiple new alerts from the same host meanwhile. So it also seems that the remaining blocking time does not get updated after a new alert.

                                      Greets, Judex

                                      2.1-RELEASE (amd64)
                                      built on Wed Sep 11 18:17:48 EDT 2013
                                      FreeBSD 8.3-RELEASE-p11

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        judex last edited by

                                        It seems that snort-dev shuts down on the first alert after an automatic rule update. I observed that at leats twice.

                                        Here's the log:

                                        Jun 29 00:10:07 gatekeeper snort[62591]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Bad file descriptor
                                        Jun 29 00:10:07 gatekeeper kernel: em1: promiscuous mode disabled

                                        2.1-RELEASE (amd64)
                                        built on Wed Sep 11 18:17:48 EDT 2013
                                        FreeBSD 8.3-RELEASE-p11

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          Cino last edited by

                                          @judex:

                                          It seems that snort-dev shuts down on the first alert after an automatic rule update. I observed that at leats twice.

                                          Here's the log:

                                          Jun 29 00:10:07 gatekeeper snort[62591]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Bad file descriptor
                                          Jun 29 00:10:07 gatekeeper kernel: em1: promiscuous mode disabled

                                          I was testing whitelist changes today and enabled blocking, I'm seeing the same issues.

                                          Is there an issue with the pf patch that was applied?

                                          
                                          Jul 4 08:28:56 	snort[4839]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                                          Jul 4 08:28:56 	snort[4839]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                                          
                                          
                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            dwood last edited by

                                            attempted snort-dev install on two amd64 boxes.  Installation does not finish.  It hangs at "loading package information".

                                            Cheers,
                                            Dennis.

                                            1 Reply Last reply Reply Quote 0
                                            • J
                                              judex last edited by

                                              @dwood:

                                              attempted snort-dev install on two amd64 boxes.  Installation does not finish.  It hangs at "loading package information".

                                              Cheers,
                                              Dennis.

                                              +1

                                              2.1-RELEASE (amd64)
                                              built on Wed Sep 11 18:17:48 EDT 2013
                                              FreeBSD 8.3-RELEASE-p11

                                              1 Reply Last reply Reply Quote 0
                                              • marcelloc
                                                marcelloc last edited by

                                                It seems like php closure code that you used on snort.inc file is compatible only with php5.3(pfsense 2.1)
                                                $snort_calc_iface_subnet_list = function($int) use(&$home_net)

                                                Starting package snort-dev…
                                                Parse error: syntax error, unexpected T_FUNCTION in /usr/local/pkg/snort/snort.inc on line 183

                                                Treinamentos de Elite: http://sys-squad.com

                                                Help a community developer! ;D

                                                1 Reply Last reply Reply Quote 0
                                                • rcfa
                                                  rcfa last edited by

                                                  I get this error:

                                                  Warning: file_get_contents(/var/log/snort/59183_lagg0/alert): failed to open stream: No such file or directory in /usr/local/www/snort/snort_alerts.php on line 396

                                                  when I go to the Alerts tab (Services : Snort : Snort Alerts)

                                                  Rules are downloaded successfully, WAN interface is enabled for snort, but it ain't running.

                                                  Any ideas?

                                                  1 Reply Last reply Reply Quote 0
                                                  • First post
                                                    Last post