Snort 2.9.2.3 pkg v. 2.2.2 - No Alert Description
-
I also came from 2.2.1. How many instances of snort are running (pgrep snort), in case one instance is kind of blocking another one?
I doubt that it has any major influence, but I also changed the line (in file "/usr/local/pkg/snort/snort.inc")
$snort_rules_file = "snortrules-snapshot-2922.tar.gz";
to
$snort_rules_file = "snortrules-snapshot-2923.tar.gz";
to reflect the current version.
-
thanks, I will try it tomorrow.
-
I did what you told,
I checked the snort instances (pid) but there is no additional processes. I made the correction in snort.inc file and restarted the snort. But when snort blocked the ip, no alert description (in Blocked tab)
1 172.16.1.152 N\A
In 'Alerts' Tab, there is no alerts. If I change interface to lan, it comes back to Wan.
-
In 'Alerts' Tab, there is no alerts. If I change interface to lan, it comes back to Wan.
Yes, the interface is a bit stubborn. If there aren't any messages, it doesn't want to switch to LAN, but this is only GUI stuff.
The next thing to try is to deinstall and reinstall the entire package.
BTW, my pfSense2 system are all running on x86 Intel processors (32-bit) and I just checked whether snort works correctly on one of the boxes. It does. All the alerts I triggered were displayed with messages and I was blocked correctly (because I enabled blocking).
-
From last one month, every day morning I am doing the same work. As I am having standby box with Pfsense 1.2.3, I am using that for production and 2.0 box for testing snort.
During early updates, (snort 2.2.1), there was a setting to clear alert on removal of blocked host. I don't remember it correctly. But whenever I re-install the snort, my old settings are automatically restored.
Should I remove this setting (save settings for re install) and reinstall snort?
-
chowtamah,
see my thread http://forum.pfsense.org/index.php/topic,51217.0.html. I'd say the package probably needs some fixes, maybe some code restructuring to make updates more generic, and what works and what doesn't probably depends to a high degree on which rules you activate.
In your case it looks benefitial to reinstall the the package by not allowing to keep the settings after reinstallation. If Snort runs fine without any rules activated (and hopefully without any stuff left from previous installations), you can be sure your problem is related to specific rules (aka update related code). Then you can continue to add rules and see what happens.
-
Thanks Fesoj, tomorrow I will try it again.
–------------------------------------------
I re-installed snort after doing a uninstall.Now snort is - Snort 2.9.2.3 pkg v. 2.2.3, but the problem still continues. It blocks, but there are no alert descriptions.
After upgrading to this version (2.2.3), it is not downloading Emerging Threats rules.
-
same here: No emerging threats rules. Trying to redownload rules results in a message "Rules not up to date", "Emerging threats rules are up to date"
-
Trying to redownload rules results in a message "Rules not up to date", "Emerging threats rules are up to date"
I saw the same messages when I updated from 2.2.1. Did you remove the out of sync files from /usr/local/lib/snort/dynamicrules? The emerging threats rules work currently fine for me.
-
… since 2.3.2 ET no longer works.
-
Hello,
Please give this patch a try. I haven't tested it anywhere but my own system so as usual, USE AT YOUR OWN RISK. For patching information, please read: http://doc.pfsense.org/index.php/System_Patches. This should work with or without the "Ignore Whitespace" option enabled. Use 0 for "Path Strip Count" and /usr/local/www/snort/ for "Base Directory". Let me know if you find any problems.
UPDATE: Fixed a bug with $blocked_ips_array:
--- /usr/local/www/snort/snort_blocked.php.broken 2012-07-07 21:54:14.000000000 -0600 +++ /usr/local/www/snort/snort_blocked.php 2012-07-08 03:38:13.000000000 -0600 @@ -39,6 +39,7 @@ $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') $bnentries = '500'; @@ -69,7 +70,7 @@ exec('/bin/mkdir /tmp/snort_blocked'); exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); - $blocked_ips_array_save = str_replace(' ', '', explode("\n", file_get_contents('/tmp/snort_block.pf'))); + $blocked_ips_array_save = preg_replace("\s+", '', file('/tmp/snort_block.pf')); if ($blocked_ips_array_save[0] != '') { /* build the list */ @@ -131,7 +132,7 @@ function get_snort_alert_disc($fileline) { /* disc */ - if (preg_match("/[\*\*] ([.*]) (.*) ([\*\*])/", $fileline, $matches)) + if (preg_match("/[\*\*]\s+([[0-9:]+])\s+(.+)\s+([\*\*])/", $fileline, $matches)) $alert_disc = "$matches[2]"; return $alert_disc; @@ -282,27 +283,31 @@ /* set the arrays */ exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); - $blocked_ips_array = explode("\n", str_replace(' ', '', file_get_contents('/tmp/snort_block.cache'))); + $blocked_ips_array = preg_replace("/\s+/", '', file('/tmp/snort_block.cache')); if (!empty($blocked_ips_array)) { $input = array(); $alert_ip_src_array = array(); foreach (glob("/var/log/snort/*/alert") as $alert) { - $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert))); - if (!empty($alerts_array[0])) { + if ($pconfig['snortalertlogtype'] == 'full') { + $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert))); + } else { + $alerts_array = array_reverse(file($alert)); + } + if (!empty($alerts_array)) { /* build the list and compare blocks to alerts */ $counter = 0; foreach($alerts_array as $fileline) { + if (!empty($fileline)) { + $counter++; - $counter++; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); - - if (in_array("$alert_ip_src", $blocked_ips_array)) - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } } - } }
Original patch:--- /usr/local/www/snort/snort_blocked.php.broken 2012-07-07 21:54:14.000000000 -0600 +++ /usr/local/www/snort/snort_blocked.php 2012-07-07 22:46:54.000000000 -0600 @@ -39,6 +39,7 @@ $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') $bnentries = '500'; @@ -131,7 +132,7 @@ function get_snort_alert_disc($fileline) { /* disc */ - if (preg_match("/[\*\*] ([.*]) (.*) ([\*\*])/", $fileline, $matches)) + if (preg_match("/[\*\*]\s+([[0-9:]+])\s+(.+)\s+([\*\*])/", $fileline, $matches)) $alert_disc = "$matches[2]"; return $alert_disc; @@ -287,22 +288,26 @@ $input = array(); $alert_ip_src_array = array(); foreach (glob("/var/log/snort/*/alert") as $alert) { - $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert))); - if (!empty($alerts_array[0])) { + if ($pconfig['snortalertlogtype'] == 'full') { + $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert))); + } else { + $alerts_array = array_reverse(file($alert)); + } + if (!empty($alerts_array)) { /* build the list and compare blocks to alerts */ $counter = 0; foreach($alerts_array as $fileline) { + if (!empty($fileline)) { + $counter++; - $counter++; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); - - if (in_array("$alert_ip_src", $blocked_ips_array)) - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } } - } }
Sincerely,
10101000
-
Thanks, I will try this patch and Will come back.
-
Please note that I've updated the patch to fix a bug. See post: 273828.
Thanks
-
A8,
thanks for the patch. I've installed System: Patches, but testing your patch gives
Patch can be applied cleanly
which is good, but
Patch can NOT be reverted cleanly
which is probably bad. The details are:
Output of full patch revert test:
/usr/bin/patch –directory=/usr/local/www/snort/ -f -p0 -i /var/patches/4ff962e6d4837.patch --check --reverseHmm... Looks like a unified diff to me...
The text leading up to this was:-- /usr/local/www/snort/snort_blocked.php.broken 2012-07-07 21:54:14.000000000 -0600
+++ /usr/local/www/snort/snort_blocked.php 2012-07-08 03:38:13.000000000 -0600 Patching file /usr/local/www/snort/snort_blocked.php using Plan A... Hunk #1 failed at 39. Hunk #2 failed at 69. Hunk #3 failed at 131. Hunk #4 failed at 282. 4 out of 4 hunks failed--saving rejects to /usr/local/www/snort/snort_blocked.php.rej done Do I need to worry about this?
-
Gave it try this morning and its working for me. Thanks!
-
@Fesoj You don't need to worry about that because you didn't apply the patch. Once your apply, it will be the other way around
-
Cino,
thanx for the info–I just didn't want to run into more problems. Of course, deleting and reinstalling the package also doesn't take too much time.
The patch works for me as well. :)
-
Fesoj, whether this patch can be included in the next snort release?
-
It's not up to me to decide that. A8s patch seems to work, so it should be included to get the alert descriptions.
Unfortunately there is more to do to get snort running smoothly again. I am currently taking a crash course (coming from C/C++) on php in order to take care of some of the more peripheric issues myself and slowly learn more about the package. I have also started to setup a test environment for more experiments…
Maybe the ioctl error is currently the most severe problem. I cannot repeat it reliably yet, and it sometimes seems to be associated with a total freeze of the interface (so you can no longer log into the box, but existing connections are not affected).
-
installed 2.2.4 and added this patch.
Alert description have returned :-) Thank you for your efforts.
Cheers,
Dennis -
This patch on 2.2.4 (clean install, AMD64, 2.01) worked for me.
Descriptions in blocked IPs are back :-) Thanks again and as always for your efforts guys.
Cheers,
Dennis. -
Today reinstalled Snort 2.9.2.3 pkg v. 2.2.4,
In Blocked tab, Alert description still shows N/A.
But in Alerts tab, alerts are showing up.In Alerts tab, If I select Wan or Lan from the Instance to inspect, nothing shows up. If I click 'Alerts' tab again, list comes back.
I didn't tried the patch, as I could not install the System Patches package due to repository error. It shows, 'Unable to retrieve package info from www.pfsense.com. Cached data will be used.'
-
You do need the System Patches (or do a manual merge ;D).
I installed the package yesterday and all went well–-maybe it is a temporary problem.
The GUI Alert portion of the snort package still needs work. As described somewhere else in this forum, the php code that distinguishes the selected snort interface is incomplete. -
Applied the patch on v2.2.4 of snort and got back descriptions. Great work!!! Thx! :)
-
Today reinstalled Snort 2.9.2.3 pkg v. 2.2.4,
In Blocked tab, Alert description still shows N/A.
But in Alerts tab, alerts are showing up.In Alerts tab, If I select Wan or Lan from the Instance to inspect, nothing shows up. If I click 'Alerts' tab again, list comes back.
I didn't tried the patch, as I could not install the System Patches package due to repository error. It shows, 'Unable to retrieve package info from www.pfsense.com. Cached data will be used.'
Chowtamah,
Actually you can apply the patch from a terminal session. For this I've attached snort_blocked_patch.txt. To test that the patch is successful run:
patch -C -p0 -i snort_blocked_patch.txt
If no errors are output, perform the actual patch:
patch -p0 -i snort_blocked_patch.txt
I am happy to hear that this is working for most.
Thanks
-
I merged your regex into the 2.3.0 so please test if it fixes.
-
It seems like the Alert Descriptions changed from N/A to nothing. Also I'm now unable to save my suppression list. It just returns to the same form with no input in any of the fields.
-
Can you put from different people small part of your alert files?
They are in /var/log/snort* -
Thanks to 10101000, Fesoj and ermal for all your efforts.
I will test snort 2.3.0 and raise issues in cino's thread.
-
Alert Descriptions are shown on the alerts page, but not on blocked.
From /var/log/snort/snort_em033213/alert
[**] [1:2002157:10] ET POLICY Skype User-Agent detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/10-05:26:57.360499 MYIP:47603 -> 204.9.163.247:80 TCP TTL:50 TOS:0x0 ID:31437 IpLen:20 DgmLen:542 DF ***A**** Seq: 0x26B83575 Ack: 0x7AAE8D12 Win: 0x1FFE TcpLen: 20 [Xref => http://doc.emergingthreats.net/2002157] [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/10-05:26:57.597973 MYIP:14580 -> 78.141.177.158:80 TCP TTL:52 TOS:0x0 ID:13728 IpLen:20 DgmLen:538 DF ***AP*** Seq: 0xB70BDB31 Ack: 0x989F230F Win: 0x1FFE TcpLen: 20 [Xref => http://doc.emergingthreats.net/2002157] [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] 07/10-05:26:57.747503 MYIP:62744 -> 92.122.50.146:80 TCP TTL:55 TOS:0x0 ID:57600 IpLen:20 DgmLen:570 DF ***A**** Seq: 0x9C4E1C36 Ack: 0x4B26A476 Win: 0x3CC0 TcpLen: 32 [Xref => http://doc.emergingthreats.net/2002157] [**] [1:2406417:287] ET RBN Known Russian Business Network IP UDP (209) [**] [Classification: Misc Attack] [Priority: 2] 07/10-05:27:01.426947 46.21.146.190:51413 -> MYIP:64284 UDP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:58 DF Len: 30 [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork] [**] [1:2406823:287] ET RBN Known Russian Business Network IP UDP (412) [**] [Classification: Misc Attack] [Priority: 2] 07/10-05:27:14.971087 89.248.163.5:53340 -> MYIP:60685 UDP TTL:117 TOS:0x0 ID:6851 IpLen:20 DgmLen:58 Len: 30 [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork] [**] [1:2520104:1165] ET TOR Known Tor Exit Node TCP Traffic (53) [**] [Classification: Misc Attack] [Priority: 2] 07/10-05:28:31.199256 77.247.181.165:50103 -> MYIP:64284 TCP TTL:50 TOS:0x0 ID:48027 IpLen:20 DgmLen:52 DF ******S* Seq: 0x85AA7429 Ack: 0x0 Win: 0x16D0 TcpLen: 32 TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 10 [Xref => http://doc.emergingthreats.net/bin/view/Main/TorRules]
-
Alert Descriptions are shown on the alerts page, but not on blocked.
ditto.
Nevertheless, with some emerging threats rules enabled, my pfsense system is snorting (snort 2.9.2.3 pkg v. 2.3.0).
-
Thanks Ermal,
I presume that those with blank alerts have enabled FULL alert descriptions. The only problem that I can find at first glance is that "$pconfig['snortalertlogtype']" is not declared. This patch solves the problem.
--- /usr/local/www/snort/snort_blocked.php.broken 2012-07-10 23:01:18.000000000 -0600 +++ /usr/local/www/snort/snort_blocked.php 2012-07-10 23:27:11.000000000 -0600 @@ -38,6 +38,7 @@ $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; if (empty($pconfig['blertnumber'])) $bnentries = '500';
Sincerely,
10101000
-
What is the fix to get Alert Descriptions to properly display on the BLOCKED tab? ALERTS tab is populated, but BLOCKED tab should be showing an Alert Description adjacent to each blocked IP vs blank or NA.
-
Hi Miles, this time the problem is a simple typo. This should restore the blocked alert descriptions (for version 2.4.2):
--- /usr/local/www/snort/snort_blocked.php.broken 2012-07-12 14:38:45.000000000 -0600 +++ /usr/local/www/snort/snort_blocked.php 2012-07-12 14:43:41.000000000 -0600 @@ -38,7 +38,7 @@ $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; -$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; if (empty($pconfig['blertnumber'])) $bnentries = '500';
-
Hi Miles, this time the problem is a simple typo. This should restore the blocked alert descriptions (for version 2.4.2):
--- /usr/local/www/snort/snort_blocked.php.broken 2012-07-12 14:38:45.000000000 -0600 +++ /usr/local/www/snort/snort_blocked.php 2012-07-12 14:43:41.000000000 -0600 @@ -38,7 +38,7 @@ $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; -$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; if (empty($pconfig['blertnumber'])) $bnentries = '500';
Thank you for the patch. I've just applied and returned to Snort > BLOCKED tab and the Alert Descriptions are still missing from previously existing blocked IPs (prior to me applying the patch). Is this normal? Will alert descriptions only be available for net new blocked IPs?
-
Actually the snort blocked tab pulls the alert descriptions from matching entries inside the alerts log. If the alerts log has been cleared after an IP had been initially blocked (like upon package upgrade), this is why you don't see any alert descriptions. I would suggest using an online firewall test like GRC ShieldsUP to verify that newly blocked entries display the alert description.
-
10101000, I apologize - was an error on my part. I installed the System Patches package and copied your fix but failed to APPLY it :-) Since I've applied the fix and run the GR Shields Up test, the alert descriptions have been restored. Thanks again!
Is there any chance they will incorporate your fix into the snort package?
-
Please reinstall again!
You need a new snort binary for the alerts to be displayed correctly. -
@ermal:
Please reinstall again!
You need a new snort binary for the alerts to be displayed correctly.OK - since removing and reinstalling the latest snort package, the alert descriptions have returned to being N/A. Doesn't appear 10101000's patch has been included within the latest binary unfortunately. I suppose I can try to reapply his patch once more. Could you please correct this blank/NA alert description functionality for Blocked IPs in the next build? Thanks.
EDIT: I attempted to apply his latest system patch and it doesn't qualify to be applied.