Snort 2.9.2.3 pkg v. 2.3.0 Issue Thread



  • A couple of issues I've noticed that are still pending, but I figured I would start a new thread.

    Snort GUI:
    The status icon shows if Snort is running, but the red/green status has been removed. Can this be brought back? It was really the only way you could tell if barnyard2 was running or not.

    Alerts Page:
    Doesn't display the Alert Description. There was a patch for the last version, but it doesn't work with the latest changes.
    Please add this patch: http://forum.pfsense.org/index.php/topic,51168.msg274405.html#msg274405

    Interface GUI:
    Please add the light grey background. White is blinding.

    Suppress List:
    Page is not saving, and my first line gets a double tab from the old settings I had. Missing Snort menu tab; have to go back to Services: Snort.
    Adding a rule to the suppress list (or simply saving the list) adds a space at the first line, so the first line walks to the right side.
    Font size is too small to read.

    Cron Job Issue:
    After every install/reinstall, you have to save the Global Settings and Interface page (with Blocked Enabled) for the Cron job to be created. Is there a way to fix it so the package does a check automatically to see if that setting is set?

    barnyard2:
    Doesn't start on system reboot; have to manually stop and start within the Snort GUI. Stopping doesn't kill the barnyard2 process, and it starts another one up when you restart.
    The Services GUI kills all snort/barnyard2 processes but doesn't start the barnyard2 process when you restart or start.

    P.S Will Snort 2.3.x have IPv6 support or will that be 3.x that Robert is working on?

    As always, thank you for your work :-)



  • Wow. Just when I said I'd never update snort again, I went and updated to 2.3.0 and now it won't even start:

    snort[53318]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(154) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

    Is there no QA done on these releases? ;-)



  • @miles267:

    snort[53318]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(154) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

    Same issue; enabling the http_inspect preprocessor adds a line like:

    
    preprocessor http_inspect: global /usr/local/etc/snort, iis_unicode_map unicode.map 1252 
    
    

    And snort fails to load with error:
    snort[44013]: FATAL ERROR: /usr/local/etc/snort/snort_xxx/snort.conf(xxx) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.



  • Fixed, apart from IPv6 for now.



  • @zinger:

    @miles267:

    snort[53318]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(154) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

    Same issue; enabling the http_inspect preprocessor adds a line like:

    
    preprocessor http_inspect: global /usr/local/etc/snort, iis_unicode_map unicode.map 1252 
    
    

    And snort fails to load with error:
    snort[44013]: FATAL ERROR: /usr/local/etc/snort/snort_xxx/snort.conf(xxx) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

    Same issue here.

    Quick fix for now:

    Change the file /usr/local/pkg/snort/snort.inc,
    line 1555:

    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
    

    line 1614:

    preprocessor ftp_telnet: global \
    

    A couple of minutes of testing: barnyard2 has 3 instances running, the blocked page doesn't have descriptions, and only the icon shows if snort is running. The interface page has the grey background, but what happened to the suppress page? The font is really tiny (at least to me), and there is a space on the first line that I can't seem to remove after saving, but I am able to save new lines.

    I only did a couple of minutes of testing. I'll go through everything sometime tomorrow and report back. Thanks again.
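    The workaround above edits the generator in snort.inc. As an added example (not code from the pfSense Snort package or from the posters), the script below works on the other end: it detects the malformed `preprocessor http_inspect: global /usr/local/etc/snort, ...` line in an already generated snort.conf, strips the stray path token that Snort rejects as an "Invalid keyword" for the global section, and optionally test-parses the result with `snort -T`. The function names, the regex and the sample config are constructed for this illustration.

```sh
#!/bin/sh
# Added example, not part of the pfSense Snort package. Repairs the
# http_inspect "global <path>," line the thread shows the 2.3.0 package
# writing; everything named here is constructed for illustration.

# The broken shape: "global" directly followed by a path and a comma.
BAD_GLOBAL_RE='^preprocessor http_inspect: global /[^ ,]*,'

# Exit 0 if the file contains the malformed line, 1 otherwise.
has_bad_http_inspect_global() {
    grep -Eq "$BAD_GLOBAL_RE" "$1"
}

# Rewrite in place (keeping a .bak copy) and print how many lines changed.
# Only the stray "<path>," token is removed; the remaining keywords stay.
fix_http_inspect_global() {
    conf="$1"
    count=$(grep -Ec "$BAD_GLOBAL_RE" "$conf" || true)
    if [ "$count" -gt 0 ]; then
        sed -i.bak -E 's#^(preprocessor http_inspect: global) /[^ ,]*, *#\1 #' "$conf"
    fi
    echo "$count"
}

# Parse-test the repaired file with Snort 2.9.x's -T flag (assumes snort
# is on PATH). Returns 0 on success, 2 if snort is not installed, else
# snort's own exit code.
snort_config_test() {
    command -v snort >/dev/null 2>&1 || return 2
    snort -T -c "$1" >/dev/null 2>&1
}

# Demo on a constructed sample that mirrors the line quoted in the thread.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
preprocessor http_inspect: global /usr/local/etc/snort, iis_unicode_map unicode.map 1252
preprocessor ftp_telnet: global \
    inspection_type stateful
EOF
if has_bad_http_inspect_global "$demo_conf"; then
    echo "malformed http_inspect global line found; repairing"
    fix_http_inspect_global "$demo_conf"
    grep '^preprocessor http_inspect' "$demo_conf"
fi
rm -f "$demo_conf" "$demo_conf.bak"
```

    Run it against a real instance directory (e.g. the `snort_<id>_<iface>/snort.conf` path from the error message) only after backing up the file; the package regenerates snort.conf on every save, so the repair is temporary until the generator itself is fixed.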



  • Missed those.
    I am not sure about the small font; all looks good to me?

    Or do you mean inside the textarea?



  • @ermal:

    Missed those.
    I am not sure about the small font; all looks good to me?

    Or do you mean inside the textarea?

    Inside the textarea/textbox on the Suppression list edit page. It's now set to

    
    .formpre {
        font-family: Courier New,Courier,monospaced;
        font-size: 10px;
    }
    
    

    It used to be

    
    .formpre {
        font-family: arial;
        font-size: 1.1em;
    }
    
    

    ..I think.



  • Looking a lot better. Uninstalled, removed any trace of snort from the hard drive, installed, updated rules, and guess what, it started with no errors =D

    I think I found what the issue is with barnyard2 not stopping. It doesn't stop for anything now. It's creating a PID file like this: barnyard2_39737_em339737.pid, when I think the code is looking to stop barnyard2_em339737.pid. I think the PID file should be 'barnyard2_em3_39737.pid'.

    I'll do some more testing later, but hopefully other users will report their findings.

    Thanks again!!!
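    The failure mode described in that post is a stop script looking for one pid file name while the daemon writes another, so "stop" kills nothing and the next "start" spawns a second instance. As an added example (not the package's rc code or anything from the thread), the helper below resolves the pid file for an interface by trying the candidate names mentioned above, checks whether the recorded pid is still alive before signalling it, and removes a stale pid file rather than leaving it for the next start to trip over. The directory layout, the three name patterns and the function names are assumptions for this illustration.

```sh
#!/bin/sh
# Added example, not the pfSense Snort package's own start/stop code.
# Candidate pid file names are taken from the thread; the rest is
# constructed for illustration.

# Print the first existing pid file for <dir> <iface> <uuid>, or fail.
find_barnyard2_pidfile() {
    dir="$1"; iface="$2"; uuid="$3"
    for f in "$dir/barnyard2_${iface}_${uuid}.pid" \
             "$dir/barnyard2_${uuid}_${iface}${uuid}.pid" \
             "$dir/barnyard2_${iface}${uuid}.pid"; do
        if [ -f "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Read a pid file and report whether that pid is alive.
# Exit codes: 0 live, 1 stale (file present but no such process), 2 no file.
barnyard2_pid_state() {
    pidfile="$1"
    [ -f "$pidfile" ] || return 2
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && return 0
    return 1
}

# Stop barnyard2 for an interface. A stale pid file is removed instead of
# being left behind, so a following "start" does not think it is running.
stop_barnyard2() {
    pf=$(find_barnyard2_pidfile "$1" "$2" "$3") || { echo "no pidfile"; return 1; }
    if barnyard2_pid_state "$pf"; then
        kill "$(tr -cd '0-9' < "$pf")" && rm -f "$pf" && echo "stopped"
    else
        rm -f "$pf" && echo "removed stale pidfile"
    fi
}

# Demo on a constructed run directory with a stale pid file using the
# mismatched name from the thread (pid 2147483647 will not exist).
demo_dir=$(mktemp -d)
echo 2147483647 > "$demo_dir/barnyard2_39737_em339737.pid"
echo "pidfile: $(find_barnyard2_pidfile "$demo_dir" em3 39737)"
stop_barnyard2 "$demo_dir" em3 39737
rm -rf "$demo_dir"
```

    The liveness check matters beyond this bug: a pid file left over from an unclean shutdown can point at an unrelated process after pids wrap, and signalling it blindly is how a stop script ends up killing something else.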



  • I think I found the issue with the barnyard2 pid file.
    Just reinstall snort after 15 minutes and check it out.

    Thank you for the testing.
    But after this cleanup more things are manageable with less effort.



  • That did it for barnyard2! Able to stop and start via the Snort GUI and Services. Haven't tried a reboot yet, but since Services uses /usr/local/etc/rc.d/snort.sh as well, I would think it would work also.

    I'll have to do a deep dive later, but I think it's all small stuff... but:

    I see now on the Snort Interface page that Barnyard2 is shaded red when it's turned off and white when it's enabled. Could it be green when it's enabled? Also, can we do the same for the interface? Don't know if it should go under the 'If' or 'Snort' column. It was under 'If', but to keep it the same as barnyard2, I would put it under 'Snort'. I don't know; you decide what is easier and looks more functional.

    Thank you for getting barnyard2 working correctly.



  • Tested upgrading from v2.2.4 to v2.3.0 on AMD64 works without any problems.
    As soon as everything works I will upgrade my production machine from Snort 2.9.1 pkg v. 2.1.1 (AMD64) to this version.

    As Cino said, I too would prefer green/red colors, just like the stop and play buttons.



  • Aside from the problems listed in the original post, version 2.3.0 is running smoothly for myself. For a quick "blocked alerts description" fix see post 274405.

    Thanks for the hard work Ermal!



  • I've crossed out what has been resolved on the first post and added some…

    @10101000 your patch worked for me.. thank you



  • Cron Job Issue:
    After every install/reinstall, you have to save the Global Settings and Interface page (with Blocked Enabled) for the Cron job to be created. Is there a way to fix it so the package does a check automatically to see if that setting is set?

    Maybe, if the Global Settings were saved, automatically update the rules after a package update before starting Snort.



  • If you have more than a single snort interface running, only the message of the 1st instance can be cleared (already described somewhere else). I noticed some code changes in snort_alert.php, but the code does not work correctly.

    It looks as if the state of the settings is not properly maintained. $instanceid does receive the correct value, but after hitting the clear button the value is back to its default value 0 before the clear action gets executed, so other interfaces never get a chance to get rid of their messages (to study this behavior I am dumping some diagnostics into a temporary file).

    Not being familiar with PHP, I'd say the problem is due to the way PHP scripts get initialized and executed: after hitting a button like "Clear", you're essentially back to a fresh page. With the proper knowledge this can probably be fixed easily.



  • With this version the Emerging Threats rules are working for me, but the Snort rules don't.

    I did some tests with the p2p rules, and the Snort rules neither generated alerts nor did blocking work.



  • In 2.4.0 all these issues should be solved, apart from the colors on the interface page.





  • On and off, snort quits when it tries to block an IP:

    
    Jul 11 14:24:32 	snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
    Jul 11 14:24:32 	snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
    
    


  • That is rather awkward.
    Can you identify the line that caused that? In alerts?



  • The alert at 14:24:

    
    2 	2 	UDP 	ET SCAN Sipvicious User-Agent Detected (friendly-scanner) 	Attempted Information Leak 	98.172.131.198 	5071 	-> 	x.x.x.x 	5060 	1:2011716:3 	07/11-14:24:32
    3 	2 	UDP 	ET SCAN Sipvicious User-Agent Detected (friendly-scanner) 	Attempted Information Leak 	98.172.131.198 	5067 	-> 	x.x.x.x 	5060 	1:2011716:3 	07/11-09:07:36
    
    

    Going to update to 2.4.1 shortly, but this kind of issue I would think is because of the binary.



  • Is this after a snort soft restart (with HUP signal)?

