Snort 2.9.3 v2.4.0 no alerts, no blocking…

_igor_

updated snort, but now no alerts nor blocking works. :(

logs in /var/log/snort are empty.

eri--

Just check to see that your rules and preprocessors are enabled.

Fesoj

Updating the package and the rules work, but starting up fails with this message in the system logs:

snort[10689]: FATAL ERROR: /usr/local/etc/snort/snort_2791_em0/snort.conf(120) => Failed to parse: No end brace found

vito

same here

eri--

Heh fixed the ssl port definition of ports.
I had tested it with custom SSL ignore range.

Anyway in 15 minutes will be safe to upgrade and issue will be fixed.

eri--

@miles267:

ugh.  snort seems to get progressively worse with each build.  hasn't functioned reliably in months.  next time I get it to work, no way I'm updating again.  now:

Thank you for helping in testing.

miles267

Updated to: Snort 2.9.2.3 pkg v. 2.4.1

Noticed that no matter what I enter into the If Settings > 'Advanced Configuration Pass Through' dialog box, it gets converted to a string of random characters.

For example, if I enter: portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] and SAVE.  When I go back, it will then display in the same dialog box:

cG9ydHZhciBGSUxFX0RBVEFfUE9SVFMgWyRIVFRQX1BPUlRTLDExMCwxNDNd

Also, despite entering: 443 563
into the Define SSL_IGNORE dialog box, snort still will not start.  And returns the following:

snort[26571]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(54) Missing argument to SSL_PORTS_IGNORE

eri--

Fixed also.
Again test after 15minutes.

miles267

@ermal:

Fixed also.
Again test after 15minutes.

OK - great.  Will there be a 2.4.2? or have you already fixed 2.4.1?  I've re-installed 2.4.1 as of 7:30 PM CT but the same issue persists.  Perhaps I updated too soon.

Cino

install went well but snort isn't alerting. Usually a common port scan from https://www.grc.com/x/ne.dll?bh0bkyd2 will generate an alert

eri--

Reinstall with latest fixes it should behave better.

_igor_

deinstalled snort, installed it newly, did a reboot after updating, snort started, but still no alerts nor blocking… :(
But at all the overhaul was great! Behaves much better!!!!

edit: snort started reporting alerts, but still no blocking :(