Snort 2.9.3 v2.4.0 no alerts, no blocking…
-
updated snort, but now no alerts nor blocking works. :(
logs in /var/log/snort are empty.
-
Just check to see that your rules and preprocessors are enabled.
-
Updating the package and the rules work, but starting up fails with this message in the system logs:
snort[10689]: FATAL ERROR: /usr/local/etc/snort/snort_2791_em0/snort.conf(120) => Failed to parse: No end brace found
-
same here
-
Heh, fixed the SSL port definition of ports.
I had tested it with a custom SSL ignore range. Anyway, in 15 minutes it will be safe to upgrade and the issue will be fixed.
-
ugh. snort seems to get progressively worse with each build. hasn't functioned reliably in months. next time I get it to work, no way I'm updating again. now:
Thank you for helping in testing.
-
Updated to: Snort 2.9.2.3 pkg v. 2.4.1
Noticed that no matter what I enter into the If Settings > 'Advanced Configuration Pass Through' dialog box, it gets converted to a string of random characters.
For example, if I enter: portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] and SAVE. When I go back, it will then display in the same dialog box:
cG9ydHZhciBGSUxFX0RBVEFfUE9SVFMgWyRIVFRQX1BPUlRTLDExMCwxNDNd
Also, despite entering: 443 563
into the Define SSL_IGNORE dialog box, snort still will not start. And returns the following:
snort[26571]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(54) Missing argument to SSL_PORTS_IGNORE
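Added example, not part of the original posts and not the package's own code: the string quoted from the dialog box above is the Base64 encoding of the text that was entered, and a small pre-flight check over a generated snort.conf can flag the two kinds of fatal error quoted in this thread before Snort is restarted. The function names and the sample config are constructed for illustration, and mapping "No end brace found" to an unclosed `[` in a variable list is an assumption made from the error text.

```python
import base64
import re

# Value displayed in the dialog box, as quoted in the post above.
STORED = "cG9ydHZhciBGSUxFX0RBVEFfUE9SVFMgWyRIVFRQX1BPUlRTLDExMCwxNDNd"


def decode_passthrough(stored: str) -> str:
    """Return the plain text behind a Base64-encoded pass-through value."""
    return base64.b64decode(stored, validate=True).decode("utf-8")


# var / portvar / ipvar declarations: keyword, name, optional value.
DECL = re.compile(r"^(var|portvar|ipvar)\s+(\S+)\s*(.*)$")


def lint_snort_conf(text: str) -> list:
    """Return (line number, problem) pairs for variable declarations.

    Simplified check (assumption): a declaration with no value, or with an
    unclosed '[' list, is reported. Snort's real parser does much more.
    """
    problems = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = DECL.match(line)
        if not m:
            continue
        _kind, name, value = m.groups()
        if not value:
            problems.append((num, f"missing argument to {name}"))
        elif value.count("[") != value.count("]"):
            problems.append((num, f"unbalanced brackets in {name}"))
    return problems


# Constructed sample config, not taken from a real installation.
SAMPLE_CONF = """\
portvar HTTP_PORTS [80,8080]
portvar SSL_PORTS_IGNORE
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143
portvar SSL_PORTS [443,563]
"""

if __name__ == "__main__":
    print(decode_passthrough(STORED))
    for num, problem in lint_snort_conf(SAMPLE_CONF):
        print(f"snort.conf({num}): {problem}")
```

Snort's own test mode (`snort -T -c` followed by the path to snort.conf) remains the authoritative check; this lint only covers the two messages seen in the thread.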
-
Fixed also.
Again test after 15 minutes.
-
@ermal:
Fixed also.
Again test after 15 minutes.
OK - great. Will there be a 2.4.2? Or have you already fixed 2.4.1? I've re-installed 2.4.1 as of 7:30 PM CT but the same issue persists. Perhaps I updated too soon.
-
install went well but snort isn't alerting. Usually a common port scan from https://www.grc.com/x/ne.dll?bh0bkyd2 will generate an alert
-
Reinstall with the latest fixes; it should behave better.
-
deinstalled snort, installed it newly, did a reboot after updating, snort started, but still no alerts nor blocking… :(
But all in all the overhaul was great! Behaves much better!!!!
edit: snort started reporting alerts, but still no blocking :(