Netgate Discussion Forum

    Snort 2.9.3 v2.4.0 no alerts, no blocking…

    pfSense Packages
    • _igor_

      Updated snort, but now neither alerts nor blocking work. :(

      logs in /var/log/snort are empty.

      • eri--

        Just check to see that your rules and preprocessors are enabled.

        • Fesoj

          Updating the package and the rules works, but starting up fails with this message in the system logs:

          snort[10689]: FATAL ERROR: /usr/local/etc/snort/snort_2791_em0/snort.conf(120) => Failed to parse: No end brace found

          • vito

            same here

            • eri--

              Heh fixed the ssl port definition of ports.
              I had tested it with custom SSL ignore range.

              Anyway, in 15 minutes it will be safe to upgrade and the issue will be fixed.

              • eri--

                @miles267:

                ugh.  snort seems to get progressively worse with each build.  hasn't functioned reliably in months.  next time I get it to work, no way I'm updating again.  now:

                Thank you for helping in testing.

                • miles267

                  Updated to: Snort 2.9.2.3 pkg v. 2.4.1

                  Noticed that no matter what I enter into the If Settings > 'Advanced Configuration Pass Through' dialog box, it gets converted to a string of random characters.

                  For example, if I enter: portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] and SAVE.  When I go back, it will then display in the same dialog box:

                  cG9ydHZhciBGSUxFX0RBVEFfUE9SVFMgWyRIVFRQX1BPUlRTLDExMCwxNDNd

                  Also, despite entering: 443 563
                  into the Define SSL_IGNORE dialog box, snort still will not start.  And returns the following:

                  snort[26571]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(54) Missing argument to SSL_PORTS_IGNORE

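Added example (not part of any post above and not code from the Snort package): a Python pre-start check for the two fatal errors quoted in this thread, plus a test of whether a saved pass-through value is simply base64 of the text that was entered. `SAMPLE_CONF`, `lint_snort_conf` and `decode_passthrough` are hypothetical names, the sample config is constructed, and treating the line-54 error as a `portvar` with no value is an assumption.

```python
import base64
import binascii
import re

# Constructed sample reproducing both fatal errors quoted in this thread;
# it is not taken from a real pfSense-generated snort.conf.
SAMPLE_CONF = """\
portvar HTTP_PORTS [80,8080]
portvar SSL_PORTS_IGNORE
preprocessor ssl: ports { 443 563 \\
    , trustservers, noinspect_encrypted
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""

# Assumption: a variable line is "<var|ipvar|portvar> NAME VALUE".
VAR_RE = re.compile(r"^(?:var|ipvar|portvar)\s+(\S+)\s*(.*)$")


def lint_snort_conf(text):
    """Return (first_line_no, message) for statements with either defect."""
    findings, buf, start = [], "", 0
    for no, raw in enumerate(text.splitlines() + [""], 1):  # "" flushes buf
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continued statement
        start = start or no
        if line.endswith("\\"):  # trailing backslash continues the statement
            buf += line[:-1] + " "
            continue
        stmt, buf = buf + line, ""
        m = VAR_RE.match(stmt)
        if m and not m.group(2):
            findings.append((start, f"missing argument to {m.group(1)}"))
        for pair in ("{}", "[]"):
            if stmt.count(pair[0]) != stmt.count(pair[1]):
                findings.append((start, f"unbalanced {pair}"))
        start = 0
    return findings


def decode_passthrough(value):
    """Return the text if value is strict base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None  # not base64 (e.g. contains spaces) or not ASCII
    return text if text and text.isprintable() else None
```

Passing the string shown in the dialog box above to `decode_passthrough` returns the `portvar FILE_DATA_PORTS` line that was typed in, while the plain-text line itself returns `None`.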
                  • eri--

                    Fixed also.
                    Again, test after 15 minutes.

                    • miles267

                      @ermal:

                      Fixed also.
                      Again, test after 15 minutes.

                      OK - great.  Will there be a 2.4.2? or have you already fixed 2.4.1?  I've re-installed 2.4.1 as of 7:30 PM CT but the same issue persists.  Perhaps I updated too soon.

                      • Cino

                        install went well but snort isn't alerting. Usually a common port scan from https://www.grc.com/x/ne.dll?bh0bkyd2 will generate an alert

                        • eri--

                          Reinstall with the latest fixes; it should behave better.

                          • _igor_

                            Deinstalled snort, installed it newly, did a reboot after updating, snort started, but still no alerts nor blocking… :(
                            But all in all, the overhaul was great! Behaves much better!!!!

                            Edit: snort started reporting alerts, but still no blocking :(
