Snort 2.9.2.3 pkg v. 2.4.2 Issues



  • I just updated to 2.9.2.3 pkg v. 2.4.2. Installation worked fine. ET rules seem to work for me, but the alert messages seem to be scrambled, i.e. instead of p2p related messages (because I enabled the p2p rules), I got some vague gzip related message. I've seen that before. Blocking is working, though no alert descriptions in the "Blocked" tab.

    I haven't tested the Snort rules yet.



  • Can you put the alert file here and tell me if it's full alert style logging or fast?



  • Things I've noticed with the latest version:

    1. Going to interface settings -> categories, click on a category -> "no rules found" and when you return to categories none are selected. If you save, snort makes a new interface.

    2. There's some code poking through the top of the categories page:

    
    ";
    
    
    1. I'm not seeing anything blocked by snort or ET rules, only PSNG_-stuff.

    2. White list doesn't seem to whitelist my WAN IP at all. Custom whitelist with all options checked (ADD WAN IP, etc) doesn't seem to whitelist my WAN IP correctly. From the alert:

    
    [**] [122:22:1] PSNG_UDP_FILTERED_DECOY_PORTSCAN [**]
    [Classification: Attempted Information Leak] [Priority: 2] 
    07/12-13:22:47.715290 66.8.211.46 -> my wan ip
    PROTO:255 TTL:114 TOS:0x0 ID:18376 IpLen:20 DgmLen:171
    
    

    Edit:

    1. Interface settings -> Home net and External net drop-down menus list default and my whitelist lists, which I'm fairly sure weren't there before.

    2. Old issues with Suppress page, adding a space at the start of the main textbox and small font.



  • Hi ermal,

    I'll be out of town for a couple of hours. When I'm back I'll check the system again and post the messages and the relevant parts of the system log.

    Also, trying to clear the alert messages currently freezes the GUI (actually the interface, but existing connections are not affected).



  • ermal,

    here are some screenshots, more to come.






  • Life would be sooo boring without snort testing:

    2.4.2 kicked me completely out after installation. I did not even start it. After the rule update my VPN connection dropped.
    Let's see what surprises arise when I get back home.



  • Pressing the start/stop button on the interface page doesn't stop snort or barnyard.



  • 1.) 2.4.2 log returns the following error:

    snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.

    The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):

    FILE_DATA_PORTS [$HTTP_PORTS,110,143]

    2.) if I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc) when I attempt to start the interface, it returns the following error:

    snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE

    3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank



  • @miles267:

    1.) 2.4.2 log returns the following error:

    snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.

    The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):

    FILE_DATA_PORTS [$HTTP_PORTS,110,143]

    2.) if I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc) when I attempt to start the interface, it returns the following error:

    snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE

    3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank

    snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE

    I had the same error; someone suggested that commas are now required even though it says spaces. This corrected the problem.



  • The cron jobs are not being created for either of these functions:

    1. Update rules automatically

    2. Remove blocked hosts every

    The old trick of selecting never, saving, then reselecting a time does not work either.



  • And, another thing, if I can help.

    Using the same rules/configuration, Snort now eats about 20-25% of CPU; before it was about 4-5%. I don't know if it's only me or whether other users are experiencing that too.

    Thanks,
    Michele



  • @mschiek01:

    @miles267:

    1.) 2.4.2 log returns the following error:

    snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.

    The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):

    FILE_DATA_PORTS [$HTTP_PORTS,110,143]

    2.) if I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc) when I attempt to start the interface, it returns the following error:

    snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE

    3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank

    snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE

    I had the same error; someone suggested that commas are now required even though it says spaces. This corrected the problem.

    Thank you.  This resolved the SSL_IGNORE issue.  Hope they update the UI to explain that commas are now REQUIRED.



  • I have problems with the suppression list. When auto blocking is disabled on the interface it starts fine, but when I enable auto blocking I get this error.

    FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
    

    here is my suppression list

     suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 31
    suppress gen_id 119, sig_id 32
    suppress gen_id 120, sig_id 3
    suppress gen_id 120, sig_id 6
    suppress gen_id 120, sig_id 8
    suppress gen_id 120, sig_id 10
    suppress gen_id 122, sig_id 26
    suppress gen_id 137, sig_id 1
    

    (every time I save this it gets one more leading space)

    greetz



  • Issues:

    1.) Alert Descriptions are now blank on the BLOCKED tab

    2.) Snort doesn't appear to be referencing the WHITELIST and/or SUPPRESS rules.  For example, Snort is currently blocking my internet gateway IP for the first time ever.  Despite adding both a suppress rule for the PORTSWEEP (it's reporting from my router) and adding the gateway IP to the WHITELIST, snort keeps adding it back to the BLOCKED tab.



  • @HOD:

    I have problems with the suppression list. When auto blocking is disabled on the interface it starts fine, but when I enable auto blocking I get this error.

    FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
    

    here is my suppression list

     suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 31
    suppress gen_id 119, sig_id 32
    suppress gen_id 120, sig_id 3
    suppress gen_id 120, sig_id 6
    suppress gen_id 120, sig_id 8
    suppress gen_id 120, sig_id 10
    suppress gen_id 122, sig_id 26
    suppress gen_id 137, sig_id 1
    

    (every time I save this it gets one more leading space)

    greetz

    I concur - same behavior on my system with 2.4.2.



  • I am not experiencing the fatal error messages that are reported here. I have 2 interfaces defined, non-default whitelists and different suppression lists for each interface. I have attached the associated system logs for the startup procedure of each interface. There is nothing really unusual (except that there are duplicated lines and a minor warning).

    I've been very careful lately when I update the package. First, I stop all running snort instances, then I deinstall the package. Then I check for any remaining debris (find / -name 'snort*'; the latest deinstall procedure works fine, though), then and only then do I install the updated package, followed by a rule update. Maybe this helps a bit to sort out things.

    I cannot confirm the high CPU load that mdima reported.

    The next thing to look at will be a normal client session, followed by a malicious session that should trigger blocking. Once I'll have done that, I'll report.

    system-wan.txt
    system-lan.txt



  • I always tell snort to retain the configuration on uninstall (global, checkbox) when upgrading from one version to the next.  Is this not a good practice?  While it usually works, lately it may be causing the nightmares.  Just trying to avoid manually entering suppress, settings and whitelists, redefining categories by interface, etc.



  • I always tell snort to retain the configuration on uninstall (global, checkbox) when upgrading from one version to the next.  Is this not a good practice?

    I am doing the same, no problems so far.



  • Updated today and still no blocking nor alerts. Snort itself starts without "problems". Snort logs are empty.

    I'm retaining my config between updates too, never had any problem with it.



  • At least I'm not alone in that practice of retaining configuration from one version to another.  Has anyone figured out a fix for blank alert descriptions on the BLOCKED tab?  Mine only shows an IP with no alert description.  Hasn't included a description for the past several months.  Thanks.



  • … I started a client session with simple internet access (no p2p offenses, etc). On the server I disabled blocking, just in case, and because I wanted to study the normal reporting. After a few seconds the client connection was dead and on the pfsense box one of the interfaces went down with the well known system log message:

    snort[53641]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device

    Is this Kafkaesque or just plain good old Greek mythology? I mean the story about Σίσυφος who was Aeolus of Thessaly's and Enarete's son.



  • No blocking could be caused by a broken libpcap package.



  • @_igor_:

    Updated today and still no blocking nor alerts. Snort itself starts without "problems". Snort logs are empty.

    I'm retaining my config between updates too, never had any problem with it.

    I'm having the same issue.

    I have a custom NETLIST so it includes the cable modem private subnet; my config file isn't picking it up, normally it would be under HOME_NET. I've noticed the Whitelist interface doesn't allow you to pick from NETLIST or WHITELIST. Shouldn't that be there?

    Noticed the home_net doesn't include WAN or gateway IPs either.

    my snort.conf btw

    
    # snort configuration file
    # generated automatically by the pfSense subsystems do not modify manually
    
    # Define Local Network  #
    var HOME_NET [209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24]
    var EXTERNAL_NET [!$HOME_NET]
    
    # Define Rule Paths #
    var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules
    var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
    
    # Define Servers  #
    var DNS_SERVERS [$HOME_NET]
    var SMTP_SERVERS [$HOME_NET]
    var HTTP_SERVERS [$HOME_NET]
    var WWW_SERVERS [$HOME_NET]
    var SQL_SERVERS [$HOME_NET]
    var TELNET_SERVERS [$HOME_NET]
    var SNMP_SERVERS [$HOME_NET]
    var FTP_SERVERS [$HOME_NET]
    var SSH_SERVERS [$HOME_NET]
    var POP_SERVERS [$HOME_NET]
    var IMAP_SERVERS [$HOME_NET]
    var SIP_PROXY_IP [$HOME_NET]
    var SIP_SERVERS [$HOME_NET]
    var RPC_SERVERS [$HOME_NET]
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    
    # Define Server Ports  #
    portvar DNS_PORTS [53]
    portvar SMTP_PORTS [25]
    portvar MAIL_PORTS [25,143,465,691]
    portvar HTTP_PORTS [80]
    portvar ORACLE_PORTS [1521]
    portvar MSSQL_PORTS [1433]
    portvar TELNET_PORTS [23]
    portvar SNMP_PORTS [161]
    portvar FTP_PORTS [21]
    portvar SSH_PORTS [22]
    portvar POP2_PORTS [109]
    portvar POP3_PORTS [110]
    portvar IMAP_PORTS [143]
    portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
    portvar SIP_PORTS [5060:5090,16384:32768]
    portvar AUTH_PORTS [113]
    portvar FINGER_PORTS [79]
    portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
    portvar SMB_PORTS [139,445]
    portvar NNTP_PORTS [119]
    portvar RLOGIN_PORTS [513]
    portvar RSH_PORTS [514]
    portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
    portvar SSL_PORTS_IGNORE [443,465,563,636,989,990,992,993,994,995]
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    portvar SHELLCODE_PORTS [!80]
    portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
    portvar DCERPC_NCACN_IP_TCP [139,445]
    portvar DCERPC_NCADG_IP_UDP [138,1024:]
    portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
    portvar DCERPC_NCACN_UDP_LONG [135,1024:]
    portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
    portvar DCERPC_NCACN_TCP [2103,2105,2107]
    portvar DCERPC_BRIGHTSTORE [6503,6504]
    
    # Configure the snort decoder  #
    config checksum_mode: all
    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_ttcp_alerts
    config disable_tcpopt_alerts
    config disable_ipopt_alerts
    config disable_decode_drops
    
    # Configure the detection engine  #
    config detection: search-method ac-bnfa max_queue_events 5
    config event_queue: max_queue 8 log 3 order_events content_length
    
    #Configure dynamic loaded libraries
    dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
    dynamicengine directory /usr/local/lib/snort/dynamicengine
    dynamicdetection directory /usr/local/lib/snort/dynamicrules
    
    # Flow and stream #
    preprocessor frag3_global: max_frags 8192
    preprocessor frag3_engine: policy bsd detect_anomalies
    
    preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
    preprocessor stream5_tcp: policy BSD, ports both all
    preprocessor stream5_udp:
    preprocessor stream5_icmp:
    
    # Performance Statistics #
    preprocessor perfmonitor: time 300 file /var/log/snort/snort_em339737/em3.stats pktcnt 10000
    
    # HTTP Inspect  #
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
    
    preprocessor http_inspect_server: server default \
                            ports  { 80 8080 }  \
                            non_strict \
                            non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                            flow_depth 0  \
                            apache_whitespace no \
                            directory no \
                            iis_backslash no \
                            u_encode yes \
    			extended_response_inspection \
    			inspect_gzip \
    			normalize_utf \
    			normalize_javascript \
    			unlimited_decompress \
                            ascii no \
                            chunk_length 500000 \
                            bare_byte yes \
                            double_decode yes \
                            iis_unicode no \
                            iis_delimiter no \
                            multi_slash no
    
    # Other preprocs #
    preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    preprocessor bo
    
    # ftp preprocessor  #
    preprocessor ftp_telnet: global \
    inspection_type stateless
    
    preprocessor ftp_telnet_protocol: telnet \
       normalize \
       ayt_attack_thresh 200
    
    preprocessor ftp_telnet_protocol: \
        ftp server default \
        def_max_param_len 100 \
        ports { 21 } \
        ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
        ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
        ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
        ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
        ftp_cmds { FEAT CEL CMD MACB } \
        ftp_cmds { MDTM REST SIZE MLST MLSD } \
        ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
        alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
        alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
        alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
        alt_max_param_len 256 { RNTO CWD } \
        alt_max_param_len 400 { PORT } \
        alt_max_param_len 512 { SIZE } \
        chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
        chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
        chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
        chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
        chk_str_fmt { FEAT CEL CMD } \
        chk_str_fmt { MDTM REST SIZE MLST MLSD } \
        chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
        cmd_validity MODE < char ASBCZ > \
        cmd_validity STRU < char FRP > \
        cmd_validity ALLO < int [ char R int ] > \
        cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
        cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
        cmd_validity PORT < host_port >
    
    preprocessor ftp_telnet_protocol: ftp client default \
       max_resp_len 256 \
       bounce yes \
       telnet_cmds yes
    
    # SMTP preprocessor #
    preprocessor SMTP: \
        ports { 25 465 691 } \
        inspection_type stateful \
        normalize cmds \
        valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
    CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
        normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
    PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
        max_header_line_len 1000 \ 
        max_response_line_len 512 \
        alt_max_command_line_len 260 { MAIL } \
        alt_max_command_line_len 300 { RCPT } \
        alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
        alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
        alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
        alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
        alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
        xlink2state { enable }
    
    # sf Portscan  #
    preprocessor sfportscan: scan_type { all } \
                             proto  { all } \
                             memcap { 10000000 } \
                             sense_level { medium } \
                             ignore_scanners { $HOME_NET }
    
    # DCE/RPC 2   #
    preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
    preprocessor dcerpc2_server: default, policy WinXP, \
        detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
        autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
        smb_max_chain 3
    
    # DNS preprocessor #
    preprocessor dns: \
        ports { 53 } \
        enable_rdata_overflow
    
    # Ignore SSL and Encryption  #
    preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted
    
    # Snort Output Logs #
    output unified: filename snort_39737_em3.log, limit 128
    output alert_full: alert
    
    output unified2: filename snort_39737_em3.u2, limit 128
    output alert_pf: /usr/local/etc/snort/snort_39737_em3/MainWhiteList,snort2c,src,kill
    
    # Misc Includes #
    include /usr/local/etc/snort/snort_39737_em3/reference.config
    include /usr/local/etc/snort/snort_39737_em3/classification.config
    
    include /usr/local/etc/snort/snort_39737_em3/MainSuppressList
    
    # Snort user pass through configuration
    
    # Rules Selection #
    include $RULE_PATH/snort_attack-responses.rules
    include $RULE_PATH/snort_bad-traffic.so.rules
    include $RULE_PATH/emerging-attack_response.rules
    include $RULE_PATH/snort_backdoor.rules
    include $RULE_PATH/emerging-botcc.rules
    include $RULE_PATH/snort_bad-traffic.rules
    include $RULE_PATH/snort_blacklist.rules
    include $RULE_PATH/snort_exploit.so.rules
    include $RULE_PATH/emerging-ciarmy.rules
    include $RULE_PATH/snort_botnet-cnc.rules
    include $RULE_PATH/emerging-compromised.rules
    include $RULE_PATH/emerging-current_events.rules
    include $RULE_PATH/snort_content-replace.rules
    include $RULE_PATH/snort_misc.so.rules
    include $RULE_PATH/snort_ddos.rules
    include $RULE_PATH/emerging-dos.rules
    include $RULE_PATH/snort_dos.rules
    include $RULE_PATH/emerging-dshield.rules
    include $RULE_PATH/emerging-exploit.rules
    include $RULE_PATH/snort_exploit.rules
    include $RULE_PATH/snort_specific-threats.so.rules
    include $RULE_PATH/snort_web-client.so.rules
    include $RULE_PATH/snort_web-misc.so.rules
    include $RULE_PATH/emerging-malware.rules
    include $RULE_PATH/emerging-misc.rules
    include $RULE_PATH/emerging-mobile_malware.rules
    include $RULE_PATH/snort_indicator-compromise.rules
    include $RULE_PATH/snort_indicator-obfuscation.rules
    include $RULE_PATH/snort_misc.rules
    include $RULE_PATH/emerging-rpc.rules
    include $RULE_PATH/emerging-scan.rules
    include $RULE_PATH/emerging-shellcode.rules
    include $RULE_PATH/snort_other-ids.rules
    include $RULE_PATH/snort_phishing-spam.rules
    include $RULE_PATH/emerging-trojan.rules
    include $RULE_PATH/emerging-user_agents.rules
    include $RULE_PATH/emerging-virus.rules
    include $RULE_PATH/emerging-web_client.rules
    include $RULE_PATH/emerging-worm.rules
    include $RULE_PATH/snort_scan.rules
    include $RULE_PATH/snort_shellcode.rules
    include $RULE_PATH/snort_specific-threats.rules
    include $RULE_PATH/snort_spyware-put.rules
    include $RULE_PATH/snort_virus.rules
    include $RULE_PATH/snort_web-attacks.rules
    include $RULE_PATH/snort_web-client.rules
    include $RULE_PATH/snort_web-misc.rules
    
    

    PS: Neither the block nor the update-rules cron jobs are created. I've re-saved every page.



  • Cino you are missing
    include $PREPROC_RULE_PATH/preprocessor.rules
    include $PREPROC_RULE_PATH/decoder.rules

    Probably from issues of install reinstalling!?

    I also fixed your issue of cronjobs.

    For all the others having issues with blocking please whenever you have system log of 'unable to parse', get the file under the /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.

    Also the HOME_NET issue has been fixed.



  • Thanks Ermal! Next time I'll read the whole config file  ;)

    I'm thinking it's from all the (de)(re)installing…

    I did uninstall... search/delete anything referencing snort, then install... I may just wipe my config out altogether and start fresh if it happens again.



  • Also the HOME_NET issue has been fixed.

    After your latest update snort chokes on

    snort[360n0]: FATAL ERROR: /usr/local/etc/snort/snort_n7n1_em0/snort.conf(6) Failed to parse the IP address: [1n7.0.0.1,1nn.168.1n0.n1/3n,1nn.168.1n0.nn/3n,1nn.168.nn.0/nn,1nn.168.10.0/nn1nn.168.1n0.101/nn,1nn.168.n.1/nn,1nn.168.1n0.1,n17.n37.1n0.11n,n17.n37.1n1.n0n].

    I've replaced some numbers by n. This is essentially the default whitelist augmented by some ips and other local subnets.



  • ermal,

    looks like a very minor thing. I just compared the HOME_NET strings for different interfaces and in case of a modified HOME_NET there is a separator (,) missing when the modified ips/nets are added to the default settings.

    UPDATE: looks as if one of the ".=" concatenations in function snort_build_list() in snort.inc is responsible for this one.



  • Also, I did notice that the ALERT DESCRIPTION field on the Snort BLOCKED (tab) is displaying N/A instead of a blank field.  Although this is an improvement, how can the functionality be restored to display the actual alert description text?  In my global settings, I have this set to FULL, which did display correctly some time ago.  Thanks.



  • @miles267:

    Also, I did notice that the ALERT DESCRIPTION field on the Snort BLOCKED (tab) is displaying N/A instead of a blank field.  Although this is an improvement, how can the functionality be restored to display the actual alert description text?  In my global settings, I have this set to FULL, which did display correctly some time ago.  Thanks.

    That means that the IP is in the table and not in the alerts file.



  • @Fesoj:

    ermal,

    looks like a very minor thing. I just compared the HOME_NET strings for different interfaces and in case of a modified HOME_NET there is a separator (,) missing when the modified ips/nets are added to the default settings.

    UPDATE: looks as if one of the ".=" concatenations in function snort_build_list() in snort.inc is responsible for this one.

    Fixed, update after 15 minutes and should be ok.



  • If you are using an augmented home net, the interface doesn't start.

    The problem is possibly the line 105 in /usr/local/pkg/snort/snort.inc:

    $home_net .= trim($whitelist['address'])
    

    which should be replaced by

    $home_net .= trim($whitelist['address']) . ' ';

    i.e. the concatenated string should be terminated by a space (so that the array building stuff at the end of the function works properly).
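    A pre-flight check for the generated snort.conf and suppress list, written as an added example (not code from the pfSense snort package or from anyone in this thread). It flags the HOME_NET separator bug discussed in the last few posts (two networks fused into one token, as in the "Failed to parse the IP address" error above), the SSL_PORTS_IGNORE comma requirement from earlier in the thread, and suppress lines that picked up leading whitespace; all sample input is constructed, and build_home_net() shows the comma-joined list the fix intends rather than patching snort.inc itself.

```python
"""Pre-flight checks for a pfSense-generated snort.conf and suppress list.
Added example, not part of the pfSense snort package. Flags the defects
reported in this thread: HOME_NET entries fused by the missing separator
(e.g. 192.168.10.0/24192.168.120.101/32), space- instead of comma-separated
port lists, and suppress lines with leading whitespace or a missing comma."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample input; the HOME_NET line reproduces the separator bug.
SAMPLE_CONF = """\
# snort configuration file
var HOME_NET [127.0.0.1,10.0.0.0/8,192.168.10.0/24192.168.120.101/32,192.168.5.1/24]
var EXTERNAL_NET [!$HOME_NET]
portvar HTTP_PORTS [80]
portvar SSL_PORTS_IGNORE [443 563 995]
portvar SIP_PORTS [5060:5090,16384:32768]
"""
# Constructed suppress list; line 1 carries the stray leading space the GUI adds.
SAMPLE_SUPPRESS = """\
 suppress gen_id 119, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 137 sig_id 1
"""

VAR_RE = re.compile(r"^\s*(var|portvar)\s+(\w+)\s+\[([^\]]*)\]\s*$", re.M)
PORT_RE = re.compile(r"^(\d+|\d+:\d*|:\d+)$")  # single port or range
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+\d+,\s*sig_id\s+\d+"
    r"(,\s*track\s+by_(src|dst),\s*ip\s+\S+)?$"
)

def var_entries(conf: str, name: str) -> List[str]:
    """Entries of `var NAME [...]` or `portvar NAME [...]`, split on commas."""
    for m in VAR_RE.finditer(conf):
        if m.group(2) == name:
            return [e.strip() for e in m.group(3).split(",") if e.strip()]
    return []

def bad_home_net_entries(conf: str) -> List[str]:
    """HOME_NET entries that are not a valid address, CIDR or $VAR reference."""
    bad = []
    for entry in var_entries(conf, "HOME_NET"):
        tok = entry.lstrip("!")
        if tok.startswith("$"):
            continue  # variable reference, resolved by Snort
        try:
            ipaddress.ip_network(tok, strict=False)  # host bits set is fine
        except ValueError:
            bad.append(entry)  # e.g. two CIDRs fused by a missing comma
    return bad

def bad_port_entries(conf: str, name: str) -> List[str]:
    """Entries of a portvar that Snort's port-list grammar would not accept."""
    bad = []
    for entry in var_entries(conf, name):
        tok = entry.lstrip("!")
        if tok.startswith("$"):
            continue
        if not PORT_RE.match(tok) or any(int(p) > 65535 for p in re.findall(r"\d+", tok)):
            bad.append(entry)  # e.g. "443 563 995" typed with spaces
    return bad

def bad_suppress_lines(text: str) -> List[Tuple[int, str]]:
    """(line number, reason) for suppress lines with leading whitespace or bad syntax."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line != line.lstrip():
            problems.append((n, "leading whitespace"))
            line = line.lstrip()
        if not SUPPRESS_RE.match(line):
            problems.append((n, "malformed suppress line"))
    return problems

def build_home_net(defaults: List[str], extra: List[str]) -> str:
    """HOME_NET line as the fix intends: one comma-joined list, duplicates dropped."""
    seen: List[str] = []
    for net in defaults + extra:
        net = net.strip()
        if net and net not in seen:
            seen.append(net)
    return "var HOME_NET [" + ",".join(seen) + "]"

if __name__ == "__main__":
    print("HOME_NET problems:", bad_home_net_entries(SAMPLE_CONF))
    print("SSL_PORTS_IGNORE problems:", bad_port_entries(SAMPLE_CONF, "SSL_PORTS_IGNORE"))
    print("suppress problems:", bad_suppress_lines(SAMPLE_SUPPRESS))
    print(build_home_net(["127.0.0.1", "10.0.0.0/8"], ["192.168.10.0/24"]))
```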





  • @ermal:

    Cino you are missing
    include $PREPROC_RULE_PATH/preprocessor.rules
    include $PREPROC_RULE_PATH/decoder.rules

    Probably from issues of install reinstalling!?

    I also fixed your issue of cronjobs.

    For all the others having issues with blocking please whenever you have system log of 'unable to parse', get the file under the /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.

    Also the HOME_NET issue has been fixed.

    I still do not see the cron jobs being created.



  • neyn, you allowed for string interpolation, which is not necessary here.  ;)



  • With "Blocking" enabled, the system still freezes. I guess it is the old ioctl problem, but I still need to verify this.



  • Well, blocking triggers

    snort[15653]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device

    so, currently, blocking should be disabled.



  • Also, you can still not clear alert messages for interfaces other than the first one.

    If nobody minds, I'd like to hand in my quick&dirty solution tomorrow…



  • @ermal:

    Cino you are missing
    include $PREPROC_RULE_PATH/preprocessor.rules
    include $PREPROC_RULE_PATH/decoder.rules

    I also fixed your issue of cronjobs.

    Also the HOME_NET issue has been fixed.

    I removed my interface config and built a new one… they still aren't there. Cron looks fixed; noticed a new cron job for a file I haven't seen before, have to check that out. HOME_NET looks good so far... still testing

    
    # snort configuration file
    # generated automatically by the pfSense subsystems do not modify manually
    
    # Define Local Network  #
    var HOME_NET [127.0.0.1,10.0.0.0/8,x.x.x.x/22,192.168.0.1/24,192.168.200.1/32,172.16.50.1/32,192.168.5.1/24,x.x.x.x,209.18.47.61,209.18.47.62,192.168.200.0/24,192.168.50.0/24,172.16.50.0/24,192.168.60.0/24,172.16.60.0/24]
    var EXTERNAL_NET [!$HOME_NET]
    
    # Define Rule Paths #
    var RULE_PATH /usr/local/etc/snort/snort_60770_em3/rules
    var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
    
    # Define Servers  #
    var DNS_SERVERS [$HOME_NET]
    var SMTP_SERVERS [$HOME_NET]
    var HTTP_SERVERS [$HOME_NET]
    var WWW_SERVERS [$HOME_NET]
    var SQL_SERVERS [$HOME_NET]
    var TELNET_SERVERS [$HOME_NET]
    var SNMP_SERVERS [$HOME_NET]
    var FTP_SERVERS [$HOME_NET]
    var SSH_SERVERS [$HOME_NET]
    var POP_SERVERS [$HOME_NET]
    var IMAP_SERVERS [$HOME_NET]
    var SIP_PROXY_IP [$HOME_NET]
    var SIP_SERVERS [$HOME_NET]
    var RPC_SERVERS [$HOME_NET]
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    
    # Define Server Ports  #
    portvar DNS_PORTS [53]
    portvar SMTP_PORTS [25]
    portvar MAIL_PORTS [25,143,465,691]
    portvar HTTP_PORTS [80]
    portvar ORACLE_PORTS [1521]
    portvar MSSQL_PORTS [1433]
    portvar TELNET_PORTS [23]
    portvar SNMP_PORTS [161]
    portvar FTP_PORTS [21]
    portvar SSH_PORTS [22]
    portvar POP2_PORTS [109]
    portvar POP3_PORTS [110]
    portvar IMAP_PORTS [143]
    portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
    portvar SIP_PORTS [5060:5090,16384:32768]
    portvar AUTH_PORTS [113]
    portvar FINGER_PORTS [79]
    portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
    portvar SMB_PORTS [139,445]
    portvar NNTP_PORTS [119]
    portvar RLOGIN_PORTS [513]
    portvar RSH_PORTS [514]
    portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
    portvar SSL_PORTS_IGNORE [443,465,563,636,989,990,992,993,994,995]
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    portvar SHELLCODE_PORTS [!80]
    portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
    portvar DCERPC_NCACN_IP_TCP [139,445]
    portvar DCERPC_NCADG_IP_UDP [138,1024:]
    portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
    portvar DCERPC_NCACN_UDP_LONG [135,1024:]
    portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
    portvar DCERPC_NCACN_TCP [2103,2105,2107]
    portvar DCERPC_BRIGHTSTORE [6503,6504]
    
    # Configure the snort decoder  #
    config checksum_mode: all
    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_ttcp_alerts
    config disable_tcpopt_alerts
    config disable_ipopt_alerts
    config disable_decode_drops
    
    # Configure the detection engine  #
    config detection: search-method ac-bnfa max_queue_events 5
    config event_queue: max_queue 8 log 3 order_events content_length
    
    #Configure dynamic loaded libraries
    dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
    dynamicengine directory /usr/local/lib/snort/dynamicengine
    dynamicdetection file /usr/local/lib/snort/dynamicrules/bad-traffic.so
    dynamicdetection file /usr/local/lib/snort/dynamicrules/exploit.so
    dynamicdetection file /usr/local/lib/snort/dynamicrules/misc.so
    dynamicdetection file /usr/local/lib/snort/dynamicrules/specific-threats.so
    dynamicdetection file /usr/local/lib/snort/dynamicrules/web-client.so
    dynamicdetection file /usr/local/lib/snort/dynamicrules/web-misc.so
    
    # Flow and stream #
    preprocessor frag3_global: max_frags 8192
    preprocessor frag3_engine: policy bsd detect_anomalies
    
    preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
    preprocessor stream5_tcp: policy BSD, ports both all
    preprocessor stream5_udp:
    preprocessor stream5_icmp:
    
    # Performance Statistics #
    preprocessor perfmonitor: time 300 file /var/log/snort/snort_em360770/em3.stats pktcnt 10000
    
    # HTTP Inspect  #
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
    
    preprocessor http_inspect_server: server default \
                            ports  { 80 8080 }  \
                            non_strict \
                            non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                            flow_depth 0  \
                            apache_whitespace no \
                            directory no \
                            iis_backslash no \
                            u_encode yes \
                            extended_response_inspection \
                            inspect_gzip \
                            normalize_utf \
                            normalize_javascript \
                            unlimited_decompress \
                            ascii no \
                            chunk_length 500000 \
                            bare_byte yes \
                            double_decode yes \
                            iis_unicode no \
                            iis_delimiter no \
                            multi_slash no
    
    # Other preprocs #
    preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    
    # Back Orifice
    preprocessor bo
    
    # ftp preprocessor  #
    preprocessor ftp_telnet: global \
    inspection_type stateless
    
    preprocessor ftp_telnet_protocol: telnet \
       normalize \
       ayt_attack_thresh 200
    
    preprocessor ftp_telnet_protocol: \
        ftp server default \
        def_max_param_len 100 \
        ports { 21 } \
        ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
        ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
        ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
        ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
        ftp_cmds { FEAT CEL CMD MACB } \
        ftp_cmds { MDTM REST SIZE MLST MLSD } \
        ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
        alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
        alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
        alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
        alt_max_param_len 256 { RNTO CWD } \
        alt_max_param_len 400 { PORT } \
        alt_max_param_len 512 { SIZE } \
        chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
        chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
        chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
        chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
        chk_str_fmt { FEAT CEL CMD } \
        chk_str_fmt { MDTM REST SIZE MLST MLSD } \
        chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
        cmd_validity MODE < char ASBCZ > \
        cmd_validity STRU < char FRP > \
        cmd_validity ALLO < int [ char R int ] > \
        cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
        cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
        cmd_validity PORT < host_port >
    
    preprocessor ftp_telnet_protocol: ftp client default \
       max_resp_len 256 \
       bounce yes \
       telnet_cmds yes
    
    # SMTP preprocessor #
    preprocessor SMTP: \
        ports { 25 465 691 } \
        inspection_type stateful \
        normalize cmds \
        valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
    CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
        normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
    PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
        max_header_line_len 1000 \
        max_response_line_len 512 \
        alt_max_command_line_len 260 { MAIL } \
        alt_max_command_line_len 300 { RCPT } \
        alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
        alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
        alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
        alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
        alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
        xlink2state { enable }
    
    # sf Portscan  #
    preprocessor sfportscan: scan_type { all } \
                             proto  { all } \
                             memcap { 10000000 } \
                             sense_level { medium } \
                             ignore_scanners { $HOME_NET }
    
    # DCE/RPC 2   #
    preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
    preprocessor dcerpc2_server: default, policy WinXP, \
        detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
        autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
        smb_max_chain 3
    
    # DNS preprocessor #
    preprocessor dns: \
        ports { 53 } \
        enable_rdata_overflow
    
    # Ignore SSL and Encryption  #
    preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted
    
    # Snort Output Logs #
    output unified: filename snort_60770_em3.log, limit 128
    output alert_full: alert
    
    output unified2: filename snort_60770_em3.u2, limit 128
    output alert_pf: /usr/local/etc/snort/snort_60770_em3/MainWhiteList,snort2c,src,kill
    
    # Misc Includes #
    include /usr/local/etc/snort/snort_60770_em3/reference.config
    include /usr/local/etc/snort/snort_60770_em3/classification.config
    
    include /usr/local/etc/snort/snort_60770_em3/MainSuppressList
    
    # Snort user pass through configuration
    
    # Rules Selection #
    include $RULE_PATH/snort_attack-responses.rules
    include $RULE_PATH/snort_bad-traffic.so.rules
    include $RULE_PATH/emerging-attack_response.rules
    include $RULE_PATH/snort_backdoor.rules
    include $RULE_PATH/emerging-botcc.rules
    include $RULE_PATH/snort_bad-traffic.rules
    include $RULE_PATH/snort_blacklist.rules
    include $RULE_PATH/snort_exploit.so.rules
    include $RULE_PATH/emerging-ciarmy.rules
    include $RULE_PATH/snort_botnet-cnc.rules
    include $RULE_PATH/emerging-compromised.rules
    include $RULE_PATH/emerging-current_events.rules
    include $RULE_PATH/snort_content-replace.rules
    include $RULE_PATH/snort_misc.so.rules
    include $RULE_PATH/snort_ddos.rules
    include $RULE_PATH/emerging-dos.rules
    include $RULE_PATH/snort_dos.rules
    include $RULE_PATH/emerging-dshield.rules
    include $RULE_PATH/emerging-exploit.rules
    include $RULE_PATH/snort_exploit.rules
    include $RULE_PATH/snort_specific-threats.so.rules
    include $RULE_PATH/snort_web-client.so.rules
    include $RULE_PATH/snort_web-misc.so.rules
    include $RULE_PATH/emerging-misc.rules
    include $RULE_PATH/emerging-mobile_malware.rules
    include $RULE_PATH/snort_indicator-compromise.rules
    include $RULE_PATH/snort_misc.rules
    include $RULE_PATH/emerging-rpc.rules
    include $RULE_PATH/emerging-scan.rules
    include $RULE_PATH/emerging-shellcode.rules
    include $RULE_PATH/snort_other-ids.rules
    include $RULE_PATH/snort_phishing-spam.rules
    include $RULE_PATH/emerging-trojan.rules
    include $RULE_PATH/emerging-user_agents.rules
    include $RULE_PATH/emerging-virus.rules
    include $RULE_PATH/emerging-web_client.rules
    include $RULE_PATH/emerging-worm.rules
    include $RULE_PATH/snort_scan.rules
    include $RULE_PATH/snort_shellcode.rules
    include $RULE_PATH/snort_specific-threats.rules
    include $RULE_PATH/snort_spyware-put.rules
    include $RULE_PATH/snort_virus.rules
    include $RULE_PATH/snort_web-attacks.rules
    include $RULE_PATH/snort_web-client.rules
    include $RULE_PATH/snort_web-misc.rules
    
    

    Overall it's looking good, thanks again for this package re-write.



  • @ermal:

    @miles267:

    Also, I did notice that the ALERT DESCRIPTION field on the Snort BLOCKED (tab) is displaying N/A instead of a blank field.  Although this is an improvement, how can the functionality be restored to display the actual alert description text?  In my global settings, I have this set to FULL, which did display correctly some time ago.  Thanks.

    That means that the ip is in the table and not in the alerts file

    What does this mean – in the table and not in the alert file? Doesn't the info in the alerts tab map to an IP listed in the BLOCKED tab?  In the past, I've always had Alert Descriptions populated with actual full details as opposed to N/A or blank.  Please elaborate for education.  Thanks.



  • Getting this on AMD64 2.0.1 with a clean install of 2.4.2:

    Jul 12 21:34:54 php: /snort/snort_interfaces.php: Interface Rule START for CABLE(re1)…
    Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.
    Jul 12 21:34:54 snort[8220]: FATAL ERROR: /usr/local/etc/snort/snort_7680_re1/snort.conf(101) Maximum number of loaded libriaries of this dynamic library type exceeded: 16.

    Snort exits on this.

    If I uncheck a few .so rules (love the new categories interface!) Snort will start.  Is this by design?

    Cheers,
    Dennis.
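    Two of the start-up failures discussed in this thread can be caught before Snort is launched: the 16-library cap on `dynamicdetection` shared objects from Dennis's FATAL ERROR above, and a line-continuation backslash followed by trailing whitespace (as in the `max_header_line_len` line of the SMTP block quoted earlier), which Snort does not treat as a continuation, so the following physical line is read as a new, unknown directive. The pre-flight lint below is an added example written for this thread; it is not code from the pfSense Snort package or from Snort itself. The value 16 is taken from the quoted error message, the keyword list is an assumption (not exhaustive), and the sample configuration is constructed, not the poster's file.

```python
"""Pre-flight lint for a Snort 2.9 snort.conf (added example, not pfSense/Snort code)."""
import re

MAX_DYNAMIC_DETECTION_LIBS = 16  # limit quoted in the FATAL ERROR message above

# Keywords a snort.conf logical line may start with (assumed list, not exhaustive).
TOP_LEVEL = {
    "var", "ipvar", "portvar", "config", "preprocessor", "output", "include",
    "dynamicpreprocessor", "dynamicengine", "dynamicdetection", "threshold",
    "suppress", "event_filter", "rate_filter", "ruletype", "alert", "log",
    "pass", "drop", "sdrop", "reject", "activate", "dynamic",
}

TRAILING_WS_AFTER_BACKSLASH = re.compile(r"\\[ \t]+$")


def logical_lines(text):
    """Join backslash-continued physical lines into (first_line_no, text) pairs.

    Only a backslash that is the very last character continues a line; a backslash
    followed by spaces or tabs ends the logical line, mirroring the defect lint() reports.
    """
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf.append(raw[:-1].strip())
            continue
        buf.append(raw.strip())
        out.append((start, " ".join(p for p in buf if p)))
        buf, start = [], None
    if buf:
        out.append((start, " ".join(p for p in buf if p)))
    return out


def bad_continuations(text):
    """Physical line numbers where a backslash is followed only by whitespace."""
    return [n for n, raw in enumerate(text.splitlines(), start=1)
            if TRAILING_WS_AFTER_BACKSLASH.search(raw)]


def dynamic_detection_files(text):
    """Paths given to 'dynamicdetection file' directives, in order of appearance."""
    files = []
    for _, line in logical_lines(text):
        toks = line.split()
        if len(toks) >= 3 and toks[0] == "dynamicdetection" and toks[1] == "file":
            files.append(toks[2])
    return files


def unknown_directives(text):
    """(line_no, first_token) for non-comment logical lines starting with an unknown keyword."""
    bad = []
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        first = line.split()[0].rstrip(":")
        if first not in TOP_LEVEL:
            bad.append((n, first))
    return bad


def lint(text, max_libs=MAX_DYNAMIC_DETECTION_LIBS):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = [f"line {n}: backslash followed by whitespace is not a continuation"
                for n in bad_continuations(text)]
    findings += [f"line {n}: unknown directive '{tok}' (orphaned continuation?)"
                 for n, tok in unknown_directives(text)]
    libs = dynamic_detection_files(text)
    if len(libs) > max_libs:
        findings.append(f"{len(libs)} dynamicdetection libraries exceed the limit of "
                        f"{max_libs}; disable {len(libs) - max_libs} .so rule categories")
    return findings


# Constructed sample: 17 .so rule libraries plus the trailing-space continuation defect.
SAMPLE_CONF = (
    "config checksum_mode: all\n"
    "dynamicengine directory /usr/local/lib/snort/dynamicengine\n"
    + "".join(f"dynamicdetection file /usr/local/lib/snort/dynamicrules/cat{i}.so\n"
              for i in range(17))
    + "preprocessor SMTP: \\\n"
    "    ports { 25 465 691 } \\\n"
    "    max_header_line_len 1000 \\ \n"
    "    max_response_line_len 512 \\\n"
    "    xlink2state { enable }\n"
)

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

    Run it against the generated `/usr/local/etc/snort/snort_<id>_<if>/snort.conf` before starting the daemon; `dynamicdetection directory` lines also count toward the cap but cannot be counted without reading the directory, so they are left to Snort.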

