Netgate Discussion Forum
    Snort 2.9.2.3 pkg v. 2.4.2 Issues

pfSense Packages
    116 Posts 19 Posters 33.5k Views
eri--

@HOD:

I did a complete reinstall of snort (10 min ago) and I have the same error as in my last post.

snort[23088]: FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument

@ermal:

For all the others having issues with blocking: whenever you have a system log of 'unable to parse', get the file under /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.

cat /usr/local/etc/snort/snort_18407_pppoe0/whitlsit
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1

greetz HOD

EDIT: my system: 2.0.1-RELEASE (amd64), Snort 2.9.2.3 pkg v. 2.4.2

This should have been fixed also.
HOD, can you confirm that you have the same name for the suppress and whitelist selected?
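The whitelist file HOD posted holds suppress directives rather than IP addresses, which is what the whitelist loader rejects when the suppress list and the whitelist end up under the same name. The following Python check, added here and not code from the thread or the pfSense snort package, classifies each line of a whitelist file and reports suppress lines; the sample contents are constructed from the lines posted above, and the handling of comment lines is an assumption.

```python
import ipaddress
import re

# Constructed from the file posted in the thread: suppress directives,
# which belong in the suppress list, ended up in the whitelist file.
SAMPLE_WHITELIST = "suppress gen_id 119, sig_id 2\nsuppress gen_id 120, sig_id 3\n"

# Constructed example of what the whitelist loader expects: one IP address
# or CIDR network per line (comment lines are an assumption, not from the thread).
SAMPLE_GOOD = "# trusted hosts\n192.0.2.10\n10.0.0.0/8\n\n2001:db8::/32\n"

SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+\d+\s*,\s*sig_id\s+\d+")

def classify_line(line):
    """Return 'blank', 'comment', 'address', 'suppress' or 'invalid'."""
    text = line.strip()
    if not text:
        return "blank"
    if text.startswith("#"):
        return "comment"
    if SUPPRESS_RE.match(text):
        return "suppress"
    try:
        ipaddress.ip_network(text, strict=False)  # host or CIDR, v4 or v6
        return "address"
    except ValueError:
        return "invalid"

def check_whitelist(contents):
    """Return (ok, problems); problems lists (line_no, kind, text) for every
    line the whitelist loader would reject."""
    problems = []
    for line_no, line in enumerate(contents.splitlines(), start=1):
        kind = classify_line(line)
        if kind in ("suppress", "invalid"):
            problems.append((line_no, kind, line.strip()))
    return (not problems, problems)

def diagnose(contents):
    """One-line verdict: a whitelist full of suppress lines points at the
    suppress list and whitelist sharing a name, as ermal asks HOD to check."""
    ok, problems = check_whitelist(contents)
    if ok:
        return "whitelist OK"
    if any(kind == "suppress" for _, kind, _ in problems):
        return "whitelist contains suppress directives: check the suppress list and whitelist names"
    return "whitelist has %d invalid line(s)" % len(problems)
```

Run `diagnose()` on the file under /usr/local/etc/snort/snort_*/ before restarting the interface to see whether the file is a whitelist or a mis-named suppress list.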
dhatz

Ermal, I'm happy to finally see you working on the Snort package.

Could you provide some info about how Snort interfaces with PF in order to provide IPS functionality (i.e. to auto-block offending IPs)? When I last checked some weeks ago, it seemed that both SnortSam and your enhanced version of spoink were enabled.
Cino

@simby:

Where are all the snort rules? I have only 10-15 and I have a premium account :(

I don't have a premium account, but we are missing a lot of rules and all the shared .so ones.
mdima

Hi Ermal,
just updated. If I have problems again I will report it.

Btw, I confirm that I lost half of the snort.org rules after the update.

Thanks,
Michele
breusshe

@mschiek01:

@miles267:

1.) 2.4.2 log returns the following error:

snort[62803]: FATAL ERROR: /usr/local/etc/snort/snort_60243_em3/snort.conf(235) Unknown rule type: FILE_DATA_PORTS.

The only entry in my Advanced Config Pass Through dialog box is as follows (on both WAN and LAN interfaces):

FILE_DATA_PORTS [$HTTP_PORTS,110,143]

2.) If I enter any ports into the Define SSL_Ignore box (for example: 443 563 995 etc.), when I attempt to start the interface it returns the following error:

snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE

3.) BLOCKED page only shows the IP address but all Alert Descriptions are blank

snort[37766]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(55) Missing argument to SSL_PORTS_IGNORE

I had the same error; someone suggested that commas are now required even though it says spaces. This corrected the problem.

I had the same error. Quotes fixed it for me.
breusshe

@ermal:

Can you put the alert file here and tell me if it's full alert style logging or fast?

There is no more alert type. There was until I removed the package and reinstalled to see if that would fix the issues I'm seeing, but since then, no more alert type. Tried uninstall and reinstall again (without saving snort xml configuration each time) with the same results. No alert type available. I can also confirm others' findings that a good deal of the snort rules are not showing up any longer. I also have a new one, I think. I have snort configured twice on my WAN interface: one for block only rules, one for alert only rules. This worked fine until the v2.4.2 upgrade. Now I can only have one instance of Snort per interface, so I can either have blocking rules or alert only rules, but not both.
eri--

@breusshe:

@ermal:

Can you put the alert file here and tell me if it's full alert style logging or fast?

There is no more alert type. There was until I removed the package and reinstalled to see if that would fix the issues I'm seeing, but since then, no more alert type. Tried uninstall and reinstall again (without saving snort xml configuration each time) with the same results. No alert type available. I can also confirm others' findings that a good deal of the snort rules are not showing up any longer. I also have a new one, I think. I have snort configured twice on my WAN interface: one for block only rules, one for alert only rules. This worked fine until the v2.4.2 upgrade. Now I can only have one instance of Snort per interface, so I can either have blocking rules or alert only rules, but not both.

I do not understand the two instances and the blocking vs alerting one?
eri--

@dhatz:

Ermal, I'm happy to finally see you working on the Snort package.

Could you provide some info about how Snort interfaces with PF in order to provide IPS functionality (i.e. to auto-block offending IPs)? When I last checked some weeks ago, it seemed that both SnortSam and your enhanced version of spoink were enabled.

I do not see a problem with that!
What gets enabled in config gets added to the action.
sekular

I have not been able to get snort working in the last few versions. I have been busy so have not had the chance to see why.

I reset all the settings and started again after the last update and cleared off the dynamic .so rules, which fixed it previously. When I run /usr/local/bin/snort it seems to work without any problems. But when I try to run snort from the web gui it does not change to a status of started and there is no snort process. The syslog looks like it started ok as there are no snort errors in it.

I have also tried reinstalling the gui.
eri--

Ok, there were some issues with download script directory references.
Fixed that; please try again with a re-update of the package.
sekular

I just removed it completely and reinstalled and it is working ok now.
judex

Just reinstalled and it seems to work so far.
On rule update I noticed the following warning:

Warning: unlink(/usr/local/etc/snort/tmp/so_rules): Operation not permitted in /usr/local/pkg/snort/snort_check_for_rule_updates.php on line 200

2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
FreeBSD 8.3-RELEASE-p11
mschiek01

@ermal:

Please reinstall again in 30 minutes.
You need a new binary again.

I think I fixed the alert_pf issues with the ioctl.

Ermal, do you have a fix for this:

snort.sh start
pgrep: Pidfile /var/run/snort_em064038.pid' is empty /libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout pgrep: Pidfile /var/run/snort_em124899.pid' is empty
/libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout
eri--

@mschiek01:

@ermal:

Please reinstall again in 30 minutes.
You need a new binary again.

I think I fixed the alert_pf issues with the ioctl.

Ermal, do you have a fix for this:

snort.sh start
pgrep: Pidfile /var/run/snort_em064038.pid' is empty /libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout pgrep: Pidfile /var/run/snort_em124899.pid' is empty
/libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout

The first is not an error; it's ok to be there.

For the other 2 I am unsure why you get them?

What pfSense version are you on?
Does the installation of packages go well?
eri--

@judex:

Just reinstalled and it seems to work so far.
On rule update I noticed the following warning:

Warning: unlink(/usr/local/etc/snort/tmp/so_rules): Operation not permitted in /usr/local/pkg/snort/snort_check_for_rule_updates.php on line 200

Should be fixed in about 30 minutes.
miles267

Alert descriptions on the snort Blocked tab are once again N/A in the latest build. Please correct this in the next snort build. Thanks!
judex

The new (?) "add to suppress list" feature is great.
But could you please revert the sorting on the alerts page? It is not great to scroll down all alerts to see the last one.

Thx for your efforts ermal!

EDIT: If you modify the number of log entries on the alerts page, they get cut off, showing for example only the oldest 50, not the newest 50, due to the new sort order.

2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
FreeBSD 8.3-RELEASE-p11
dwood

Latest 2.4.2 is working. Love the + add to suppress list on Alerts page :-)

Descriptions under blocking though read N/A.

Cheers,
Dennis.
mdima

Hi Ermal, Hello everybody,
just woke up and updated snort, everything looks to be working great! Thanks a lot!!

I will keep an eye on it for the next couple of days; if I notice something strange I will report it!

Thanks again,
Michele
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.