Netgate Discussion Forum
    Snort 2.9.2.3 pkg v. 2.4.2 Issues

    pfSense Packages
    116 Posts 19 Posters 33.5k Views
      judex

      On the interfaces rules page we still have the problem, that not all categories show up.

      EDIT: Sorry for that - just realized that only activated categories show up which is ok. Problem left is you can not preview the rules of a category, if you do not activate it first.

      2.1-RELEASE (amd64)
      built on Wed Sep 11 18:17:48 EDT 2013
      FreeBSD 8.3-RELEASE-p11

        Fesoj

        Updating worked and the categories show up for each interface.

        My current problems are:
        (1) Blocking does not work (on ET rules)
        (2) Snort seems to be active only on the first interface (no alert messages for the 2nd one), independently of whether blocking is enabled or not.

          judex

          @Fesoj: strange - on my 2.0.1 amd64 system the ET rules trigger blocking also…

          2.1-RELEASE (amd64)
          built on Wed Sep 11 18:17:48 EDT 2013
          FreeBSD 8.3-RELEASE-p11

            Cino

            @ermal Great work!!! So far so good.. It's alerting and blocking.

            Issues I've noticed
            1: Have the alert description show up on the block page. I noticed you did some tweaks for the snort binary.. Hopefully when it's built, it will resolve this.

            2: On the alert page, the Priority column is grabbing data from the date time-stamp with seconds. Noticed the time-stamp is in the alert file a couple of times.. I don't see Priority in the new alert file format. Not sure if it's used/or how by other users. I do miss the classification column tho

            
            New Alert Format
            07/15-08:07:58.167280 ,1,2402001,2666,"ET DROP Dshield Block Listed Source",UDP,69.175.126.170,33137,x.x.x.x,1900,0,07/15-08:07:58.167280 ,07/15-08:07:58.167280 ,
            
            Old Alert Format
            [**] [1:2402000:2650] ET DROP Dshield Block Listed Source [**]
            [Classification: Misc Attack] [Priority: 2] 
            07/01-11:04:.200:16189 -> x.x.x.x:22
            TCP TTL:117 TOS:0x0 ID:10183 IpLen:20 DgmLen:48
            ******S* Seq: 0x3932295A  Ack: 0x661A02CF  Win: 0xFFFF  TcpLen: 28
            TCP Options (4) => MSS: 1460 NOP NOP SackOK 
            [Xref => http://feeds.dshield.org/block.txt]
            
            

            Hoping the new binary will resolve this issue too

            3: Not sure if this is needed but I noticed the Default HOME_NET doesn't include the LAN subnet. Only the LAN IP of pfSense..

            4: Clear Alert log only works for first interface, doesn't clear them for 2nd one

            A couple of little things to tweak I think
            1: Someone else brought this up, enable sorting within the alert page.. And IMHO I would have default sorting as last alert, not first alert

            2: IMHO I think SRC/DST Ports should be put back into separate columns. The log format would be cleaner and allow sorting

            3: Use the same font/size that is used for the whitelist edit page for the suppress edit page

            4: Folders/file names are not consistent, should follow this as an example: snort_60770_em3

            
            Folders:
            /var/log/snort/snort_em360770
            Files:
            /var/run/snort_em360770.pid
            
            

            Future add-on
            This would be really nice but I know it's not in scope right now
            http://forum.pfsense.org/index.php/topic,42994.0.html

            PS.  It's able to detect and block IPv6 addresses, still tweaking my NETLIST for it tho.. I've noticed IPv6 addresses show up in the block list, which is really good! No more looking at the snort2c table.

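            Cino's post above contrasts the new one-line alert format with the old multi-line one and points out that priority and classification are missing from the new format, that the alert page was pulling a timestamp into the Priority column, and that source and destination ports should be separate, sortable columns. The Python script below is an added example, not code from the pfSense Snort package or from any poster in this thread: it parses both formats into one record type with separate port fields, leaves priority and classification empty where the format does not carry them instead of filling the column with whatever comes next, and sorts newest-first. The column order assumed for the new format (timestamp, gid, sid, rev, msg, proto, src, src port, dst, dst port) is inferred from the sample line and is an assumption, and the sample alerts are constructed.

```python
import csv
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alert:
    """One alert, normalised across the two log formats discussed in the thread."""
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    proto: Optional[str] = None
    src: Optional[str] = None
    src_port: Optional[int] = None      # kept separate from dst_port so a UI can sort on it
    dst: Optional[str] = None
    dst_port: Optional[int] = None
    classification: Optional[str] = None  # only carried by the old full-alert format
    priority: Optional[int] = None        # only carried by the old full-alert format


def _port(token: str) -> Optional[int]:
    return int(token) if token.isdigit() else None


def parse_new_format(line: str) -> Alert:
    """Parse one line of the new comma-separated alert format.

    Assumption (inferred from the thread's sample line, not documented there): the first
    ten columns are timestamp, gid, sid, rev, msg, proto, src, src port, dst, dst port.
    Later columns are ignored, so the trailing timestamps can never land in 'priority'.
    """
    fields = [f.strip() for f in next(csv.reader([line]))]
    if len(fields) < 10:
        raise ValueError(f"alert line has only {len(fields)} columns: {line!r}")
    ts, gid, sid, rev, msg, proto, src, sport, dst, dport = fields[:10]
    return Alert(ts, int(gid), int(sid), int(rev), msg, proto or None,
                 src or None, _port(sport), dst or None, _port(dport))


_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
_CLASS = re.compile(r"\[Classification: ([^\]]*)\]")
_PRIO = re.compile(r"\[Priority: (\d+)\]")
_ADDR = re.compile(r"^(\S+) (\S+) -> (\S+)$")
_PROTO = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:")


def _split_host_port(token: str):
    # IPv4-style "host:port" split; IPv6 literals with an embedded port are not handled here.
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return token, None


def parse_old_format(text: str) -> List[Alert]:
    """Parse the old multi-line full-alert format; records are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        m = _HEADER.match(lines[0]) if lines else None
        if not m:
            continue
        gid, sid, rev, msg = m.groups()
        alert = Alert("", int(gid), int(sid), int(rev), msg)
        for l in lines[1:]:
            if (c := _CLASS.search(l)):
                alert.classification = c.group(1)
            if (p := _PRIO.search(l)):
                alert.priority = int(p.group(1))
            if (a := _ADDR.match(l)):
                alert.timestamp = a.group(1)
                alert.src, alert.src_port = _split_host_port(a.group(2))
                alert.dst, alert.dst_port = _split_host_port(a.group(3))
            if alert.proto is None and (pr := _PROTO.match(l)):
                alert.proto = pr.group(1)
        alerts.append(alert)
    return alerts


def sort_newest_first(alerts: List[Alert]) -> List[Alert]:
    """Snort timestamps are MM/DD-HH:MM:SS.usec, which sort correctly as strings within one year."""
    return sorted(alerts, key=lambda a: a.timestamp, reverse=True)


# Constructed sample input in the new format (same column layout as the thread's sample line).
NEW_SAMPLE = [
    '07/15-08:07:58.167280 ,1,2402001,2666,"ET DROP Dshield Block Listed Source",UDP,192.0.2.50,33137,198.51.100.1,1900,0,07/15-08:07:58.167280 ,07/15-08:07:58.167280 ,',
    '07/15-08:09:12.000001 ,1,2402000,2650,"ET DROP Dshield Block Listed Source",TCP,192.0.2.10,16189,198.51.100.1,22,0,07/15-08:09:12.000001 ,07/15-08:09:12.000001 ,',
]

# Constructed sample input in the old full-alert format.
OLD_SAMPLE = """\
[**] [1:2402000:2650] ET DROP Dshield Block Listed Source [**]
[Classification: Misc Attack] [Priority: 2]
07/01-11:04:05.200123 192.0.2.10:16189 -> 198.51.100.5:22
TCP TTL:117 TOS:0x0 ID:10183 IpLen:20 DgmLen:48
******S* Seq: 0x3932295A  Ack: 0x661A02CF  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://feeds.dshield.org/block.txt]
"""

if __name__ == "__main__":
    rows = [parse_new_format(l) for l in NEW_SAMPLE] + parse_old_format(OLD_SAMPLE)
    for a in sort_newest_first(rows):
        print(f"{a.timestamp}  {a.gid}:{a.sid}:{a.rev}  pri={a.priority}  "
              f"{a.proto} {a.src}:{a.src_port} -> {a.dst}:{a.dst_port}  {a.msg}")
```

            Alerts from the new format come back with `priority` and `classification` set to `None`, which is the honest answer for a format that does not carry them; a display page can then show a blank cell rather than a misaligned timestamp.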
              Fesoj

              @Fesoj: strange - on my 2.0.1 amd64 system the ET rules trigger blocking also…

              judex: does blocking work on your system, or does it not work?

                judex

                On my system it works.

                2.1-RELEASE (amd64)
                built on Wed Sep 11 18:17:48 EDT 2013
                FreeBSD 8.3-RELEASE-p11

                  Fesoj

                  On the 2nd interface (LAN side) I found the following error message:

                  Jul 15 14:53:56 snort[62849]: FATAL ERROR: Unable to load pf args: No such file or directory

                  I think I'll reinstall the package.

                    breusshe

                    @ermal:

                    @breusshe:

                    @ermal:

                    Can you put the alert file here and tell me if its full alert style logging or fast?

                    There is no more alert type.  There was until I removed the package and reinstalled to see if that would fix the issues I'm seeing, but since then, no more alert type.  Tried uninstalling and reinstalling again (without saving snort xml configuration each time) with the same results.  No alert type available.  I can also confirm others' findings that a good deal of the snort rules are not showing up any longer.  I also have a new one, I think.  I have snort configured twice on my WAN interface.  One for block only rules, one for alert only rules.  This worked fine until the v2.4.2 upgrade.  Now I can only have one instance of Snort per interface, so I can either have blocking rules or alert only rules, but not both.

                    I do not understand the both instances and blocking vs alerting one?

                    There are somethings on my interface that I know I want to block, so I block them.  However, other things I'm not so sure about so I just pop alerts so I can track frequency.  If they become too much of a problem, I move them to the blocking instance and tweak as needed to avoid issues with valid traffic no longer making through the interface.  Since the v.2.4.2 update, I could not save changes to either of my instances because they both used my WAN interface.  Two attempts at uninstalling and reinstalling Snort (without retaining my settings) did not fix this.  So, at this point, I only have one instance that blocks traffic on the WAN interface.  I'd like to get my alert interface back, as well.

                    Does this help clear up what I'm doing and why?

                    P.S. I reinstalled this morning and all of the Snort rules are showing up, so at least I can select all the ones that I wanted to block.

                      Cino

                      There are a couple of rules that are missing but I figured out what happened to them. They are preprocessors.. I would prefer sensitive data be an option that we can turn on or off.. At first I commented it out in snort.inc but because its rule file loads, snort failed to start.. I guess we could suppress them but wouldn't that mean memory would be wasted?

                      @breusshe I thought of doing that a while ago…If it gets fixed, let me know how it works for you.. I will have to try it.

                        Fesoj

                        The fatal error

                        Jul 15 14:53:56  snort[62849]: FATAL ERROR: Unable to load pf args: No such file or directory

                        seems to occur randomly, but a manual restart of the interface works.

                        So far I was not successful to make the snort p2p rules work.

                        The ET p2p rules work on the WAN interface. Even blocking is working. On the LAN interface nothing is working: no alerts and blocking a fortiori. Maybe this is due to a different behavior of the latest snort version. It could be that the HOME_NET is always considered "white" such that no alerts occur, but this would mean that company policy violations can not be tracked (on the WAN side you would typically see only the gateway). Can somebody confirm this?

                          dwood

                          Fesoj, saw the same error:

                          Jul 15 14:53:56  snort[62849]: FATAL ERROR: Unable to load pf args: No such file or directory

                            simby

                            fresh install pfsense + snort, and snort won't block any ip or send alert to snort log.

                            what is the problem.

                            PFsense x64 2.0.1

                              Fesoj

                              simby:

                              my current experience is that some rules work and others don't. It seems that I cannot activate a second interface. On the first interface (WAN side), only the emerging threat rules work (alerting & blocking), but not the snort rules. I have tested essentially only the p2p rules.

                              What rules are you using?

                                simby

                                ALL rules of snort premium & E.

                                My snort is crashing on 2-5 min. from on to off  ???

                                On 8GB memory and quad cpu

                                  simby

                                  from system log:

                                  Jul 15 19:35:03 snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call
                                  Jul 15 19:35:03 snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call
                                  Jul 15 19:35:02 snort[40704]: [ Number of null byte prefixed patterns trimmed: 11328 ]
                                  Jul 15 19:35:02 snort[40704]: [ Number of null byte prefixed patterns trimmed: 11328 ]
                                  Jul 15 19:35:02 snort[40704]: +-------------------------------------------------
                                  Jul 15 19:35:02 snort[40704]: +-------------------------------------------------

                                    Cino

                                    Added some more suggestions/issues to post http://forum.pfsense.org/index.php/topic,51387.msg275159.html#msg275159

                                    @breusshe

                                    If you don't mind commenting out some PHP code, you can get your 2nd WAN interface back:

                                    lines 82 and 83 in /usr/local/www/snort/snort_interfaces_edit.php

                                    make them look like this:

                                    
                                    #		if ($natent['interface'] == $_POST['interface'])
                                    #			$input_errors[] = "This interface is already configured for another instance";
                                    
                                    

                                    This allowed me to create another WAN interface, and it has a different ID:

                                    
                                     ps -aux | grep snort
                                    root   61341 23.7    ??  Ss    1:56PM   0:01.29 /usr/pbi/snort-i386/bin/snort -R 36745 -D -q -l /var/log/snort/snort_em336745 --pid-path /var/run --nolock-pidfile -G 36745 -c /usr/
                                    root   59209  0.2    ??  Ss    1:54PM   0:01.13 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/
                                    root    3143  0.0  0.3 13048  8384  ??  Ss    1:54PM   0:00.06 /usr/local/bin/barnyard2 -r 60770 -f snort_60770_em3.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_60770_em3
                                    root   35410  0.0  0.0  3536  1256   0  S+    1:56PM   0:00.01 grep snort
                                    
                                    
                                      Fesoj

                                      simby:

                                      have you tried deactivating all rules (such that only the preprocessors are active)?

                                      The message

                                      Jul 15 19:35:03    snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call

                                      has been observed by myself and others, but, after manually restarting the interface, snort remains stable (on my machine).

                                        eri--

                                        @Fesoj:

                                        simby:

                                        have you tried deactivating all rules (such that only the preprocessors are active)?

                                        The message

                                        Jul 15 19:35:03    snort[40704]: FATAL ERROR: Unable to load pf args: Interrupted system call

                                        has been observed by myself and others, but, after manually restarting the interface, snort remains stable (on my machine).

                                        Please reinstall the new binary; this has been fixed.

                                          eri--

                                          @Cino:

                                          Added some more suggestions/issues to post http://forum.pfsense.org/index.php/topic,51387.msg275159.html#msg275159

                                          @breusshe

                                          If you don't mind commenting out some PHP code, you can get your 2nd WAN interface back:

                                          lines 82 and 83 in /usr/local/www/snort/snort_interfaces_edit.php

                                          make them look like this:

                                          
                                          #		if ($natent['interface'] == $_POST['interface'])
                                          #			$input_errors[] = "This interface is already configured for another instance";
                                          
                                          

                                          This allowed me to create another WAN interface, and it has a different ID:

                                          
                                           ps -aux | grep snort
                                          root   61341 23.7    ??  Ss    1:56PM   0:01.29 /usr/pbi/snort-i386/bin/snort -R 36745 -D -q -l /var/log/snort/snort_em336745 --pid-path /var/run --nolock-pidfile -G 36745 -c /usr/
                                          root   59209  0.2    ??  Ss    1:54PM   0:01.13 /usr/pbi/snort-i386/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/
                                          root    3143  0.0  0.3 13048  8384  ??  Ss    1:54PM   0:00.06 /usr/local/bin/barnyard2 -r 60770 -f snort_60770_em3.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_60770_em3
                                          root   35410  0.0  0.0  3536  1256   0  S+    1:56PM   0:00.01 grep snort
                                          
                                          

                                          Use event_filter configurations for this; it makes no sense to do this!

                                            eri--

                                            @Cino:

                                            @ermal Great work!!! So far so good.. It's alerting and blocking.

                                            Issues I've noticed
                                            1: Have the alert description show up on the block page. I noticed you did some tweaks for the snort binary.. Hopefully when it's built, it will resolve this.

                                            Still checking on this

                                            2: On the alert page, the Priority column is grabbing data from the date time-stamp with seconds. Noticed the time-stamp is in the alert file a couple of times.. I don't see Priority in the new alert file format. Not sure if it's used/or how by other users. I do miss the classification column tho

                                            With new binary this should be ok, if not shout.

                                            
                                            New Alert Format
                                            07/15-08:07:58.167280 ,1,2402001,2666,"ET DROP Dshield Block Listed Source",UDP,69.175.126.170,33137,x.x.x.x,1900,0,07/15-08:07:58.167280 ,07/15-08:07:58.167280 ,
                                            
                                            Old Alert Format
                                            [**] [1:2402000:2650] ET DROP Dshield Block Listed Source [**]
                                            [Classification: Misc Attack] [Priority: 2] 
                                            07/01-11:04:.200:16189 -> x.x.x.x:22
                                            TCP TTL:117 TOS:0x0 ID:10183 IpLen:20 DgmLen:48
                                            ******S* Seq: 0x3932295A  Ack: 0x661A02CF  Win: 0xFFFF  TcpLen: 28
                                            TCP Options (4) => MSS: 1460 NOP NOP SackOK 
                                            [Xref => http://feeds.dshield.org/block.txt]
                                            
                                            

                                            Hoping the new binary will resolve this issue too

                                            3: Not sure if this is needed but I noticed the Default HOME_NET doesn't include the LAN subnet. Only the LAN IP of pfSense..

                                            That is how I think it should be.
                                            There is no reason to trust your LAN, is there?
                                            From my side it's there just because old code put the IPs of all interfaces; it should only put the IP of the interface it's listening on!
                                            Though I'm just still thinking about doing that change.

                                            4: Clear Alert log only works for first interface, doesn't clear them for 2nd one

                                            Should be fixed

                                            A couple of little things to tweak I think
                                            1: Someone else brought this up, enable sorting within the alert page.. And IMHO I would have default sorting as last alert, not first alert

                                            Done

                                            2: IMHO I think SRC/DST Ports should be put back into separate columns. The log format would be cleaner and allow sorting

                                            done

                                            3: Use the same font/size that is used for the whitelist edit page for the suppress edit page

                                            Not sure here displays fine!

                                            4: Folders/file names are not consistent, should follow this as an example: snort_60770_em3

                                            
                                            Folders:
                                            /var/log/snort/snort_em360770
                                            Files:
                                            /var/run/snort_em360770.pid
                                            
                                            

                                            I would like to remove the interface from the paths but just want do it.
                                            And anyway it's backend.

                                            Future add-on
                                            This would be really nice but I know it's not in scope right now
                                            http://forum.pfsense.org/index.php/topic,42994.0.html

                                            Not from me.
                                            Use barnyard or something else for that. I consider that in depth analysis.

                                            PS.  It's able to detect and block IPv6 addresses, still tweaking my NETLIST for it tho.. I've noticed IPv6 addresses show up in the block list, which is really good! No more looking at the snort2c table.

                                            Will add soon.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.