Snort 2.9.2.3 pkg v. 2.4.2 Issues
-
BTW, where are my donations?
For those who want to donate please go to http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77
-
Fixed even blocked page.
Just reinstall, with a new binary.
-
Thanks for the changes. Haven't gone through all of them yet, but snort won't start because of the sensitive-data change. When I disable it in the GUI and click Save, the checkbox is still checked.
Jul 15 18:46:23 snort[38626]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_60770_em3//usr/local/etc/snort/preproc_rules/sensitive-data.rules/": No such file or directory.
Jul 15 18:46:23 snort[38626]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_60770_em3//usr/local/etc/snort/preproc_rules/sensitive-data.rules/": No such file or directory.
after removing the / on line 1280
Jul 15 18:50:58 snort[46423]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
Jul 15 18:50:58 snort[46423]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
With the / removed and sensitive-data enabled, snort starts.
going to go over the other changes and report back… thank you again!!
Edit: Did some quick testing with the blocking feature... Block Page looking good!! I would probably take out the msec(s), but if it would be a big change, I can live with it ;) A couple of tweaks are still needed for the Alert page, see screenshots:
-
@ermal:
@ermal Great work!!! So far so good.. Its alerting and blocking.
Issues I've noticed
1: Have the alert description show up on the block page. I noticed you did some tweaks for the snort binary.. Hopefully when it's built, it will resolve this.
Still checking on this
Fixed
2: On the alert page, Priority Column is grabbing data from the date time-stamp with seconds. Noticed the time-stamp is in the alert file a couple of times.. I don't see Priority in the new alert file format. Not sure if it's used/or how by other users. I do miss the classification column though.
With new binary this should be ok, if not shout.
Fixed
New Alert Format
07/15-08:07:58.167280 ,1,2402001,2666,"ET DROP Dshield Block Listed Source",UDP,69.175.126.170,33137,x.x.x.x,1900,0,07/15-08:07:58.167280 ,07/15-08:07:58.167280 ,
Old Alert Format
[**] [1:2402000:2650] ET DROP Dshield Block Listed Source [**]
[Classification: Misc Attack] [Priority: 2]
07/01-11:04:.200:16189 -> x.x.x.x:22 TCP TTL:117 TOS:0x0 ID:10183 IpLen:20 DgmLen:48
******S* Seq: 0x3932295A Ack: 0x661A02CF Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://feeds.dshield.org/block.txt]
Hoping the new binary will resolve this issue too
3: Not sure if this is needed but I noticed the Default HOME_NET doesn't include the LAN subnet. Only the LAN IP of pfSense..
That is how i think it should be.
There is no reason to trust your LAN, is there?
From my side it's there just because the old code put the IPs of all interfaces; it should only put the IP of the interface it's listening on!
Though I'm still just thinking about doing that change.
I'm leaning to agree with you on this one.. Probably no reason for it.
4: Clear Alert log only works for first interface, doesn't clear them for 2nd one
Should be fixed
Haven't tested yet
A couple of little things to tweak I think
1: Someone else brought this up, enable sorting within the alert page.. And IMHO I would have default sorting as last alert, not first alert.
Done
Thank you!
2: IMHO I think SRC/DST Ports should be put back into separate columns. The log format would be cleaner and allow sorting
done
thank you but needs a couple of tweaks, see above post
-
@ermal:
Fixed even blocked page.
Just reinstall, with a new binary.
I can confirm the alert descriptions on the blocked page are back and working. Thanks Ermal!
-
Ermal, on AMD64, 2.0.1 (this time a reinstall of 2.4.2 instead of the usual "clean" install I've been doing):
1. Alert descriptions are back visible on blocked IP
2. 2nd Interface alerts can now be cleared..and the interface is now staying active when selected.
3. Love the new categories (select all) and add to suppress features.
4. Issue with 2nd interface stopping after reboot is still there.
Jul 15 20:52:03 snort[35121]: FATAL ERROR: Unable to load pf args: Interrupted system call
This is going on with two separate installations, both AMD64, 2.0.1
Awesome work sir. I am sending $$$ your way.
Cheers,
Dennis.
-
@ermal:
BTW, where are my donations?
For those who want to donate please go to http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77
Done.. It's been a while so feeling bad about it. Best home router ever!
Hoping people who use it for business contribute a lot more than me.
-
@ermal:
BTW, where are my donations?
For those who want to donate please go to http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77
So far, so good. I've sent a donation your way and look forward to future improvements.
Thanks
-
The other issues should be fixed as well.
-
Ermal, on AMD64, 2.0.1 (this time a reinstall of 2.4.2 instead of the usual "clean" install I've been doing):
4. Issue with 2nd interface stopping after reboot is still there.
Jul 15 20:52:03 snort[35121]: FATAL ERROR: Unable to load pf args: Interrupted system call
Just make sure you reinstall the snort binary again.
Usually that comes up from snort reloading and that should be fixed on the new binary.
This is going on with two separate installations, both AMD64, 2.0.1
Awesome work sir. I am sending $$$ your way.
Cheers,
Dennis.
Thank you for the contributions.
-
Snort won't start if I disable "Sensitive data" preproc
Jul 16 10:32:22 snort[3755]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
Jul 16 10:32:22 snort[3755]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
-
@ermal:
@HOD:
I did a complete reinstall of snort (10min ago) and i have the same error of my last post.
snort[23088]: FATAL ERROR: s2c_parse_load_wl() => Invalid data in whitelist file: Invalid argument
@ermal:
For all the others having issues with blocking: whenever you have a system log entry of 'unable to parse', please get the file under /usr/local/etc/snort/snort_$iface*/$whitelistname and post it here.
cat /usr/local/etc/snort/snort_18407_pppoe0/whitlsit
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1
greetz HOD
EDIT: my System 2.0.1-RELEASE (amd64) Snort 2.9.2.3 pkg v. 2.4.2
This should have been fixed also.
HOD, can you confirm that you have the same name for the suppress and whitelist selected?
Confirm it was the same name. Thx for fixing this.
Snort won't start if I disable "Sensitive data" preproc
Jul 16 10:32:22 snort[3755]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
Jul 16 10:32:22 snort[3755]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
I got the same error.
-
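The three startup failures reported in this thread (an include path with a doubled slash and trailing slash that snort cannot open, sd_pattern rules loaded while the sensitive_data preprocessor is disabled, and a whitelist file that actually contains suppress entries because the same name was selected for both lists) can all be caught before snort is launched. The linter below is an added example, not code from the pfSense snort package or from Ermal; the config, rule snippet and whitelist it reads are constructed inline to mirror the log lines above, and the paths, file names and function names are assumptions.

```python
"""Pre-flight linter for a generated Snort 2.9 configuration (added example).

Checks the three failure modes seen in the thread:
  * 'include' lines whose path is malformed or points at a missing file
  * sd_pattern rules included while the sensitive_data preprocessor is off
  * a whitelist file holding suppress entries instead of IPs/CIDRs
"""
import ipaddress
import re

# Constructed stand-in for the filesystem: path -> file contents.
# The paths and contents are assumptions modelled on the thread's log lines.
SAMPLE_FS = {
    "/usr/local/etc/snort/snort_60770_em3/snort.conf": "\n".join([
        "var HOME_NET [192.168.1.1/32]",
        "# preprocessor sensitive_data: alert_threshold 25",   # disabled in GUI
        "include /usr/local/etc/snort/snort_60770_em3//usr/local/etc/snort/preproc_rules/sensitive-data.rules/",
        "include /usr/local/etc/snort/preproc_rules/sensitive-data.rules",
        "include /usr/local/etc/snort/rules/emerging-dshield.rules",
    ]),
    "/usr/local/etc/snort/preproc_rules/sensitive-data.rules": (
        'alert ip any any -> any any (msg:"SENSITIVE-DATA Email Addresses"; '
        'sd_pattern:5,email; sid:139; gid:138; rev:1; classtype:sdf;)'
    ),
    "/usr/local/etc/snort/rules/emerging-dshield.rules": (
        'alert ip [69.175.126.170] any -> $HOME_NET any '
        '(msg:"ET DROP Dshield Block Listed Source"; sid:2402001; rev:2666;)'
    ),
    "/usr/local/etc/snort/snort_18407_pppoe0/whitelist": "\n".join([
        "suppress gen_id 119, sig_id 2",   # suppress line leaked into whitelist
        "10.0.0.0/8",
        "192.168.1.1",
        "not-an-address",
    ]),
}

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
SD_PREPROC_RE = re.compile(r"^\s*preprocessor\s+sensitive_data\b")


def check_includes(conf_text, fs):
    """Return (line_no, path, reason) for include paths snort could not open."""
    problems = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        if "//" in path or path.endswith("/"):
            # A rules directory glued onto the interface directory, as in
            # snort_60770_em3//usr/local/etc/.../sensitive-data.rules/
            problems.append((n, path, "malformed path"))
        elif path not in fs:
            problems.append((n, path, "missing file"))
    return problems


def check_sd_pattern(conf_text, fs):
    """sd_pattern is only a known rule option once the sensitive_data
    preprocessor is configured; return includes that would trip
    'Unknown rule option: sd_pattern' otherwise."""
    lines = conf_text.splitlines()
    if any(SD_PREPROC_RE.match(l) for l in lines):
        return []
    offenders = []
    for n, line in enumerate(lines, 1):
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in fs and "sd_pattern:" in fs[m.group(1)]:
            offenders.append((n, m.group(1)))
    return offenders


def check_whitelist(text):
    """A whitelist must hold one IP or CIDR per line (comments allowed);
    anything else is what s2c_parse_load_wl() rejects as invalid data."""
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            kind = ("suppress entry in whitelist" if entry.startswith("suppress ")
                    else "not an address")
            bad.append((n, entry, kind))
    return bad


def lint(conf_path, whitelist_path, fs=SAMPLE_FS):
    """Run all checks against the in-memory filesystem and return the findings."""
    conf = fs[conf_path]
    return {
        "includes": check_includes(conf, fs),
        "sd_pattern": check_sd_pattern(conf, fs),
        "whitelist": check_whitelist(fs[whitelist_path]),
    }


if __name__ == "__main__":
    findings = lint("/usr/local/etc/snort/snort_60770_em3/snort.conf",
                    "/usr/local/etc/snort/snort_18407_pppoe0/whitelist")
    for check, items in findings.items():
        for item in items:
            print(check, item)
```

On the sample input the linter flags the doubled-slash include, the sensitive-data.rules include (because the preprocessor line is commented out) and the two non-address lines in the whitelist. It is a pre-flight filter only; snort's own `snort -T -c <snort.conf>` remains the authoritative configuration test once the generated files are on disk.
-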
Snort won't start if I disable "Sensitive data" preproc
Jul 16 10:32:22 snort[3755]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
Jul 16 10:32:22 snort[3755]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown rule option: 'sd_pattern'.
Fixed.
-
Nice work Ermal! I see IPv6 interface IPs are added and you changed the whitelist to use Aliases.. Nice touch!!
Alert page looks really sharp, nanosec are gone :-) oh, and custom rules? That should be interesting… I'll play with that in a couple of weeks.
was about to report the sensitive data issue but you fixed it ;-)
thank you again..
FYI, when I fully uninstall, here is what is left over:
/tmp/snort.info
/tmp/snort_update.log
/usr/local/lib/snort/dynamicengine
/usr/local/lib/snort/dynamicrules/bad-traffic.so
/usr/local/lib/snort/dynamicrules/web-iis.so
/usr/local/lib/snort/dynamicrules/web-client.so
/usr/local/lib/snort/dynamicrules/web-activex.so
/usr/local/lib/snort/dynamicrules/specific-threats.so
/usr/local/lib/snort/dynamicrules/snmp.so
/usr/local/lib/snort/dynamicrules/smtp.so
/usr/local/lib/snort/dynamicrules/p2p.so
/usr/local/lib/snort/dynamicrules/nntp.so
/usr/local/lib/snort/dynamicrules/netbios.so
/usr/local/lib/snort/dynamicrules/multimedia.so
/usr/local/lib/snort/dynamicrules/misc.so
/usr/local/lib/snort/dynamicrules/imap.so
/usr/local/lib/snort/dynamicrules/icmp.so
/usr/local/lib/snort/dynamicrules/exploit.so
/usr/local/lib/snort/dynamicrules/dos.so
/usr/local/lib/snort/dynamicrules/chat.so
/usr/local/lib/snort/dynamicrules/web-misc.so
/usr/local/lib/snort/dynamicrules
/usr/local/lib/snort/dynamic_preproc
/usr/local/lib/snort/dynamicpreprocessor
/usr/local/lib/snort
rm: /usr/local/lib/snort/dynamicengine: No such file or directory
rm: /usr/local/lib/snort/dynamicrules: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/bad-traffic.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/web-iis.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/web-client.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/web-activex.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/specific-threats.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/snmp.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/smtp.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/p2p.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/nntp.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/netbios.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/multimedia.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/misc.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/imap.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/icmp.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/exploit.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/dos.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/chat.so: No such file or directory
rm: /usr/local/lib/snort/dynamicrules/web-misc.so: No such file or directory
rm: /usr/local/lib/snort/dynamic_preproc: No such file or directory
rm: /usr/local/lib/snort/dynamicpreprocessor: No such file or directory
/usr/local/share/examples/snort
/usr/local/share/licenses/snort-2.9.2.3
/usr/local/include/snort/dynamic_preproc
/usr/local/include/snort
rm: /usr/local/include/snort/dynamic_preproc: No such file or directory
/usr/local/src/snort_dynamicsrc
/var/db/pbi/.hashqueue/snort-2.9.2.3-i386
-
It is not fixed for my 2.0.1 system. I deleted the package and every file with snort in its name before reinstallation.
Still the same warning in 2.5.0
-
It is not fixed for my 2.0.1 system. I deleted the package and every file with snort in its name before reinstallation.
Still the same warning in 2.5.0
Did you reinstall?