Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
$ ps aux | grep snort
root 17164 0.0 0.1 9120 1124 ?? S 1:24AM 0:00.01 grep snortI do not see any interface running, just a grep process that searches for snort…
Anyway, the impacts seem to be very different. So I have to delete the MD5 file and snort rules get downloaded. If I do not do that and update manually snort keeps running - no sdf error any more. Autoupdate always returns that "download 15 min blabla etc..." message.
-
I've suggested a code change (https://github.com/Fesoj/pfsense-packages/compare/patch-2). This and obeying aaronritter's remark (http://forum.pfsense.org/index.php/topic,51493.msg275905.html#msg275905) seems to let the sensitive data preproc run correctly. Currently, the classification.config files should be patched by hand after every update of the rules.
I haven't found the place that writes the classification.config files. If this gets patched, snort should survive updates again.
UPDATE: with package vs. 2.5.1 this is obsolete
-
Hello,
just uninstalled/reinstalled this morning, the package works fine (Sensitive Data Processor disabled), but it still blocks the WAN addresses… so I am still running with blocking off.Thanks,
Michele -
mdima,
do you mean with WAN address the WAN side of your box or any outside address? If it is the WAN address of your box, then you need to add the ip to the whitelist of the interface.
-
@Fesoj: It's the same, with or without whitelist… and by default it should exclude local IP addresses and so on.
Probably this can help: my current HomeNet is an Alias that contains sub-aliases of local and remote IP addresses that should not be detected/blocked by Snort...
Thanks,
Michele -
mdima,
HOME_NET != WHITELIST. On the WAN side, I have the default HOME_NET, but a special whitelist (including the IP address on the WAN side (I don't know what to do in case of an ISP supplied address using DHCP)) and this works fine. It's just the way things are setup. As I said before, it is now easier than ever to shoot oneself in the foot.
-
snort[57587]: FATAL ERROR: /usr/local/etc/snort/snort_56964_re1/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
has been observed here several times. If you have installed only the ET rules, the file classification.config does not contain the required entry. The rules from Snort.org do have the definition. Both rule sets contain their own classification.config file. I think only 1 of them gets installed (but I may be wrong).
ermal, could you please have a look at this issue?
UPDATE: with package vs. 2.5.1 this is obsolete
-
mdima,
HOME_NET != WHITELIST. On the WAN side, I have the default HOME_NET, but a special whitelist (including the IP address on the WAN side (I don't know what to do in case of an ISP supplied address using DHCP)) and this works fine. It's just the way things are setup. As I said before, it is now easier than ever to shoot oneself in the foot.
Fesoj, I already specified as Whitelist the Alias where my WAN network is, and anyway it gets blocked. Before this didn't happen, I think it has something to do with the new features of the whitelist management…
-
snort[57587]: FATAL ERROR: /usr/local/etc/snort/snort_56964_re1/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
has been observed here several times. If you have installed only the ET rules, the file classification.config does not contain the required entry. The rules from Snort.org do have the definition. Both rule sets contain their own classification.config file. I think only 1 of them gets installed (but I may be wrong).
ermal, could you please have a look at this issue?
I too am now consistently receiving this same error in my system log and am unable to start my interface manually. I wish snort still auto-updated snort rules and successfully restarted after the rules update. Has since become a manual process recently.
snort[57587]: FATAL ERROR: /usr/local/etc/snort/snort_56964_re1/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
-
I currently have no problems and everything works as expected.
Did you have a look at
(1) http://forum.pfsense.org/index.php/topic,51493.msg275905.html#msg275905
(2) http://forum.pfsense.org/index.php/topic,51493.msg276246.html#msg276246
(3) http://forum.pfsense.org/index.php/topic,51493.msg276317.html#msg276317
?What happens when you deactivate all rules? Which IPs are blocked (whitelisting works on my machine)?
UPDATE: with package vs. 2.5.1 this is obsolete
Update: Also http://forum.pfsense.org/index.php/topic,51493.msg276334.html#msg276334 matters.
-
Fesoj, I reviewed the hyperlinks you suggested and didn't see a fix for the FATAL ERROR (sdf issue). If anything, someone said there isn't a fix for the sdf issue. I will try to disable all rules and see whether snort will start on the interface. Thanks.
EDIT: deselecting all rules for the interface and attempting to manually start the snort on the interface fails. still returns same (sdf) error.
-
miles267,
first the files classification.config are incomplete. Secondly the sed commands in snort.inc are srambled. You need to take care of both issues.
… I am currently working on a patch to allow automatic updates (of the rules---not the package, because you'll need patched sources).
-
miles267,
here's the source patch for snort.inc: https://github.com/Fesoj/pfsense-packages/compare/patch-2
You need to edit 4 places by hand. Good luck.
Update: If someone feels uncomfortable with that, I could post my patched file…
UPDATE: with package vs. 2.5.1 this is obsolete
-
miles267,
here's the source patch for snort.inc: https://github.com/Fesoj/pfsense-packages/compare/patch-2
You need to edit 4 places by hand. Good luck.
Update: If someone feels uncomfortable with that, I could post my patched file…
Fesoj, thank you SO MUCH. Edited the snort.inc file with the (4) lines of code you suggested (delete/add lines) and the interface started without issue. Appreciate your help and attention to detail.
-
miles267, it aint't over yet. Make sure you patch the various classification.config files as well. The manual patches to classification.config won't survive any rule updates…
-
miles267, it aint't over yet. Make sure you patch the various classification.config files as well. The manual patches to classification.config won't survice any rule updates…
Fesoj, understood. Can you point me to info on how to patch the classification.config file(s) also? Sorry I must've overlooked that detail. Thanks for your patience.
-
(1) Find all the classification.config files with find /usr/local -name 'classification.config*'. If you have n interfaces defined for snort you should get at least n+1 copies.
(2) Append config classification: sdf,Sensitive Data was Transmitted Across the Network,2 to the end of each file if the sdf classification is missing.
This is a long story short.
UPDATE: with package vs. 2.5.1 this is obsolete
-
Hi,
I pretty sure that I have a quick patch for the update problem, though I am not sure whether I should post it.
If others can confirm my recent patches, i.e. snort with sensible data preproc enabled, I could go on with this, otherwise it simply does not make any sense. Please reply if you have some time left.
-
mdima,
HOME_NET != WHITELIST. On the WAN side, I have the default HOME_NET, but a special whitelist (including the IP address on the WAN side (I don't know what to do in case of an ISP supplied address using DHCP)) and this works fine. It's just the way things are setup. As I said before, it is now easier than ever to shoot oneself in the foot.
Fesoj, I already specified as Whitelist the Alias where my WAN network is, and anyway it gets blocked. Before this didn't happen, I think it has something to do with the new features of the whitelist management…
Hi mdima, hi Fesoj,
I have the same problem with blocking my WAN gateway (local IP, not public). I left the default setting for Home_Net and I use a Whitelist with all my subnets (internal, external). Using the same config (blocking src and dst) I had no problem with the previous snort version but I have with this one. It is clear that it blocks the WAN IP which is included in the Whitelist.
/CS
-
Can you publish a screen dump of your whitelist? Just to make sure that you are using aliases. If you have upgraded from a previous version there might still be the old style list (which probably no longer works).