Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
bmeeks,
https://github.com/Fesoj/pfsense-packages/compare/patch-3 :)
Update: Initially I picked the wrong patch.
I see now, I misunderstood the full flow of the code. I was thinking the entire contents of the rule archive (either Emerging Threats or Snort) were extracted first in a temp directory, and then copied over to the working directory in pieces. That appears to be not true for everything. Looks like by the time the snippet of code I posted earlier gets executed, it's too late because code further up above has already overwritten the files. Changing the order as you did is the best idea for now.
I did have one thought, though. Is it not possible that from time to time there may be legitimate differences in the config files from Emerging Threats and Snort such that simply using the Snort version might cause a different problem? What about a technique that compared the two files and made sure all unique lines from both files got merged into the final classification.config and the other configuration files?
-
kilthro,
I dont see a memory setting in the snort package.
as far as I remember, the some of the snort preprocessors have this option. See the default snort.conf from the package (not the ones in the interface directories). Maybe that helps.
-
bmeeks,
What about a technique that compared the two files…
the best thing is probably to build a union of all type declarations and in case of duplicate entries, maybe the one with the longer description could be chosen. Looks like a freshman homework problem. :)
-
The issue with this snort thingy is that they do not seem to do a good job at keeping things isolated.
If you need preprocessor x for rule x there should be a better linkage of that, or displayed somewhere.Otherwise its very easy to break stuff.
Someone surely could go and identify which preprocessor inserts which rule option and parse the rules for that and do the enable disable during reload!
Is that worth doing?
Probably upstream should fix that rather than workaround that? -
I just updated the snort package and now upon restart its giving me
Jul 22 12:38:41 snort[26253]: FATAL ERROR: /usr/local/etc/snort/snort_44959_re0/rules/snort_botnet-cnc.rules(372) Unknown rule option: 'ssl_state'.
Jul 22 12:38:41 snort[26253]: FATAL ERROR: /usr/local/etc/snort/snort_44959_re0/rules/snort_botnet-cnc.rules(372) Unknown rule option: 'ssl_state'.I havent changed my rules/categories. The same as i have been running for some time.
Good news was when I updated I didnt get the errors in the system log like i did before upon completion of the install.
I noticed a new SSL option on the preprocesser Tab.
Enable that option and restarted no issues/errors so far.
I want to say thanks for all the work you all have been doing on this package to keep it updated/adding new features/ resolving bugs.
I cant imagine not having snort up and running. :-)
Where is this SSL option? I do not see it on any snort preprocessors tab. There is an "Sensitive Data" option although after it's checked, I'm not quite sure how to use or configure it?
-
I confirm that after the installation of the latest package (2.5.1) the issue of blocking whitelisted IPs has been resolved! :)
If I am right the problem with the auto-update is still pending.
@miles267: Please install the latest package and you will find there the SSL data Preprocessor.
-
I just updated the snort package and now upon restart its giving me
Jul 22 12:38:41 snort[26253]: FATAL ERROR: /usr/local/etc/snort/snort_44959_re0/rules/snort_botnet-cnc.rules(372) Unknown rule option: 'ssl_state'.
Jul 22 12:38:41 snort[26253]: FATAL ERROR: /usr/local/etc/snort/snort_44959_re0/rules/snort_botnet-cnc.rules(372) Unknown rule option: 'ssl_state'.I havent changed my rules/categories. The same as i have been running for some time.
Good news was when I updated I didnt get the errors in the system log like i did before upon completion of the install.
I noticed a new SSL option on the preprocesser Tab.
Enable that option and restarted no issues/errors so far.
I want to say thanks for all the work you all have been doing on this package to keep it updated/adding new features/ resolving bugs.
I cant imagine not having snort up and running. :-)
Where is this SSL option? I do not see it on any snort preprocessors tab. There is an "Sensitive Data" option although after it's checked, I'm not quite sure how to use or configure it?
What version are you on? I am on 2.9.2.3 pkg v. 2.5.1
On the preporcessor tab (within the interface your monitoring) right above enable sensitive data is one that says enable ssl data. That is the one I turned on. If the option is not there, I would suggest upgrading or reinstalling the package. -
ermal,
If you need preprocessor x for rule x there should be a better linkage of that, or displayed somewhere.
it's even more complicated, because snort allows to maintain state info between different rules (the "flowbits" stuff). In order to get a consistent set of activated preprocessors and rules, one should also scan all enabled and disabled rules, look at the required preprocessors and the corresponding flowbits statements (set, isset, …). If you view all these items as resources, a dependency graph should be created and then evaluate the graph for all activated items and write the proper configuration files, which might include activating previously disabled rules.
Is it worth it? I typically have only a few manageable rules and hardly need anything more than http_inspect (more or less), so I wouldn't need it. But, it might be a cool feature---you click on a single rule, dependencies are evaluated, and dependent rules and preprocs are "drawn in" by a ghost hand.
-
ermal,
If you need preprocessor x for rule x there should be a better linkage of that, or displayed somewhere.
it's even more complicated, because snort allows to maintain state info between different rules (the "flowbits" stuff). In order to get a consistent set of activated preprocessors and rules, one should also scan all enabled and disabled rules, look at the required preprocessors and the corresponding flowbits statements (set, isset, …). If you view all these items as resources, a dependency graph should be created and then evaluate the graph for all activated items and write the proper configuration files, which might include activating previously disabled rules.
Is it worth it? I typically have only a few manageable rules and hardly need anything more than http_inspect (more or less), so I wouldn't need it. But, it might be a cool feature---you click on a single rule, dependencies are evaluated, and dependent rules and preprocs are "drawn in" by a ghost hand.
I'm still a Snort rookie, but aren't the above tasks exactly what the Pulled Pork help application is supposed to accomplish automatically? If so, is there a way to incorporate it into the pfSense build of Snort? I will do some more research on how Pulled Pork operates, but off the top of my head I seem to remember it was a command-line utility (Perl script, I think) that does the magic.
-
bmeeks,
i am not sure that you can tell pulledpork these are my preprocessors make my snort start!
-
bmeeks,
exactly. I haven't used PulledPork so far. Perl would again be part of the Snort package. I'd think that evaluating PulledPork should be done and then coding should be in php. GUI-wise only an option "Enable auto dependencies" or s.th. like that would suffice. Generating the dependency graph should not be too difficult.
-
Sorry, but I need to go home now…
-
@ermal:
bmeeks,
i am not sure that you can tell pulledpork these are my preprocessors make my snort start!
Ermal:
From my limited research, it appears Pulled Pork offers three pre-defined rule sets that automatically enable or disable particular rules (and I assume associated preprocessors). You choose a protection level by choosing a rule set, and Pulled Pork does the rest (I think… :)) The pre-defined rule sets are Connectivity, Balanced and Security. Of course, you can still individually select rules for enabling, disabling or modifying. Pulled Pork remembers those changes across rule updates. The Snort blogs say it also makes sure the correct Flow Bits dependencies are set for the activated rules. In fact, the Snort blogs now say Pulled Pork is a requisite for running Snort optimally.
So if Pulled Pork were integrated into the Snort GUI in pfSense (or maybe available as a separate package that integrates with the Snort package), then novice pfSense users would have an easy way to select a starting rule set based on their security needs. Connectivity preserves speed and connectivity above pure security. Balanced is a blend of both, and is recommended for new users and average users. Security targets threat protection above connectivity and performance.
One idea I had was the addition of a Pulled Pork tab into the current Snort tab layout. On the Pulled Pork page you would choose a pre-defined rule set from the list of three based on your needs. The selected GUI values would get translated into config values for Pulled Pork, and then the Pulled Pork script would be called to "do its thing".
-
I'm now intrigued by Pulled Pork. I saw the .tar.gz file available on this site: http://code.google.com/p/pulledpork/
How do you install it under pfsense and run it? I think many can benefit from these instructions. Wasn't even aware that it existed.
-
@ermal:
I removed subnets/cidr mask from auto generated addreses for whitelist and you can put them with the alias you configure if you want.
I bumped the package to 2.5.1
Thanks a lot Ermal, now my WAN ip addresses don't get blocked anymore!
Cheers,
Michele -
Hi guys,
there is no permanent fix (included in the latest package) for the auto-update issue yet, right?
The duplicate log entries of snort in the system log is something related to pfsense and not snort? :-\ -
auto updating works with 2.5.1
-
Thanks Ermal! Im away from my box but was able to update remotely. Whitelist only, seems to be working the way it was in the past. My WAN isn't being block. With the way everything is now, we need away to Whitelisttt subnets. I would suggest changing Netlist back to the way it was. Where an .IP or subnet would be exempt from being block. Default list would include interface IPs, DNS, VPN subnets,etc (whatever was there before)fore). it would be up to the user to create a custom NETLIST if they didn't want certainn IPs that were included by the default NETLIST(HOME_LIST)
-
I thought I'd wake this thread up and let you guys know I just had the same problem as previously listed in the thread. I had all of the above problems. I had to uninstall Snort, remove anything snort from command line including un-ticking the "Keep settings" option in snort prior to removing snort and reinstall to resolve a couple of the issues. Then I had to un-tick Enable Sensitive Data to get Snort to fire back up correctly.
Was a bit of a pain and I'm concerned the Snort breaks so often. As it is I have to fire Snort back up every time it auto updates -
I pushed some fixes that should help with snort not starting after rule update.
Reinstall and test.
