Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
Dude…..Can you give me your account number so I can transfer some funds for your work? I would like to donate a little to your working efforts!
Thank you for the offer, but I don't have one. I'm contributing my efforts gratis since I also use the product. I made the changes originally for my own benefit, and decided to see if the community could benefit from them as well.
I still have a few little quirks to clean up that some folks have identified.
-
Its always there if you need it ;)
Have you considered the ability to sort all coloumns of the blocked IP's tab??
So one can sort it on number, IP Alert description and time?
And the same on the alerts tab?
-
Its always there if you need it ;)
Have you considered the ability to sort all coloumns of the blocked IP's tab??
So one can sort it on number, IP Alert description and time?
And the same on the alerts tab?
Yes on that, and also to sort the SIDs on the RULES tab. Tried to pull that off to begin with, but the way PHP handles multidimension arrays and sorting was giving me fits. Decided to put the changes out first to introduce the functionality, and then come back and add the bells and whistles.
Bill
-
Remove and Install latest v2.5.3
Got this behind the install frame window
Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947 Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953
Got this when I stop and started the snort interface
22:55 mardi 22 janvier 2013 Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947 Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 129 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 130 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 131 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 132 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 133 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 136
However snort seems to be running fine.
I cycle power on the DSL modem and it did not block the WAN IP. Its seems to behave ok.
Update on this report: I found the cause. I was doing some poor error checking. Basically what's happening is that upon package remove and re-install, the Rules directory is empty of all files, but your saved "selected categories" (which are really just the filenames with no content) are saved in the pfSense config.xml file. So when you remove and re-install Snort with the "save configuration option" checked, it remembers your previous rule categories.
Upon the first startup following the package re-installation, it tries to read those files to get the rule contents, but because a Rules update has not been done and the Rules directory is empty, it pops up the error you see. This error will show different files for different folks depending on what rule categories they had previously enabled.
I can add an easy fix for this to basically check that the files exist before trying to read them. My mistake for not thinking of that to start with… :-[
I am collecting up the fixes for these little glitches and will submit them to Ermal for an update.
Bill
-
Damn nice!! Nothing more to say :)
-
I fixed the missing file issue by just adding the checks.
Supermule you can already sort afaik in the gui by clcking on the headers, no?
-
Snort doesnt respect whitelisted Alias on the WAN side. Got blocked out and had to use the back entrance :D
Can you explain here and you are taling about pfblocker or about the default homelist generated?
-
¨Whitelist in Snort…you create an alias and use that as whitelist. IP adresses listed in this doesnt get respected if on the WAN side. Local servers are fine, but external IP doesnt get whitelisted.
-
Nope…
@ermal:
I fixed the missing file issue by just adding the checks.
Supermule you can already sort afaik in the gui by clcking on the headers, no?
-
@ermal:
I fixed the missing file issue by just adding the checks.
Supermule you can already sort afaik in the gui by clcking on the headers, no?
Hi Ermal:
By my count, there were four places in the code where this potential issue existed. Three in snort.inc, and one in snort_check_for_rule_updates.php. They are in the following functions:
snort_build_sid_msg_map()
snort_load_rules_map()
snort_generate_conf()
snort_apply_customizations()Bill
-
Have been following this closely & This is awesome. Thanks bmeeks!
-
Have been following this closely & This is awesome. Thanks bmeeks!
No problem. Enjoyed tinkering with the code and trying to make Snort work even better.
I submitted a small batch of changes last evening that Ermal and team merged to fix the remaining glitches with the missing files warning messages, and to make sure that flowbit rules get included (if enabled) during the initial Rules Update after a re-install or a fresh install. These last fixes should make the package 100% functional. Please post if any other bugs show up.
There are some outstanding to-do features/improvements on my list. Supermule and others have posted some of them in this thread such as some problems with external IP whitelisting surviving reboots, column sorting, etc. A move to the Snort 2.9.4.x binary is needed as well, but I have some more to learn about how binary packages are built and tested with the pfSense platform.
Bill
-
No problems Bill!
I think you should work closely with Ermal to get this going asap! Combine talents :)
-
I grabbed the update and prior to the update i had no issues. after this update and redloading rules I am getting this error when i try to start snort.
Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"Not sure why this is appearing now. Any ideas?
-
I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.
-
It seems that the reinstall is broken somehow, but a fresh install works.
Its almost worse than windows :D
-
I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.
Yes, this a partially documented problem. I say "partially" because there is some mention of it in some previous threads here on the forum from the summer of 2012.
It seems to be a problem with the package manager tools used to install, un-install and re-install packages. During a re-install of an existing package, some symbolic links or something don't get properly cleaned up. I'm not sure about the details. Others more cognizant of the inner workings of FreeBSD have explained it better.
The workaround is to always do an uninstall of a package, and then install it again so it is the same as a fresh install. That works.
-
Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
to mention not to re-install ;) -
Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
to mention not to re-install ;)Would be better, in my opinion, if the re-install just worked correctly. I'm no BSD guru, but I will take a look and see if maybe the Snort uninstall code is doing something weird to hose itself on the subsequent re-install. No promises on this one, though. I'm definitely a newb with FreeBSD deep down under-the-hood magic.
-
Is it possible when you release a IP in the "Alerts" section, then its added to a whitelist?
The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….