Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
I fixed the missing file issue by just adding the checks.
Supermule you can already sort afaik in the gui by clcking on the headers, no?
-
Snort doesnt respect whitelisted Alias on the WAN side. Got blocked out and had to use the back entrance :D
Can you explain here and you are taling about pfblocker or about the default homelist generated?
-
¨Whitelist in Snort…you create an alias and use that as whitelist. IP adresses listed in this doesnt get respected if on the WAN side. Local servers are fine, but external IP doesnt get whitelisted.
-
Nope…
@ermal:
I fixed the missing file issue by just adding the checks.
Supermule you can already sort afaik in the gui by clcking on the headers, no?
-
@ermal:
I fixed the missing file issue by just adding the checks.
Supermule you can already sort afaik in the gui by clcking on the headers, no?
Hi Ermal:
By my count, there were four places in the code where this potential issue existed. Three in snort.inc, and one in snort_check_for_rule_updates.php. They are in the following functions:
snort_build_sid_msg_map()
snort_load_rules_map()
snort_generate_conf()
snort_apply_customizations()Bill
-
Have been following this closely & This is awesome. Thanks bmeeks!
-
Have been following this closely & This is awesome. Thanks bmeeks!
No problem. Enjoyed tinkering with the code and trying to make Snort work even better.
I submitted a small batch of changes last evening that Ermal and team merged to fix the remaining glitches with the missing files warning messages, and to make sure that flowbit rules get included (if enabled) during the initial Rules Update after a re-install or a fresh install. These last fixes should make the package 100% functional. Please post if any other bugs show up.
There are some outstanding to-do features/improvements on my list. Supermule and others have posted some of them in this thread such as some problems with external IP whitelisting surviving reboots, column sorting, etc. A move to the Snort 2.9.4.x binary is needed as well, but I have some more to learn about how binary packages are built and tested with the pfSense platform.
Bill
-
No problems Bill!
I think you should work closely with Ermal to get this going asap! Combine talents :)
-
I grabbed the update and prior to the update i had no issues. after this update and redloading rules I am getting this error when i try to start snort.
Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"Not sure why this is appearing now. Any ideas?
-
I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.
-
It seems that the reinstall is broken somehow, but a fresh install works.
Its almost worse than windows :D
-
I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.
Yes, this a partially documented problem. I say "partially" because there is some mention of it in some previous threads here on the forum from the summer of 2012.
It seems to be a problem with the package manager tools used to install, un-install and re-install packages. During a re-install of an existing package, some symbolic links or something don't get properly cleaned up. I'm not sure about the details. Others more cognizant of the inner workings of FreeBSD have explained it better.
The workaround is to always do an uninstall of a package, and then install it again so it is the same as a fresh install. That works.
-
Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
to mention not to re-install ;) -
Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
to mention not to re-install ;)Would be better, in my opinion, if the re-install just worked correctly. I'm no BSD guru, but I will take a look and see if maybe the Snort uninstall code is doing something weird to hose itself on the subsequent re-install. No promises on this one, though. I'm definitely a newb with FreeBSD deep down under-the-hood magic.
-
Is it possible when you release a IP in the "Alerts" section, then its added to a whitelist?
The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….
-
Is it possible when you release a IP in the "Alerts" section, then its added to a whitelist?
Are you talking about clicking the little "+" icon that adds the GID:SID to the Suppression List, or what do you mean by "release an IP"? Perhaps an example will help me undestand this question better.
The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….
I think you're asking here to be able to directly add an IP address instead of having to jump through the hoops of creating an alias under the Firewall tab. Is this correct? If yes, then I believe this can be easily accomplished.
Bill
-
This is the Alerts tab…
Clicking and releasing the source IP of an alert automatically adds it to a whitelist.
![alerts_whitelist IP.jpg](/public/imported_attachments/1/alerts_whitelist IP.jpg)
![alerts_whitelist IP.jpg_thumb](/public/imported_attachments/1/alerts_whitelist IP.jpg_thumb) -
This is the Suppress tab.
A lot easier to add entries as IP's here than adding an alias.
So could the alias list become the same "look" as the suppress tab?
Would make the entry a lot easier.
-
So in short, clicking the "release" icon in alerts tab, insert it in the suppress page with SID and SRC IP.
-
So in short, clicking the "release" icon in alerts tab, insert it in the suppress page with SID and SRC IP.
I understand now. Thanks for the explanation and screen shots. I will add it to my list of stuff.
By the way, I have the RULES tab scrolling issue solved you asked about, but I'm not 100% happy with the result. I will wait and collect up a batch of improvements before posting another Pull Request for Ermal, but I have this working in my testing box. After clicking the icon to enable or disable a SID, when the page returns, it scrolls the last clicked SID to the top of the page. The ugly part is, for now, it's scrolling the headers and other stuff above the list of rules up out of view. I have some ideas to make that prettier: if I can get the Javascript working for me.