Snort 2.9.2.3 pkg v. 2.5.0 Issues

eri--

I made some fixes and bumped the snort version so check it out

Supermule

How many of Bills improvements have you incorporated Ermal??

eri--

I made fixes that might fix the issue on wan ip changing.

Supermule,
all he submitted and corrected some issues with it.
Why you asking?

Supermule

Just curious :)

I think he is doing a good job with this package! Thanks for the bump of package.

Everything seems to be running fine in this end :)

eri--

He did exactly what i wanted to do.
I corrected some issues on his code with the latest fixes mostly for preventing foot-shooting during update.

It just misses to select rules based on enabled preprocessors and it should be fairly stable in that regard.

I just pushed a patch to silence the damn snort with its thousands log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the pacakge.

Supermule

Thanks Ermal! Much appreciated :)

Great work both of you!

RonpfS

@ermal:

I just pushed a patch to silence the damn snort with its thousands log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the pacakge.

Thanks Ermal

I see the 2.5.4 available, but there are commits after this, will the version bump again when you get it recompiled or every commit generate a new package?

eri--

NAh i just pushed the last one which should be it.
I do not plan on committing more on it for now.

kilthro

Wow thanks for the quick responses. I will grab the update and give it a shot. You guys are awesome!

bmeeks

Ermal's fix and mine passed each other in cyberspace on the way to the servers… ;D

Hopefully the Snort package will be stable for all now with the new features for flowbit resolution and the ability to use Snort VRT pre-defined policies if you want to.  The pre-defined policy feature can be very useful to new Snort users, or even casual users, who just want some basic protection.  You can enable either the Connectivity or Balanced policy, and then just sort of let it run.

A big shout-out to Ermal for responding quickly and fixing the nasty bug in the rules update.  That one got introduced a little over a day ago while adding some robust error checking to the code.

Bill

kilthro

@ermal:

I just pushed a patch to silence the damn snort with its thousands log entries during startup and left just the error/fatal messages.
When it gets recompiled it would be easier to even read syslog and the errors of the pacakge.

Thanks so much for this! It was annoying to have the sys log fill every restart.

swinn

Snort will no longer start: (I changed the IP's below with the asterisks)
Looks like there is no subnet set for the IPv6 address.

Jan 27 00:23:21 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)... 
Jan 27 00:23:21 snort[43598]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,192.168.0.0/16,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24]. 
Jan 27 00:23:19 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)... 
Jan 27 00:22:13 check_reload_status: Syncing firewall 
Jan 27 00:20:54 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)... 
Jan 27 00:20:54 snort[95541]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24]. 
Jan 27 00:20:51 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)... 

tester_02

Updated snort today, now it does not start.  Error is…

snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

I disabled the bad traffic rules (so and non so) and it still fails to start.  reinstalled package again, and no go..  Was working for quite a while.  Had not updated for a month, but thought from the thread here that it was stable.

RonpfS

Just went for a re-install of Snort 2.9.2.3 pkg v. 2.5.4  ::)

2013-01-27 02:16:43	Auth.Emerg	172.24.42.254	php: /status_rrd_graph.php: Successful webConfigurator login for user 'admin' from 172.24.48.84
2013-01-27 02:16:45	Local0.Info	172.24.42.254	pf: 00:00:02.978226 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 9, id 34704, offset 0, flags [none], proto UDP (17), length 52)
2013-01-27 02:16:45	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33526: UDP, length 24
2013-01-27 02:16:47	Local0.Info	172.24.42.254	pf: 00:00:01.870908 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 52039, offset 0, flags [DF], proto TCP (6), length 83)
2013-01-27 02:16:47	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x6769 (correct), seq 3683470708:3683470739, ack 2243077203, win 44064, options [nop,nop,TS val 1236008655 ecr 155036732], length 31
2013-01-27 02:16:48	Local0.Info	172.24.42.254	pf: 00:00:01.152559 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 9, id 34705, offset 0, flags [none], proto UDP (17), length 52)
2013-01-27 02:16:48	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33527: UDP, length 24
2013-01-27 02:16:51	Local0.Info	172.24.42.254	pf: 00:00:03.027552 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 10, id 34706, offset 0, flags [none], proto UDP (17), length 52)
2013-01-27 02:16:51	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33528: UDP, length 24
2013-01-27 02:17:00	Daemon.Notice	172.24.42.254	snort[41717]: S5: Session exceeded configured max bytes to queue 1048576 using 1049922 bytes (client queue). 135.19.140.229 52457 --> 172.24.48.32 18447 (0) : LWstate 0xf LWFlags 0x406007
2013-01-27 02:17:03	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:17:07	Daemon.Notice	172.24.42.254	snort[41717]: S5: Session exceeded configured max bytes to queue 1048576 using 1049226 bytes (server queue). 121.157.96.186 52598 --> 172.24.48.32 18447 (0) : LWstate 0xf LWFlags 0x406007
2013-01-27 02:17:13	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:17:15	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
2013-01-27 02:17:25	Daemon.Error	172.24.42.254	snort[41717]: *** Caught Term-Signal
2013-01-27 02:17:25	Daemon.Error	172.24.42.254	snort[10973]: *** Caught Term-Signal
2013-01-27 02:17:25	Kernel.Info	172.24.42.254	kernel: bridge0: promiscuous mode disabled
2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:17:25	Kernel.Info	172.24.42.254	kernel: pppoe1: promiscuous mode disabled
2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: ===============================================================================
2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: Run time for packet processing was 91065.975548 seconds
2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: Snort processed 13503818 packets.

2013-01-27 02:17:27	Daemon.Notice	172.24.42.254	snort[10973]: | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=51
2013-01-27 02:17:35	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Beginning package installation for snort.
2013-01-27 02:17:36	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
2013-01-27 02:17:40	Local0.Info	172.24.42.254	pf: 00:00:48.508720 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 105, id 19829, offset 0, flags [none], proto UDP (17), length 95)
2013-01-27 02:17:40	Local0.Info	172.24.42.254	pf:     71.45.120.110.6112 > 50.21.133.210.3912: UDP, length 67
2013-01-27 02:17:41	Local0.Info	172.24.42.254	pf: 00:00:01.004974 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 26462, offset 0, flags [DF], proto TCP (6), length 360)
2013-01-27 02:17:41	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855935432 ecr 155013193], length 308
2013-01-27 02:17:51	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:17:52	Local0.Info	172.24.42.254	pf: 00:00:11.146024 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 357, offset 0, flags [DF], proto TCP (6), length 83)
2013-01-27 02:17:52	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x6d33 (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236072708 ecr 155036732], length 31
2013-01-27 02:18:00	Cron.Info	172.24.42.254	/usr/sbin/cron[20360]: (*system*) RELOAD (/etc/crontab)
2013-01-27 02:18:01	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
2013-01-27 02:18:07	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
2013-01-27 02:18:07	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
2013-01-27 02:18:07	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:18:08	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
2013-01-27 02:18:15	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:18:25	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:18:45	Local0.Info	172.24.42.254	pf: 00:00:53.416103 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 10930, offset 0, flags [DF], proto TCP (6), length 360)
2013-01-27 02:18:45	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855936072 ecr 155013193], length 308
2013-01-27 02:18:47	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:18:49	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_smtp_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ssl_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dce2_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dns_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_pop_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_imap_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_smtp_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dce2_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dns_preproc file. Snort might error out!
2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
2013-01-27 02:18:57	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:18:57	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:18:58	Local0.Info	172.24.42.254	pf: 00:00:12.500097 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 7989, offset 0, flags [DF], proto TCP (6), length 83)
2013-01-27 02:18:58	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x72fa (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236136764 ecr 155036732], length 31
2013-01-27 02:19:00	Cron.Info	172.24.42.254	/usr/sbin/cron[20360]: (*system*) RELOAD (/etc/crontab)
2013-01-27 02:19:06	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Snort MD5 Attempts: 1
2013-01-27 02:19:06	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: There is a new set of Snort.org rules posted. Downloading...
2013-01-27 02:19:07	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:19:23	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:19:31	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
2013-01-27 02:19:33	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:19:41	User.Notice	172.24.42.254	check_reload_status: Reloading filter
2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:46.492618 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34037, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 3864903423, win 131, length 58
2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:00.000044 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34038, offset 0, flags [DF], proto TCP (6), length 67)
2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [FP.], cksum 0x0993 (correct), seq 58:85, ack 1, win 131, length 27
2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:00.510370 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34039, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
2013-01-27 02:19:45	Local0.Info	172.24.42.254	pf: 00:00:01.019304 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34040, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:19:45	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
2013-01-27 02:19:48	Local0.Info	172.24.42.254	pf: 00:00:02.051460 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34041, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:19:48	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
2013-01-27 02:19:49	Local0.Info	172.24.42.254	pf: 00:00:01.904027 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 42928, offset 0, flags [DF], proto TCP (6), length 360)
2013-01-27 02:19:49	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855936712 ecr 155013193], length 308
2013-01-27 02:19:52	Local0.Info	172.24.42.254	pf: 00:00:02.148327 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34042, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:19:52	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
2013-01-27 02:19:59	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Snort Rules Attempts: 1
2013-01-27 02:19:59	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: There is a new set of Emergingthreats rules posted. Downloading...
2013-01-27 02:20:00	Local0.Info	172.24.42.254	pf: 00:00:08.102416 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34043, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:20:00	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
2013-01-27 02:20:00	Cron.Info	172.24.42.254	/usr/sbin/cron[24641]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
2013-01-27 02:20:02	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Emergingthreats rules file update downloaded succsesfully
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: 00:00:03.031497 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 41, id 0, offset 0, flags [DF], proto UDP (17), length 441)
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf:     112.64.146.77.5101 > 50.21.133.210.5060: SIP, length: 413
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>OPTIONS sip:100@50.21.133.210 SIP/2.0
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>Via: SIP/2.0/UDP 112.64.146.77:5101;branch=z9hG4bK-89865205;rport
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>Content-Length: 0
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>From: "sipvicious"<sip:100@1.1.1.1>; ta#\0xd5\0x04Q\0xca3\0x04\0x00\0x93\0x00\0x00\0x00\0x93\0x00\0x00\0x00\0x14\0x00\0x00\0x00=\0x02\0x01\0x00bridge0\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x02\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00\0x8aQ\0x00\0x00\0x02\0x00\0x00\0x00E\0x00\0x00S!\0xbb@\0x000\0x06\0xe49L@\0x1c8\0xac\0x180 \0xeb$H\0x0f\0xdb\0x8dMt\0x85\0xb2\0xa4S\0x80\0x19\0xac x\0xd5\0x00\0x00\0x01\0x01\0x08\0x0aI\0xae\0xed`\0x09=\0xac<\0x0b\0x19T\0x1fr\0x0c*I\0xba\0x9ec\0xff\0xc0\0xbc\0xfa\0x14\0xe75\0xf9q\0xc8\0x0a\0xa4\0x96\0xddFT\0x178\0x84\0x0e^ \0xee\0xff\0xd3\0xe6]\0xbe\0xffP\0x18\0x00\0x83bY\0x00\0x00\0x17\0x03\0x01\0x005MT\0xe1H/\0xd7\0x9aN\0xaf\0xf3\0x11\0xd4pA\0x10is\0xa8\0x09;\0x8c\0xa8\0xe8\0xcf\0x81qJw\0xeb^B\0xbc\0x17f\0x07B\0x1b\0x11\0x98v\0xb2+z\0x17F{FV\0xc2\0xc6\0xf0w\0x80\0x00\0x00\0x00\0x00\0x00\0x00\0x00
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: 00:00:00.230625 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 8635, offset 0, flags [DF], proto TCP (6), length 83)
2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x78d5 (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236200800 ecr 155036732], length 31
2013-01-27 02:20:16	Local0.Info	172.24.42.254	pf: 00:00:13.026235 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34044, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:20:16	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
2013-01-27 02:20:25	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Updating rules configuration for: WAN ...
2013-01-27 02:20:29	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Updating rules configuration for: LAN ...
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Found pid path directive (/var/run)
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Running in IDS mode
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:         --== Initializing Snort ==--
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Output Plugins!
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Preprocessors!
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Plug-ins!
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Parsing Rules file "/usr/local/etc/snort/snort_18203_pppoe1/snort.conf"
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: PortVar 'DNS_PORTS' defined :
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:  [ 53 ]

...

2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: PortVar 'MODBUS_PORTS' defined :
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:  [ 502 ]
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Detection:
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:    Search-Method = AC-BNFA-Q
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:     Search-Method-Optimizations = enabled
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:     Maximum pattern length = 20
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Found pid path directive (/var/run)
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Tagged Packet Limit: 256
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
2013-01-27 02:20:32	Daemon.Error	172.24.42.254	snort[29577]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
2013-01-27 02:20:32	Daemon.Info	172.24.42.254	SnortStartup[29590]: Snort START For Wan Snort(18203_pppoe1)...
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Found pid path directive (/var/run)
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Running in IDS mode
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:         --== Initializing Snort ==--
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Output Plugins!
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Preprocessors!
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Plug-ins!
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: PortVar 'DNS_PORTS' defined :
2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:  [ 53 ]

...

2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Detection:
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:    Search-Method = AC-BNFA-Q
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:     Search-Method-Optimizations = enabled
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:     Maximum pattern length = 20
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Found pid path directive (/var/run)
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Tagged Packet Limit: 256
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
2013-01-27 02:20:35	Daemon.Error	172.24.42.254	snort[30298]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
2013-01-27 02:20:35	Daemon.Info	172.24.42.254	SnortStartup[30417]: Snort START For Lan(53096_bridge0)...
2013-01-27 02:20:49	Local0.Info	172.24.42.254	pf: 00:00:32.574901 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34045, offset 0, flags [DF], proto TCP (6), length 98)
2013-01-27 02:20:49	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
2013-01-27 02:20:55	Local0.Info	172.24.42.254	pf: 00:00:05.274322 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 61566, offset 0, flags [DF], proto TCP (6), length 40)
2013-01-27 02:20:55	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [R.], cksum 0x605b (correct), seq 309, ack 1, win 8460, length 0
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Found pid path directive (/var/run)
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Running in IDS mode
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:         --== Initializing Snort ==--
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Output Plugins!
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Preprocessors!
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Plug-ins!
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Parsing Rules file "/usr/local/etc/snort/snort_18203_pppoe1/snort.conf"
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: PortVar 'DNS_PORTS' defined :
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:  [ 53 ]
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:

...

2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Detection:
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:    Search-Method = AC-BNFA-Q
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:     Search-Method-Optimizations = enabled
2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:     Maximum pattern length = 20
2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Found pid path directive (/var/run)
2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Tagged Packet Limit: 256
2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
2013-01-27 02:20:58	Daemon.Error	172.24.42.254	snort[34948]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
2013-01-27 02:20:58	Daemon.Info	172.24.42.254	SnortStartup[35000]: Snort START For Wan Snort(18203_pppoe1)...
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Found pid path directive (/var/run)
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Running in IDS mode
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:         --== Initializing Snort ==--
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Output Plugins!
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Preprocessors!
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Plug-ins!
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: PortVar 'DNS_PORTS' defined :
2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:  [ 53 ]</sip:100@1.1.1.1> 

No luck

Remove , install, update rules and it started ok

Is there a 'requirement' to have a re-install button?  ???
I could live without it  ;D

Supermule

Why does the package reinstall doesnt work, but the package delete- reinstall does?

eri--

It should work after updating to 2.5.4 previously it was removing some files that were not being restored after an update.
There is some resolution missing for enabled disabled preprocessors.

After you get it running it will run ok.
I will have to find some time to get back to solve this last bits and making it less error prone to this install/reinstall and using rules when the preprocessor is not active but for now you just have to find the preprocessors needed and activate them.

kilthro

So far I havent had any issues with the updated version. I am guessing the auto update worked fine as snort was still running this morning. I dont see any snort reload items in system log. (to be expected with the verbose items being turned off) Not sure if there is a way to find a good compromise of leaving all the other stuff off but still showing with the update runs and if its successful.

Thanks again for the quick fixes on the problems yesterday.

kilthro

@tester_02:

Updated snort today, now it does not start.  Error is…

snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

I disabled the bad traffic rules (so and non so) and it still fails to start.   reinstalled package again, and no go..   Was working for quite a while.  Had not updated for a month, but thought from the thread here that it was stable.

I got this too. I had to delete snort, do a find all for snort and remove everything until nothing was returned. Then i reinstalled snort and configured. So far so good!

eri--

Normally you should have the logs from the update process itself.
Something like "Starting with your new set of rules…."

kilthro

I dont see this in the system log. When I go to the updated tab in snort the view updates log button doesnt do anything when clicked. I did a manual update and did see this in the sys log
Jan 27 11:49:12 php: /snort/snort_download_rules.php: The Rules update has finished…
Jan 27 11:49:12 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
Jan 27 11:49:12 php: /snort/snort_download_rules.php: Snort rules are up to date...
So i am guessing if the auto update ran I should see something similar? I do not see anything like this around midnight when the update generally runs.