Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
Is this a bug or an intentional feature / behavior that Snort doesn't download new rules after an uninstall / install (pfSense snapshot update)? I need to go and download the rules, which will then start Snort when finished. Shouldn't this happen during the first start?
I'm fairly sure it ran just fine after a snapshot update before the latest changes. Today I updated from 24th January snapshot to:
2.1-BETA1 (amd64)
built on Sun Jan 27 20:37:59 EST 2013 -
I put a fix on the new package to reapply the update during reinstall if "keep settings" is on.
Normally your rules should be preserved during a reinstall but…. -
Is there a limit on the number of download of the snort rules per hour?
-
Yes :)
-
Hej ermal
Thanks for all your valuable knowledge and help here on snort.
Since the libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16,
may I ask why it would not be more appropriate to apply
```
pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz
```
This will give version 18 and not 16 as version 5.1.53 would do… or does it not matter?

@ermal:
> Hrm that is a problem with the building of the package.
> barnyard2 requires mysql but snort does not require it.
>
> Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
> i386
> ```
> pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
> ```
> AMD64
> ```
> http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
> ```
> For 2.1 PBI should include that
-
Is there a limit on the number of download of the snort rules per hour?
once per 15 minutes is what it has told me in the past.
-
@ermal:
> You have to create a whitelist to override.
> If you run snort on the LAN interface then there is no reason to trust your hosts, no?
Thanks for the feedback, but I'm not sure I'm following you…
I have this rule:
```
alert tcp any any -> any $HTTP_PORTS (msg:"INT-Babylon Detected"; flow:from_client; content:"User-Agent|3A20|Babylon"; http_header; sid:1000007; classtype:policy-violation;)
```
It should monitor and notify me about a specific program being used. The only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. Appreciate it if you can clear that up for me.
-
@spi:
> Hej ermal
> Thanks for all your valuable knowledge and help here on snort.
> Since the libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16,
> may I ask why it would not be more appropriate to apply
> ```
> pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz
> ```
> This will give version 18 and not 16 as version 5.1.53 would do… or does it not matter?
Hi,
```
pkg_add -v -f -F http://files.pfsense.org/packages/8/All/mysql-client-5.5.29.tbz
```
worked on my machine. I had to use the "force" option because it complained about already having the package installed.
-
> It should monitor and notify me about a specific program being used. The only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. Appreciate it if you can clear that up for me.
If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.
-
> If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.
This is what happens when HOME_NET does not contain my LAN. When I set it manually (via a snort.inc modification) I get the warnings and everything works as it should.
Am I doing something wrong and is there another way to get this information, or should HOME_NET include my local network?
-
Corrected the HOME_NET generation.
Also the libmysql issues should be fixed. -
Ermal,
I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have "remove blocked hosts" set to 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue. -
I get these errors when trying to change the ports of "Home NET"
-
First of all….
I get these false positives even if I have created them in the Suppress lists!!
-
Suppress list is here….
Tell me why Snort doesn't respect it.......... :-\
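The HOME_NET question earlier in the thread and the suppress-list question in this post both come down to how Snort resolves rule-header variables and suppress entries. The following Python toy is an added example, not Snort or pfSense package code. It parses the Babylon rule from the thread, expands $HOME_NET / $EXTERNAL_NET / $HTTP_PORTS against a constructed variable table (the 192.168.1.0/24 LAN, the port list and the sample packet are assumptions), models a pass list the way the thread describes it (a whitelisted host never alerts; that is the toy's assumption, not a statement about what the package does), and applies a `suppress gen_id 1, sig_id 1000007, track by_src, ip ...` entry, which is keyed on gen_id and sig_id rather than on a rule revision. The `http_header` and `flow` modifiers are only approximated by searching the HTTP header bytes.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed variable table for the toy; the LAN prefix is an assumption.
VARS = {
    "HOME_NET": ["192.168.1.0/24"],
    "EXTERNAL_NET": ["!$HOME_NET"],
    "HTTP_PORTS": ["80", "8080"],
}

# The rule from the thread, plus a variant whose header depends on HOME_NET.
RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"INT-Babylon Detected"; '
        'flow:from_client; content:"User-Agent|3A20|Babylon"; http_header; '
        'sid:1000007; classtype:policy-violation;)')
RULE_HOME = RULE.replace("any any -> any", "$HOME_NET any -> $EXTERNAL_NET")

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def decode_content(s):
    """Turn 'User-Agent|3A20|Babylon' into b'User-Agent: Babylon' (|..| is hex)."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(text):
    """Split a one-line rule into its header fields and the options the toy uses."""
    action, proto, src, sport, dst, dport, body = HEADER_RE.match(text.strip()).groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        opts[key] = val.strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "sid": int(opts["sid"]),
            "msg": opts["msg"], "content": decode_content(opts["content"])}

def _expand(spec, vars_):
    """Resolve 'any', '$VAR' or '!$VAR' to (negated, [items]); variables may nest."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        items = vars_[spec[1:]]
        if len(items) == 1 and items[0].startswith("!"):  # e.g. EXTERNAL_NET = !$HOME_NET
            inner_neg, inner = _expand(items[0], vars_)
            return negated != inner_neg, inner
        return negated, items
    return negated, [spec]

def addr_matches(spec, ip, vars_=VARS):
    negated, items = _expand(spec, vars_)
    if items == ["any"]:
        return True
    return any(ip_address(ip) in ip_network(n) for n in items) != negated

def port_matches(spec, port, vars_=VARS):
    negated, items = _expand(spec, vars_)
    if items == ["any"]:
        return True
    return (str(port) in items) != negated

def parse_suppress(line):
    """Parse 'suppress gen_id 1, sig_id 1000007, track by_src, ip 192.168.1.5'."""
    fields = dict(re.findall(r"(\w+)\s+([^,\s]+)", line.split(None, 1)[1]))
    return {"gen_id": int(fields["gen_id"]), "sid": int(fields["sig_id"]),
            "track": fields.get("track"), "ip": fields.get("ip")}

def evaluate(rule, pkt, passlist=(), suppress=(), vars_=VARS):
    """Return 'pass', None (no match), 'suppressed' or 'alert' for one packet."""
    src, dst = pkt["src"], pkt["dst"]
    # Pass list as the thread describes it: a whitelisted source never alerts (toy assumption).
    if any(ip_address(src) in ip_network(n) for n in passlist):
        return "pass"
    if not (addr_matches(rule["src"], src, vars_) and port_matches(rule["sport"], pkt["sport"], vars_)
            and addr_matches(rule["dst"], dst, vars_) and port_matches(rule["dport"], pkt["dport"], vars_)):
        return None
    # http_header approximated: search only the bytes before the blank line.
    header = pkt["payload"].split(b"\r\n\r\n", 1)[0]
    if rule["content"] not in header:
        return None
    for s in suppress:
        if s["gen_id"] != 1 or s["sid"] != rule["sid"]:  # text rules are generator 1
            continue
        tracked = {"by_src": src, "by_dst": dst}.get(s["track"])
        if tracked is None or ip_address(tracked) in ip_network(s["ip"]):
            return "suppressed"
    return "alert"

# Constructed sample: a LAN host sending a Babylon User-Agent to an outside web server.
PKT = {"src": "192.168.1.5", "sport": 51000, "dst": "203.0.113.10", "dport": 80,
       "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Babylon Client\r\n\r\n"}

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(evaluate(rule, PKT))                                                   # alert
    print(evaluate(parse_rule(RULE_HOME), PKT, vars_={**VARS, "HOME_NET": ["10.0.0.0/8"]}))  # None
    print(evaluate(rule, PKT, passlist=["192.168.1.0/24"]))                     # pass
    sup = [parse_suppress("suppress gen_id 1, sig_id 1000007, track by_src, ip 192.168.1.5")]
    print(evaluate(rule, PKT, suppress=sup))                                    # suppressed
```

Two things the runs show: the thread's rule uses `any any -> any $HTTP_PORTS`, so its header never consults HOME_NET at all, and only the `$HOME_NET`-based variant stops matching when HOME_NET excludes the LAN; and a suppress entry needs only the matching gen_id/sig_id (and, if tracked, the right address), so a revision mismatch would not be what keeps a correctly written entry from applying.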
-
You need to have an alias; you cannot put ports there.
My wild guess about the suppression is a missing revision?
-
> Ermal,
> I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have "remove blocked hosts" set to 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.
Can you check /etc/crontab if it has the entries for snort?
I pushed a fix which should help here.
Just resave your settings on the Global tab. -
@ermal:
> Ermal,
> I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have "remove blocked hosts" set to 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.
> Can you check /etc/crontab if it has the entries for snort?
> I pushed a fix which should help here.
> Just resave your settings on the Global tab.
Here is what cron is showing. Looks like no time settings are entered. Looks like the remove host is doing the same thing as it's blank too.. May explain why they aren't being removed like they should.
-
I am not seeing the update on the dashboard… Guess it takes a while to recognize.. Will check back on it.. What version number is it up to now?
-
@ermal:
> You need to have an alias; you cannot put ports there.
> My wild guess about the suppression is a missing revision?
Why an alias when the specific ports are needed??
By the way, running on 2.5.4 so unless the package has been updated, then I am on the latest revision.