Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
Hrm, that is a problem with the building of the package.
barnyard2 requires mysql but snort does not require it. Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
i386
pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
AMD64
pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
For 2.1 PBI should include that
-
I run mine in a VM too… So it shouldn't be a problem.
-
Hi,
The uninstall/install after reboot happens on my machine as well, with the same errors…
Another thing: I don't think HOME_NET is being populated correctly on my machine. On my LAN interface, instead of including my network it only includes the pfSense IP (and my external IPs, DNS, etc.). I've ended up editing snort.inc and manually adding my network address, but I guess this will hold only until the next reboot and reinstall. Older posts mentioned the possibility of using the firewall aliases, but I can only choose "default" in the "Home net" dropdown list.
-
You have to create a whitelist to override.
If you run snort on the LAN interface then there is no reason to trust your hosts, no?
-
Is this a bug or an intentional feature / behavior that Snort doesn't download new rules after an uninstall / install (pfSense snapshot update)? I need to go and download the rules, which will then start Snort when finished. Shouldn't this happen during the first start?
I'm fairly sure it ran just fine after a snapshot update before the latest changes. Today I updated from the 24th January snapshot to:
2.1-BETA1 (amd64)
built on Sun Jan 27 20:37:59 EST 2013
-
I put a fix on the new package to reapply the update during reinstall if the keep-settings option is on.
Normally your rules should be preserved during a reinstall but…
-
Is there a limit on the number of download of the snort rules per hour?
-
Yes :)
-
Hej ermal
Thanks for all your valuable knowledge and help here on snort.
Since the libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16,
may I ask why it would not be more appropriate to apply
pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz
This will give version 18 and not 16 as version 5.1.53 would do… or does it not matter?
@ermal:
> Hrm that is a problem with the building of the package.
> barnyard2 requires mysql but snort does not require it.
> Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
> i386
> pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
> AMD64
> http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
> For 2.1 PBI should include that
-
> Is there a limit on the number of download of the snort rules per hour?
Once per 15 minutes is what it has told me in the past.
-
@ermal:
> You have to create a whitelist to override.
> If you run snort on the LAN interface then there is no reason to trust your hosts, no?
Thanks for the feedback, but I'm not sure I'm following you…
I have this rule:
alert tcp any any -> any $HTTP_PORTS (msg:"INT-Babylon Detected"; flow:from_client; content:"User-Agent|3A20|Babylon"; http_header; sid:1000007; classtype:policy-violation;)
It should monitor and notify me about a specific program being used. The only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. Appreciate it if you can clear that up for me.
-
@spi:
> Hej ermal
> Thanks for all your valuable knowledge and help here on snort.
> Since the libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16,
> may I ask why it would not be more appropriate to apply
> pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz
> This will give version 18 and not 16 as version 5.1.53 would do… or does it not matter?
Hi,
pkg_add -v -f -F http://files.pfsense.org/packages/8/All/mysql-client-5.5.29.tbz
worked on my machine. I had to use the "force" option because it complained about already having the package installed.
-
> It should monitor and notify me about a specific program being used. The only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. Appreciate it if you can clear that up for me.
If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.
-
> If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.
This is what happens when HOME_NET does not contain my LAN. When I set it manually (via snort.inc modification) I get the warnings and everything works as it should.
Am I doing something wrong and there is another way to get this information, or should HOME_NET include my local network?
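Both this post (the snort.inc patch that gets lost on reinstall) and the earlier report that HOME_NET only held the pfSense IP come down to one question: does the generated ipvar line actually cover the LAN? The Python below is an added example, not code from the thread or from the pfSense package. It reads the `ipvar HOME_NET` line out of a per-interface snort.conf (the /usr/local/etc/snort/snort_<id>_<if>/snort.conf path that appears in the log later in the thread), says whether a given LAN CIDR is covered, and produces the amended line. The conf fragment and every address in it are constructed; negated entries and $VAR references are deliberately skipped because they add no coverage.

```python
import ipaddress
import re

# Constructed sample of the ipvar line the pfSense package generates in the
# per-interface snort.conf.  These are documentation ranges, not anybody's
# real firewall, DNS or WAN addresses.
SAMPLE_SNORT_CONF = """\
# constructed snort.conf fragment
ipvar HOME_NET [192.0.2.10/32,203.0.113.1/32,198.51.100.53/32]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""


def _ipvar_match(conf_text, name):
    """Locate `ipvar <name> <value>`; [ \\t]* instead of \\s* so the match never spans lines."""
    pattern = r"^[ \t]*ipvar[ \t]+%s[ \t]+(\S+)[ \t]*$" % re.escape(name)
    return re.search(pattern, conf_text, re.MULTILINE)


def parse_ipvar(conf_text, name="HOME_NET"):
    """Return the positive networks listed for an ipvar as ip_network objects.

    Negated entries (!x) and variable references ($OTHER) are skipped: they
    add no coverage, and resolving them is outside what this check needs.
    """
    m = _ipvar_match(conf_text, name)
    if m is None:
        return []
    nets = []
    for item in m.group(1).strip("[]").split(","):
        item = item.strip()
        if not item or item[0] in "!$":
            continue
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def home_net_covers(conf_text, lan_cidr):
    """True if every address of lan_cidr falls inside some HOME_NET entry."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return any(lan.subnet_of(net)
               for net in parse_ipvar(conf_text)
               if net.version == lan.version)


def add_to_home_net(conf_text, lan_cidr):
    """Return conf_text with lan_cidr appended to HOME_NET (unchanged if already covered)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    if home_net_covers(conf_text, lan_cidr):
        return conf_text
    m = _ipvar_match(conf_text, "HOME_NET")
    if m is None:
        return conf_text + "ipvar HOME_NET [%s]\n" % lan
    # Keep the original entries verbatim (including negations) and append ours.
    items = [s.strip() for s in m.group(1).strip("[]").split(",") if s.strip()]
    new_line = "ipvar HOME_NET [%s]" % ",".join(items + [str(lan)])
    return conf_text[:m.start()] + new_line + conf_text[m.end():]


if __name__ == "__main__":
    lan = "192.0.2.0/24"  # assumed LAN network for the demo
    print("HOME_NET covers %s: %s" % (lan, home_net_covers(SAMPLE_SNORT_CONF, lan)))
    print(add_to_home_net(SAMPLE_SNORT_CONF, lan))
```

Copy the generated snort.conf off the box and run the check with your LAN CIDR before and after a reboot; since the manual edit is lost on reinstall, re-running it is the cheapest way to confirm whether a package fix took.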
-
Corrected the HOME_NET generation.
Also the libmysql issues should be fixed.
-
Ermal,
I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have "remove blocked hosts" set to 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.
-
You need to have an alias; you cannot put ports there.
My wild guess about the suppression is a missing revision?
-
> Ermal,
> I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have "remove blocked hosts" set to 6 hours and snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.
Can you check /etc/crontab to see if it has the entries for snort?
I pushed a fix which should help here.
Just resave your settings on the Global tab.
-
@ermal:
> Can you check /etc/crontab to see if it has the entries for snort?
> I pushed a fix which should help here.
> Just resave your settings on the Global tab.
Here is what cron is showing. Looks like no time settings are entered. Looks like the remove-host entry is doing the same thing, as it's blank too. May explain why they aren't being removed like they should.
-
I am not seeing the update on the dashboard… Guess it takes a while to recognize.. Will check back on it.. What version number is it up to now?
-
@ermal:
> You need to have an alias; you cannot put ports there.
> My wild guess about the suppression is a missing revision?
Why an alias when the specific ports are needed??
By the way, I am running 2.5.4, so unless the package has been updated, I am on the latest revision.
-
No, the version has not been bumped since some small fixes will still come.
When those are finished it will be bumped.
-
Thx Ermal!
-
Hi,
I have the issue with the lib mysql.18 which I was able to correct with pkg_add -v -f -F http://files.pfsense.org/packages/8/All/mysql-client-5.5.29.tbz
But when I reboot my VM, I have to do the command again, because snort won't start with my interfaces.
It is very weird because before rebooting everything was working perfectly fine, alerts were there, all interfaces were enabled…Anyone has an idea ?
Thanks in advance
-
It seems very weird because if I create a folder, after rebooting it is still there, but a modification like the package install is not sticking.
I suppose pfSense or FreeBSD is blocking my modifications. Is it possible to force the modification or disable the thing which is preventing me from saving changes?
Thanks in advance
-
(10 days later)
-
Are we seeing the end of this when Ermal/Bmeeks committed the last changes or do we have to wait until the package is bumped to 2.5.5??? So far running fine here, but havent upgraded to the last snaps from Ermal. Running the changed files from Bmeeks.
-
I have the latest downloaded and installed and everything seems to be working just fine here.
-
Are we seeing the end of this when Ermal/Bmeeks committed the last changes or do we have to wait until the package is bumped to 2.5.5??? So far running fine here, but havent upgraded to the last snaps from Ermal. Running the changed files from Bmeeks.
The "big pieces" for this update cycle are done, I think. My main focus was getting auto-flowbit resolution working and integrating the VRT Policy rules selection. Along with those main goals were some incidental fixes like the stream5 preprocessor memcap setting and some items related to http_inspect. At Ermal's request, the last change was some code to automatically scan for and disable any rules in the selected rule sets that depended on disabled preprocessors. This is necessary because certain preprocessor-dependent rule options (such as the ssl_state and ssl_version options associated with the SSL preprocessor) will cause Snort to error out and not start if the associated preprocessor is not enabled.
In my view, the next "big piece" is to update to the latest 2.4.x Snort binary. I am not ready to jump out there and start that project on my own, though. Still not experienced enough with the pfSense/BSD platform and its package building tools.
Bill
-
I'm still seeing a minor oddity when updating to a new snapshot of 2.1 and snort being re-installed during the reboot. When pfSense is all up and running, snort shows as running and presumably does have some rules to use, but the Updates tab shows no rules installed. I have the "Keep snort settings after deinstall" option checked.
So in summary:
Snort re-installs fine
Snort is blocking offenders after re-install
But the Updates tab shows no rules installed
Also the "Update log" button seems to still be broken. It's not inactive / greyed out anymore, but it doesn't do anything when clicked.
-
> Also the "Update log" button seems to still be broken. It's not inactive / greyed out anymore, but it doesn't do anything when clicked.
This is a problem that likely can be fixed, and I will take a look at getting the button working. One small complication here is that the Update Log is only created when the automatic update cron job runs. The log is not created during a manual update. Basically what happens currently is the console output of the cron job rule update is redirected to a file in the /tmp/ directory.
-
Help! Snort will not start from the webgui after update to pfsense 2.02, currently running snort 2.9.2.3 pkg v. 2.5.4. GUI reports service is stopped so I attempt to restart and it just stays stopped. Individual interfaces respond similarly. I have tried reinstalling snort as well, no dice. I tried suggestions on this thread as well to no avail : http://forum.pfsense.org/index.php?topic=58175.0 . Snort seems to start by simply typing "snort" in shell but webgui doesn't respond. Any suggestions would be appreciated. BTW, I have read the thread and it seems this problem is ongoing, is it just best to wait for version 2.5.5? Is snort really running and just not reported in the GUI? Thanks in advance for your help.
-
Did you look at your log? You should post the error messages you are getting in the log. Snort works fine with 2.1.
-
I have copied the results of my log below. BTW, did you mean 2.01? Because version 2.1. Version 2.1! Great Scott! In the future I bet anyone can get version 2.1 at the corner drugstore, but here in 2012 it's a bit hard to come by.
Feb 13 18:37:46 snort[9185]: 11 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 11 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 12 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 12 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 13 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 13 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 14 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 14 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 15 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 15 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 16 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 16 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 17 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 17 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 18 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 18 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 19 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 19 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: additional ports configured but not printed.
Feb 13 18:40:00 snort[13307]: additional ports configured but not printed.
Feb 13 18:40:00 snort[13307]: Stream5 UDP Policy config:
Feb 13 18:40:00 snort[13307]: Stream5 UDP Policy config:
Feb 13 18:40:00 snort[13307]: Timeout: 180 seconds
Feb 13 18:40:00 snort[13307]: Timeout: 180 seconds
Feb 13 18:40:00 snort[13307]: PerfMonitor config:
Feb 13 18:40:00 snort[13307]: PerfMonitor config:
Feb 13 18:40:00 snort[13307]: Time: 300 seconds
Feb 13 18:40:00 snort[13307]: Time: 300 seconds
Feb 13 18:40:00 snort[13307]: Flow Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Flow Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Flow IP Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Flow IP Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Event Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Event Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Max Perf Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Max Perf Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Console Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: Console Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: File Mode: /var/log/snort/snort_re337603/re3.stats
Feb 13 18:40:00 snort[13307]: File Mode: /var/log/snort/snort_re337603/re3.stats
Feb 13 18:40:00 snort[13307]: SnortFile Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: SnortFile Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: Packet Count: 10000
Feb 13 18:40:00 snort[13307]: Packet Count: 10000
Feb 13 18:40:00 snort[13307]: Dump Summary: No
Feb 13 18:40:00 snort[13307]: Dump Summary: No
Feb 13 18:40:00 snort[13307]: Max file size: 2147483648
Feb 13 18:40:00 snort[13307]: Max file size: 2147483648
Feb 13 18:40:00 snort[13307]: FATAL ERROR: /usr/local/etc/snort/snort_37603_re3/snort.conf(125) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/snort_37603_re3/unicode.map'.
Feb 13 18:40:00 snort[13307]: FATAL ERROR: /usr/local/etc/snort/snort_37603_re3/snort.conf(125) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/snort_37603_re3/unicode.map'.
Feb 13 18:40:00 SnortStartup[13378]: Snort START For LAN(37603_re3)…
-
No, not 2.01, I mean 2.1:
2.1-BETA1 (amd64)
built on Sat Feb 9 11:39:22 EST 2013
-
Look here:
http://www.linuxquestions.org/questions/linux-security-4/snort-refuses-to-read-config-file-163252/
-
First thing to check is that you actually have some downloaded rules. That missing file is part of a rules update package. Just to be sure, do a rules update from the UPDATES tab. That should force everything to be created and copied to the correct places.
-
Thanks Triton, that link helped. It's not fixed yet, but it looks like the problem is that the conf file is looking for the unicode.map file and it's missing. I'll have to find it and cp it over. BTW, bmeeks, I have tried reloading the rules as well as a complete reinstall a couple of times; none of this helped. snort(interface).conf is corrupt.
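The FATAL ERROR quoted in this exchange names the exact file snort.conf line 125 wanted and could not open, and the advice was to make sure the rules update had created everything. As an added example that is not from the thread or the pfSense package, this Python preflight reads a snort.conf, expands $VAR references from its var lines, and reports every include and http_inspect iis_unicode_map file that is missing relative to the config directory, so a broken per-interface config is caught before Snort is started from the GUI. The sample config and the throwaway directory it checks are constructed; pass the real /usr/local/etc/snort/snort_<id>_<if>/snort.conf path as the argument on a box that has a Python interpreter (an assumption; a stock pfSense 2.x install may not ship one, in which case copy the directory off first).

```python
import os
import re
import sys
import tempfile

# Constructed snort.conf fragment mirroring the FATAL ERROR above: http_inspect
# points at unicode.map relative to the config directory and the includes go
# through $RULE_PATH.  This is not the package's generated file.
SAMPLE_CONF = """\
var RULE_PATH rules
include classification.config
include reference.config
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
include $RULE_PATH/local.rules
"""


def _expand(path, variables):
    """Substitute $NAME with the value from an earlier `var` line; unknown names stay literal."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)


def referenced_files(conf_text):
    """List (directive, path) for every file the config makes Snort open at startup.

    Covered: `include <file>` and http_inspect's `iis_unicode_map <file> <codepage>`.
    Other file-bearing options (e.g. dynamicpreprocessor directories) are not handled.
    """
    variables, refs = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"var\s+(\w+)\s+(\S+)$", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r"include\s+(\S+)$", line)
        if m:
            refs.append(("include", _expand(m.group(1), variables)))
            continue
        m = re.search(r"iis_unicode_map\s+(\S+)\s+\d+", line)
        if m:
            refs.append(("iis_unicode_map", _expand(m.group(1), variables)))
    return refs


def missing_files(conf_text, conf_dir):
    """Return the (directive, path) pairs whose file does not exist, resolved against conf_dir."""
    missing = []
    for directive, path in referenced_files(conf_text):
        full = path if os.path.isabs(path) else os.path.join(conf_dir, path)
        if not os.path.isfile(full):
            missing.append((directive, path))
    return missing


def build_demo_dir():
    """Create a throwaway config directory with everything except unicode.map (constructed)."""
    d = tempfile.mkdtemp(prefix="snort_preflight_")
    os.mkdir(os.path.join(d, "rules"))
    for name in ("classification.config", "reference.config", "rules/local.rules"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("# constructed placeholder\n")
    return d


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real config given on the command line
        conf_path = os.path.abspath(sys.argv[1])
        with open(conf_path) as fh:
            text, conf_dir = fh.read(), os.path.dirname(conf_path)
    else:                                       # demo against the constructed directory
        text, conf_dir = SAMPLE_CONF, build_demo_dir()
    problems = missing_files(text, conf_dir)
    for directive, path in problems:
        print("missing (%s): %s" % (directive, os.path.join(conf_dir, path)))
    sys.exit(1 if problems else 0)
```

A non-zero exit means Snort would hit the same kind of "Unable to open" fatal error at startup; in the demo the only report is the unicode.map entry, which is the case from the log.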