Netgate Discussion Forum
    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    pfSense Packages
Phoenix912

It seems very weird because if I create a folder, after rebooting it is still there, but modifications like the package are not working.

I suppose pfSense or FreeBSD is blocking my modifications. Is it possible to force the modification or disable the thing which is preventing me from saving changes?

      Thanks in advance

Supermule

Are we seeing the end of this when Ermal/Bmeeks committed the last changes, or do we have to wait until the package is bumped to 2.5.5??? So far running fine here, but haven't upgraded to the last snaps from Ermal. Running the changed files from Bmeeks.

kilthro

          I have the latest downloaded and installed and everything seems to be working just fine here.

bmeeks

            @Supermule:

Are we seeing the end of this when Ermal/Bmeeks committed the last changes, or do we have to wait until the package is bumped to 2.5.5??? So far running fine here, but haven't upgraded to the last snaps from Ermal. Running the changed files from Bmeeks.

            The "big pieces" for this update cycle are done, I think.  My main focus was getting auto-flowbit resolution working and integrating the VRT Policy rules selection.  Along with those main goals were some incidental fixes like the stream5 preprocessor memcap setting and some items related to http_inspect.  At Ermal's request, the last change was some code to automatically scan for and disable any rules in the selected rule sets that depended on disabled preprocessors.  This is necessary because certain preprocessor-dependent rule options (such as the ssl_state and ssl_version options associated with the SSL preprocessor) will cause Snort to error out and not start if the associated preprocessor is not enabled.

            In my view, the next "big piece" is to update to the latest 2.4.x Snort binary.  I am not ready to jump out there and start that project on my own, though.  Still not experienced enough with the pfSense/BSD platform and its package building tools.

            Bill

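The preprocessor-dependency scan Bill describes above, as an added shell example that is not the pfSense Snort package's own code: it comments out every active rule whose option list uses ssl_state: or ssl_version: (taken from the post as the SSL preprocessor's options) so Snort no longer errors out at startup when that preprocessor is disabled. The rules file it builds is a constructed sample, not real VRT or ET content.

```shell
#!/bin/sh
# Added example, not the pfSense Snort package's own code.
# Disables rules that use options supplied by a preprocessor that is
# turned off, so Snort does not abort with a fatal parse error.

# disable_dependent_rules RULESFILE OPTION...
# Prefixes "# " to every uncommented rule whose body contains any of the
# named options (matched as "option:"); existing comments are untouched.
disable_dependent_rules() {
    rulesfile=$1; shift
    pattern=""
    for opt in "$@"; do
        pattern="${pattern}${pattern:+|}${opt}:"
    done
    tmp=$(mktemp) || return 1
    awk -v pat="$pattern" '
        /^[[:space:]]*#/ { print; next }           # already a comment: keep
        $0 ~ pat         { print "# " $0; next }   # uses a disabled option
        { print }
    ' "$rulesfile" > "$tmp" && mv "$tmp" "$rulesfile"
}

# count_active_rules RULESFILE -> number of uncommented rule lines
count_active_rules() {
    grep -c -E '^[[:space:]]*(alert|drop|pass|log)[[:space:]]' "$1"
}

# make_sample_rules RULESFILE -> writes a constructed sample rules file
# (the sids and messages are made up for this example)
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules for the example
alert tcp any any -> any 443 (msg:"sample ssl state rule"; ssl_state:client_hello; sid:9000001; rev:1;)
alert tcp any any -> any 443 (msg:"sample ssl version rule"; ssl_version:sslv3; sid:9000002; rev:1;)
alert tcp any any -> any 80 (msg:"sample http rule"; content:"GET"; sid:9000003; rev:1;)
# alert tcp any any -> any 443 (msg:"already disabled"; ssl_state:server_hello; sid:9000004; rev:1;)
EOF
}

# Stand-alone run: the SSL preprocessor is assumed disabled, so both
# ssl_* rules get commented out and one active rule remains.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_rules "$f"
    disable_dependent_rules "$f" ssl_state ssl_version
    echo "active rules after scan: $(count_active_rules "$f")"
    rm -f "$f"
fi
```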
fragged

              I'm still seeing a minor oddity when updating to a new snapshot of 2.1 and snort being re-installed during the reboot. When pfSense is all up and running, snort would show as running and presumably does have some rules to use, but the updates tab shows no rules installed. I have the "Keep snort settings after deinstall" option checked.

              So in summary:
              Snort re-installs fine
              Snort is blocking offenders after re-install
              But Updates tab shows no rules installed

              Also the "Update log" button seems to still be broken. It's not inactive / greyed out anymore, but it doesn't do anything when clicked.

bmeeks

                @fragged:

                Also the "Update log" button seems to still be broken. It's not inactive / greyed out anymore, but it doesn't do anything when clicked.

                This is a problem that likely can be fixed, and I will take a look at getting the button working.  One small complication here is that the Update Log is only created when the automatic update cron job runs.  The log is not created during a manual update.  Basically what happens currently is the console output of the cron job rule update is redirected to a file in the /tmp/ directory.

daehnomel

                  Help! Snort will not start from the webgui after update to pfsense 2.02, currently running snort 2.9.2.3 pkg v. 2.5.4.  GUI reports service is stopped so I attempt to restart and it just stays stopped.  Individual interfaces respond similarly.  I have tried reinstalling snort as well, no dice.  I tried suggestions on this thread as well to no avail : http://forum.pfsense.org/index.php?topic=58175.0 .  Snort seems to start by simply typing "snort" in shell but webgui doesn't respond.  Any suggestions would be appreciated. BTW, I have read the thread and it seems this problem is ongoing, is it just best to wait for version 2.5.5?  Is snort really running and just not reported in the GUI?  Thanks in advance for your help.

tritron

Did you look at your log? You should post the error messages you are getting in the log. Snort works fine with 2.1.

daehnomel

                      I have copied the results of my log below. BTW, did you mean 2.01? Because version 2.1. Version 2.1!  Great Scott! In the future I bet anyone can get version 2.1 at the corner drugstore, but here in 2012 it's a bit hard to come by.

                      Feb 13 18:37:46 snort[9185]: 11 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 11 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 12 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 12 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 13 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 13 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 14 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 14 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 15 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 15 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 16 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 16 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 17 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 17 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 18 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 18 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 19 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: 19 client (Footprint) server (Footprint)
                      Feb 13 18:40:00 snort[13307]: additional ports configured but not printed.
                      Feb 13 18:40:00 snort[13307]: additional ports configured but not printed.
                      Feb 13 18:40:00 snort[13307]: Stream5 UDP Policy config:
                      Feb 13 18:40:00 snort[13307]: Stream5 UDP Policy config:
                      Feb 13 18:40:00 snort[13307]: Timeout: 180 seconds
                      Feb 13 18:40:00 snort[13307]: Timeout: 180 seconds
                      Feb 13 18:40:00 snort[13307]: PerfMonitor config:
                      Feb 13 18:40:00 snort[13307]: PerfMonitor config:
                      Feb 13 18:40:00 snort[13307]: Time: 300 seconds
                      Feb 13 18:40:00 snort[13307]: Time: 300 seconds
                      Feb 13 18:40:00 snort[13307]: Flow Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Flow Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Flow IP Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Flow IP Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Event Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Event Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Max Perf Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Max Perf Stats: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Console Mode: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Console Mode: INACTIVE
                      Feb 13 18:40:00 snort[13307]: File Mode: /var/log/snort/snort_re337603/re3.stats
                      Feb 13 18:40:00 snort[13307]: File Mode: /var/log/snort/snort_re337603/re3.stats
                      Feb 13 18:40:00 snort[13307]: SnortFile Mode: INACTIVE
                      Feb 13 18:40:00 snort[13307]: SnortFile Mode: INACTIVE
                      Feb 13 18:40:00 snort[13307]: Packet Count: 10000
                      Feb 13 18:40:00 snort[13307]: Packet Count: 10000
                      Feb 13 18:40:00 snort[13307]: Dump Summary: No
                      Feb 13 18:40:00 snort[13307]: Dump Summary: No
                      Feb 13 18:40:00 snort[13307]: Max file size: 2147483648
                      Feb 13 18:40:00 snort[13307]: Max file size: 2147483648
                      Feb 13 18:40:00 snort[13307]: FATAL ERROR: /usr/local/etc/snort/snort_37603_re3/snort.conf(125) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/snort_37603_re3/unicode.map'.
                      Feb 13 18:40:00 snort[13307]: FATAL ERROR: /usr/local/etc/snort/snort_37603_re3/snort.conf(125) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/snort_37603_re3/unicode.map'.
                      Feb 13 18:40:00 SnortStartup[13378]: Snort START For LAN(37603_re3)…

tritron

No, not 2.01, I mean 2.1: 2.1-BETA1 (amd64)
                        built on Sat Feb 9 11:39:22 EST 2013

tritron

Look here:
http://www.linuxquestions.org/questions/linux-security-4/snort-refuses-to-read-config-file-163252/

bmeeks

                            First thing to check is that you actually have some downloaded rules.  That missing file is part of a rules update package.  Just to be sure, do a rules update from the UPDATES tab.  That should force everything to be created and copied to the correct places.

daehnomel

Thanks tritron, that link helped.  It's not fixed yet but it looks like the problem is the conf file is looking for the unicode.map file and it's missing.  I'll have to find it and cp it over.  BTW, bmeeks, I have tried reloading the rules as well as a complete reinstall a couple of times; none of this helped.  snort(interface).conf is corrupt.

daehnomel

SUCCESS! THANKS TO TRITRON for putting me on the right track!!! Steps to recover from the unicode.map error:

1.) Make a tmp directory and fetch the latest snort there. It's currently available from: http://www.snort.org/dl/snort-current/snort-2.9.2.3.tar.gz

2.) Untar the file above, i.e.:
tar -xvf snort-2.9.2.3.tar.gz

3.) Locate the unicode.map file:
find / -name unicode.map

4.) Copy the file found above to the location the logs say it was missing from:
cp snort-2.9.2.3/etc/unicode.map /usr/local/etc/snort/snort_46603_re0/

5.) Restart snort from the GUI and VOILA!

Thanks guys.  The only bad news is now I have to redo my snort configs for my LAN and DMZ since I removed them thinking that would help.  Oh well, maybe I could just increase the mem profile on the WAN.

Koti

Rules are not working, even after enabling all the Emerging Threats rules. Nothing is detected on alerts.

thewild

Hi all!

I decided to try snort on my pfSense installation. Snort 2.9.2.3 pkg v. 2.5.4, pfSense 2.0.2 RELEASE.
It works OK, but I had to disable a lot of rules, otherwise a lot of legit traffic was blocked.
I found other threads with similar problems, but I do not understand why these rules give false positives in the first place. Is it because my snort configuration is bad, or because these rules are not well defined?

Here is the list of rules that I had to disable:

                                    # (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                                    suppress gen_id 120, sig_id 3
                                    # (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
                                    suppress gen_id 120, sig_id 6
                                    # (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                                    suppress gen_id 120, sig_id 8
                                    # (smtp) Base64 Decoding failed.
                                    suppress gen_id 124, sig_id 10
                                    # (smtp) Quoted-Printable Decoding failed
                                    suppress gen_id 124, sig_id 11
                                    # (smtp) 7bit/8bit/binary/text Extraction failed.
                                    suppress gen_id 124, sig_id 12
                                    # (http_inspect) UNKNOWN METHOD
                                    suppress gen_id 119, sig_id 31
                                    # (http_inspect) SIMPLE REQUEST
                                    suppress gen_id 119, sig_id 32
                                    #(IMAP) Unknown IMAP4 command
                                    suppress gen_id 141, sig_id 1
                                    #(IMAP) No memory available for decoding. Memcap exceeded
                                    suppress gen_id 141, sig_id 3
                                    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
                                    suppress gen_id 119, sig_id 7
                                    #(smtp) Attempted response buffer overflow: 517 chars
                                    suppress gen_id 124, sig_id 3

Since some of the rules seem to be related to content encoding, I did a bit of searching and found out that there was a unicode.map parameter in snort.conf (but not in the GUI apparently). It is set to 1252, but the webservers on my IIS installation deliver mainly UTF8 content. Can this be a problem?

Otherwise, I had to disable some SMTP/IMAP rules, even though I am sure that the traffic they blocked was legit. Are the rules too restrictive?

                                    Thanks a lot for your comments on this.

Supermule

                                      I see a lot of false positives on my systems. It annoys me like hell tbh.

                                      #(http_inspect) UNKNOWN METHOD
                                      suppress gen_id 119, sig_id 31
                                      #(http_inspect) SIMPLE REQUEST
                                      suppress gen_id 119, sig_id 32

#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
                                      #PSNG_TCP_PORTSWEEP
                                      suppress gen_id 122, sig_id 3
                                      #ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)
                                      suppress gen_id 1, sig_id 2011124
                                      #ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
                                      suppress gen_id 1, sig_id 2002994
                                      #PSNG_TCP_PORTSWEEP_FILTERED
                                      suppress gen_id 122, sig_id 7
                                      #ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
                                      suppress gen_id 1, sig_id 2002994
                                      #FILE-IDENTIFY download of executable content
                                      suppress gen_id 1, sig_id 11192
                                      #FILE-IDENTIFY Portable Executable binary file magic detected
                                      suppress gen_id 1, sig_id 15306
                                      #ET POLICY PE EXE or DLL Windows file download
                                      suppress gen_id 1, sig_id 2000419
                                      #ET INFO Packed Executable Download
                                      suppress gen_id 1, sig_id 2014819

                                      #FILE-IDENTIFY Portable Executable binary file magic detected
                                      suppress gen_id 1, sig_id 15306

This is my suppress list, but it's not nearly as long as it should be!

                                      (http_inspect) IIS UNICODE CODEPOINT ENCODING - 02/22-03:06:06 is triggered.

                                      FILE-IDENTIFY download of executable content - 02/02-06:01:51
                                      ET INFO Packed Executable Download - 02/02-06:01:51
                                      ET POLICY PE EXE or DLL Windows file download - 02/02-06:01:51
                                      FILE-IDENTIFY Portable Executable binary file magic detected - 02/02-06:01:51

These are triggered on whitelisted SRC IPs. It blocks Windows Update among other things.

So snort is, in my view, not working as it should, and it's CORE functionality for a modern FW.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.