Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
Did you look at your log? You shuold post error messages you are getting in log. Snort works fine fine with 2.1
-
I have copied the results of my log below. BTW, did you mean 2.01? Because version 2.1. Version 2.1! Great Scott! In the future I bet anyone can get version 2.1 at the corner drugstore, but here in 2012 it's a bit hard to come by.
Feb 13 18:37:46 snort[9185]: 11 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 11 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 12 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 12 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 13 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 13 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 14 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 14 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 15 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 15 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 16 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 16 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 17 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 17 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 18 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 18 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 19 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: 19 client (Footprint) server (Footprint)
Feb 13 18:40:00 snort[13307]: additional ports configured but not printed.
Feb 13 18:40:00 snort[13307]: additional ports configured but not printed.
Feb 13 18:40:00 snort[13307]: Stream5 UDP Policy config:
Feb 13 18:40:00 snort[13307]: Stream5 UDP Policy config:
Feb 13 18:40:00 snort[13307]: Timeout: 180 seconds
Feb 13 18:40:00 snort[13307]: Timeout: 180 seconds
Feb 13 18:40:00 snort[13307]: PerfMonitor config:
Feb 13 18:40:00 snort[13307]: PerfMonitor config:
Feb 13 18:40:00 snort[13307]: Time: 300 seconds
Feb 13 18:40:00 snort[13307]: Time: 300 seconds
Feb 13 18:40:00 snort[13307]: Flow Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Flow Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Flow IP Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Flow IP Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Event Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Event Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Max Perf Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Max Perf Stats: INACTIVE
Feb 13 18:40:00 snort[13307]: Console Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: Console Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: File Mode: /var/log/snort/snort_re337603/re3.stats
Feb 13 18:40:00 snort[13307]: File Mode: /var/log/snort/snort_re337603/re3.stats
Feb 13 18:40:00 snort[13307]: SnortFile Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: SnortFile Mode: INACTIVE
Feb 13 18:40:00 snort[13307]: Packet Count: 10000
Feb 13 18:40:00 snort[13307]: Packet Count: 10000
Feb 13 18:40:00 snort[13307]: Dump Summary: No
Feb 13 18:40:00 snort[13307]: Dump Summary: No
Feb 13 18:40:00 snort[13307]: Max file size: 2147483648
Feb 13 18:40:00 snort[13307]: Max file size: 2147483648
Feb 13 18:40:00 snort[13307]: FATAL ERROR: /usr/local/etc/snort/snort_37603_re3/snort.conf(125) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/snort_37603_re3/unicode.map'.
Feb 13 18:40:00 snort[13307]: FATAL ERROR: /usr/local/etc/snort/snort_37603_re3/snort.conf(125) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/snort_37603_re3/unicode.map'.
Feb 13 18:40:00 SnortStartup[13378]: Snort START For LAN(37603_re3)… -
No 2.01 I mean 2.1 2.1-BETA1 (amd64)
built on Sat Feb 9 11:39:22 EST 2013 -
Look here
http://www.linuxquestions.org/questions/linux-security-4/snort-refuses-to-read-config-file-163252/ -
First thing to check is that you actually have some downloaded rules. That missing file is part of a rules update package. Just to be sure, do a rules update from the UPDATES tab. That should force everything to be created and copied to the correct places.
-
Thanks Triton, that link helped. It's not fixed yet but it looks like the problem is the conf file is looking for the unicode.map file and it's missing. I'll have to find it and cp it over. BTW, bmeeks, I have tried reloading the rules as well as comlete reinstall a couple times, none of this helped. snort(interface).conf is corrupt.
-
SUCCESS! THANKS TO TRITRON for putting me on the right track!!! Steps to recover from the unicode.map error
1.) make a tmp directry and fetch the latest snort there. It's currently available from: http://www.snort.org/dl/snort-current/snort-2.9.2.3.tar.gz
2.)untar the file above ie:
tar -xvf snort-2.9.2.3.tar.gz3.) locate the unicode.map file:
find / -name unicode.map4.) copy the file found above to the location the logs say it was missing from:
cp snort-2.9.2.3/etc/unicode.map /usr/local/etc/snort/snort_46603_re0/5.) restart snort from GUI and VOILA!
Thanks guys. The only bad new is now I have to redo my snort configs for my LAN and DMZ since I removed them thinking that would help. O well, maybe I could just increase the mem profile on the WAN.
-
rules are not working. even after enabling all the emerging threat rules. nothing is detected on alerts
-
Hi all !
I decided to try snort on my pfSense installation. Snort 2.9.2.3 pkg v. 2.5.4, pfSense 2.0.2 RELEASE.
It works OK, but I had to disable a lot of rules otherwise a lot of legit traffic was blocked.
I found other threads with similar problems, but I do not understand why these rules give false postives in the first place. Is it because my snort configuration is bad, or because these rules are not well definded ?Here is the list of rules that I had to disable :
# (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE suppress gen_id 120, sig_id 3 # (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED suppress gen_id 120, sig_id 6 # (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE suppress gen_id 120, sig_id 8 # (smtp) Base64 Decoding failed. suppress gen_id 124, sig_id 10 # (smtp) Quoted-Printable Decoding failed suppress gen_id 124, sig_id 11 # (smtp) 7bit/8bit/binary/text Extraction failed. suppress gen_id 124, sig_id 12 # (http_inspect) UNKNOWN METHOD suppress gen_id 119, sig_id 31 # (http_inspect) SIMPLE REQUEST suppress gen_id 119, sig_id 32 #(IMAP) Unknown IMAP4 command suppress gen_id 141, sig_id 1 #(IMAP) No memory available for decoding. Memcap exceeded suppress gen_id 141, sig_id 3 #(http_inspect) IIS UNICODE CODEPOINT ENCODING suppress gen_id 119, sig_id 7 #(smtp) Attempted response buffer overflow: 517 chars suppress gen_id 124, sig_id 3Since some of the rules seem to be related to content encoding, I did a bit of search and found out that there was a unicode.map parameter in snort.conf (but not in the GUI apparently). It is set at 1252, but the webservers on my IIS installation deliver mainly UTF8 content. Can this be a problem ?
Otherwise, I had to disable some SMTP/IMAP rules, even though I am sure that the traffic that they blocked was legit. Are the rules too restrictive ?
Thanks a lot for your comments on this.
-
I see a lot of false positives on my systems. It annoys me like hell tbh.
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#PSNG_TCP_PORTSWEEP
suppress gen_id 122, sig_id 3
#ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)
suppress gen_id 1, sig_id 2011124
#ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
suppress gen_id 1, sig_id 2002994
#PSNG_TCP_PORTSWEEP_FILTERED
suppress gen_id 122, sig_id 7
#ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
suppress gen_id 1, sig_id 2002994
#FILE-IDENTIFY download of executable content
suppress gen_id 1, sig_id 11192
#FILE-IDENTIFY Portable Executable binary file magic detected
suppress gen_id 1, sig_id 15306
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
#ET INFO Packed Executable Download
suppress gen_id 1, sig_id 2014819#FILE-IDENTIFY Portable Executable binary file magic detected
suppress gen_id 1, sig_id 15306This is my suppress list, but its not nearly as long as it should be!
(http_inspect) IIS UNICODE CODEPOINT ENCODING - 02/22-03:06:06 is triggered.
FILE-IDENTIFY download of executable content - 02/02-06:01:51
ET INFO Packed Executable Download - 02/02-06:01:51
ET POLICY PE EXE or DLL Windows file download - 02/02-06:01:51
FILE-IDENTIFY Portable Executable binary file magic detected - 02/02-06:01:51Is triggered on whitelisted SRC IP's. It blocks Windows Update among other things.
So snort is in my view not working as it should and its CORE functionality for a modern FW.
