Snort not working at all?
-
Hello,
I'm using Snort on my pfSense install (2.0.1) and it looks like it's not doing anything at all.
I can see the snort process present with "top", but it doesn't consume any CPU even under high load, and doesn't detect anything after many hours (on a WAN connection). (I tried to portscan from the WAN but it doesn't detect that either.) Here are the boot logs (in double, I don't know why):
Dec 20 11:13:35 snort[19362]: Found pid path directive (/var/run)
Dec 20 11:13:35 snort[19362]: Running in IDS mode
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: --== Initializing Snort ==--
Dec 20 11:13:35 snort[19362]: Initializing Output Plugins!
Dec 20 11:13:35 snort[19362]: Initializing Preprocessors!
Dec 20 11:13:35 snort[19362]: Initializing Plug-ins!
Dec 20 11:13:35 snort[19362]: Parsing Rules file "/usr/local/etc/snort/snort_55093_em0/snort.conf"
Dec 20 11:13:35 snort[19362]: PortVar 'DNS_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 53 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SMTP_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 25 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'MAIL_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 25 143 465 691 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'HTTP_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 80 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'ORACLE_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 1521 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'MSSQL_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 1433 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'TELNET_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 23 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SNMP_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 161 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'FTP_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 21 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SSH_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 22 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'POP2_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 109 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'POP3_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 110 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'IMAP_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 143 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SIP_PROXY_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 5060:5090 16384:32768 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SIP_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 5060:5090 16384:32768 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'AUTH_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 113 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'FINGER_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 79 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'IRC_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 6665:6669 7000 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SMB_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 139 445 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'NNTP_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 119 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'RLOGIN_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 513 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'RSH_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 514 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SSL_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 443 465 563 636 989:990 992:995 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'FILE_DATA_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 80 110 143 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SHELLCODE_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 0:79 81:65535 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'SUN_RPC_PORTS' defined :
Dec 20 11:13:35 snort[19362]: [ 111 32770:32779 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
Dec 20 11:13:35 snort[19362]: [ 139 445 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
Dec 20 11:13:35 snort[19362]: [ 138 1024:65535 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Dec 20 11:13:35 snort[19362]: [ 135 139 445 593 1024:65535 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Dec 20 11:13:35 snort[19362]: [ 135 1024:65535 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Dec 20 11:13:35 snort[19362]: [ 135 593 1024:65535 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'DCERPC_NCACN_TCP' defined :
Dec 20 11:13:35 snort[19362]: [ 2103 2105 2107 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Dec 20 11:13:35 snort[19362]: [ 6503:6504 ]
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: Detection:
Dec 20 11:13:35 snort[19362]: Search-Method = AC-Full-Q
Dec 20 11:13:35 snort[19362]: Found pid path directive (/var/run)
Dec 20 11:13:35 snort[19362]: Tagged Packet Limit: 256
Dec 20 11:13:35 snort[19362]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
Dec 20 11:13:35 snort[19362]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so...
Dec 20 11:13:35 snort[19362]: done
Dec 20 11:13:35 snort[19362]: Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
Dec 20 11:13:35 snort[19362]: Loading all dynamic detection libs from /usr/local/etc/snort/snort_55093_em0/dynamicrules...
Dec 20 11:13:35 snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicrules.
Dec 20 11:13:35 snort[19362]: Finished Loading all dynamic detection libs from /usr/local/etc/snort/snort_55093_em0/dynamicrules
Dec 20 11:13:35 snort[19362]: Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor...
Dec 20 11:13:35 snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor.
Dec 20 11:13:35 snort[19362]: Finished Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor
Dec 20 11:13:35 snort[19362]: Log directory = /var/log/snort/snort_em055093
Dec 20 11:13:35 snort[19362]: Frag3 global config:
Dec 20 11:13:35 snort[19362]: Max frags: 8192
Dec 20 11:13:35 snort[19362]: Fragment memory cap: 4194304 bytes
Dec 20 11:13:35 snort[19362]: Frag3 engine config:
Dec 20 11:13:35 snort[19362]: Bound Address: default
Dec 20 11:13:35 snort[19362]: Target-based policy: BSD
Dec 20 11:13:35 snort[19362]: Fragment timeout: 60 seconds
Dec 20 11:13:35 snort[19362]: Fragment min_ttl: 1
Dec 20 11:13:35 snort[19362]: Fragment Anomalies: Alert
Dec 20 11:13:35 snort[19362]: Overlap Limit: 0
Dec 20 11:13:35 snort[19362]: Min fragment Length: 0
Dec 20 11:13:35 snort[19362]: Stream5 global config:
Dec 20 11:13:35 snort[19362]: Track TCP sessions: ACTIVE
Dec 20 11:13:35 snort[19362]: Max TCP sessions: 262144
Dec 20 11:13:35 snort[19362]: Memcap (for reassembly packet storage): 8388608
Dec 20 11:13:35 snort[19362]: Track UDP sessions: ACTIVE
Dec 20 11:13:35 snort[19362]: Max UDP sessions: 131072
Dec 20 11:13:35 snort[19362]: Track ICMP sessions: ACTIVE
Dec 20 11:13:35 snort[19362]: Max ICMP sessions: 65536
Dec 20 11:13:35 snort[19362]: Track IP sessions: INACTIVE
Dec 20 11:13:35 snort[19362]: Log info if session memory consumption exceeds 1048576
Dec 20 11:13:35 snort[19362]: Send up to 0 active responses
Dec 20 11:13:35 snort[19362]: Protocol Aware Flushing: ACTIVE
Dec 20 11:13:35 snort[19362]: Maximum Flush Point: 16384
Dec 20 11:13:35 snort[19362]: Stream5 TCP Policy config:
Dec 20 11:13:35 snort[19362]: Bound Address: default
Dec 20 11:13:35 snort[19362]: Reassembly Policy: BSD
Dec 20 11:13:35 snort[19362]: Timeout: 30 seconds
Dec 20 11:13:35 snort[19362]: Maximum number of bytes to queue per session: 1048576
Dec 20 11:13:35 snort[19362]: Maximum number of segs to queue per session: 2621
Dec 20 11:13:35 snort[19362]: Reassembly Ports:
Dec 20 11:13:35 snort[19362]: 0 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 1 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 2 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 3 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 4 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 5 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 6 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 7 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 8 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 9 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 10 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 11 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 12 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 13 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 14 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 15 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 16 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 17 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 18 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: 19 client (Footprint) server (Footprint)
Dec 20 11:13:35 snort[19362]: additional ports configured but not printed.
Dec 20 11:13:35 snort[19362]: Stream5 UDP Policy config:
Dec 20 11:13:35 snort[19362]: Timeout: 30 seconds
Dec 20 11:13:35 snort[19362]: Stream5 ICMP Policy config:
Dec 20 11:13:35 snort[19362]: Timeout: 30 seconds
Dec 20 11:13:35 snort[19362]:
Dec 20 11:13:35 snort[19362]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Dec 20 11:13:35 snort[19362]: Initializing rule chains...
Dec 20 11:13:36 snort[19362]: 405 Snort rules read
Dec 20 11:13:36 snort[19362]: 0 detection rules
Dec 20 11:13:36 snort[19362]: 142 decoder rules
Dec 20 11:13:36 snort[19362]: 263 preprocessor rules
Dec 20 11:13:36 snort[19362]: 405 Option Chains linked into 1 Chain Headers
Dec 20 11:13:36 snort[19362]: 0 Dynamic rules
Dec 20 11:13:36 snort[19362]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Dec 20 11:13:36 snort[19362]:
Dec 20 11:13:36 snort[19362]: +-------------------[Rule Port Counts]---------------------------------------
Dec 20 11:13:36 snort[19362]: | tcp udp icmp ip
Dec 20 11:13:36 snort[19362]: | src 0 0 0 0
Dec 20 11:13:36 snort[19362]: | dst 0 0 0 0
Dec 20 11:13:36 snort[19362]: | any 405 0 0 0
Dec 20 11:13:36 snort[19362]: | nc 405 0 0 0
Dec 20 11:13:36 snort[19362]: | s+d 0 0 0 0
Dec 20 11:13:36 snort[19362]: +----------------------------------------------------------------------------
Dec 20 11:13:36 snort[19362]:
Dec 20 11:13:36 snort[19362]: +-----------------------[detection-filter-config]------------------------------
Dec 20 11:13:36 snort[19362]: | memory-cap : 1048576 bytes
Dec 20 11:13:36 snort[19362]: +-----------------------[detection-filter-rules]-------------------------------
Dec 20 11:13:36 snort[19362]: | none
Dec 20 11:13:36 snort[19362]: -------------------------------------------------------------------------------
Dec 20 11:13:36 snort[19362]:
Dec 20 11:13:36 snort[19362]: +-----------------------[rate-filter-config]-----------------------------------
Dec 20 11:13:36 snort[19362]: | memory-cap : 1048576 bytes
Dec 20 11:13:36 snort[19362]: +-----------------------[rate-filter-rules]------------------------------------
Dec 20 11:13:36 snort[19362]: | none
Dec 20 11:13:36 snort[19362]: -------------------------------------------------------------------------------
Dec 20 11:13:36 snort[19362]:
Dec 20 11:13:36 snort[19362]: +-----------------------[event-filter-config]----------------------------------
Dec 20 11:13:36 snort[19362]: | memory-cap : 1048576 bytes
Dec 20 11:13:36 snort[19362]: +-----------------------[event-filter-global]----------------------------------
Dec 20 11:13:36 snort[19362]: +-----------------------[event-filter-local]-----------------------------------
Dec 20 11:13:36 snort[19362]: | none
Dec 20 11:13:36 snort[19362]: +-----------------------[suppression]------------------------------------------
Dec 20 11:13:36 snort[19362]: | none
Dec 20 11:13:36 snort[19362]: -------------------------------------------------------------------------------
Dec 20 11:13:36 snort[19362]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Dec 20 11:13:36 snort[19362]: Verifying Preprocessor Configurations!
Dec 20 11:13:36 snort[19362]: IP tracking disabled, no IP sessions allocated
Dec 20 11:13:36 snort[19362]:
Dec 20 11:13:36 snort[19362]: [ Port Based Pattern Matching Memory ]
Dec 20 11:13:36 snort[19362]: pcap DAQ configured to passive.
Dec 20 11:13:36 snort[19362]: The DAQ version does not support reload.
Dec 20 11:13:36 snort[19362]: Acquiring network traffic from "em0".
Dec 20 11:13:36 snort[19362]: Initializing daemon mode
Dec 20 11:13:36 snort[19668]: Daemon initialized, signaled parent pid: 19362
Dec 20 11:13:36 snort[19668]: Reload thread starting...
Dec 20 11:13:36 snort[19668]: Reload thread started, thread 0x28c98140 (19668)
Dec 20 11:13:36 snort[19668]: Decoding Ethernet
Dec 20 11:13:36 snort[19668]: Checking PID path...
Dec 20 11:13:36 snort[19668]: PID path stat checked out ok, PID path set to /var/run
Dec 20 11:13:36 snort[19668]: Writing PID "19668" to file "/var/run/snort_em055093.pid"
Dec 20 11:13:36 snort[19668]:
Dec 20 11:13:36 snort[19668]: --== Initialization Complete ==--
Dec 20 11:13:36 snort[19668]: Commencing packet processing (pid=19668)
Dec 20 10:13:37 php: /snort/snort_interfaces.php: Interface Rule START for Snort on WAN(em0)...
Do you have any idea how to fix this?
Thank you.
Best regards
-
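The startup log above reports 405 rules read but 0 detection rules, so only decoder and preprocessor rules are loaded. As an added example (not code from the thread or from the pfSense Snort package), this Python script parses a syslog-style Snort startup log, collapses the doubled lines, and reports why a running instance stays silent; SAMPLE_LOG is a constructed excerpt of the posted log and the finding codes are my own names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt of the pfSense system log from the post above,
# with one line left doubled the way pfSense 2.0.x wrote every line.
SAMPLE_LOG = """\
Dec 20 11:13:35 snort[19362]: Running in IDS mode
Dec 20 11:13:35 snort[19362]: Running in IDS mode
Dec 20 11:13:35 snort[19362]: Parsing Rules file "/usr/local/etc/snort/snort_55093_em0/snort.conf"
Dec 20 11:13:35 snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicrules.
Dec 20 11:13:35 snort[19362]: WARNING: No dynamic libraries found in directory /usr/local/etc/snort/snort_55093_em0/dynamicpreprocessor.
Dec 20 11:13:36 snort[19362]: 405 Snort rules read
Dec 20 11:13:36 snort[19362]: 0 detection rules
Dec 20 11:13:36 snort[19362]: 142 decoder rules
Dec 20 11:13:36 snort[19362]: 263 preprocessor rules
Dec 20 11:13:36 snort[19362]: 0 Dynamic rules
Dec 20 11:13:36 snort[19362]: pcap DAQ configured to passive.
Dec 20 11:13:36 snort[19362]: Acquiring network traffic from "em0".
Dec 20 11:13:36 snort[19668]: Commencing packet processing (pid=19668)
"""

# "Mon DD HH:MM:SS snort[pid]: message", as syslog on pfSense writes it.
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d snort\[(\d+)\]: ?(.*)$")
COUNT_RE = re.compile(r"^(\d+) (Snort rules read|detection rules|decoder rules|"
                      r"preprocessor rules|Dynamic rules)$")
IFACE_RE = re.compile(r'^Acquiring network traffic from "([^"]+)"\.$')
DAQ_RE = re.compile(r"^(\w+) DAQ configured to (\w+)\.$")


@dataclass
class StartupReport:
    raw_lines: int = 0
    unique_lines: int = 0
    counts: Dict[str, int] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)
    interface: Optional[str] = None
    daq: Optional[Tuple[str, str]] = None   # (module, mode), e.g. ("pcap", "passive")
    processing_started: bool = False


def parse_startup_log(text: str) -> StartupReport:
    """Walk the snort[] lines of a startup log, drop consecutive verbatim
    duplicates, and collect the facts that decide whether it can alert."""
    rep = StartupReport()
    previous = None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                      # php: lines and other daemons
        rep.raw_lines += 1
        if line == previous:              # the doubled-line artefact
            continue
        previous = line
        rep.unique_lines += 1
        msg = m.group(2).strip()
        if msg.startswith("WARNING:"):
            rep.warnings.append(msg)
        elif (c := COUNT_RE.match(msg)):
            rep.counts[c.group(2)] = int(c.group(1))
        elif (i := IFACE_RE.match(msg)):
            rep.interface = i.group(1)
        elif (d := DAQ_RE.match(msg)):
            rep.daq = (d.group(1), d.group(2))
        elif msg.startswith("Commencing packet processing"):
            rep.processing_started = True
    return rep


def findings(rep: StartupReport) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs; codes are this example's own names."""
    out = []
    total = rep.counts.get("Snort rules read")
    if total is not None and not rep.counts.get("detection rules"):
        out.append(("NO_DETECTION_RULES",
                    f"{total} rules read but 0 are detection rules: only decoder and "
                    "preprocessor rules are active, so no signature can alert. Check "
                    "the rule download and the categories enabled on this interface."))
    if rep.counts.get("Dynamic rules") == 0 and any("dynamicrules" in w for w in rep.warnings):
        out.append(("NO_SO_RULES", "no shared-object rules loaded (dynamicrules directory empty)."))
    if rep.daq and rep.daq[1] == "passive":
        out.append(("PASSIVE_DAQ", f"{rep.daq[0]} DAQ is passive: the instance can alert but never block."))
    if not rep.processing_started:
        out.append(("NOT_PROCESSING", "never reached 'Commencing packet processing'."))
    elif rep.interface:
        out.append(("LISTENING", f"packet processing started on {rep.interface}."))
    return out


if __name__ == "__main__":
    for code, text in findings(parse_startup_log(SAMPLE_LOG)):
        print(f"{code:19} {text}")
```

On a pfSense box the same function can be fed the Snort portion of /var/log/system.log instead of the constructed sample.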
I have pfSense 2.02 and my Snort is not working either… I tried a pentest tool and Snort is not logging anything even though it is up and running...
Can anyone help please? I've spent hours on this problem...
Thanks
-
I used this to get mine working yesterday.
http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense?start=2
Note: you'll want to create a new suppress file and add this to it.
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
-
I'm missing the ruleset: Snort. I have Emerging Threats running….
How do I get the Snort rules??
-
I'm missing the ruleset: Snort. I have Emerging Threats running….
How do I get the Snort rules??
That happened to me the first time as well.
I unchecked the ET rules box, then tried the update again. It worked the second time without ET.
Make sure you have your Oinkcode in.
-
Doesn't do it here :(
Oinkcode is in….
-
I can't for the world get it to use the Snort rules!
Even if I manually copy the rules to the rules folder and reboot….
It ONLY uses the Emerging rules or NOTHING at all, despite the rules being in the right folder.
I am going crazy about this shit....!!!!!!!!!!!
-
Reinstalled Snort and began again.
Now it could download the rules and everything is fine.
It's very sensitive to things….. :D