SNORT is driving me crazy…...!!


  • Quoting the Stig….

    Some say it's running, some say it's not.... but all we know is that I don't have any hair left because of SNORT!





  • Cannot use ANY of the .so rules due to undefined symbol...



  • Jan 3 17:20:29 snort[40746]: FATAL ERROR: /usr/local/etc/snort/snort_25199_em0/rules/snort_malware-other.rules(9) Unknown rule option: 'dce_iface'.
    Jan 3 17:20:29 snort[40746]: FATAL ERROR: /usr/local/etc/snort/snort_25199_em0/rules/snort_malware-other.rules(9) Unknown rule option: 'dce_iface'.
    Jan 3 17:20:26 snort[40746]: WARNING: /usr/local/etc/snort/snort_25199_em0/rules/emerging-attack_response.rules(386) threshold (in rule) is deprecated; use detection_filter instead.
    Jan 3 17:20:26 snort[40746]: WARNING: /usr/local/etc/snort/snort_25199_em0/rule



  • Part of your Snort installation definitely seems out of whack.  I am running the same rules without a problem that you are posting an error from in your logs.  I am running on Snort 2.0.2 (32-bit) code.  Are you running 32-bit or 64-bit?  Is it possible that during an upgrade you wound up with some weird combination of 32-bit and 64-bit Snort pieces?

    My suggestion at this point would be to totally and completely remove Snort (and un-check the option to save settings on un-install).  Then reboot the firewall and start over with Snort package installation.  See how that goes.  Also, others have posted in the past (look back in the early Summer 2012 threads) about how difficult it can be to truly remove all the parts and pieces so a fresh install can happen.  There were some posted steps back in the May-July 2012 timeframe that may prove helpful.


  • 32 bit…and a clean install!



  • In GUI don't use malware-cnc, malware-other, malware-pup etc, although the blacklist rules and CNC rules are fine in pfsense for the VRT rules, as I think they have introduced rule options which do not have the preprocessor configuring correctly, although I have not looked into it in much depth. To make sure you are covered however, use emergingthreats rules, especially emerging-malware, emerging-trojan, emerging-worm and emerging-current_events.

    You can also use emerging-botcc, emerging-rbn etc although using pfblocking lists with the following IP lists blocking inbound and outbound traffic will accomplish this much better and you won't need to waste cycles for snort just to check IPs.

    Has shadowserver botnet cncs, Russian business network, dshield etc.

    http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

    Compromised hosts potentially being used for bad stuff

    http://rules.emergingthreats.net/blockrules/compromised-ips.txt

    And other useful ones for pfblocker:
    http://www.ciarmy.com/list/ci-badguys.txt
    https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
    https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
    http://malc0de.com/bl/IP_Blacklist.txt

    There are others but this should have you well covered, and if you use pfblocker on dashboard you can see hits for the IP.

    Always have the firewall and pfblocker on dashboard so you can see blocked hits, and also if any of them are hitting for legitimate sites. But keep an eye on connections from machines in case of infection, as if a connection can't establish to a CnC, snort rules that may exist won't highlight it; but obviously it is best to cut off all communication with the bad guys.

    Hope that helps.
    Kind Regards,
    Kevin



  • Oh and in pfblocker you will be much better protected against malware and malicious activity if you use country blocking. Depending on where you are, block countries you don't expect to see traffic from; especially areas where there may be cybercrime. For instance for me it was safe to block South America, most of Eastern Europe, Russia, China and most of Asia as well as Africa and other countries (pretty much everything actually not Western Europe, Canada and US with no issue).

    There can be a few sites and things you may do which need higher access, but at home I can just add my PC into a higher rule or allow access to particular IPs in firewall as needed (keeping in mind when pfblocker updates it goes above any other rules).


  • Thx mate!! Very appreciated :)



  • This is a really great list of bad stuff IPs. Perhaps you could talk to the maintainer of PFblocker to have these lists added.
    Thanks Kevross33!


  • It's Marcello and Tommyboy180 in here!



  • snort[44549]: FATAL ERROR: /usr/local/etc/snort/snort_25199_em0/rules/custom.rules(2) Duplicate rule with same gid (1) and no sid. To avoid this, make sure all of your rules define an sid.

    The problem is that I don't have any custom rules at all!!

    I am going out of my fucking mind here…..I need a guy to monitor this one FW all day....to make sure it's running and working. I upgraded the memory in the VM to 4GB and it all went berserk.....

    I am so fucking fed up with this shit that I just want to go back to my TMG and just use this as a frontend with port forwards...

    It doesn't seem to be up for the job at the moment. "¤%&%¤#¤%&#¤%&!!!!!!!!!!



  • Snort does not work here as well.  ::)  :(






  • Never seen this or even a custom.rules. Are you using the main snort in the package list or the development version? Also have a look at your rule options in the GUI and see if a custom.rules exists and if it does untick it. Another thing is to make sure in the pre-processor tab you have everything enabled aside from performance and portscan one due to false positives (The sensitive data may not interest you either unless you are protecting databases of credit card numbers although I think you can do more with it).

    You don't want to go back to TMG as unfortunately it is a dead product (as in you can't buy it apparently after the start of December 2012, although I haven't tried to).  :'( Makes a decent reverse proxy though if you have other firewalls in the way. If you are looking at having pfsense as a reverse proxy, consider using pfblocker to block inbound traffic from countries you do not think would likely access your published servers; you could also set it to create the alias only and then make your own firewall rules to say, for instance, block all traffic from Eastern Europe to these servers (in another alias) and so on.

    Also try the apache & modsecurity package to get a web application firewall although I have not used it (typically when I have used modsecurity it has gone on the server with various rules to protect against web application attacks) but you might want to give it a try.

    Oh and a few more IP lists I use on mine; there likely will be some IPs or ranges duplicated between them but they are good to use:
    http://www.malwaredomainlist.com/hostslist/ip.txt

    Spyware

    http://list.iblocklist.com/?list=bt_spyware&fileformat=cidr&archiveformat=gz

    @Supermule:

    snort[44549]: FATAL ERROR: /usr/local/etc/snort/snort_25199_em0/rules/custom.rules(2) Duplicate rule with same gid (1) and no sid. To avoid this, make sure all of your rules define an sid.

    The problem is that I don't have any custom rules at all!!

    I am going out of my fucking mind here…..I need a guy to monitor this one FW all day....to make sure it's running and working. I upgraded the memory in the VM to 4GB and it all went berserk.....

    I am so fucking fed up with this shit that I just want to go back to my TMG and just use this as a frontend with port forwards...

    It doesn't seem to be up for the job at the moment. "¤%&%¤#¤%&#¤%&!!!!!!!!!!
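    The "Duplicate rule with same gid (1) and no sid" error quoted above is what Snort prints when a rules file it loads contains more than one active rule without a sid option. As an added example (not code from the thread or the pfSense Snort package), a small sh/awk check that reports sid-less and reused sids per line before Snort aborts; the custom.rules it scans is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense Snort package.
# Snort aborts with "Duplicate rule with same gid (1) and no sid" when more
# than one active rule in a file carries no sid option. check_rule_sids FILE
# prints one finding per offending line and returns 1 if anything was found,
# so it can gate a rules reload. Reused sids are reported as well; they make
# alerts from the two rules indistinguishable.
check_rule_sids() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        # Active rules begin with an action keyword.
        /^[ \t]*(alert|log|pass|drop|reject|sdrop|activate|dynamic)[ \t]/ {
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
                if (sid in seen) {
                    printf "%s(%d) duplicate sid %s (first seen on line %d)\n", FILENAME, NR, sid, seen[sid]
                    bad = 1
                } else {
                    seen[sid] = NR
                }
            } else {
                printf "%s(%d) rule has no sid\n", FILENAME, NR
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample rules file: one good rule, one without a sid, one
# reusing a sid. Real pfSense rules live under /usr/local/etc/snort/.
RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
# constructed custom.rules
alert tcp any any -> $HOME_NET 445 (msg:"ok rule"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 139 (msg:"no sid here"; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"reused sid"; sid:1000001; rev:1;)
EOF

check_rule_sids "$RULES_FILE" || echo "Snort would refuse to start on this file"
```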



  • Oh and can you run the following commands and put the output in a post please?

    Run this, and when it errors and stops, paste in the last few lines that show the reason:

    snort -i YOUR_INTERFACE -c /usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf -A console

    To show the snort version.

    snort -V

    Also can you attach the snort.conf file that will be autogenerated and go here (there shouldn't be anything too specific to your environment I don't think, but before you upload it search for var $HOME_NET and change everything to say OMITTED so we know they have been removed instead of the list of IPs, and also do the same for any other IPs you may have entered for these variables in the variables tab in the GUI):

    /usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf

    Thanks,
    Kevin
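    The redaction step asked for above, done mechanically so nothing is missed: an added example (not code from the thread or the pfSense package) that rewrites every ipvar/var definition in a snort.conf whose value contains an IPv4 address to OMITTED, while leaving variable references such as !$HOME_NET and path variables untouched. The variable section it runs on is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense Snort package.
# Before posting a pfSense-generated snort.conf for troubleshooting, blank the
# site-specific address lists. redact_snort_vars FILE rewrites every
# "ipvar NAME ..." or "var NAME ..." definition whose value contains an IPv4
# address or CIDR block to "NAME OMITTED". Values that only reference other
# variables (ipvar EXTERNAL_NET !$HOME_NET) or paths carry no site detail and
# are left alone; lines other than variable definitions are never touched, so
# still read the output before uploading it.
redact_snort_vars() {
    sed -E 's/^((ipvar|var)[[:space:]]+[A-Z0-9_]+[[:space:]]+).*([0-9]{1,3}\.){3}[0-9]{1,3}.*$/\1OMITTED/' "$1"
}

# Number of definitions that were rewritten, to confirm the redaction ran.
count_redacted() {
    redact_snort_vars "$1" | grep -c 'OMITTED$'
}

# Constructed sample of the variable section pfSense writes into snort.conf.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ipvar HOME_NET [192.168.1.0/24,10.0.0.5,172.16.0.0/12]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS [192.168.1.1,8.8.8.8]
ipvar SMTP_SERVERS $HOME_NET
var RULE_PATH /usr/local/etc/snort/snort_25199_em0/rules
portvar HTTP_PORTS [80,8080]
EOF

redact_snort_vars "$SAMPLE_CONF"
echo "redacted $(count_redacted "$SAMPLE_CONF") definition(s)"
```

    Redirect the function's output to a new file and post that one; the original stays as Snort needs it.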


  • Will do when it crashes!! Thx :)


  • Jan 4 21:54:39 snort[14092]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter: No such file or directory
    Jan 4 21:54:39 snort[14092]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter: No such file or directory

    Upgraded the VM from 2GB to 4GB memory and did nothing else….


  • Went back to 2GB on the same VM and Snort works no issues…..

    This is driving me crazy! I firmly believe that it's time to go back to basics regarding Pfsense.

    It's like it's over their head in this.....one little mod, and it breaks 10 other things.... :(



  • Hmm maybe something to do with not being able to use that much RAM if it is 32 bit or some other weirdness. Did you install snort before or after you upgraded RAM? Also did you install pfsense before or after you upgraded RAM too?

    I am not sure what the issue is because it doesn't sound like a config issue. If this is production - especially if you are publishing important servers - you are best keeping things as simple as possible on the box so there is less to go wrong, and then if need be split out your intrusion detection with Snort or Suricata onto another box with a mirrored port. Sure you won't block unless you put it inline, but you can log all you want and if you have disk space do a full packet capture for as much disk space as you have. Keeping snort separate will allow better control, better performance and also allow you to extract more information.

    @Supermule:

    Went back to 2GB on the same VM and Snort works no issues…..

    This is driving me crazy! I firmly believe that it's time to go back to basics regarding Pfsense.

    It's like it's over their head in this.....one little mod, and it breaks 10 other things.... :(


  • It's the first one out of 6 FW that I have converted to 2.0.2 from 1.2.3. It's a fresh install in a VM and yes, I just upgraded the memory and rebooted. Snort was installed before.

    I may have to try a fresh install with 4GB memory and a 32bit machine.


  • After the table increase, then I upped memory to 4GB and rebooted.

    IT WORKS!! No issues at all and even snort started without complaints :D

    Thx mate! Really appreciated!

