Netgate Discussion Forum
    SNORT is driving me crazy…...!!

Category: pfSense Packages
21 Posts, 5 Posters, 8.6k Views

Supermule:

snort[44549]: FATAL ERROR: /usr/local/etc/snort/snort_25199_em0/rules/custom.rules(2) Duplicate rule with same gid (1) and no sid. To avoid this, make sure all of your rules define an sid.

The problem is that I don't have any custom rules at all!!

I am going out of my fucking mind here. I need a guy to monitor this one FW all day to make sure it's running and working. I upgraded the memory in the VM to 4GB and it all went berserk.

I am so fucking fed up with this shit that I just want to go back to my TMG and just use this as a frontend with port forwards.

It doesn't seem to be up for the job at the moment. ¤%&%¤#¤%&#¤%&!!!!!!!!!!

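The fatal error quoted in the post above is Snort refusing to load a rules file in which a rule defines no sid, so sid-less rules collide on gid 1. The following checker is added here as an example; it is not part of the pfSense Snort package and was not posted by anyone in this thread. It reports both conditions Snort complains about (a rule without a sid, and a gid:sid pair used by more than one rule) so a rules file can be checked before Snort is restarted; point it at the custom.rules path from the error message. The rules embedded in it are a constructed sample.

```python
"""Static check for a Snort rules file, written as an added example for this
thread (it is not part of the pfSense Snort package).  It reports the two
conditions behind the fatal error quoted above: a rule with no sid, and a
(gid, sid) pair used by more than one rule.  Snort assigns gid 1 when a rule
does not set one, so the checker does the same."""
import re

# Options live inside the rule's parentheses; quoted strings are blanked out
# first so a msg such as "DNS; sid:" cannot confuse the option search.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
SID_OPT = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*(?:;|$)')
GID_OPT = re.compile(r'(?:^|;)\s*gid\s*:\s*(\d+)\s*(?:;|$)')


def join_continuations(text):
    """Yield (first_line_number, logical_line), joining backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith('\\'):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, ''.join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, ''.join(buf)


def parse_rule(line):
    """Return (gid, sid) for one rule (sid is None when absent); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    start, end = line.find('('), line.rfind(')')
    if start == -1 or end < start:
        raise ValueError('no option block: %s' % line)
    opts = QUOTED.sub('""', line[start + 1:end])
    gid = GID_OPT.search(opts)
    sid = SID_OPT.search(opts)
    return (int(gid.group(1)) if gid else 1,
            int(sid.group(1)) if sid else None)


def check_rules(text):
    """Return a list of (line_number, problem) for every rule Snort would reject."""
    errors, seen = [], {}
    for n, line in join_continuations(text):
        try:
            parsed = parse_rule(line)
        except ValueError as exc:
            errors.append((n, str(exc)))
            continue
        if parsed is None:
            continue
        gid, sid = parsed
        if sid is None:
            errors.append((n, 'gid %d rule defines no sid' % gid))
        elif (gid, sid) in seen:
            errors.append((n, 'duplicate gid:sid %d:%d, first seen at line %d'
                           % (gid, sid, seen[(gid, sid)])))
        else:
            seen[(gid, sid)] = n
    return errors


# Constructed sample custom.rules: line 3 lacks a sid, line 4 reuses sid 1000001.
SAMPLE_RULES = """\
# constructed sample, not a real pfSense custom.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; flags:S; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"no sid here"; content:"evil"; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS; odd"; \\
    content:"|00 00 fc|"; sid:1000001; rev:2;)
alert tcp any any -> any 443 (msg:"fine"; gid:1; sid:1000002; rev:1;)
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, problem in check_rules(text):
        print('line %d: %s' % (lineno, problem))
```

Run it as `python check_rules.py /usr/local/etc/snort/snort_25199_em0/rules/custom.rules`; with no argument it checks the embedded sample. Note that the checker is stricter than Snort's own error: it flags every rule without a sid rather than only the second one that collides.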
johnnybe:

Snort does not work here either. ::) :(

[attachments: snort_yes.png, snort_no.png]

        you would not believe the view up here

kevross33:

Never seen this, or even a custom.rules. Are you using the main Snort in the package list or the development version? Also have a look at your rule options in the GUI and see if a custom.rules exists; if it does, untick it. Another thing is to make sure in the pre-processor tab you have everything enabled aside from the performance and portscan ones, due to false positives (the sensitive data one may not interest you either unless you are protecting databases of credit card numbers, although I think you can do more with it).

You don't want to go back to TMG, as unfortunately it is a dead product (as in you can't buy it, apparently, after the start of December 2012, although I haven't tried to). :'( It makes a decent reverse proxy though if you have other firewalls in the way. If you are looking at having pfSense as a reverse proxy, consider using pfBlocker to block inbound traffic from countries you do not think would likely access your published servers; you could also set it to create the alias only and then make your own firewall rules to say, for instance, block all traffic from Eastern Europe to these servers (in another alias) and so on.

Also try the apache & modsecurity package to get a web application firewall. I have not used it (typically when I have used modsecurity it has gone on the server with various rules to protect against web application attacks), but you might want to give it a try.

          Oh and a few more IP lists I use on mine; there likely will be some IPs or ranges duplicated between them but they are good to use:
          http://www.malwaredomainlist.com/hostslist/ip.txt

          Spyware

          http://list.iblocklist.com/?list=bt_spyware&fileformat=cidr&archiveformat=gz


kevross33:

Oh, and can you run the following commands and put the output in a post, please?

Run this and, when it errors and stops, paste in the last few lines that show the reason:

snort -i YOUR_INTERFACE -c /usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf -A console

To show the Snort version:

snort -V

Also, can you attach the snort.conf file that is autogenerated and goes here (there shouldn't be anything too specific to your environment, I don't think, but before you upload it search for var $HOME_NET and change everything to say OMITTED so we know they have been removed instead of the list of IPs, and do the same for any other IPs you may have entered for these variables in the Variables tab in the GUI):

/usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf

            Thanks,
            Kevin

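Rather than editing snort.conf by hand before attaching it, the redaction step described above can be scripted. The script below is an added example, not a pfSense tool and not something posted in this thread: it rewrites every var/ipvar line that names HOME_NET or EXTERNAL_NET, or whose value holds an IP literal, to OMITTED, and leaves rule paths, port variables and preprocessor lines alone so the config stays useful for troubleshooting. The config fragment in it is constructed; the variable names are the usual Snort ones and the rule path is the one from the error message earlier in the thread.

```python
"""Redact the address variables from a generated snort.conf before posting it,
written as an added example for this thread (not a pfSense tool).  It rewrites
every var/ipvar line that names HOME_NET or EXTERNAL_NET, or whose value
contains an IPv4/IPv6 literal, to the placeholder OMITTED, and leaves paths,
port variables and preprocessor lines untouched.  The input below is a
constructed fragment, not a real snort.conf."""
import re

VAR_LINE = re.compile(r'^(\s*(?:var|ipvar)\s+(\S+)\s+)(.*)$')
IPV4 = r'\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b'
IPV6 = r'(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:/\d{1,3})?'
IP_LITERAL = re.compile('%s|%s' % (IPV4, IPV6))
ALWAYS_REDACT = frozenset(['HOME_NET', 'EXTERNAL_NET'])


def redact_conf(text, always=ALWAYS_REDACT, placeholder='OMITTED'):
    """Return (redacted_text, names_of_redacted_variables)."""
    out, redacted = [], []
    for line in text.splitlines():
        m = VAR_LINE.match(line)
        if m and (m.group(2) in always or IP_LITERAL.search(m.group(3))):
            out.append(m.group(1) + placeholder)   # keep 'var NAME ', drop the value
            redacted.append(m.group(2))
        else:
            out.append(line)
    return '\n'.join(out) + '\n', redacted


# Constructed fragment; pfSense generates the real snort.conf per interface.
SAMPLE_CONF = """\
# constructed snort.conf fragment
var HOME_NET [192.0.2.0/24,198.51.100.10]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.0.2.53]
var SMTP_SERVERS $HOME_NET
ipvar AIM_SERVERS [203.0.113.0/24,2001:db8::/32]
var RULE_PATH /usr/local/etc/snort/snort_25199_em0/rules
portvar HTTP_PORTS [80,8080]
preprocessor frag3_global: max_frags 65536
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    clean, names = redact_conf(text)
    sys.stdout.write(clean)
    sys.stderr.write('redacted: %s\n' % ', '.join(names))
```

Usage: `python redact_conf.py /usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf > snort.conf.redacted`. The list of redacted variable names goes to stderr so it can be pasted alongside the attachment, which tells the reader exactly what was removed. Lines such as `var SMTP_SERVERS $HOME_NET` that only reference another variable are left as they are, since they leak nothing once HOME_NET itself is redacted.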
Supermule:

              Will do when it crashes!! Thx :)

Supermule:

                Jan 4 21:54:39 snort[14092]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter: No such file or directory
                Jan 4 21:54:39 snort[14092]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter: No such file or directory

Upgraded the VM from 2GB to 4GB memory and did nothing else.

Supermule:

Went back to 2GB on the same VM and Snort works, no issues.

This is driving me crazy! I firmly believe that it's time to go back to basics regarding pfSense.

It's like it's over their heads in this: one little mod, and it breaks 10 other things. :(

kevross33:

Hmm, maybe something to do with not being able to use that much RAM if it is 32-bit, or some other weirdness. Did you install Snort before or after you upgraded the RAM? Also, did you install pfSense before or after you upgraded the RAM too?

I am not sure what the issue is, because it doesn't sound like a config issue. If this is production, especially if you are publishing important servers, you are best keeping things as simple as possible on the box so there is less to go wrong, and then if need be split out your intrusion detection with Snort or Suricata onto another box with a mirrored port. Sure, you won't block unless you put it inline, but you can log all you want and, if you have disk space, do a full packet capture for as much disk space as you have. Keeping Snort separate will allow better control, better performance and also allow you to extract more information.


Supermule:

It's the first one out of 6 FWs that I have converted to 2.0.2 from 1.2.3. It's a fresh install in a VM and yes, I just upgraded the memory and rebooted. Snort was installed before.

I may have to try a fresh install with 4GB memory and a 32-bit machine.

Supermule:

After the table increase, I then upped the memory to 4GB and rebooted.

IT WORKS!! No issues at all, and even Snort started without complaints. :D

Thx mate! Really appreciated!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.