Netgate Discussion Forum

    Snort and Interface Enable/Disable

pfSense Packages
    60 Posts 8 Posters 20.2k Views
derim422

Hi-

I'm looking at Snort, and it's acting a bit funky. If I restart the service manually, it says that the service is started and the log shows that it is inspecting packets correctly for my interfaces, but the interfaces show Snort as disabled and Barnyard2 enabled. It looks as if somehow the Snort Services page is reporting the wrong status for the interface?

See attached images if you're curious what I'm seeing.

EDIT: Forgot something important. Running pfSense 2.0.1-RELEASE (i386), Snort 2.9.2.3 pkg v. 2.5.2

EDIT2: And somehow it starts out looking as if it is enabled, and then turns off. I'm not sure what is turning it off though, as nothing is showing up in the log! Ideas?

Attachments: PackagePage.jpg, ServicesPage.jpg
derim422

Let's talk about something even WEIRDER. Restarting Snort seems to also be resetting the active rules. I turn off iTunes user agent blocking (for example) and then the next day I come in and find that the rule is back on! Anyone else seen this sort of thing?
Supermule

Yes... when I turn off a rule and the rules get updated, then it's back on and blocking... That way you can shut yourself out if you're unlucky.

It doesn't respect that you disabled the rule...
derim422

This seems like a real mixed thing, as it means you need to run some sort of script to update the rules back to your desired preferences after every rules update. I wonder how PulledPork deals with this.

It seems like a diff or just respecting your rules choices would be a better choice. If you lock yourself out of the box, that seems like it would require other ways to fix. Except that, as you mentioned in your post, the whitelists aren't being respected…
Supermule

Exactly :) So in a corporate environment, it has issues that need urgent attention if colocated or remote sites use Snort as well.
derim422

Supermule - got it in one. We can't use it here at our office for just this reason, right now. The integration just isn't there.

At least we can use it on the WAN side of things to block stuff from the outside. It seems a bit backward to need a separate Snort box to get stuff done.
derim422

Do you know who is developing Snort as a package?
Supermule

No, unfortunately not.
derim422

Well, thanks for the info and the assistance. Amazing speed on that speedtest.net report.
Supermule

It rocks to have a nice internet throughput :)

When I come to think of it, I think it's Ermal who integrates Snort in pfSense!
derim422

I noticed that in the other thread! Looks like he's been quite active recently. This sort of thing really makes me want to get more involved in the developer side of things though.
Supermule

I wish I had the competence in FreeBSD to help out... but I haven't :(
derim422

Supermule - not sure if this helps, but if you really want things running, some people have done some interesting stuff:

http://www.bellera.cat/josep/snort2pfsense/
Supermule

Thx :)
tj.krause

Supermule,

From looking at your screenshots, Snort IS running on the selected interface and Barnyard2 is NOT running. You can tell by the X and the checkmark that appear on these services. It shows the state of the service if you click the indicator, not its running state.

As for rules enabling themselves or Snort shutting down, I have found this to occur if you are changing settings on an interface Snort is listening on. However, we run Snort in production without any issue whatsoever. It's helped us find malware and protected us from many different attacks. Just be sure you suppress some of the warnings if you use HTTP inspect, and watch the alerts before turning on block. But as far as the package being broken, I have not found this to be true.
derim422

TJ-

I'd love to know how you got it running or your versions for everything, because I'm running with Barnyard2 active and my rulesets for the interfaces are constantly resetting. In addition, I mentioned in this thread about the icons. Even though Snort IS running and is generating alerts, the icon for the interface is showing as a red 'X'. This isn't making any sense.

The big issue is the Emerging Threats Policy rules that keep resetting, which would block Pandora, iTunes, and other non-risky programs. I'm currently using Snort on my WAN and it is blocking IPs and traffic generated from rule matches for non-whitelisted traffic, but I've now had the Emerging Threats rules reset on me twice.

-Josh
bmeeks

I am not the Snort package maintainer, but I have been working the last month on some fixes/updates for the Snort package and plan to post them soon for others to test in non-production setups. Here are some of the things I currently have working:

• Auto-flowbit rule resolution like PulledPork implements. This automatically scans your enabled rules and turns on any non-active rules that are required to satisfy flowbit dependencies in your selected rules. If you don't want alerts from any of the auto-flowbit rules, you just add their SID to the Suppression List.

• I fixed a bug in the http_inspect code that sets up the snort.conf file. This code was not properly reading and setting some values. Also in http_inspect, I've added some new settings that are part of the current Snort binary but were not available back when the original Snort package was created on pfSense. In my updates, you can individually select inspect depths for "server" and "client". Finally, I added a configurable "no_alerts" parameter that lets you utilize the http_inspect normalization without getting any alerts.

• Fixed a gap in how the Snort package handles the critical classification.config and reference.config files during rule updates. When running both Emerging Threats and Snort VRT rules, these two files were not properly generated to contain information from both rule sets. As a result, barnyard2 logging lacked details for some alerts, and at least on my system, I saw some Snort failures and stops when it alerted on a rule but could not find the corresponding classification parameter in the classification.config file. The correct procedure when using both ET and VRT rules is to produce a combined classification.config file and reference.config file that has the entries from both rule sets.

• The stream5 preprocessor also had a bug I fixed where it did not properly recognize the max_segs and max_queued bytes parameters. I also added a new configuration parameter for memcap in stream5. These have stopped all the log errors on big file downloads saying "…session pruned that exceeded max queued bytes...", etc.

• I added configuration parameters for the Modbus and DNP3 SCADA preprocessors. These are used in industrial control systems.

• I am working on implementing the Snort pre-defined IDS-Policies now available in the rules. Here is a link to the VRT blog with details on the policies and flowbit auto-resolution: http://blog.snort.org/2012/01/importance-of-pulledpork.html

I believe I also see the errors in the current package that are causing disabled rules to get enabled again. Basically the "disablesid" functionality is not getting called during rule updates. I will look at fixing that while I'm working on my other updates.

I want to touch base with the pfSense forum admins before I do, but my plan is to post my changes as files (with installation instructions) that some others can test in non-production environments. I do not know how to build the actual Snort package for installation, so all I can provide for now are the individual PHP files needed to implement my updates.
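The two rule-update behaviours bmeeks describes, re-applying the admin's "disablesid" list after a rule download and the PulledPork-style flowbit resolution that switches required setter rules back on, fit in a short post-update pass. The script below is an added example written for this thread in Python; it is not code from the pfSense Snort package (whose logic lives in its PHP files) and not bmeeks's patch. The rule lines, the SIDs in the local 1000000+ range and the flowbit name `example.hello` are constructed for illustration.

```python
"""Added example (not pfSense Snort package code): re-apply a disablesid list
after a rule update, then auto-enable rules required by flowbit dependencies.
Rule text, SIDs and the flowbit name below are constructed for illustration."""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# flowbits:<op>,<bit>[,<group>]; the "flowbits:noalert;" form has no comma and is ignored
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*,\s*([^;]+);")


def parse_rules(text):
    """Turn rule text into a list of entries. Rule entries carry the SID, whether
    the rule is active (not commented out), the flowbits it sets and the ones it
    tests; any other line is kept verbatim so the file survives a round trip."""
    entries = []
    for raw in text.splitlines():
        stripped = raw.strip()
        body = stripped.lstrip("#").strip()
        m = SID_RE.search(body)
        if not body.startswith(("alert", "drop", "log", "pass")) or not m:
            entries.append({"sid": None, "raw": raw})
            continue
        sets, checks = set(), set()
        for op, arg in FLOWBITS_RE.findall(body):
            # setx/isset may name several bits joined with & or |; drop any group name
            bits = {b.strip() for b in re.split(r"[|&]", arg.split(",")[0])}
            if op in ("set", "setx", "toggle"):
                sets |= bits
            elif op in ("isset", "isnotset"):
                checks |= bits
        entries.append({"sid": int(m.group(1)), "enabled": not stripped.startswith("#"),
                        "sets": sets, "checks": checks, "body": body})
    return entries


def apply_disablesid(entries, disable_sids):
    """The disablesid pass: comment out every rule whose SID the admin disabled,
    regardless of how the freshly downloaded rule set shipped it."""
    for e in entries:
        if e["sid"] in disable_sids:
            e["enabled"] = False


def resolve_flowbits(entries):
    """Flowbit resolution: any disabled rule that sets a bit tested by an enabled
    rule is switched on, repeating until no new dependency appears. Returns the
    SIDs that were auto-enabled so the admin can suppress their alerts if unwanted."""
    auto_enabled = set()
    while True:
        needed = set()
        for e in entries:
            if e["sid"] is not None and e["enabled"]:
                needed |= e["checks"]
        newly = [e for e in entries
                 if e["sid"] is not None and not e["enabled"] and e["sets"] & needed]
        if not newly:
            return auto_enabled
        for e in newly:
            e["enabled"] = True
            auto_enabled.add(e["sid"])


def render(entries):
    """Write the rule text back, commenting out disabled rules."""
    out = []
    for e in entries:
        if e["sid"] is None:
            out.append(e["raw"])
        else:
            out.append(e["body"] if e["enabled"] else "# " + e["body"])
    return "\n".join(out) + "\n"


def process(text, disable_sids):
    """Full post-update pass: disablesid first, then flowbit resolution."""
    entries = parse_rules(text)
    apply_disablesid(entries, disable_sids)
    auto_enabled = resolve_flowbits(entries)
    return render(entries), auto_enabled


def enabled_sids(text):
    return {e["sid"] for e in parse_rules(text) if e["sid"] is not None and e["enabled"]}


# Constructed sample rule set as an update might deliver it: the setter of
# example.hello arrived disabled, while sid 1000004 (which the admin had
# disabled before the update) came back enabled.
SAMPLE_RULES = """\
# constructed sample rules, SIDs in the local range
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE client hello"; flow:to_server,established; content:"hello"; flowbits:set,example.hello; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"EXAMPLE reply after hello"; flow:to_client,established; flowbits:isset,example.hello; content:"reply"; sid:1000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE policy media client"; flow:to_server,established; content:"media"; sid:1000003; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXAMPLE noisy dns lookup"; content:"noisy"; sid:1000004; rev:1;)
"""
ADMIN_DISABLESID = {1000004}

if __name__ == "__main__":
    text, auto = process(SAMPLE_RULES, ADMIN_DISABLESID)
    print(text)
    print("auto-enabled for flowbits:", sorted(auto))
    print("enabled after pass:", sorted(enabled_sids(text)))
```

Run against the sample, the pass leaves sid 1000004 commented out even though the update re-enabled it, and turns sid 1000001 back on because the enabled sid 1000002 tests the bit it sets; sid 1000003 stays disabled since nothing depends on it. The pass is idempotent, so it can run after every rule update, and the returned set is the list of SIDs to review for the Suppression List.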
AhnHEL

@bmeeks:

• The stream5 preprocessor also had a bug I fixed where it did not properly recognize the max_segs and max_queued bytes parameters. I also added a new configuration parameter for memcap in stream5. These have stopped all the log errors on big file downloads saying "…session pruned that exceeded max queued bytes...", etc.

Oh how I have been sooo waiting for this, :)

AhnHEL (Angel)
Supermule

I believe I also see the errors in the current package that are causing disabled rules to get enabled again. Basically the "disablesid" functionality is not getting called during rule updates. I will look at fixing that while I'm working on my other updates.

This is the one thing pissing me off big time! :D
derim422

bmeeks-

Truly amazing. If you need any help testing anything or implementing any changes, let me know. We have 2 systems here, and getting this up and running really would simplify so many matters on our end. Hopefully the moderators pick this up!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.