Snort Package 2.5.7 – Issues



  • Please post any issues/problems encountered with the new Snort 2.5.7 package here.

    It's most helpful if you provide:

    1.  pfSense platform and version (2.0.x or 2.1 and 32-bit or 64-bit)

    2.  Your upgrade procedure:  package delete and reinstall, or just package reinstall

    Bill


  • Banned

    I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.

    This happens

    Apr 26 13:32:45    SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:41    kernel: em0: promiscuous mode disabled
    Apr 26 13:32:41    snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:41    snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:40    SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:36    php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:32:32    php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:32:28    php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:32:28    check_reload_status: Syncing firewall

    Go to services -> Snort and it shows Snort is not running. I click the green button and get this:

    Last 500 system log entries
    Apr 26 13:37:30    php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
    Apr 26 13:37:29    kernel: em0: promiscuous mode enabled
    Apr 26 13:35:43    php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:35:41    php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:35:39    php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:35:39    php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
    Apr 26 13:35:23    kernel: em0: promiscuous mode disabled
    Apr 26 13:35:23    snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:23    snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:22    php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
    Apr 26 13:35:22    php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:35:21    php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
    Apr 26 13:35:21    php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:34:35    kernel: em0: promiscuous mode enabled
    Apr 26 13:34:35    SnortStartup[43762]: Snort START for Internet(9626_em0)…

    Takes a very long time to start Snort.

    The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...

    2.0.3 x86 and package 2.9.4.1 v.2.5.7



  • @Supermule:

    I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.

    This happens

    Apr 26 13:32:45    SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:41    kernel: em0: promiscuous mode disabled
    Apr 26 13:32:41    snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:41    snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:40    SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:36    php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:32:32    php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:32:28    php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:32:28    check_reload_status: Syncing firewall

    Go to services -> Snort and it shows Snort is not running. I click the green button and get this:

    Last 500 system log entries
    Apr 26 13:37:30    php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
    Apr 26 13:37:29    kernel: em0: promiscuous mode enabled
    Apr 26 13:35:43    php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:35:41    php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:35:39    php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:35:39    php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
    Apr 26 13:35:23    kernel: em0: promiscuous mode disabled
    Apr 26 13:35:23    snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:23    snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:22    php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
    Apr 26 13:35:22    php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:35:21    php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
    Apr 26 13:35:21    php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:34:35    kernel: em0: promiscuous mode enabled
    Apr 26 13:34:35    SnortStartup[43762]: Snort START for Internet(9626_em0)…

    Takes a very long time to start Snort.

    The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...

    2.0.3 x86 and package 2.9.4.1 v.2.5.7

    No, the log message interface names should not really matter.  I will repeat your scenario and see if I can duplicate.  Remember that the Services Widget and Services…Snort show two different icon colors for running.  On the Services Widget screen, the green arrow icon means "running", while on the Services...Snort screen the red X means running.  Ermal changed these quite some time back (last July if I remember correctly).

    Bill


  • Banned

    I know but I have the same on both. The green on Services widget and the red button on the Services -> Snort page…

    It says running in the widget but it's not.

    And it's on a complete uninstall -> reinstall of Snort.



  • @Supermule:

    I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.

    This happens

    Apr 26 13:32:45    SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
      .....
    Apr 26 13:32:28    check_reload_status: Syncing firewall

    Go to services -> Snort and it shows Snort is not running. I click the green button and get this:

    Apr 26 13:37:30    php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
    Apr 26 13:37:29    kernel: em0: promiscuous mode enabled
    Apr 26 13:35:43    php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:35:41    php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      .....
    Apr 26 13:34:35    kernel: em0: promiscuous mode enabled
    Apr 26 13:34:35    SnortStartup[43762]: Snort START for Internet(9626_em0)…

    Takes a very long time to start Snort.

    The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...

    2.0.3 x86 and package 2.9.4.1 v.2.5.7

    Supermule:

    I tried this on my 2.0.3 i-386 virtual machine multiple times and it worked fine either way.  I restarted Snort from the Services Dashboard Widget, and also from the Services…Status menu option.  I went into the Snort tabs and made two edits on two different occasions.  I enabled two preprocessors one time, and the next time I added a pair of custom SSH ports to the Variables tab.  After each edit I restarted Snort successfully from the Services Dashboard Widget.

    Just to be 100% sure your Snort shell script is properly constructed, go to your Snort Interfaces tab, click the edit icon to get to the If Settings tab, and click Save.  This will force a rebuild of the snort.sh shell script in /usr/local/etc/rc.d on your machine.  See if that helps with your problem.

    Bill



  • @Supermule:

    I know but I have the same on both. The green on Services widget and the red button on the Services -> Snort page…

    It says running in the widget but it's not.

    And it's on a complete uninstall -> reinstall of Snort.

    You're confusing me a bit with your first sentence.  Green on the Services widget and the red button on the Services -> Snort page both indicate nothing is wrong and Snort is running.  Get to a shell prompt and issue this command to see if Snort is really running (and how many times) –

    ps -ax | grep snort
    

    You should see one instance of Snort per interface it's enabled for, plus one line just showing the "grep" command.

    Bill


  • Banned

    Did that…

    Last 500 system log entries
    Apr 26 14:12:20 SnortStartup[30714]: Snort STOP for Internet(9626_em0)…
    Apr 26 14:12:16 kernel: em0: promiscuous mode disabled
    Apr 26 14:12:16 snort[18032]: *** Caught Term-Signal
    Apr 26 14:12:16 snort[18032]: *** Caught Term-Signal
    Apr 26 14:12:15 SnortStartup[28044]: Snort STOP for Internet(9626_em0)…
    Apr 26 14:11:47 check_reload_status: Syncing firewall

    I will send you a link to the video so you can see it.

    Restarted it from Services -> Snort and:

    Apr 26 14:14:56 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
    Apr 26 14:14:10 kernel: em0: promiscuous mode enabled
    Apr 26 14:14:10 SnortStartup[21860]: Snort START for Internet(9626_em0)…
    Apr 26 14:13:09 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 14:13:07 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 14:13:05 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 14:13:05 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...



  • @bmeeks:

    @Supermule:

    Takes a very long time to start Snort.

    The only difference that I noticed was the change in interface name… From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...

    2.0.3 x86 and package 2.9.4.1 v.2.5.7

    No, the log message interface names should not really matter.

    I thought the interface name always has a random number in front of it?



  • @gogol:

    @bmeeks:

    @Supermule:

    Takes a very long time to start Snort.

    The only difference that I noticed was the change in interface name… From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...

    2.0.3 x86 and package 2.9.4.1 v.2.5.7

    No, the log message interface names should not really matter.

    I thought the interface name always has a random number in front of it?

    The interface names seen in the Snort package are really a type of artificial construct to grease the skids for running multiple instances of Snort (on a box with multiple NICs) and letting the GUI keep them all straight.  You are correct that each interface has a random number associated with it in the Snort files.  The Snort GUI calls this the UUID.  You can think of it as a simplified version of the GUID on Windows or UNIX boxes.  For Snort, it's just usually a 4 or 5 digit number.  The real interface, and the only one that matters to the running Snort binary, is the NIC driver such as "em0" or "em1", or "re0", etc.

    The Snort GUI code actually stores and keeps track of three things related to interfaces:  (1) the real interface such as "em0"; (2) the friendly interface name given in the pfSense setup such as "WAN" or "LAN"; and (3) a descriptive name the user could provide in the Snort setup such as "Internet-Facing".  That UUID number gets used when naming the PID file in /var/run upon Snort startup. That's so the GUI code (and the shell script) can find the correct PID for a given Snort interface later on when it wants to shut down or toggle a specific interface.

    Probably more detail than you wanted, but the point is I don't believe the change in the log message interface description is Supermule's problem.  I just altered which of those 3 fields I mentioned earlier was printed in the logs.

    Bill



  • I think I can partially reproduce Supermule's problem:

    Apr 26 22:51:45	kernel: em0: promiscuous mode disabled
    Apr 26 22:51:45	snort[31039]: *** Caught Term-Signal
    Apr 26 22:51:45	SnortStartup[46963]: Snort START for WAN(54477_em0)...
    Apr 26 22:51:44	php: /snort/snort_interfaces.php: Snort STOP for WAN(em0)...
    Apr 26 22:51:44	php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 22:51:44	kernel: em0: promiscuous mode enabled
    Apr 26 22:51:31	SnortStartup[90854]: Snort STOP for WAN(54477_em0)...
    Apr 26 22:51:27	kernel: em0: promiscuous mode disabled
    Apr 26 22:51:27	snort[49210]: *** Caught Term-Signal
    Apr 26 22:51:26	SnortStartup[86273]: Snort STOP for WAN(54477_em0)...
    

    I think Supermule is impatient, because the log above appeared when I restarted snort from the Services Widget; then, after the page reloaded completely, I went quickly to Services >> Snort and saw the green arrow (I have to be fast or else I see the red cross). He then thinks snort has not started, but it is still starting up, and presses the green arrow again.

    Supermule, can you try again and wait at least a few minutes? Maybe your system is a little bit slower.



  • @gogol:

    I think I can partially reproduce Supermule's problem:

    Apr 26 22:51:45	kernel: em0: promiscuous mode disabled
    Apr 26 22:51:45	snort[31039]: *** Caught Term-Signal
    Apr 26 22:51:45	SnortStartup[46963]: Snort START for WAN(54477_em0)...
    Apr 26 22:51:44	php: /snort/snort_interfaces.php: Snort STOP for WAN(em0)...
    Apr 26 22:51:44	php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 22:51:44	kernel: em0: promiscuous mode enabled
    Apr 26 22:51:31	SnortStartup[90854]: Snort STOP for WAN(54477_em0)...
    Apr 26 22:51:27	kernel: em0: promiscuous mode disabled
    Apr 26 22:51:27	snort[49210]: *** Caught Term-Signal
    Apr 26 22:51:26	SnortStartup[86273]: Snort STOP for WAN(54477_em0)...
    

    I think Supermule is impatient, because the log above appeared when I restarted snort from the Services Widget; then, after the page reloaded completely, I went quickly to Services >> Snort and saw the green arrow (I have to be fast or else I see the red cross). He then thinks snort has not started, but it is still starting up, and presses the green arrow again.

    Supermule, can you try again and wait at least a few minutes? Maybe your system is a little bit slower.

    This may be a key.  Having lots of enabled rules can make Snort take a long time to start.  This is caused first by the rules build process now in the Snort package for flowbit resolution and enable/disable SID mods, the rules are then written to the Snort.rules file, and then the actual Snort binary itself cranks up to parse and load all the rules.  This can take a while, but I've never seen it go over a minute.  More typical in my testing with an Atom 330 processor (not the fastest on the block, for sure) is maybe 45 seconds or so to startup with a full rule set.

    Bill



  • @gogol:

    I think Supermule is impatient, because the log above appeared when I restarted snort from the Services Widget; then, after the page reloaded completely, I went quickly to Services >> Snort and saw the green arrow (I have to be fast or else I see the red cross). He then thinks snort has not started, but it is still starting up, and presses the green arrow again.

    Supermule, can you try again and wait at least a few minutes? Maybe your system is a little bit slower.

    One other thing I notice on my barely adequate Atom 330 box with Snort running on three interfaces, is the Snort Interfaces tab will many times not display correctly.  I get blanks for some values.  Sometimes it's fine, but other times I have to hit page refresh in IE several times.  I've seen this especially since moving to IE10 a while back.  I was seeing this behavior even back in 2.5.5, though.  I tried a fix in this current release to help this, but the results are inconsistent.  The code currently enters a "foreach()" loop to find each configured interface and query the status of Snort and/or Barnyard2.  It then prints the icons and words depending on what it discovers.  There is probably a better way to code this.

    Bill



  • Snort starts very slowly for me as well. Definitely over a minute. I have VRT Premium and ET rules enabled. Hardware is Intel(R) Xeon(R) CPU E5405 @ 2.00GHz.

    Snort started very slowly with the previous version too. Also it occasionally just quits with nothing written in the logs. I suspect it just fails to restart after rules update.

    I am running pfSense on physical machine.
    Latest version:
    2.0.3-RELEASE (amd64)
    built on Fri Apr 12 10:27:56 EDT 2013
    FreeBSD 8.1-RELEASE-p13



  • @daq:

    Snort starts very slowly for me as well. Definitely over a minute. I have VRT Premium and ET rules enabled. Hardware is Intel(R) Xeon(R) CPU E5405 @ 2.00GHz.

    Snort started very slowly with the previous version too. Also it occasionally just quits with nothing written in the logs. I suspect it just fails to restart after rules update.

    I think the new 2.9.4.1 binary is a bit slower to start, and that is coupled with the more CPU-consuming task of generating the flowbit rules and stuff.  So both of them together make startup slower.  One thing I did add in 2.5.7 that was not in 2.5.6 and earlier was a rules rebuild whenever you click the Green START icon on the Snort Interfaces tab.  However, starting Snort from the Services Widget or following a firewall boot will not rebuild the rules.  It just uses what is already in place from the last build.

    Folks that are seeing super slow startups or other strange stuff, please report here and include your pfSense version plus whether you are on physical hardware or a virtual machine.

    Bill



  • I'm seeing issues with Snort start from the Services widget, with the Snort interface still showing not running on Services -> Snort. The process is running, and I've also seen 2 Snort processes running even though there should only be one, as I only have it running on one interface.

    I'm running 2.1 beta and 2.5.7 Snort. Below is me stopping Snort twice after noticing the two processes running and then starting Snort from the dashboard services widget. The log shows the pid of the process, right? Now top / ps shows Snort running with pid 85412, even though the last start shows 86320.

    
    Apr 27 02:35:43 	SnortStartup[86320]: Snort START for snrtWAN(2226_em0)...
    Apr 27 02:35:42 	kernel: em0: promiscuous mode enabled
    Apr 27 02:34:20 	SnortStartup[18875]: Snort STOP for snrtWAN(2226_em0)...
    Apr 27 02:33:43 	snort[39176]: Could not remove pid file /var/run/snort_em02226.pid: No such file or directory
    Apr 27 02:33:43 	kernel: em0: promiscuous mode disabled
    Apr 27 02:33:43 	snort[39176]: *** Caught Term-Signal
    Apr 27 02:33:42 	SnortStartup[13036]: Snort STOP for snrtWAN(2226_em0)...
    Apr 27 02:33:25 	snort[59926]: *** Caught Term-Signal
    Apr 27 02:33:24 	SnortStartup[6827]: Snort STOP for snrtWAN(2226_em0)...
    
    


  • @fragged:

    I'm seeing issues with Snort start from the Services widget, with the Snort interface still showing not running on Services -> Snort. The process is running, and I've also seen 2 Snort processes running even though there should only be one, as I only have it running on one interface.

    I'm running 2.1 beta and 2.5.7 Snort. Below is me stopping Snort twice after noticing the two processes running and then starting Snort from the dashboard services widget. The log shows the pid of the process, right? Now top / ps shows Snort running with pid 85412, even though the last start shows 86320.

    
    Apr 27 02:35:43 	SnortStartup[86320]: Snort START for snrtWAN(2226_em0)...
    Apr 27 02:35:42 	kernel: em0: promiscuous mode enabled
    Apr 27 02:34:20 	SnortStartup[18875]: Snort STOP for snrtWAN(2226_em0)...
    Apr 27 02:33:43 	snort[39176]: Could not remove pid file /var/run/snort_em02226.pid: No such file or directory
    Apr 27 02:33:43 	kernel: em0: promiscuous mode disabled
    Apr 27 02:33:43 	snort[39176]: *** Caught Term-Signal
    Apr 27 02:33:42 	SnortStartup[13036]: Snort STOP for snrtWAN(2226_em0)...
    Apr 27 02:33:25 	snort[59926]: *** Caught Term-Signal
    Apr 27 02:33:24 	SnortStartup[6827]: Snort STOP for snrtWAN(2226_em0)...
    
    

    Try this for me.  Stop all Snort processes.  Best way is get to the shell prompt and issue

    /usr/bin/killall snort
    

    then do

    ps -ax |grep snort
    

    to see if any processes remain.  Give it time to shut all of them down.  If any remain after a couple of minutes, then do

    /usr/bin/killall -9 snort
    

    Now go into Snort and click on the Global Settings tab.  Scroll down and just click the Save button.  You don't have to actually change anything on the page, just click Save.  This will rebuild the snort.sh shell script.

    Now do either of the following:

    1.  On the Snort Interfaces tab click the green icon next to Snort

    or

    2.  From the shell prompt, enter this command:

    /usr/local/etc/rc.d/snort.sh start
    

    Either of the methods above should start Snort.  Option #1 will start Snort only on the clicked-on interface (if you have Snort enabled on more than one), while Option #2 will start Snort on all its configured interfaces.  Option #2 (the snort.sh script) is what the Services Widget actually calls.  I'm thinking maybe you have an older version of that script that allows starting of Snort more than once on the same interface??  This was an error in logic with that older version.  That was fixed in 2.5.7, but it could be yours did not get updated with the rest of the GUI code update.

    If you can, post back with the full contents of the /usr/local/etc/rc.d/snort.sh file so I can see what version it is.

    Bill
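    The shell procedure above (kill every snort, then `ps -ax | grep snort` expecting one instance per interface) and Bill's earlier note that the interface UUID is appended to the PID file name in /var/run can be turned into a check. The script below is an added example, not code from the Snort package or from anyone in this thread: it runs on a constructed `ps -ax` listing and constructed PID-file contents, and assumes that Snort's `-R <id>` option is what puts the id into the `snort_<nic><id>.pid` name.

```python
"""Added check: count Snort processes per interface from `ps -ax | grep snort`
output and reconcile them with the PID files the pfSense GUI consults."""
import re
import shlex
from collections import Counter

# Constructed sample of `ps -ax | grep snort` output (not captured from a real
# firewall). The command lines follow the form quoted in the thread:
# -R <uuid> ... --pid-path /var/run ... -i <nic>. em0 is deliberately started twice.
SAMPLE_PS = """\
85412  -  Ss    0:03.12 /usr/local/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-i386/etc/snort/snort_2226_em0/snort.conf -i em0
86320  -  Ss    0:01.40 /usr/local/bin/snort -R 2226 -D -q -l /var/log/snort/snort_em02226 --pid-path /var/run --nolock-pidfile -G 2226 -c /usr/pbi/snort-i386/etc/snort/snort_2226_em0/snort.conf -i em0
90854  -  Ss    0:02.00 /usr/local/bin/snort -R 54477 -D -q -l /var/log/snort/snort_em154477 --pid-path /var/run --nolock-pidfile -G 54477 -c /usr/pbi/snort-i386/etc/snort/snort_54477_em1/snort.conf -i em1
91001  0  S+    0:00.00 grep snort
"""

# Constructed contents of the PID files in /var/run (path -> PID recorded in it).
# em0's file names only the newer process; em1's file is stale (no such process).
SAMPLE_PIDFILES = {
    "/var/run/snort_em02226.pid": 86320,
    "/var/run/snort_em154477.pid": 12345,
}

# FreeBSD `ps -ax` columns: PID TT STAT TIME COMMAND
PS_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+\S+\s+(.*)$")


def parse_snort_processes(ps_output):
    """Return one dict {pid, iface, uuid, pidfile} per running snort binary.
    The trailing `grep snort` line and anything else that is not snort is skipped."""
    procs = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, argv = int(m.group(1)), shlex.split(m.group(2))
        if not argv or not argv[0].endswith("/snort"):
            continue
        # Pair each argv word with its successor; only the valued options
        # -i, -R and --pid-path are looked up, so bare flags such as -D do no harm.
        opts = dict(zip(argv[1:], argv[2:]))
        iface, uuid = opts.get("-i"), opts.get("-R", "")
        procs.append({
            "pid": pid,
            "iface": iface,
            "uuid": uuid,
            # Assumption: Snort's -R <id> is appended to the interface name in the
            # PID file name, giving the /var/run/snort_em02226.pid form seen above.
            "pidfile": f"{opts.get('--pid-path', '/var/run')}/snort_{iface}{uuid}.pid",
        })
    return procs


def instances_per_interface(procs):
    """Interface name -> number of snort processes bound to it (expected: 1 each)."""
    return Counter(p["iface"] for p in procs)


def duplicate_interfaces(procs):
    """Interfaces carrying more than one snort process."""
    return sorted(i for i, n in instances_per_interface(procs).items() if n > 1)


def reconcile_pid_files(procs, pidfile_contents):
    """Compare running processes with the PID files the GUI and snort.sh rely on.
    Returns (orphans, stale): orphans are running PIDs that their own PID file does
    not record (the GUI cannot see them); stale are PID files recording a PID that
    is not a running snort process (the GUI may say "running" for a dead instance)."""
    running = {p["pid"] for p in procs}
    orphans = [p["pid"] for p in procs if pidfile_contents.get(p["pidfile"]) != p["pid"]]
    stale = sorted(path for path, pid in pidfile_contents.items()
                   if pid is not None and pid not in running)
    return orphans, stale


if __name__ == "__main__":
    procs = parse_snort_processes(SAMPLE_PS)
    for iface, n in sorted(instances_per_interface(procs).items()):
        print(f"{iface}: {n} snort process(es)")
    print("interfaces started more than once:", duplicate_interfaces(procs))
    orphans, stale = reconcile_pid_files(procs, SAMPLE_PIDFILES)
    print("running but not recorded in their PID file:", orphans)
    print("stale PID files:", stale)
```

    On a real firewall, feed it the output of `ps -ax | grep snort` and the integers read from the snort_*.pid files in /var/run.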




  • Banned

    install the filemanager package and there is a DL function built in :)



  • @Supermule:

    install the filemanager package and there is a DL function built in :)

    Thank you very much  ;D

    Your speedtest picture in your sig: ARE you a backbone yourself  ???

    :P

    ;D



  • I am still having problems with snort blocking whitelisted IPs.  I just sent you a PM, bmeeks.

    Thanks for all your work so far, Snort has consistently been improving with all your hard work and releases! It's greatly appreciated by the community.  :)



  • @ccb056:

    I am still having problems with snort blocking whitelisted IPs.  I just sent you a PM, bmeeks.

    Thanks for all your work so far, Snort has consistently been improving with all your hard work and releases! It's greatly appreciated by the community.  :)

    I received the PM and will look into it.  As I mentioned in my PM reply to you, I will have to solicit some assistance from Ermal on this one as he is the expert with the Spoink plugin where the actual blocking and whitelist testing takes place.

    Bill



  • @Hollander:

    The killall instructions you gave return nothing:

    
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(2): /usr/bin/killall snort
    No matching processes were found
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(3): ps -ax | grep snort
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(4):
    
    

    I can press 'start' (the green icon) as many times as I want to; it stays green, and the dashboard service widget also shows all packages running except for Snort, which is stopped, and starting it from that dashboard widget doesn't make it run either. Starting it from the shell:

    
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(8): /usr/local/etc/rc.d/snort.sh start
    [2.0.3-RELEASE][admin@pfsense.localdomain]/root(9):
    
    

    (I don't know what that means).

    But in the GUI Snort is still stopped.

    And for a slightly less stupid (but still not the brightest  :-[) question: is there another Snort log I should look into (via the shell) in addition to the general system log in the GUI?

    Thank you very much for any help  ;D


    I see from the posted snort.sh script that you are running Snort on a PPPoE interface.  I've never done that.  I know within pfSense that's a special kind of interface quite unlike the normal physical interfaces.  Maybe some other users can chime in that may be running Snort successfully on a PPPoE connection.  It could be that PPPoE and Snort don't like each other, but I don't know that for sure.  I've just never encountered that configuration.

    As for your second question relative to logs, there is really just the system log.  You can see part of it in the GUI, or you can go to /var/log/system.log and see it all.  Other than a separate rules update log, there is no separate log file for Snort (aside from the alerts log, but no system startup/error messages get printed there).

    Bill



  • I've been trying to get snort to work on my router but been running into some issues.

    I'm running a new install of 2.1-BETA1 April 25 Build on i386.

    The package installs fine, but when I set it up on my WAN interface and add a basic rule, such as:

    alert tcp any any -> any 80 (msg:"HTTP Testing Rule"; sid:1098001; rev:1;)
    

    The Snort service starts, but will crash the first time something matches the rule (such as me running wget http://myip/)

    Apr 28 16:11:20	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(snort wan)...
    Apr 28 16:11:20	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    Apr 28 16:11:20	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
    Apr 28 16:11:21	php: /snort/snort_interfaces.php: Snort START for snort wan(bge0)...
    Apr 28 16:11:21	kernel: bge0: promiscuous mode enabled
    Apr 28 16:11:31	kernel: pid 44641 (snort), uid 0: exited on signal 11
    Apr 28 16:11:31	kernel: bge0: promiscuous mode disabled
    

    So I played around with it some more, and the command it generates to run snort is:

    /usr/local/bin/snort -R 18495 -D -q -l /var/log/snort/snort_bge018495 --pid-path /var/run --nolock-pidfile -G 18495 -c /usr/pbi/snort-i386/etc/snort/snort_18495_bge0/snort.conf -i bge0
    

    If I remove the -D, and instead add -A console, it seems to be acting just fine:

    04/28/13-16:15:01.659745  [**] [1:1098001:1] HTTP Testing Rule [**] [Priority: 0] {TCP} x.x.x.x:58385 -> x.x.x.x:80
    

    Likewise, "-A full" will add data to the alert log file, but those alerts never show up in the web interface.

    If I run it without a -A, it will crash and just say Segmentation fault.



  • Never mind, I figured it out.  I searched the forums more (Google failed me yesterday when I was using it to search).

    I needed to define a classtype in the rule.  Once I did that everything seems to be working.



  • Ok, one more issue I encountered.  I noticed it wasn't catching events that it should have.  For example, when I enable the ET Policy rules on my LAN, it should alert on skype connections, ftp connections, dropbox, apple software update, etc.

    While digging, it seems that it's not populating my $HOME_NET variable in snort.conf properly.  It adds my router's IP 192.168.13.1, but not the 192.168.13.0/24 subnet.

    I haven't been able to figure out how to change it off 'default' addresses either in the interface settings.  I created aliases in the firewall settings as was suggested but that doesn't seem to make a difference.

    Edit: Ok, figured out this one too.. figure I'll leave the fix in case someone else has this issue.  I had to create a whitelist in snort and link that whitelist to my firewall alias with my LAN subnet.  Then I could set that as my homenet.  Although it still seems to me that this should automatically be added into the snort.conf without having to go through this step.



  • Quick question (or maybe feature request?)…

    I have my snort config set to "NEVER" remove bogeys from the "Blocked" list.  However when the system is rebooted the list is cleared.  I usually reboot a few times a week due to power issues, a crappy cable modem, or just beta code updates.  I am curious as to whether there is a config option, command-line option, etc. that will allow snort to retain the blocked list indefinitely, even beyond a reboot?

    On occasion I do save the list and suppose that I could somehow add those addresses to an alias, then block that list at the firewall.  But as my job has me traveling often, I'm not always able to check/save the blocked list before it goes away.

    Thoughts?

    Thanks!
    David


  • Banned

    Good idea!!




  • Banned

    Could it be related to the fact that you use a private IP as WAN and then Snort doesn't see it because of the definition of home net??





  • This topic is meant for common Snort 2.5.7 issues, and I have the feeling Snort is very solid now, at least on my system.

    Now we are discussing a setup issue that is very specific. I think it is better to start a new topic on this PPPoE setup. It will have a better title too.



  • @gogol:

    This topic is meant for common Snort 2.5.7 issues, and I have the feeling Snort is very solid now, at least on my system.

    Now we are discussing a setup issue that is very specific. I think it is better to start a new topic on this PPPoE setup. It will have a better title too.

    Might be a good idea  ;D

    I'll create a new thread and move my post in there.



  • Unless I am missing something simple, it looks like the internal interface (in my case em0) is not populating the home_net (192.168.1.0/24) variable correctly.

    When I manually edit /usr/local/etc/snort/snort_52009_em0/snort.conf and reload the config, my home_net (192.168.1.0/24) is overwritten to only include the gateway (192.168.1.1) IP address.  This obviously is causing me to miss events from the private network.

    I've tried the following to resolve the issue:

    1. Reinstalled the Snort package - failed to fix issue
    2. Uninstalled/reinstalled Snort package - failed to fix the issue
    3. Edited snort.conf for the internal interface - failed to fix the issue

    Thanks,

    CarbonCopy



  • @carboncopy:

    Unless I am missing something simple, it looks like the internal interface (in my case em0) is not populating the home_net (192.168.1.0/24) variable correctly.

    When I manually edit /usr/local/etc/snort/snort_52009_em0/snort.conf and reload the config, my home_net (192.168.1.0/24) is overwritten to only include the gateway (192.168.1.1) IP address.  This obviously is causing me to miss events from the private network.

    I've tried the following to resolve the issue:

    1. Reinstalled the Snort package - failed to fix issue
    2. Uninstalled/reinstalled Snort package - failed to fix the issue
    3. Edited snort.conf for the internal interface - failed to fix the issue

    Thanks,

    CarbonCopy

    I had the same issue and posted about it earlier in this thread, but here's the workaround I ended up using.  Manually editing snort.conf doesn't work because it just gets recreated and overwritten.

    Go to firewall, aliases, make an alias for your 192.168.1.0/24 network.  I named mine LANSUB

    Go to snort settings, whitelists, create a whitelist, called myhomenet for example, leave all the boxes checked and add the LANSUB alias.

    Go to the snort interface settings, change the homenet from default to myhomenet.

    Save and restart service(s)



  • It seems like there is an error in the script that configures snort.conf.  I am thinking this is a simple fix, but I'll let the experts speak to the issue.  I don't really have time to dig on it.  Thanks for the workaround by the way.

    -CC



  • @carboncopy:

    It seems like there is an error in the script that runs that configures snort.conf.  I am thinking this is a simple fix, but I'll let the experts speak to the issue.  I don't really have time to dig on it.  Thanks for the workaround by the way.

    -CC

    When you edit the Snort interface: What is defined for Homenet in Snort Interface settings?



  • @carboncopy:

    It seems like there is an error in the script that runs that configures snort.conf.  I am thinking this is a simple fix, but I'll let the experts speak to the issue.  I don't really have time to dig on it.  Thanks for the workaround by the way.

    -CC

    How many interfaces are you running Snort on?  Just the WAN, or WAN and LAN, or some other combination?  The code that builds the snort.conf file (and the $HOME_NET variable) asks pfSense for the addresses associated with the interface Snort is running on, and then any far-end gateways (for example, on the WAN side).

    Bill



  • @bmeeks:

    @carboncopy:

    It seems like there is an error in the script that runs that configures snort.conf.  I am thinking this is a simple fix, but I'll let the experts speak to the issue.  I don't really have time to dig on it.  Thanks for the workaround by the way.

    -CC

    How many interfaces are you running Snort on?  Just the WAN, or WAN and LAN, or some other combination?  The code that builds the snort.conf file (and the $HOME_NET variable) asks pfSense for the addresses associated with the interface Snort is running on, and then any far-end gateways (for example, on the WAN side).

    Bill

    On my setup I had the same error.  I have 4 interfaces, WAN, LAN, Opt1 (OpenVPN server for mobile ssl clients) and Opt2 (OpenVPN Client for a site to site shared key vpn).  I run Snort on the WAN and LAN interfaces.  On the snort instance on my LAN interface, it detected the IP of the interface (192.168.13.1) but did not add 192.168.13.0/24.  It did catch my VPN subnets (192.168.14.0/24 for the mobile, and 10.0.8.0/24 for the site to site connection), Wan subnet, dns servers, and localhost.

    I think the wan interface came up with the same list, but I don't have access to the router right now to look.

    I tried digging around the code to see where the issue was but ran out of time last night.



  • @boshaus:

    On my setup I had the same error.  I have 4 interfaces, WAN, LAN, Opt1 (OpenVPN server for mobile ssl clients) and Opt2 (OpenVPN Client for a site to site shared key vpn).  I run Snort on the WAN and LAN interfaces.  On the snort instance on my LAN interface, it detected the IP of the interface (192.168.13.1) but did not add 192.168.13.0/24.  It did catch my VPN subnets (192.168.14.0/24 for the mobile, and 10.0.8.0/24 for the site to site connection), Wan subnet, dns servers, and localhost.

    I think the wan interface came up with the same list, but I don't have access to the router right now to look.

    I tried digging around the code to see where the issue was but ran out of time last night.

    And you have the latest 2.5.7 version of the Snort package, correct?

    The place where this is generated is wholly within the file /usr/local/pkg/snort.inc.  The functions are near the very top of that file.  They are called from the same file down in a function near the bottom called snort_generate_conf().  The actual line number is 2178.  The called function that actually builds the $HOME_NET list is snort_build_list() that starts on line 154 in the same file.

    You can experiment in that file with some edits if you want to.  Just save a copy before you monkey with it, so if you mess it up you can easily restore.  That file is the critical core of the Snort package, and if messed up, then no part of Snort will work correctly (including even the uninstall piece).  So consider yourself warned …  :D

    If you can figure something out that either I or Ermal overlooked, please post back.

    Bill



  • @bmeeks:

    You can experiment in that file with some edits if you want to.  Just save a copy before you monkey with it, so if you mess it up you can easily restore.  That file is the critical core of the Snort package, and if messed up, then no part of Snort will work correctly (including even the uninstall piece).  So consider yourself warned …  :D

    If you can figure something out that either I or Ermal overlooked, please post back.

    Bill

    Well, I fixed it, but I'm not sure you're going to like how :)

    So in snort.inc line 209, it checks to see if the interface has a gateway configured, and if it doesn't it skips adding it to the list. I feel like I'm missing why having a gateway or not matters. Looks like this change was made 1-26 by Ermal: https://github.com/pfsense/pfsense-packages/commit/b97368f2ed50c70ba7102acacd7d65cc3ffec109#config/snort/snort.inc

    My LAN interface doesn't have a gateway specified. If I comment out 208/209 (and also 220/221 for ipv6) it adds 192.168.13.1/24 and functions properly.
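
    To make the behaviour discussed in this thread concrete (Bill's description of how the $HOME_NET list is assembled from the interface addresses and far-end gateways, and boshaus's finding that an interface without a gateway contributes only its own address and not its subnet), here is an added Python model of that logic. It is example code written for this post, not the package's snort.inc (which is PHP), and the interface dictionary layout, the sample addresses and the function names are assumptions of the example. The `uncovered_interfaces()` check is the part worth keeping: run it against a generated list and it tells you which local subnets Snort would be treating as EXTERNAL_NET.

    ```python
    import ipaddress

    # Constructed sample data modelled on the setup described in the thread
    # (hypothetical layout; not what pfSense actually returns).
    SAMPLE_INTERFACES = {
        "wan": {"ip": "203.0.113.10", "prefix": 24, "gateway": "203.0.113.1"},
        "lan": {"ip": "192.168.13.1", "prefix": 24, "gateway": None},
    }
    SAMPLE_VPN_NETS = ["192.168.14.0/24", "10.0.8.0/24"]   # constructed
    SAMPLE_DNS = ["203.0.113.53", "203.0.113.54"]          # constructed


    def build_home_net(interfaces, vpn_nets, dns_servers,
                       skip_subnet_without_gateway, extra_nets=()):
        """Return the HOME_NET entries as a sorted list of strings.

        skip_subnet_without_gateway=True reproduces the behaviour reported in
        the thread: an interface with no gateway contributes only its own
        address, not its subnet.  False is the corrected behaviour.
        extra_nets models the whitelist/alias workaround (entries the admin
        adds by hand on top of the auto-generated ones).
        """
        entries = {"127.0.0.1"}                      # localhost is always in
        for cfg in interfaces.values():
            iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['prefix']}")
            entries.add(str(iface.ip))               # the interface address itself
            if cfg.get("gateway"):
                entries.add(cfg["gateway"])          # far-end gateway (e.g. WAN side)
                entries.add(str(iface.network))      # subnet added when a gateway exists
            elif not skip_subnet_without_gateway:
                entries.add(str(iface.network))      # corrected: subnet added regardless
        entries.update(vpn_nets)
        entries.update(dns_servers)
        entries.update(extra_nets)
        return sorted(entries,
                      key=lambda e: ipaddress.ip_network(e, strict=False))


    def uncovered_interfaces(home_net, interfaces):
        """Names of interfaces whose local subnet is not inside any HOME_NET entry.

        A non-empty result means traffic on that subnet falls under EXTERNAL_NET,
        so rules keyed on HOME_NET will not fire for those hosts.
        """
        covering = [ipaddress.ip_network(e, strict=False) for e in home_net]
        missing = []
        for name, cfg in interfaces.items():
            subnet = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['prefix']}").network
            if not any(subnet.subnet_of(n) for n in covering):
                missing.append(name)
        return missing


    def render_home_net(home_net):
        """Render the list as the snort.conf variable line."""
        return "ipvar HOME_NET [" + ",".join(home_net) + "]"


    if __name__ == "__main__":
        for skip in (True, False):
            hn = build_home_net(SAMPLE_INTERFACES, SAMPLE_VPN_NETS, SAMPLE_DNS, skip)
            print("skip_subnet_without_gateway =", skip)
            print(" ", render_home_net(hn))
            print("  uncovered:", uncovered_interfaces(hn, SAMPLE_INTERFACES))
    ```

    With the gateway check in place the LAN entry comes out as the bare 192.168.13.1, exactly the symptom reported above, and `uncovered_interfaces()` flags `lan`; with the check removed (or with a LANSUB-style alias passed in as `extra_nets`) the /24 appears and nothing is flagged.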

