Snort 2.9.4.1 pkg v.2.5.8



  • Hey Bill,

    thanks for this great package!

    The alert tab in this version overlaps the IPv6 addresses over columns.



  • @bmeeks:

    @gogol:

    I believe the process check_reload_status is checking the /tmp directory, so maybe it is happening there.

    I just updated a 2.1 virtual machine I have from 2.1-BETA to 2.1RC0.  I'm using Snort with the "IPS Connectivity" policy enabled with no problems.  The WAN interface is set to get its IP address via DHCP.  This VM is running on VMware Workstation 9.  So far I am not seeing any issues with the VM, but I will leave it running to check it out thoroughly.

    As for the "check_reload_status" script, that is a native pfSense binary that does a number of things. I am not sure what exactly it does.  One of the Core Team developers might be able to tell you.  The "check_reload_status" is not part of the Snort package.

    I tested a Virtual Machine which gave me the same errors. I even installed a fresh system on this VM and restored a configuration file. Same result. Both on WAN DHCP. I even compared both configuration files of 2.5.7 and 2.5.8 but could not see a problem there.

    So, package 2.5.7 works on both systems and package 2.5.8 does not. I really like the options you made in 2.5.8 but for now I can't use it. Do you think there is a way I can update the firmware and install the old package 2.5.7?

    I hope there will be others that have the same experience ;)


  • Banned

    I don't see that at all here.

    2.5.8 works like a charm.



  • @jflsakfja:

    VRT was enabled and downloaded. Worked OK before the update and md5 shows up in updates tab. Same thing on both of my boxes.
    Forced an update and it found an update to VRT rules (although I'm pretty sure it passed through 2 auto updates so far…). Checked IPS Policy - Security list and it comes up as blank. Restarted snort through dashboard, restarted the interface after it finished and it's still blank.

    Went into the interface settings and selected Balanced as the policy. Restarted the Interface and the list was populated as it should. Went back and changed it to security and restarted the interface yet again and it's still blank.

    How much memory do you have in the box, and are you waiting for the process to completely finish?  I ask these questions because the Security Policy is very large and it takes several seconds to read and then construct the table via PHP for the web page.  I have tested all three Snort IPS Policies in my 2.1RC0 virtual machine, and they all work.  Balanced and Security take longer to populate than Connectivity, with Security taking the longest by far.  Attached is a screenshot showing the IPS Security policy rules being displayed.

    One other question – what browser are you using?  I've done the majority of my testing with Internet Explorer 10, but also checked things out with the latest Firefox and Chrome browsers.




  • @gogol:

    I tested a Virtual Machine which gave me the same errors. I even installed a fresh system on this VM and restored a configuration file. Same result. Both on WAN DHCP. I even compared both configuration files of 2.5.7 and 2.5.8 but could not see a problem there.

    So, package 2.5.7 works on both systems and package 2.5.8 does not. I really like the options you made in 2.5.8 but for now I can't use it. Do you think there is a way I can update the firmware and install the old package 2.5.7?

    I hope there will be others that have the same experience ;)

    There was a change in the 2.5.8 code in the way it selected the gateways and WAN IPs to add to the default Whitelist and HOME_NET collections, but I can't for the life of me see how that could translate to what you are seeing.  Not saying it can't be related, but how it might be related escapes me at the moment.  I will keep testing my own VMs to see if I can replicate this.

    As for running 2.5.7 on the new firmware, that is relatively easy to pull off if you are willing to copy some files around.  Here is what to do:

    Rollback to your 2.5.7 setup and copy the following files off to a set of directories in /tmp.

    First, create the following directories in /tmp:  www and pkg.

    Next, navigate to /usr/local/pkg/snort and copy the files there to the /tmp/pkg directory created earlier.

    Repeat the step above except the source directory is /usr/local/www/snort and the destination is /tmp/www.

    Now update the firmware.  This will also update Snort to 2.5.8, but that is OK.  After the reboot from the update and the package reinstallation completes, copy the saved files back to their original locations.  Copy the /tmp/pkg files to /usr/local/pkg/snort, and copy the /tmp/www files to /usr/local/www/snort.

    Stop and restart Snort, and you should have 2.5.7 running on the new firmware.  It will say "2.5.8" on the Packages screens because that is what PBI thinks it installed, but the header on the actual Snort pages should say 2.5.7.

    Bill



  • @Nukama:

    Hey Bill,

    thanks for this great package!

    The alert tab in this version overlaps the IPv6 addresses over columns.

    Hmm…I am having problems getting the various browsers to line-break properly.  Thank you for the feedback on this problem.

    The issue with the Alerts tab is needing to display more information than there really is available column width.  Will take another crack at it.  Have not found a way yet to signal the browser to break on say the colon ":" in the IPv6 address.  If anyone has a suggestion, I'm all ears.

    Bill



  • @bmeeks:

    How much memory do you have in the box, and are you waiting for the process to completely finish?  I ask these questions because the Security Policy is very large and it takes several seconds to read and then construct the table via PHP for the web page.  I have tested all three Snort IPS Policies in my 2.1RC0 virtual machine, and they all work.  Balanced and Security take longer to populate than Connectivity, with Security taking the longest by far.  Attached is a screenshot showing the IPS Security policy rules being displayed.

    I have 2GB ram in those boxes, and RAM never gets above 40% (on the days they get hammered, usually around 30%).
    Waiting for it doesn't help either. It's not that the browser is waiting for the page, it gets the page, but it's a completely blank page (see a couple of my posts back for the html code).
    I'm enabling all rules anyway, is there a difference between balanced and security after doing that, or does security load something external (something other that the rules listed on the rule enable/disable page)?



  • @jflsakfja:

    I have 2GB ram in those boxes, and RAM never gets above 40% (on the days they get hammered, usually around 30%).
    Waiting for it doesn't help either. It's not that the browser is waiting for the page, it gets the page, but it's a completely blank page (see a couple of my posts back for the html code).
    I'm enabling all rules anyway, is there a difference between balanced and security after doing that, or does security load something external (something other that the rules listed on the rule enable/disable page)?

    The three policies enable different sets of rules.  These are pre-defined by the Snort VRT.  The policy membership of a given rule is contained within a metadata statement in the text.  Use grep and search the Snort rules files for these phrases to see which rules belong to which policy:

    policy connectivity-ips, policy balanced-ips, and policy security-ips

    Many of the rules containing one of these metadata values will be disabled by default (have the semicolon in front of the text).  What Snort does when you select a policy is find all the rules containing the target policy in their metadata, then it enables those rules by removing any semicolons if present.  So selecting all the Rule Categories on the Categories tab will only get you part of the way there.  You will still have to individually enable the commented-out rules.  That's why using the policy option in the drop-down is better.  I am really puzzled why it is not working for you.

    As one last troubleshooting attempt, have you tried force flushing the cache on your browser?  Or how about a forced refresh while the blank page is displayed?

    Bill


  • Banned

    This is exactly why I wanted the widescreen package back. It needs to be able to scale the width of any column.



  • @bmeeks:

    The three policies enable different sets of rules.  These are pre-defined by the Snort VRT.  The policy membership of a given rule is contained within a metadata statement in the text.  Use grep and search the Snort rules files for these phrases to see which rules belong to which policy:

    policy connectivity-ips, policy balanced-ips, and policy security-ips

    Many of the rules containing one of these metadata values will be disabled by default (have the semicolon in front of the text).  What Snort does when you select a policy is find all the rules containing the target policy in their metadata, then it enables those rules by removing any semicolons if present.  So selecting all the Rule Categories on the Categories tab will only get you part of the way there.  You will still have to individually enable the commented-out rules.  That's why using the policy option in the drop-down is better.  I am really puzzled why it is not working for you.

    As one last troubleshooting attempt, have you tried force flushing the cache on your browser?  Or how about a forced refresh while the blank page is displayed?

    Bill

    Already tried forcing refresh, clearing cache, restarting browser… nothing. It was working absolutely perfectly before the update, but I'm not going back, carp sync is more important.
    Is there any way to force snort to rewrite the "security" part? Like deleting a file and restarting or something? Deselecting VRT rules, restarting snort and then reenabling them doesn't work.


  • Banned

    Deinstall, reboot, install and see if it goes away.



  • @Supermule:

    Deinstall, reboot, install and see if it goes away.

    Already tried that, just tried it again with no luck. I'm off to bed for now. Thank you all for your help so far.



  • @bmeeks:

    @Nukama:

    Hey Bill,

    thanks for this great package!

    The alert tab in this version overlaps the IPv6 addresses over columns.

    Hmm…I am having problems getting the various browsers to line-break properly.  Thank you for the feedback on this problem.

    The issue with the Alerts tab is needing to display more information than there really is available column width.  Will take another crack at it.  Have not found a way yet to signal the browser to break on say the colon ":" in the IPv6 address.  If anyone has a suggestion, I'm all ears.

    Bill

    Try the status_dhcpv6_leases.php, it outgrows the border to fit in information.



  • @jflsakfja:

    @Supermule:

    Deinstall, reboot, install and see if it goes away.

    Already tried that, just tried it again with no luck. I'm off to bed for now. Thank you all for your help so far.

    I think you said "Security" was the only policy that did not display correctly.  Is that right?  So for instance, Connectivity and Balanced display OK?

    Is your locale set to display the screens in English or another language?

    Do you have more than one interface enabled for Snort?  If so, do all interfaces exhibit the same problem?

    Sorry to pepper you with questions, but I really want to try and figure out what the problem is.

    Edit:  Oh, and one other thing you can check to see if the "Security" policy is actually in place.  It could just be a display issue.  Follow the steps below to investigate.

    1.  Under Diagnostics choose Edit File.

    2.  Navigate to /usr/pbi/snort__{arch}_/etc/snort/  (where {arch} is either "amd64" or "i386" depending on your CPU)

    3.  In the directory will be one or more snort_xxxx_xxx sub-directories.  They correspond to each configured Snort interface.  If you have Snort only on the WAN, then there will be only one of these additional snort_xxxx_xxx sub-directories.  The "xxxx_xxx" will be a random UUID created for the interface followed by the NIC driver name and number.  For example, on my VM test box the directory is called snort_33226_em0.

    4.  Navigate down into the snort_xxxx_xxx directory for the interface giving you the problem.  In the directory is a rules directory.  Navigate down into it and click the snort.rules rule to view it.  It should be full of rule text lines, all uncommented and all containing "policy security-ips" in the metadata.  If the file is present and contains the correct rules, then Snort is actually using the policy defined and your problem is purely a display issue.  If the snort.rules file is empty, then we definitely have something strange going on.

    Bill
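    Bill's explanation of how a policy is selected from the "policy ...-ips" metadata and the snort.rules check in step 4 above both hinge on the same parsing. This added Python example (not the pfSense Snort package's own PHP code) does both on constructed sample rules: it counts rules per policy as the suggested grep would, builds the uncommented rule set for one policy, and checks a generated file the way step 4 does. It assumes a disabled rule is one commented out with a leading '#'.

```python
"""Snort IPS policy membership: which rules a policy enables, and how to check a generated snort.rules.

Added example for this thread; not code from the pfSense Snort package.  Sample rules are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

RULE_ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")
POLICIES = ("connectivity-ips", "balanced-ips", "security-ips")

_METADATA_RE = re.compile(r"metadata:\s*([^;]*);")
# one "policy <name>-ips [drop|alert]" entry inside the metadata option
_POLICY_RE = re.compile(r"policy\s+([a-z]+-ips)(?:\s+(drop|alert))?")
_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


@dataclass
class Rule:
    text: str                      # rule body with any leading '#' removed
    disabled: bool                 # True when the line was commented out
    sid: Optional[int]
    policies: Dict[str, str] = field(default_factory=dict)  # policy -> action ('' if none)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one line of a rules file; return None for blank lines and plain comments.

    Assumption: a disabled rule is the rule text behind a leading '#'."""
    stripped = line.strip()
    disabled = stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    words = body.split(None, 1)
    if not words or words[0] not in RULE_ACTIONS:
        return None
    policies: Dict[str, str] = {}
    meta = _METADATA_RE.search(body)
    if meta:
        for name, action in _POLICY_RE.findall(meta.group(1)):
            policies[name] = action
    sid = _SID_RE.search(body)
    return Rule(body, disabled, int(sid.group(1)) if sid else None, policies)


def policy_counts(lines: Iterable[str]) -> Dict[str, int]:
    """What a grep for 'policy connectivity-ips' etc. would show: rules per policy."""
    counts = {p: 0 for p in POLICIES}
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        for name in rule.policies:
            if name in counts:
                counts[name] += 1
    return counts


def apply_policy(lines: Iterable[str], policy: str) -> List[str]:
    """Build the rule set for one policy: every rule whose metadata names it, uncommented.

    Rules that do not belong to the policy are left out, whether or not they were enabled."""
    return [rule.text for rule in map(parse_rule, lines)
            if rule is not None and policy in rule.policies]


def verify_rules_file(lines: Iterable[str], policy: str) -> Dict[str, int]:
    """Step-4 check on a generated snort.rules: every rule should be uncommented and carry `policy`."""
    stats = {"rules": 0, "disabled": 0, "missing_policy": 0}
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        stats["rules"] += 1
        if rule.disabled:
            stats["disabled"] += 1
        if policy not in rule.policies:
            stats["missing_policy"] += 1
    return stats


# Constructed sample in the VRT metadata layout; sids 9000001-9000004 are placeholders.
SAMPLE_RULES = """\
# constructed sample rules (not a real VRT file)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE in all three policies"; flow:to_server,established; content:"sample-a"; http_header; metadata:impact_flag red, policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:9000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE disabled by default, security only"; flow:to_server,established; content:"sample-b"; http_header; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE balanced alert, security drop"; metadata:policy balanced-ips alert, policy security-ips drop; classtype:misc-activity; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE no policy membership"; metadata:service http; classtype:misc-activity; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    lines = SAMPLE_RULES.splitlines()
    print("rules per policy:", policy_counts(lines))
    for policy in POLICIES:
        generated = apply_policy(lines, policy)
        print(f"{policy}: {len(generated)} rules ->", verify_rules_file(generated, policy))
```

    Run against a real snort.rules for the interface, a non-zero "disabled" or "missing_policy" count is the "something strange" Bill describes, while all zeros with a non-zero rule count points at a display problem.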



  • @bmeeks:

    @gogol:

    I tested a Virtual Machine which gave me the same errors. I even installed a fresh system on this VM and restored a configuration file. Same result. Both on WAN DHCP. I even compared both configuration files of 2.5.7 and 2.5.8 but could not see a problem there.

    So, package 2.5.7 works on both systems and package 2.5.8 does not. I really like the options you made in 2.5.8 but for now I can't use it. Do you think there is a way I can update the firmware and install the old package 2.5.7?

    I hope there will be others that have the same experience ;)

    There was a change in the 2.5.8 code in the way it selected the gateways and WAN IPs to add to the default Whitelist and HOME_NET collections, but I can't for the life of me see how that could translate to what you are seeing.  Not saying it can't be related, but how it might be related escapes me at the moment.  I will keep testing my own VMs to see if I can replicate this.

    As for running 2.5.7 on the new firmware, that is relatively easy to pull off if you are willing to copy some files around.  Here is what to do:

    Rollback to your 2.5.7 setup and copy the following files off to a set of directories in /tmp.

    First, create the following directories in /tmp:  www and pkg.

    Next, navigate to /usr/local/pkg/snort and copy the files there to the /tmp/pkg directory created earlier.

    Repeat the step above except the source directory is /usr/local/www/snort and the destination is /tmp/www.

    Now update the firmware.  This will also update Snort to 2.5.8, but that is OK.  After the reboot from the update and the package reinstallation completes, copy the saved files back to their original locations.  Copy the /tmp/pkg files to /usr/local/pkg/snort, and copy the /tmp/www files to /usr/local/www/snort.

    Stop and restart Snort, and you should have 2.5.7 running on the new firmware.  It will say "2.5.8" on the Packages screens because that is what PBI thinks it installed, but the header on the actual Snort pages should say 2.5.7.

    Thank you, that worked! Although I see some strange file permissions (077).

    I did some further testing. Deinstalled snort without saving configuration and configured it from scratch: same problems.
    Then I installed a fresh pfSense RC0 Fri May 31 from a memory stick to hard disk, restored the configuration file and rebooted: same problems.
    An alert and then "check_reload_status" as I mentioned before.

    I am out of options now (well I can install pfSense system from scratch but then I need a day or so) and need an answer from the developers. Very weird!



  • @gogol:

    I did some further testing. Deinstalled snort without saving configuration and configured it from scratch: same problems.
    Then I installed a fresh pfSense RC0 Fri May 31 from a memory stick to hard disk, restored the configuration file and rebooted: same problems.
    An alert and then "check_reload_status" as I mentioned before.

    Just so I'm clear, does the 2.5.8 package start and run fine until the first Alert, and then it starts going haywire?  And one more question.  Does it go haywire on the first Alert, or the first Alert with a Block?  I'm wondering if something is weird with Spoink, the snort2c table, and the check_reload_status() tool.

    You could help me test this by configuring a VM and not checking the "Block Offenders" option.  Let it record Alerts, but tell it not to block on them.  Let's see if that keeps it stable.  Trying to isolate if the problem is with Snort itself, or if it might be related to Spoink.

    Bill



  • @Nukama:

    Try the status_dhcpv6_leases.php, it outgrows the border to fit in information.

    Thanks for the tip, but I wound up finding a different trick using a zero-width space character after each colon in an IPv6 address.  That seems to fix the column overrun on my test systems using IE10, Chrome and Firefox as browsers.

    This fix has been submitted via a Pull Request to the Core Team for review and approval.  The Snort Package Version number will not increment, though.  I will post back when the update has been pushed to the Packages repository.

    Bill



  • @bmeeks:

    @gogol:

    I did some further testing. Deinstalled snort without saving configuration and configured it from scratch: same problems.
    Then I installed a fresh pfSense RC0 Fri May 31 from a memory stick to hard disk, restored the configuration file and rebooted: same problems.
    An alert and then "check_reload_status" as I mentioned before.

    Just so I'm clear, does the 2.5.8 package start and run fine until the first Alert, and then it starts going haywire?  And one more question.  Does it go haywire on the first Alert, or the first Alert with a Block?  I'm wondering if something is weird with Spoink, the snort2c table, and the check_reload_status() tool.

    You could help me test this by configuring a VM and not checking the "Block Offenders" option.  Let it record Alerts, but tell it not to block on them.  Let's see if that keeps it stable.  Trying to isolate if the problem is with Snort itself, or if it might be related to Spoink.

    Bill

    I found it!

    This bug #2555 also describes what I discovered, and this topic also made me think. I have Intel NICs (82574L) and I switched my WAN interface to a Realtek one. Problem gone!
    It must be a driver issue although the Intel NICs are recommended and were stable.

    Fingers crossed!!!!



  • @gogol:

    I found it!

    This bug #2555 also describes what I discovered, and this topic also made me think. I have Intel NICs (82574L) and I switched my WAN interface to a Realtek one. Problem gone!
    It must be a driver issue although the Intel NICs are recommended and were stable.

    Fingers crossed!!!!

    Great news!  Another user in the thread topic you linked was also having a problem with a newer Intel NIC (using the fxp0 driver).  He swapped out his card and his problems also went away.

    Bill



  • Yes I referred to that post but mangled my link. Corrected that now.

    Just wanted 2.5.8 so badly that I spent a day looking for solutions  ;D

    But I can't change the driver for my Virtual Machine  >:(



  • @bmeeks:

    Another user in the thread topic you linked was also having a problem with a newer Intel NIC (using the fxp0) driver.
    He swapped out his card and his problems also went away.

    Unless something changed very recently, the fxp(4) FreeBSD driver is used for ancient (mid-1990s) 100Mbps Intel NICs.

    For best results it is recommended to use relatively recent (less than 10 years old) Intel GbE NICs such as those supported by the em(4) driver, and IMHO avoid wasting developers' time troubleshooting 20 year old hardware …

    PS: bmeeks keep up your fine work !!!



  • @gogol:

    But I can't change the driver for my Virtual Machine  >:(

    If it's VMware, yes you can.  Simply choose e1000 in the NIC options (for ESXi).  For Workstation you can manually edit the vmx file.  Do a quick Google search.  VMware will usually by default configure the e1000 NIC driver for virtual machines.  This driver will show up in pfSense as "em0".

    Bill



  • We are going off-topic but I have a Mac and Parallels Desktop. Too bad :'(



  • @gogol:

    We are going off-topic but I have a Mac and Parallels Desktop. Too bad :'(

    Oh…there is VMware Fusion for the Mac ... :D



  • Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

    /usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

    /usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
    #some comments
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
    and so on and so forth…
    As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled, used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
    I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.



  • I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

    [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This should give a clue I guess?



  • @gogol:

    I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

    [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This should give a clue I guess?

    Yep, the box is running out of memory to hold the rules from the IPS Security policy as it loads them into an array for manipulation.  Can you give the amount of RAM configured in your box and whether you are running a 32-bit or 64-bit pfSense kernel?

    Bill



  • @jflsakfja:

    Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

    /usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

    /usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
    #some comments
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
    and so on and so forth…
    As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled, used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
    I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.

    Same question for you as for gogol:

    How much RAM is installed in your firewall and are you running 32-bit or 64-bit pfSense?

    Can you list for me the exact sequence of steps you go through to get the blank page?  Where do you click and in what order?  I want to try and reproduce this by configuring a VM with the same specs and then duplicating your steps precisely.

    Oh, and the "xxxx" in my previous post was referring to that "7104" number.  That is a unique identifier (UUID) generated by the system for each configured Snort interface.  Each one will be different, hence I just said "xxxx" in my post.

    Bill


  • Banned

    I needed 4GB to run Snort in a stable state. 2GB was not enough to load all the rules and it pulled a Swap file error on me.

    Did a lot of searching together with Bill to come to that conclusion :)



  • @bmeeks:

    @gogol:

    I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

    [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This should give a clue I guess?

    Yep, the box is running out of memory to hold the rules from the IPS Security policy as it loads them into an array for manipulation.  Can you give the amount of RAM configured in your box and whether you are running a 32-bit or 64-bit pfSense kernel?

    Bill

    I have 2 GB Ram on a 32bit system. I have 1 snort sensor and Dashboard says that I use 67% Ram. I tested on a VM and upped it to 4 GB of Ram. Dashboard says 49% of Ram used, but I get the same crash report.



  • If I load some ET rules + IPS Security, Snort is using +2 GB RAM on my system with AC as memory performance option. So it could be that your system is running out of memory. Either for Snort process or PHP possibly.


  • Banned

    I run AC-Sparsebands. Try that and see if it makes a difference.



  • In my case it doesn't matter how much memory Snort uses, I just thought of mentioning it to remind that Snort is a resource hog with a lot of rules loaded up. My box has 8 GB RAM and I run AMD64 version of Snort, so memory usage isn't really a problem :)



    Thanks for all of the hard work on this. I just updated today. All went well so far and I am loving the new features! Just gotta wait and see if auto updates run ok. ;)



  • @gogol:

    I have 2 GB Ram on a 32bit system. I have 1 snort sensor and Dashboard says that I use 67% Ram. I tested on a VM and upped it to 4 GB of Ram. Dashboard says 49% of Ram used, but I get the same crash report.

    Sorry to continue with questions, but I need one more answered to help me reproduce.  Besides the Snort VRT rules, what others are you running?

    Emerging Threats (if yes, how many categories are selected)?

    Snort GPLv2 Community Rules?

    I will send you a PM with my e-mail address, and if you don't mind I would like for you to send me a copy of your config.xml (or at least the sections for Snort).  I want to reproduce your setup and see if I can force the same problem.

    Bill



  • [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This is related to a 128 MB php memory limit set in the conf files.

    In some packages I use this code to set a larger memory limit.

    // Raise PHP's memory_limit above the 128M default, but only on 64-bit (amd64) systems
    $uname = posix_uname();
    if ($uname['machine'] === 'amd64') {
        ini_set('memory_limit', '250M');
    }
    


  • @bmeeks:

    @jflsakfja:

    Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

    /usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

    /usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
    #some comments
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
    and so on and so forth…
    As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled, used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
    I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.

    Same question for you as for gogol:

    How much RAM is installed in your firewall and are you running 32-bit or 64-bit pfSense?

    Can you list for me the exact sequence of steps you go through to get the blank page?  Where do you click and in what order?  I want to try and reproduce this by configuring a VM with the same specs and then duplicating your steps precisely.

    Oh, and the "xxxx" in my previous post was referring to that "7104" number.  That is a unique identifier (UUID) generated by the system for each configured Snort interface.  Each one will be different, hence I just said "xxxx" in my post.

    Bill

    Please re-read my post. /usr/pbi/snort_i386/ is miles away from /usr/local/etc/snort. UUID has nothing to do with it.

    I'm running 2GB of RAM in a 32 bit pfsense. Just selecting Security shows the blank page. Running GPLv2 rules (ALL), emerging threats (ALL) and VRT rules (guessed it right, ALL). AC-BNFA. I have never run out of memory during all the previous years running this setup, as previously mentioned RAM usage never goes above 40% and that's on the days that clients are downloading, webservers get hammered and so on and so forth (WORST CASE SCENARIO), so it's not the memory that's the problem. The problem lies within a change introduced in the last package version.
    Not meaning to sound rude or anything, but once it happens, twice is a coincidence, third time something's wrong.

    Install a 32 bit pfsense in a vm, install snort package and select everything I mentioned above. I bet you'll get the blank page.



  • @dhatz:

    @bmeeks:

    Another user in the thread topic you linked was also having a problem with a newer Intel NIC (using the fxp0) driver.
    He swapped out his card and his problems also went away.

    Unless something changed very recently, the fxp(4) FreeBSD driver is used for ancient (mid-1990s) 100Mbps Intel NICs.

    For best results it is recommended to use relatively recent (less than 10 years old) Intel GbE NICs such as those supported by the em(4) driver, and IMHO avoid wasting developers' time troubleshooting 20 year old hardware …

    PS: bmeeks keep up your fine work !!!

    I wonder why my 82574L Intel NIC doesn't work and an old Realtek 8139 does with Snort version 2.5.8. Anyway I am going to replace the Realtek NIC with an Intel Pro 1000 GT card. Let us see what happens then.


  • Banned

    I have it running no issues in a VM using E1000 driver on Dual port Intel Server NIC's.



  • @Supermule:

    I have it running no issues in a VM using E1000 driver on Dual port Intel Server NIC's.

    Even on a VM on a MAC with the em0 driver I have the same issues (alert -> check_reload_status -> high cpu -> filter reset). Still wondering  ;)

