Snort 2.9.4.1 pkg v.2.5.8



  • @gogol:

    We are going off-topic but I have a Mac and Parallels Desktop. Too bad :'(

    Oh…there is VMware Fusion for the Mac ... :D



  • Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

    /usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

    /usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
    #some comments
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
    and so on and so forth…
    As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled, used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
    I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.



  • I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

    [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This should give a clue I guess?



  • @gogol:

    I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

    [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This should give a clue I guess?

    Yep, the box is running out of memory to hold the rules from the IPS Security policy as it loads them into an array for manipulation.  Can you give the amount of RAM configured in your box and whether you are running a 32-bit or 64-bit pfSense kernel?

    Bill



  • @jflsakfja:

    Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

    /usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

    /usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
    #some comments
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
    and so on and so forth…
    As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled, used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
    I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.

    Same question for you as for gogol:

    How much RAM is installed in your firewall and are you running 32-bit or 64-bit pfSense?

    Can you list for me the exact sequence of steps you go through to get the blank page?  Where do you click and in what order?  I want to try and reproduce this by configuring a VM with the same specs and then duplicating your steps precisely.

    Oh, and the "xxxx" in my previous post was referring to that "7104" number.  That is a unique identifier (UUID) generated by the system for each configured Snort interface.  Each one will be different, hence I just said "xxxx" in my post.

    Bill


  • Banned

    I needed 4GB to run Snort in a stable state. 2GB was not enough to load all the rules and it pulled a Swap file error on me.

    Did a lot of searching together with Bill to come to that conclusion :)



  • @bmeeks:

    @gogol:

    I also see the behavior of a blank screen when IPS Security is enabled, but also a crash report:

    [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This should give a clue I guess?

    Yep, the box is running out of memory to hold the rules from the IPS Security policy as it loads them into an array for manipulation.  Can you give the amount of RAM configured in your box and whether you are running a 32-bit or 64-bit pfSense kernel?

    Bill

    I have 2 GB RAM on a 32-bit system. I have 1 snort sensor and Dashboard says that I use 67% RAM. I tested on a VM and upped it to 4 GB of RAM. Dashboard says 49% of RAM used, but I get the same crash report.



  • If I load some ET rules + IPS Security, Snort is using +2 GB RAM on my system with AC as memory performance option. So it could be that your system is running out of memory. Either for Snort process or PHP possibly.


  • Banned

    I run AC-Sparsebands. Try that and see if it makes a difference.



  • In my case it doesn't matter how much memory Snort uses, I just thought of mentioning it to remind that Snort is a resource hog with a lot of rules loaded up. My box has 8 GB RAM and I run AMD64 version of Snort, so memory usage isn't really a problem :)



  • Thanks for all of the hard work on this. I just updated today. All went well so far and i am loving the new features! Just gotta wait and see if auto updates run ok. ;)



  • @gogol:

    I have 2 GB RAM on a 32-bit system. I have 1 snort sensor and Dashboard says that I use 67% RAM. I tested on a VM and upped it to 4 GB of RAM. Dashboard says 49% of RAM used, but I get the same crash report.

    Sorry to continue with questions, but I need one more answered to help me reproduce.  Besides the Snort VRT rules, what others are you running?

    Emerging Threats (if yes, how many categories are selected)?

    Snort GPLv2 Community Rules?

    I will send you a PM with my e-mail address, and if you don't mind I would like for you to send me a copy of your config.xml (or at least the sections for Snort).  I want to reproduce your setup and see if I can force the same problem.

    Bill



  • [02-Jun-2013 11:33:13 Europe/Amsterdam] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12488260 bytes) in /usr/local/www/csrf/csrf-magic.php on line 157
    

    This is related to the 128 MB PHP memory limit set in the conf files.

    In some packages I use this code to set a larger memory limit.

    $uname=posix_uname();
    if ($uname['machine']=='amd64')
            ini_set('memory_limit', '250M');
    


  • @bmeeks:

    @jflsakfja:

    Only security gives me the blank page, as previously stated. I'm using iceweasel (for all intents and purposes it's identical to firefox).

    /usr/pbi/snort_i386/etc/snort/snort_xxxx_em1/snort.rules does not exist

    /usr/local/etc/snort/snort_7104_em1/rules/snort.rules on the other hand exists and contains:
    #some comments
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, /|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
    and so on and so forth…
    As you can see it shows security-ips. It's not that security is not used, it's just not displayed properly. As I said above it was working fine just before the update, updated and now both systems show that behaviour (security selected, enabled, used, but rule edit page is completely blank). Is that the only file that gets parsed to display the results on the IPS Policy Security rule edit page (the one that comes up blank)?
    I can't remember if system B (slave) displayed this behaviour before the first post-update sync. But system B definitely shows blank page now, maybe something got messed up on system A (master) and got replicated to B.

    Same question for you as for gogol:

    How much RAM is installed in your firewall and are you running 32-bit or 64-bit pfSense?

    Can you list for me the exact sequence of steps you go through to get the blank page?  Where do you click and in what order?  I want to try and reproduce this by configuring a VM with the same specs and then duplicating your steps precisely.

    Oh, and the "xxxx" in my previous post was referring to that "7104" number.  That is a unique identifier (UUID) generated by the system for each configured Snort interface.  Each one will be different, hence I just said "xxxx" in my post.

    Bill

    Please re-read my post. /usr/pbi/snort_i386/ is miles away from /usr/local/etc/snort. UUID has nothing to do with it.

    I'm running 2GB of RAM in a 32 bit pfsense. Just selecting Security shows the blank page. Running GPLv2 rules (ALL), emerging threats (ALL) and VRT rules (guessed it right, ALL). AC-BNFA. I have never run out of memory during all the previous years running this setup; as previously mentioned, RAM usage never goes above 40% and that's on the days that clients are downloading, webservers get hammered and so on and so forth (WORST CASE SCENARIO), so it's not the memory that's the problem. The problem lies within a change introduced in the last package version.
    Not meaning to sound rude or anything, but once it happens, twice is a coincidence, third time something's wrong.

    Install a 32 bit pfsense in a vm, install snort package and select everything I mentioned above. I bet you'll get the blank page.



  • @dhatz:

    @bmeeks:

    Another user in the thread topic you linked was also having a problem with a newer Intel NIC (using the fxp0) driver.
    He swapped out his card and his problems also went away.

    Unless something changed very recently, the fxp(4) FreeBSD driver is used for ancient (mid-1990s) 100Mbps Intel NICs.

    For best results it is recommended to use relatively recent (less than 10 years old) Intel GbE NICs such as those supported by the em(4) driver, and IMHO avoid wasting developers' time troubleshooting 20 year old hardware …

    PS: bmeeks keep up your fine work !!!

    I wonder why my 82574L Intel NIC doesn't work and an old Realtek 8139 does with Snort version 2.5.8. Anyway I am going to replace the Realtek NIC with an Intel Pro 1000 GT card. Let us see what happens then.


  • Banned

    I have it running no issues in a VM using E1000 driver on Dual port Intel Server NIC's.



  • @Supermule:

    I have it running no issues in a VM using E1000 driver on Dual port Intel Server NIC's.

    Even on a VM on a MAC with the em0 driver I have the same issues (alert -> check_reload_status -> high cpu -> filter reset). Still wondering  ;)



  • @jflsakfja:

    Please re-read my post. /usr/pbi/snort_i386/ is miles away from /usr/local/etc/snort. UUID has nothing to do with it.

    I'm running 2GB of RAM in a 32 bit pfsense. Just selecting Security shows the blank page. Running GPLv2 rules (ALL), emerging threats (ALL) and VRT rules (guessed it right, ALL). AC-BNFA. I have never run out of memory during all the previous years running this setup; as previously mentioned, RAM usage never goes above 40% and that's on the days that clients are downloading, webservers get hammered and so on and so forth (WORST CASE SCENARIO), so it's not the memory that's the problem. The problem lies within a change introduced in the last package version.
    Not meaning to sound rude or anything, but once it happens, twice is a coincidence, third time something's wrong.

    Install a 32 bit pfsense in a vm, install snort package and select everything I mentioned above. I bet you'll get the blank page.

    Sorry about giving you the wrong path.  I am confusing different users' environments.  Hard to keep the posts with similar problems separated sometimes.  From your path, you are on 2.0.x and not 2.1.  Users on 2.1 will have the /usr/pbi/ path.  Both paths will have a UUID as part of the snort interface sub-directory name.

    I am testing this scenario.

    Bill



  • Yea, I publicly apologize for not providing more specific info. I'm running 2.0.3 (latest stable?), 32 bit, 2GB RAM, 3.4HT p4 cpu, supermicro p4sci motherboard (2 onboard intel nics) and a pci-x dual intel card. Install is on a gmirror with 2 40GB sata drives running off the board. Don't forget that there are 2 systems arranged in a CARP cluster. Running AC-BNFA.
    If you need more info please let me know. I'm not able to access the systems for a couple of days (out of town) but I'll try my best to answer from memory. As far as I can say it's not that it's running out of memory, it's not reading/parsing a file needed for the rule edit page, hence the blank page. There are no out of memory errors or cannot access file or anything, on my installs, just the blank security page. I can verify this by looking at the various logs. I'll repeat myself, balanced works ok, other edit pages work ok (GPL, all ET categories) and I can disable/enable rules, but when security is selected the page is blank. I can still edit GPL and all ET categories, just not IPS Policy Security.
    The same problem is replicated to the slave/backup system.



  • @jflsakfja:

    Yea, I publicly apologize for not providing more specific info. I'm running 2.0.3 (latest stable?), 32 bit, 2GB RAM, 3.4HT p4 cpu, supermicro p4sci motherboard (2 onboard intel nics) and a pci-x dual intel card. Install is on a gmirror with 2 40GB sata drives running off the board. Don't forget that there are 2 systems arranged in a CARP cluster. Running AC-BNFA.
    If you need more info please let me know. I'm not able to access the systems for a couple of days (out of town) but I'll try my best to answer from memory. As far as I can say it's not that it's running out of memory, it's not reading/parsing a file needed for the rule edit page, hence the blank page. There are no out of memory errors or cannot access file or anything, on my installs, just the blank security page. I can verify this by looking at the various logs. I'll repeat myself, balanced works ok, other edit pages work ok (GPL, all ET categories) and I can disable/enable rules, but when security is selected the page is blank. I can still edit GPL and all ET categories, just not IPS Policy Security.
    The same problem is replicated to the slave/backup system.

    I was able to reliably reproduce the problem.  It is caused by the way a global array was being "released" in the new code.  In an attempt to use less memory overall, the 2.5.8 package was tweaked so that an initial list of all the rules was loaded once as a global array and then used several times during the enforcing rules building process.  This same trick is also a part of the IPS Policy rule selection.  Ironically, the new "optimization" was the cause of the memory problem.  The new code was not properly releasing this global array when it was finished with it.  Thus the PHP process itself would run up against the default 128 MB limit set in the php.ini file on pfSense and crash.  This caused the blank page.  Bumping that value up to 250 MB as marcelloc suggested was a workaround, but it did not really get at the root of the problem.  I tried his suggestion first in testing and it worked, but then some Google research turned up the proper (and not well documented, by the way) procedure for deleting or releasing global variables.  Instead of unset($my_var), you must use unset($GLOBALS['my_var']).

    The problem is not running out of RAM on the firewall itself, but rather the PHP process that is running the current web page you are viewing runs up against the 128 MB process limit set for an individual PHP process.  Once that happens, HTML page construction stops and you get the blank page.  You should be able to look in /tmp/PHP_errors.log and see messages in that file about PHP not being able to allocate additional memory.

    After making the change for releasing global variables, I no longer get the blank page even when leaving the PHP process memory limit at the default of 128 MB.  I will submit a fix for this error later today for review and approval by the Core Team.  Once they approve, it will be posted in the Packages repository.

    To cause this problem, you have to select a large number of Rule Categories.  If using just the Snort VRT policy with either none or very few ET rule categories enabled, you don't see it.  It manifests itself when you really load up with all the Rule Categories as you suggested.  Thanks for reporting this problem.  Solving it helped me learn something new about PHP coding.. ;D

    Bill
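    The behaviour Bill describes above, shown as an added example (this is not code from the pfSense Snort package or from any poster in this thread). It assumes the rule list was built inside a function that bound the array with `global`, which is the situation where `unset($var)` only drops the function's local alias while the global array stays alive; `unset($GLOBALS['var'])` removes the symbol itself and the memory is returned. The function and variable names and the rule text are constructed for the illustration.

    ```php
    <?php
    // Added example, not pfSense Snort package code.
    // Demonstrates why unset($var) on a `global` alias does not free a large
    // global array, while unset($GLOBALS['var']) does. All names here
    // ($g_rules, load_rules_global, ...) are hypothetical.

    function load_rules_global(int $count): void {
        global $g_rules;              // $g_rules is a local alias to the global symbol
        $g_rules = [];
        for ($i = 0; $i < $count; $i++) {
            // Constructed filler standing in for one Snort rule line
            $g_rules[] = 'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                       . '(msg:"constructed rule ' . $i . '"; sid:' . (1000000 + $i) . '; rev:1;)';
        }
    }

    function release_wrong(): void {
        global $g_rules;
        unset($g_rules);              // removes only the local alias; the global array survives
    }

    function release_right(): void {
        unset($GLOBALS['g_rules']);   // removes the global symbol; refcount drops to zero, memory freed
    }

    function mem_mb(): float {
        return round(memory_get_usage() / 1048576, 2);
    }

    printf("memory_limit in effect: %s\n", ini_get('memory_limit'));
    $baseline = mem_mb();

    load_rules_global(200000);
    printf("after load:                %7.2f MB (baseline %.2f MB)\n", mem_mb(), $baseline);

    release_wrong();
    printf("after unset(\$g_rules):     %7.2f MB, global still set: %s\n",
           mem_mb(), isset($GLOBALS['g_rules']) ? 'yes' : 'no');

    release_right();
    printf("after unset(\$GLOBALS[..]): %7.2f MB, global still set: %s\n",
           mem_mb(), isset($GLOBALS['g_rules']) ? 'yes' : 'no');
    ```

    Run it with the CLI (`php example.php`); the second line shows the array is still resident after the wrong release, and the third shows memory back near the baseline. At file scope, `unset($var)` is sufficient, so the distinction only bites in functions that use `global`, which is exactly where a per-request leak accumulates until the 128 MB `memory_limit` mentioned in the log line above is hit.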



    Successfully installed snort, but on start it gives back the following error in system.log > "FATAL ERROR: /usr/local/etc/snort/snort_61463_msk0/snort.conf(87) Unknown config directive: enable_gtp"

    Tried unchecking the option "Enable GTP Detection" in preprocessor, but it doesn't start.

    anyone experiencing this problem?

    Thx



  • @marcosasjr:

    Successfully installed snort, but on start it gives back the following error in system.log > "FATAL ERROR: /usr/local/etc/snort/snort_61463_msk0/snort.conf(87) Unknown config directive: enable_gtp"

    Tried unchecking the option "Enable GTP Detection" in preprocessor, but it doesn't start.

    anyone experiencing this problem?

    Thx

    You are missing a required Preprocessor.  Instead of "unchecking" the Enable GTP Detection preprocessor, "check it".  In fact, you generally should enable ALL of the Preprocessors except for Sensitive Data and the two SCADA ones.

    This post has some general tips for getting Snort up and running.  Proper matching of enabled Preprocessors and selected rules is key to getting Snort to run.

    http://forum.pfsense.org/index.php/topic,61018.msg328717.html#msg328717

    Bill



  • @bmeeks:

    @marcosasjr:

    Successfully installed snort, but on start it gives back the following error in system.log > "FATAL ERROR: /usr/local/etc/snort/snort_61463_msk0/snort.conf(87) Unknown config directive: enable_gtp"

    Tried unchecking the option "Enable GTP Detection" in preprocessor, but it doesn't start.

    anyone experiencing this problem?

    Thx

    You are missing a required Preprocessor.  Instead of "unchecking" the Enable GTP Detection preprocessor, "check it".  In fact, you generally should enable ALL of the Preprocessors except for Sensitive Data and the two SCADA ones.

    This post has some general tips for getting Snort up and running.  Proper matching of enabled Preprocessors and selected rules is key to getting Snort to run.

    http://forum.pfsense.org/index.php/topic,61018.msg328717.html#msg328717

    Bill

    Thx Bill, but I tried with the box checked and got the same error, tried with the box unchecked and had the same error.

    I read your post, very good post, the only difference is why not use snort VRT and tried to enable but I had the same error…

    :(



  • @marcosasjr:

    Thx Bill, but I tried with the box checked and got the same error, tried with the box unchecked and had the same error.

    I read your post, very good post, the only difference is why not use snort VRT and tried to enable but I had the same error…

    :(

    Oops…misread your original error message.  It is not liking a value in the snort.conf file.  I initially thought it said "rule option", but it says config directive in snort.conf.  Tell me what rule categories you have enabled, and the version of pfSense.  From the path given in your error message, I am guessing 2.0.3.  Is it 32-bit or 64-bit?

    Bill



  • @bmeeks:

    @marcosasjr:

    Thx Bill, but I tried with the box checked and got the same error, tried with the box unchecked and had the same error.

    I read your post, very good post, the only difference is why not use snort VRT and tried to enable but I had the same error…

    :(

    Oops…misread your original error message.  It is not liking a value in the snort.conf file.  I initially thought it said "rule option", but it says config directive in snort.conf.  Tell me what rule categories you have enabled, and the version of pfSense.  From the path given in your error message, I am guessing 2.0.3.  Is it 32-bit or 64-bit?

    Bill

    Yes, my version is pfsense 2.0.3 64-bit.
    My rules categories:
    snort_botnet-cnc.rules
    snort_ddos.rules
    snort_scan.rules
    snort_virus.rules

    Other tests:
    - Checked only snort_ddos.rules in rules categories
    - Tested too with "Use IPS Policy" checkbox checked and "IPS Policy" checked

    But same error



  • @marcosasjr:

    Yes, my version is pfsense 2.0.3 64-bit.

    Would you mind posting the contents of /usr/local/etc/snort/snort_61463_msk0/snort.conf for me?  You can obscure IP addresses in it if you wish.  I am thus far unable to replicate this problem, so I need a look at your snort.conf file.

    Thanks,
    Bill



  • @Nukama:

    Hey Bill,

    thanks for this great package!

    The alert tab in this version overlaps the IPv6 addresses over columns.

    The fix for this is now posted.  The Snort Package version number was not incremented, but you can pick up the fix by simply reinstalling the GUI components.  Go to System…Packages and then the Installed Packages tab.  Click the XML icon next to Snort to reinstall the GUI files.  That should do it.

    Bill



  • @bmeeks:

    @marcosasjr:

    Yes, my version is pfsense 2.0.3 64-bit.

    Would you mind posting the contents of /usr/local/etc/snort/snort_61463_msk0/snort.conf for me?  You can obscure IP addresses in it if you wish.  I am thus far unable to replicate this problem, so I need a look at your snort.conf file.

    Thanks,
    Bill

    Thx Bill,

    snort.conf attached.

    snort.txt



  • @bmeeks:

    I was able to reliably reproduce the problem.  It is caused by the way a global array was being "released" in the new code.  In an attempt to use less memory overall, the 2.5.8 package was tweaked so that an initial list of all the rules was loaded once as a global array and then used several times during the enforcing rules building process.  This same trick is also a part of the IPS Policy rule selection.  Ironically, the new "optimization" was the cause of the memory problem.  The new code was not properly releasing this global array when it was finished with it.  Thus the PHP process itself would run up against the default 128 MB limit set in the php.ini file on pfSense and crash.  This caused the blank page.  Bumping that value up to 250 MB as marcelloc suggested was a workaround, but it did not really get at the root of the problem.  I tried his suggestion first in testing and it worked, but then some Google research turned up the proper (and not well documented, by the way) procedure for deleting or releasing global variables.  Instead of unset($my_var), you must use unset($GLOBALS['my_var']).

    The problem is not running out of RAM on the firewall itself, but rather the PHP process that is running the current web page you are viewing runs up against the 128 MB process limit set for an individual PHP process.  Once that happens, HTML page construction stops and you get the blank page.  You should be able to look in /tmp/PHP_errors.log and see messages in that file about PHP not being able to allocate additional memory.

    After making the change for releasing global variables, I no longer get the blank page even when leaving the PHP process memory limit at the default of 128 MB.  I will submit a fix for this error later today for review and approval by the Core Team.  Once they approve, it will be posted in the Packages repository.

    To cause this problem, you have to select a large number of Rule Categories.  If using just the Snort VRT policy with either none or very few ET rule categories enabled, you don't see it.  It manifests itself when you really load up with all the Rule Categories as you suggested.  Thanks for reporting this problem.  Solving it helped me learn something new about PHP coding.. ;D

    Bill

    Glad I could be of help  ;D. I'll report back when I get back to the systems, could be a couple of days which should give time for the fix to be available anyways.

    PS.
    Did I mention how much I love the SYNC feature? If it was less than 5 times, I'll say it again. Love the new SYNC feature  ;D



  • @marcosasjr:

    Thx Bill,

    snort.conf attached.

    marcosasjr:

    I found a line-break problem in the file attached to your last post, but it was not in the section where you were getting the error.  It's further down at line 130 in the {http_methods} section.  There is a newline in the file you posted at the end of the parameter CCM_POST in that section.  It should not be there.  I don't know if that happened during file transfer and attaching to the forum post, or if the original file on your firewall has the same issue.

    Have you tried these steps?  This will force a rebuild of the snort.conf file on your setup.

    1.  From the Snort Interfaces tab, click the green icon to toggle Snort "off".  The icon will turn into a red X.

    2.  Click the icon to edit the Snort interface and then click the Save button on the interface edit tab.

    3.  This will return you to the Snort Interfaces tab.  Click the red X to start Snort.  If successful, it will turn green in a few seconds.

    4.  If that doesn't work, try an uninstall and reinstall.  Click the Global Settings tab and be sure the checkbox near the bottom of the page is checked so Snort will save settings upon a deinstall.  Next, go to the Installed Packages tab (under the System…Packages menu) and click the X icon to completely remove Snort.  When the uninstall finishes, go to the Available Packages tab and install it again fresh.

    5.  You can also have Snort locally verify the configuration file.  Run this command sequence from a console prompt on the firewall.  These are two separate commands with ENTER pressed after typing each one:

    cd /usr/local/etc/snort/snort_61463_msk0
    /usr/local/bin/snort -T -c ./snort.conf
    

    Snort will read and validate the configuration file.  It will report any error and the line number where the error was.

    Report back and let me know if any of the above worked.

    Bill



  • @gogol:

    @dhatz:

    @bmeeks:

    Another user in the thread topic you linked was also having a problem with a newer Intel NIC (using the fxp0) driver.
    He swapped out his card and his problems also went away.

    Unless something changed very recently, the fxp(4) FreeBSD driver is used for ancient (mid-1990s) 100Mbps Intel NICs.

    For best results it is recommended to use relatively recent (less than 10 years old) Intel GbE NICs such as those supported by the em(4) driver, and IMHO avoid wasting developers' time troubleshooting 20 year old hardware …

    PS: bmeeks keep up your fine work !!!

    I wonder why my 82574L Intel NIC doesn't work and an old Realtek 8139 does with Snort version 2.5.8. Anyway I am going to replace the Realtek NIC with an Intel Pro 1000 GT card. Let us see what happens then.

    I saw a change made to "check_reload_status" and decided to try again my Intel NIC with a snapshot "2.1-RC0 (i386) built on Mon Jun 3 08:27:21 EDT 2013" and Snort block works again!
    Another riddle solved.



  • @bmeeks:

    @marcosasjr:

    Thx Bill,

    snort.conf attached.

    marcosasjr:

    I found a line-break problem in the file attached to your last post, but it was not in the section where you were getting the error.  It's further down at line 130 in the {http_methods} section.  There is a newline in the file you posted at the end of the parameter CCM_POST in that section.  It should not be there.  I don't know if that happened during file transfer and attaching to the forum post, or if the original file on your firewall has the same issue.

    Have you tried these steps?  This will force a rebuild of the snort.conf file on your setup.

    1.  From the Snort Interfaces tab, click the green icon to toggle Snort "off".  The icon will turn into a red X.

    2.  Click the icon to edit the Snort interface and then click the Save button on the interface edit tab.

    3.  This will return you to the Snort Interfaces tab.  Click the red X to start Snort.  If successful, it will turn green in a few seconds.

    4.  If that doesn't work, try an uninstall and reinstall.  Click the Global Settings tab and be sure the checkbox near the bottom of the page is checked so Snort will save settings upon a deinstall.  Next, go to the Installed Packages tab (under the System…Packages menu) and click the X icon to completely remove Snort.  When the uninstall finishes, go to the Available Packages tab and install it again fresh.

    5.  You can also have Snort locally verify the configuration file.  Run this command sequence from a console prompt on the firewall.  These are two separate commands with ENTER pressed after typing each one:

    cd /usr/local/etc/snort/snort_61463_msk0
    /usr/local/bin/snort -T -c ./snort.conf
    

    Snort will read and validate the configuration file.  It will report any error and the line number where the error was.

    Report back and let me know if any of the above worked.

    Bill

    Hi Bill,

    Thx for help,

I tried these steps and again now step 4…

Attached are the archive "test snort.txt" from step 5 and snort.conf as "snort.txt".

    [test snort.txt](/public/imported_attachments/1/test snort.txt)
    snort.txt

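The line-break problem Bill describes (an unescaped newline after CCM_POST inside the http_methods list, which ends a backslash-continued preprocessor line early) is easy to miss by eye in a long snort.conf. The following checker is an added example, not part of the original thread or of the pfSense Snort package: it walks a config and reports any line that ends while a `{ ... }` list is still open and no trailing backslash continues it. The two sample configs are constructed for illustration; `find_broken_continuations` and `check_file` are names chosen here, not anything the package provides.

```python
"""
Detect unescaped newlines inside brace-delimited lists in a snort.conf.

Snort joins lines that end in a backslash into one logical line.  A newline
inside an open '{' list that is *not* preceded by a backslash ends the
logical line early, and `snort -T -c snort.conf` then fails at that spot.
"""
from typing import List, Tuple


def find_broken_continuations(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each suspicious line in conf_text."""
    problems: List[Tuple[int, str]] = []
    depth = 0  # '{' nesting depth carried across continued lines
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing spaces
        if not line.strip():
            # A blank line always terminates the logical line.
            if depth > 0:
                problems.append((lineno, "blank line inside an open '{' list"))
            continue
        continued = line.endswith("\\")
        body = line[:-1] if continued else line
        depth += body.count("{") - body.count("}")
        if depth < 0:
            problems.append((lineno, "unmatched '}'"))
            depth = 0
        elif depth > 0 and not continued:
            problems.append(
                (lineno, "line ends inside an open '{' list without a trailing '\\'"))
    return problems


def check_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper: run the check on a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_broken_continuations(fh.read())


# Constructed samples (shortened method lists; real ones are much longer).
GOOD_CONF = """\
preprocessor http_inspect_server: server default \\
    http_methods { GET POST PUT SEARCH CCM_POST } \\
    chunk_length 500000
"""

# Same block, but with the stray newline after CCM_POST from the thread.
BAD_CONF = """\
preprocessor http_inspect_server: server default \\
    http_methods { GET POST PUT SEARCH CCM_POST
 } \\
    chunk_length 500000
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        for lineno, reason in find_broken_continuations(text):
            print(f"{name}: line {lineno}: {reason}")
```

Run it against `/usr/local/etc/snort/snort_<id>_<if>/snort.conf` with `check_file(path)`; it is cheaper than a full `snort -T` pass and points at the exact line to repair, but it only catches this one class of mistake, so still let Snort validate the file afterwards.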


  • @marcosasjr:

    Hi Bill,

    Thx for help,

I tried these steps and again now step 4…

Attached are the archive "test snort.txt" from step 5 and snort.conf as "snort.txt".

    I do not visually see anything wrong in the attached snort.conf file.  This one is really puzzling.  I will make a fresh 2.0.3 64-bit VM, import your file, and test with it to see if I can reproduce the problem.  Give me a day for troubleshooting.

    Thanks,
    Bill



  • @bmeeks:

    @marcosasjr:

    Hi Bill,

    Thx for help,

I tried these steps and again now step 4…

Attached are the archive "test snort.txt" from step 5 and snort.conf as "snort.txt".

    I do not visually see anything wrong in the attached snort.conf file.  This one is really puzzling.  I will make a fresh 2.0.3 64-bit VM, import your file, and test with it to see if I can reproduce the problem.  Give me a day for troubleshooting.

    Thanks,
    Bill

    Hi Bill,
    Thanks for great help,
    I'll be watching the topic.



  • @marcosasjr:

    Hi Bill,
    Thanks for great help,
    I'll be watching the topic.

    marcosasjr:

    I created a clean 2.0.3 64-bit install on a VMware Workstation virtual machine and imported the snort.conf file you sent.  I did have to edit the file to change the interface names, but I changed nothing anywhere else in the file.  It validated fine, and Snort started just fine on the VM.  I even selected the rule categories you listed in a previous post, and everything worked.

    By the way, are you aware that those rule categories you had selected are basically empty of rules?  You can see what I mean by viewing them on the RULES tab.  Select each one, and any rules present in the file will show up below.  The Snort VRT folks have restructured the rules files a bit and many of the old names are now empty shells.  A number of those you listed are empty shells.  That's not your problem with Snort not starting, but just pointing out that with those selected you have basically zero protection from Snort.  Much better to check the "Use IPS Policy" checkbox and choose either "Connectivity, Balanced or Security".  I suggest "Connectivity" if you are just starting out with Snort.

    Now back to the topic and your problem – at this point I really have no idea what is wrong on your end.  The file you sent me was fine.  As far as I know, you are the only user to experience this problem.  So that indicates to me it is something unique with your installation.

    What language setup do you have on your box and what browser are you using?  Try taking the exact file you sent me and copying it back to the firewall.  Download it fresh from your post here, then copy it back to the firewall on top of the original and try to start Snort.  Instead of trying to start from the GUI, execute this command at a console prompt to start Snort.  This sequence will not rebuild the snort.conf file prior to starting.  The GUI start will always rebuild the snort.conf from scratch.

    Command to start Snort without rebuilding snort.conf file:

    /usr/local/etc/rc.d/snort.sh start
    

    As a last resort, you can clear the box for Snort to save settings and then remove Snort from the firewall.  Reboot the firewall, then install Snort fresh again.  You will have to reconfigure all the Snort settings, but maybe that will fix it.

    Bill



  • @bmeeks:

    @Nukama:

    Hey Bill,

    thanks for this great package!

    The alert tab in this version overlaps the IPv6 addresses over columns.

    The fix for this is now posted.  The Snort Package version number was not incremented, but you can pick up the fix by simply reinstalling the GUI components.  Go to System…Packages and then the Installed Packages tab.  Click the XML icon next to Snort to reinstall the GUI files.  That should do it.

    Bill

    Thanks Bill,

    this patch does introduce line breaks in the alert tab.
    Copy and pasting is problematic when a parser is the next step.
    Good work for this fixed width limitation.



  • @Nukama:

    Thanks Bill,

    this patch does introduce line breaks in the alert tab.
    Copy and pasting is problematic when a parser is the next step.
    Good work for this fixed width limitation.

    Yeah, I knew copy and paste could be a problem given the inserted zero-width characters.  It was the best option I could find.  I never could find any tricks to tell the browser to break on something other than spaces or hyphens.

    Bill

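Since the alert tab now wraps long IPv6 addresses by inserting zero-width characters, text copied from it will not parse as-is (Nukama's point above). The snippet below is an added example, not code from the thread or the package: it strips the usual zero-width code points before handing the text to a parser, and shows that `ipaddress` rejects the raw copy but accepts the cleaned one. The pasted line is constructed; the set of code points stripped is an assumption about what a browser-facing wrap might insert, and the names are chosen here.

```python
"""
Sanitize text copied from a web page that uses zero-width characters
for soft line breaks, then parse IPv6 addresses out of it.
"""
import ipaddress
import re
from typing import List, Optional, Union

# Zero-width and word-joiner code points a page may insert to let the
# browser wrap long tokens (assumed set; extend if your copy shows others).
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")

IPV6_TOKEN = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]*")


def strip_zero_width(text: str) -> str:
    """Remove zero-width characters so tokens are contiguous again."""
    return ZERO_WIDTH.sub("", text)


def parse_address(token: str) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    """Parse one address token, returning None instead of raising."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def addresses_from_pasted_line(line: str) -> List[ipaddress.IPv6Address]:
    """Return every valid IPv6 address found in a pasted alert line."""
    cleaned = strip_zero_width(line)
    found: List[ipaddress.IPv6Address] = []
    for match in IPV6_TOKEN.finditer(cleaned):
        addr = parse_address(match.group(0))
        if isinstance(addr, ipaddress.IPv6Address):
            found.append(addr)
    return found


# Constructed example of a pasted alert row with U+200B after some colons.
PASTED = ("2001:\u200bdb8:\u200b1234::\u200b10\t2001:\u200bdb8::\u200b53\t"
          "alert (constructed sample)")

if __name__ == "__main__":
    print(parse_address("2001:\u200bdb8::1"))        # None: raw copy is rejected
    print(addresses_from_pasted_line(PASTED))        # two IPv6Address objects
```

Run the sanitizer as the first step of whatever parser consumes the copied alerts; the zero-width characters are invisible in most editors, so a parse failure on an address that "looks right" is the usual symptom.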


  • I am noticing that if I disable a few rules in current events and then click on apply, it disables the interface but the pid is still running.  I then click start on the interface and it just makes a new pid on top of the old one.



  • I've recently changed from subscriber to paid Snort rules and have disabled the community rules download from update tab, but the rules tab of my interface shows this error:

    
    The following input errors were detected:
    
        GPLv2_community.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.
    
    

    The drop down list still shows the community rules, but it's obviously empty. Shouldn't the category have been removed when I no longer have the community rules downloaded at all?

    Editing rules category tab and restarting Snort cleared the empty community rules selection from the rules tab and the error is no more.



  • @shinzo:

    I am noticing that if I disable a few rules in current events and then click on apply, it disables the interface but the pid is still running.  I then click start on the interface and it just makes a new pid on top of the old one.

    I just tested this scenario and could not reproduce the issue.  When you are looking at the icons on the Snort Interfaces tab, remember that starting with this new 2.5.8 package they were swapped so that the green arrow means "Snort is running" and the red X means "Snort is stopped" on the interface.  The tooltip text was updated to reflect this.  If you hover over the icon for a few seconds the tooltip will appear and show the current state of Snort.

    When you say "disabled", are you talking about the text displayed next to the icon?  If so, wait several seconds on the page and then hit the refresh button for your browser.  See if that changes the display.
    Bill


Log in to reply