    Snort and Backdoor Rules not working

    pfSense Packages
    AhnHEL:

      Ruleset was updated yesterday and I noticed Snort wasn't blocking spyware from newegg.com anymore. Looked in the logs and confirmed Snort showed up as not starting successfully, promiscuous mode disabled, and some other complaint about backdoor rules:

      Sep-13-2007.5:17:18 PM.Daemon.Error.10.33.40.1.UDP.Sep 13 17:17:21 snort[4709]: FATAL ERROR: Unable to open rules file: /usr/local/etc/snort/rules/backdoor.rules or /usr/local/etc/snort//usr/local/etc/snort/rules/backdoor.rules….............

      Unchecked this rule and Snort is working again. Can anyone else confirm this?

      Using ac performance method with 2 gigs of RAM/full install on white box

      AhnHEL (Angel)
      NYC

      4 *sense sites:
      Dell R210 II, Xeon 1230v2, 16GB RAM, 940/880 Mbps
      Dell R210 II, Xeon 1240v2, 8GB RAM, 940/880 Mbps
      Dell R210 II, Xeon 1220, 8GB RAM, 100/30 Mbps
      Dell 7010 Optiplex SFF, i5-3570, 16GB RAM, 100/30 Mbps

      AhnHEL:

        OK, tracked it all down to Backdoor rules, Netbios, and Misc. rules. These 3 categories are not allowing Snort to initialize. Are any of these 3 problematic for anyone else, or is it something within my own setup that causes this?

        I have all other rules enabled and snort is successfully working, alerting and blocking.

        Latest snort update 9/11/07


        welliott:

          Have had the issue with only the Netbios rules myself. As soon as I check it and save, Snort crashes and won't restart.

          coolcat1975:

            The following rules are not working here:

            pfSense in ac mode

            backdoor
            content-replace
            misc
            netbios
            web-php

            In lowmem mode Snort works fine.

            Regards,

            cc

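Added example, not code from this thread or from the pfSense Snort package: a POSIX shell check that reads a snort.conf the way Snort does at startup, lists every included rules file with $RULE_PATH expanded, reports any that are missing, and prints the configured detection search-method (the ac/lowmem setting coolcat1975 and AhnHEL mention). The doubled directory in AhnHEL's log line is Snort re-trying the same file name relative to the snort.conf directory after the first open failed, which is exactly the condition this check catches before Snort does. The function names, the temp-directory layout and the constructed snort.conf built by make_demo_conf are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): validate the
# "include $RULE_PATH/<category>.rules" lines of a snort.conf before starting
# Snort. Snort 2.x aborts with "Unable to open rules file: X or <confdir>/X"
# when an included file cannot be opened; this script reports it up front.

# Print each included rules file with $RULE_PATH expanded, one per line.
snort_rule_includes() {
    conf="$1"
    conf_dir=$(dirname "$conf")
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    # A relative RULE_PATH is taken relative to the directory holding snort.conf.
    case "$rule_path" in
        /*) ;;
        *) rule_path="$conf_dir/$rule_path" ;;
    esac
    awk '$1 == "include" { print $2 }' "$conf" | sed "s|[\$]RULE_PATH|$rule_path|"
}

# Return 0 if every included rules file is readable; otherwise print each
# missing one as "MISSING: <path>" and return 1.
snort_check_includes() {
    missing=0
    for f in $(snort_rule_includes "$1"); do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f"
            missing=1
        fi
    done
    return $missing
}

# Print the value of "config detection: search-method <x>" (e.g. ac, lowmem),
# or "default" when the conf does not set one.
snort_search_method() {
    m=$(awk '$1 == "config" && $2 == "detection:" {
            for (i = 3; i <= NF; i++)
                if ($i == "search-method") { v = $(i + 1); sub(/,$/, "", v); print v }
        }' "$1")
    echo "${m:-default}"
}

# Number of rules files the conf includes.
snort_include_count() {
    snort_rule_includes "$1" | awk 'END { print NR }'
}

# Constructed demo config (an assumption, not a real pfSense layout): one
# category file present and backdoor.rules deliberately absent, matching the
# failure in the thread. Prints the path of the generated snort.conf.
make_demo_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/rules"
    : > "$d/rules/web-attacks.rules"
    cat > "$d/snort.conf" <<EOF
var RULE_PATH rules
config detection: search-method ac
include \$RULE_PATH/web-attacks.rules
include \$RULE_PATH/backdoor.rules
EOF
    echo "$d/snort.conf"
}

demo=$(make_demo_conf)
echo "search-method: $(snort_search_method "$demo")"
if snort_check_includes "$demo"; then
    echo "all $(snort_include_count "$demo") rules files present"
else
    echo "Snort would refuse to start; restore or uncheck the missing category"
fi
```

Run it against a real config by replacing the demo path with /usr/local/etc/snort/snort.conf (the path from AhnHEL's log); a category whose file is reported MISSING is the one to uncheck or re-download, and the search-method line shows whether the box is running the memory-hungry ac matcher or lowmem.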
            AhnHEL:

              I got Netbios to work if I disable Exploit and Chat. Rule Categories are so finicky with Snort.

              Just noticed too that the recent update 11/6/07 doesn't reflect my own ruleset when I compare it to the changelog. For example, SPYWARE-PUT Adware adblaster 2.0 runtime detection is not listed in the Deleted category. According to the 11/6 changelog this rule was moved to Deleted, but my ruleset still shows the rule in Spyware-Put. I am a Premium member and I'm referring to the 2.6 changelog.

              http://www.snort.org/vrt/docs/ruleset_changelogs/2_6/changes-2007-11-06.html


              trendchiller:

                SQL rules are also a problem...

                In lowmem mode it works fine without SQL...
