Netgate Discussion Forum

Snort

pfSense Packages
9 Posts 4 Posters 7.2k Views
• shaddow501

Hello All

Does anyone know why snort doesn't show any alerts in the alerts tab?

The service is running and all seems to work, but I still don't see any alerts.

• firestorm

I seem to have the same problems.

I'm running 1.2 RC2 on an X86 box.

Here are some of the logs.

I don't understand why fxp1 would have "promiscuous mode disabled"; I'd have thought it would need to be in promiscuous mode to monitor the traffic, or does snort pick it up from the IP stack or something?

        Sep 26 07:51:12 kernel: fxp1: promiscuous mode disabled
Sep 26 07:49:50 SnortStartup[58572]: Ram free BEFORE starting Snort: 569M -- Ram free AFTER starting Snort: 436M -- Mode ac -- Snort memory usage:
        Sep 26 07:49:32 snort2c[58553]: snort2c running in daemon mode pid: 58553
        Sep 26 07:49:32 snort2c[58553]: snort2c running in daemon mode pid: 58553
        Sep 26 07:49:32 snort[58550]: Daemon initialized, signaled parent pid: 58548
        Sep 26 07:49:32 snort[58550]: Daemon initialized, signaled parent pid: 58548
        Sep 26 07:49:32 snort[58548]: Daemon parent exiting
        Sep 26 07:49:32 snort[58548]: Daemon parent exiting
        Sep 26 07:49:32 snort[58550]: Writing PID "58550" to file "/var/run//snort_fxp1.pid"
        Sep 26 07:49:32 snort[58550]: Writing PID "58550" to file "/var/run//snort_fxp1.pid"
        Sep 26 07:49:32 snort[58550]: PID path stat checked out ok, PID path set to /var/run/
        Sep 26 07:49:32 snort[58550]: PID path stat checked out ok, PID path set to /var/run/
        Sep 26 07:49:32 kernel: fxp1: promiscuous mode enabled
        Sep 26 07:49:32 snort[58548]: Initializing daemon mode
        Sep 26 07:49:32 snort[58548]: Initializing daemon mode
        Sep 26 07:49:32 kernel: fxp1: promiscuous mode disabled
        Sep 26 07:49:32 kernel: fxp1: promiscuous mode enabled
        Sep 26 07:49:32 snort[58548]: 329 out of 512 flowbits in use.
        Sep 26 07:49:32 snort[58548]: 329 out of 512 flowbits in use.
        Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
        Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
        Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'dce.bind.ca-alert' is checked but not ever set.
        Sep 26 07:49:32 snort[58548]: Warning: flowbits key 'dce.bind.ca-alert' is checked but not ever set.
        Sep 26 07:49:32 snort[58548]: Log directory = /var/log/snort
        Sep 26 07:49:32 snort[58548]: Log directory = /var/log/snort
        Sep 26 07:49:32 snort[58548]: Rule application order: ->activation->dynamic->pass->drop->alert->log
        Sep 26 07:49:32 snort[58548]: Rule application order: ->activation->dynamic->pass->drop->alert->log
Sep 26 07:49:32 snort[58548]: -------------------------------------------------------------------------------
Sep 26 07:49:32 snort[58548]: -------------------------------------------------------------------------------
Sep 26 07:49:32 snort[58548]: | none
Sep 26 07:49:32 snort[58548]: | none
Sep 26 07:49:32 snort[58548]: +-----------------------[suppression]------------------------------------------
Sep 26 07:49:32 snort[58548]: +-----------------------[suppression]------------------------------------------
        Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=12121 type=Limit tracking=src count=1 seconds=300
        Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=12121 type=Limit tracking=src count=1 seconds=300
        Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=8358 type=Limit tracking=src count=1 seconds=300
        Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=8358 type=Limit tracking=src count=1 seconds=300
        Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=5801 type=Limit tracking=src count=1 seconds=300
        Sep 26 07:49:32 snort[58548]: | gen-id=1 sig-id=5801 type=Limit tracking=src count=1 seconds=300

• AhnHEL

I had this same problem; one of the rule categories was causing it.

Disable all categories, and save.

Start enabling categories one by one, hit save each time, and watch the logs for a successful snort initialization until you find the rule category that is causing the problem.

Any time snort says "promiscuous mode disabled", snort is running but it's not going to work.
If, after a restart, it says "snort exiting" as the final log notice, then it's the same thing: it's running but it's not working.

          AhnHEL (Angel)

• Slam

I too have noticed nothing being logged. I don't have the issue of "promiscuous mode disabled" in my logs. I've tried AhnHEL's solution with no joy, even to the point of deinstalling, rebooting and reinstalling. I also tested by enabling the "scan.rules" and performed a full scan; nothing showed up in the snort alerts, nor was the online scan host blocked.

Also, nothing out of the ordinary shows up in my system log in regard to snort.

            1.2-RC2
            built on Wed Sep 26 15:54:17 EDT 2007

            Slam

• AhnHEL

The log entries below are what I get when snort starts up correctly along with squid. This is copied from my syslog server, so the entries run from top to bottom. I have all rules enabled except netbios, backdoor, and misc; those 3 categories all caused snort to exit for an unknown reason. I have 2 gigs of RAM, so I use the ac method because it allows snort to start up faster; the other methods use less RAM, but with a lot of rules enabled it can sometimes take up to 2 minutes for snort to initialize, which is way too slow, especially if you're trying to troubleshoot. With all those rule categories enabled, I'm only utilizing 34% of my RAM.

              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1      sig-id=5980      type=Limit    tracking=src count=1  seconds=300
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1      sig-id=5804      type=Limit    tracking=src count=1  seconds=300
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1      sig-id=7515      type=Limit    tracking=src count=1  seconds=300
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | gen-id=1      sig-id=7515      type=Limit    tracking=src count=1  seconds=300
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | none
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: | none
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: -------------------------------------------------------------------------------
Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: -------------------------------------------------------------------------------
              Sep-23-2007 6:40:49 AM Daemon.Notice Sep 23 06:40:49 snort[62782]: Rule application order: ->activation->dynamic->pass->drop->alert->log
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: 67 out of 512 flowbits in use.
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: 67 out of 512 flowbits in use.
              Sep-23-2007 6:40:49 AM Kernel.Info     UDP     Sep 23 06:40:49 kernel: fxp1: promiscuous mode enabled
              Sep-23-2007 6:40:49 AM Kernel.Info     UDP    Sep 23 06:40:49 kernel: fxp1: promiscuous mode disabled
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Initializing daemon mode
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Initializing daemon mode
              Sep-23-2007 6:40:49 AM Kernel.Info     UDP     Sep 23 06:40:49 kernel: fxp1: promiscuous mode enabled
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: PID path stat checked out ok, PID path set to /var/run/
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: PID path stat checked out ok, PID path set to /var/run/
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Writing PID "62783" to file "/var/run//snort_fxp1.pid"
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Writing PID "62783" to file "/var/run//snort_fxp1.pid"
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Daemon initialized, signaled parent pid: 62782
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62783]: Daemon initialized, signaled parent pid: 62782
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Daemon parent exiting
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort[62782]: Daemon parent exiting
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort2c[62786]: snort2c running in daemon mode pid: 62786
              Sep-23-2007 6:40:49 AM Daemon.Notice UDP Sep 23 06:40:49 snort2c[62786]: snort2c running in daemon mode pid: 62786
Sep-23-2007 6:41:06 AM Daemon.Info UDP Sep 23 06:41:07 SnortStartup[62798]: Ram free BEFORE starting Snort: 1847M -- Ram free AFTER starting Snort: 1625M -- Mode ac -- Snort memory usage:
              Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Snort initialization completed successfully (pid=62783)
              Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Snort initialization completed successfully (pid=62783)
              Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Not Using PCAP_FRAMES
              Sep-23-2007 6:41:17 AM Daemon.Notice UDP Sep 23 06:41:17 snort[62783]: Not Using PCAP_FRAMES
              Sep-23-2007 6:41:20 AM Local0.Info   UDP   Sep 23 06:41:21 pf: 27. 852854 rule 81/0(match): block in on fxp1: (tos 0x0, ttl 100, id 8462, offset 0, flags [none], proto: ICMP (1), length: 61) 218.253.166.193 > xx.xx.xx.xx: ICMP echo request, id 512, seq 26976, length 41
              Sep-23-2007 6:41:22 AM Local0.Info   UDP   Sep 23 06:41:23 pf: 2. 252989 rule 81/0(match): block in on fxp1: (tos 0x0, ttl  99, id 22353, offset 0, flags [none], proto: ICMP (1), length: 61) 218.253.166.193 > xx.xx.xx.xx: ICMP echo request, id 512, seq 63584, length 41
              Sep-23-2007 6:42:56 AM Daemon.Notice UDP Sep 23 06:42:57 snort2c[62786]: attack detected non-whitelisted ip: xx.xx.xx.xx blocked !
              Sep-23-2007 6:42:57 AM Daemon.Notice UDP Sep 23 06:42:57 snort2c[62786]: attack detected non-whitelisted ip: xx.xx.xx.xx blocked !

              Sometimes, I get this error if I reboot pfSense and Snort attempts to initialize:

              FATAL ERROR: Failed to Lock PID File "/var/run//snort_fxp1.pid" for PID "6624"

              I clear all the IPs in the Snort Blocked Tab, clear the snort logs, and then restart Snort and Squid together and this error goes away.

              Hope this helps.

              AhnHEL (Angel)

• Slam

The steps I took were to back up my config without package information, remove ALL packages (NTOP, IMSpector and Snort), reboot, restore my config, reboot again, and install the 3 packages I had removed. I probably didn't have to do all those steps, but eh, now Snort is working.

                Slam

• AhnHEL

After several reboots and many changes to my config, I've had snort restart several times, and from what I can see, clearing the blocked list, clearing the snort logs, going to the first snort tab and hitting save is a sure thing for me when it doesn't start right.

                  AhnHEL (Angel)

• Slam

I am still having problems. I have done a full clean install of pfSense using the 1.2-RC2 ISO built on Sun Sep 30 19:44:27 EDT 2007, because both Snort and IMSpector were giving me problems.

                    Oct 1 07:43:09 	ntop[1170]: THREADMGMT[t134610944]: ntop RUNSTATE: INIT(2)
                    Oct 1 07:43:09 	ntop[1170]: THREADMGMT[t134610944]: ntop RUNSTATE: PREINIT(1)
                    Oct 1 07:43:09 	snort[1178]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_ath0.pid" for PID "1178"
                    Oct 1 07:43:09 	snort[1178]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_ath0.pid" for PID "1178"
                    Oct 1 07:43:09 	snort[1178]: PID path stat checked out ok, PID path set to /var/run/
                    Oct 1 07:43:09 	snort[1178]: PID path stat checked out ok, PID path set to /var/run/
                    Oct 1 07:43:09 	snort[1177]: Initializing daemon mode
                    Oct 1 07:43:09 	snort[1177]: Initializing daemon mode
                    Oct 1 07:43:09 	snort[1177]: *** *** interface device lookup found: ath0 ***
                    Oct 1 07:43:09 	snort[1177]: *** *** interface device lookup found: ath0 ***
                    Oct 1 07:43:09 	snort[1177]: 0 out of 512 flowbits in use.
                    Oct 1 07:43:09 	snort[1177]: 0 out of 512 flowbits in use.
                    Oct 1 07:43:09 	snort[1177]: Log directory = /var/log/snort
                    Oct 1 07:43:09 	snort[1177]: Log directory = /var/log/snort
                    

From what I can tell, it's listening on the wrong interface. It should be listening on bfe0 (WAN); instead it's listening on ath0 (WLAN). When I manually change it to the correct interface, the logs show the correct thing:

                    Oct 1 07:45:06 	SnortStartup[1637]: Ram free BEFORE starting Snort: 29M -- Ram free AFTER starting Snort: 29M -- Mode ac-sparsebands -- Snort memory usage:
                    Oct 1 07:44:49 	snort[1607]: Not Using PCAP_FRAMES
                    Oct 1 07:44:49 	snort[1607]: Not Using PCAP_FRAMES
                    Oct 1 07:44:49 	snort[1607]: Snort initialization completed successfully (pid=1607)
                    Oct 1 07:44:49 	snort[1607]: Snort initialization completed successfully (pid=1607)
                    Oct 1 07:44:49 	snort2c[1610]: snort2c running in daemon mode pid: 1610
                    Oct 1 07:44:49 	snort2c[1610]: snort2c running in daemon mode pid: 1610
                    Oct 1 07:44:49 	snort[1607]: Daemon initialized, signaled parent pid: 1606
                    Oct 1 07:44:49 	snort[1607]: Daemon initialized, signaled parent pid: 1606
                    Oct 1 07:44:49 	snort[1606]: Daemon parent exiting
                    Oct 1 07:44:49 	snort[1606]: Daemon parent exiting
                    Oct 1 07:44:49 	snort[1607]: Writing PID "1607" to file "/var/run//snort_bfe0.pid"
                    Oct 1 07:44:49 	snort[1607]: Writing PID "1607" to file "/var/run//snort_bfe0.pid"
                    Oct 1 07:44:49 	snort[1607]: PID path stat checked out ok, PID path set to /var/run/
                    Oct 1 07:44:49 	snort[1607]: PID path stat checked out ok, PID path set to /var/run/
                    Oct 1 07:44:49 	snort[1606]: Initializing daemon mode
                    Oct 1 07:44:49 	snort[1606]: Initializing daemon mode
                    

However, after a reboot it reverts to ath0. I have double-checked the settings in /cf/conf/config.xml and tried deleting /tmp/config.cache and rebooting, but the problem still occurs.

Also, I've just noticed something else that's strange; the log is showing:

                    Ram free BEFORE starting Snort: 29M -- Ram free AFTER starting Snort: 29M -- Mode ac-sparsebands -- Snort memory usage:
                    

I have 1 GB of RAM on the box, but on my dashboard it's showing mem usage 16%, and in phpsysinfo Physical Memory 16% - 850.51 MB - 163.91 MB - 1014.41 MB.

EDIT: disabling a rule (P2P) and hitting save generates the following:

Warning: Invalid argument supplied for foreach() in /usr/local/www/snort_rulesets.php on line 40

                    
                    Slam
• AhnHEL
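The thread gives three log signatures for a Snort instance that is "running but not working": AhnHEL's rule that a final "promiscuous mode disabled" (or "snort exiting") means the rules never loaded, and Slam's two reboot symptoms above, a stale PID lock ("Failed to Lock PID File") and Snort binding to ath0 instead of the WAN interface bfe0. The triage script below is an added example, not code from this thread or from the pfSense Snort package; it parses lines in the format posted here and returns finding tags, so an operator can check an exported log instead of reading it by eye. The sample log lines are constructed, modelled on the posted excerpts, and the `newest_first` flag is an assumption about the export: the pfSense status log page in firestorm's and Slam's posts lists newest entries first, while AhnHEL's syslog server lists oldest first, and the "last promiscuous state" verdict flips if the order is read the wrong way.

```python
"""Triage pfSense 1.2 Snort startup logs for the signatures discussed in this
thread. Added example, not code from the thread or from the pfSense Snort
package; the sample lines are constructed, modelled on the posted excerpts."""
import re
from dataclasses import dataclass, field

# Markers copied from the log excerpts in the thread.
RE_INIT_OK = re.compile(r"snort\[\d+\]: Snort initialization completed successfully")
RE_PROMISC = re.compile(r"kernel: (\w+): promiscuous mode (enabled|disabled)")
RE_PIDLOCK = re.compile(r'FATAL ERROR: Failed to Lock PID File "([^"]+)"')
RE_IFACE = re.compile(r"interface device lookup found: (\w+)")
RE_PIDFILE = re.compile(r'Writing PID "\d+" to file "[^"]*snort_(\w+)\.pid"')


@dataclass
class SnortStartup:
    initialized: bool = False
    promisc: dict = field(default_factory=dict)       # iface -> last state seen
    pid_lock_failures: list = field(default_factory=list)
    interfaces: set = field(default_factory=set)       # interfaces Snort bound to


def parse_snort_log(lines, newest_first=False):
    """Walk the lines in chronological order and record the startup state.

    newest_first=True is for the pfSense status log page (newest entry at the
    top); a syslog server export is oldest first. The promiscuous-mode verdict
    depends on which line is last, so the order is made explicit.
    """
    if newest_first:
        lines = list(reversed(lines))
    st = SnortStartup()
    for line in lines:
        if RE_INIT_OK.search(line):
            st.initialized = True
        if m := RE_PROMISC.search(line):
            st.promisc[m.group(1)] = m.group(2)
        if m := RE_PIDLOCK.search(line):
            st.pid_lock_failures.append(m.group(1))
        if m := (RE_IFACE.search(line) or RE_PIDFILE.search(line)):
            st.interfaces.add(m.group(1))
    return st


def diagnose(lines, expected_iface=None, newest_first=False):
    """Return a list of finding tags; an empty list means a healthy start."""
    st = parse_snort_log(lines, newest_first)
    findings = []
    if st.pid_lock_failures:
        findings.append("stale-pid-lock")          # thread fix: clear logs/blocked list, restart
    if expected_iface and st.interfaces and expected_iface not in st.interfaces:
        findings.append("wrong-interface")         # Slam: bound to ath0 instead of bfe0
    for iface, state in sorted(st.promisc.items()):
        if state == "disabled":
            findings.append(f"promisc-disabled:{iface}")  # AhnHEL: running but not working
    if not st.initialized:
        findings.append("no-init-complete")
    return findings


# Constructed samples, modelled on the excerpts posted in the thread.
HEALTHY_OLDEST_FIRST = [
    "Sep 23 06:40:49 kernel: fxp1: promiscuous mode enabled",
    "Sep 23 06:40:49 snort[62782]: Initializing daemon mode",
    'Sep 23 06:40:49 snort[62783]: Writing PID "62783" to file "/var/run//snort_fxp1.pid"',
    "Sep 23 06:41:17 snort[62783]: Snort initialization completed successfully (pid=62783)",
]
BROKEN_NEWEST_FIRST = [
    "Sep 26 07:51:12 kernel: fxp1: promiscuous mode disabled",
    'Sep 26 07:49:32 snort[58550]: Writing PID "58550" to file "/var/run//snort_fxp1.pid"',
    "Sep 26 07:49:32 kernel: fxp1: promiscuous mode enabled",
    "Sep 26 07:49:32 snort[58548]: Initializing daemon mode",
]
WRONG_IFACE_NEWEST_FIRST = [
    'Oct 1 07:43:09 snort[1178]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_ath0.pid" for PID "1178"',
    "Oct 1 07:43:09 snort[1177]: *** *** interface device lookup found: ath0 ***",
    "Oct 1 07:43:09 snort[1177]: Log directory = /var/log/snort",
]

if __name__ == "__main__":
    print(diagnose(HEALTHY_OLDEST_FIRST, "fxp1"))                        # []
    print(diagnose(BROKEN_NEWEST_FIRST, "fxp1", newest_first=True))       # ['promisc-disabled:fxp1', 'no-init-complete']
    print(diagnose(WRONG_IFACE_NEWEST_FIRST, "bfe0", newest_first=True))  # ['stale-pid-lock', 'wrong-interface', 'no-init-complete']
```

Run against the same newest-first excerpt without the flag, the script reports only the missing "initialization completed" line and misses the promiscuous-mode verdict, which is exactly the mistake the mixed log orders in this thread invite.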

I see the same exact thing on a reboot. Snort apparently takes some coaxing to run properly, and yes, I've seen that line 40 error as well of late.

                      This is not specific to just your system Slam, so no more clean installs, ok?  ;)

                      AhnHEL (Angel)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.