Snort Catalog List is Truncated



  • Is there any reason why the catalog list in snort is being truncated?  I haven't been able to find anything on the forums list regarding this issue.

    1. The package has been removed completely and reinstalled
    2. Attempted to remove the UI components

    Please see attachment for screenshot.

    Running:
    pfSense 2.1.5
    Snort 2.9.6.2 pkg 3.1.5
    ![Screen Shot 2014-11-11 at 15.08.28 .png](/public/imported_attachments/1/Screen Shot 2014-11-11 at 15.08.28 .png)



  • There should be a scroll bar on the right side of the page.  What browser and version are you using?

    Bill



  • Bill,

    Thanks for responding.

    I've tried Internet Explorer 8, 9, 10, 11, Firefox Nightly 36.0a1 (2014-11-11), Chrome Canary 41.0.2217.0, Chrome and Firefox (normal release versions).  I haven't tried Safari.

    I double checked and there is a lack of scroll bars.  Sorry about not including the browser version in my original reply.

    Ryan



  • Ryan:

    There should be a scrollbar on the very far right-hand side of your browser window.  I just tested on IE11 and it works fine.  I have also tested on Firefox and Chrome.  The scrollbar is provided by your browser and not the pfSense web application, so don't look within the smaller pfSense window. Instead, look at the far right of the browser window itself.

    Bill



  • Bill,

    The list is just truncated.  I will try to perform a fresh install and re-import my configuration.  It just seems really odd.  I inspected the code that was given to the web browser and the table is really truncated.

    Is there something I can look at in regards to logs regarding this package?  Is there a FAQ I could follow?

    Thanks,

    Ryan



  • The only way the table could be actually truncated is if quite a few of the rules files are actually missing.  All that code does is walk the *.rules files in the rules directory for the interface.  If the list is short and you are not getting scroll bars, then a pile of your rules files are missing.

    Go here and compare the folder contents to what is shown on the CATEGORIES tab:

    /usr/pbi/snort-amd64/etc/snort/rules  (this path assumes a 64-bit install, use snort-i386 if 32-bit)

    You should have a one-to-one correspondence between *.rules files in that folder and what is shown on the CATEGORIES tab.

    Bill
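
Added example, not part of the original thread and not code from the pfSense Snort package: a POSIX sh script that performs the one-to-one comparison described above, printing every *.rules file that exists in the rules directory but is absent from text copied off the CATEGORIES tab. The function names, the `demo` sample data and the `tab.txt` file name are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report *.rules files that exist on
# disk but are not named in text pasted from the CATEGORIES tab.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation order

# Print the basename of every *.rules file in directory $1, sorted.
list_rules() {
    for f in "$1"/*.rules; do
        if [ -e "$f" ]; then basename "$f"; fi
    done | sort
}

# Print every whitespace-separated token in file $1 that ends in ".rules".
# Heading text such as "Enabled Ruleset: ET Open Rules" is dropped.
gui_names() {
    tr -s ' \t' '\n\n' < "$1" | grep '\.rules$' | sort -u
}

# Print rules files present in directory $1 but missing from pasted text $2.
missing_from_gui() {
    tmp=$(mktemp -d) || return 1
    list_rules "$1" > "$tmp/disk"
    gui_names "$2" > "$tmp/gui"
    comm -23 "$tmp/disk" "$tmp/gui"
    rm -rf "$tmp"
}

# Constructed sample: a handful of file names taken from the thread's
# listing, and a paste in the three-column layout shown in the thread.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/rules"
    for n in emerging-games.rules emerging-icmp.rules snort_deleted.rules \
             snort_file-pdf.so.rules snort_icmp.so.rules VRT-License.txt; do
        : > "$d/rules/$n"
    done
    cat > "$d/tab.txt" <<'EOF'
Enabled Ruleset: ET Open Rules Enabled Ruleset: Snort Text Rules Enabled Ruleset: Snort SO Rules
emerging-games.rules snort_deleted.rules snort_file-pdf.so.rules
EOF
    missing_from_gui "$d/rules" "$d/tab.txt"
    rm -rf "$d"
}

# With two arguments compare a real directory and paste; otherwise run demo.
if [ "$#" -eq 2 ]; then missing_from_gui "$1" "$2"; else demo; fi
```

Run it as `sh check.sh /usr/pbi/snort-amd64/etc/snort/rules tab.txt`, where `tab.txt` holds the text copied from the tab. A file that the tab shows under a descriptive label instead of its file name will always be reported as missing.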



  • Bill,

    Here is the directory listing.  It is significantly different from what is shown in the web browser.

    /usr/pbi/snort-amd64/etc/snort/rules(13): ls -la
    total 12878
    drwxr-xr-x  2 root  wheel    4096 Nov 13 00:03 .
    drwxr-xr-x  6 root  wheel      512 Oct 15 00:30 ..
    -rw-r--r--  1 root  wheel  1320773 Nov 13 12:03 GPLv2_community.rules
    -rw-r--r--  1 root  wheel    19574 Nov 12 00:03 VRT-License.txt
    -rw-r--r--  1 root  wheel  296128 Nov 13 00:03 emerging-activex.rules
    -rw-r--r--  1 root  wheel    36073 Nov 13 00:03 emerging-attack_response.rules
    -rw-r--r--  1 root  wheel    32294 Nov 13 00:03 emerging-botcc.portgrouped.rules
    -rw-r--r--  1 root  wheel  120454 Nov 13 00:03 emerging-botcc.rules
    -rw-r--r--  1 root  wheel    26341 Nov 13 00:03 emerging-chat.rules
    -rw-r--r--  1 root  wheel    37894 Nov 13 00:03 emerging-ciarmy.rules
    -rw-r--r--  1 root  wheel    11948 Nov 13 00:03 emerging-compromised-ips.txt
    -rw-r--r--  1 root  wheel    43665 Nov 13 00:03 emerging-compromised.rules
    -rw-r--r--  1 root  wheel  665998 Nov 13 00:03 emerging-current_events.rules
    -rw-r--r--  1 root  wheel  761360 Nov 13 00:03 emerging-deleted.rules
    -rw-r--r--  1 root  wheel    21066 Nov 13 00:03 emerging-dns.rules
    -rw-r--r--  1 root  wheel    38408 Nov 13 00:03 emerging-dos.rules
    -rw-r--r--  1 root  wheel    17339 Nov 13 00:03 emerging-drop.rules
    -rw-r--r--  1 root  wheel    3116 Nov 13 00:03 emerging-dshield.rules
    -rw-r--r--  1 root  wheel  120376 Nov 13 00:03 emerging-exploit.rules
    -rw-r--r--  1 root  wheel    11745 Nov 13 00:03 emerging-ftp.rules
    -rw-r--r--  1 root  wheel    28762 Nov 13 00:03 emerging-games.rules
    -rw-r--r--  1 root  wheel    2243 Nov 13 00:03 emerging-icmp.rules
    -rw-r--r--  1 root  wheel    2324 Nov 13 00:03 emerging-icmp_info.rules
    -rw-r--r--  1 root  wheel    2225 Nov 13 00:03 emerging-imap.rules
    -rw-r--r--  1 root  wheel    8143 Nov 13 00:03 emerging-inappropriate.rules
    -rw-r--r--  1 root  wheel  110225 Nov 13 00:03 emerging-info.rules
    -rw-r--r--  1 root  wheel  405496 Nov 13 00:03 emerging-malware.rules
    -rw-r--r--  1 root  wheel    3145 Nov 13 00:03 emerging-misc.rules
    -rw-r--r--  1 root  wheel    53475 Nov 13 00:03 emerging-mobile_malware.rules
    -rw-r--r--  1 root  wheel    30268 Nov 13 00:03 emerging-netbios.rules
    -rw-r--r--  1 root  wheel    43277 Nov 13 00:03 emerging-p2p.rules
    -rw-r--r--  1 root  wheel  238847 Nov 13 00:03 emerging-policy.rules
    -rw-r--r--  1 root  wheel    2186 Nov 13 00:03 emerging-pop3.rules
    -rw-r--r--  1 root  wheel    1963 Nov 13 00:03 emerging-rbn-malvertisers.rules
    -rw-r--r--  1 root  wheel    1934 Nov 13 00:03 emerging-rbn.rules
    -rw-r--r--  1 root  wheel    2474 Nov 13 00:03 emerging-rpc.rules
    -rw-r--r--  1 root  wheel    9401 Nov 13 00:03 emerging-scada.rules
    -rw-r--r--  1 root  wheel    88756 Nov 13 00:03 emerging-scan.rules
    -rw-r--r--  1 root  wheel    59877 Nov 13 00:03 emerging-shellcode.rules
    -rw-r--r--  1 root  wheel    3592 Nov 13 00:03 emerging-smtp.rules
    -rw-r--r--  1 root  wheel    8895 Nov 13 00:03 emerging-snmp.rules
    -rw-r--r--  1 root  wheel    3808 Nov 13 00:03 emerging-sql.rules
    -rw-r--r--  1 root  wheel    2979 Nov 13 00:03 emerging-telnet.rules
    -rw-r--r--  1 root  wheel    3583 Nov 13 00:03 emerging-tftp.rules
    -rw-r--r--  1 root  wheel  658972 Nov 13 00:03 emerging-tor.rules
    -rw-r--r--  1 root  wheel  1277850 Nov 13 00:03 emerging-trojan.rules
    -rw-r--r--  1 root  wheel    28038 Nov 13 00:03 emerging-user_agents.rules
    -rw-r--r--  1 root  wheel    7243 Nov 13 00:03 emerging-voip.rules
    -rw-r--r--  1 root  wheel  117263 Nov 13 00:03 emerging-web_client.rules
    -rw-r--r--  1 root  wheel  191974 Nov 13 00:03 emerging-web_server.rules
    -rw-r--r--  1 root  wheel  2859281 Nov 13 00:03 emerging-web_specific_apps.rules
    -rw-r--r--  1 root  wheel    8973 Nov 13 00:03 emerging-worm.rules
    -rw-r--r--  1 root  wheel    49276 Nov 12 00:03 snort_app-detect.rules
    -rw-r--r--  1 root  wheel    1061 Nov 12 00:03 snort_attack-responses.rules
    -rw-r--r--  1 root  wheel    1037 Nov 12 00:03 snort_backdoor.rules
    -rw-r--r--  1 root  wheel    1046 Nov 12 00:03 snort_bad-traffic.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_bad-traffic.so.rules
    -rw-r--r--  1 root  wheel  991486 Nov 12 00:03 snort_blacklist.rules
    -rw-r--r--  1 root  wheel    1043 Nov 12 00:03 snort_botnet-cnc.rules
    -rw-r--r--  1 root  wheel    12012 Nov 12 00:03 snort_browser-chrome.rules
    -rw-r--r--  1 root  wheel    80242 Nov 12 00:03 snort_browser-firefox.rules
    -rw-r--r--  1 root  wheel  552007 Nov 12 00:03 snort_browser-ie.rules
    -rw-r--r--  1 root  wheel    3363 Nov 12 00:04 snort_browser-ie.so.rules
    -rw-r--r--  1 root  wheel    13200 Nov 12 00:03 snort_browser-other.rules
    -rw-r--r--  1 root  wheel      521 Nov 12 00:04 snort_browser-other.so.rules
    -rw-r--r--  1 root  wheel  1280071 Nov 12 00:03 snort_browser-plugins.rules
    -rw-r--r--  1 root  wheel    3452 Nov 12 00:04 snort_browser-plugins.so.rules
    -rw-r--r--  1 root  wheel    29568 Nov 12 00:03 snort_browser-webkit.rules
    -rw-r--r--  1 root  wheel    1025 Nov 12 00:03 snort_chat.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_chat.so.rules
    -rw-r--r--  1 root  wheel    8015 Nov 12 00:03 snort_content-replace.rules
    -rw-r--r--  1 root  wheel    1025 Nov 12 00:03 snort_ddos.rules
    -rw-r--r--  1 root  wheel    23552 Nov 12 00:03 snort_deleted.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_dos.so.rules
    -rw-r--r--  1 root  wheel      811 Nov 12 00:04 snort_exploit-kit.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_exploit.so.rules
    -rw-r--r--  1 root  wheel    2090 Nov 12 00:04 snort_file-executable.so.rules
    -rw-r--r--  1 root  wheel    3619 Nov 12 00:04 snort_file-flash.so.rules
    -rw-r--r--  1 root  wheel    5281 Nov 12 00:04 snort_file-image.so.rules
    -rw-r--r--  1 root  wheel      379 Nov 12 00:04 snort_file-java.so.rules
    -rw-r--r--  1 root  wheel    4832 Nov 12 00:04 snort_file-multimedia.so.rules
    -rw-r--r--  1 root  wheel    12987 Nov 12 00:04 snort_file-office.so.rules
    -rw-r--r--  1 root  wheel    6248 Nov 12 00:04 snort_file-other.so.rules
    -rw-r--r--  1 root  wheel    1121 Nov 12 00:04 snort_file-pdf.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_icmp.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_imap.so.rules
    -rw-r--r--  1 root  wheel      281 Nov 12 00:04 snort_indicator-shellcode.so.rules
    -rw-r--r--  1 root  wheel    1723 Nov 12 00:04 snort_malware-cnc.so.rules
    -rw-r--r--  1 root  wheel    1066 Nov 12 00:04 snort_malware-other.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_misc.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_multimedia.so.rules
    -rw-r--r--  1 root  wheel    3461 Nov 12 00:04 snort_netbios.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_nntp.so.rules
    -rw-r--r--  1 root  wheel      496 Nov 12 00:04 snort_os-linux.so.rules
    -rw-r--r--  1 root  wheel    1580 Nov 12 00:04 snort_os-other.so.rules
    -rw-r--r--  1 root  wheel    24520 Nov 12 00:04 snort_os-windows.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_p2p.so.rules
    -rw-r--r--  1 root  wheel      761 Nov 12 00:04 snort_policy-social.so.rules
    -rw-r--r--  1 root  wheel    4071 Nov 12 00:04 snort_protocol-dns.so.rules
    -rw-r--r--  1 root  wheel      815 Nov 12 00:04 snort_protocol-icmp.so.rules
    -rw-r--r--  1 root  wheel      340 Nov 12 00:04 snort_protocol-nntp.so.rules
    -rw-r--r--  1 root  wheel    1071 Nov 12 00:04 snort_protocol-other.so.rules
    -rw-r--r--  1 root  wheel      709 Nov 12 00:04 snort_protocol-snmp.so.rules
    -rw-r--r--  1 root  wheel    7535 Nov 12 00:04 snort_protocol-voip.so.rules
    -rw-r--r--  1 root  wheel      262 Nov 12 00:04 snort_pua-p2p.so.rules
    -rw-r--r--  1 root  wheel      389 Nov 12 00:04 snort_server-apache.so.rules
    -rw-r--r--  1 root  wheel    1896 Nov 12 00:04 snort_server-iis.so.rules
    -rw-r--r--  1 root  wheel    2201 Nov 12 00:04 snort_server-mail.so.rules
    -rw-r--r--  1 root  wheel      430 Nov 12 00:04 snort_server-mysql.so.rules
    -rw-r--r--  1 root  wheel    1544 Nov 12 00:04 snort_server-oracle.so.rules
    -rw-r--r--  1 root  wheel    19537 Nov 12 00:04 snort_server-other.so.rules
    -rw-r--r--  1 root  wheel    2602 Nov 12 00:04 snort_server-webapp.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_smtp.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_snmp.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_specific-threats.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-activex.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-client.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-iis.so.rules
    -rw-r--r--  1 root  wheel      58 Nov 12 00:04 snort_web-misc.so.rules

    This is a cut and paste from the screen which has the categories:

    Enabled Ruleset: Snort GPLv2 Community Rules
    Snort GPLv2 Community Rules (VRT certified)
    Enabled Ruleset: ET Open Rules Enabled Ruleset: Snort Text Rules Enabled Ruleset: Snort SO Rules
    emerging-activex.rules snort_app-detect.rules snort_bad-traffic.so.rules
    emerging-attack_response.rules snort_attack-responses.rules snort_browser-ie.so.rules
    emerging-botcc.portgrouped.rules snort_backdoor.rules snort_browser-other.so.rules
    emerging-botcc.rules snort_bad-traffic.rules snort_browser-plugins.so.rules
    emerging-chat.rules snort_blacklist.rules snort_chat.so.rules
    emerging-ciarmy.rules snort_botnet-cnc.rules snort_dos.so.rules
    emerging-compromised.rules snort_browser-chrome.rules snort_exploit-kit.so.rules
    emerging-current_events.rules snort_browser-firefox.rules snort_exploit.so.rules
    emerging-deleted.rules snort_browser-ie.rules snort_file-executable.so.rules
    emerging-dns.rules snort_browser-other.rules snort_file-flash.so.rules
    emerging-dos.rules snort_browser-plugins.rules snort_file-image.so.rules
    emerging-drop.rules snort_browser-webkit.rules snort_file-java.so.rules
    emerging-dshield.rules snort_chat.rules snort_file-multimedia.so.rules
    emerging-exploit.rules snort_content-replace.rules snort_file-office.so.rules
    emerging-ftp.rules snort_ddos.rules snort_file-other.so.rules
    emerging-games.rules snort_deleted.rules snort_file-pdf.so.rules

    ...You can see the list is truncated.

    Thoughts or ideas?

    Ryan



  • A few more questions for you:

    How much RAM is in this box?

    Have you looked at the system log immediately after viewing the CATEGORIES tab to see if there are any suspicious messages logged?

    Bill



  • Bill,

    There is 8 GB of memory in the machine.  No error messages logged.

    Ryan



  • Previously, in the list of rules files you posted, the path seems a bit strange.  Here is what was posted:

    /usr/pbi/snort-amd64/etc/snort/rules**(13)**

    That part I highlighted in bold maroon seems unusual.  Is that actually part of the path, or is that just an artifact of your CLI prompt?

    I have one more thing for you to check.  In the /usr/pbi/snort-amd64/etc/snort directory you will find an additional subdirectory for each configured interface.  That subdirectory will have a UUID and the NIC name in the folder name.  Inside that directory will be another rules folder.  Compare the contents of that folder with the /usr/pbi/snort-amd64/etc/snort/rules folder.  In particular I am wondering if the contents of that folder matches what is displayed on your CATEGORIES tab.

    Bill



  • Bill,

    The (13) is just from the prompt in regards to history number of commands typed in for tcsh on the command line.  I forgot to trim that from my post.

    As you can see from the command:

    /usr/pbi/snort-amd64/etc/snort/rules(11): pwd
    /usr/pbi/snort-amd64/etc/snort/rules
    

    pwd returns the path you had advised me to check.

    In regards to the UUID/NIC name directory, the contents are:

    /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules(37): ls -l
    total 1148
    -rw-r--r--  1 root  wheel        0 Nov 13 12:03 custom.rules
    -rw-r--r--  1 root  wheel        0 Nov 13 12:03 flowbit-required.rules
    -rw-r--r--  1 root  wheel  1170393 Nov 13 12:03 snort.rules
    

    pwd returns:

    /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules(38): pwd
    /usr/pbi/snort-amd64/etc/snort/snort_43131_bge0/rules
    

    It is significantly emptier than the other directory.  Please also note, if I go to create a new snort instance, the list is also truncated which leads me to believe it is not related to configuration or files missing.

    Just as reference, I have deleted the package, reinstalled, tried reinstalling the package, and reinstalling the UI components.

    Thanks,

    Ryan



  • Sorry about sending you looking in the UUID directory.  I forgot that it will only contain three files.  That was a wild goose chase.

    I sincerely do not know what is going on in your system.  The CATEGORIES page reads all the *.rules files in that directory into an in-memory array and then displays them in columns on the tab.

    Are you using some kind of customized theme or have you in any other manner modified the default CSS files on the firewall?

    Bill



  • Sometimes a reboot will fix GUI issues



  • Bill,

    I am using the stock theme (pfsense_ng).  CSS files are unmodified.

    Ryan



  • Ron,

    Thanks for responding.  Reboot does not fix the behavior either.  I'm going to try a fresh install at this point.  I believe there is an issue with my install.  I will report back later this evening.

    Thanks,

    Ryan