Topic: Snort Updated to 2.7 (Read 25551 times)
AhnHEL (Sr. Member, Posts: 500)
Re: Snort Updated to 2.7 « Reply #60 on: January 28, 2008, 09:24:17 pm »
Wow, I haven't seen any of your issues before mbedyn, that cpu utilization is pegged alright.
First off, what kind of hardware are we talking about here?
Secondly, that rule you're setting off is in your snort.inc file, not in your rule categories. Apparently this rule has to do with preventing NMap scans of your network.
Go to Diagnostics/Edit File. Load the /usr/local/pkg/snort.inc file and scroll down until you see #sf Portscan. See if you have your sense level set to medium or high. If it is, then edit setting to low, and then press save. While you're there in the snort.inc file, make sure under #Flow and stream, put a # symbol before "preprocessor flow: stats_interval 0 hash 2"
Hit save again and Go to Services/Snort.
Blocked tab - X out any entries, then
Alerts tab - hit clear, then
Settings tab - hit save.
Last Edit: January 28, 2008, 09:28:28 pm by onhel
AhnHEL (Angel)
NYC
3 pfSense sites: 2.1-RC (amd64) Snapshots
Jetway NC9C-550 Atom N550 @ 1.5 Ghz, 2GB RAM, 20/2 Mbps
Dell 745 SFF E4400 @ 2.0Ghz, 2GB RAM, 20/2 Mbps
White Box i5 3570k @ 4.4Ghz, 16GB RAM, 50/5 Mbps
OpenVPN (Site to Site, Road Warrior), Traffic Shaping, UPnP Gaming, Snort
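The two snort.inc edits described in Reply #60, as an added example that is not part of the original post or of the pfSense package. The sample text is constructed, and the exact form of the sfportscan line is assumed from standard Snort 2.x preprocessor syntax.

```python
import re

# Constructed sample of the relevant snort.inc lines (not copied from a real install).
SAMPLE_INC = """\
#Flow and stream
preprocessor flow: stats_interval 0 hash 2

#sf Portscan
preprocessor sfportscan: proto { all } scan_type { all } sense_level { medium }
"""

# Captures the text before and after the sense_level value so only the value changes.
SENSE_RE = re.compile(
    r"^(\s*preprocessor\s+sfportscan:.*sense_level\s*\{\s*)(\w+)(\s*\}.*)$")
# Matches only an active (uncommented) flow preprocessor line.
FLOW_RE = re.compile(r"^\s*preprocessor\s+flow:")


def tune(text):
    """Return (new_text, changes).

    Lowers the sfportscan sense_level to low and comments out the flow
    preprocessor. `changes` lists what was actually edited, so a file that
    has no flow line (as reported later in the thread) is visible at once.
    """
    out, changes = [], []
    for line in text.splitlines():
        m = SENSE_RE.match(line)
        if m and m.group(2).lower() != "low":
            changes.append(f"sense_level {m.group(2)} -> low")
            line = m.group(1) + "low" + m.group(3)
        elif FLOW_RE.match(line):
            changes.append("flow preprocessor commented out")
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    new_text, changes = tune(SAMPLE_INC)
    print(new_text)
    print("changes:", changes or "none needed")
```

Running it a second time on its own output reports no changes, which is a quick way to confirm the edit was saved.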
mbedyn (Full Member, Posts: 110)
Re: Snort Updated to 2.7 « Reply #61 on: January 29, 2008, 07:58:47 am »
Yeah.. before upgrading snort to 2.7 everything worked flawlessly.. After upgrade I can't manage with the package..
Tried reinstall, changing inc files...
Maybe I should try a clean install of the package from scratch.... I do not know...
I can not find the preprocessor flow code in my snort.inc... so I do not have anything to comment out with #
Thanks for direction about scan rules.. I was just curious.. nothing else... I do not want to disable this behavior... ;-)
best regards
Michael
Matts (Jr. Member, Posts: 95)
Re: Snort Updated to 2.7 « Reply #62 on: January 29, 2008, 10:37:37 am »
I'm not able to remove or reinstall the package at all on a RC4 machine.
It just keeps saying the following:
Removing package...
Loading package configuration snort.xml...
Loading package instructions...
And it hangs for hours...
AhnHEL (Sr. Member, Posts: 500)
Re: Snort Updated to 2.7 « Reply #63 on: January 29, 2008, 05:13:58 pm »
Perform a manual uninstall:
Go to Diagnostics/Command and in the command line execute
pkg_info
Find the exact package name of snort, should be snort-2.7.0.1_1, then in the command line again execute:
pkg_delete (followed by the exact snort install name you noted with pkg_info)
Should look like this:
pkg_delete snort-2.7.0.1_1
pkg_info after that to confirm it's uninstalled. Try to reinstall now, if it still gives you problems, perform the above again then do the following.
Go to Diagnostics, Backup/Restore, download the config.xml and edit out the snort package from <installedpackages>
<snort>
<config>
<iface_array>wan</iface_array>
<performance>ac-bnfa</performance>
<oinkmastercode>xxxxxxxxxxxxxxxxxxxxxx</oinkmastercode>
<subscriber>on</subscriber>
<blockoffenders>on</blockoffenders>
<automaticrulesupdate/>
<whitelistvpns/>
<clickablalerteurls>on</clickablalerteurls>
<associatealertip>on</associatealertip>
<syncxmlrpc/>
</config>
<last_ruleset_download>2008-01-20</last_ruleset_download>
<rulesets>attack-responses.rules||backdoor.rules||bad-traffic.rules||chat.rules||content-replace.rules||ddos.rules||dns.rules||dos.rules||experimental.rules||exploit.rules||finger.rules||ftp.rules||icmp-info.rules||icmp.rules||imap.rules||info.rules||local.rules||misc.rules||multimedia.rules||mysql.rules||netbios.rules||nntp.rules||oracle.rules||other-ids.rules||policy.rules||pop2.rules||pop3.rules||rpc.rules||rservices.rules||scan.rules||shellcode.rules||smtp.rules||snmp.rules||specific-threats.rules||spyware-put.rules||sql.rules||telnet.rules||tftp.rules||virus.rules||voip.rules||web-attacks.rules||web-cgi.rules||web-client.rules||web-coldfusion.rules||web-frontpage.rules||web-iis.rules||web-misc.rules||web-php.rules||x11.rules</rulesets>
</snort>
Restore configuration from the GUI and reboot.
AhnHEL (Angel)
NYC
3 pfSense sites: 2.1-RC (amd64) Snapshots
Jetway NC9C-550 Atom N550 @ 1.5 Ghz, 2GB RAM, 20/2 Mbps
Dell 745 SFF E4400 @ 2.0Ghz, 2GB RAM, 20/2 Mbps
White Box i5 3570k @ 4.4Ghz, 16GB RAM, 50/5 Mbps
OpenVPN (Site to Site, Road Warrior), Traffic Shaping, UPnP Gaming, Snort
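The config.xml edit described in Reply #63, as an added example that is not part of the original post or of pfSense. It removes the `<snort>` block from `<installedpackages>` with an XML parser instead of by hand, and confirms that the result is still well-formed and that the Oinkmaster code went with it. The sample backup is constructed, and `<otherpkg>` is a hypothetical sibling package.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed config.xml backup. <otherpkg> is a hypothetical sibling
# package and the oinkmastercode value is a placeholder, not a real code.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw</hostname></system>
  <installedpackages>
    <otherpkg><config><enable>on</enable></config></otherpkg>
    <snort>
      <config>
        <iface_array>wan</iface_array>
        <oinkmastercode>PLACEHOLDER-NOT-A-REAL-CODE</oinkmastercode>
        <blockoffenders>on</blockoffenders>
      </config>
      <rulesets>scan.rules||web-misc.rules</rulesets>
    </snort>
  </installedpackages>
</pfsense>
"""


def strip_snort(xml_text):
    """Return (new_xml, dropped); dropped names the snort settings removed."""
    root = ET.fromstring(xml_text)  # raises ParseError on a damaged backup
    dropped = []
    for pkgs in list(root.iter("installedpackages")):
        for node in pkgs.findall("snort"):  # direct children only
            # Record leaf settings so the admin sees what is being discarded.
            dropped += [el.tag for el in node.iter() if len(el) == 0]
            pkgs.remove(node)
    new_xml = '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")
    ET.fromstring(new_xml)  # re-parse: the file to restore must stay well-formed
    return new_xml, dropped


if __name__ == "__main__":
    cleaned, dropped = strip_snort(SAMPLE_CONFIG)
    print("removed snort settings:", ", ".join(dropped) or "none found")
    print(cleaned)
```

The original backup still contains the Oinkmaster code in clear text, so it should be stored or deleted with the same care as any other credential.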
Matts (Jr. Member, Posts: 95)
Re: Snort Updated to 2.7 « Reply #64 on: January 29, 2008, 05:42:30 pm »
Hi,
The problem for now is that the package SNORT is not shown after the "pkg_info" command.
I will first try to reboot the system, if that will not help... I will place back a backup config file and do what you described above.
Thanks.