Author Topic: snort-dev ready for testing. Post issues here.  (Read 5566 times)

Offline SectorNine50

Re: snort-dev ready for testing. Post issues here.
« Reply #15 on: June 26, 2012, 11:51:32 pm »
Doesn't this only happen when you have the widescreen package installed?

Ah okay good to know!  Thanks.

Offline judex

Re: snort-dev ready for testing. Post issues here.
« Reply #16 on: June 28, 2012, 04:59:30 pm »
Snort-dev seems to lose blocked hosts on 2.0.1 amd64.
My blocking time is set to 3 hours. A host gets blocked correctly when a matching rule fires. Sometimes this host gets out of the snort2c table even if there were multiple new alerts from the same host meanwhile. So it also seems that the remaining blocking time does not get updated after a new alert.

Greets, Judex
2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
FreeBSD 8.3-RELEASE-p11

Offline judex

Re: snort-dev ready for testing. Post issues here.
« Reply #17 on: June 28, 2012, 05:06:58 pm »
It seems that snort-dev shuts down on the first alert after an automatic rule update. I observed that at least twice.

Here's the log:

Jun 29 00:10:07 gatekeeper snort[62591]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Bad file descriptor
Jun 29 00:10:07 gatekeeper kernel: em1: promiscuous mode disabled

Offline Cino

Re: snort-dev ready for testing. Post issues here.
« Reply #18 on: July 04, 2012, 07:27:54 am »
> It seems that snort-dev shuts down on the first alert after an automatic rule update. I observed that at least twice.
>
> Here's the log:
>
> Jun 29 00:10:07 gatekeeper snort[62591]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Bad file descriptor
> Jun 29 00:10:07 gatekeeper kernel: em1: promiscuous mode disabled

I was testing whitelist changes today and enabled blocking, I'm seeing the same issues.

Is there an issue with the pf patch that was applied?

Code:
Jul 4 08:28:56 snort[4839]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
Jul 4 08:28:56 snort[4839]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
« Last Edit: July 05, 2012, 05:42:11 am by Cino »
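
As an added example (not part of any post in this thread and not the package's own code), this Python script scans syslog text for the fatal `s2c_pf_block()` lines quoted above, collapses repeats per process, and flags interfaces that left promiscuous mode in the same second, which marks the sensor going dark. The names `find_snort_crashes`, `FATAL_RE` and `PROMISC_RE` are hypothetical, and matching the kernel line by timestamp is an assumption.

```python
import re
from collections import OrderedDict

# Log lines copied from the posts above (syslog layouts with and without a hostname).
SAMPLE_LOG = """\
Jun 29 00:10:07 gatekeeper snort[62591]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Bad file descriptor
Jun 29 00:10:07 gatekeeper kernel: em1: promiscuous mode disabled
Jul 4 08:28:56 snort[4839]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
Jul 4 08:28:56 snort[4839]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FATAL_RE = re.compile(
    TS + r" (?:(?P<host>\S+) )?snort\[(?P<pid>\d+)\]: FATAL ERROR: "
    r"(?P<func>\w+)\(\) => ioctl\(\) (?P<request>\w+): (?P<error>.+)$")
PROMISC_RE = re.compile(
    TS + r" (?:\S+ )?kernel: (?P<iface>\w+): promiscuous mode disabled$")


def find_snort_crashes(log_text):
    """Return one record per Snort process that died in the pf blocking call."""
    crashes = OrderedDict()  # keyed by (timestamp, pid) so repeated lines collapse
    promisc_off = {}         # timestamp -> interfaces that left promiscuous mode
    for line in log_text.splitlines():
        line = line.strip()
        m = FATAL_RE.match(line)
        if m:
            key = (m.group("ts"), int(m.group("pid")))
            rec = crashes.setdefault(key, {
                "timestamp": m.group("ts"), "host": m.group("host"),
                "pid": int(m.group("pid")), "function": m.group("func"),
                "ioctl": m.group("request"), "error": m.group("error"),
                "lines": 0, "sensor_down_on": []})
            rec["lines"] += 1
            continue
        m = PROMISC_RE.match(line)
        if m:
            promisc_off.setdefault(m.group("ts"), []).append(m.group("iface"))
    # Assumption: a kernel line in the same second belongs to the same crash.
    for rec in crashes.values():
        rec["sensor_down_on"] = promisc_off.get(rec["timestamp"], [])
    return list(crashes.values())


if __name__ == "__main__":
    for rec in find_snort_crashes(SAMPLE_LOG):
        print("{timestamp} pid={pid} {function}/{ioctl}: {error} "
              "(x{lines}) capture stopped on: {sensor_down_on}".format(**rec))
```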

Offline dwood

Re: snort-dev ready for testing. Post issues here.
« Reply #19 on: July 07, 2012, 09:32:04 am »
Attempted snort-dev install on two amd64 boxes.  Installation does not finish.  It hangs at "loading package information".

Cheers,
Dennis.

Offline judex

Re: snort-dev ready for testing. Post issues here.
« Reply #20 on: July 07, 2012, 05:20:24 pm »
> Attempted snort-dev install on two amd64 boxes.  Installation does not finish.  It hangs at "loading package information".
>
> Cheers,
> Dennis.

+1

Offline marcelloc

Re: snort-dev ready for testing. Post issues here.
« Reply #21 on: July 10, 2012, 04:50:53 pm »
It seems like the PHP closure code that you used in the snort.inc file is compatible only with PHP 5.3 (pfSense 2.1):
$snort_calc_iface_subnet_list = function($int) use(&$home_net)

Starting package snort-dev...
Parse error: syntax error, unexpected T_FUNCTION in /usr/local/pkg/snort/snort.inc on line 183

Offline rcfa

snort-dev 3.0 won't start up, shows error...
« Reply #22 on: July 17, 2012, 11:23:02 am »
I get this error:

Warning: file_get_contents(/var/log/snort/59183_lagg0/alert): failed to open stream: No such file or directory in /usr/local/www/snort/snort_alerts.php on line 396

when I go to the Alerts tab (Services : Snort : Snort Alerts)

Rules are downloaded successfully, WAN interface is enabled for snort, but it ain't running.

Any ideas?

Offline Topper727

Re: snort-dev ready for testing. Post issues here.
« Reply #23 on: July 17, 2012, 04:57:34 pm »
When I am in any part of the Snort addon I find that I have to click Dashboard to get back to the dashboard.  I cannot click the pfSense logo in the top left.
This is the link it is supposed to be:
https://10.10.10.1/index.php

This is what I get in snort
https://10.10.10.1/snort/index.php

Snort 2.9.2.3 pkg v. 3.0

Default Skin

2.1-BETA0 (i386)
built on Mon Jul 16 19:08:20 EDT 2012
FreeBSD 8.3-RELEASE-p3

You are on the latest version.