
Author Topic: Snort Updated to 2.7  (Read 28308 times)


cdx304 (Jr. Member, Posts: 86)
Re: Snort Updated to 2.7
« Reply #30 on: December 12, 2007, 05:06:27 pm »
Well, snort did work. Now it crashes pfSense. So I did a reinstall of pfSense and installed snort and tried to update; now I get this: snort rules: md5 signature of rules mismatch. So I guess I will go back to my D-Link. >:(

shiftyjoe (Newbie, Posts: 4)
Re: Snort Updated to 2.7
« Reply #31 on: December 12, 2007, 06:54:54 pm »
onhel - Thanks for the help, changed to ac-bnfa and snort is much happier now.

cdx304 - "Well, snort did work. Now it crashes pfSense. So I did a reinstall of pfSense and installed snort and tried to update; now I get this: snort rules: md5 signature of rules mismatch. So I guess I will go back to my D-Link. >:("

Not sure if it will help, but I've gotten this message. After a fifteen-minute wait, I could re-download the rules without an issue.
Running pfSense with Celeron @966Mhz w/ 1gb ram, 80GB IDE/ATA Harddrive, and two intel desktop pro 10/100.

AhnHEL (Sr. Member, Posts: 572)
Re: Snort Updated to 2.7
« Reply #32 on: December 12, 2007, 11:37:11 pm »
Yes, I have gotten the md5 mismatch a couple of times as well during the testing of Snort 2.7.0.1_1 and 2.7.0.1_2.  A second attempt to download rules always cleared up this error.


While I have this post up, I'd like to give my thanks to Sullrich for maintaining the package and Shaddow501 for his help to Sullrich in getting the problems with 2.7 resolved so quickly for all of us end-users.  Great job guys.
« Last Edit: December 12, 2007, 11:58:07 pm by onhel »
AhnHEL (Angel)
NYC

3 pfSense sites: 2.1 RELEASE (amd64)
Dell 745 SFF E4400 @ 2.0Ghz, 2GB RAM, 20/5 Mbps
Dell 755 SFF E6550 @ 2.3Ghz, 2GB RAM, 20/5 Mbps
White Box i5 3570k @ 4.4Ghz, 16GB RAM, 114/6 Mbps, SSD
OpenVPN (Site to Site, Road Warrior), IPSec Mobile, UPnP Gaming, Traffic Shaping, Snort, Suricata

rt_rex (Jr. Member, Posts: 84)
Re: Snort Updated to 2.7
« Reply #33 on: December 13, 2007, 12:28:52 pm »
Quote
Yes, I have gotten the md5 mismatch a couple of times as well during the testing of Snort 2.7.0.1_1 and 2.7.0.1_2.  A second attempt to download rules always cleared up this error.

While I have this post up, I'd like to give my thanks to Sullrich for maintaining the package and Shaddow501 for his help to Sullrich in getting the problems with 2.7 resolved so quickly for all of us end-users.  Great job guys.

There is a 2.7.0.1_3 version working OK here.
Don't try this @home, go outside!
WIFI Link @ 76 km

cdx304 (Jr. Member, Posts: 86)
Re: Snort Updated to 2.7
« Reply #34 on: December 14, 2007, 11:47:33 pm »
pfSense crashes now with snort installed.

AhnHEL (Sr. Member, Posts: 572)
Re: Snort Updated to 2.7
« Reply #35 on: December 15, 2007, 01:35:29 am »
Quote
pfSense crashes now with snort installed.

Define "crash."

Please elaborate.

Mine is running great, possibly a hardware issue?

shaddow501 (Jr. Member, Posts: 47)
Re: Snort Updated to 2.7
« Reply #36 on: December 16, 2007, 06:39:07 pm »
Hi All

After a few days working with snort I have found that it doesn't remove the blocked IP after 60 min; maybe it is something with the configuration, I am not sure yet.

I do think there should be a line in the cron configuration that after a specific time removes the blocked IPs, or maybe I am wrong...

Did anyone notice that problem, or is it just something messed up in my system?

Anyway, any information on where I should write this line I will appreciate.


shiftyjoe (Newbie, Posts: 4)
Re: Snort Updated to 2.7
« Reply #37 on: December 16, 2007, 09:08:22 pm »
This post (http://forum.pfsense.org/index.php/topic,5902.0.html) is talking about how to change the time it takes before the IPs are removed.

Sullrich says: "You can change the reset time by modifying /cf/conf/config.xml from Diagnostics -> Edit File.

Look for the cron entry that runs the command /usr/local/sbin/expiretable -t 1800 snort2c.

Change the <minute>60</minute> to whatever you like.  Then go to Diagnostics -> Command Prompt and in the PHP command box issue the command:

configure_cron();"

I'd check to make sure the cron job is scheduled.

AhnHEL (Sr. Member, Posts: 572)
Re: Snort Updated to 2.7
« Reply #38 on: December 17, 2007, 03:16:50 am »
Watched a blocked IP and noticed it was removed after around 87 minutes.  Performed a second test and this one went beyond 115 minutes before I gave up on babysitting the GUI, so I can confirm your experiences, Shaddow501.  One thing I noticed while tinkering around with this is that "top" doesn't show snort2c running when an IP is blocked.  I can verify that the IP is in fact blocked, so I can only assume snort2c is doing its job, but strange that I don't see it running when I know I've seen snort2c by running top in the past.
« Last Edit: December 17, 2007, 04:49:17 am by onhel »
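To follow up on the scheduling check shiftyjoe suggests and the 87-minute removal AhnHEL observed, here is an added shell example (not from the thread or the pfSense package) that reads a constructed crontab in an assumed pfSense-style layout, confirms the expiretable job for snort2c is present, and computes the window a blocked address can stay in the table; the sample crontab lines and the hourly schedule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): confirm that the
# expiretable cron job for the snort2c table is scheduled and work out how long a
# blocked host can stay in the table before the job removes it.
# Assumed crontab layout: minute hour mday month wday user command (pfSense style).

# Constructed sample crontab, not taken from a real system
SAMPLE_CRONTAB='0 * * * * root /usr/local/sbin/expiretable -t 1800 snort2c
*/5 * * * * root /usr/local/bin/some_other_job'

# find_expiretable_entry TABLE [CRONTAB]: print the line that expires TABLE; exit 1 if none
find_expiretable_entry() {
    crontab_text="${2:-$SAMPLE_CRONTAB}"
    printf '%s\n' "$crontab_text" | grep -E "expiretable[[:space:]]+-t[[:space:]]+[0-9]+[[:space:]]+$1\$"
}

# expire_seconds LINE: the -t value; entries older than this are dropped on each run
expire_seconds() {
    printf '%s\n' "$1" | sed -E 's/.*-t[[:space:]]+([0-9]+).*/\1/'
}

# cron_interval_minutes MINUTE_FIELD: minutes between runs (hour field assumed to be *)
cron_interval_minutes() {
    case "$1" in
        '*')    echo 1 ;;            # every minute
        '*/'*)  echo "${1#\*/}" ;;    # every N minutes
        [0-9]*) echo 60 ;;           # fixed minute: once an hour
        *)      echo 0 ;;            # unsupported syntax
    esac
}

# block_lifetime_window LINE: prints "MIN MAX" minutes an entry survives. Entries are
# only dropped when cron fires, so an entry lives at least -t seconds and at most -t
# seconds plus one cron interval: a 1800 s timeout on an hourly job means 30 to 90 min.
block_lifetime_window() {
    minute_field="${1%% *}"
    interval=$(cron_interval_minutes "$minute_field")
    expire_min=$(( $(expire_seconds "$1") / 60 ))
    echo "$expire_min $(( expire_min + interval ))"
}

if entry=$(find_expiretable_entry snort2c); then
    echo "scheduled: $entry"
    echo "block lifetime in minutes (min max): $(block_lifetime_window "$entry")"
else
    echo "no expiretable job for snort2c found"
fi
```

With the thread's values (hourly job, -t 1800) the window is 30 to 90 minutes, which covers the 87-minute removal but not the run beyond 115 minutes.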

shaddow501 (Jr. Member, Posts: 47)
Re: Snort Updated to 2.7
« Reply #39 on: December 17, 2007, 04:06:32 pm »
Hi OnHel

Well, I do think that the reason snort crashes (I do see a strange line in my log that refers to snort exited, core dump, well something like that) is that it isn't a very stable release; anyway I am working on the snort.inc file to see if by removing some items it will make snort work better (like the SMTP check that I have added and the FTP processor that I have added). So far I have removed the SMTP and will try to check it for a few days to see if it will make the release more stable.
If you would like to "play" with the file too, it is located at /usr/local/pkg/snort.inc (just use Edit File in the snort GUI).

Also I did a modification in cron that will remove the blocked IP after 10 min, and I guess it does work...

shaddow501 (Jr. Member, Posts: 47)
Re: Snort Updated to 2.7 - and to 2.8
« Reply #40 on: December 18, 2007, 04:50:37 pm »
Hi Guys

I have started to work with snort version 2.8.0.1, since I didn't like the 2.7.0.1 much; I have made a new package based on the snort 2.7.0.1 package but with the files of the new latest version I mention above.
In the terminal SSH software I just pkg_delete the old version and did pkg_add of my version.

The new version seems to work so far, but I still do not have much information on how stable it is.
It also requires a change in the snort.inc file.

Anyone who wishes to try it may contact me.

trendchiller (Sr. Member, Posts: 347)
Re: Snort Updated to 2.7
« Reply #41 on: December 18, 2007, 05:09:43 pm »
Perhaps give scott a link if it runs fine ;-)

AhnHEL (Sr. Member, Posts: 572)
Re: Snort Updated to 2.7
« Reply #42 on: December 19, 2007, 03:53:18 am »
Shaddow501, I've been studying the snort.inc file, and trust me, I'm not in your league at all in understanding it, nor would I have been able to fix it the way you did previously when the preprocessors were causing Snort to crash.

But I did notice that some alerts weren't properly being set off.  For instance, ICMP pings to my WAN IP weren't setting off a Snort alert even though I have the same ICMP rules enabled as I did with 2.6.

Then I noticed that you had the preprocessor flow enabled in the snort.inc file.  According to this site http://cvs.snort.org/viewcvs.cgi/snort/doc/README.stream5?rev=1.2
Quote
The Stream5 preprocessor is a target-based TCP reassembly module
for Snort.  It is intended to replace both the stream4 and flow
preprocessors, and it is capable of tracking sessions for both
TCP and UDP.  With Stream5, the rule 'flow' and 'flowbits' keywords
are usable with TCP as well as UDP traffic.

Since Stream5 replaces stream4, both cannot be used simultaneously.
Remove the stream4 and flow configurations from snort.conf when the
stream5 configuration is added.

I commented out the flow preprocessor and I'm now seeing ICMP ping alerts again. 
« Last Edit: December 19, 2007, 04:07:18 am by onhel »
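Added here as a check for the preprocessor conflict AhnHEL found (example code, not from the thread or the pfSense package): it reads a constructed snort.conf excerpt, reports when stream5 is configured alongside stream4 or flow, and emits the corrected file with the legacy lines commented out. The sample config text and the preprocessor option values in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): flag the Stream5 versus
# stream4/flow conflict quoted from README.stream5 before Snort is restarted, and
# produce the corrected snort.conf. The config text below is constructed.

# Constructed snort.conf excerpt in the conflicting state: flow still enabled beside stream5
SAMPLE_CONF='preprocessor flow: stats_interval 0 hash 2
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
# preprocessor stream4: disable_evasion_alerts
preprocessor http_inspect: global iis_unicode_map unicode.map 1252'

# active_preprocessors CONF: names of uncommented "preprocessor <name>" lines, one per line
active_preprocessors() {
    printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*preprocessor[[:space:]]+([A-Za-z0-9_-]+).*/\1/p'
}

# stream_conflict CONF: returns 0 and names the legacy preprocessors when stream5 is
# enabled together with stream4 or flow; returns 1 when the configuration is consistent
stream_conflict() {
    names=$(active_preprocessors "$1")
    stream5_count=$(printf '%s\n' "$names" | grep -c -E '^stream5(_global|_tcp|_udp|_icmp)?$' || true)
    legacy=$(printf '%s\n' "$names" | grep -E '^(stream4|stream4_reassemble|flow|flow-portscan)$' | sort -u | tr '\n' ' ')
    legacy=${legacy% }
    if [ "$stream5_count" -gt 0 ] && [ -n "$legacy" ]; then
        echo "conflict: stream5 enabled alongside: $legacy"
        return 0
    fi
    return 1
}

# disable_legacy_stream CONF: comment out the stream4/flow lines, which is what the
# README prescribes once stream5 is configured; prints the corrected config
disable_legacy_stream() {
    printf '%s\n' "$1" | sed -E 's/^([[:space:]]*preprocessor[[:space:]]+(stream4|stream4_reassemble|flow|flow-portscan)[[:space:]]*(:.*)?)$/# \1/'
}

if stream_conflict "$SAMPLE_CONF"; then
    echo "corrected configuration:"
    disable_legacy_stream "$SAMPLE_CONF"
fi
```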

shaddow501 (Jr. Member, Posts: 47)
Re: Snort Updated to 2.7
« Reply #43 on: December 19, 2007, 07:24:41 am »
Hi OnHeL

Well, you are right: with the last version of snort 2.8.0.1 I did disable the flow preprocessor. I did compile the 2.8.0.1 so that it will also support stream4udp packets, so it does work with both the stream5 and stream4 configuration (but they will not work together; you must select if you want to use the stream4 or stream5 option).

With both versions (2.7.0.1 & 2.8.0.1) I still have a problem: after some time (could be hours, could be minutes) snort exits with this message:
 " (snort), uid 0: exited on signal 11 (core dumped)"  I haven't got any clue what could cause it, and looking on the web (Google and such) didn't turn up much information...

I am curious if it is just me that gets this error or some of you get it as well; if someone has any clue how to debug it and see what causes this fault I could make a bit more progress, but as for now I am kinda stuck with lack of information.

I did try snort with almost all the working methods, but again I do get the message and snort stops doing what it should be doing (blocking :))

Anyone?

chazers18 (Full Member, Posts: 103)
Re: Snort Updated to 2.7
« Reply #44 on: December 19, 2007, 07:59:38 am »
I have a similar problem that some of the others are having with Snort.

Version of pfSense:

1.2-RC2
built on Fri Aug 17 17:46:06 EDT 2007

Some of the goofy errors that I am getting with snort:

Dec 19 07:54:49    SnortStartup[63790]: Ram free BEFORE starting Snort: 73M -- Ram free AFTER starting Snort: 73M -- Mode ac-std -- Snort memory usage:
Dec 19 07:54:43    kernel: xl0: promiscuous mode disabled
Dec 19 07:54:32    snort[63624]: Daemon parent exiting
Dec 19 07:54:32    snort[63624]: Daemon parent exiting
Dec 19 07:54:32    snort[63638]: Daemon initialized, signaled parent pid: 63624
Dec 19 07:54:32    snort[63638]: Daemon initialized, signaled parent pid: 63624
Dec 19 07:54:32    snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"
Dec 19 07:54:32    snort[63638]: Writing PID "63638" to file "/var/run//snort_xl0.pid"
Dec 19 07:54:32    snort[63638]: PID path stat checked out ok, PID path set to /var/run/
Dec 19 07:54:32    snort[63638]: PID path stat checked out ok, PID path set to /var/run/
Dec 19 07:54:32    kernel: xl0: promiscuous mode enabled
Dec 19 07:54:32    snort[63624]: Initializing daemon mode
Dec 19 07:54:32    snort[63624]: Initializing daemon mode
Dec 19 07:54:32    kernel: xl0: promiscuous mode disabled
Dec 19 07:54:32    kernel: xl0: promiscuous mode enabled

Also it does not stop anything or set off any alerts; I am just using default rules pulled in from snort. Let me know what you are all thinking.

Thanks