On Wed, Dec 21, 2011 at 8:41 AM, Eugen Leitl <[email protected]> wrote:

> On Wed, Dec 21, 2011 at 02:38:32PM +0100, Eugen Leitl wrote:
> >
> > I'm getting a
> >
> > Warning: opendir(/usr/local/etc/snort/snort_10053_igb1/rules/): failed to open dir: No such file or directory in /usr/local/www/snort/snort_rulesets.php on line 251
> > Warning: readdir(): supplied argument is not a valid Directory resource in /usr/local/www/snort/snort_rulesets.php on line 252
> > Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort/snort_rulesets.php on line 255
> > Warning: Invalid argument supplied for foreach() in /usr/local/www/snort/snort_rulesets.php on line 256
> >
> > in the Categories tab the snort package. The package is too old
> > again for snort rules, probably?
>
> Some more warnings/errors from the logs
>
> Dec 21 14:39:46         snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
> Dec 21 14:39:46         snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
> Dec 21 14:39:46         snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
> Dec 21 14:39:46         snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
>
> --
> Eugen* Leitl leitl http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
>


The first two warnings are just deprecation messages; I don't think you
need to worry about those.  It just indicates a version mismatch between
the stated rules and the running version of snort.  Er, more specifically,
it indicates that the rule was written using syntax that is being phased
out.  I get errors like this all the time, partially because I use 3rd
party rulesets, and it's never hampered my operation.  The rule should
still operate appropriately.

The second two I'm less familiar with, but it sounds as simple as enabling
the HTTP inspect preprocessor.  A user addressed this specific error in the
support forums at:  http://forum.pfsense.org/index.php?topic=31597.0 .  The
instructions he gave were:

--------------------------------------
Problem is that you need to enable the HTTP inspect preprocessor. To do
that...

1. Login to pfSense and click on Services / Snort tab
2. Under "Snort Interfaces" click the edit button next to your interface
3. Click on the "Preprocessors" tab
4. Under "HTTP Inspect Settings" section put a checkmark in "Use HTTP
Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies."

It should tell you at the top that the Snort service needs to be restarted,
if it doesn't just go back to the "Snort Interfaces" and click the red stop
button and then the green start button to restart the service.
---------------------------------------------------

One recommendation I can give, and I totally don't mean this to sound like
I'm waving my finger at you, is to use Google.  Take advantage of how
widely deployed snort is.  It's the most deployed IDS out there.  And as is
typically the case with networking, enough so that I use it as a mantra,
"Chances are you're not the first person to have this problem".  Take the
error message and paste it inside quotes, not including anything specific
to your machine (PID numbers, paths, etc).  So like just google with "Please
enable the HTTP Inspect preprocessor before using the http content
modifiers" to make it as specific as possible while still being generic,
if that makes any sense.  That's how I found that forum post; I think it
was the first or second link.  With millions (I'm making that up but it's
probably true) of snort implementations out there, there are gobs of people
having startup errors.

Sorry to be long winded, but I'm trying to teach a man how to fish!

-Ian
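Added example, not part of either message above and not pfSense or Snort project code: a small pre-flight checker that looks, before Snort is restarted, for the two conditions the quoted startup log reports (an in-rule `threshold` option, which is deprecated in favour of `detection_filter`, and an HTTP content modifier such as `http_uri` used while the HTTP Inspect preprocessor is not enabled), plus a parser for the startup log lines themselves. It assumes rules live in one directory of `*.rules` files and that an uncommented `preprocessor http_inspect` line in snort.conf is what enables HTTP Inspect; the rules and log lines inside it are constructed samples (the log lines are unwrapped copies of the two messages quoted in the thread), and the directory check mirrors the web UI's `opendir()` failure when the per-interface rules directory is missing.

```python
# Added example (not from the thread): pre-flight checks for a Snort rules directory.
# Assumptions: rules are *.rules files in one directory; an uncommented
# "preprocessor http_inspect" line in snort.conf enables HTTP Inspect.
import os
import re

# Content modifiers that require the HTTP Inspect preprocessor (Snort 2.9 rule syntax).
HTTP_MODIFIERS = ("http_uri", "http_raw_uri", "http_header", "http_raw_header",
                  "http_cookie", "http_raw_cookie", "http_client_body",
                  "http_method", "http_stat_code", "http_stat_msg")
THRESHOLD_RE = re.compile(r"\bthreshold\s*:")  # deprecated in-rule threshold option
HTTP_MOD_RE = re.compile(r"\b(?:%s)\b" % "|".join(HTTP_MODIFIERS))
HTTP_INSPECT_RE = re.compile(r"^\s*preprocessor\s+http_inspect\b", re.MULTILINE)
# Shape of the startup messages quoted in the thread:
#   <timestamp> snort[<pid>]: <LEVEL>[:] <rules file>(<line>) <message>
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+snort\[(?P<pid>\d+)\]:\s+"
                    r"(?P<level>WARNING|FATAL ERROR):?\s+(?P<file>[^\s(]+)\((?P<line>\d+)\)\s+(?P<msg>.*)$")


def http_inspect_enabled(snort_conf: str) -> bool:
    """True if snort.conf has an uncommented 'preprocessor http_inspect' line."""
    return HTTP_INSPECT_RE.search(snort_conf) is not None


def check_rules(rule_text: str, filename: str, http_inspect_on: bool):
    """Return (severity, file, line, message) findings for one rules file."""
    findings = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out rule
        if THRESHOLD_RE.search(stripped):
            findings.append(("WARNING", filename, lineno,
                             "threshold (in rule) is deprecated; use detection_filter instead"))
        if not http_inspect_on and HTTP_MOD_RE.search(stripped):
            findings.append(("FATAL", filename, lineno,
                             "http content modifier used but HTTP Inspect preprocessor is not enabled"))
    return findings


def check_rules_dir(rules_dir: str, snort_conf: str):
    """Walk a rules directory. A missing directory is reported as a finding of its
    own; that missing directory is what produced the opendir()/readdir() warnings
    in the web UI."""
    if not os.path.isdir(rules_dir):
        return [("FATAL", rules_dir, 0, "rules directory does not exist")]
    enabled = http_inspect_enabled(snort_conf)
    findings = []
    for name in sorted(os.listdir(rules_dir)):
        if name.endswith(".rules"):
            path = os.path.join(rules_dir, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(check_rules(fh.read(), path, enabled))
    return findings


def parse_snort_log(log_text: str):
    """Extract (level, rules file, line, message) from Snort startup log lines."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((m.group("level"), m.group("file"), int(m.group("line")), m.group("msg")))
    return out


# Constructed sample rules (not a real ruleset); sids are in the local range.
SAMPLE_RULES = """\
# comment line: threshold: must be ignored here
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"SIP INVITE flood"; content:"INVITE"; threshold: type both, track by_src, count 100, seconds 60; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"URI probe"; content:"/index"; http_uri; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"plain rule"; content:"foo"; sid:1000003; rev:1;)
"""
# Constructed log lines, unwrapped from the two messages quoted in the thread.
SAMPLE_LOG = """\
Dec 21 14:39:46         snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Dec 21 14:39:46         snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
"""

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES, "sample.rules", http_inspect_on=False):
        print("%s %s:%d %s" % finding)
    for entry in parse_snort_log(SAMPLE_LOG):
        print(entry)
```

Run against the sample rules with HTTP Inspect off, the checker flags line 2 (WARNING, in-rule threshold) and line 3 (FATAL, `http_uri` without HTTP Inspect); with HTTP Inspect on only the deprecation warning remains, which matches Ian's point that the deprecation is harmless while the FATAL ERROR stops Snort from starting.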