It sure feels weird to reply to myself but I have found a solution to this problem in case anybody has to go through this again.

The HOME_NET problem I mentioned in one of the other posts causes the whitelist to be improperly written to /var/db/whitelist. The function called on line 231 of /usr/local/pkg/snort.inc returns an empty value, therefore it appends an empty forward slash to the $home_net variable in the else statement on line 237.

I executed snort2c in the foreground so I can see it parse the whitelist and configuration file by appending -d to "snort2c -w /var/db/whitelist -a /var/log/snort/alert" and it failed shortly after parsing CIDR notations caused by the generate_snort_conf() function within the whitelist file itself.

I've created a crude patch that fixes the issue mentioned yesterday and the whitelist generation. This is the first time I had to dig into pfsense's sources so it may not be the ideal way to resolve this issue. The diff has been attached to this email.

Hope this saves some time for somebody else in the future. Thanks for your help Scott :)

- Ying
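
Added example, not part of the original message or of pfSense's code: a small Python check that flags the kind of malformed entry described above (a mask with no address in front of it) in a generated address list. It assumes whitespace-separated IPv4/IPv6 addresses or CIDR blocks; the function name and the sample string are constructed for illustration.

```python
import ipaddress
import sys


def check_entries(text):
    """Split whitespace-separated entries into (valid, malformed) lists.

    An entry is malformed if the address part is empty ("/24"), the mask
    part is empty ("10.0.0.0/"), or it does not parse as an address/CIDR.
    """
    valid, malformed = [], []
    for token in text.split():
        addr, sep, mask = token.partition("/")
        if not addr or (sep and not mask):
            malformed.append(token)
            continue
        try:
            # strict=False accepts host addresses with a mask, e.g. 10.0.0.1/24
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            malformed.append(token)
        else:
            valid.append(token)
    return valid, malformed


# Constructed sample: "/24" is what an empty subnet followed by "/mask" yields.
SAMPLE = "192.168.1.0/24 10.0.0.1 /24 172.16.0.0/"

if __name__ == "__main__":
    # Check a file given on the command line, or the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    ok, bad = check_entries(data)
    for entry in bad:
        print("malformed entry:", repr(entry))
    sys.exit(1 if bad else 0)
```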


Ying Wong wrote:
The only docs I found were in the source as well.

Snort's version number I mentioned above was from the command line,

Snort exiting
# Version 2.6.1.3 (Build 36)

I will install _2 just in case afterwards.

Thanks for your input Scott.

- Ying

Scott Ullrich wrote:
On 3/15/07, Ying Wong <[EMAIL PROTECTED]> wrote:
If an upgrade of pfsense is not necessary, then I did have the latest
snort package installed. I can't seem to find much documentation on
snort2c either, or a sample white list.

Neither could I when I ported snort2c to FreeBSD/pfSense.  The source
is the docs unfortunately.

You mentioned that you had 2.6.1.3 on there, not 2.6.1.3_2, that's a
different package.

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--- ./snort.inc Fri Mar 16 11:37:52 2007
+++ ../snort.inc        Fri Mar 16 11:50:52 2007
@@ -235,6 +235,7 @@
                        if($subnet)
                                $home_net .= "{$subnet} ";
                } else {
+                       if ($subnet)
                        $home_net .= "{$subnet}/{$ifcfg['subnet']} ";
                }
        }
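
Review bot: The added `if ($subnet)` in the else branch has no braces and the assignment below it keeps its old indentation, so the guard is easy to misread as unconditional; wrap the assignment in braces and indent it under the condition. The guard also only tests `$subnet`: if `$ifcfg['subnet']` is empty the line still emits an address followed by a bare slash, so consider checking both values before appending to `$home_net`.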
