Discussion:
[pfSense] anyone running snort?
Eugen Leitl
2011-12-21 13:38:32 UTC
I'm getting a

Warning: opendir(/usr/local/etc/snort/snort_10053_igb1/rules/): failed to open dir: No such file or directory in /usr/local/www/snort/snort_rulesets.php on line 251 Warning: readdir(): supplied argument is not a valid Directory resource in /usr/local/www/snort/snort_rulesets.php on line 252 Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort/snort_rulesets.php on line 255 Warning: Invalid argument supplied for foreach() in /usr/local/www/snort/snort_rulesets.php on line 256

in the Categories tab the snort package. The package is too old
again for snort rules, probably?
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Eugen Leitl
2011-12-21 13:41:42 UTC
Post by Eugen Leitl
I'm getting a
Warning: opendir(/usr/local/etc/snort/snort_10053_igb1/rules/): failed to open dir: No such file or directory in /usr/local/www/snort/snort_rulesets.php on line 251 Warning: readdir(): supplied argument is not a valid Directory resource in /usr/local/www/snort/snort_rulesets.php on line 252 Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort/snort_rulesets.php on line 255 Warning: Invalid argument supplied for foreach() in /usr/local/www/snort/snort_rulesets.php on line 256
in the Categories tab the snort package. The package is too old
again for snort rules, probably?
Some more warnings/errors from the logs

Dec 21 14:39:46 snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Dec 21 14:39:46 snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Dec 21 14:39:46 snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Dec 21 14:39:46 snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Ian Bowers
2011-12-21 14:29:37 UTC
Post by Eugen Leitl
Post by Eugen Leitl
I'm getting a
Warning: opendir(/usr/local/etc/snort/snort_10053_igb1/rules/): failed to open dir: No such file or directory in /usr/local/www/snort/snort_rulesets.php on line 251 Warning: readdir(): supplied argument is not a valid Directory resource in /usr/local/www/snort/snort_rulesets.php on line 252 Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort/snort_rulesets.php on line 255 Warning: Invalid argument supplied for foreach() in /usr/local/www/snort/snort_rulesets.php on line 256
Post by Eugen Leitl
in the Categories tab the snort package. The package is too old
again for snort rules, probably?
Some more warnings/errors from the logs
Dec 21 14:39:46 snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Dec 21 14:39:46 snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Dec 21 14:39:46 snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Dec 21 14:39:46 snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
_______________________________________________
List mailing list
http://lists.pfsense.org/mailman/listinfo/list
The first two warnings are just deprecation messages, I don't think you
need to worry about those. It just indicates a version mismatch between
the stated rules and the running version of snort. Er more specifically,
it indicates that the rule was written using syntax that is being phased
out. I get errors like this all the time, partially because I use 3rd
party rulesets, and it's never hampered my operation. The rule should
still operate appropriately.

The second two I'm less familiar with, but it sounds as simple as enabling
the HTTP inspect preprocessor. A user addressed this specific error in the
support forums at: http://forum.pfsense.org/index.php?topic=31597.0 . The
instructions he gave were:

--------------------------------------
Problem is that you need to enable the HTTP inspect preprocessor. To do
that...

1. Login to pfSense and click on Services / Snort tab
2. Under "Snort Interfaces" click the edit button next to your interface
3. Click on the "Preprocessors" tab
4. Under "HTTP Inspect Settings" section put a checkmark in "Use HTTP
Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies."

It should tell you at the top that the Snort service needs to be restarted,
if it doesn't just go back to the "Snort Interfaces" and click the red stop
button and then the green start button to restart the service.
---------------------------------------------------

One recommendation I can give, and I totally don't mean this to sound like
I'm waving my finger at you, is to use google. Take advantage of how
widely deployed snort is. It's the most deployed IDS out there. And as is
typically the case with networking, enough so that I use it as a mantra,
"Chances are you're not the first person to have this problem". Take the
error message and paste it inside quotes, not including anything specific
to your machine (PID numbers, paths, etc). So like just google with "Please
enable the HTTP Inspect preprocessor before using the http content
modifiers" to make it as specific as possible while still being generic,
if that makes any sense. That's how I found that forum post; I think it
was the first or second link. With millions (I'm making that up, but it's
probably true) of snort implementations out there, there are gobs of people
having startup errors.

Sorry to be long winded, but I'm trying to teach a man how to fish!

-Ian
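The two pieces of advice in the reply above (treat "deprecated" warnings as noise, treat FATAL ERROR as the thing that actually stops snort, and strip timestamps, PIDs and local paths before searching for the message) can be turned into a small log-triage script. This is an added example, not code from the thread, the pfSense snort package or the Snort project; the log lines embedded in it are constructed from the ones quoted in the thread plus one ordinary startup line, and the function and bucket names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the snort startup messages quoted in the thread,
# plus one ordinary line so the parser has something to ignore.
SAMPLE_LOG = """\
Dec 21 14:39:46 snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Dec 21 14:39:46 snort[40843]: WARNING /usr/local/etc/snort/snort_10053_igb1/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Dec 21 14:39:46 snort[40843]: FATAL ERROR: /usr/local/etc/snort/snort_10053_igb1/rules/snort_attack-responses.rules(32) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Dec 21 14:39:46 snort[40843]: Initializing rule chains...
"""

# Syslog prefix, PID, severity, offending rule file with its line number, and
# the vendor message itself.  FATAL ERROR carries a trailing colon, WARNING
# does not, hence the optional ':'.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) snort\[(?P<pid>\d+)\]: "
    r"(?P<level>WARNING|FATAL ERROR):? "
    r"(?P<file>/\S+?\.rules)\((?P<line>\d+)\) (?P<msg>.+)$"
)


def parse_snort_log(text):
    """Return one dict per rule-related WARNING/FATAL ERROR line; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            records.append(rec)
    return records


def triage(records):
    """Group messages by what they mean for the sensor.

    'fatal' stops snort from starting and must be fixed (the HTTP Inspect
    case in the thread); 'deprecated' is rule syntax being phased out and
    can be left alone; anything else lands in 'other'.  Each entry is
    (rulefile, line, message, occurrences) so repeated lines collapse.
    """
    buckets = {"fatal": Counter(), "deprecated": Counter(), "other": Counter()}
    for r in records:
        key = (r["file"], r["line"], r["msg"])
        if r["level"] == "FATAL ERROR":
            buckets["fatal"][key] += 1
        elif "is deprecated" in r["msg"]:
            buckets["deprecated"][key] += 1
        else:
            buckets["other"][key] += 1
    return {
        name: sorted((f, ln, msg, n) for (f, ln, msg), n in c.items())
        for name, c in buckets.items()
    }


def search_query(raw_line):
    """Reduce a log line to the quoted vendor text worth searching for.

    Timestamp, PID, local paths and rule line numbers are machine-specific
    and are dropped so the query matches other people's reports.
    """
    m = LINE_RE.match(raw_line)
    if m:
        msg = m.group("msg")
    else:
        # Fallback for lines the strict pattern does not cover.
        msg = re.sub(r"^\w{3} +\d+ \d\d:\d\d:\d\d snort\[\d+\]: ", "", raw_line)
        msg = re.sub(r"(WARNING|FATAL ERROR):? ", "", msg, count=1)
        msg = re.sub(r"/\S+?\.rules\(\d+\) ?", "", msg)
    return '"%s"' % msg.strip()


def needs_http_inspect(records):
    """True when a fatal message asks for the HTTP Inspect preprocessor."""
    return any(r["level"] == "FATAL ERROR" and "HTTP Inspect preprocessor" in r["msg"]
               for r in records)


if __name__ == "__main__":
    recs = parse_snort_log(SAMPLE_LOG)
    for bucket, entries in triage(recs).items():
        for f, ln, msg, n in entries:
            print("%-10s x%d %s:%d %s" % (bucket, n, f, ln, msg))
    if needs_http_inspect(recs):
        print("-> enable HTTP Inspect under the interface's Preprocessors tab, then restart snort")
    print("search for:", search_query(SAMPLE_LOG.splitlines()[2]))
```

Run it against the output of the snort log in the pfSense GUI (or `/var/log/snort/`) instead of `SAMPLE_LOG` and the "fatal" bucket is the list of things to fix before the sensor will come up; the "deprecated" bucket is the list you can ignore until the ruleset is updated, as the reply says.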
Eugen Leitl
2011-12-21 14:40:21 UTC
Post by Ian Bowers
Sorry to be long winded, but I'm trying to teach a man how to fish!
Right, I've remembered that old fishing net I had lying around. Works now.
Only two rules don't want to load.
