Forums

P Jones
Resolved
0 votes
I have two ClearOS 6.7 servers at different locations with Intrusion Protection subscriptions, and neither one is showing any IP addresses in the Blocked List. Both servers stopped blocking hosts on April 27 at about 4:00 PM EST. As it happens this is right about the time that the 0426 ClearSDN intrusion protection update was automatically applied.
Friday, April 29 2016, 01:45 AM
Responses (13)
  • Wednesday, October 19 2022, 03:18 PM - #Permalink
    Jeff Ratzel wrote:

    The hammer reinstalls all snort (snortsam) packages and all dependencies. (I had apparently had an issue with one of the dependencies on my snort install after installing another package.) This error cannot be ignored and is its own issue, I believe. Sorry it did not work for you.


    This did the trick with me.
    yum reinstall app-intrusion-* snort snort-gpl-rules


    Basically the same as your hammer.

    I had this in my snort/syslog

    Oct 18 09:43:58 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048653 bytes (server queue). 145.50.40.205 19727 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 09:47:45 domainname snort[6080]: S5: Pruned session from cache that was using 1106639 bytes (stale/timeout). 145.50.40.205 19727 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 09:57:39 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048937 bytes (server queue). 145.50.40.205 20402 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 10:02:24 domainname snort[6080]: S5: Pruned session from cache that was using 1109451 bytes (stale/timeout). 145.50.40.205 20402 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 10:13:22 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1049495 bytes (server queue). 145.50.40.205 29562 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 10:13:22 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048858 bytes (server queue). 145.50.40.205 43747 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 10:17:09 domainname snort[6080]: S5: Pruned session from cache that was using 1106923 bytes (stale/timeout). 145.50.40.205 43747 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 10:17:54 domainname snort[6080]: S5: Pruned session from cache that was using 1111036 bytes (stale/timeout). 145.50.40.205 29562 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 10:26:23 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048926 bytes (server queue). 145.50.40.205 52284 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 10:30:54 domainname snort[6080]: S5: Pruned session from cache that was using 1109282 bytes (stale/timeout). 145.50.40.205 52284 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 10:36:47 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1049658 bytes (server queue). 145.50.40.205 64649 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 10:41:24 domainname snort[6080]: S5: Pruned session from cache that was using 1109461 bytes (stale/timeout). 145.50.40.205 64649 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 10:45:58 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048758 bytes (server queue). 145.50.40.205 53476 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 10:52:24 domainname snort[6080]: S5: Pruned session from cache that was using 1108245 bytes (stale/timeout). 145.50.40.205 53476 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 13:19:57 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1049269 bytes (server queue). 145.50.40.205 50676 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 13:32:08 domainname snort[6080]: S5: Pruned session from cache that was using 1113101 bytes (stale/timeout). 145.50.40.205 50676 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 15:34:24 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048933 bytes (server queue). 145.50.40.205 52934 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 15:38:20 domainname snort[6080]: S5: Pruned session from cache that was using 1107630 bytes (stale/timeout). 145.50.40.205 52934 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
    Oct 18 15:55:57 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1049685 bytes (server queue). 145.50.40.205 11686 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
    Oct 18 16:16:44 domainname snort[6080]: S5: Pruned session from cache that was using 1111384 bytes (stale/timeout). 145.50.40.205 11686 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001


    Let's see if it keeps running
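    The S5 lines above come from snort's stream5 preprocessor: one TCP session from a single source to port 443 filled the configured reassembly queue (1048576 bytes, the stream5_tcp max_queued_bytes default) and was later pruned as stale. As an added example, not code from this post or from ClearOS, here is a small Python parser for those messages that summarises them per source address and measures how long each session sat in the cache between the queue-limit message and the prune, which is what you would look at before deciding whether the log is noise or worth a rule. The sample lines are the first four from the post above.

```python
"""Parse Snort stream5 (S5) queue-limit and prune messages from syslog."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Sample lines taken from the post above (destination address already masked there).
SAMPLE_LOG = """\
Oct 18 09:43:58 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048653 bytes (server queue). 145.50.40.205 19727 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
Oct 18 09:47:45 domainname snort[6080]: S5: Pruned session from cache that was using 1106639 bytes (stale/timeout). 145.50.40.205 19727 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
Oct 18 09:57:39 domainname snort[6080]: S5: Session exceeded configured max bytes to queue 1048576 using 1048937 bytes (server queue). 145.50.40.205 20402 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x402001
Oct 18 10:02:24 domainname snort[6080]: S5: Pruned session from cache that was using 1109451 bytes (stale/timeout). 145.50.40.205 20402 --> xxx.xxx.xxx.xxx 443 (0) : LWstate 0x1 LWFlags 0x612001
"""

# syslog prefix up to and including "S5: ", then the flow tuple that ends every S5 line
PREFIX = r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[(?P<pid>\d+)\]: S5: '
FLOW = (r' (?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+) \((?P<policy>\d+)\) : '
        r'LWstate (?P<state>0x[0-9a-fA-F]+) LWFlags (?P<flags>0x[0-9a-fA-F]+)')
EXCEEDED_RE = re.compile(PREFIX + r'Session exceeded configured max bytes to queue (?P<limit>\d+) '
                         r'using (?P<bytes>\d+) bytes \((?P<queue>\w+) queue\)\.' + FLOW)
PRUNED_RE = re.compile(PREFIX + r'Pruned session from cache that was using (?P<bytes>\d+) bytes '
                       r'\((?P<reason>[^)]*)\)\.' + FLOW)


class S5Event(NamedTuple):
    ts: datetime
    kind: str            # "exceeded" or "pruned"
    bytes_used: int
    limit: Optional[int]  # configured queue limit; only present on "exceeded" lines
    detail: str          # queue side ("server"/"client") or prune reason ("stale/timeout")
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def parse_s5_line(line: str) -> Optional[S5Event]:
    """Return an S5Event for a queue-limit or prune line, None for anything else."""
    m = EXCEEDED_RE.match(line)
    if m:
        kind, limit, detail = "exceeded", int(m.group("limit")), m.group("queue")
    else:
        m = PRUNED_RE.match(line)
        if not m:
            return None
        kind, limit, detail = "pruned", None, m.group("reason")
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for intra-day deltas
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return S5Event(ts, kind, int(m.group("bytes")), limit, detail, m.group("src"),
                   int(m.group("sport")), m.group("dst"), int(m.group("dport")),
                   int(m.group("flags"), 16))


def parse_log(text: str) -> List[S5Event]:
    return [e for e in (parse_s5_line(l) for l in text.splitlines()) if e is not None]


class SourceSummary(NamedTuple):
    exceeded: int
    pruned: int
    ports: Set[int]
    max_bytes: int


def summarize_by_source(events: List[S5Event]) -> Dict[str, SourceSummary]:
    """Count queue-limit and prune messages per source address, with the ports and peak bytes seen."""
    acc = defaultdict(lambda: [0, 0, set(), 0])
    for e in events:
        a = acc[e.src]
        a[0 if e.kind == "exceeded" else 1] += 1
        a[2].add(e.sport)
        a[3] = max(a[3], e.bytes_used)
    return {src: SourceSummary(a[0], a[1], a[2], a[3]) for src, a in acc.items()}


def session_lifetimes(events: List[S5Event]) -> Dict[Tuple[str, int], int]:
    """Seconds from the first queue-limit message to the prune for each (src, sport) session."""
    first_exceeded: Dict[Tuple[str, int], datetime] = {}
    lifetimes: Dict[Tuple[str, int], int] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.src, e.sport)
        if e.kind == "exceeded":
            first_exceeded.setdefault(key, e.ts)
        elif key in first_exceeded:
            lifetimes[key] = int((e.ts - first_exceeded.pop(key)).total_seconds())
    return lifetimes


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, s in summarize_by_source(evs).items():
        print(f"{src}: {s.exceeded} queue-limit, {s.pruned} pruned, ports {sorted(s.ports)}, peak {s.max_bytes} bytes")
    for (src, sport), secs in session_lifetimes(evs).items():
        print(f"  {src}:{sport} pruned {secs}s after hitting the queue limit")
```

    Pointing parse_log at the real file (for instance the output of grep 'S5:' on /var/log/messages) gives the same per-source view; a single source repeatedly hitting the server-side queue on 443 with a consistent stale/timeout interval is what the post's log shows.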
  • Wednesday, October 19 2022, 02:02 PM - #Permalink
    Patrick de Brabander wrote:

    Jeff Ratzel wrote:

    Resolved issue with big hammer:


    yum reinstall $(repoquery --requires --recursive --resolve 'snort*')


    My list has also been empty for a few weeks now; it was working normally without any issues and I had some blocks daily.

    Your big hammer is not working for me and gives an error

    Error: Need to pass a list of pkgs to reinstall
    Mini usage:

    reinstall PACKAGE...

    reinstall a package



    The hammer reinstalls all snort (snortsam) packages and all dependencies. (I had apparently had an issue with one of the dependencies on my snort install after installing another package.) This error cannot be ignored and is its own issue, I believe. Sorry it did not work for you.
  • Wednesday, October 19 2022, 01:50 PM - #Permalink
    Jeff Ratzel wrote:

    Resolved issue with big hammer:


    yum reinstall $(repoquery --requires --recursive --resolve 'snort*')


    My list has also been empty for a few weeks now; it was working normally without any issues and I had some blocks daily.

    Your big hammer is not working for me and gives an error

    Error: Need to pass a list of pkgs to reinstall
    Mini usage:

    reinstall PACKAGE...

    reinstall a package
  • Friday, October 14 2022, 01:32 PM - #Permalink
    Resolved issue with big hammer:


    yum reinstall $(repoquery --requires --recursive --resolve 'snort*')
  • Wednesday, May 04 2016, 02:00 AM - #Permalink
    Peter Broch wrote:

    I haven't experienced problems with blocking. Likely because I never received the 27 April signature update. Will it arrive anytime soon?


    The update was released yesterday, so the April 27 update was deprecated.
  • Tuesday, May 03 2016, 11:42 PM - #Permalink
    I haven't experienced problems with blocking. Likely because I never received the 27 April signature update. Will it arrive anytime soon?

    Cheers

    Peter
  • Monday, May 02 2016, 06:29 PM - #Permalink
    Oh - the issue was with the way the back-end handled snort ID mappings. The little test script that we run weekly didn't capture the fwsam tag properly.
  • Monday, May 02 2016, 06:27 PM - #Permalink
    An update was just released today. You can upgrade right away with:

    yum upgrade clearsdn-intrusion-protection
  • Dean Kempe
    Monday, May 02 2016, 12:32 PM - #Permalink
    Community Edition with IP subscription and have the same issue from 27/4.
    Any solution at all?
  • P Jones
    Sunday, May 01 2016, 12:08 PM - #Permalink
  • Saturday, April 30 2016, 04:51 PM - #Permalink
    Since you've subscribed to the rules updates, please can one of you raise a ticket with Clearcenter?
  • Saturday, April 30 2016, 02:20 PM - #Permalink
    I confirm. I'm using ClearOS Home Edition, and since the last intrusion-prevention update no more IPs are banned; before that I had a lot of banned IPs.
    A quick look in /etc/snort.d/rules/clearcenter shows only one alert activates snortsam.

    What I did:
    cat /etc/snort.d/rules/clearcenter/*.rules | grep fwsam:

    and this is what I get:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:6; fwsam: src, 1 day;)


    Every rule that should normally activate snortsam is missing the statement "fwsam: src, 1 day;" at the end of the alert.
    So please, ClearCenter, could you investigate.
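    The grep in the post above is the right check: a rule only feeds the Blocked List if its option block carries fwsam:. As an added example, not code from the thread or from ClearCenter, here is a Python version that parses Snort rule files, lists the sids that carry the option, and diffs two rule sets (for instance the March 24 and April 27 versions) to report which sids lost it in an update. The sample rule sets are constructed: sid 2002993 is the rule quoted in the post, sids 9000001 and 9000002 are placeholders made up for this example, and load_rule_dir assumes the rules live in a directory of *.rules files such as /etc/snort.d/rules/clearcenter.

```python
"""Find which Snort rules hand their matches to snortsam via the 'fwsam:' option, and diff two rule sets."""
import glob
import os
import re
from typing import Dict, List, NamedTuple, Optional

# One rule per line: action, header, then the option block in parentheses.
RULE_RE = re.compile(r'^\s*(alert|drop|log|pass|reject|sdrop)\s+(.*?)\s*\((.*)\)\s*$')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
FWSAM_RE = re.compile(r'(?:^|;)\s*fwsam\s*:\s*([^;]*);')


class Rule(NamedTuple):
    sid: int
    action: str
    msg: str
    fwsam: Optional[str]  # e.g. "src, 1 day"; None when the rule does not trigger snortsam


def parse_rules(text: str) -> Dict[int, Rule]:
    """Parse rule text into {sid: Rule}; comments, blank lines and rules without a sid are skipped."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        action, opts = m.group(1), m.group(3)
        sid_m = SID_RE.search(opts)
        if not sid_m:
            continue
        msg_m = MSG_RE.search(opts)
        fw_m = FWSAM_RE.search(opts)
        sid = int(sid_m.group(1))
        rules[sid] = Rule(sid, action,
                          msg_m.group(1) if msg_m else '',
                          fw_m.group(1).strip() if fw_m else None)
    return rules


def load_rule_dir(path: str) -> Dict[int, Rule]:
    """Parse every *.rules file under a directory (assumed layout, e.g. /etc/snort.d/rules/clearcenter)."""
    rules: Dict[int, Rule] = {}
    for name in sorted(glob.glob(os.path.join(path, '*.rules'))):
        with open(name, encoding='utf-8', errors='replace') as fh:
            rules.update(parse_rules(fh.read()))
    return rules


def blocking_sids(rules: Dict[int, Rule]) -> List[int]:
    """Sids whose rule carries fwsam:, i.e. the only ones that can populate the Blocked List."""
    return sorted(sid for sid, r in rules.items() if r.fwsam is not None)


def lost_fwsam(old: Dict[int, Rule], new: Dict[int, Rule]) -> List[int]:
    """Sids present in both sets that had fwsam: in the old set but not in the new one."""
    return sorted(sid for sid, r in old.items()
                  if r.fwsam is not None and sid in new and new[sid].fwsam is None)


# Constructed sample rule sets. sid 2002993 is the rule quoted in the post; sids 9000001 and
# 9000002 are placeholders made up for this example.
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:6; fwsam: src, 1 day;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"PLACEHOLDER SSH connection burst"; flags:S,12; threshold: type both, track by_src, count 20, seconds 60; classtype:misc-activity; sid:9000001; rev:1; fwsam: src, 1 day;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"PLACEHOLDER informational only"; flow:to_server; classtype:misc-activity; sid:9000002; rev:1;)
"""
# The same rules after a defective update: sid 9000001 lost its fwsam: option.
NEW_RULES = OLD_RULES.replace(' sid:9000001; rev:1; fwsam: src, 1 day;)', ' sid:9000001; rev:2;)')


if __name__ == '__main__':
    old, new = parse_rules(OLD_RULES), parse_rules(NEW_RULES)
    print('blocking sids before:', blocking_sids(old))
    print('blocking sids after: ', blocking_sids(new))
    for sid in lost_fwsam(old, new):
        print(f'sid {sid} ({new[sid].msg!r}) no longer carries fwsam:')
```

    Run against a saved copy of the previous rule directory and the current one, lost_fwsam gives the exact list of sids to quote in a ticket, rather than the bare observation that the Blocked List went quiet.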
  • P Jones
    Saturday, April 30 2016, 12:21 AM - #Permalink
    OK, if I roll back the clearcenter snort rules and the snortsam clearcenter-whitelist.conf file to the March 24 update, the Blocked List starts showing blocked IPs almost immediately, and so does the /var/log/snortsam log.