Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pfBlockerNG aliases in HAProxy?

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    We can back it up with "Backup Files/Dir", or also with a cron job.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG

    @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

    Days ago, I received from MaxMind an email, notifying me that my country has been banned to receive GeoLite City database updates.

    You've found a reason to use a VPN.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts
    K

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG

    @EChondo

    What's your pfSense version?
    The instructions are shown here :

    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can retest / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts
    A

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    689 Topics
    4k Posts
    P

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • SquidGuard ACL

    3
    0 Votes
    3 Posts
    850 Views
    M

    You get a happy face karma for your efforts.  Thanks.  8)

  • Squid and Firewall Rules - FailOver(Help)

    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
  • Snort Reinstall Failure!

    4
    0 Votes
    4 Posts
    941 Views
    bmeeksB

    @pfff:

    Hi

    Thank you so much Bill for all your great work on Snort and Suricata!

    I ran into a problem 1-2 months ago with Snort before I switched to Suricata and just never found the time to report it. I was updating Snort and the installation script proceeded as usual to remove the old package but then my internet connection failed and the new package couldn't be downloaded and the installation aborted leaving me with no Snort at all. Perhaps it would be better to download the package first and only then proceed with the actual installation. I'm not sure if this issue is still present or related to the above post because I can't see the screenshot but I thought I'd report it.

    Suricata is working great, thanks again.

    The process for downloading and installing packages is handled by the pfSense core code.  The packages themselves have no control over that.  There have been suggestions for improvements in this area posted on the pfSense Redmine Bug Tracking site.  One of those suggestions was to first download and verify the new package before removing the old one.

    Bill

  • Blinkled stops working since upgrading to 2.1

    5
    0 Votes
    5 Posts
    1k Views
    N

    Hi,

    Has anyone found a fix for the problem?  I have pfSense 2.1.5-Release with Blinkled 0.4.3.  It installed without problems and ran for a few days before LED 2 or 3 stopped working or started blinking continuously for no reason.

    I need to reboot the unit or go to the Blinkled interface page and click "Save" to get it working again.  This will fail again in a few days time.

  • Varnish on NanoBSD pfSense

    2
    0 Votes
    2 Posts
    557 Views
    N

    No one can answer this simple question? :-[

  • Snort not working

    5
    0 Votes
    5 Posts
    2k Views
    L

    @bmeeks:

    @laptopdude90:

    @bmeeks:

    @laptopdude90:

    Snort is only detecting http_inspect. It's always 'http_inspect: UNKNOWN METHOD' or 'http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE'. I've tried using IDSWakeup, which didn't trigger anything. I also tried an online port scanner, which didn't trigger anything. I have set snort up listening on the WAN port. I should probably note that my ISP requires me to set up a virtual WAN port on VLAN 35, and that is what snort is listening on.

    Screenshots: http://imgur.com/a/BtYoq

    Yes, I have updated the rules, and I have restarted Snort.

    Those are very common false positives.  Did you read the threads here in the Packages sub-forum about generating a Suppress List so that the known false positives don't trigger?  Search this forum for threads about Suppress List generation.

    Do you have blocking enabled on your interfaces?  You set this on the INTERFACE settings tab.

    Bill

    The problem isn't the false positives, it's the fact that they're the only things that trigger.

    What do you mean about this blocking interfaces thing? Where do I find it?

    1.  From the pfSense menu, choose Services…Snort.

    2.  When the Snort tabs appear, either double-click on a selected interface or click the "e" icon to edit that interface.

    3.  The action in #2 above will open a new set of tabs for that specific interface's configuration.  On the SETTINGS tab you will find checkboxes for enabling the blocking of offenders.

    You can see what blocks have been put in place by clicking the BLOCKED tab.

    Where do you have Snort configured? Is it on the WAN interface or another one?  And how specifically did you run the IDSWakeup test?  Did you run that from a remote machine and target the firewall interface where Snort was running?  Depending on where you browse to and the amount of traffic on your network, it is quite common to have few Snort alerts.  For instance, on my home LAN where Snort is configured on the WAN and LAN, I get maybe one LAN alert per week because there is just me and my wife surfing and we have only a few favorite sites we visit.  On the WAN side I get a number of alerts per hour from some IP blacklists using the IP REPUTATION preprocessor.

    Bill

    Blocking is turned off. Snort is configured on the WAN interface. I ran the test from my father's network on my linux laptop, directed toward my IP.

  • Squid3-dev SSL MITM Proxy Mode Not Working

    1
    0 Votes
    1 Posts
    830 Views
    No one has replied
  • Cron Package - Add label to scheduled command?

    1
    0 Votes
    1 Posts
    548 Views
    No one has replied
  • How do I get squid to work with OpenVPN clients

    1
    0 Votes
    1 Posts
    763 Views
    No one has replied
  • Slow speed on "some?" pages. SQUID

    3
    0 Votes
    3 Posts
    1k Views
    R

    Hi, thanks for your reply.

    I changed "Memory cache size" from 8 to 512, and after that it started loading pages at exceptional speed, then changed it back to 8 just to test and it kept loading the page fast.

    Weird behavior, since I have had the "Hard disk cache system" set to null this whole time.

    Anyway, it's working fine and I have no idea why  :-X :-\

    Thanks for the help.

  • FreeRadius 2.X & OTP Authentication

    4
    0 Votes
    4 Posts
    2k Views
    R

    Sorry, I can't remember what I did to make it work. It was a very stupid misconfiguration…  Can you show me your configuration? I will tell you what's different from mine.

  • Add packages to pfs 2.1.5?

    4
    0 Votes
    4 Posts
    1k Views
    BBcan177B

    You should probably use the 8.3 link instead for future pkg adds. When you install a pkg, you might need to run the following command (your reboot also fixed it) after you install the pkg for the pkg to be accessible.

    rehash

  • Bacula-client service fails to start on boot

    4
    0 Votes
    4 Posts
    3k Views
    D

    My fix:

    mkdir /usr/local/bacula/
    chown bacula:bacula /usr/local/bacula

    Run vipw from the command line and adjust the home directory for bacula to be the above mentioned directory.

    That is insufficient to get the correct WorkingDirectory value in bacula-fd.conf file.

    The path, /var/db/bacula is hardcoded at https://packages.pfsense.org/packages/config/bacula-client/bacula-client.inc

    Is that the problem?  I believe so.  If I edit /usr/local/pkg/bacula-client.inc and put the new path in there, the correct configuration is saved.

    In addition, all instances of BACULA_LOCALBASE . /etc/bacula-fd.conf in /usr/local/pkg/bacula-client.inc need to be BACULA_LOCALBASE . /etc/bacula/bacula-fd.conf

    NOW it runs:

    [2.1.5-RELEASE][admin@pfsense.unixathome.org]/cf(110): ps auwx | grep bacula
    root    6659  0.0  0.3 28864  5756  ??  Is  12:56PM  0:00.00 /usr/pbi/bacula-amd64/sbin/bacula-fd -u root -g wheel -v -c /usr/pbi/bacula-amd64/etc/bacula/bacula-fd.conf
    root    9672  0.0  0.1  6088  1400  1  R+  12:56PM  0:00.00 grep bacula

    In addition, the code seems to append -dir to the Director Name via pkg_edit.php?xml=bacula-client.xml&act=edit&id=0

    Hope this helps to fix this bug.

  • Snort 2.9.6.2 update 3.1.2 stopped working

    18
    0 Votes
    18 Posts
    2k Views
    G

    Hi,

    I don't know how, but it took a while; now it is working fine as I had it before.

    Solved!

  • New package submitted for OSSEC server

    8
    0 Votes
    8 Posts
    5k Views
    E

    Hello all, that's good news. I'm waiting to test this package.
    Where can I download it?

  • Youtube Dynamic and Update Caching breaks caching

    1
    0 Votes
    1 Posts
    758 Views
    No one has replied
  • [help] lightsquid package in pfsense error in running

    8
    0 Votes
    8 Posts
    2k Views
    A

    Hi, thanks for the answer, but it does not solve my problem… I don't want to use the sarg report, or maybe I will try it later, but for now I'm looking for a solution to this error. Thanks a lot...

  • Snort not holding settings

    7
    0 Votes
    7 Posts
    1k Views
    BBcan177B

    @wbennett77:

    Thanks BBcan177,
    Once last question re snort. If I have the IPS policy set to Connectivity or Balanced and "Block Offenders" disabled does that make Snort just a logger or is it still protecting against the IPS policy chosen?
    Thanks!

    You have to enable "Blocking" for it to actually protect your network, or it's just going to alert only.

    I suggest "Block Offenders", "Kill States" and "Block Both"

  • Snort 2.9.6.2 pkg v3.1.2 Update – Release Notes

    21
    0 Votes
    21 Posts
    3k Views
    A

    As an update… thanks for the replies guys.  I finished the HA cluster upgrade from 2.0.3 to 2.1.5 this morning (everything went perfectly).  I definitely didn't want to customize the installation by trying to get snort to work on 2.0.3.

  • Pfsense 2.1.5 haproxy-devel install issue + fix

    4
    0 Votes
    4 Posts
    1k Views
    P

    Hi pjkenned,

    Thanks.

    I never thought a config that small (basically nothing configured yet, no frontends / no backends) would cause such a big problem (php process 'crashes' in the background), even though when the haproxy configuration is completely absent there apparently is no problem.

    Sent a pull request https://github.com/pfsense/pfsense-packages/pull/720 to fix this issue. It will probably get pulled later today.

    Thanks for reporting the issue & providing the info required to fix it.

    Kind regards PiBa-NL

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.