Netgate Discussion Forum

    Snort and Suricata problems with the new PHP 8.1 and FreeBSD Main Snapshots

      bmeeks @nhscan

      @nhscan, I am aware of the issue. It was caused by an upstream change in the FreeBSD ports tree. There is an open pfSense Redmine Issue here: https://redmine.pfsense.org/issues/13623. I am waiting on the Netgate developer team to tell me which of the available options for correcting this issue is best for the long term.

        nhscan @bmeeks

        @bmeeks Thank you so much!

          nhscan @bmeeks

          @bmeeks It also happens with Suricata, but I'm sure you're aware of that. Again, thank you for the information and your help; just glad somebody's looking into it. Thanks again.

            bmeeks @nhscan

            @nhscan said in Snort and Suricata problems with the new PHP 8.1 and FreeBSD Main Snapshots:

            @bmeeks It also happens with Suricata, but I'm sure you're aware of that. Again, thank you for the information and your help; just glad somebody's looking into it. Thanks again.

            Yes. Anything using lua is going to be impacted by that upstream FreeBSD change.

              nhscan @bmeeks

              @bmeeks Is there any update? After reading some of the bug reports, it looked like Snort ver 4.1.6_1 snort-2.9.20_1 was the PHP fix; however, I am still unable to install it, still getting this for an error. I am running Current Base System 2.7.0.a.20221118.0600

              Installing pfSense-pkg-snort...
              Updating pfSense-core repository catalogue...
              pfSense-core repository is up to date.
              Updating pfSense repository catalogue...
              pfSense repository is up to date.
              All repositories are up to date.
              Checking integrity... done (2 conflicting)

              - luajit-devel-2.1.0.20221004_1 [pfSense] conflicts with luajit-openresty-2.1.20220915 [installed] on /usr/local/bin/luajit
              - luajit-devel-2.1.0.20221004_1 [pfSense] conflicts with luajit-openresty-2.1.20220915 [pfSense] on /usr/local/bin/luajit
              Checking integrity... done (0 conflicting)
                The following 12 package(s) will be affected (of 0 checked):

              Installed packages to be REMOVED:
              lua-resty-core: 0.1.23
              lua-resty-lrucache: 0.13
              luajit-openresty: 2.1.20220915
              nginx: 1.22.0_9,3
              pfSense: 2.7.0.a.20221118.0600

              New packages to be INSTALLED:
              daq: 2.2.2_3 [pfSense]
              libdnet: 1.13_3 [pfSense]
              libpcap: 1.10.1_2 [pfSense]
              luajit-devel: 2.1.0.20221004_1 [pfSense]
              pfSense-pkg-snort: 4.1.6_1 [pfSense]
              snort: 2.9.20_1 [pfSense]

              Installed packages to be REINSTALLED:
              pkg-1.18.4_1 [pfSense]

              Number of packages to be removed: 5
              Number of packages to be installed: 6
              Number of packages to be reinstalled: 1

              The process will require 3 MiB more space.
              pkg-static: Cannot delete vital package: pfSense!
              pkg-static: If you are sure you want to remove pfSense,
              pkg-static: unset the 'vital' flag with: pkg set -v 0 pfSense
              Failed

              bmeeksB 2 Replies Last reply Reply Quote 0
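
The transcript in the post above shows the file conflict on /usr/local/bin/luajit and a removal list that includes the pfSense package itself. The following is an added example, not code from the thread or from pfSense: a shell check that reads such a transcript and stops when a protected package would be removed. The function names and the protect list are assumptions, and the transcript is a constructed copy of the quoted output; on a live system it would come from a dry run such as `pkg install -n`.

```shell
#!/bin/sh
# Added example (not from the thread): read a pkg(8) install transcript and
# refuse to go on when it would remove a protected package.
# SAMPLE_PLAN is constructed from the output quoted in the post above.
SAMPLE_PLAN='Checking integrity... done (2 conflicting)
  - luajit-devel-2.1.0.20221004_1 [pfSense] conflicts with luajit-openresty-2.1.20220915 [installed] on /usr/local/bin/luajit
  - luajit-devel-2.1.0.20221004_1 [pfSense] conflicts with luajit-openresty-2.1.20220915 [pfSense] on /usr/local/bin/luajit
Checking integrity... done (0 conflicting)
The following 12 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
    lua-resty-core: 0.1.23
    lua-resty-lrucache: 0.13
    luajit-openresty: 2.1.20220915
    nginx: 1.22.0_9,3
    pfSense: 2.7.0.a.20221118.0600

New packages to be INSTALLED:
    luajit-devel: 2.1.0.20221004_1 [pfSense]
    pfSense-pkg-snort: 4.1.6_1 [pfSense]
    snort: 2.9.20_1 [pfSense]
'

# Names listed under "Installed packages to be REMOVED:", one per line.
plan_removed() {
    awk '
        /to be REMOVED:/              { in_rm = 1; next }
        /^[ \t]*$/ || /to be [A-Z]+:/ { in_rm = 0 }
        in_rm { sub(/^[ \t]+/, ""); sub(/:.*/, ""); print }
    '
}

# Distinct file paths that two packages both claim (the reported conflicts).
plan_conflict_paths() {
    awk '/ conflicts with / && / on \// { print $NF }' | sort -u
}

# plan_check PLAN "name1 name2 ...": return 1 if PLAN removes a protected name.
plan_check() {
    hit=""
    for name in $(printf '%s\n' "$1" | plan_removed); do
        case " $2 " in *" $name "*) hit="$hit $name" ;; esac
    done
    if [ -n "$hit" ]; then
        echo "BLOCK: plan would remove protected package(s):$hit"
        echo "conflicting path(s): $(printf '%s\n' "$1" | plan_conflict_paths)"
        return 1
    fi
    echo "OK: no protected package is removed"
}

# Demo on the constructed transcript; "pfSense nginx" is an assumed protect list.
plan_check "$SAMPLE_PLAN" "pfSense nginx" || true
```

In the thread, pkg's own vital flag is what stopped the removal; a check like this reports the same condition from the plan itself and names the conflicting path.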
                bmeeks @nhscan

                @nhscan said in Snort and Suricata problems with the new PHP 8.1 and FreeBSD Main Snapshots:

                @bmeeks Is there any update? After reading some of the bug reports, it looked like Snort ver 4.1.6_1 snort-2.9.20_1 was the PHP fix; however, I am still unable to install it, still getting this for an error. I am running Current Base System 2.7.0.a.20221118.0600

                Unfortunately, no news yet from the Netgate team. I suspect they are sort of covered up with bug fixes in the base system, and issues with add-on packages are taking a back seat at the moment. I will bump them up again to get a status.

                  bmeeks @nhscan

                  @nhscan, the problem with library dependency errors when trying to install the latest Snort package on pfSense DEVEL snapshots should be fixed in the next snapshot build.

                  The fix was merged about 11:00 AM Eastern Time (USA) on 11/23/2022. So the fix should be in any snapshot update with a date and time after that time.

                    RabidSasquatch @bmeeks

                    @bmeeks Does a similar change need to be made to the Suricata makefile as well? The pull request appears to apply only to Snort.

                      bmeeks @RabidSasquatch

                      @rabidsasquatch said in Snort and Suricata problems with the new PHP 8.1 and FreeBSD Main Snapshots:

                      @bmeeks Does a similar change need to be made to the Suricata makefile as well? The pull request appears to apply only to Snort.

                      Yeah, probably so. Forgot about that one. I'll get one created in the next few days and submitted.

                        bmeeks @RabidSasquatch

                        @rabidsasquatch said in Snort and Suricata problems with the new PHP 8.1 and FreeBSD Main Snapshots:

                        @bmeeks Does a similar change need to be made to the Suricata makefile as well? The pull request appears to apply only to Snort.

                        I submitted a fix for Suricata as well for the luajit-openresty library conflict. It was merged around 10:00 AM US Eastern on 11/28/2022, and so will appear in the next snapshot build after that time. The new Suricata binary version will be 6.0.8_2 (updated from 6.0.8_1).

                          NollipfSense @bmeeks

                          @bmeeks Suricata 6.0.8_2 not working (2.7) and log doesn't say why, just refresh and that does nothing...

                          Screenshot 2022-12-15 at 12.09.04 PM.png

                          Screenshot 2022-12-15 at 12.08.20 PM.png

                          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                            bmeeks

                            Have you checked the pfSense System Log for anything that might be logged there?

                            I just fired up my 2.7.0 Snapshot Virtual Machine with Suricata installed and everything came up fine. Here is a screenshot of Suricata running on the WAN --

                            Suricata_instance_running.png
                            If Suricata does not get far enough along in its startup to create the suricata.log file and write to it, then something pretty drastic is messed up on the box.

                            You can check the System Log to see what may be logged there. You could also try a remove and reinstall operation with the Suricata package.

                              NollipfSense @bmeeks

                              @bmeeks said in Snort and Suricata problems with the new PHP 8.1 and FreeBSD Main Snapshots:

                              You can check the System Log to see what may be logged there. You could also try a remove and reinstall operation with the Suricata package.

                              I only reinstalled once but did not completely remove before the reinstall... all the pfSense system log says is that Suricata was stopped then upgraded. Will remove, reinstall, and report back.

                              Dec 15 11:37:34 pkg-static 67395 suricata upgraded: 6.0.8_1 -> 6.0.8_2
                              Dec 15 11:37:34 SuricataStartup 76447 Suricata STOP for WAN(25152_em0)...

                                bmeeks @NollipfSense

                                @nollipfsense, you are likely hitting the issue I described in this post way back at the top of this thread: https://forum.netgate.com/topic/174915/snort-and-suricata-problems-with-the-new-php-8-1-and-freebsd-main-snapshots/5.

                                The problem is with pkg in pfSense and not with the Suricata (or Snort) packages themselves. There are also other pfSense packages that are currently impacted by this issue. The Netgate team is looking into it.

                                  NollipfSense @bmeeks

                                  @bmeeks Okay, I removed, reinstalled, same; then removed settings, removed, rebooted, then reinstalled and got the same result. One thing I noticed after the clean install was that service status was showing Suricata had not started despite Suricata not having been enabled or configured.

                                    bmeeks @NollipfSense

                                    @nollipfsense said in Snort and Suricata problems with the new PHP 8.1 and FreeBSD Main Snapshots:

                                    @bmeeks Okay, I removed, reinstalled, same; then removed settings, removed, rebooted, then reinstalled and got the same result. One thing I noticed after the clean install was that service status was showing Suricata had not started despite Suricata not having been enabled or configured.

                                    Did you perform the steps outlined in the post I referenced from earlier? If not, go to Post #5 in this thread and perform the steps listed there after installing the package. Or, reboot your firewall after installing the package. Either of those steps will clear the block that the pkg utility gets itself locked into when attempting to start a daemon as part of package installation.

                                    If Suricata is installed, it is perfectly normal for it to show up in the Services Status widget as it installs its binary part as a service that is started by the OS at boot.

                                      NollipfSense @bmeeks

                                      @bmeeks So, I played around by reinstalling even though I never experienced any hanging and always got the green success bar. Same as before, not showing it started, except this time pfSense system logs show Suricata started:

                                      Dec 15 22:11:03 php-fpm 365 Starting Suricata on WAN(em0) per user request...
                                      Dec 15 22:11:03 php 57998 [Suricata] Updating rules configuration for: WAN ...
                                      Dec 15 22:11:03 php 57998 [Suricata] Building new sid-msg.map file for WAN...
                                      Dec 15 22:11:03 php 57998 /tmp/suricata_em048136_startcmd.php: Configuration Change: (system): Removed cron job for suricata_check_for_rule_updates.php
                                      Dec 15 22:11:03 check_reload_status 394 Syncing firewall
                                      Dec 15 22:11:03 php 57998 [Suricata] Suricata START for WAN(em0)...

                                        NollipfSense

                                        So, after several updates, the Nov 24, 2022 snapshot instance wasn't changing the result with Suricata. I completely deleted the instance and installed the Dec 23, 2022 snapshot and restored from backup... glad to report all is good.
