Disabling snort after a few minutes version 4.1.6_13
-
@NSuttner Sorry I confused that thread and https://forum.netgate.com/topic/184112/important-snort-and-suricata-package-announcement-probable-bug-in-legacy-blocking-module/ mentioned above. The "signal 11" issue with Snort was fixed already per that thread.
I think 4.1.6_14 is only available on 23.09/2.7.1...? If I set my branch to Previous Stable I see Snort version _13.
-
@SteveITS yes, that is only available in 23.09, I can confirm. I am using 23.05.01 and Snort .11; the only version you can update to is .13. Is there a way to disable that version? It is still available in 23.05.01 with the restart issues.
-
@SteveITS Unchecking KILL States doesn't help. I will upgrade to the newest version 23.09 and Snort 4.1.6_14, but this is hard for me because I have some CARP machines running! Thanks for your help. Regards, Norbert
-
@NSuttner I also could not get Snort to work on 23.09 for my official ARM SG2100 Netgate appliance. I cannot even access the GUI when Snort is enabled and running AppID with the full text rules attached here:
1696920726080-textrules2 (1).txt
If I uninstall Snort I can access the GUI.
I had to stay a pfSense version back, and that version still lists the broken Snort package as an available update item. At this point we know that version .13 is broken; shouldn't it be unavailable to download? With the known bug that was introduced, shouldn't it block that Snort version on 23.05.01, as it is still used by some users?
-
@NSuttner unchecking Kill States is a fail-open for the firewall; it defeats the IPS with it set to off.
Squid and now Snort, we see it coming. Come on team... We need some new generation of programmers like me... But I am still in school. We don't want a Netgate post to state that it is deprecated. What if.... Cisco or Palo Alto broke it because Netgate became too epic and was making the perfect everything bagel 🥯 firewall, they couldn't beat open source community members so they broke it... Could happen...
I pay for the Snort rulesets and it is messed up for 23.09.
Side note: I am all doom and gloom because of Squid, Squidlite, SquidGuard.
-
@JonathanLee said in Disabling snort after a few minutes version 4.1.6_13:
shouldn't it be unavailable to download. .13
The package repo is intended to go with the matching pfSense version. Typically package updates are made to "current" and the older versions of pfSense are not updated.
This is also why people get confused, and, for example, while on 23.05 and the Current branch they look at a package list today and upgrade Snort, which will install updates and dependencies assuming the router is on 23.09, and break pkg and other things. In the past it used to happily pull in a new PHP version and break the GUI, but Netgate has blocked that at least.
-
@JonathanLee said in Disabling snort after a few minutes version 4.1.6_13:
What if .... Cisco or Palo Alto broke it because Netgate became to epic, and was making the perfect everything bagel 🥯 firewall, they couldn't beat open source community members so they broke it... Could happen...
This is patently ridiculous and completely uncalled for here.
You don't seem to understand that programmers giving of their time and effort for no pay to create and support open source software offered to the public for free eventually lose interest in what they created. They get burned out. There is no monetary reward, and ultimately their interest shifts elsewhere. That's what happened with Squid and the other packages from the Squid family.
Cisco, Palo Alto and others will gladly sell you similar products and provide complete support for them -- if you are willing to pay their price. They use the money received from paying customers to pay their programmers to maintain the software and support staff to help paying customers. Nobody is working for free.
Cisco/Talos now offers Snort3. That is their update from Snort 2.9.x. Just like Microsoft went from Windows 98 up through now Windows 11, the same is true with Snort. They now support Snort3 -- a complete rewrite of the original application from the ground up to be multithreaded.
The Snort package on pfSense is based on Snort 2.9.x, the soon to be deprecated old single-threaded version of Snort. The Snort3 binary will run just fine on pfSense, so Cisco did not "break it" to force any kind of move. That's why I said your assertion is ridiculous. The issue with Snort3 on pfSense is I have zero interest in modifying all the Snort GUI code and rewriting the custom blocking plugin (which is used only on pfSense and nowhere else) to convert over to Snort3. I worked on it two different times over the last three years and it just did not appeal to me.
The difficulty of migrating existing Snort 2.9.x settings from the pfSense GUI into the new format needed for Snort3 was a ton of work, and I just got burned out and did not see the point. Suricata is already multithreaded, and keeping up with updates there is not nearly as hard for now, as nothing requires a rewrite from the ground up. So, my plan is to let Snort 2.9.x die like Squid. If someone wants to take over the Snort package, they are welcome to do so. Every bit of the required source code lives on GitHub and is available to anyone. Anyone can also start up a Snort3 package if they want to and submit it to Netgate for review and merge into the package repo.
It is completely unreasonable to expect Netgate to put in all the time and effort required to migrate over to Snort3 and then turn around and offer that as a free package on CE (and maintain it in the future). The only thing that would make sense for them is to offer something like that as a paid add-on extra for Plus. That's how I would do it were I running Netgate.
-
@bmeeks I appreciate all you do. I would donate some money to you. I completely understand. I hope to help with future issues; however, my programming skillset is not there... yet. I am still a student. I get overly excited to work on something like this. Even just to be working on the skillset, searching for issues, maybe that is why I am constantly looking for issues and items; it's because I want to help, and I will soon. It's like a big puzzle.
Yes, thank you for all you do. It's not like I am running a huge business, or some epic server is protected. For me it's all educational purposes. How can one even learn this... Simply by doing. I mean this code is available to everyone, but again very few understand it and very few can code it.
What you have done works wonders. I picture this running in a small business, or a coffee shop. Someone put this product into a store that can never afford some big ticket item. Yes, that's the issue: big offices get the protection and remote workers don't, as they work at home. Netgate fills that gap. But how do you all get paid... For a student like me it's a puzzle; for a retired professional or someone donating time it's altruistic and based on goodwill. Sorry, I always thought you worked for Cisco or Netgate. But you're just like me, someone who likes puzzles.
-
@bmeeks thank you for all you do.
I don't even understand what IDE is being used within GitHub yet. I use an IDE for Java, but something like pfSense runs on a cross-platform product that compiles on many other machines. I don't know how you would see it debug; it is virtual machines in GitHub that run. I will eventually get to an understanding of it. I got the code side down, but how you can debug and test items, that is the foggy area for me.
I know Snort works with the good AppID text rules; here they are. I created a Java program to convert them. I am sure you have seen this on other posts. I think you even pay for GitHub virtual machine use, right?
-
@JonathanLee said in Disabling snort after a few minutes version 4.1.6_13:
I don't even understand what IDE is being used within GitHub yet.
GitHub is not an IDE. It is a source code repository and versioning system. It has both command-line and GUI interfaces. It's called GitHub because it's based on the git development tool described here: https://git-scm.com/.
-
@JonathanLee said in Disabling snort after a few minutes version 4.1.6_13:
Sorry I always thought you worked for Cisco or Netgate.
Nope. Worked for a Fortune 500 electric utility for 36 years in various roles with my last being an IT Security Analyst for three of their nuclear power plants. My job was designing and implementing intrusion detection and prevention systems for critical plant control system networks to meet the requirements of NRC cyber rule 10 CFR 73.54 and Reg Guide 5.71 (and a couple of NEI 08-09 and 10-04 revisions).
I first started with pfSense in probably 2009 or so. I really don't remember precisely. After using pfSense for a while and installing Snort, I wanted Snort to have the ability to automatically resolve flowbit dependencies; but the feature was not part of the Snort package. I created the code to do that and submitted it to the pfSense developers at the time for review and possible merge. They accepted my changes and it just took off from there. The original Snort package creator had abandoned it (maybe due to burn out like I mentioned in my other post). Back then Chris Buechler was in charge of pfSense. Over the ensuing years I became the maintainer of Snort on pfSense.
In 2014, the same year I retired from my nuclear electric utility job, Emerging Threats offered to pay me a one-time contract fee to develop a Suricata package for pfSense. I took them up on the offer and created Suricata on pfSense. I've also maintained it since. That's the only money I've ever made from my open source software efforts.
But things have changed over the years. For starters, I'm much older now and have other competing interests. And the mechanism for building and testing packages has become much harder than it used to be. The introduction of pfSense Plus and its proprietary nature means I can no longer build and test packages for Plus in my private repo like I can for CE. That is becoming a bigger issue now because I can't build and test debug packages for Plus (even if I had a Plus test environment, which I do not). And as Plus continues to diverge from CE, this lack of an ability to build and test debug packages for Plus will be a larger stumbling block.
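-
The flowbit dependency resolution bmeeks mentions above (enable any disabled rule that sets a flowbit some enabled rule checks, so the checking rule can ever fire) is a concrete enough technique to show in code. The block below is an added example written for this page; it is not the pfSense Snort package's own implementation, which lives on GitHub as he says. The rules in SAMPLE_RULES are constructed for the example, and their SIDs and flowbit names are made up.

```python
import re
from typing import List, Set, Tuple

# Constructed sample Snort 2.9-style rules for this example. The SIDs and
# flowbit names are made up and do not come from any published ruleset.
# A leading "#" marks a disabled rule, as in Snort rule files.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login seen"; content:"USER"; flowbits:set,ftp.login; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC after login"; content:"SITE EXEC"; flowbits:isset,ftp.login; sid:9000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Client hello seen"; content:"hello"; flowbits:set,http.hello; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"No flowbits at all"; content:"foo"; sid:9000004; rev:1;)
# alert tcp any any -> any any (msg:"stage 1"; content:"s1"; flowbits:set,stage1; flowbits:noalert; sid:9000005; rev:1;)
# alert tcp any any -> any any (msg:"stage 2"; content:"s2"; flowbits:isset,stage1; flowbits:set,stage2; flowbits:noalert; sid:9000006; rev:1;)
alert tcp any any -> any any (msg:"stage 3"; content:"s3"; flowbits:isset,stage2; sid:9000007; rev:1;)
"""

# flowbits:<op>[,<name>[,<group>]] ; the name may be several bits joined by & or |
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?", re.I)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

# Operators that make a flowbit true, and operators whose rule depends on one.
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}


class Rule:
    """One rule line, with the flowbits it sets and the flowbits it checks."""

    def __init__(self, line: str) -> None:
        stripped = line.strip()
        self.enabled = not stripped.startswith("#")
        self.body = stripped.lstrip("#").strip()
        m = SID_RE.search(self.body)
        self.sid = int(m.group(1)) if m else None
        self.sets: Set[str] = set()
        self.checks: Set[str] = set()
        for op, arg in FLOWBITS_RE.findall(self.body):
            if not arg:
                continue  # e.g. flowbits:noalert has no bit name
            names = {n.strip() for n in re.split(r"[&|]", arg) if n.strip()}
            if op.lower() in SETTERS:
                self.sets |= names
            elif op.lower() in CHECKERS:
                self.checks |= names

    def render(self) -> str:
        return self.body if self.enabled else "# " + self.body


def parse_rules(text: str) -> List[Rule]:
    """Keep only lines that carry a sid; blank lines and plain comments are dropped."""
    return [Rule(ln) for ln in text.splitlines() if SID_RE.search(ln)]


def resolve_flowbit_dependencies(rules: List[Rule]) -> List[int]:
    """Enable every disabled rule that sets a flowbit some enabled rule checks.

    Loops until nothing changes, so a chain (A sets bit1; B checks bit1 and
    sets bit2; C checks bit2) is resolved all the way back. Returns the SIDs
    that were switched on, in the order they were enabled.
    """
    newly_enabled: List[int] = []
    changed = True
    while changed:
        changed = False
        needed: Set[str] = set()
        for r in rules:
            if r.enabled:
                needed |= r.checks
        for r in rules:
            if not r.enabled and r.sets & needed:
                r.enabled = True
                newly_enabled.append(r.sid)
                changed = True
    return newly_enabled


def auto_enable_flowbits(text: str) -> Tuple[str, List[int]]:
    """Return the rewritten rules text and the list of SIDs that were enabled."""
    rules = parse_rules(text)
    enabled = resolve_flowbit_dependencies(rules)
    return "\n".join(r.render() for r in rules) + "\n", enabled


if __name__ == "__main__":
    new_text, enabled = auto_enable_flowbits(SAMPLE_RULES)
    print("Enabled SIDs:", enabled)
    print(new_text)
```

With the sample input, sid 9000002 needs ftp.login, so 9000001 is enabled; 9000007 needs stage2, which enables 9000006, and that rule in turn needs stage1, so 9000005 is enabled on the second pass. Rule 9000003 stays disabled because nothing enabled checks http.hello. The same pass is worth running after any policy change that disables rules, since disabling a setter silently breaks every rule that depends on it.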
-
@bmeeks Thanks for sharing.
I worked in IT for 15 combined years, even held some government clearances at one time: DOJ, SSA, and TNET. The amount of 16-hour shifts I did early on in my life limited many core social friendships. I quit once the company I worked for would not give me a regular schedule when my kid started Kindergarten. I just assumed I would get one after the many years. So I put my three weeks in. It was sad after 13 years there and many 16s, even 10 years without a holiday; the last thing I was told by the new manager was: get Jon the @#@# out of here, take him home. No goodbyes, no card, after they even deleted half a week off my last check. Very toxic work environment. I went back to school even in my old age, and I was able to share and spread knowledge with a younger generation. All the scary situations I was in, it was just sad.
Anyway looking forward I can't wait to learn C soon.