Snort messing up
-
Ok, whenever I change anything in the config with snort, the service stops. Shelling into the pfSense box and going to /usr/local/etc/rc.d and running "./snort.sh start" comes back with an error:
./snort.sh: 8: Syntax error: ";" unexpected
Looking at line #8:
/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c;sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i nfe0 -A fast ;sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert
Now, mind you, after this, I uninstall snort, reinstall it, redownload my snort rules and it works fine. But when I change anything under the settings, it comes back with this error.
This is on:
2.0-ALPHA-ALPHA
built on Sat Feb 14 02:32:54 EST 2009
FreeBSD 7.1-RELEASE-p2
Only other packages I have are bandwidthd and imspector.
Also, in order for me to get into snort I have to put a '&' before id=0 at the end of the URL:
When I click on Snort under Services, the URL it goes to is this:
http://192.168.1.1/pkg_edit.php?xml=snort.xmlid=0
changing it to
http://192.168.1.1/pkg_edit.php?xml=snort.xml&id=0
and it's fine.
-
I'd also like to state that I seem to be having this problem as well. Snort stopping. Maybe it has something to do with the fact that it won't update, maybe there is an underlying problem that is causing both. Either way I don't see any errors in my system logs and I did post @ http://forum.pfsense.org/index.php/topic,12190.0.html in regards to my update problem.
-
The snort updates seem to be working a lot better now with the 2.0 updates. The update screen actually shows the progress.
-
ahh, very very nice. So how is 2.0 working out for you? If Snort is working on 2.0 I may update over to 2.0 but how buggy is it?
-
Not too bad buggy. It's tolerable so far. I can work around most bugs but this snort issue where it's taking the '&' before id=0 in the URL is killing me. I have however traced it down to something in the pfSense main files that's mangling the URL and not putting the '&' in. Somehow it's not translating the & correctly in its subfunction.
What I've found on this is that under /usr/local/pkg, if you look at snort.xml and miniupnpd.xml they both show the same URL sequence '&id=0'.
However, miniupnpd.xml is in pfSense by default so the subfunction is already present. When pfSense goes to packages that are not loaded by default, the '&' gets removed somehow in the subfunction. I'm still looking into it. I don't think it's a package maintainer's fault on this one because BandwidthD does this as well. Plus ANY installed package that has the & in the URL is not getting through the subfunction in pfSense.
-
Hi,
I've got the problem of the disappearing & when calling xmlrpc functions (backup_config_section). I am still on 1.2.2. Is there any news on this problem?
Thanks,
Jean-Marie.
-
Snort 2.8.4.1 pkg v. 1.3 is working great for me on
1.2.3-RC2
built on Tue Jun 16 00:34:36 EDT 2009
Some of you guys run snort with more than one interface with lots of rules on low end systems.
Maybe that's why you're seeing buggy behaviour.
Question: are you guys using Snort 2.8.4.1 pkg v. 1.3?
I have never used snort in 2.0, but I'll look into it tonight.
I'm not seeing missing "&" in "http://192.168.1.1/pkg_edit.php?xml=snort.xml&id=0".
This looks like an error that's outside of the snort package.
James
-
Indeed, this is not snort related. This seems to be a bug in libxml. I wrote a post on what I found here: http://forum.pfsense.org/index.php/topic,17113.0.html
Jean-Marie.
-
Glad I found this thread!
My Snort is messing up too (2.8.4.1 pkg v. 1.3) running on 1.2.2. I have my oink code in there and the rules updated but whenever I start the service, it starts "running". If I simply click on anything that has to do with the service (Services – Snort), or if I even click on a tab to configure it, I then go and check in the other tab (Status – Services) it always seems to be "stopped". Would anyone have any ideas what might be causing that? I previously had Squid installed but I've since uninstalled it as I wasn't really seeing the benefit of having it running. The reason I mention that is that I've read in another thread that squid and snort don't seem to get along very well together. Any ideas or suggestions would be appreciated!
-
Hi,
I have had a problem with my snort from the beginning. Every time I reboot pfSense, snort stops working. Basically what I found is that snort loads itself into memory at startup but it doesn't work. If I wish for snort to work I have to manually clear the Alert logs. After that snort reboots itself and starts working. Does anyone else have the same problem? Is there any way to make that happen automatically?
I use the latest version of pfSense and snort (1.2.3-RC2 built on Wed Jul 8 06:05:02 EDT 2009, Snort 2.8.4.1 pkg v. 1.4). I am testing snort with grc.com.
Thx for answers…