Netgate Discussion Forum

Snort Problem !!!!!

pfSense Packages
17 Posts 3 Posters 6.5k Views
DigitalJer

      I am also having the exact same problem.

Installed Snort 2.8.4.1 pkg v. 1.4 via the Packages module in the pfSense 1.2.2 GUI, updated the rules manually (as per the wiki, as the GUI times out), rebooted pfSense - but the Snort service won't start, and when clicking the Rules tab, this error appears at the top of the webgui:

Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort_rules.php on line 101
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 35
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 36
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 37
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 38
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 39

…if it helps, I'm running pfSense on a Nokia IP330 (AMD K6 II-400, 256 MB RAM, 20 GB HD).

      Also, just noticed this error in the Diagnostics / System log:

      snort[48048]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.

      –------------------------------------------------
      2.4.3-RELEASE (amd64)
      built on Mon Mar 26 18:02:04 CDT 2018
      FreeBSD 11.1-RELEASE-p7
      VM in ESXi 5.5
      1 x 1000baseTX (WAN)
      1 x 1000baseTX (LAN)

jamesdean

@DigitalJer:

I'm running an Alix 2d3 at 500 MHz with 256 MB RAM. Rule updates take 5 minutes. How long are you waiting for the rule updates to finish?

        Please post the output of

        ls /usr/local/etc/snort/

        and

        ls /usr/local/etc/snort/rules

        James

DigitalJer

          An Alix, sweeeet, I'd like to get my hands on a WRAP board to install in my car (dual wifi radios).

Sorry, the proc in my Nokia IP330 is a K6-II 500, not K6-II 400.

The GUI seems to time out at extraction - at about the 9 minute mark, give or take 10 - 20 seconds.

Dunno if this means anything, but with top running in an SSH session, bsdtar keeps running for several minutes after the GUI times out.

          ls /usr/local/etc/snort/

          classification.config          sid-msg.map-sample
          classification.config-sample    snort.conf
          gen-msg.map                    snort.conf-sample
          gen-msg.map-sample              threshold.conf
          reference.config                threshold.conf-sample
          reference.config-sample        unicode.map
          rules                          unicode.map-sample
          sid-msg.map

          …and

          ls /usr/local/etc/snort/rules

          doc            etc            rules          so_rules

          Thanks James.  Been struggling and searching for a while before posting…pretty sure I've just missed something silly.


jamesdean

            NP DigitalJer

The GUI errors you get are because the rules have not been extracted to /usr/local/etc/snort/rules.

Don't touch the GUI; do this for me.

            rm /usr/local/etc/snort/rules/*

            and

            ls /tmp/snort_rules_up/

            James

DigitalJer

              rm /usr/local/etc/snort/rules/*

              rm: /usr/local/etc/snort/rules/doc: is a directory
              rm: /usr/local/etc/snort/rules/etc: is a directory
              rm: /usr/local/etc/snort/rules/rules: is a directory
              rm: /usr/local/etc/snort/rules/so_rules: is a directory

              ..and

              ls /tmp/snort_rules_up/

              etc                                    snortrules-snapshot-2.8.tar.gz
              pfsense_rules.tar.gz                    snortrules-snapshot-2.8.tar.gz.md5
              pfsense_rules.tar.gz.md5                so_rules
              rules

              …looking into Alix / WRAP, I see the WRAPs are discontinued in favour of the Alix, since the last time I looked.  The Alix looks sharp.  waaaaannnnt!!


jamesdean

@DigitalJer:

Good news: it looks like the rules are downloading fine, but your system can't handle the extraction process.

                Do this

                rm -r /usr/local/etc/snort/rules/*

                and

                ls /tmp/snort_rules_up/rules

                James

DigitalJer

                  ls /tmp/snort_rules_up/rules

                  Makefile.am            local.rules            snmp.rules
                  VRT-License.txt        misc.rules              specific-threats.rules
                  attack-responses.rules  multimedia.rules        spyware-put.rules
                  backdoor.rules          mysql.rules            sql.rules
                  bad-traffic.rules      netbios.rules          telnet.rules
                  cgi-bin.list            nntp.rules              tftp.rules
                  chat.rules              open-test.conf          virus.rules
                  content-replace.rules  oracle.rules            voip.rules
                  ddos.rules              other-ids.rules        web-activex.rules
                  deleted.rules          p2p.rules              web-attacks.rules
                  dns.rules              policy.rules            web-cgi.rules
                  dos.rules              pop2.rules              web-client.rules
                  experimental.rules      pop3.rules              web-coldfusion.rules
                  exploit.rules          porn.rules              web-frontpage.rules
                  finger.rules            rpc.rules              web-iis.rules
                  ftp.rules              rservices.rules        web-misc.rules
                  icmp-info.rules        scada.rules            web-php.rules
                  icmp.rules              scan.rules              x11.rules
                  imap.rules              shellcode.rules
                  info.rules              smtp.rules

                  …my Nokia can't handle the truth??  boo!  Oh well it was only $20.


jamesdean

@DigitalJer:

                    Never give up DigitalJer…...

                    Do this

cp /tmp/snort_rules_up/rules/* /usr/local/etc/snort/rules/

                    and

                    rm /usr/local/lib/snort/dynamicrules/*

cp /tmp/snort_rules_up/so_rules/* /usr/local/lib/snort/dynamicrules/

                    and start snort by clicking save on the Settings Tab.

DigitalJer

                      Heck no, not giving up, just mildly disappointed.

                      …and that worked - tyvm!!

How did you know that it was failing on the extraction? Going forward - will it update automatically, do you think, or should I bookmark this thread?


jamesdean

Snort will not update automatically for you, so bookmark this thread.
The main problem is that your system can't handle extracting snortrules-snapshot-2.8.tar.gz.
Hope you understand that I can't fix the bsdtar problem, because you're on a low-end system.

                        Just remember to

rm -r /usr/local/etc/snort/rules/*
cp /tmp/snort_rules_up/rules/* /usr/local/etc/snort/rules/

rm /usr/local/lib/snort/dynamicrules/*
cp /tmp/snort_rules_up/so_rules/* /usr/local/lib/snort/dynamicrules/

cp /tmp/snort_rules_up/pfsense_rules.tar.gz.md5 /usr/local/etc/snort/
cp /tmp/snort_rules_up/snortrules-snapshot-2.8.tar.gz.md5 /usr/local/etc/snort/

                        James

                        P.S.

                        You could write a small script to do this after snort package downloads the rules.

DigitalJer
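One way to script the recipe above, as an added example (not code from the thread or from the pfSense Snort package): it verifies the downloaded tarballs against their .md5 side-files before touching the live tree, then does the same rm/cp steps. It assumes bsdtar has already populated /tmp/snort_rules_up and that each .md5 side-file contains the 32-hex-digit digest somewhere on its line; the three paths can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package.
# Re-applies jamesdean's manual rule-copy recipe as one script, run after the
# package has downloaded the rules into /tmp/snort_rules_up, with a checksum
# check on the downloaded tarballs before anything in the live tree is touched.
# The three directories can be overridden through the environment for testing.
STAGE="${STAGE:-/tmp/snort_rules_up}"
SNORT_ETC="${SNORT_ETC:-/usr/local/etc/snort}"
SNORT_LIB="${SNORT_LIB:-/usr/local/lib/snort}"

# MD5 of a file, portable across FreeBSD/pfSense (md5 -q) and Linux (md5sum).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    else md5 -q "$1"; fi
}

# Compare a tarball with the hash in its .md5 side-file. Assumption: the side-file
# carries the 32-hex-digit digest somewhere on its line (md5sum or BSD style).
verify_md5() {
    [ -f "$1" ] && [ -f "$1.md5" ] || return 1
    expected=$(grep -o '[0-9a-fA-F]\{32\}' "$1.md5" | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$expected" = "$(md5_of "$1")" ]
}

# The recipe from the thread: clear the old rules and dynamic .so rules, copy the
# already-extracted staging copies in, then copy the .md5 markers as the recipe
# does. Refuses to touch anything if a download is missing or its checksum is
# wrong, so a bad update leaves the previous rule set in place.
sync_snort_rules() {
    for t in snortrules-snapshot-2.8.tar.gz pfsense_rules.tar.gz; do
        verify_md5 "$STAGE/$t" || { echo "bad or missing download: $t" >&2; return 1; }
    done
    [ -d "$STAGE/rules" ] && [ -d "$STAGE/so_rules" ] || return 1
    rm -rf "$SNORT_ETC/rules"/* "$SNORT_LIB/dynamicrules"/*
    cp -R "$STAGE/rules"/. "$SNORT_ETC/rules/" &&
    cp -R "$STAGE/so_rules"/. "$SNORT_LIB/dynamicrules/" &&
    cp "$STAGE"/*.md5 "$SNORT_ETC/"
}
```

After it returns 0, start Snort by clicking Save on the Settings tab as James describes; a non-zero exit means nothing was changed.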

                          Got it.

                          Thanks again :)


DigitalJer

                            UPDATE:  You're right, the Nokia IP330 firewall turned out to be considerably less powerful than I thought.

I recently ordered Shaw's 100 Mbps service, and with just ONE decently seeded torrent the pfSense f/w CPU held steady at about 55%. Even just surfing at the same time resulted in 100% CPU, saturation, and laaaag :(

                            So, that's been retired, and an Athlon XP 64 3000+ with a gig of RAM moved in instead, and all is well.  I did the math, this should just slightly exceed requirements…so ought to be just about right.

                            Anyway, thanks again jamesdean, for taking the time to help me out!  Happy Holidays :)
