Snort-dev has been released. old snort has been renamed snort-old
-
Just tried to run the update manually and it seems to stuck on clean up process.
When checking the logs, I see this twice:
snort[45846]: Could not remove pid file /var/run//snort_em19121_em1.pid: Permission deniedI'm guessing this has something to do with the snort account permissions on the files/folder? Unfortunately, I'm still fairly new to using the CLI on FreeBSD and Linux, etc and not sure how to fix this.
-
Bad day so far. I thought this would be easy install from the last dev to the release. I uninstalled the last dev release and rebooted (I always like a clean boot). Then pfsense (1.2.3)failed to respond. I am guessing squid/squidguard, although I did notice the webconfigurator failed to start.
I could not browse into the pfsense box, but I could ssh in.
I needed it back in a hurry and after 30 minutes I could not figure it out. So fresh install and restore and I am back up and running. Maybe the next machine I'll skip the reboot process :)
Just my warning….I have the same problem!! Fresh install :)
-
Just tried to run the update manually and it seems to stuck on clean up process.
When checking the logs, I see this twice:
snort[45846]: Could not remove pid file /var/run//snort_em19121_em1.pid: Permission deniedI'm guessing this has something to do with the snort account permissions on the files/folder? Unfortunately, I'm still fairly new to using the CLI on FreeBSD and Linux, etc and not sure how to fix this.
One low end systems cleanup may take a few minutes.
"snort_em19121_em1.pid" has nothing to do with updates.I'll review the code but its working for me on firefox.
Maybe its a IE thing I have to workout.
Are you on nanobsd ?
What browser and pfsense version are you using ?
james
-
Bad day so far. I thought this would be easy install from the last dev to the release. I uninstalled the last dev release and rebooted (I always like a clean boot). Then pfsense (1.2.3)failed to respond. I am guessing squid/squidguard, although I did notice the webconfigurator failed to start.
I could not browse into the pfsense box, but I could ssh in.
I needed it back in a hurry and after 30 minutes I could not figure it out. So fresh install and restore and I am back up and running. Maybe the next machine I'll skip the reboot process :)
Just my warning….I have the same problem!! Fresh install :)
I think I know whats wrong. I am unistalling mysql and perl. I fix it in a bit.
James
-
Anyone else missing the rules category Tab?…...All other Tabs are there including rules update and downloaded rules went ok.
Ver. 2.8.5.3 pkg v. 1.19 -
Anyone else missing the rules category Tab?…...All other Tabs are there including rules update and downloaded rules went ok.
Ver. 2.8.5.3 pkg v. 1.19This is the first time i am using the new package, so i am not sure if it should be somewhere else…
But i do have a category tab on the interface -
Anyone else missing the rules category Tab?…...All other Tabs are there including rules update and downloaded rules went ok.
Ver. 2.8.5.3 pkg v. 1.19This is the first time i am using the new package, so i am not sure if it should be somewhere else…
But i do have a category tab on the interface@anyone having troubles with the new package
Tracked the problems to the old-snort.
Seems old-snort is not uninstalling completely and is conflicting with the new install.
Do a fresh install, sorry I didn't see this coming.James
-
RE:
One low end systems cleanup may take a few minutes.
"snort_em19121_em1.pid" has nothing to do with updates.I'll review the code but its working for me on firefox.
Maybe its a IE thing I have to workout.
Are you on nanobsd ?
What browser and pfsense version are you using ?
james
It's not a low end system, quad core, 4gb, etc. I'm using the latest version firefox (although I might've been on my mac at the time) with 1.2.3-RELEASE (not nanobsd). I refreshed the browser and everything looks ok. Restarted snort and it came up ok. Looks like it's running ok, so probably nothing.
-
I found two issues after performing a fresh install of 1.2.3-Release. First logging to mysql database does not look to be functioning properly. The configuration looks to be going into place but I never see any connection attempts to the mysql server.
Syslog output from barnyard2:
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: host = 10.1.1.5
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: host = 10.1.1.5
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: ===============================================================================
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: ===============================================================================
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: user = snort
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: user = snort
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: Record Totals:
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: Record Totals:
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: database name = snort
resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: database name = snortI ran a TCPdump at the time of snort starting up and I see it make an initial connection to the mysql server, I took at look at the database and it updates its sensor name and interface info however when alerts are generated by snort there is no updates sent to the database.
Second, this is a minor issue, in the system.log everything from snort and barnyard2 is logging twice at startup, as you can see above. I think the old version may have done this too.
Another feature that I liked in the old version was the ability to add in custom commands. In my syslogs I liked snort alerts to show up as warnings ie. <configpassthru>output alert_syslog: log_warning</configpassthru> (by default they are sent as alert).
LiGHT
-
james when you have time,
I tried to define some servers and on saving I get the following error
snort release pf 2.0 April 3 windows 7 ff3.6.3
Warning: touch(): Unable to create file because No such file or directory in /usr/local/www/snort/snort_define_servers.php on line 215 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 217 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 218 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 219 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 220 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 221 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 224
-
@anyone having troubles with the new package
Tracked the problems to the old-snort.
Seems old-snort is not uninstalling completely and is conflicting with the new install.
Do a fresh install, sorry I didn't see this coming.James
Hi and thanks for your great work with Snort.
Is there any way for doing this without doing full fresh install of Pfsense? I am using 1.2.3 release of Pfsense, and stuck with Snort 2.8.4.1_5 pkg v. 1.7. The new version just wont start (conflicting with the old-snort leftovers).
-
Does this new version of snort work in Pfsense 2.0 beta .I would like to test it but the last time i did that i could not get snort to run at all .
-
Hello jamesdean,
First of all thank you for your great job,
I have installed new snort package with success,i did all my conf and update,now lan interface working well,but when i stared my wan interface i received following errors on system logs
Apr 5 09:34:32 SnortStartup[9193]: Interface Rule START for 0_39767_ng0…
Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"
Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"any idea?
regards
-
my pf version is 1.2.3 stable
-
Probably wrong thread but I am in a big hurry. Just tried to add some defined servers after reinstalling to the newest snort on 1.2.3 release.
Warning: touch(): Unable to create file because No such file or directory in /usr/local/www/snort/snort_define_servers.php on line 215 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 217 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 218 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 219 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 220 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 221 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 224
Just an fyi
Looks like it is holding its settings though…. Also is it normal for Dashboard and Status:Services to say the service is stopped even though on the Snort Interfaces Panel I get a green arrow?
-
nope not working.
uninstalled, and reinstalled will try more later…
Apr 5 09:41:56 SnortStartup[1633]: Interface Rule START for 0_65478_vlan0... Apr 5 09:41:56 snort[1631]: FATAL ERROR: Invalid pidfile suffix: 65478_vlan0\. Suffix must less than 11 characters and not have ".." or "/" in the name. Apr 5 09:41:56 snort[1631]: FATAL ERROR: Invalid pidfile suffix: 65478_vlan0\. Suffix must less than 11 characters and not have ".." or "/" in the name. Apr 5 09:41:56 SnortStartup[1561]: Toggle for 65478_vlan0... Apr 5 09:41:23 SnortStartup[1160]: Error: snort.sh IS running Apr 5 09:38:32 kernel: msk0: watchdog timeout (missed Tx interrupts) -- recovering Apr 5 09:25:50 php: /pkg_mgr_install.php: Beginning package installation for snort. Apr 5 09:24:36 php: /pkg_mgr_install.php: cd /var/db/pkg && pkg_delete ls | grep snort Apr 5 09:24:36 php: /pkg_mgr_install.php: cd /var/db/pkg && pkg_delete ls | grep Apr 5 09:22:35 php: /pkg_mgr_install.php: Beginning package installation for snort. Apr 5 08:59:04 dnsmasq[908]: reading /var/dhcpd/var/db/dhcpd.leases Apr 5 08:46:42 dnsmasq[908]: reading /var/dhcpd/var/db/dhcpd.leases Apr 5 08:46:12 SnortStartup[49241]: Error: snort.sh IS running Apr 5 08:11:09 php: /pkg_mgr_install.php: Beginning package installation for snort. Apr 5 08:06:42 php: /pkg_mgr_install.php: Beginning package installation for snort. Apr 5 08:05:56 snort[2149]: Snort exiting Apr 5 08:05:56 snort[2149]: Snort exiting -
Hi Jamesdean,
Thanks for the snort package! I had the old package working well for several months until recently when the rules changed.
With the new release I'm having trouble running snort on VLAN interfaces. It seems that when snort starts it is complaining that the pid file identifier is too long:
snort[<pid>]: FATAL ERROR: Invalid pidfile suffix: 31477_vlan3. Suffix must less than 11 characters and not have ".." or "/" in the name.
Two of these messages appear in the system.log upon attempting to start snort on the vlan interface. The normal interfaces, like le0, start without issue.
I tried hacking the "if_real" value in the php code to truncate the name, as in the following:
$if_real = substr($if_real, 0, 1) . substr($if_real, -2);
While this did work, sort of, it was a bit of a mess that would eventually require similar changes to many files. I think another variable is needed, one for the pid file alone, and the interface variable would then stay the same (as if_real).
I'd be happy to take a shot at implementing the fix if this idea makes sense. It appears that both the files under /usr/local/www/snort and /usr/local/pkg/snort may need to be modified.
In particular the "-R" parameter to snort needs to be corrected, and the "pidfile" value needs to be corrected where it is queried.</pid>
-
Hi,
I am having the same problem when trying to put the new snort package to listen on VLAN interfaces.
I tried to find some configuration file where i can change the pidfile suffix but with no success… Is there any way to change the pidfile suffix?
I am available to do some tests with development packages or to follow some instructions provided by you guys ;)
Kind regards,
David Negreira.
@dpg2:Hi Jamesdean,
Thanks for the snort package! I had the old package working well for several months until recently when the rules changed.
With the new release I'm having trouble running snort on VLAN interfaces. It seems that when snort starts it is complaining that the pid file identifier is too long:
snort[<pid>]: FATAL ERROR: Invalid pidfile suffix: 31477_vlan3. Suffix must less than 11 characters and not have ".." or "/" in the name.
Two of these messages appear in the system.log upon attempting to start snort on the vlan interface. The normal interfaces, like le0, start without issue.
I tried hacking the "if_real" value in the php code to truncate the name, as in the following:
$if_real = substr($if_real, 0, 1) . substr($if_real, -2);
While this did work, sort of, it was a bit of a mess that would eventually require similar changes to many files. I think another variable is needed, one for the pid file alone, and the interface variable would then stay the same (as if_real).
I'd be happy to take a shot at implementing the fix if this idea makes sense. It appears that both the files under /usr/local/www/snort and /usr/local/pkg/snort may need to be modified.
In particular the "-R" parameter to snort needs to be corrected, and the "pidfile" value needs to be corrected where it is queried.</pid>
-
I will say that Snort-dev does not work in the lastest pfsense it uninstalls itself and it will not block a thing in pfsense 2.0 so i am back using old snort .Either fix the new snort or take it of the packages list because it does not work . :-[
-
Nice attitude cdx304….
Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPN's, etc and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well. (which did not work for us) The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.