Netgate Discussion Forum

    Snort-dev has been released. old snort has been renamed snort-old

      netmethods

      Just tried to run the update manually and it seems to be stuck on the cleanup process.

      When checking the logs, I see this twice:
      snort[45846]: Could not remove pid file /var/run//snort_em19121_em1.pid: Permission denied

      I'm guessing this has something to do with the snort account permissions on the files/folder? Unfortunately, I'm still fairly new to using the CLI on FreeBSD and Linux, etc., and not sure how to fix this.

      2x Nexcom 1088n8 in HA config
      2.4 GHz Quad Core / 4GB DDR2 / SATAII 160GB / 4x1GB Intel module

        simby

        @tester_02:

        Bad day so far. I thought this would be an easy install from the last dev to the release. I uninstalled the last dev release and rebooted (I always like a clean boot). Then pfsense (1.2.3) failed to respond. I am guessing squid/squidguard, although I did notice the webconfigurator failed to start.
        I could not browse into the pfsense box, but I could ssh in.
        I needed it back in a hurry and after 30 minutes I could not figure it out. So fresh install and restore and I am back up and running. Maybe the next machine I'll skip the reboot process :)
        Just my warning….

        I have the same problem!! Fresh install :)

          jamesdean

          @netmethods:

          Just tried to run the update manually and it seems to be stuck on the cleanup process.

          When checking the logs, I see this twice:
          snort[45846]: Could not remove pid file /var/run//snort_em19121_em1.pid: Permission denied

          I'm guessing this has something to do with the snort account permissions on the files/folder? Unfortunately, I'm still fairly new to using the CLI on FreeBSD and Linux, etc., and not sure how to fix this.

          On low-end systems cleanup may take a few minutes.
          "snort_em19121_em1.pid" has nothing to do with updates.

          I'll review the code but it's working for me on Firefox.

          Maybe it's an IE thing I have to work out.

          Are you on nanobsd?

          What browser and pfsense version are you using?

          james

            jamesdean

            @simby:

            @tester_02:

            Bad day so far. I thought this would be an easy install from the last dev to the release. I uninstalled the last dev release and rebooted (I always like a clean boot). Then pfsense (1.2.3) failed to respond. I am guessing squid/squidguard, although I did notice the webconfigurator failed to start.
            I could not browse into the pfsense box, but I could ssh in.
            I needed it back in a hurry and after 30 minutes I could not figure it out. So fresh install and restore and I am back up and running. Maybe the next machine I'll skip the reboot process :)
            Just my warning….

            I have the same problem!! Fresh install :)

            I think I know what's wrong. I am uninstalling mysql and perl. I'll fix it in a bit.

            James

              ColdFusion

              Anyone else missing the rules category Tab? ... All other Tabs are there including rules update and downloaded rules went ok.
              Ver. 2.8.5.3 pkg v. 1.19

                vito

                @ColdFusion:

                Anyone else missing the rules category Tab? ... All other Tabs are there including rules update and downloaded rules went ok.
                Ver. 2.8.5.3 pkg v. 1.19

                This is the first time I am using the new package, so I am not sure if it should be somewhere else…
                But I do have a category tab on the interface

                  jamesdean

                  @vito:

                  @ColdFusion:

                  Anyone else missing the rules category Tab? ... All other Tabs are there including rules update and downloaded rules went ok.
                  Ver. 2.8.5.3 pkg v. 1.19

                  This is the first time I am using the new package, so I am not sure if it should be somewhere else…
                  But I do have a category tab on the interface

                  @anyone having troubles with the new package
                  Tracked the problems to the old-snort.
                  Seems old-snort is not uninstalling completely and is conflicting with the new install.
                  Do a fresh install, sorry I didn't see this coming.

                  James

                    netmethods

                    RE:
                    On low-end systems cleanup may take a few minutes.
                    "snort_em19121_em1.pid" has nothing to do with updates.

                    I'll review the code but it's working for me on Firefox.

                    Maybe it's an IE thing I have to work out.

                    Are you on nanobsd?

                    What browser and pfsense version are you using?

                    james

                    It's not a low-end system: quad core, 4gb, etc. I'm using the latest version of Firefox (although I might've been on my mac at the time) with 1.2.3-RELEASE (not nanobsd). I refreshed the browser and everything looks ok. Restarted snort and it came up ok. Looks like it's running ok, so probably nothing.

                    2x Nexcom 1088n8 in HA config
                    2.4 GHz Quad Core / 4GB DDR2 / SATAII 160GB / 4x1GB Intel module

                      lightenup

                      I found two issues after performing a fresh install of 1.2.3-Release. First, logging to the mysql database does not look to be functioning properly. The configuration looks to be going into place but I never see any connection attempts to the mysql server.

                      Syslog output from barnyard2:

                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: host = 10.1.1.5
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: host = 10.1.1.5
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: ===============================================================================
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: ===============================================================================
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: user = snort
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: user = snort
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: Record Totals:
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: Record Totals:
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: database name = snort
                      resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: database name = snort

                      I ran a tcpdump at the time of snort starting up and I see it make an initial connection to the mysql server. I took a look at the database and it updates its sensor name and interface info; however, when alerts are generated by snort there are no updates sent to the database.

                      Second, this is a minor issue, in the system.log everything from snort and barnyard2 is logging twice at startup, as you can see above. I think the old version may have done this too.

                      Another feature that I liked in the old version was the ability to add in custom commands. In my syslogs I liked snort alerts to show up as warnings, i.e. <configpassthru>output alert_syslog: log_warning</configpassthru> (by default they are sent as alert).

                      LiGHT

                        grandrivers

                        james when you have time,

                        I tried to define some servers and on saving I get the following error

                        snort release pf 2.0 April 3  windows 7 ff3.6.3

                        Warning: touch(): Unable to create file because No such file or directory in /usr/local/www/snort/snort_define_servers.php on line 215
                        Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 217
                        Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 218
                        Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 219
                        Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 220
                        Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 221
                        Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 224

                        pfsense plus 25.03 super micro A1SRM-2558F
                        C2558 32gig ECC  60gig SSD

                          joukahainen

                          @jamesdean:

                          @anyone having troubles with the new package
                          Tracked the problems to the old-snort.
                          Seems old-snort is not uninstalling completely and is conflicting with the new install.
                          Do a fresh install, sorry I didn't see this coming.

                          James

                          Hi and thanks for your great work with Snort.

                          Is there any way of doing this without doing a full fresh install of pfSense? I am using the 1.2.3 release of pfSense, and am stuck with Snort 2.8.4.1_5 pkg v. 1.7. The new version just won't start (conflicting with the old-snort leftovers).

                            A Former User

                            Does this new version of snort work in pfSense 2.0 beta? I would like to test it, but the last time I did that I could not get snort to run at all.

                              expert_az

                              Hello jamesdean,

                              First of all thank you for your great job,

                              I have installed the new snort package with success, I did all my conf and update, and now the LAN interface is working well, but when I started my WAN interface I received the following errors in the system logs:

                              Apr 5 09:34:32 SnortStartup[9193]: Interface Rule START for 0_39767_ng0…
                              Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
                              Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
                              Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"
                              Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"

                              any idea?

                              regards

                                expert_az

                                my pf version is 1.2.3 stable

                                  g4m3c4ck

                                  Probably wrong thread but I am in a big hurry. Just tried to add some defined servers after reinstalling to the newest snort on 1.2.3 release.

                                  Warning: touch(): Unable to create file because No such file or directory in /usr/local/www/snort/snort_define_servers.php on line 215
                                  Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 217
                                  Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 218
                                  Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 219
                                  Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 220
                                  Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 221
                                  Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 224

                                  Just an fyi

                                  Looks like it is holding its settings though….  Also is it normal for Dashboard and Status:Services to say the service is stopped even though on the Snort Interfaces Panel I get a green arrow?

                                    g4m3c4ck

                                    nope not working.

                                    uninstalled, and reinstalled will try more later…

                                    Apr 5 09:41:56	SnortStartup[1633]: Interface Rule START for 0_65478_vlan0...
                                    Apr 5 09:41:56	snort[1631]: FATAL ERROR: Invalid pidfile suffix: 65478_vlan0. Suffix must less than 11 characters and not have ".." or "/" in the name.
                                    Apr 5 09:41:56	snort[1631]: FATAL ERROR: Invalid pidfile suffix: 65478_vlan0. Suffix must less than 11 characters and not have ".." or "/" in the name.
                                    Apr 5 09:41:56	SnortStartup[1561]: Toggle for 65478_vlan0...
                                    Apr 5 09:41:23	SnortStartup[1160]: Error: snort.sh IS running
                                    Apr 5 09:38:32	kernel: msk0: watchdog timeout (missed Tx interrupts) -- recovering
                                    Apr 5 09:25:50	php: /pkg_mgr_install.php: Beginning package installation for snort.
                                    Apr 5 09:24:36	php: /pkg_mgr_install.php: cd /var/db/pkg && pkg_delete ls | grep snort
                                    Apr 5 09:24:36	php: /pkg_mgr_install.php: cd /var/db/pkg && pkg_delete ls | grep
                                    Apr 5 09:22:35	php: /pkg_mgr_install.php: Beginning package installation for snort.
                                    Apr 5 08:59:04	dnsmasq[908]: reading /var/dhcpd/var/db/dhcpd.leases
                                    Apr 5 08:46:42	dnsmasq[908]: reading /var/dhcpd/var/db/dhcpd.leases
                                    Apr 5 08:46:12	SnortStartup[49241]: Error: snort.sh IS running
                                    Apr 5 08:11:09	php: /pkg_mgr_install.php: Beginning package installation for snort.
                                    Apr 5 08:06:42	php: /pkg_mgr_install.php: Beginning package installation for snort.
                                    Apr 5 08:05:56	snort[2149]: Snort exiting
                                    Apr 5 08:05:56	snort[2149]: Snort exiting
                                    
                                      dpg2

                                      Hi Jamesdean,

                                      Thanks for the snort package! I had the old package working well for several months until recently when the rules changed.

                                      With the new release I'm having trouble running snort on VLAN interfaces. It seems that when snort starts it is complaining that the pid file identifier is too long:

                                      snort[<pid>]: FATAL ERROR: Invalid pidfile suffix: 31477_vlan3.  Suffix must less than 11 characters and not have ".." or "/" in the name.

                                      Two of these messages appear in the system.log upon attempting to start snort on the vlan interface. The normal interfaces, like le0, start without issue.

                                      I tried hacking the "if_real" value in the php code to truncate the name, as in the following:

                                      $if_real = substr($if_real, 0, 1) . substr($if_real, -2);

                                      While this did work, sort of, it was a bit of a mess that would eventually require similar changes to many files. I think another variable is needed, one for the pid file alone, and the interface variable would then stay the same (as if_real).

                                      I'd be happy to take a shot at implementing the fix if this idea makes sense. It appears that both the files under /usr/local/www/snort and /usr/local/pkg/snort may need to be modified.

                                      In particular the "-R" parameter to snort needs to be corrected, and the "pidfile" value needs to be corrected where it is queried.

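One way to implement the separate pid-file variable proposed in the post above, as an added example that is not part of the original posts or of the Snort package's code. The function names, the SHA-1 truncation and the PHP 7.1+ syntax are assumptions; the length limit and forbidden substrings come from the Snort error message quoted in the thread.

```php
<?php
// Added illustration; not code from the pfSense Snort package.
// Snort's message: suffix must be less than 11 characters and must not
// contain ".." or "/".
const PID_SUFFIX_MAX_LEN = 10;

/** Mirror of the check Snort reports for the -R value (hypothetical helper). */
function pid_suffix_is_valid(string $suffix): bool
{
    return $suffix !== ''
        && strlen($suffix) <= PID_SUFFIX_MAX_LEN
        && strpos($suffix, '..') === false
        && strpos($suffix, '/') === false;
}

/**
 * Derive the value passed to "snort -R" without modifying $if_real
 * (hypothetical helper). Identifiers that already pass the check stay
 * readable; longer ones are replaced by a truncated SHA-1 of the full
 * identifier, which is deterministic and contains only hex digits.
 */
function pid_suffix_for(string $uuid, string $if_real): string
{
    $full = $uuid . '_' . $if_real;
    if (pid_suffix_is_valid($full)) {
        return $full;
    }
    return substr(sha1($full), 0, PID_SUFFIX_MAX_LEN);
}

// Constructed sample input, modelled on identifiers seen in the logs above.
$instances = [
    ['39767', 'ng0'],    // 9 characters: accepted unchanged
    ['65478', 'vlan0'],  // 11 characters: rejected by Snort as-is
    ['31477', 'vlan3'],  // 11 characters: rejected by Snort as-is
];

$seen = [];
foreach ($instances as [$uuid, $if_real]) {
    $suffix = pid_suffix_for($uuid, $if_real);

    // Two Snort instances must never share a pid file.
    if (isset($seen[$suffix])) {
        fwrite(STDERR, "pid suffix collision for {$uuid}_{$if_real}\n");
        exit(1);
    }
    $seen[$suffix] = true;

    // The interface name is passed unchanged; only the -R value differs.
    // escapeshellarg() keeps both values from being interpreted by the shell.
    printf(
        "%-12s -> -i %s -R %s\n",
        "{$uuid}_{$if_real}",
        escapeshellarg($if_real),
        escapeshellarg($suffix)
    );
}
```

Any code that later looks up the pid file has to call the same derivation, so the start, stop and status paths agree on the file name.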
                                        dnegreira

                                        Hi,

                                        I am having the same problem when trying to put the new snort package to listen on VLAN interfaces.

                                        I tried to find some configuration file where I can change the pidfile suffix but with no success… Is there any way to change the pidfile suffix?

                                        I am available to do some tests with development packages or to follow some instructions provided by you guys ;)

                                        Kind regards,
                                        David Negreira.
                                        @dpg2:

                                        Hi Jamesdean,

                                        Thanks for the snort package! I had the old package working well for several months until recently when the rules changed.

                                        With the new release I'm having trouble running snort on VLAN interfaces. It seems that when snort starts it is complaining that the pid file identifier is too long:

                                        snort[<pid>]: FATAL ERROR: Invalid pidfile suffix: 31477_vlan3.  Suffix must less than 11 characters and not have ".." or "/" in the name.

                                        Two of these messages appear in the system.log upon attempting to start snort on the vlan interface. The normal interfaces, like le0, start without issue.

                                        I tried hacking the "if_real" value in the php code to truncate the name, as in the following:

                                        $if_real = substr($if_real, 0, 1) . substr($if_real, -2);

                                        While this did work, sort of, it was a bit of a mess that would eventually require similar changes to many files. I think another variable is needed, one for the pid file alone, and the interface variable would then stay the same (as if_real).

                                        I'd be happy to take a shot at implementing the fix if this idea makes sense. It appears that both the files under /usr/local/www/snort and /usr/local/pkg/snort may need to be modified.

                                        In particular the "-R" parameter to snort needs to be corrected, and the "pidfile" value needs to be corrected where it is queried.

                                          A Former User

                                          I will say that Snort-dev does not work in the latest pfsense: it uninstalls itself and it will not block a thing in pfsense 2.0, so I am back using old snort. Either fix the new snort or take it off the packages list because it does not work. :-[

                                            netmethods

                                            Nice attitude cdx304….

                                            Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPNs, etc. and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well (which did not work for us). The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.

                                            2x Nexcom 1088n8 in HA config
                                            2.4 GHz Quad Core / 4GB DDR2 / SATAII 160GB / 4x1GB Intel module

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.