Snort-dev has been released. old snort has been renamed snort-old
-
Nice attitude cdx304….
Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPN's, etc and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well. (which did not work for us) The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.
-
A patch for the vlan issue (I can comment on this more later tonight if that'd be helpful):
*** snort.inc.install Tue Apr 6 18:44:12 2010
–- snort.inc Tue Apr 6 20:39:18 2010
*** 65,71 ****
/* use ob_clean to clear output buffer, this code needs to be watched */
ob_clean();
! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $1;}'", $retval);if ($snort_up_prell != "") {
$snort_uph = 'yes';
--- 65,73 ----/* use ob_clean to clear output buffer, this code needs to be watched */
ob_clean();
!
! $snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep "R {$snort_pidfile}" | awk '{print $1;}'", $retval);if ($snort_up_prell != "") {
$snort_uph = 'yes';
*** 156,162 ****
$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
if ($snort_info_chk == 'on') {
! exec("/usr/local/bin/snort -u snort -g snort -R "{$snort_uuid}{$if_real}" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
}
/* define snortbarnyardlog_chk /
/ top will have trouble if the uuid is to far back */
–- 158,165 ----$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
if ($snort_info_chk == 'on') {
! $snort_pidfile = $snort_uuid . "" . substr($if_real, 0, 1) . substr($if_real, -2);
! exec("/usr/local/bin/snort -u snort -g snort -R "{$snort_pidfile}" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
}
/* define snortbarnyardlog_chk /
/ top will have trouble if the uuid is to far back */ -
I have installed new snort package with success,i did all my conf and update,now lan interface working well,but when i stared my wan interface i received following errors on system logs
Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"
Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"I had the same problem. Your "FATAL ERROR" is trying to go to a non-existent directory ("snort_39767_ng0"). I got this same error, looked at the actual directory structure and found that my path to the snort.conf was "snort_xxxxx_sis0" (which IS the correct if for me) even though the IF Tab under Snort shows the if as "ng0". A reboot will allow Snort to run correctly, but every time I try to stop & restart Snort I get this error.
-
@cdx304:
I will say that Snort-dev does not work in the lastest pfsense it uninstalls itself and it will not block a thing in pfsense 2.0 so i am back using old snort .Either fix the new snort or take it of the packages list because it does not work . :-[
[/quote]I am running 1st april snapshot of 2.0 beta with snort installed and I have 150 log alerts and over 400 blocked ip's! must be something up with your config!
Slam
-
Another try with the vlan patch; the last effort did not handle stopping with the revised $pidfile value properly. This patch now corrects the Startup (Running_Start), Stop (Running_Stop), and Check (RunningCk) functions of /usr/local/pkg/snort/snort.inc :
*** snort.inc.install Tue Apr 6 18:44:12 2010 –- snort.inc Wed Apr 7 00:23:17 2010 *************** *** 65,71 **** /* use ob_clean to clear output buffer, this code needs to be watched */ ob_clean(); ! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'", $retval); if ($snort_up_prell != "") { $snort_uph = 'yes'; --- 65,73 ---- /* use ob_clean to clear output buffer, this code needs to be watched */ ob_clean(); ! ! $snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2); ! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_pidfile}\" | awk '{print \$1;}'", $retval); if ($snort_up_prell != "") { $snort_uph = 'yes'; *************** *** 111,117 **** function Running_Stop($snort_uuid, $if_real, $id) { global $config; ! $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); --- 113,120 ---- function Running_Stop($snort_uuid, $if_real, $id) { global $config; ! $snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2); ! $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_pidfile}\" | awk '{print \$1;}'"); $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); *************** *** 124,130 **** if ($start_up_s != "") { exec("/bin/kill {$start_up_s}"); ! exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); } if ($start2_upb_s != "") --- 127,133 ---- if ($start_up_s != "") { exec("/bin/kill {$start_up_s}"); ! exec("/bin/rm /var/run/snort_{$snort_pidfile}*"); } if ($start2_upb_s != "") *************** *** 136,142 **** if ($start_up_r != "") { exec("/bin/kill {$start_up_r}"); ! exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); } if ($start2_upb_r != "") --- 139,145 ---- if ($start_up_r != "") { exec("/bin/kill {$start_up_r}"); ! exec("/bin/rm /var/run/snort_{$snort_pidfile}*"); } if ($start2_upb_r != "") *************** *** 156,162 **** $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') { ! exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}_{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); } /* define snortbarnyardlog_chk */ /* top will have trouble if the uuid is to far back */ –- 159,166 ---- $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') { ! $snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2); ! exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_pidfile}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); } /* define snortbarnyardlog_chk */ /* top will have trouble if the uuid is to far back */
-
Nice attitude cdx304….
Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPN's, etc and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well. (which did not work for us) The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.
Well every time you guys try to fix it snort just gets worse .Don't say that it works in cases either because it does not .It uninstalles it's self after saying there is dependencies missing and you can enable everything .the hardware is a quadcore 3.4ghz cpu with 12 gigs of ram and 2 gigabit network cards and 2 sata 500gig drives in raid 0 .
-
Thank you to all that have been patient with the move from snort-dev to snort. Sorry, its has been painful but I been busy with work and had not time to fix bugs.
I promise once we get past this bump, changes this big will be a rare thing.For those who are demanding me to fix snort, be patient. Let me explain why snort is so hard to maintain. First for every new version of snort I have to rewrite in C++
the the orion IPS code in snort to fit an ever changing API. Second, if we don't use the newest snort version rules may break. Third, snort.org changes snort.conf
with every version so I have to adjust for that or snort will break. Fourth, from time to time snort.org changes the way rules get downloaded and snort breaks.
Fifth, I had to recode snort from php 4 to php 5 but other dev did this, thank you. If you don't like what I am doing you are welcomed to help code. If not, be patient and be constructive and remember
I do this for our community without pay.Lets do the release again, man this week been rough. snort package 1.20
Fixed pid with vlan issue, hopefully
Snort reinstalling:
I added post install code to deinstall any old-snort entries in config.xml, fixed hopefully.Pfsense nano.
I install snort package and every thing seems fine.James
-
Any chance of a workaround for deinstalling the old snort properly. My pfsense 1.2.3 released died when I uninstalled it and rebooted. A fresh install was my only way to get it back. I have a friend who I helped install pfsense on, and I am scared to update snort for him.
You mentioned that there is a problem with the old snort not properly uninstalling. Any chance of a script that will properly uninstall, so that we can put the new one on?Jamesdean Please keep up the good work. The new version is working great for me, and all the rules are working. I think some people forget that there is always a need for someone to keep these packages updated and running, or they stop working as the main authors update their work (snort, squid, etc).
Hey CDX. You may not have noticed but the old snort stopped working a few weeks ago with a rules update from snort.org. You could get it back running, but with many rules disabled.
-
tester_02 do me a fav. deinstall snort and then install again.
I forgot are you on 2.0 ?I added code that removes snort-old entries. It should help your deinstall problems.
If it does not report back here as soon as you can.I working out these problem on a pfsense 1.2.3 nanobsd on a CF card
every thing seems fine.James
-
Hi,
I am using PfSense 1.2.3.
I confirm that the latest snort package version 1.20 is working correctly!Thanks a lot for the fix jamesdean and i hope that you can keep up the excellent work ;)
Kind regards,
David Negreira. -
Hi JamesDean,
I have the latest Snort running and i am noticing something.i had Snort working fine with one interface up (WAN)
At one point, i needed to disable Snort….So i disabled Snort on the WAN interface (only interface i configured), but Snort still is/was blocking.
Snort Service was still started in Services (which it would seem correct since one interface should not stop the whole package)I'm i missing a setting or something?
Thanks for your help
Also, would you rather new threads on issues or continue this thread?
Again, thanks for the work on this package!PF 1.2.3 Full
Snort 2.8.5.3 pkg v. 1.19 -
Vito,
Try to install the latest snort package 1.20.
-
ok… did that just come out?
I thought i checked yesterday.anyway, just installed....Now all my settings are gone....
-
Hi,
I am using PfSense 1.2.3.
I confirm that the latest snort package version 1.20 is working correctly!Does it mean that upgrade from previous Snort package is now possible without full pfSense reinstall?
-
Hi,
I am using PfSense 1.2.3.
I confirm that the latest snort package version is working correctly!Does it mean that upgrade from previous Snort package is now possible without full pfSense reinstall?
Yes it does mean that.
I can also confirm that this release works without full Pfsense reinstall. I was stuck with the old snort installation version untill 1.20 was released.
The 1.20 version seems to have some minor bugs left (update rules page only works with Firefox and stays stuck with "please be patient" message eaven when using Firefox after the rule update is finnished, and in my case it took a while before snort started actually blocking those hosts that generate alerts), but these are not big issues in my opinion.
-
Snort 1.20 install went great, no issues on my 1.2.3.release install. I had no issues on my firefox and getting new rules.
Can others comment if they do an upgrade from the old releases (2.8.4 v1.7) that their installs do work? Also, if you deinstalled, and then installed the new package, or just did a reinstall to upgrade?
I have my brothers update to do, and don't want to do a reinstall as he is not local to me and he's completely new to pfsense. :)
-
Snort 1.20 install went great, no issues on my 1.2.3.release install. I had no issues on my firefox and getting new rules.
Can others comment if they do an upgrade from the old releases (2.8.4 v1.7) that their installs do work? Also, if you deinstalled, and then installed the new package, or just did a reinstall to upgrade?
I have my brothers update to do, and don't want to do a reinstall as he is not local to me and he's completely new to pfsense. :)
The best now is after a reboot it uninstalls it's self .great fix that was .
-
Snort 1.20 install went great, no issues on my 1.2.3.release install. I had no issues on my firefox and getting new rules.
Can others comment if they do an upgrade from the old releases (2.8.4 v1.7) that their installs do work? Also, if you deinstalled, and then installed the new package, or just did a reinstall to upgrade?
In my case (runnig pfsense 1.2.3 and the old snort version was 2.8.4 v1.7). I did deinstall the old version first and then installed the new 1.20 package. Worked fine that way
Just in case for those that are doing upgrade, or new with snort : Also remeber tho check the preprocessors settings when activating new rules. Snort wont start if you activate rules that require for example http preprocessor and the needed preprocessor is not selected (snort logs are good for finding what is wrong).