Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort-dev has been released. old snort has been renamed snort-old

    Scheduled Pinned Locked Moved pfSense Packages
    50 Posts 20 Posters 18.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N Offline
      netmethods
      last edited by

      Nice attitude cdx304….

      Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPN's, etc and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well. (which did not work for us) The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.

      2x Nexcom 1088n8 in HA config
      2.4 GHz Quad Core / 4GB DDR2 / SATAII 160GB / 4x1GB Intel module

      1 Reply Last reply Reply Quote 0
      • D Offline
        dpg2
        last edited by

        A patch for the vlan issue (I can comment on this more later tonight if that'd be helpful):

        *** snort.inc.install Tue Apr  6 18:44:12 2010
        –- snort.inc Tue Apr  6 20:39:18 2010


        *** 65,71 ****

        /* use ob_clean to clear output buffer, this code needs to be watched */
          ob_clean();
        ! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $1;}'", $retval);

        if ($snort_up_prell != "") {
          $snort_uph = 'yes';
        --- 65,73 ----

        /* use ob_clean to clear output buffer, this code needs to be watched */
          ob_clean();
        !
        ! $snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
        ! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep "R {$snort_pidfile}" | awk '{print $1;}'", $retval);

        if ($snort_up_prell != "") {
          $snort_uph = 'yes';


        *** 156,162 ****

        $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
          if ($snort_info_chk == 'on') {
        ! exec("/usr/local/bin/snort -u snort -g snort -R "{$snort_uuid}{$if_real}" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
          }
          /* define snortbarnyardlog_chk /
          /
        top will have trouble if the uuid is to far back */
        –- 158,165 ----

        $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
          if ($snort_info_chk == 'on') {
        ! $snort_pidfile = $snort_uuid . "" . substr($if_real, 0, 1) . substr($if_real, -2);
        ! exec("/usr/local/bin/snort -u snort -g snort -R "{$snort_pidfile}" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort
        {$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
          }
          /* define snortbarnyardlog_chk /
          /
        top will have trouble if the uuid is to far back */

        1 Reply Last reply Reply Quote 0
        • T Offline
          TreeTopFlyer
          last edited by

          @expert_az:

          I have installed new snort package with success,i did all my conf and update,now lan interface working well,but when i stared my wan interface i received following errors on system logs

          Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
          Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
          Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"
          Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"

          I had the same problem.  Your "FATAL ERROR" is trying to go to a non-existent directory ("snort_39767_ng0").  I got this same error, looked at the actual directory structure and found that my path to the snort.conf was "snort_xxxxx_sis0" (which IS the correct if for me) even though the IF Tab under Snort shows the if as "ng0".  A reboot will allow Snort to run correctly, but every time I try to stop & restart Snort I get this error.

          1 Reply Last reply Reply Quote 0
          • S Offline
            Slam
            last edited by

            @cdx304:

            I will say that   Snort-dev  does not work in the lastest pfsense it uninstalls itself and it will not block  a thing in pfsense 2.0 so i am back using old snort .Either fix the new snort or take it of the packages list because it does not work . :-[
            [/quote]

            I am running 1st april snapshot of 2.0 beta with snort installed and I have 150 log alerts and over 400 blocked ip's! must be something up with your config!

            Slam

            1 Reply Last reply Reply Quote 0
            • D Offline
              dpg2
              last edited by

              Another try with the vlan patch; the last effort did not handle stopping with the revised $pidfile value properly. This patch now corrects the Startup (Running_Start), Stop (Running_Stop), and Check (RunningCk) functions of /usr/local/pkg/snort/snort.inc :

              
              *** snort.inc.install	Tue Apr  6 18:44:12 2010
              –- snort.inc	Wed Apr  7 00:23:17 2010
              ***************
              *** 65,71 ****
              
                	/* use ob_clean to clear output buffer, this code needs to be watched */
                	ob_clean();
              ! 	$snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'", $retval);
              
                	if ($snort_up_prell != "") {
                		$snort_uph = 'yes';
              --- 65,73 ----
              
                	/* use ob_clean to clear output buffer, this code needs to be watched */
                	ob_clean();
              ! 
              ! 	$snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
              ! 	$snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_pidfile}\" | awk '{print \$1;}'", $retval);
              
                	if ($snort_up_prell != "") {
                		$snort_uph = 'yes';
              ***************
              *** 111,117 ****
                	function Running_Stop($snort_uuid, $if_real, $id) {
                		global $config;
              
              ! 	$start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'");
                	$start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
                	$start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
              
              --- 113,120 ----
                	function Running_Stop($snort_uuid, $if_real, $id) {
                		global $config;
              
              ! 	$snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
              ! 	$start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_pidfile}\" | awk '{print \$1;}'");
                	$start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
                	$start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
              
              ***************
              *** 124,130 ****
                			if ($start_up_s != "")
                			{
                				exec("/bin/kill {$start_up_s}");
              ! 				exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*");
                			}
              
                			if ($start2_upb_s != "")
              --- 127,133 ----
                			if ($start_up_s != "")
                			{
                				exec("/bin/kill {$start_up_s}");
              ! 				exec("/bin/rm /var/run/snort_{$snort_pidfile}*");
                			}
              
                			if ($start2_upb_s != "")
              ***************
              *** 136,142 ****
                			if ($start_up_r != "")
                			{
                				exec("/bin/kill {$start_up_r}");
              ! 				exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*");
                			}
              
                			if ($start2_upb_r != "")
              --- 139,145 ----
                			if ($start_up_r != "")
                			{
                				exec("/bin/kill {$start_up_r}");
              ! 				exec("/bin/rm /var/run/snort_{$snort_pidfile}*");
                			}
              
                			if ($start2_upb_r != "")
              ***************
              *** 156,162 ****
              
                		$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
                		if ($snort_info_chk == 'on') {
              ! 		exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}_{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
                		}
                		/* define snortbarnyardlog_chk */
                		/* top will have trouble if the uuid is to far back */
              –- 159,166 ----
              
                		$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
                		if ($snort_info_chk == 'on') {
              ! 		$snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
              ! 		exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_pidfile}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
                		}
                		/* define snortbarnyardlog_chk */
                		/* top will have trouble if the uuid is to far back */
              
              
              1 Reply Last reply Reply Quote 0
              • ? Offline
                A Former User
                last edited by

                @netmethods:

                Nice attitude cdx304….

                Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPN's, etc and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well. (which did not work for us) The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.

                Well every time you guys try to fix it snort just gets worse .Don't say that it works in cases either because it does not .It uninstalles it's self after saying there is dependencies missing and you can enable everything .the hardware is a quadcore 3.4ghz cpu with 12 gigs of ram and 2 gigabit network cards and 2 sata 500gig drives in raid 0 .

                1 Reply Last reply Reply Quote 0
                • J Offline
                  jamesdean
                  last edited by

                  Thank you to all that have been patient with the move from snort-dev to snort. Sorry, its has been painful but I been busy with work and had not time to fix bugs.
                  I promise once we get past this bump, changes this big will be a rare thing.

                  For those who are demanding me to fix snort, be patient. Let me explain why snort is so hard to maintain. First for every new version of snort I have to rewrite in C++
                  the the orion IPS code in snort to fit an ever changing API. Second, if we don't use the newest snort version rules may break. Third, snort.org changes snort.conf
                  with every version so I have to adjust for that or snort will break. Fourth, from time to time snort.org changes the way rules get downloaded and snort breaks.
                  Fifth, I had to recode snort from php 4 to php 5 but other dev did this, thank you. If you don't like what I am doing you are welcomed to help code. If not, be patient and be constructive and remember
                  I do this for our community without pay.

                  Lets do the release again, man this week been rough. snort package 1.20

                  Fixed pid with vlan issue, hopefully

                  Snort reinstalling:
                  I added post install code to deinstall any old-snort entries in config.xml, fixed hopefully.

                  Pfsense nano.
                  I install snort package and every thing seems fine.

                  James

                  1 Reply Last reply Reply Quote 0
                  • T Offline
                    tester_02
                    last edited by

                    Any chance of a workaround for deinstalling the old snort properly.  My pfsense 1.2.3 released died when I uninstalled it and rebooted.  A fresh install was my only way to get it back.  I have a friend who I helped install pfsense on, and I am scared to update snort for him.
                      You mentioned that there is a problem with the old snort not properly uninstalling.  Any chance of a script that will properly uninstall, so that we can put the new one on?

                    Jamesdean Please keep up the good work.  The new version is working great for me, and all the rules are working.  I think some people forget that there is always a need for someone to keep these packages updated and running, or they stop working as the main authors update their work (snort, squid, etc).

                    Hey CDX.  You may not have noticed but the old snort stopped working a few weeks ago with a rules update from snort.org.  You could get it back running, but with many rules disabled.

                    1 Reply Last reply Reply Quote 0
                    • J Offline
                      jamesdean
                      last edited by

                      tester_02 do me a fav. deinstall snort and then install again.
                      I forgot are you on 2.0 ?

                      I added code that removes snort-old entries. It should help your deinstall problems.
                      If it does not report back here as soon as you can.

                      I working out these problem on a pfsense 1.2.3 nanobsd on a CF card
                      every thing seems fine.

                      James

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        dnegreira
                        last edited by

                        Hi,

                        I am using PfSense 1.2.3.
                        I confirm that the latest snort package version 1.20 is working correctly!

                        Thanks a lot for the fix jamesdean and i hope that you can keep up the excellent work ;)

                        Kind regards,
                        David Negreira.

                        1 Reply Last reply Reply Quote 0
                        • V Offline
                          vito
                          last edited by

                          Hi JamesDean,
                          I have the latest Snort running and i am noticing something.

                          i had Snort working fine with one interface up (WAN)
                          At one point, i needed to disable Snort….So i disabled Snort on the WAN interface (only interface i configured), but Snort still is/was blocking.
                          Snort Service was still started in Services (which it would seem correct since one interface should not stop the whole package)

                          I'm i missing a setting or something?

                          Thanks for your help
                          Also, would you rather new threads on issues or continue this thread?
                          Again, thanks for the work on this package!

                          PF 1.2.3 Full
                          Snort 2.8.5.3 pkg v. 1.19

                          1 Reply Last reply Reply Quote 0
                          • D Offline
                            dnegreira
                            last edited by

                            Vito,

                            Try to install the latest snort package 1.20.

                            1 Reply Last reply Reply Quote 0
                            • V Offline
                              vito
                              last edited by

                              ok… did that just come out?
                              I thought i checked yesterday.

                              anyway, just installed....Now all my settings are gone....

                              1 Reply Last reply Reply Quote 0
                              • V Offline
                                vatson
                                last edited by

                                @dnegreira:

                                Hi,

                                I am using PfSense 1.2.3.
                                I confirm that the latest snort package version 1.20 is working correctly!

                                Does it mean that upgrade from previous Snort package is now possible without full pfSense reinstall?

                                1 Reply Last reply Reply Quote 0
                                • J Offline
                                  joukahainen
                                  last edited by

                                  @vatson:

                                  @dnegreira:

                                  Hi,

                                  I am using PfSense 1.2.3.
                                  I confirm that the latest snort package version is working correctly!

                                  Does it mean that upgrade from previous Snort package is now possible without full pfSense reinstall?

                                  Yes it does mean that.

                                  I can also confirm that this release works without full Pfsense reinstall. I was stuck with the old snort installation version untill 1.20 was released.

                                  The 1.20 version seems to have some minor bugs left (update rules page only works with Firefox and stays stuck with "please be patient" message eaven when using Firefox after the rule update is finnished, and in my case it took a while before snort started actually blocking those hosts that generate alerts), but these are not big issues in my opinion.

                                  1 Reply Last reply Reply Quote 0
                                  • T Offline
                                    tester_02
                                    last edited by

                                    Snort 1.20 install went great, no issues  on my 1.2.3.release install. I had no issues on my firefox and getting new rules.

                                    Can others comment if they do an upgrade from the old releases (2.8.4 v1.7) that their installs do work?  Also, if you deinstalled, and then installed the new package, or just did a reinstall to upgrade?

                                    I have my brothers update to do, and don't want to do a reinstall as he is not local to me and he's completely new to pfsense. :)

                                    1 Reply Last reply Reply Quote 0
                                    • ? Offline
                                      A Former User
                                      last edited by

                                      @tester_02:

                                      Snort 1.20 install went great, no issues  on my 1.2.3.release install. I had no issues on my firefox and getting new rules.

                                      Can others comment if they do an upgrade from the old releases (2.8.4 v1.7) that their installs do work?  Also, if you deinstalled, and then installed the new package, or just did a reinstall to upgrade?

                                      I have my brothers update to do, and don't want to do a reinstall as he is not local to me and he's completely new to pfsense. :)

                                      The best now is after a reboot it uninstalls it's self .great fix that was .

                                      1 Reply Last reply Reply Quote 0
                                      • J Offline
                                        joukahainen
                                        last edited by

                                        @tester_02:

                                        Snort 1.20 install went great, no issues  on my 1.2.3.release install. I had no issues on my firefox and getting new rules.

                                        Can others comment if they do an upgrade from the old releases (2.8.4 v1.7) that their installs do work?  Also, if you deinstalled, and then installed the new package, or just did a reinstall to upgrade?

                                        In my case (runnig pfsense 1.2.3 and the old snort version was 2.8.4 v1.7). I did deinstall the old version first and then installed the new 1.20 package.  Worked fine that way

                                        Just in case for those that are doing upgrade, or new with snort : Also remeber tho check the preprocessors settings when activating new rules. Snort wont start if you activate rules that require for example http preprocessor and the needed preprocessor is not selected (snort logs are good for finding what is wrong).

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.