Snort Won't Start After Upgrade

tester_02 · Jul 27, 2011, 3:29 AM

Personally I think snort should be part of the main package. To me pfsense is the main release + squid + squidguard + snort. I just believe that part of the main development should be those packages integrated into the release.
Beyond that, if this package is so critical to so many, why has nobody put up a bounty like others suggested. I am also sure that the amount contributed to the snort developer is probably peanuts compared to the time he's put into this package. I am sure more of an incentive to keep it going would not hurt.
As just a home user I've donated my $50 in the past (and probably should do more when the next release comes out), as well as offered money for bounties when I can. For people complaining that their company need it, I think the amount should be much more. Your business is operating on free software, contribute to it, or it will stop being developed. Complain when you have to spend thousands on proprietary software with yearly fees, instead of living off free software. It's not really free, as the developers spend their time working on it for nothing. Donated a few dollars per year, it's worth the rewards when you get software like pfsense (watch the other distros with no support fall off over the years or move strictly into pay systems and you will know how good this really is).

That's all I have to say on the topic….

jamesdean · Jul 27, 2011, 3:40 AM

Update….

I am pretty much done with every thing, GUI wise. New snort binaries are building right now, that is a relief.

Only 2 things left to do...

1. create snortsam GUI.

2. create snortsam/snort/barnyard2 startup scripts.

I been stuck on creating a way to manage the snortsam block sid rule sets and saving user changes to said blocked sids.
You guys/girls have to realize there are 30,000 snort/emeging rule block sids and I have to make sure your saved settings are saved and displayed correctly as fast as possible.

Side note: I am always happy when you guys care enough to complain. Makes me feel my work on the GUI and the forums is useful to you.
I understand you guys bothered, but snort is working on pfsense 1.2.3 and the removal of the old snort version from 2.0 could not be helped.
Moreover, I understand the urgency and I am working as fast as possible with the limited amount of time I have. (personal life, work, paid projects etc...)

I am not giving you an a date on release to beta, just know I am close.

follow my progress
https://github.com/robiscool

Thanks
Robert

cyber7 · Jul 27, 2011, 6:00 AM

Hi Robert.
Actually, it is very true what you say. The reason people (including myself!) are complaining is because your work is so very important in the entire release of pfSense that without your contribution, the firewall is reasoned lacking. (In other words, without Snort, pfSense just won't do!)

I thank you for your update. I believe most people (if not all) have been put to rest seeing that you are putting so much effort into Snort.

Kind regards
Aubrey Kloppers
Cape Town
South Africa

Cino · Jul 27, 2011, 1:48 PM

Robert,

Keep up the good work man! From what i've seen, the new package looks really awesome! Looking forward to beta testing when that time comes..

Darkk · Jul 27, 2011, 4:12 PM

Awesome!! Looking forward to it.

Darkk

NightHawk007 · Jul 28, 2011, 6:04 AM

I am glad my standby utm software still works on my hardware . I hope you guys tell us when the beta is ready to go ..

seattle-it · Jul 28, 2011, 4:25 AM

Segfaults for me on an AMD64 box when started from a shell .. looks as if progress is being made though, keep @ it Jamesdean ;)

cmb · Aug 2, 2011, 6:29 AM

We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has lead to this massive clean up today, with more work to be done on it tomorrow.
https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a

That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.

If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.

Cino · Aug 2, 2011, 5:38 PM

@cmb:

We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has lead to this massive clean up today, with more work to be done on it tomorrow.
https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a

That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.

If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.

funny I just checked github to see what updates are out there and Ermal has been busy!! I see the old snort package is enable… Who is going to be the brave soul and try it? Well i gave it shot and it installed on my system but it couldn't download the rules from snort.org

Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 859

I guess i should wait until the devs say its good to go.

going to see if i can manually download them

jamesdean · Aug 2, 2011, 5:52 PM

@cmb is right snort should be maintained by the core paid developers. My work on snort package will stop immediately and will move my code to a package called Orion.
I have really enjoyed giving my free time and code to the pfSense snort community. I hope people continue to enjoy my GUI I have built and code I have donated.
Those of you that expect the Old snort gui to return dont worry, 90% of my snort 1.2.3 code will not change for 2.0.

My snort 2.0 package I was working on will become Orion IDS package and will likely become private for paid supporters. This will help me give my full attention to this package.
I think I have a base now that can support me to work on this package on a limited part time.

Moreover, this should give me the freedom to add features as fast as possible.

Robert

eri-- · Aug 2, 2011, 6:47 PM

I just made some other changes that should make it behave better in regards to rule downloading.

I couldn't test with snort.org since it was slow and did not have an account to test with.

Cino · Aug 2, 2011, 7:09 PM

This makes sense if i'm reading this last couple of post correctly. Snort being maintained my the core dev team.. If users want more then a basic Snort package… They have the option to pay for the Orion IDS.

@Ermal I'll give it a shot but you are right! Snort.org is really slow today... My manual updating from the cmd failed due to timeouts

Cino · Aug 2, 2011, 7:58 PM

Snorts site is timing out so i can't test. emergingnet rules downloaded with no problems.

When I tried to start snort on my WAN interface, this is the error i received:

Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 92 Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: Is a directory in /usr/local/pkg/snort/snort.inc on line 1184 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 192 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 193 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 194 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 195 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 196 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 197

This is in my system log:


Aug 2 13:20:31 	php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
Aug 2 13:20:31 	php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.

I don't know if this is relate to adding snort or my mornings gitsync but when i look at my system log i get the below errors. I'm able to see the system log tho but this is at the header of the page. Also, none of the other tabs are showing this error(firewall,dhcp,openvpn)


Warning: Unknown: GC cache entry '/usr/local/www/guiconfig.inc' (dev=109 ino=801962) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/usr/local/www/csrf/csrf-magic.php' (dev=109 ino=801951) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/xmlparse.inc' (dev=109 ino=7301225) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/util.inc' (dev=109 ino=7301219) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/priv.defs.inc' (dev=109 ino=7301206) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/priv.inc' (dev=109 ino=7301205) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/priv/user.priv.inc' (dev=109 ino=7301204) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/notices.inc' (dev=109 ino=7301195) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/led.inc' (dev=109 ino=7301192) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/IPv6.inc' (dev=109 ino=7301190) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/globals.inc' (dev=109 ino=7301185) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/crypt.inc' (dev=109 ino=7301178) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/config.lib.inc' (dev=109 ino=7301176) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/config.gui.inc' (dev=109 ino=7301175) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/authgui.inc' (dev=109 ino=7301168) was on gc-list for 3659 seconds in Unknown on line 0 Warning: Unknown: GC cache entry '/etc/inc/auth.inc' (dev=109 ino=7301167) was on gc-list for 3659 seconds in Unknown on line 0 Warning: session_start(): Cannot send session cache limiter - headers already sent in /etc/inc/auth.inc on line 1260 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 47 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 48 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 49 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 50 Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 51

Now i'm asking for too much, could it be possible to add a index.php in the root of the snort www directory with the below code? So when i click on the pfSense image in the upper left corner, it brings back to the main dashboard page instead of page no found.

EDIT: The permissions are wrong on the /usr/local/etc/rc.d/snort.sh file I believe. Its currently 644, should 755. i tried to manually start snort using the snort.sh but i think there is an syntax error with the interface


[2.1-DEVELOPMENT][root@]/root/custom(7): /usr/local/etc/rc.d/snort.sh start
ls: /tmp/snort.sh.pid: No such file or directory
ls: /tmp/snort.sh.pid: No such file or directory
rm: /var/run/snort_7758_em3.pid: No such file or directory
rm: /var/run/snort_7758_em3.pid.lck: No such file or directory
[2.1-DEVELOPMENT][root@]/root/custom(8): usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file target_file
       cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file ... target_directory

valshare · Aug 2, 2011, 7:51 PM

Hello,

i am running the latest pfsense 2.0 rc3 from today and have installed the snort 2.0 package as a virtual machine on kvm. If i want to edit the network interface in the snort settings, i get an "error: no uuid". How can i fix this problem?

Regards, valle

eri-- · Aug 2, 2011, 8:55 PM

@Cino,

should be fixed, just reinstall.

@valshare,

please give me the right error message since that does not mean anything!

NightHawk007 · Aug 2, 2011, 9:13 PM

The thing on this forum that just does not sense .People do not read the forum snort has been broken for a long time now .there was a couple of posts on the forum saying it will be awhile before it gets fixed .
Will someone tell us how far it has come and is the beta out yet for us to test out .
I am using my standbye UTM software with snort in there operating system and it works perfect .

Cino · Aug 2, 2011, 9:21 PM

@ermal:

@Cino,

should be fixed, just reinstall.

Almost there… it seems to forget the interface.. I noticed that you made some changes to how it puts the interface, wondering if something is missing there.

I deleted all my snort configs... Added a interface... told me i had no rules... updated the rules again.... checked some rules.... tried to start it, didn't start. Went back to the categorizes and was told i dont have rules... its picking the wrong directory or something.

Aug 2 17:10:29 	SnortStartup[35682]: Interface Rule START for 0_39737_...
Aug 2 17:10:29 	snort[34151]:
Aug 2 17:10:29 	snort[34151]:
Aug 2 17:10:29 	snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
Aug 2 17:10:29 	snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.

eri-- · Aug 2, 2011, 9:56 PM

Can you show me hte generated snort conf?

Cino · Aug 2, 2011, 10:21 PM

@ermal:

Can you show me hte generated snort conf?

Here you go:

#!/bin/sh
########
# This file was automatically generated
# by the pfSense service handler.
# Code added to protect from double starts on pfSense bootup
######## Begining of Main snort.sh

rc_start() {

	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then

		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0

	fi

	/bin/echo "snort.sh run" > /tmp/snort.sh.pid

	#### Remake the configs on boot Important!
	/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..."

###### For Each Iface

#### Fake start only used on bootup and Pfsense IP changes
#### Only try to restart if snort is running on Iface
if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" != "" ]; then

	snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`"
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"

	#### Restart Iface
	/bin/kill -HUP ${snort_pid}
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For 39737_..."

fi

	/bin/rm /tmp/snort.sh.pid

	#### If on Fake start snort is NOT running DO a real start.
	if [ "`/bin/ps -auwx | grep -v grep | grep "R 39737" | awk '{print $2;}'`" = "" ]; then

		rc_start_real

	fi
}

rc_start_real() {

	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0
	fi

	###### For Each Iface

# If Snort proc is NOT running
if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" = "" ]; then

	/bin/echo "snort.sh run" > /tmp/snort.sh.pid

	# Start snort and barnyard2
	/bin/rm /var/run/snort_39737_.pid
	/bin/rm /var/run/snort_39737_.pid.lck

	/usr/local/bin/snort -u snort -g snort -R 39737 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 39737 -c /usr/local/etc/snort/snort_39737_/snort.conf -i 

	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For 39737_..."

fi

	/bin/rm /tmp/snort.sh.pid

}

rc_stop() {

	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0
	fi

pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`
sleep 3
pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_39737_.u2" | /usr/bin/awk '{print $2;}'`

if [ ${pid_s} ] ; then

	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For 39737_..."

	/bin/kill ${pid_s}
	sleep 3
	/bin/kill ${pid_b}

	/bin/rm /var/run/snort_39737_.pid.lck
	/bin/rm /var/run/snort_39737_.pid

fi

	/bin/rm /tmp/snort.sh.pid
	/bin/rm /var/run/snort*

}

case $1 in
	start)
		rc_start
		;;
	start_real)
		rc_start_real
		;;
	stop)
		rc_stop
		;;
	restart)
		rc_stop
		rc_start_real
		;;
esac

eri-- · Aug 2, 2011, 10:27 PM

Try the new update i just made.

That is the startup script and not the config. But for now all should be fixed.