Snort Won't Start After Upgrade
-
Thank you all for the great work - snort kicks back online on my router - I really felt naked during the last few weeks.
BTW, if I understand it correctly, classic snort package maintenance was shifted from JamesDean. I really admire his work; I can only hope that you will get on well.

I have a couple of issues:
1. When updating rules, when it tries to download the snort.org rules, the following error is shown at the bottom of the page and the rules are not processed:
Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 820
2. If I have the option enabled to "Keep snort settings after deinstall" and then reinstall the package, the menu link for Snort does not appear and Snort is not listed in the "Status: Services" page. I have to backup the config, remove the "snortglobal" section, upload the new config and reinstall Snort to fix it.
Thanks!
I think that no 1 is fixed with the latest update (package version did not change).
I encountered the same issue as in no 2, although I didn't try fiddling with config yet.
What I did was simply use the direct link to the snort web configuration:
http://192.168.1.1/snort/snort_interfaces.php
to update rules and start snort and it seems to be working correctly.
During the snort "holiday" break I messed up with the snort-dev package - maybe something left over from it.
-
2.0-RC3 (amd64)
built on Tue Aug 2 22:54:59 EDT 2011

First let me say thanks for getting this package back, now I can go back to testing ;D
The only problem I've found is that if you tick the Block Offenders under the if settings tab then snort refuses to restart. The following error is logged.
snort[9497]: FATAL ERROR: /usr/local/etc/snort/snort_50697_bce0/snort.conf(351) Unknown output plugin: "alert_pf"
Untick the box and it fires up fine but obviously no hosts get added to the block list.
-
Just got the e-mail that this was fixed. Awesome! Thank you!
http://redmine.pfsense.org/issues/1590
-th3r3isnospoon
-
@Ermal great work! I found small bug with the Suppress List. The interface doesn't seem to be saving the file needed for the interface to come up. Is the path wrong?
Aug 3 09:03:12 snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
Aug 3 09:03:12 snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
I'm going to do more testing with white list and home net list today and report back… I know white list wasn't working in the old package but the work around was to use the home net instead if you needed to white list an IP.
-
All the issues should be solved now.
Please reinstall and test.
-
@ermal:
All the issues should be solved now.
Please reinstall and test.

New problem.. After updating snort, all the menu items for other packages are missing. I did a full firmware update so it would re-download all the packages.. Same thing, all package menu items are removed but Services-Snort is there..
countryblock, LCDproc, cron, shellcmd, vnstat2, ntop, notes are all missing from the menu
EDIT: I removed the code that was added to pkg-utils.inc (https://github.com/bsdperimeter/pfsense/commit/27018d3cc4f12c995efadf5dc5ba90eb7c1aa641). Rebooted the box and did a package re-install. Now my package menu items are there.
-
White list doesn't work. I put the IPs into my home net list and snort also blocked them.
I checked my conf file and var HOME_NET contains none of the IPs I added. Not sure how the white list works since it broke a long time ago. The file "MainWhiteList 10285" doesn't contain any of the IPs I put in that list either. Also, there is a space in the file name.
-
Well the whitelist option in snort:interfaces:edit works only if Block offenders is on!
-
@ermal:
Well the whitelist option in snort:interfaces:edit works only if Block offenders is on!
I had Block offenders on and it was blocking whitelist IPs. I noticed you made some more changes… I'll update and retest
EDIT: new issue, snort won't start. See below:
Aug 3 15:16:23 SnortStartup[13847]: Snort HARD Reload For 39737_em3...
Aug 3 15:16:23 snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Aug 3 15:16:23 snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
-
Also, change https://github.com/bsdperimeter/pfsense/commit/27018d3cc4f12c995efadf5dc5ba90eb7c1aa641 is still removing package menu items. I see that you put a piece back in https://github.com/bsdperimeter/pfsense/commit/05ca39d93d972908e61da6f1b0b9132dd39b017b but that didn't fix it.
As I re-install a package, it's removing the last installed package from the menu.
Edit: I opened a ticket on this as this has nothing to do with Snort but with 2.1 Development code, ticket 1743
-
@ermal:
Well the whitelist option in snort:interfaces:edit works only if Block offenders is on!
I had Block offenders on and it was blocking whitelist IPs. I noticed you made some more changes… I'll update and retest
EDIT: new issue, snort won't start. See below:
Aug 3 15:16:23 SnortStartup[13847]: Snort HARD Reload For 39737_em3...
Aug 3 15:16:23 snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Aug 3 15:16:23 snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.

I can confirm same issue as above on the latest update. I do not have a problem with the package removal though.
-
Hmm just remove and reinstall the binaries again not just the snort files.
Those are files that come with the package, difficult to lose those without something wrong :)
EDIT:
I put another fix to prevent the errors you are seeing.
-
@ermal:
Hmm just remove and reinstall the binaries again not just the snort files.
Those are files that come with the package, difficult to lose those without something wrong :)

All my re-installs have been 'Reinstall this Package'.
BTW, thank you very much for the quick responses on fixing the snort package as I've been finding issues… I've been kind of hoping other users would be reporting on issues other than myself since there was an outcry for snort a week ago...
-
I've already done two reinstalls of PfSense 2RC3 in the last week due to things going awry during a snapshot update (which may or may not have been related to having snort or snort-dev installed), and my first attempt to install the new snort didn't go too well (Snort was missing from the menu and services list after installation but someone else reported this before I could, with more insight as to the circumstances under which it occurred than I had).
So I'm afraid, I'm sitting on the fence at the moment, waiting for an all-clear!
Matthew
-
@ermal:
Hmm just remove and reinstall the binaries again not just the snort files.
Those are files that come with the package, difficult to lose those without something wrong :)
EDIT:
I put another fix to prevent the errors you are seeing.
Just did a reinstall same error:
Aug 3 15:06:12 snort[18906]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Aug 3 15:06:12 snort[18906]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.

Snort was this morning this only started occurring after the reinstall.
-
@ermal I'm able to start snort again :-) Had some issues starting it but I forgot that in my main home net list, I have to uncheck 'Add WAN DNS servers to the list.' since I have an IPv6 in my WAN DNS entries. Snort doesn't like IPv6 yet.
Looking at the conf file, my net list is there.. Going to test the IDS then enable blocking and see if whitelist works again.
EDIT: Issue with the suppress file again. The file looks good
the file:
# This file is auto generated by the snort package. Please do not edit this file by hand.
suppress gen_id 119, sig_id 2, track by_src, ip 68.x.x.x
system log
Aug 3 16:28:32 SnortStartup[57067]: Interface Rule START for 0_39737_em3...
Aug 3 16:28:32 snort[56934]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid configuration line: Ú^Y^O
Aug 3 16:28:32 snort[56934]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid configuration line: Ú^Y^O

Whitelist isn't working. It is creating the file but there is a space in the name "MainWhiteList 10285". Also, when I check 'Block offenders' and select 'MainWhiteList' from the drop down, it goes back to 'default' when I click on 'Save'.
-
mschiek01: Remove the package and install it again.
Do not use the reinstall features but really delete and install the package.
That will fix your issue and it should not happen again after that.
-
The issues with whitelist selection and suppress should be fixed.
-
Thanks again Ermal!! I can't test right now but later tonight I will remove everything snort related, do a firmware update (maybe a fresh install) and after my packages update I'll install snort.
Not sure how this happened but I started up some bit-torrent downloads and it killed snort I think, but it could just be my box..
Aug 3 17:01:11 snort[26553]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS
Aug 3 17:01:11 snort[26553]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS
When I started it back I got this:
Aug 3 17:03:41 SnortStartup[59006]: Interface Rule START for 0_39737_em3...
Aug 3 17:03:41 snort[58868]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter
Aug 3 17:03:41 snort[58868]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter
But I'm having issues with countryblock now so I need to do a reset before I can test again.
-
That is IDS integration which might need some people to help out in funding to make it properly usable.