Netgate Discussion Forum

    Snort Won't Start After Upgrade

      hmishra

      Just tried it, still no joy. Having installed Snort first, I tried to install Cron and that bumped off the Snort menu entry under Services.

        eri--

        You need to update to the latest snapshot to fix the issues with the menu.

        @Cino,

        IDS integration is the Block offenders option

          Cino

          @Ermal The suppress list is working. Snort stayed up last night. Need to do some more testing, but blocked IPs didn't clear after the set time I selected. My time is set to block for 1 hour; I had IPs in there that were blocked 8 hours ago.

          Edit: I did some more testing and it's not removing IPs from the Block list. I looked to see if there was a cron job but there wasn't. For some reason I'm thinking there was a cron job that was based on the 'Remove blocked hosts every' field.

            mdovey

            The "add another entry" button under the "Add your own custom ips" for Whitelists doesn't appear to be working. So I can only add 1 ip to a whitelist!

            I've tried under Opera 11.50 and IE9

            Matthew

              Cino

              @mdovey:

              The "add another entry" button under the "Add your own custom ips" for Whitelists doesn't appear to be working. So I can only add 1 ip to a whitelist!

              I've tried under Opera 11.50 and IE9

              Matthew

              This is new, I can confirm that it's doing the same thing for me using FF 5… Strange, it wasn't doing this last night... I did notice last night that any IPs I did add wouldn't show up under 'Values' in the 'Services:Snort:Whitelist' tab.

              When I try to add an IP, this is the link the button is pointing to: https://192.168.0.1:445/snort/snort_interfaces_whitelist_edit.php?id=1#

                eri--

                Fixed even the row helper.

                The expire of the hosts from the table should be done by a cron job.
                Please try with the latest package and give a save under Global Settings for that.

                  Cino

                  @ermal:

                  Fixed even the row helper.

                  The expire of the hosts from the table should be done by a cron job.
                  Please try with the latest package and give a save under Global Settings for that.

                  Adding IPs works again. I still don't see the added IPs under the main page in the values field. I'm thinking there is a limit of 10 entries because it doesn't display past 10 entries. No biggie for me since it is adding them to the file correctly.

                  The cron job is back and it's working for 1hr :-)

                  Thank you again for all your help Emarl!

                  PS I don't have Barnyard2 so I can't test, but I think we have tested everything within the package… I still have to create another interface and see how that reacts with snort being bound to 2+ interfaces.

                    hansmuff

                    I have pfsense 2.0 RC3 64-bit installed. I un-installed Snort when it broke and just re-installed from the packages menu. Does that give me the latest release, because I have the same problem I've been having when Snort initially stopped working.

                    My Snort version is 2.8.6.1 pkg v. 2.0

                    The error in the syslog is "Aug 4 17:27:07 SnortStartup[17989]: Snort HARD Reload For 25369_fxp0…
                    Aug 4 17:27:07 snort[17310]: FATAL ERROR: /usr/local/etc/snort/snort_25369_fxp0/snort.conf(316) Unknown output plugin: "alert_pf""

                    My apologies if I'm doing this wrong.

                      asterix

                      Latest amd64 snapshot. Clean install.

                      Snort not starting.

                      Aug 4 18:43:49 SnortStartup[10250]: Snort HARD Reload For 35360_em0…
                      Aug 4 18:43:49 SnortStartup[6313]: Snort Startup files Sync…
                      Aug 4 18:43:22 SnortStartup[47731]: Snort HARD Reload For 35360_em0…
                      Aug 4 18:43:21 SnortStartup[43782]: Snort Startup files Sync…

                      Did an uninstall/install of Snort (not re-install) thrice... no-go

                      Aug 4 18:53:13 SnortStartup[2775]: Snort HARD Reload For 33845_em0…
                      Aug 4 18:53:13 SnortStartup[62907]: Snort Startup files Sync…
                      Aug 4 18:52:54 SnortStartup[33560]: Interface Rule START for 0_33845_em0…
                      Aug 4 18:52:53 SnortStartup[21740]: Toggle for 33845_em0…
                      Aug 4 18:52:47 check_reload_status: Syncing firewall
                      Aug 4 18:52:32 check_reload_status: Syncing firewall
                      Aug 4 18:52:10 SnortStartup[23637]: Snort HARD Reload For 35360_em0…
                      Aug 4 18:52:10 SnortStartup[20060]: Snort Startup files Sync…
                      Aug 4 18:51:29 check_reload_status: Syncing firewall
                      Aug 4 18:50:47 check_reload_status: Syncing firewall
                      Aug 4 18:50:47 check_reload_status: Reloading filter
                      Aug 4 18:50:46 check_reload_status: Syncing firewall
                      Aug 4 18:50:09 check_reload_status: Syncing firewall
                      Aug 4 18:50:08 php: /pkg_mgr_install.php: Beginning package installation for snort.
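
The two syslog excerpts above fail in different ways: one names the offending `snort.conf` line, the other only shows repeated "HARD Reload" attempts. The following triage script is an added example, not part of the original posts or of the pfSense Snort package; its regular expressions assume the line formats quoted in this thread, and the sample input is constructed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines copied from the posts in this thread.
SAMPLE_LOG = """\
Aug 4 17:27:07 SnortStartup[17989]: Snort HARD Reload For 25369_fxp0…
Aug 4 17:27:07 snort[17310]: FATAL ERROR: /usr/local/etc/snort/snort_25369_fxp0/snort.conf(316) Unknown output plugin: "alert_pf"
Aug 4 18:43:49 SnortStartup[10250]: Snort HARD Reload For 35360_em0…
Aug 4 18:43:49 SnortStartup[6313]: Snort Startup files Sync…
Aug 4 18:43:22 SnortStartup[47731]: Snort HARD Reload For 35360_em0…
Aug 4 18:43:21 SnortStartup[43782]: Snort Startup files Sync…
"""

# Assumed formats, taken from the lines above; \w+ stops before the trailing "…".
RELOAD_RE = re.compile(r"SnortStartup\[\d+\]: Snort HARD Reload For (?P<inst>\w+)")
FATAL_RE = re.compile(
    r"snort\[\d+\]: FATAL ERROR: (?P<conf>\S+/snort_(?P<inst>\w+)/snort\.conf)"
    r"\((?P<line>\d+)\) (?P<msg>.*)$"
)

def triage(log_text):
    """Return {instance: {"reloads": n, "fatal": [(conf, line, msg), ...]}}."""
    report = defaultdict(lambda: {"reloads": 0, "fatal": []})
    for raw in log_text.splitlines():
        m = RELOAD_RE.search(raw)
        if m:
            report[m["inst"]]["reloads"] += 1
            continue
        m = FATAL_RE.search(raw)
        if m:
            entry = (m["conf"], int(m["line"]), m["msg"].strip())
            report[m["inst"]]["fatal"].append(entry)
    return dict(report)

def summarize(report):
    """One line per instance: explained failure versus silent reload loop."""
    out = []
    for inst, info in sorted(report.items()):
        if info["fatal"]:
            conf, line, msg = info["fatal"][-1]
            out.append(f"{inst}: {info['reloads']} reload(s), fatal at {conf}:{line}: {msg}")
        else:
            out.append(f"{inst}: {info['reloads']} reload(s), no FATAL ERROR logged; "
                       "test its snort.conf with snort -T -c to see why it exits")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```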

                        Cino

                        @hansmuff and asterix I don't run amd64 on my box, all my testing has been on the i386 platform.

                        @ermal logged into my console and I noticed some startup errors.
                        This is right after starting package snort…

                        chown: /tmp/snort*: No such file or directory
                        chmod: /var/run/snort*: No such file or directory
                        chmod: /tmp/snort*: No such file or directory

                          grandrivers

                          I did a clean install and am having trouble with the emerging threats rules, can't get them to show up.

                          pfsense 2.4 super micro A1SRM-2558F
                          C2558 8gig ECC  60gig SSD
                          triple Wan dual pppoe

                            Burnie

                            @Emarl: great work. snort seems to be working great now. (i386/2.0RC1)

                            I found two things that didn't seem right:

                            1. filenames of md5 files in /usr/local/www/snort/snort_download_updates.php seem wrong:

                            
                            --- /usr/local/www/snort/snort_download_updates.php.orig	2011-08-04 22:03:35.000000000 +0200
                            +++ /usr/local/www/snort/snort_download_updates.php	2011-08-04 22:04:35.000000000 +0200
                            @@ -47,5 +47,5 @@
                             /* quick md5s chk */
                            -if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2860.tar.gz.md5'))
                            +if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5'))
                             {
                            -	$snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2860.tar.gz.md5');
                            +	$snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5');
                             }else{
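
Review bot: the snapshot version is hardcoded as `2861` in both the file_exists() test and the exec() path of this first hunk, so the same two lines will need patching again at the next Snort version bump. Build the `.md5` filename once in a variable and use it in both places. The exec('/bin/cat …') call only reads a local file, so trim(file_get_contents(…)) would do the same job without spawning a process.
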
                            @@ -54,5 +54,5 @@
                            
                            -if(file_exists('/usr/local/etc/snort/version.txt'))
                            +if(file_exists('/usr/local/etc/snort/emerging.rules.tar.gz.md5'))
                             {
                            -	$emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/version.txt');
                            +	$emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/emerging.rules.tar.gz.md5');
                             }else{
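
Review bot: the existence test in this second hunk moves from version.txt to emerging.rules.tar.gz.md5, so an install that only has the old version.txt will now fall into the else branch, which is not visible here. Confirm that branch treats a missing md5 file as "needs download" rather than as an error. A one-line comment next to `/* quick md5s chk */` stating that the stored md5 is only compared to detect a changed ruleset would also make the intent of $emergingt_net_sig_chk_local clearer.
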
                            
                            

                            2. Trying to enable barnyard2, when I clicked save, it said it couldn't write to
                              /usr/local/etc/snort/snort__re1/barnyard2.conf
                            and then all config of snort were gone…
                            I guess somewhere it lost $iface_uuid, as I suspect it meant to write to
                              /usr/local/etc/snort/snort_6162_re1/barnyard2.conf

                            (I haven't had time to dig into the last one just yet)

                              eri--

                              I have not touched barnyard at all, :(.

                              I know there are some other issues in the code but general functionality is ok.
                              I will check what i can do to progress on this but support is most definitely a welcome addition :)

                              BTW: my name is Ermal and not Emarl

                              EDIT:
                              @Burnie
                              imported your fix in the package, thx.

                              @Cino,

                              fixed the warnings you mentioned.

                                asterix

                                Ermal, any amd64 support?

                                  eri--

                                  The amd64 support is there but look at redmine.pfsense.org under snort category of issues on pfSense-packages project.
                                  I am trying to put there all known issues though solving those is not only based on my or pfSense good will :), some help is needed as well.

                                    hmishra

                                    Ermal,

                                    I know folks here have reported that the blocked hosts being cleared after the set time is working now, but I have not had success with that working yet. I have attached my screen shot of Cron entries on my system and don't think the job to remove the blocked hosts exists for Snort. I uninstalled and installed Snort just a few minutes back, so I am positive that I am running the latest iteration of your changes.

                                    Thanks,
                                    Hiranmoy

                                    ![New Picture.gif](/public/imported_attachments/1/New Picture.gif)

                                      hmishra

                                      Never mind… My mistake. Turns out I did not hit 'Save' after having installed the latest Snort package. The Cron entries appeared after that.

                                      Thanks!

                                        Ibor Daru

                                        @ermal and others

                                        Today I updated my AMD64 PFSense system (Intel Atom CPU D510 @ 1.66GHz) to the latest available snapshot (2.0-RC3 (amd64) built on Tue Aug 2 22:54:59 EDT 2011).

                                        Snort completely deinstalled before updating to latest snapshot. Reinstalled Snort, but Snort cannot be found in any menu whatsoever. Furthermore, Snort service is not available either. Tried again: completely deinstalled Snort, restarted PFSense and reinstalled Snort again with no results.

                                        Any suggestions on how to solve the menu and service issues?

                                          eri--

                                          You need to do a gitsync or wait for a new snapshot to come out.

                                            Ibor Daru

                                            @ermal:

                                            You need to do a gitsync or wait for a new snapshot to come out.

                                            Thanks ermal! It worked out by following the guide @ http://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots. Menu and service are back again.

                                            However (don't shoot the messenger), Snort service still won't start … as before. Just like:

                                            @asterix:

                                            Latest amd64 snapshot. Clean install.

                                            Snort not starting.

                                            Aug 4 18:43:49 SnortStartup[10250]: Snort HARD Reload For 35360_em0…
                                            Aug 4 18:43:49 SnortStartup[6313]: Snort Startup files Sync…
                                            Aug 4 18:43:22 SnortStartup[47731]: Snort HARD Reload For 35360_em0…
                                            Aug 4 18:43:21 SnortStartup[43782]: Snort Startup files Sync…
                                            ...
