Netgate Discussion Forum

Snort Won't Start After Upgrade

pfSense Packages
    strasharo
    last edited by Sep 5, 2011, 8:34 AM

    @Jare:

    @strasharo:

    With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

    [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
    [2.0-RC3][root@kainak]/usr/local/bin(7):

    I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:

    amd64

    /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
    

    i386

    /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
    

    At least for me it seems to be working and logging now just like it should…  ;)

    Thanks a lot for the tip, Jare! ;D At last I got it running with Snorby.  ::)

    P.S. Portscan detection still isn't working. I launched a portscan from GRC.com plus a remote full portscan with nmap, and the only alerts that I got from that are those that match specific rules from the signature set (for example ET SCAN Potential VNC Scan 5900-5920).  :-[

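The manual fix quoted above fetches barnyard2 over plain HTTP and chmods it in place, with nothing checking that the file is the one intended. The following is an added example, not code from the pfSense package or from anyone in this thread: it shows the shape a practitioner would want for that step, verifying a SHA-256 before the binary becomes executable and renaming it into place atomically. It assumes the download already sits in a temp file next to the destination (as `fetch -o` into the same directory would leave it) and that the expected digest was obtained out of band; the thread publishes no digest for barnyard2, so `demo()` hashes a constructed stand-in payload rather than the real binary.

```python
"""Added example (not from the pfSense package or the thread): install a
manually fetched binary such as barnyard2 only after its SHA-256 matches a
known-good value, and move it into place atomically with mode 0755.

Assumptions: the file was already downloaded to a temp path next to the
destination, and the expected digest came from a trusted out-of-band source.
demo() uses a constructed stand-in payload, not the real barnyard2 binary.
"""
import hashlib
import os
import stat
import tempfile

MODE_0755 = stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def install_verified(downloaded: str, expected_sha256: str, dest: str) -> bool:
    """Return True and install `downloaded` at `dest` (0755) if the digest
    matches; otherwise delete the download and leave `dest` untouched.

    os.replace() is an atomic rename on the same filesystem, so nothing ever
    sees a half-written or unverified executable at the destination path.
    """
    if sha256_of(downloaded).lower() != expected_sha256.lower():
        os.unlink(downloaded)
        return False
    os.chmod(downloaded, MODE_0755)   # same effect as chmod 0755
    os.replace(downloaded, dest)
    return True


def demo() -> dict:
    """Run one good and one tampered install into a scratch directory."""
    payload = b"#!/bin/sh\necho 'stand-in for barnyard2'\n"   # constructed sample
    good_digest = hashlib.sha256(payload).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "barnyard2")

        part = os.path.join(d, "barnyard2.part")
        with open(part, "wb") as f:
            f.write(payload)
        results["good_installed"] = install_verified(part, good_digest, dest)
        results["good_mode"] = stat.S_IMODE(os.stat(dest).st_mode)
        results["good_part_removed"] = not os.path.exists(part)

        # A download that does not match the digest must never replace dest.
        with open(part, "wb") as f:
            f.write(payload + b"echo pwned\n")
        results["bad_installed"] = install_verified(part, good_digest, dest)
        results["dest_still_good"] = sha256_of(dest) == good_digest
        results["bad_part_removed"] = not os.path.exists(part)
    return results


if __name__ == "__main__":
    print(demo())
```

The rename-into-place detail matters on a firewall: a plain `fetch -o /usr/local/bin/barnyard2` writes the destination incrementally, so a failed or truncated download still leaves a file there, which is consistent with the "binary missing / not working" symptoms being discussed.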
      valshare
      last edited by Sep 5, 2011, 10:25 AM

      Hi,

      if I want to edit a rule, I get this error:

      Fatal error: Call to undefined function get_middle() in /usr/local/www/snort/snort_rules_edit.php on line 99

      Regards, Valle

        eri--
        last edited by Sep 5, 2011, 11:47 AM

        Reinstall, already fixed.

          Cino
          last edited by Sep 5, 2011, 1:44 PM

          Not really a bug, but I noticed that when I try to shut down Snort from the main Snort page, I have to refresh the page for the status to update. Before the recent changes were made, I would click on the little icon to disable Snort and the page would refresh after Snort was shut down for that interface.

            digdug3
            last edited by Sep 5, 2011, 4:02 PM

            Snort and EM update work like they did before. (2.0-RC3 (i386) built on Mon Sep 5 04:07:51 EDT 2011)

            I disabled the 'keep settings after update' and this reinstalls Snort without any problems.
            Of course you have to setup Snort every time after each update…

            Thanks Ermal for all your effort!

              eri--
              last edited by Sep 5, 2011, 9:00 PM

              Portscan and other preprocessors should work OK now.
              Just reinstall the package files.
              A full upgrade is not needed.

                Cino
                last edited by Sep 6, 2011, 10:20 AM (posted Sep 5, 2011, 9:32 PM)

                @ermal:

                Portscan and other preprocessors should work OK now.
                Just reinstall the package files.
                A full upgrade is not needed.

                Thanks ermal!! I did an uninstall, install… The port scan detection is working; it looks a little different in the alert log. But it's good!

                2 2 PROTO:255 PSNG_TCP_FILTERED_PORTSCAN Attempted Information Leak 4.79.142.206 empty -> xx.xx.xx.xx empty 122:5:1 09/05-17:23:39

                I see you added a sleep timer when disabling Snort, thank you.... So far so good. The only issue left is being able to clear the alerts from the GUI.

                btw, all my testing is on i386.. Someone else will have to confirm amd64. Also, I have not tested Barnyard2. When I get back home next week, I'll play around with it.

                  hmishra
                  last edited by Sep 5, 2011, 11:46 PM

                  ermal,

                  As per your suggestion, I ran ps -ax | grep snort and here is the output:

                  56884  0  S+    0:00.02 grep snort

                  Doesn't this mean snort is not running on my system?

                  Thanks!

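The `ps -ax | grep snort` output above shows only the grep process itself, which is the classic self-match of that pipeline: the grep's own command line contains "snort", so a single line like that means nothing named snort is running. The following is an added example, not code from the thread or from the pfSense package, showing how to answer that question without the self-match and how to cross-check against a pid file. It assumes the five-column `ps -ax` layout seen above (PID TT STAT TIME COMMAND); the `PS_RUNNING` sample is constructed, and the pid-file paths in `demo()` are scratch files, not pfSense's real Snort pid-file location.

```python
"""Added example (not from the thread): tell whether a daemon such as snort
is running without the self-match that `ps -ax | grep snort` produces, and
cross-check with a pid file.

Assumptions: ps output in the five-column `ps -ax` layout shown in the
thread (PID TT STAT TIME COMMAND). The pid files in demo() are scratch
files; they are not pfSense's real Snort pid-file location.
"""
import errno
import os
import tempfile

# Constructed after the line hmishra posted: only the grep itself matched.
PS_NOT_RUNNING = """\
  PID  TT  STAT      TIME COMMAND
56884   0  S+     0:00.02 grep snort
"""

# Constructed: the same command with one Snort instance up on em0.
PS_RUNNING = """\
  PID  TT  STAT      TIME COMMAND
24013  ??  Ss     1:12.40 /usr/local/bin/snort -D -q -l /var/log/snort -i em0 -c /usr/local/etc/snort/snort.conf
57002   0  S+     0:00.02 grep snort
"""


def matching_processes(name: str, ps_output: str) -> list:
    """PIDs whose command's program name is exactly `name`.

    The grep line is skipped explicitly; `grep [s]nort` achieves the same
    thing because the bracket pattern does not match its own text.
    """
    pids = []
    for line in ps_output.splitlines():
        fields = line.split(None, 4)          # PID TT STAT TIME COMMAND...
        if len(fields) < 5 or not fields[0].isdigit():
            continue                           # header or malformed line
        program = os.path.basename(fields[4].split()[0])
        if program == "grep":
            continue                           # the pipeline's own grep
        if program == name:
            pids.append(int(fields[0]))
    return pids


def pid_alive(pid: int) -> bool:
    """Signal 0 checks that a process exists without touching it."""
    try:
        os.kill(pid, 0)
    except OSError as e:
        return e.errno == errno.EPERM          # exists, but owned by another user
    return True


def pidfile_alive(path: str) -> bool:
    """False for a missing, malformed or stale pid file (stale files after a
    crash are the usual false positive when only the file's presence is checked)."""
    try:
        with open(path) as f:
            pid = int(f.read().strip())
    except (OSError, ValueError):
        return False
    return pid > 0 and pid_alive(pid)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "snort_em0.pid")
        with open(live, "w") as f:
            f.write(f"{os.getpid()}\n")          # this process: certainly alive
        stale = os.path.join(d, "snort_em1.pid")
        with open(stale, "w") as f:
            f.write("4194304\n")                 # Linux's pid_max ceiling: never allocated
        return {
            "not_running": matching_processes("snort", PS_NOT_RUNNING),
            "running": matching_processes("snort", PS_RUNNING),
            "live_pidfile": pidfile_alive(live),
            "stale_pidfile": pidfile_alive(stale),
            "missing_pidfile": pidfile_alive(os.path.join(d, "nope.pid")),
        }


if __name__ == "__main__":
    print(demo())
```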
                    Cino
                    last edited by Sep 6, 2011, 2:34 AM (posted Sep 6, 2011, 2:09 AM)

                    @ermal I noticed that Snort was built to have IPv6 now… Can the alert and block page be set up to display IPv6 addresses down the road? I had a line under my block page that displayed NA for the IP. I couldn't remove it, so I went to the snort2c table and it was an IPv6 address. The alert looked like this:

                    4 2 PROTO:255 PSNG_TCP_PORTSWEEP_FILTERED Attempted Information Leak empty empty -> empty empty 122:7:1 09/05-21:40:01

                    [**] [122:7:1] PSNG_TCP_PORTSWEEP_FILTERED [**]
                    [Classification: Attempted Information Leak] [Priority: 2]
                    09/05-21:40:01.891026 2001:0470:1f07:xxxx:0000:0000:0000:8c60 -> 2001:4860:b009:0000:0000:0000:0000:0065
                    PROTO:255 TTL:63 TOS:0x0 ID:0 IpLen:40 DgmLen:234

                    Go figure, it was one of my internal IPv6s… When I get back in a week, I'll see if I can add IPv6 to the whitelist and netlist.

                    thanks again for all your hard work on snort!

                    another example of IPv6:

                    1  1  UDP  BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt  Attempted Administrator Privilege Gain  empty  29652  ->  empty  52225  3:13287:4  09/05-22:17:32

                    Delete  2  empty  N\A

                    [**] [3:13287:4] BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt [**]
                    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
                    09/05-22:17:32.979947 2002:43b1:e866:0000:0000:0000:43b1:e866:29652 -> 2001:0470:1f07:xxxx:0000:0000:0000:0100:52225
                    UDP TTL:118 TOS:0x0 ID:0 IpLen:40 DgmLen:68
                    Len: 20
                    [Xref => http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0069]

                    P.S. I only have my IPv4 interface configured within Snort. I use a HE tunnel, so I find it a little odd, but good to see it can work with IPv6 traffic now.

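The two alerts above show the mismatch the post is describing: Snort's own alert file records full IPv6 source and destination addresses (with the port appended after a ninth colon for UDP/TCP), while the package's alert and block pages render "empty" and "N\A" for the same events. The following is an added example, not code from the pfSense Snort package or from anyone in the thread: a parser for Snort's full alert format as printed above that handles IPv4 and IPv6 endpoints alike, plus a whitelist check that works for both families, which is the "add IPv6 to the whitelist" step the post says it still has to do. The sample alerts are constructed after the ones posted but use documentation prefixes (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24) instead of the poster's real addresses, and HOME_NETS is an illustrative whitelist, not a pfSense setting.

```python
"""Added example, not code from the pfSense Snort package: parse Snort's
"full" alert format (as quoted in the thread) for IPv4 and IPv6, and decide
which source addresses are candidates for a block table.

Constructed/assumed: SAMPLE_ALERTS is modelled on the posted alerts but uses
documentation address ranges; HOME_NETS is an illustrative whitelist.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

SAMPLE_ALERTS = """\
[**] [122:7:1] PSNG_TCP_PORTSWEEP_FILTERED [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/05-21:40:01.891026 2001:0db8:1f07:0001:0000:0000:0000:8c60 -> 2001:0db8:b009:0000:0000:0000:0000:0065
PROTO:255 TTL:63 TOS:0x0 ID:0 IpLen:40 DgmLen:234

[**] [3:13287:4] BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/05-22:17:32.979947 2001:0db8:e866:0000:0000:0000:43b1:e866:29652 -> 2001:0db8:1f07:0001:0000:0000:0000:0100:52225
UDP TTL:118 TOS:0x0 ID:0 IpLen:40 DgmLen:68
Len: 20
[Xref => http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx]

[**] [122:5:1] PSNG_TCP_FILTERED_PORTSCAN [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/05-17:23:39.000000 198.51.100.7 -> 192.0.2.10
PROTO:255 TTL:50 TOS:0x0 ID:0 IpLen:20 DgmLen:161
"""

# Illustrative "home" networks; an alert whose source is inside one of these
# is our own traffic and must not be pushed into the block table.
HOME_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1f07::/48")]


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def family(self) -> int:
        return ipaddress.ip_address(self.src).version


def split_endpoint(token: str):
    """Split 'addr' or 'addr:port' into (normalised addr, port or None).

    Snort's full format prints IPv6 fully expanded (8 groups) and appends
    ':port' for TCP/UDP, so 9 colon-separated groups mean the last is a port.
    Treating everything after the first colon as a port, as IPv4-only code
    does, mangles IPv6 and is the kind of bug that shows up as 'empty'.
    """
    parts = token.split(":")
    if "." in parts[0]:                       # IPv4, with or without :port
        addr, port = parts[0], (int(parts[1]) if len(parts) == 2 else None)
    elif len(parts) == 9:                     # IPv6 + port
        addr, port = ":".join(parts[:8]), int(parts[8])
    else:                                     # bare IPv6 (PROTO:255 alerts)
        addr, port = token, None
    return str(ipaddress.ip_address(addr)), port


def parse_alerts(text: str) -> list:
    """Parse a blank-line separated Snort full-format alert file."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        if len(lines) < 4:
            continue
        h, c, f = HEADER_RE.match(lines[0]), CLASS_RE.match(lines[1]), FLOW_RE.match(lines[2])
        if not (h and c and f):
            continue                           # not a record we understand; skip it
        src, sport = split_endpoint(f.group(2))
        dst, dport = split_endpoint(f.group(3))
        alerts.append(Alert(
            gid=int(h.group(1)), sid=int(h.group(2)), rev=int(h.group(3)), msg=h.group(4),
            classification=c.group(1), priority=int(c.group(2)),
            timestamp=f.group(1), proto=lines[3].split()[0],   # 'UDP', 'TCP', 'PROTO:255'...
            src=src, sport=sport, dst=dst, dport=dport))
    return alerts


def block_candidates(alerts: list, home_nets=HOME_NETS) -> list:
    """Source addresses not inside any home net, v4 or v6 alike; a v6 address
    tested against a v4 network is simply 'not in' it, so mixing is safe."""
    out = {a.src for a in alerts
           if not any(ipaddress.ip_address(a.src) in net for net in home_nets)}
    return sorted(out)


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.family, a.proto, a.src, a.sport, "->", a.dst, a.dport, a.msg)
    print("block:", block_candidates(parse_alerts(SAMPLE_ALERTS)))
```

On the constructed sample the first alert's source falls inside the illustrative home prefix and is excluded, which is exactly the case the post hit: the portsweep came from one of its own internal IPv6 hosts and would otherwise have landed in the block table.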
                      breusshe
                      last edited by Sep 6, 2011, 2:38 AM

                      @Cino:

                      btw, all my testing is on i386.. Someone else will have to confirm amd64. Also, I have not tested Barnyard2. When I get back from home next week, I'll play around with it.

                      I have pfSense on x64 and Snort seems to work fine now.  I did as suggested: updated the firmware to the latest RC3 micro-version and deleted the /usr/lib/snort/* folders after uninstalling the Snort module.  I did not delete my settings, however.  Upon reinstalling Snort and doing the rules update, Snort came right up.  No issues at all.  I didn't even have to do the Snort fixes that I spoke of in earlier posts.  Oh, as with Cino, I am not running Barnyard2.

                      Looks like you guys got it, thanks pfSense Team!

                        marcelloc
                        last edited by Sep 6, 2011, 3:11 AM

                        On my x64 2.0 RC3 it's working too, including blocking offenders.

                        I just saw a delay when I press the "x" gif to start Snort. The daemon starts but the GUI stays waiting… (not a big deal.)

                        Thanks again for the fix.

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                          breusshe
                          last edited by Sep 6, 2011, 3:51 AM

                          Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

                            valshare
                            last edited by Sep 6, 2011, 7:54 AM

                            Hi,

                            now I have reinstalled the Snort i386 package, deleted the configs and reconfigured everything for Snort. Chose the snort_p2p, snort_scan and snort_wb-client categories. Switched the preprocessors on and started the sensor.

                            Started Skype, a port scanner and some web activity. But Snort doesn't find anything and didn't report anything under the "Alert" page.

                            What's wrong? Does it now run on other i386 machines? I'm running pfSense as a virtual machine under KVM. Because there are no virtio drivers I have chosen the rtl8139 network interfaces.

                            Regards,

                            Valle

                              eri--
                              last edited by Sep 6, 2011, 7:56 AM

                              @Cino,

                              yes, during integration of Spoink I made it IPv6 capable, so if an alert for an IPv6 address is triggered it will be entered in the pf(4) table to be blocked.
                              As for an IPv6-capable GUI for Snort, for now I do not have any plans.

                              As for the portscan, it looks a bit different because Snort 2.9 does it a little differently to give more control apparently, but that still needs more work to be integrated in the GUI.

                              As to why Snort is detecting IPv6, it's just a byproduct of how Snort itself works in IPS mode. This would not have been possible in inline mode though :)

                              Again, thank you for your testing and help.

                              @breusshe,

                              I have no plans and have never even used the Snort widget.

                                serialdie
                                last edited by Sep 6, 2011, 11:44 AM

                                @breusshe:

                                Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

                                It has nothing to do with the Snort config. It just looks like the widget is way outdated.

                                  digdug3
                                  last edited by Sep 6, 2011, 4:15 PM

                                  @serialdie:

                                  @breusshe:

                                  Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

                                  It has nothing to do with the Snort config. It just looks like the widget is way outdated.

                                  You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3

                                    serialdie
                                    last edited by Sep 6, 2011, 4:41 PM

                                    @digdug3:

                                    @serialdie:

                                    @breusshe:

                                    Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

                                    It has nothing to do with the Snort config. It just looks like the widget is way outdated.

                                    You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3

                                    That's not the case in 2.0

                                      NightHawk007
                                      last edited by Sep 6, 2011, 5:29 PM

                                      @Cino:

                                      @NightHawk007 I did a firmware update for other reasons, nothing to do with Snort… probably shouldn't have mentioned it.. The Snort package has had its binary updated to a more recent version from Snort. A side effect, it seems, is that port scan detection isn't working. From my current testing, any attack that matches a rule is being detected.

                                      I did a test after a Snort reinstall and did a port scan, and it seems to work fine now  :) :)

                                      Thank You

                                        serialdie
                                        last edited by Sep 6, 2011, 5:34 PM

                                        I am running i386 2.0-RC3. Is it safe now to update Snort?

                                        I just want to make sure everything is OK before updating, as my box is in a production env.

                                        Thank you!

                                          serialdie
                                          last edited by Sep 6, 2011, 6:48 PM

                                          @digdug3:

                                          @serialdie:

                                          @breusshe:

                                          Not sure if this is a new topic, but I'll ask here and move it if needed.  I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not.  Truthfully, I've never had this module work yet so it could just be something in how I've setup Snort.  But, I'm wondering if anyone else has the same issue?

                                          It has nothing to do with the Snort config. It just looks like the widget is way outdated.

                                          You should use SHORT alert descriptions to get the widget working with pfsense 1.2.3

                                          Funny… after a reinstall it started working.
