Netgate Discussion Forum

    Snort Won't Start After Upgrade

    pfSense Packages
    • E
      eri--
      last edited by

      @serialdie,

      Well, if you found that something needs to be fixed in the package, let me know so I can integrate it.

      As related to other issues, you can report them with some info behind for me to be able to find the issue or even better submit a patch.

      I am aware of the status of the package, but as it is today it is way better than it was when I started.
      Also, continuing to fix it will be based either on funding donations or my free time; that is the reasoning behind my statements.
      For the moment my time was backed with some funding behind it, and for the future we will see.
      You have to thank me as well as the pfSense guys for allocating time to this.
      Certainly I will try to progress in my free time to improve it, and there is a lot to improve, but that has no timelines behind it.

      1 Reply Last reply Reply Quote 0
      • T
        th3r3isnospoon
        last edited by

        Where and how can we donate?

        Thanks,

        -th3r3isnospoon

        1 Reply Last reply Reply Quote 0
        • E
          eri--
          last edited by

          You can contribute to pfSense directly at this link http://www.pfsense.org/index.php?option=com_content&task=view&id=69&Itemid=80

          1 Reply Last reply Reply Quote 0
          • C
            Cino
            last edited by

            @ermal I don't know if this is a quick fix or not, but could you fix the log format spacing? It wasn't like this with the old version of snort; see my screenshot.

            snortlog.jpg

            1 Reply Last reply Reply Quote 0
            • S
              serialdie
              last edited by

              Cino,

              I don't have this issue.
              Which version are you using? Also, what platform, i386 or amd64?

              1 Reply Last reply Reply Quote 0
              • C
                Cino
                last edited by

                FF 6.02, PF2.1_Dev i386

                1 Reply Last reply Reply Quote 0
                • A
                  asterix
                  last edited by

                  By any chance.. do you have the widescreen package installed?

                  1 Reply Last reply Reply Quote 0
                  • C
                    Cino
                    last edited by

                    @asterix:

                    By any chance.. do you have the widescreen package installed?

                    Nope… Would like to use it, but not till it's fully completed.

                    1 Reply Last reply Reply Quote 0
                    • A
                      atlasis
                      last edited by

                      @serialdie:

                      … If I clear the log in snort the interface takes me to a white page /snort/snort_alerts.php and does nothing. it does not clear the logs. ...

                      I also have this issue.
                      Moreover, in the If settings of the interface configured to run snort, the only option available for HOME NET is the default (which includes the subnets of all interfaces). When I change it manually in the corresponding snort.conf file, after restarting the service it does take the same values again.

                      Am I missing something or is it a kind of a bug?

                      Thanks

                      Antonios

                      1 Reply Last reply Reply Quote 0
                      • A
                        atlasis
                        last edited by

                        @atlasis:

                        …in the If settings of the interface configured to run snort, the only option available for HOME NET is the default (which includes the subnets of all interfaces)...

                        I did overcome this problem by using the "Advanced configuration pass through" to pass the HOME_NET and the EXTERNAL_NET parameters. In the snort.conf file there are two definitions of these variables (the default and the passed-through ones), but obviously the second overrides the first.

                        However, I still believe it is an issue that you cannot change the default value.

                        1 Reply Last reply Reply Quote 0
                        • S
                          serialdie
                          last edited by

                          @Cino:

                          @asterix:

                          By any chance.. do you have the widescreen package installed?

                          nope… Would like to use it but not till its fully completed

                          Matthias did some changes to fix the issues with the widescreen pkg…

                          http://forum.pfsense.org/index.php/topic,35285.0.html

                          Though it is a manual process and still requires some editing if you are not running 2.1... All in all it works and fixes a lot of bugs.

                          1 Reply Last reply Reply Quote 0
                          • B
                            breusshe
                            last edited by

                            I personally consider it a bug since you don't normally think of your home net as your WAN interface.  I don't know how pfSense feels about that, which is what will ultimately decide if this is a "bug" or "feature".

                            1 Reply Last reply Reply Quote 0
                            • C
                              Cino
                              last edited by

                              @Ermal I noticed you added some code to allow inspecting gzipped HTTP flows. After updating the package I'm receiving this error:

                              snort[1781]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(171) => Enable 'extended_response_inspection' inspection before setting 'inspect_gzip'

                              I removed the changes from my box and snort started again.

                              Doing some research, I added extended_response_inspection before the changes you made and snort started. Based on the docs, this is needed for the inspect_gzip setting.

                              
                              			extended_response_inspection \
                              			inspect_gzip \
                              			normalize_utf \
                              			unlimited_decompress \
                              
                              

                              Reviewing the different settings, I think it would make sense to have them under Preprocessors: HTTP Inspect Settings. With all the different settings available for snort, I can see why it would almost be a full-time job to make everything configurable within pfSense.

                              P.S. I still can't clear the alert log. After clicking 'OK' to clear the log, nothing happens. At least I'm not being directed to a blank page now.

                              1 Reply Last reply Reply Quote 0
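As an added example (not part of the thread and not pfSense package code), a small Python check for the two snort.conf points raised in the posts above: the `inspect_gzip` ordering behind the FATAL ERROR Cino quotes, and the duplicate HOME_NET definitions atlasis describes. The sample configuration and the function name `lint_snort_conf` are constructed for illustration.

```python
import re

# Constructed sample, modelled on the fragment quoted in the thread; the
# addresses and the surrounding options are made up for illustration.
SAMPLE_CONF = """\
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var EXTERNAL_NET !$HOME_NET
preprocessor http_inspect_server: server default \\
\tports { 80 8080 } \\
\tinspect_gzip \\
\tnormalize_utf \\
\tunlimited_decompress
# Advanced configuration pass through
var HOME_NET [192.0.2.0/24]
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)")


def lint_snort_conf(text):
    """Return (gzip_errors, duplicate_vars) for a Snort 2.x snort.conf.

    gzip_errors: line numbers where inspect_gzip appears in an
    http_inspect_server statement before extended_response_inspection.
    duplicate_vars: variable name -> every line that defines it.
    """
    gzip_errors, definitions = [], {}
    in_http = seen_extended = continued = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not continued:
            # A new statement starts on this physical line.
            in_http = line.lstrip().startswith("preprocessor http_inspect_server")
            seen_extended = False
            match = VAR_RE.match(line)
            if match:
                definitions.setdefault(match.group(1), []).append(lineno)
        if in_http:
            for token in line.replace("\\", " ").split():
                if token == "extended_response_inspection":
                    seen_extended = True
                elif token == "inspect_gzip" and not seen_extended:
                    gzip_errors.append(lineno)
        continued = line.endswith("\\")  # statement continues on next line
    duplicates = {n: ls for n, ls in definitions.items() if len(ls) > 1}
    return gzip_errors, duplicates
```

Run against each generated per-interface snort.conf after a package update; a non-empty first result points at the line Snort will refuse to start on, and the second shows where a passed-through variable repeats a default one.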
                              • E
                                eri--
                                last edited by

                                Thanks Cino for the usual help.

                                The alert mostly works; when it does not work it's mostly because of snort reloading or php doing something stupid, though I have not investigated which it is that does this.

                                1 Reply Last reply Reply Quote 0
                                • C
                                  Cino
                                  last edited by

                                  Anytime!

                                  Looks like someone figured out a fix for clearing the alert log. Take a look when you have time, http://redmine.pfsense.org/issues/1765

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    eri--
                                    last edited by

                                    I just pushed the fixes for the alert.
                                    Test it out.

                                    1 Reply Last reply Reply Quote 0
                                    • C
                                      Cino
                                      last edited by

                                      Tested and confirm it is working. Thanks again.

                                      1 Reply Last reply Reply Quote 0
                                      • B
                                        bdwyer
                                        last edited by

                                        How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?

                                        CCNP, MCITP

                                        Intel Atom N550 - 2gb DDR3
                                        Jetway NC9C-550-LF
                                        Antec ISK 300-150
                                        HP ProCurve 1810-24
                                        Cisco 1841 & 2821, Cisco 3550 x3

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          @bdwyer:

                                          How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?

                                          Basically, when you see updates in the forum and no change in package version, just reinstall (in this case the snort package) to get the latest file versions.

                                          Elite Training: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • B
                                            bdwyer
                                            last edited by

                                            Yes, I think that worked.  Thanks for filling me in.


                                            1 Reply Last reply Reply Quote 0