    Snort stops working after snort update (newest 2.0 RELEASE)

    pfSense Packages
    113 Posts 25 Posters 64.1k Views
      Seb

      I've just reported this as a bug: http://redmine.pfsense.org/issues/1982

        RonpfS

        I do experience many snort failures after update. If I do the update manually, snort starts without problems.

        The update starts at 00:03 every day for a DAILY update. If all pfSense boxes do that at the same time, could that create some issues? Can the servers provide all the data to all pfSense boxes? It might be nice to be able to specify the update time or choose the time 'randomly'.

        I also noticed that when the WAN IP changes, strange things also happen, like blocking of the WAN IP!!!
        A manual restart fixes the problems.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

          Seb

          @RonpfS:

          I do experience many snort failures after update. If I do the update manually, snort starts without problems.
          …

          Do you mean that if you update manually, AFTER the automatic update, or more specifically: WHEN snort is not running, snort starts without problems?  Because if so, that is because the update is different when snort is not running.  See my bug report: http://redmine.pfsense.org/issues/1982


          Everyone,
          Which rules are you running?  Snort Free, Snort Paid-for, Emerging Threats (free), or two of these?  I'm currently using Snort Free and Emerging Threats.

            mentalhemroids

            @Seb:

            @RonpfS:

            I do experience many snort failures after update. If I do the update manually, snort starts without problems.
            …

            @Seb:

            Do you mean that if you update manually, AFTER the automatic update, or more specifically: WHEN snort is not running, snort starts without problems?  Because if so, that is because the update is different when snort is not running.  See my bug report: http://redmine.pfsense.org/issues/1982

            I can't speak for RonpfS, but one of my systems (x86 P3 w/ 512mb RAM) does the updates fine on a 12 hour schedule.  It fails every so often, but very rare.  My other system (x86 Xeon(TM) CPU 3.06GHz w/ 3GB RAM) has updates turned off and when I do run updates manually the updates go through, but Snort never starts/fails; then I have to click on update again and it finally starts up and runs until I tell it to update.  I just tried a reinstall of the package today and ran the updates; the same thing happened… after the updates ran I had to click update a second time to get the Snort service to start.


            @Seb:

            Everyone,
            Which rules are you running?  Snort Free, Snort Paid-for, Emerging Threats (free), or two of these?  I'm currently using Snort Free and Emerging Threats.

            I am running free Snort rules and Emerging Threats on both machines, but with only certain rules enabled.  I tried to have both systems using as much of the same ones as possible, but I'm limited on the P3 with it having less memory.

            Hope this helps Seb.

              RonpfS

              @Seb:

              @RonpfS:

              I do experience many snort failures after update. If I do the update manually, snort starts without problems.
              …

              Do you mean that if you update manually, AFTER the automatic update, or more specifically: WHEN snort is not running, snort starts without problems?  Because if so, that is because the update is different when snort is not running.  See my bug report: http://redmine.pfsense.org/issues/1982


              When snort is running, it fails after auto update, a manual update will start snort.

              I'm currently using x86 Snort 2.9.0.5 pkg v. 2.0 with Snort Free and Emerging Threats
              I have pfBlocker in use as well.

              I reinstalled the snort package an hour ago … no alert since !!!!

              I figured out that /usr/local/bin/barnyard2 went missing in action  ???
              and  reinstalled it

              
              # re-fetch the barnyard2 binary into place and make it executable
              cd /usr/local/bin
              fetch http://files.pfsense.com/packages/8/All/barnyard2
              chmod 555 /usr/local/bin/barnyard2

              No alerts logged ?

              With snort running, I updated the rules; snort exited.
              I ran update again while snort was stopped; it started OK.

              Still no alerts logged

              After many reinstalls, a reboot …
              I reinstalled all packages
              I removed snort
              I installed barnyard2
              I installed snort
              finally I am getting alerts ....
              :)

              But it is impossible to function with snort enabled ...

              I am getting
              2 3 TCP (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Unknown Traffic 69.64.6.7 80 -> 96.43.226.245 58850 120:3:1 11/03-22:26:05

              just browsing any site ....  ???

              I am throwing the towel ... disable snort for now


                mentalhemroids

                @RonpfS  I don't think it is bad/wrong/error that you are getting those errors from http inspect; there might be legit reasons that the sites you visit cause errors.  I don't use Barnyard, so I can't give any feedback on that, but I have always had alerts show up.

                  RonpfS

                  I am getting this 'http_inspect' Alert browsing  forum.pfsense.org !!!
                  Something broke somewhere so I will wait later to reinstall snort


                    mentalhemroids

                    @RonpfS:

                    I am getting this 'http_inspect' Alert browsing  forum.pfsense.org !!!
                    Something broke somewhere so I will wait later to reinstall snort

                    ;D I just whitelisted pfsense.org . . . just to be safe.

                      RonpfS

                      I reinstalled snort from scratch this morning.
                      Things are ok if I set HTTP server flow depth to -1

                      I tried leaving the field empty, 0, 1460, and any time I browse forum.pfsense.org or any other site, the site is blocked with the following: !?!

                      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1


                        johnnybe

                        @RonpfS:

                        I reinstalled snort from scratch this morning.
                        Things are ok if I set HTTP server flow depth to -1

                        I tried leaving the field empty, 0, 1460, and any time I browse forum.pfsense.org or any other site, the site is blocked with the following: !?!

                        (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1

                        Yep, it happened to me as well. That's why I have this line in the Snort > Suppress tab:
                        #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                        suppress gen_id 120,sig_id 3

                        you would not believe the view up here

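The suppress entry above works, but it silences 120:3 for every HTTP server Snort sees, including sessions toward any DMZ hosts. The script below is an added example (not johnnybe's entry and not pfSense package code): it counts events per gid:sid in a Snort alert_fast-format log and prints a threshold.conf suppress entry for each signature seen at least MIN_COUNT times, limited with "track by_dst, ip LAN" when every hit was a response to a LAN client, global otherwise. The alert lines are constructed samples in Snort 2.x alert_fast layout (the alert quoted earlier in the thread is in pfSense's alerts-tab layout, not this one), and 192.0.2.0/24 stands in for the LAN.

```shell
#!/bin/sh
# Added example: summarise a Snort alert_fast log per gid:sid and propose
# suppress entries. Not pfSense package code; the sample data is constructed.

# Constructed alert lines. Preprocessor events such as 120:3 may omit the
# [Classification: ...] field, so the parser must not depend on it.
sample_alerts() {
cat <<'EOF'
11/03-22:26:05.100000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 69.64.6.7:80 -> 192.0.2.20:58850
11/03-22:26:07.200000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.9:80 -> 192.0.2.21:49152
11/03-22:26:09.300000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 198.51.100.9:80 -> 192.0.2.22:49153
11/03-22:27:11.400000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:41234 -> 198.51.100.77:22
EOF
}

# propose_suppressions MIN_COUNT LAN_CIDR   (alert lines on stdin)
# For every gid:sid seen at least MIN_COUNT times, print a "suppress" entry.
# If every hit was destined to LAN_CIDR the entry is limited with
# "track by_dst, ip LAN_CIDR"; otherwise a global entry is printed.
propose_suppressions() {
    awk -v min="$1" -v lan="$2" '
    function ip2int(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function in_lan(a) { return int(ip2int(a) / scale) == int(lanbase / scale) }
    BEGIN { split(lan, c, "/"); lanbase = ip2int(c[1]); scale = 2 ^ (32 - c[2]) }
    match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /) {
        split(substr($0, RSTART + 1, RLENGTH - 3), id, ":")   # "gid:sid:rev"
        key = id[1] ":" id[2]
        n[key]++
        if (!(key in msg)) {                                   # message text up to the closing [**]
            rest = substr($0, RSTART + RLENGTH)
            msg[key] = substr(rest, 1, index(rest, " [**]") - 1)
        }
        dst = $NF; sub(/:[0-9]+$/, "", dst)                   # last field is dst:port
        if (!in_lan(dst)) outside[key] = 1
    }
    END {
        for (k in n) {
            if (n[k] < min) continue
            split(k, p, ":")
            printf "# %dx (%s)\n", n[k], msg[k]
            if (k in outside) printf "suppress gen_id %s, sig_id %s\n", p[1], p[2]
            else printf "suppress gen_id %s, sig_id %s, track by_dst, ip %s\n", p[1], p[2], lan
        }
    }'
}

# Usage: signatures seen twice or more, LAN is 192.0.2.0/24
sample_alerts | propose_suppressions 2 192.0.2.0/24
```

gid 120 is the http_inspect server-side preprocessor, so 120:3 is not a text rule that can be disabled in a rules file; a suppress or threshold entry (the Suppress tab in the pfSense package) or the preprocessor's own options are the only controls. The "track by_dst, ip" form is the standard threshold.conf suppress syntax and is what keeps the entry from hiding the same event for servers you actually want inspected.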
                          RonpfS

                          @johnnybe:

                          @RonpfS:

                          I reinstalled snort from scratch this morning.
                          Things are ok if I set HTTP server flow depth to -1

                          I tried leaving the field empty, 0, 1460, and any time I browse forum.pfsense.org or any other site, the site is blocked with the following: !?!

                          (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1

                          Yep, it happened to me as well. That's why I have this line in the Snort > Suppress tab:
                          #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                          suppress gen_id 120,sig_id 3

                          Yup … that works fine with this suppress line  ;D

                          Thank you


                            serialdie

                            I am not sure what you guys are doing to get snort to work… I still can't get snort to log and/or block.

                              pfsenseddc

                              @jamesdean:

                              @mentalhemroids

                              Looks like snort.org updated code that references fpcreate.c.

                              http://www.snort.org/downloads/1165

                              You're going to have to wait until the port is updated to the newest version.

                              Hi,
                              When one triggers 'Update rules', snort is restarted using SIGHUP, according to the code in /usr/local/pkg/snort/snort.inc, line 1278.
                              But when you look at system.log you see following entries:

                              (...)
                              Nov  6 08:26:09 pfsense SnortStartup[31407]: Snort Startup files Sync...
                              Nov  6 08:26:09 pfsense SnortStartup[33474]: Snort already running, soft restart
                              (...)
                              Nov  6 08:26:40 pfsense snort[20195]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
                              (...)
                              Nov  6 08:26:43 pfsense snort[20195]: Snort exiting
                              

                              I guess that is the reason why manual stop/start works, but automatic one doesn't.

                              Kind regards,

                              –  
                              John

                                RonpfS

                                @serialdie:

                                I am not sure what you guys are doing to get snort to work… I still can't get snort to log and/or block.

                                Reinstalling does not fix the problem.

                                To get it to run, I uninstalled snort
                                then I installed snort
                                I unchecked Keep snort settings after deinstall, save
                                I clicked Reset, save
                                I uninstalled snort again

                                After that, I installed snort and started from scratch.
                                It is working, but it did not restart after the last automatic update, same problem as pfsenseddc mentioned:
                                the

                                
                                2011-11-06 00:05:38	Daemon.Info	xxx	SnortStartup[54021]: Snort Startup files Sync...
                                2011-11-06 00:05:38	Daemon.Info	xxx	SnortStartup[55697]: Snort already running, soft restart
                                2011-11-06 00:05:38	Daemon.Info	xxx	SnortStartup[55926]: Snort Soft Reload For 18203_pppoe0...
                                2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]:
                                2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]:         --== Reloading Snort ==--
                                2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]:
                                2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]: PortVar 'HTTP_PORTS' defined :
                                
                                 ---
                                
                                2011-11-06 00:06:13	Daemon.Notice	xxx	snort[17907]: Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
                                2011-11-06 00:06:13	Daemon.Error	xxx	snort[17907]: http_inspect:  Changing decompress_depth requires a restart.
                                2011-11-06 00:06:14	Daemon.Notice	xxx	snort[17907]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
                                
                                2011-11-06 00:06:14	Kernel.Info	xxx	kernel: pppoe0: promiscuous mode disabled
                                
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: ===============================================================================
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: Packet I/O Totals:
                                
                                 ---
                                
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: +-----------------------[filtered events]--------------------------------------
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2013479    type=Both      tracking=src count=20  seconds=360 filtered=5
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2002911    type=Threshold tracking=src count=5   seconds=60  filtered=3
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2001219    type=Threshold tracking=src count=5   seconds=120 filtered=2
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2001972    type=Both      tracking=src count=20  seconds=360 filtered=1
                                2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=158
                                2011-11-06 00:06:18	Daemon.Notice	xxx	snort[17907]: Snort exiting
                                
                                

                                Maybe you can spot this behaviour by looking at the Status: RRD Graphs / System /  Processor
                                the graph will show almost no User Nice utilisation after restart or update.


                                  Seb

                                  @pfsenseddc:

                                  Hi,
                                  When one triggers 'Update rules', snort is restarted using SIGHUP, according to the code in /usr/local/pkg/snort/snort.inc, line 1278.
                                  But when you look at system.log you see following entries:

                                  (...)
                                  Nov  6 08:26:09 pfsense SnortStartup[31407]: Snort Startup files Sync...
                                  Nov  6 08:26:09 pfsense SnortStartup[33474]: Snort already running, soft restart
                                  (...)
                                  Nov  6 08:26:40 pfsense snort[20195]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
                                  (...)
                                  Nov  6 08:26:43 pfsense snort[20195]: Snort exiting
                                  

                                  I guess that is the reason why manual stop/start works, but automatic one doesn't.

                                  Kind regards,

                                  –  
                                  John

                                  @pfsenseddc:  Yes, that is more or less what I discovered and wrote in the bug report:
                                  http://redmine.pfsense.org/issues/1982

                                    pfsenseddc

                                    @Seb:

                                    (…)
                                    Yes, that is more or less what I discovered and wrote in the bug report:
                                    http://redmine.pfsense.org/issues/1982
                                    (...)

                                    Below is an ugly but quick fix that works for me (output from command: diff /usr/local/pkg/snort/snort.inc /usr/local/pkg/snort/snort.inc_org):

                                     1278,1281c1278
                                    < 	# developer sar:20111031 - SIGHUP doesn't work if snort is running chrooted or if php is not running as root
                                    < 	# before: # /bin/kill -HUP \${snort_pid}
                                    < 	/bin/kill \${snort_pid}
                                    < 	sleep 10
                                    ---
                                    > 	/bin/kill -HUP \${snort_pid}
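Review bot: the replacement at 1278-1281 only terminates the running snort (`/bin/kill \${snort_pid}` sends SIGTERM) and then sleeps; nothing in the hunk starts it again, so the "Snort already running, soft restart" branch now depends on whatever follows in the generated script to bring snort back up. Put the start command right after the `sleep`, or fall through explicitly into the normal start path and say so in the comment. The constant `sleep 10` is also a guess at shutdown time: the system.log excerpts above show the old process still printing its Packet I/O totals a few seconds after the HUP message, so poll `kill -0 \${snort_pid}` until it fails, with an upper bound, rather than sleeping a fixed interval. Last, the diff was taken as `diff snort.inc snort.inc_org`, so the `<` lines are the modified code and the `>` line is the original; anyone applying it with patch needs `patch -R` or swapped arguments.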
                                    
                                    

                                    You probably need to restart pfSense after the modification and/or also modify /usr/local/etc/rc.d/snort.sh manually.
                                    Regards,
                                    –
                                    John

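As an added example (not pfSense package code and not the patch above), here is the full stop/wait/start cycle that a plain `kill` followed by `sleep 10` approximates: it waits only as long as the old process actually needs to exit, escalates to SIGKILL if it never does, removes a stale pidfile instead of tripping over it, and reports success only once the new instance has written a pidfile whose PID is alive. The pidfile path and start command are hypothetical. A self-daemonizing service such as snort started with -D writes its own pidfile, which is why the start command runs in the foreground and the function then polls for the pidfile rather than trusting `$!`.

```shell
#!/bin/sh
# Added example: restart a daemon that cannot be reloaded with SIGHUP
# (the chrooted / non-root case from the log above). Not pfSense package code.

# pid_alive PID: true while a process with that PID exists
pid_alive() { kill -0 "$1" 2>/dev/null; }

# wait_for_exit PID SECONDS: poll until PID is gone; fail if it is still there
wait_for_exit() {
    i=0
    while pid_alive "$1"; do
        i=$((i + 1))
        if [ "$i" -gt $(($2 * 5)) ]; then return 1; fi
        sleep 0.2
    done
    return 0
}

# stop_by_pidfile PIDFILE SECONDS: SIGTERM, bounded wait, then SIGKILL.
# A missing or stale pidfile is not an error: there is nothing to stop.
stop_by_pidfile() {
    [ -r "$1" ] || return 0
    pid=$(cat "$1")
    pid_alive "$pid" || { rm -f "$1"; return 0; }
    kill -TERM "$pid"
    if ! wait_for_exit "$pid" "$2"; then
        kill -KILL "$pid"
        wait_for_exit "$pid" 2 || return 1
    fi
    rm -f "$1"
}

# restart_hard PIDFILE START_CMD...: full stop/start cycle. START_CMD is run in
# the foreground and is expected to daemonize and write PIDFILE itself; returns
# 0 only when PIDFILE reappears with a live PID within 10 seconds.
restart_hard() {
    pidfile=$1; shift
    stop_by_pidfile "$pidfile" 10 || return 1
    "$@" || return 1
    i=0
    until [ -r "$pidfile" ] && pid_alive "$(cat "$pidfile")"; do
        i=$((i + 1))
        [ "$i" -gt 50 ] && return 1
        sleep 0.2
    done
    return 0
}

# Hypothetical call for a pfSense-style per-interface instance (paths assumed):
#   restart_hard /var/run/snort_em0.pid /usr/local/bin/snort -D -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
```

The check that matters is `kill -0` on the old PID, which fails as soon as the process is gone; a constant sleep is too long on a fast box and possibly too short on one that is still flushing statistics, as the log excerpt earlier shows taking a few seconds between the HUP message and "Snort exiting". Where SIGHUP does work it remains the cheaper option, since this path drops inspection for the whole stop/start window.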
                                      bdwyer

                                      @pfsenseddc:

                                      @Seb:

                                      (…)
                                      Yes, that is more or less what I discovered and wrote in the bug report:
                                      http://redmine.pfsense.org/issues/1982
                                      (...)

                                      Below is an ugly but quick fix that works for me (output from command: diff /usr/local/pkg/snort/snort.inc /usr/local/pkg/snort/snort.inc_org):

                                       1278,1281c1278
                                      < 	# developer sar:20111031 - SIGHUP doesn't work if snort is running chrooted or if php is not running as root
                                      < 	# before: # /bin/kill -HUP \${snort_pid}
                                      < 	/bin/kill \${snort_pid}
                                      < 	sleep 10
                                      ---
                                      > 	/bin/kill -HUP \${snort_pid}
                                      
                                      

                                      You probably need to restart pfSense after the modification and/or also modify /usr/local/etc/rc.d/snort.sh manually.
                                      Regards,
                                      –
                                      John

                                      Good job guys, glad this got figured out.  Hopefully this is reflected in the package code soon.

                                      CCNP, MCITP

                                      Intel Atom N550 - 2gb DDR3
                                      Jetway NC9C-550-LF
                                      Antec ISK 300-150
                                      HP ProCurve 1810-24
                                      Cisco 1841 & 2821, Cisco 3550 x3

                                        Cino

                                        How many users are having this issue? I've been running snort for a while now with no issues at all. It auto-updates every day and starts right after. Is anyone running pfSense 2.1-dev having this issue? I'm running the same package as you guys (unless you're running snort-dev, which doesn't work) but I'm using 2.1 code for IPv6 support.

                                          serialdie

                                          @Cino:

                                          How many users are having this issue? I've been running snort for a while now with no issues at all. It auto-updates every day and starts right after. Is anyone running pfSense 2.1-dev having this issue? I'm running the same package as you guys (unless you're running snort-dev, which doesn't work) but I'm using 2.1 code for IPv6 support.

                                          Cino,

                                          Everybody on 2.0-Release is having this issue. They must be applying code changes to 2.1, and that is probably why it works.
                                          The latest snort fully broke my system making me go away from it. And unless there is money on the plate… fixes will not come around any time soon.
                                          We should start thinking about a bounty.

                                            Cino

                                            @serialdie:

                                            Everybody on 2.0-Release is having this issue.

                                            I wouldn't say everyone on 2.0-release. That's like when I get a call from someone in the call center saying that all the computers are down, but in fact it's only a few.
                                            I know of a few other users that have snort working on 2.0. Some functions do not work, like barnyard2, but overall it's working for them. Strange tho…

                                            Is it not working for both i386 and amd64?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.