Snort stops working after snort update (newest 2.0 RELEASE)
-
@Seb:
I do experience many snort failures after update. If I do the update manually, snort starts without problem.
…Do you mean that if you update manually, AFTER the automatic update, or more specifically: WHEN snort is not running, snort starts without problems? Because if so, that is because the update is different when snort is not running. See my bug report: http://redmine.pfsense.org/issues/1982
When snort is running, it fails after auto update, a manual update will start snort.
I'm currently using x86 Snort 2.9.0.5 pkg v. 2.0 with Snort Free and Emerging Threats
I have pfBlocker in use as well. I reinstalled the snort package an hour ago … no alerts since !!!!
I figured out that /usr/local/bin/barnyard2 went missing in action ???
and reinstalled it:
cd /usr/local/bin
fetch http://files.pfsense.com/packages/8/All/barnyard2
chmod 555 /usr/local/bin/barnyard2
No alerts logged ?
With snort running, I updated the rules, snort exited.
I ran update again while snort was stopped, it started ok. Still no alerts logged.
After many reinstalls, a reboot …
I reinstalled all packages
I removed snort
I installed barnyard2
I installed snort
finally I am getting alerts ....
:) But it is impossible to function with snort enabled ...
I am getting
2 3 TCP (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Unknown Traffic 69.64.6.7 80 -> 96.43.226.245 58850 120:3:1 11/03-22:26:05
just browsing any site .... ???
I am throwing the towel ... disable snort for now
-
@RonpfS I don't think it is bad/wrong/error that you are getting those errors from http inspect; there might be legit reasons that the sites you visit cause errors. I don't use Barnyard, so I can't give any feedback on that, but I have always had alerts show up.
-
I am getting this 'http_inspect' Alert browsing forum.pfsense.org !!!
Something broke somewhere so I will wait later to reinstall snort -
I am getting this 'http_inspect' Alert browsing forum.pfsense.org !!!
Something broke somewhere so I will wait later to reinstall snort
;D I just whitelisted pfsense.org . . . just to be safe.
-
I reinstall snort from scratch this morning.
Things are ok if I set HTTP server flow depth to -1. I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1
-
I reinstall snort from scratch this morning.
Things are ok if I set HTTP server flow depth to -1. I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1
Yep, it happened to me as well. That's why I have this line in the Snort>Suppress tab:
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120,sig_id 3 -
I reinstall snort from scratch this morning.
Things are ok if I set HTTP server flow depth to -1. I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1
Yep, it happened to me as well. That's why I have this line in the Snort>Suppress tab:
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120,sig_id 3
Yup … that works fine with this suppress line ;D
Thank you
-
I am not sure what you guys are doing to get snort to work… I still can't get snort to log and/or block.
-
Looks like snort.org updated code that references fpcreate.c.
http://www.snort.org/downloads/1165
You're going to have to wait till the port is updated to the newest version.
Hi,
When one triggers 'Update rules', snort is restarted using SIGHUP - according to the code in file /usr/local/pkg/snort/snort.inc, line 1278.
But when you look at system.log you see the following entries:
(...)
Nov 6 08:26:09 pfsense SnortStartup[31407]: Snort Startup files Sync...
Nov 6 08:26:09 pfsense SnortStartup[33474]: Snort already running, soft restart
(...)
Nov 6 08:26:40 pfsense snort[20195]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
(...)
Nov 6 08:26:43 pfsense snort[20195]: Snort exiting
I guess that is the reason why manual stop/start works, but automatic one doesn't.
Kind regards,
–
John -
I am not sure what you guys are doing to get snort to work… I still can't get snort to log and/or block.
Reinstalling does not fix problem.
To get it to run, I uninstalled snort
then I installed snort
I uncheck Keep snort settings after deinstall, save
I click Reset, save
I uninstalled snort again
After that, I installed snort and started from scratch.
It is working, but it did not restart after the last automatic update, same problem as pfsenseddc mentioned:
2011-11-06 00:05:38 Daemon.Info xxx SnortStartup[54021]: Snort Startup files Sync...
2011-11-06 00:05:38 Daemon.Info xxx SnortStartup[55697]: Snort already running, soft restart
2011-11-06 00:05:38 Daemon.Info xxx SnortStartup[55926]: Snort Soft Reload For 18203_pppoe0...
2011-11-06 00:05:39 Daemon.Notice xxx snort[17907]:
2011-11-06 00:05:39 Daemon.Notice xxx snort[17907]: --== Reloading Snort ==--
2011-11-06 00:05:39 Daemon.Notice xxx snort[17907]:
2011-11-06 00:05:39 Daemon.Notice xxx snort[17907]: PortVar 'HTTP_PORTS' defined :
---
2011-11-06 00:06:13 Daemon.Notice xxx snort[17907]: Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
2011-11-06 00:06:13 Daemon.Error xxx snort[17907]: http_inspect: Changing decompress_depth requires a restart.
2011-11-06 00:06:14 Daemon.Notice xxx snort[17907]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
2011-11-06 00:06:14 Kernel.Info xxx kernel: pppoe0: promiscuous mode disabled
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: ===============================================================================
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: Packet I/O Totals:
---
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: +-----------------------[filtered events]--------------------------------------
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: | gen-id=1 sig-id=2013479 type=Both tracking=src count=20 seconds=360 filtered=5
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: | gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60 filtered=3
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: | gen-id=1 sig-id=2001219 type=Threshold tracking=src count=5 seconds=120 filtered=2
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: | gen-id=1 sig-id=2001972 type=Both tracking=src count=20 seconds=360 filtered=1
2011-11-06 00:06:16 Daemon.Notice xxx snort[17907]: | gen-id=120 sig-id=3 type=Suppress tracking=none filtered=158
2011-11-06 00:06:18 Daemon.Notice xxx snort[17907]: Snort exiting
Maybe you can spot this behaviour by looking at the Status: RRD Graphs / System / Processor
the graph will show almost no User Nice utilisation after restart or update. -
Hi,
When one triggers 'Update rules', snort is restarted using SIGHUP - according to the code in file /usr/local/pkg/snort/snort.inc, line 1278.
But when you look at system.log you see the following entries:
(...)
Nov 6 08:26:09 pfsense SnortStartup[31407]: Snort Startup files Sync...
Nov 6 08:26:09 pfsense SnortStartup[33474]: Snort already running, soft restart
(...)
Nov 6 08:26:40 pfsense snort[20195]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
(...)
Nov 6 08:26:43 pfsense snort[20195]: Snort exiting
I guess that is the reason why manual stop/start works, but automatic one doesn't.
Kind regards,
–
John
@pfsenseddc: Yes, that is more or less what I discovered and wrote in the bug report:
http://redmine.pfsense.org/issues/1982 -
@Seb:
(…)
Yes, that is more or less what I discovered and wrote in the bug report:
http://redmine.pfsense.org/issues/1982
(...) Below is an ugly but quick fix that works for me (output from command: diff /usr/local/pkg/snort/snort.inc /usr/local/pkg/snort/snort.inc_org):
1278,1281c1278 < # developer sar:20111031 - SIGHUP doesn't work if snort is running chrooted or if php is not running as root < # before: # /bin/kill -HUP \${snort_pid} < /bin/kill \${snort_pid} < sleep 10 --- > /bin/kill -HUP \${snort_pid}
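Review bot: the replacement lines drop the HUP reload for a plain `/bin/kill \${snort_pid}` followed by a fixed `sleep 10`, but nothing in the hunk checks that the old process has actually exited before the caller goes on to start Snort again; on a box that is slow to stop the service (one is described elsewhere in this thread) a stale PID or a second instance is possible, and on a fast one ten seconds are wasted on every rule update. Polling the PID with `kill -0` until it is gone, with an upper bound, would be safer than a fixed delay. Also worth noting for anyone applying this: the diff was produced as `diff snort.inc snort.inc_org`, so the `<` lines are the modified file and the single `>` line is the original, the reverse of the usual direction.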
You probably need to restart pfSense after the modification and/or modify /usr/local/etc/rc.d/snort.sh manually as well.
Regards,
–
John -
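A safer shape for that restart path, as an added example rather than code from the pfSense snort package or from the patch above: it sends SIGTERM instead of the SIGHUP that Snort rejects when it is not root or is chroot'ed, waits until the old PID is really gone (with a timeout) instead of a fixed sleep 10, and only then runs the start command. The names stop_and_wait, alive and restart_after_stop are assumed, and the start command is a placeholder.

```shell
# Added example, not code from the pfSense snort package: replace a fixed
# "kill; sleep 10" with a stop that waits until the old process has really
# exited (bounded by a timeout), so the follow-up start never races it.
# Assumed interface: stop_and_wait PID [TIMEOUT_SECONDS]; returns 0 when the
# process is gone, 1 if it is still alive after the timeout.

# True while PID exists and is not a zombie (a zombie still answers kill -0).
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ "$(ps -o stat= -p "$1" 2>/dev/null | cut -c1)" != "Z" ]
}

stop_and_wait() {
    pid="$1"
    timeout="${2:-30}"
    alive "$pid" || return 0          # nothing running, nothing to wait for
    # SIGTERM instead of SIGHUP: Snort refuses a HUP reload when it is not
    # root or is chroot'ed, as the system.log lines in this thread show.
    kill -TERM "$pid" 2>/dev/null
    waited=0
    while alive "$pid"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Stand-in for the restart step: start only once the old PID is gone.
# start_cmd is a placeholder for the real Snort start-up command.
restart_after_stop() {
    pid="$1"
    start_cmd="$2"
    if stop_and_wait "$pid" 30; then
        $start_cmd
    else
        echo "pid $pid still alive after 30s, not starting a second instance" >&2
        return 1
    fi
}

# Constructed demo process (a plain sleep) standing in for a running snort.
demo_pid=$(sleep 300 >/dev/null 2>&1 & echo $!)
restart_after_stop "$demo_pid" "echo started replacement"
```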
@Seb:
(…)
Yes, that is more or less what I discovered and wrote in the bug report:
http://redmine.pfsense.org/issues/1982
(...) Below is an ugly but quick fix that works for me (output from command: diff /usr/local/pkg/snort/snort.inc /usr/local/pkg/snort/snort.inc_org):
1278,1281c1278 < # developer sar:20111031 - SIGHUP doesn't work if snort is running chrooted or if php is not running as root < # before: # /bin/kill -HUP \${snort_pid} < /bin/kill \${snort_pid} < sleep 10 --- > /bin/kill -HUP \${snort_pid}
You probably need to restart pfSense after the modification and/or modify /usr/local/etc/rc.d/snort.sh manually as well.
Regards,
–
John
Good job guys, glad this got figured out. Hopefully this is reflected in the package code soon.
-
How many users are having this issue? I've been running snort for a while now with no issues at all. It auto updates every day and starts right after. Is anyone running pfSense 2.1-dev having this issue? I'm running the same package as you guys (unless you're running snort-dev, which doesn't work) but I'm using 2.1 code for IPv6 support.
-
How many users are having this issue? I've been running snort for a while now with no issues at all. It auto updates every day and starts right after. Is anyone running pfSense 2.1-dev having this issue? I'm running the same package as you guys (unless you're running snort-dev, which doesn't work) but I'm using 2.1 code for IPv6 support.
Cino,
Everybody on 2.0-Release is having this issue. They must be applying code changes to 2.1 and is probably why it works.
The latest snort fully broke my system making me go away from it. And unless there is money on the plate… fixes will not come around any time soon.
We should start thinking about a bounty. -
Everybody on 2.0-Release is having this issue.
I wouldn't say everyone on 2.0-release. That's like when I get a call from someone in the call center saying that all the computers are down but in fact it's only a few.
I know of a few other users that have snort working on 2.0. Some functions do not work, like barnyard2, but overall it's working for them. Strange though… is it not working for both i386 and amd64?
-
Everybody on 2.0-Release is having this issue.
I wouldn't say everyone on 2.0-release. That's like when I get a call from someone in the call center saying that all the computers are down but in fact it's only a few.
I know of a few other users that have snort working on 2.0. Some functions do not work, like barnyard2, but overall it's working for them. Strange though… is it not working for both i386 and amd64?
I disagree. You can't compare the two, that's a bad analogy ;)
If the code is broken then the code will be broken across the board…. well most of it.
Yes, architecturally it might be different, causing the code to change, but the broad majority will be i386/x86_64 where the code can not be that much different... in any case I tested both and had the same issue.
I am not sure about embedded. -
x86_64? Don't you mean amd64? If I remember, x86_64 didn't go anywhere and Intel ended up using the AMD64 architecture for 64bit processors… that's off topic now.
The binaries are different between them and I remember during testing there were issues with amd64 at first. Let me fire up a new test VM and see if I can reproduce what you're seeing.
If the code that pfsenseddc gave is the fix to the issue, and other users can confirm it, open a ticket so it can be added.. Looking at the change, it's just adding a delay to the restart process.
-
Cino - I can tell you that this problem is isolated to certain hardware; the Intel P3 w/ 512mb RAM that I run Snort with pfSense 2.0 is more stable with updates, than my Dell PE 1750 Xeon w/ 3gb RAM, which doesn't support 64bit. The Xeon always seems to take time to start and stop the service, so a delay in the process after updates might be the fix. I don't know… I'm willing to try anything that could help. I am getting tired of manually doing updates twice in a row to get the service to run.
Thanks!
-
@Seb:
(…)
Yes, that is more or less what I discovered and wrote in the bug report:
http://redmine.pfsense.org/issues/1982
(...) Below is an ugly but quick fix that works for me (output from command: diff /usr/local/pkg/snort/snort.inc /usr/local/pkg/snort/snort.inc_org):
1278,1281c1278 < # developer sar:20111031 - SIGHUP doesn't work if snort is running chrooted or if php is not running as root < # before: # /bin/kill -HUP \${snort_pid} < /bin/kill \${snort_pid} < sleep 10 --- > /bin/kill -HUP \${snort_pid}
You probably need to restart pfSense after the modification and/or modify /usr/local/etc/rc.d/snort.sh manually as well.
Regards,
–
John
I put this in the package so just reinstall and try it out.