Netgate Discussion Forum

    Snort stops working after snort update (newest 2.0 RELEASE)

    113 Posts 25 Posters 64.1k Views
    • C
      Cino
      last edited by

      Nice work! Me and another user have found an issue with the interface.php page: http://forum.pfsense.org/index.php/topic,42955.msg221944.html#msg221944

      When I try to start from the interface page, I get the error below; the file location is doubled:

      snort[4101]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules": No such file or directory.

      If I reboot the box or do a manual rule update, snort starts fine.

      Also, did the new binaries compile overnight? I look under http://files.pfsense.org/packages/8/All/ and the date stamp didn't change. As I said in a previous post, my box isn't downloading binaries anymore and I think it has to do with the future pbi that is coming when 2.1 is on freebsd 9.

      P.S. you like pale ales

      • E
        eri--
        last edited by

        Post your snort.conf since nothing has changed there!
        Apart from that, PBI installs iirc snort 2.9.1

        • C
          Cino
          last edited by

          @ermal:

          Post your snort.conf since nothing has changed there!
          Apart from that, PBI installs iirc snort 2.9.1

          Don't know if this helps: when I stop snort via the interface page, it deletes the /usr/local/etc/snort/snort_39737_em3 folder. When I try to start it, it doesn't create it. So that's why snort won't start. BUT if I do a manual update of the rules, it creates the folder and snort is able to start again.

          • E
            eri--
            last edited by

            Fixed.
            Try after 15 minutes.

            • C
              Cino
              last edited by

              @ermal:

              Fixed.
              Try after 15 minutes.

              Looking good man! I'll do some more testing later today. Also, since I never tested this for you before: barnyard2 is reporting data to my windows mysql server. I did have to manually copy the barnyard2 file from file.pfsense.org to get it on my box, but I don't know if that's because it's not in the package install or the issue I'm having with my box not pulling down binaries.

              I don't think the new snort binary has been compiled yet… I don't see them on files.pfsense.org... Also, for the pbi, they look to be 2.9.1 but I'll have to wait for a freebsd9 snapshot before I can test.

              • RonpfSR
                RonpfS
                last edited by

                Removed and installed Services: Snort 2.9.1 pkg v. 2.0

                I did see 2.9.0.5.tar during the install ??

                Now the status is ok in the GUI.
                I changed the WAN IP and snort restarted fine  ::)

                Thank you

                2.4.5-RELEASE-p1 (amd64)
                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                • E
                  eri--
                  last edited by

                  I will need some beer together with pfSense.org guys to continue improving this more :)

                  Hope people put some effort into donation as they do in the reporting of issues ;)

                  • D
                    dhatz
                    last edited by

                    Ermal, you are right of course.

                    Considering that, according to a recent blog post, pfsense has recently surpassed 100k active installs, there should be a better way to fund projects than posting in the Bounty forum and waiting a couple of weeks for others to join in, since apparently a very small fraction of pfsense users reads these forums regularly.

                    I'm thinking of a funding platform like http://www.indiegogo.com/ (just the concept) coupled with a way for people to vote up/down on features (e.g. feature.astaro.com)

                    • C
                      Cino
                      last edited by

                      @RonpfS 2.9.0.5 is the correct file for install for 2.0 installs. I have 2.1 development code installed on my box for testing…

                      @Ermal  I sent some money this morning... Bug Scott for a case or 2 :-)

                      • E
                        eri--
                        last edited by

                        Thanks Cino, much appreciated.

                        • RonpfSR
                          RonpfS
                          last edited by

                          I forgot to do a save after the last install   :-[ No entry was expiring !!!

                          [quote author=Cino link=topic=41533.msg221876#msg221876 date=1320973760]
                          @RonpfS  Every time you reinstall snort, save the global settings page for it to re-create the cron job. This has been normal practice since snort was fixed a few months back.
                          [/quote]

                          This could be emphasized with a BIG MESSAGE
                          in the System: Package Manager Installer or Services: Snort: Updates window.

                          Why not 'automatic global settings save' when you click the Update Rules Button??

                          • S
                            serialdie
                            last edited by

                            Anybody having issues with memory when snort is running?

                            • R
                              robheid
                              last edited by

                              I updated today to version 2.9.1 pkg v. 2.0 and after a rules update snort isn't starting and I get the following message: snort[3689]: FATAL ERROR: /usr/local/etc/snort/snort_15641_em0/snort.conf(320) Unknown output plugin: "alert_pf"

                              What can I do to fix this?

                              • RonpfSR
                                RonpfS
                                last edited by

                                Try to remove, then Install

                                • R
                                  robheid
                                  last edited by

                                  I have done that and keep getting the same error.

                                  • RonpfSR
                                    RonpfS
                                    last edited by

                                    If you look at the file /usr/local/etc/snort/snort_15641_em0/snort.conf

                                    you should find something like this:

                                    output alert_pf: /usr/local/etc/snort/whitelist/Blablabla,snort2c

                                    So maybe your whitelist is incorrect or snort2c is corrupted; try to look at them in Diagnostics: Tables.
                                    Try to clear the Alert and Blocked.
                                    You could also start from scratch:
                                    Uncheck Keep snort settings after deinstall, Save, Reset, Save, remove snort, install snort

                                    • R
                                      robheid
                                      last edited by

                                      snort2c is empty. is that the problem?

                                      • RonpfSR
                                        RonpfS
                                        last edited by

                                        No, it will be empty when you clear the Blocked.

                                        • cyber7C
                                          cyber7
                                          last edited by

                                          <hehehe>I just found the problem on my side:
                                          1. Login to your console (press 8 :))
                                          2. do a "clog -f /var/log/system.log"
                                          3. Start snort and see the error…

                                          I found that after re-installing, the rules were missing.

                                          Hope this helps
                                          Kind regards
                                          Aubrey Kloppers
                                          Cape Town</hehehe>

                                          When you pause to think, do you start again?

                                          2.2.4-RELEASE (amd64)
                                          built on Sat Jul 25 19:57:37 CDT 2015
                                          FreeBSD 10.1-RELEASE-p15
                                          and
                                          pfSense 2.3.2-RELEASE-p1 (amd64 full-install) on pfSense
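
The log-watching step in the post above, extended into a small triage script for the two snort FATAL ERROR messages quoted in this thread. This is an added example, not code from the thread or from the pfSense snort package; the function names, the timestamp/host prefix on the sample lines and the last sample line are constructed.

```sh
# Added example, not from the thread: classify snort FATAL ERROR lines (e.g. from clog /var/log/system.log).
# Prints one of: doubled-rules-path DIR | missing-rules-file PATH |
#   unknown-output-plugin NAME LOCATION | other-fatal | not-fatal
classify_snort_fatal() {
    line=$1
    fatal_marker='FATAL ERROR: '
    rules_marker='Unable to open rules file "'
    plugin_marker='Unknown output plugin: "'
    case $line in
        *'snort['*"$fatal_marker"*) ;;
        *) echo "not-fatal"; return 0 ;;
    esac
    case $line in
        *"$rules_marker"*)
            path=${line#*"$rules_marker"}
            path=${path%%\"*}
            head=${path%%//*}      # text before the first "//"
            tail=/${path#*//}      # text after it, made absolute again
            case $tail in
                "$head"/*) echo "doubled-rules-path $head" ;;   # prefix prepended twice
                *)         echo "missing-rules-file $path" ;;
            esac ;;
        *"$plugin_marker"*)
            name=${line#*"$plugin_marker"}
            name=${name%%\"*}
            loc=${line#*"$fatal_marker"}
            loc=${loc%%" Unknown output plugin"*}
            echo "unknown-output-plugin $name $loc" ;;
        *) echo "other-fatal" ;;
    esac
}

# Read log lines on stdin, print a verdict for each snort fatal error.
triage() {
    while IFS= read -r l; do
        r=$(classify_snort_fatal "$l")
        [ "$r" = "not-fatal" ] || echo "$r"
    done
}

# Sample input: messages quoted in the thread; prefix and last line are constructed.
sample_log() {
    cat <<'EOF'
Nov 11 09:12:01 fw snort[4101]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules": No such file or directory.
Nov 11 09:20:44 fw snort[3689]: FATAL ERROR: /usr/local/etc/snort/snort_15641_em0/snort.conf(320) Unknown output plugin: "alert_pf"
Nov 11 09:21:10 fw check_reload_status: constructed non-snort line
EOF
}
sample_log | triage
```

On a live box the same function can be fed from the log instead of the sample, for example `clog /var/log/system.log | triage`.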

                                          • ?
                                            Guest
                                            last edited by

                                            Hi,

                                            I am using the Snort stable package on an alix board with Pfsense 2.0 4G embedded version.

                                            There seem to be two bugs.

                                            1.) Snort is deactivated under Services -> Snort but it activates automatically again every day. I guess this is because of the automatic Rules download.

                                            2.) After installing Snort the CF isn't mounted readonly anymore. Even after deinstalling the snort package the CF is still rw mounted. This is a very important bug for all those people who run Snort on the embedded version!

                                            mount
                                            /dev/ufs/pfsense0 on / (ufs, local, noatime, synchronous)
                                            devfs on /dev (devfs, local)
                                            /dev/md0 on /tmp (ufs, local)
                                            /dev/md1 on /var (ufs, local)
                                            /dev/ufs/cf on /cf (ufs, local, noatime, synchronous)
                                            devfs on /var/dhcpd/dev (devfs, local)

                                            Any idea how I can fix this before my Compact Flash dies?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.