Netgate Discussion Forum

    Snort stops working after snort update (newest 2.0 RELEASE)

      Cino

      @RonpfS 2.9.0.5 is the correct file for install for 2.0 installs. I have 2.1 development code installed on my box for testing…

      @Ermal  I sent some money this morning... Bug Scott for a case or 2 :-)

        eri--

        Thanks Cino, much appreciated.

          RonpfS

          I forgot to do a save after the last install   :-[ No entry was expiring !!!

          @Cino:

          @RonpfS  Every time you reinstall snort, save the global settings page for it to re-create the cron job.. This has been normal practice since snort was fixed a few months back.

          This could be emphasized with a BIG MESSAGE
          in the System: Package Manager Installer or Services: Snort: Updates window.

          Why not 'automatic global settings save' when you click the Update Rules Button??

          2.4.5-RELEASE-p1 (amd64)
          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

            serialdie

            Anybody having issues with memory when snort is running?

              robheid

              I updated today to version 2.9.1 pkg v. 2.0 and after a rules update snort isn't starting and I get the following message: snort[3689]: FATAL ERROR: /usr/local/etc/snort/snort_15641_em0/snort.conf(320) Unknown output plugin: "alert_pf"

              What can I do to fix this?

                RonpfS

                Try to remove, then Install

                  robheid

                  I have done that and keep getting the same error.

                    RonpfS

                    If you look at the file /usr/local/etc/snort/snort_15641_em0/snort.conf

                    you should find something like this:

                    output alert_pf: /usr/local/etc/snort/whitelist/Blablabla,snort2c
                    
                    

                    so maybe your whitelist is incorrect or snort2c is corrupted, try to look at them in Diagnostics: Tables
                    Try to clear the Alert and Blocked
                    You could also start from scratch:
                    Uncheck Keep snort settings after deinstall, Save, Reset, Save, remove snort, install snort

                      robheid

                      snort2c is empty. Is that the problem?

                        RonpfS

                        No, it will be empty when you clear the Blocked.

                          cyber7

                          <hehehe>I just found the problem on my side:
                          1. Login to your console (press 8 :))
                          2. do a "clog -f /var/log/system.log"
                          3. Start snort and see the error…

                          I found that after re-installing, the rules were missing.

                          Hope this helps
                          Kind regards
                          Aubrey Kloppers
                          Cape Town</hehehe>

                          When you pause to think, do you start again?

                          2.2.4-RELEASE (amd64)
                          built on Sat Jul 25 19:57:37 CDT 2015
                          FreeBSD 10.1-RELEASE-p15
                          and
                          pfSense 2.3.2-RELEASE-p1 (amd64 full-install) on pfSense

                            Guest

                            Hi,

                            I am using Snort stable package on an alix board with pfSense 2.0 4G embedded version.

                            There seem to be two bugs.

                            1.) Snort is deactivated under Services -> Snort but it activates automatically again every day. I guess this is because of automatic Rules download.

                            2.) After installing Snort the CF isn't mounted readonly anymore. Even after deinstalling snort package the CF is still rw mounted. This is a very important bug for all those people who run Snort on embedded version!

                            mount
                            /dev/ufs/pfsense0 on / (ufs, local, noatime, synchronous)
                            devfs on /dev (devfs, local)
                            /dev/md0 on /tmp (ufs, local)
                            /dev/md1 on /var (ufs, local)
                            /dev/ufs/cf on /cf (ufs, local, noatime, synchronous)
                            devfs on /var/dhcpd/dev (devfs, local)

                            Any idea how I can fix this before my Compact Flash dies?

                              robheid

                              I am still getting errors, I did a clean reinstall. It didn't help.

                              Without blocking offenders: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSLPP (IPV6) version 1.1.4 (-2)
                              With blocking offenders: FATAL ERROR: /usr/local/etc/snort/snort_17976_em0/snort.conf(172) Unknown output plugin: "alert_pf"

                              Snort version: 2.9.1 pkg v. 2.0

                              pfSense version: Version 2.1-DEVELOPMENT (amd64) built on Tue Sep 13 17:33:40 EDT 2011 FreeBSD 8.1-RELEASE-p4

                                digdug3

                                Snort 2.9.1 pkg v. 2.0 on pfSense 2.0 i386 has a minor bug when returning to the Dashboard it goes to http://pfsense/SNORT/index.php but should go to http://pfsense/index.php
                                This only happens when inside the Snort service pages and clicking the pfSense logo on the top left.

                                Did not have any other issues since 2.0 release! Thanks!

                                  RonpfS

                                  Been running Snort 2.9.1 pkg v. 2.0 on pfSense 2.0 i386  for about 20 days.
                                  Update works fine. It failed once but the WAN IP changed during or after the update
                                  So great work guys.  ::)

                                  I am getting this:
                                  ```
                                  snort[3548]: http_inspect:  Changing decompress_depth requires a restart.
                                  ```

                                  When snort restarts after a WAN IP change, it runs with a nice of 20.
                                  Snort runs normally when you start it with the Snort GUI. It works fine in both cases.

                                    antilog

                                    @johnnybe:

                                    @RonpfS:

                                    I reinstall snort from scratch this morning.
                                    Things are ok if I set HTTP server flow depth to -1

                                    I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!

                                    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1

                                    Yep, it happened to me as well. That's why I have this line in the Snort>Suppress tab:
                                    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                                    suppress gen_id 120,sig_id 3

                                    Note - there now needs to be a space after the comma as such:

                                    suppress gen_id 120, sig_id 3
                                    
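The comma spacing discussed in the posts above, as an added example that is not part of the thread or of the Snort package: a POSIX shell function (the name `normalize_suppress` is hypothetical) that rewrites suppress entries to the `gen_id N, sig_id M` form antilog reports as required, passes comment and blank lines through, and flags anything else. The sample entries are the ones quoted in the thread.

```shell
#!/bin/sh
# normalize_suppress (hypothetical name): read a Snort suppress list on stdin
# and write it to stdout with each "gen_id N,sig_id M" pair rewritten as
# "gen_id N, sig_id M". Trailing options (", track ..., ip ...") are kept.
# Lines that are neither comments, blanks nor suppress entries are echoed
# unchanged and reported on stderr; the function then returns 1.
normalize_suppress() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines
    /^[ \t]*suppress[ \t]+gen_id[ \t]+[0-9]+[ \t]*,[ \t]*sig_id[ \t]+[0-9]+/ {
        line = $0
        sub(/^[ \t]*suppress[ \t]+gen_id[ \t]+/, "", line)
        gid = line; sub(/[^0-9].*$/, "", gid)  # leading digits = generator id
        sub(/^[0-9]+[ \t]*,[ \t]*sig_id[ \t]+/, "", line)
        sid = line; sub(/[^0-9].*$/, "", sid)  # leading digits = signature id
        rest = line; sub(/^[0-9]+/, "", rest)  # whatever follows the sig_id
        print "suppress gen_id " gid ", sig_id " sid rest
        next
    }
    {
        printf "line %d is not a suppress entry: %s\n", NR, $0 > "/dev/stderr"
        bad = 1
        print
    }
    END { exit bad + 0 }
    '
}

# Sample list built from the entries quoted in the thread (the second one
# has no space after the comma, as in the original post).
normalize_suppress <<'EOF'
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120,sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 122, sig_id 22
EOF
```

Run it over a copy of the suppress list and paste the output back into the Suppress tab; a non-zero return means at least one line needs a manual look.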
                                      Cino

                                      I've always had a space, at least for the last 2 years:

                                      
                                      suppress gen_id 119, sig_id 2
                                      suppress gen_id 120, sig_id 3
                                      suppress gen_id 122, sig_id 22
                                      
                                      
                                        antilog

                                        @Cino:

                                        I've always had a space, at least for the last 2 years:

                                        
                                        suppress gen_id 119, sig_id 2
                                        suppress gen_id 120, sig_id 3
                                        suppress gen_id 122, sig_id 22
                                        
                                        

                                        This was in response to johnnybe, who did not have a space.  :)

                                          johnnybe

                                          @antilog:

                                          @Cino:

                                          I've always had a space, at least for the last 2 years:

                                          
                                          suppress gen_id 119, sig_id 2
                                          suppress gen_id 120, sig_id 3
                                          suppress gen_id 122, sig_id 22
                                          
                                          

                                          This was in response to johnnybe, who did not have a space.  :)

                                          Sorry, it was a typo.  :)

                                          you would not believe the view up here

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.