Netgate Discussion Forum

    Snort Won't Start After Upgrade

    • C
      Cino

      @Ermal I noticed you added some code to allow inspecting gzipped HTTP flows. After updating the package I'm receiving this error:

      snort[1781]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(171) => Enable 'extended_response_inspection' inspection before setting 'inspect_gzip'

      I removed the changes from my box and Snort started again.

      Doing some research, I added extended_response_inspection before the changes you made and Snort started. Based on the docs, this is needed for the inspect_gzip setting.

      
      			extended_response_inspection \
      			inspect_gzip \
      			normalize_utf \
      			unlimited_decompress \
      
      

      Reviewing the different settings, I think it would make sense to have them under Preprocessors: HTTP Inspect Settings. With all the different settings available for Snort, I can see why it would almost be a full-time job to make everything configurable within pfSense.

      P.S. I still can't clear the alert log. After clicking 'OK' to clear the log, nothing happens. At least I'm not being directed to a blank page now.

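The ordering rule behind the FATAL ERROR in the post above, as an added example that is not part of the thread or the pfSense Snort package: a Python check that walks each `preprocessor http_inspect_server` directive in a snort.conf and reports an option that appears before its prerequisite. The sample configurations are constructed, and the rule table holds only the dependency named in the error message.

```python
# Added example (not pfSense package code). Maps an option to the option that
# must be enabled earlier in the same directive; only the dependency named in
# the error message on this page is listed.
REQUIRES_EARLIER = {"inspect_gzip": "extended_response_inspection"}

# Constructed sample: the ordering that triggers the FATAL ERROR.
BROKEN = r"""preprocessor http_inspect_server: server default \
    profile all ports { 80 } \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress
"""
# Constructed sample: prerequisite inserted first, as in the post.
FIXED = BROKEN.replace("inspect_gzip", "extended_response_inspection \\\n    inspect_gzip")


def directives(text):
    """Yield one [(line_no, token), ...] list per directive, merging '\\' continuations."""
    tokens = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        continued = line.endswith("\\")
        tokens += [(no, tok) for tok in line.rstrip("\\").split()]
        if not continued and tokens:
            yield tokens
            tokens = []
    if tokens:  # file ended on a continuation line
        yield tokens


def check_http_inspect(text):
    """Return [(line_no, option, missing_prerequisite)] for each ordering error."""
    problems = []
    for toks in directives(text):
        words = [tok for _, tok in toks]
        if words[0] != "preprocessor" or words[1:2] != ["http_inspect_server:"]:
            continue
        seen = set()
        for no, tok in toks[2:]:
            need = REQUIRES_EARLIER.get(tok)
            if need and need not in seen:
                problems.append((no, tok, need))
            seen.add(tok)
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_http_inspect(conf) or "ok")
```

Snort's own configuration test (`snort -T -c` followed by the path to snort.conf) remains the authoritative check; this script only catches the one ordering rule before a restart.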
      • E
        eri--

        Thanks Cino for the usual help.

        The alert mostly works; when it does not work, it's mostly because of Snort reloading or PHP doing something stupid, though I have not investigated which it is that does this.

        • C
          Cino

          Anytime!

          Looks like someone figured out a fix for clearing the alert log. Take a look when you have time, http://redmine.pfsense.org/issues/1765

          • E
            eri--

            I just pushed the fixes for the alert.
            Test it out.

            • C
              Cino

              Tested and confirmed it is working. Thanks again.

              • B
                bdwyer

                How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?

                CCNP, MCITP

                Intel Atom N550 - 2gb DDR3
                Jetway NC9C-550-LF
                Antec ISK 300-150
                HP ProCurve 1810-24
                Cisco 1841 & 2821, Cisco 3550 x3

                • M
                  marcelloc

                  @bdwyer:

                  How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?

                  Basically, when you see updates in the forum and no change in package version, just reinstall (in this case the snort package) to get the latest file versions.

                  Elite Training: http://sys-squad.com

                  Help a community developer! ;D

                  • B
                    bdwyer

                    Yes, I think that worked.  Thanks for filling me in.

                    • X
                      xieliwei

                      Sorry for reviving an old thread, but I've been having the Unknown output plugin: "alert_pf" problem on my AMD64 pfSense 2.0 install.

                      I originally thought it could be a package problem; but after a few updates and apparently no one else has this problem anymore, I suspect I'm missing something.

                      Can anyone clarify if "Block offenders" is working on AMD64?

                      If so, any clues about why mine doesn't work?

                      • M
                        marcelloc

                        Did you try to uninstall / reinstall the snort package?

                        • X
                          xieliwei

                          Yes, every single time.
                          Just in case, I did it again. No luck.

                          Pretty sure my messing around caused this. Does anyone know which library contains the alert_pf plugin?

                          • M
                            marcelloc

                            Try to uninstall again, then go to the console and remove any snort package or dependency left behind.
                            I think some post on this topic has detailed info about this.

                            • C
                              cmb

                              Locking this thread so it won't get hijacked over and over by numerous different issues, please start new threads instead.
