Snort stops working after snort update (newest 2.0 RELEASE)
-
Try to remove, then Install
-
I have done that and keep getting the same error.
-
If you look at the file /usr/local/etc/snort/snort_15641_em0/snort.conf
you should find something like this:
output alert_pf: /usr/local/etc/snort/whitelist/Blablabla,snort2c
So maybe your whitelist is incorrect or snort2c is corrupted; try to look at them in Diagnostics: Tables
Try to clear the Alert and Blocked
You could also start from scratch:
Uncheck Keep snort settings after deinstall, Save, Reset, Save, remove snort, install snort
-
snort2c is empty. Is that the problem?
-
No, it will be empty when you clear the Blocked.
-
I just found the problem on my side:
1. Log in to your console (press 8 :))
2. Do a "clog -f /var/log/system.log"
3. Start snort and see the error… I found that after re-installing, the rules were missing.
Hope this helps
Kind regards
Aubrey Kloppers
Cape Town
-
Hi,
I am using the Snort stable package on an ALIX board with pfSense 2.0 4G embedded version.
There seem to be two bugs.
1.) Snort is deactivated under Services -> Snort but it activates automatically again every day. I guess this is because of the automatic rules download.
2.) After installing Snort the CF isn't mounted read-only anymore. Even after deinstalling the snort package the CF is still mounted rw. This is a very important bug for all those people who run Snort on the embedded version!
mount
/dev/ufs/pfsense0 on / (ufs, local, noatime, synchronous)
devfs on /dev (devfs, local)
/dev/md0 on /tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local, noatime, synchronous)
devfs on /var/dhcpd/dev (devfs, local)
Any idea how I can fix this before my Compact Flash dies?
-
I am still getting errors. I did a clean reinstall. It didn't help.
Without blocking offenders: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSLPP (IPV6) version 1.1.4 (-2)
With blocking offenders: FATAL ERROR: /usr/local/etc/snort/snort_17976_em0/snort.conf(172) Unknown output plugin: "alert_pf"
Snort version: 2.9.1 pkg v. 2.0
pfSense version: Version 2.1-DEVELOPMENT (amd64) built on Tue Sep 13 17:33:40 EDT 2011 FreeBSD 8.1-RELEASE-p4
-
Snort 2.9.1 pkg v. 2.0 on pfSense 2.0 i386 has a minor bug: when returning to the Dashboard it goes to http://pfsense/SNORT/index.php but should go to http://pfsense/index.php
This only happens when inside the Snort service pages and clicking the pfSense logo on the top left.
Did not have any other issues since 2.0 release! Thanks!
-
Been running Snort 2.9.1 pkg v. 2.0 on pfSense 2.0 i386 for about 20 days.
Update works fine. It failed once but the WAN IP changed during or after the update.
So great work guys. ::)
I am getting this:
snort[3548]: http_inspect: Changing decompress_depth requires a restart.
When snort restarts after a WAN IP change, it runs with a nice of 20. Snort runs normally when you start it with the Snort GUI. It works fine in both cases.
-
I reinstalled snort from scratch this morning.
Things are ok if I set HTTP server flow depth to -1
I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1
Yep, it happened to me as well. That's why I have this line in the Snort>Suppress tab:
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120,sig_id 3
Note - there now needs to be a space after the comma as such:
suppress gen_id 120, sig_id 3
-
I've always had a space, at least for the last 2 years:
suppress gen_id 119, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 122, sig_id 22
-
I've always had a space, at least for the last 2 years:
suppress gen_id 119, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 122, sig_id 22
This was in response to johnybe, who did not have a space. :)
-
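Added example, not part of any post in this thread: a small Python pass over a suppress list that rewrites plain entries into the `gen_id N, sig_id M` form with a space after the comma (the form one poster above says is now needed), splits entries that ended up on one line, and drops repeats. The function name `normalize_suppress` and the sample list are constructed for illustration; lines carrying anything beyond a plain gen_id/sig_id pair are left unchanged and reported.

```python
import re

# One suppress entry; tolerates missing or extra whitespace around the comma.
ENTRY = re.compile(r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")

def normalize_suppress(text):
    """Return (lines, notes): the cleaned list and (line_no, message) pairs."""
    out, notes, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(line)  # keep blank lines and comments as they are
            continue
        matches = list(ENTRY.finditer(line))
        leftover = ENTRY.sub("", line).strip()
        if not matches or leftover:
            # Extra options or unknown text: do not guess, just report it.
            notes.append((n, "left unchanged, not a plain gen_id/sig_id entry"))
            out.append(line)
            continue
        if len(matches) > 1:
            notes.append((n, "%d entries on one line, split" % len(matches)))
        for m in matches:
            key = (int(m.group(1)), int(m.group(2)))
            fixed = "suppress gen_id %d, sig_id %d" % key
            if key in seen:
                notes.append((n, "duplicate of %d:%d dropped" % key))
                continue
            seen.add(key)
            if m.group(0) != fixed:
                notes.append((n, "spacing normalized for %d:%d" % key))
            out.append(fixed)
    return out, notes

# Constructed sample: the entries quoted in the thread plus one line with extra text.
SAMPLE = """\
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120,sig_id 3
suppress gen_id 119, sig_id 2 suppress gen_id 120, sig_id 3 suppress gen_id 122, sig_id 22
suppress gen_id 1, sig_id 2000, track by_src, ip 192.0.2.10
"""

if __name__ == "__main__":
    lines, notes = normalize_suppress(SAMPLE)
    print("\n".join(lines))
    for line_no, msg in notes:
        print("line %d: %s" % (line_no, msg))
```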