Netgate Discussion Forum

    Problem SNORT 2.9.1 pkg v. 2.1

      th3r3isnospoon

      I am also having this issue.

      I unchecked block offenders, however, I still had to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' in order to get Snort to start.

      As said above, the package says it's '2.9.1 pkg v. 2.1', but when you install it and open it, it says it's version '2.9.1 pkg v. 2.0.2'.

      Looks like there are a few new features though.

      Also, WOW, it uses A LOT more memory now.  Just throwing that out there.

      Guess we'll have to wait until tomorrow.

      -th3r3isnospoon

        darklogic

        Updated to Snort 2.9.1 pkg v. 2.0.2

        Surprise, surprise,

        Same issue with this stable version of SNORT. When block offenders is checked, the SNORT service will not start.

          trvsecurity

          We have EXACTLY the same issues - as soon as we try to "block hosts", Snort fails to start.  There must be many many others around the world where their IDS security protection has just failed!!

          Does anyone have a precise date / time when the corrected version will be released and available to install on PFSENSE?

          Thanks!

            catfish99

            In the meantime, does anyone know how to modify the snort2c table so that the updated snort can be made to work?

              trvsecurity

              I have never been able to get the automatic rule update to function with any version.  I have always had to update the rules with a manual update.

              To be honest, Snort on PFSENSE worries me from a testing point of view.  We have used it for 2 years now and it's nice when it works.  However, even the most basic testing would have found the current errors (especially that the product fails completely when it is set to "block hosts").

              I hope they get this sorted soon!!

                dhatz

                @trvsecurity:

                To be honest, Snort on PFSENSE worries me from a testing point of view. However, even the most basic testing would have found the current errors (especially that the product fails completely when it is set to "block hosts").

                Indeed the pfsense Snort package has been having problems for several months.

                But keep in mind that most packages are not maintained by the pfsense core developers, so the quality control isn't necessarily the same as the base system.

                I guess priorities are a matter of funding.

                  antilog

                  Offender blocking still offline as of 2:53 PM EST.

                    ccb056

                    Having the same problem...

                    FATAL ERROR: pf.conf => Table snort2c,src,kill don't exists in packet filter

                    looks like the file pf.conf should be in /etc/pf.conf but I can't seem to find it there on my pfsense box

                    http://www.freebsd.org/doc/handbook/firewalls-pf.html
                    http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

                    If the file isn't where it's supposed to be, no wonder Snort can't find the table...

                      Cino

                      The binaries didn't build last night. I heard that they are being built now. We just have to wait until they are built.

                      When it comes to Snort, if you see a new version and don't understand pfSense and FreeBSD that well, wait till there is an announcement or experienced users confirming that it works before re-installing.

                      Other than barnyard, Snort has been very stable for the last month. Once in a while it has to be restarted on my box, but only when I'm doing heavy heavy bit-torrent downloading.

                        dwood

                        I'm wondering if it's possible to make the package "publishing" via the GUI the last step?  In other words, remove the installation option entirely until the binaries and code etc. have been pushed to the update server?

                        I check the packages regularly via the PF GUI, and if an update is there, tend to install it.  The downside is that in cases like this, you can't go back and install the previous package.  That said, I remain very impressed with PF in general since pulling the pin on the previous routers.  Kudos to all in the chain.

                        Cino, can you describe (with a link or two if possible :-) ) the process you used to check github?

                          ccb056

                          Or add automatic checksum comparison to the package manager; this would prevent this problem and any man-in-the-middle attacks.

                            Cino

                            Check out the GitHub site for pfSense. There you can see the old changes and new ones.

                              dwood

                              Cino, is there a newbie guide to checking GitHub for Snort?  I had a look here, but no idea on what to do beyond that:  https://github.com/pfsense/pfsense

                                Cino

                                there isn't and it would take me a while to make one..

                                The changes were done here: https://github.com/pfsense/pfsense-packages/commit/e4c13a5752c5f7b4947edbc4227b005cd333566d  You will have to manually edit the files. Remove what is in green and add what is in red. There is a way to download the whole file in a few steps.

                                see if this helps everyone:

                                /usr/local/pkg/snort/snort.inc

                                https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc

                                /usr/local/www/snort/snort_interfaces_edit.php

                                https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php

                                  catfish99

                                  Thanks Cino, that did the trick !

                                  I can now turn on Snort blocking :)

                                  Here are the steps for the newbies…

                                  • SSH to the pfsense machine
                                  • select 8) Shell
                                  • cd /usr/local/pkg/snort/
                                  • cp snort.inc snort.inc.bk
                                  • fetch https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc
                                  • cd /usr/local/www/snort/
                                  • cp snort_interfaces_edit.php snort_interfaces_edit.php.bk
                                  • fetch https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php

                                  Exit shell and try things out. If all works, then go back to shell and remove the two backup copies of the files (ie. rm the .bk files )

                                  Curious if it works for others as well.

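The replacement steps above combined with the checksum comparison suggested earlier in the thread, as an added example rather than anything from the posters or the pfSense package manager. `sha256_of`, `install_verified` and `restore_backup` are hypothetical names, the expected digest has to come from a source you trust, and the demo uses constructed files in a scratch directory.

```sh
#!/bin/sh
# Added example: replace a package file only when the download matches a known digest.

sha256_of() {
    # Linux ships sha256sum; FreeBSD (and so pfSense) ships sha256 -q.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

install_verified() {
    # $1 = downloaded file, $2 = file to replace, $3 = expected SHA-256 (lower-case hex)
    new=$1; dest=$2; want=$3
    got=$(sha256_of "$new") || return 2
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $new: got $got" >&2
        return 1                          # destination is left untouched
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bk"          # same .bk backup as the manual steps
    fi
    # Copy beside the target, then rename, so a half-written file is never live.
    cp "$new" "$dest.tmp" && mv "$dest.tmp" "$dest"
}

restore_backup() {
    # Roll back to the .bk copy if the new file misbehaves.
    [ -f "$1.bk" ] && mv "$1.bk" "$1"
}

# Constructed demo: scratch directory, no network, no real pfSense paths.
work=$(mktemp -d)
printf 'old snort.inc\n' > "$work/snort.inc"
printf 'fixed snort.inc\n' > "$work/download"
good=$(sha256_of "$work/download")        # stands in for a trusted, published digest

install_verified "$work/download" "$work/snort.inc" "deadbeef" 2>/dev/null \
    || echo "wrong digest: file kept as is"
install_verified "$work/download" "$work/snort.inc" "$good" \
    && echo "verified and installed, backup at snort.inc.bk"
rm -rf "$work"
```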
                                    trvsecurity

                                    I have just changed the two files you mention and the problem seems the same.  I am still getting the following error when I try to start Snort with "block offenders" on:

                                    snort[12668]: FATAL ERROR: pf.conf => Table snort2c,, don't exists in packet filter

                                    Any ideas?

                                      Cino

                                      binaries seem to be in but there are some issues..

                                      @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when I have block offenders enabled.

                                      log:

                                      
                                      Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
                                      Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
                                      
                                      

                                      conf line is missing the new option:

                                      
                                      output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,
                                      
                                      

                                      Still have to manually add  the barnyard2 binary and add "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]" under the advance

                                      Edit: If i have Kill States enabled, snort to start..

                                      
                                      	output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,kill
                                      
                                      
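A pre-start check for the failure shown in the post above, as an added example that is not part of the thread or the pfSense package code. It assumes the alert_pf field order is whitelist, table, direction, kill, inferred from the quoted lines and error messages; `check_alert_pf` and `demo_conf` are hypothetical names and the sample lines are constructed from the ones quoted here.

```sh
#!/bin/sh
# Added example: lint the "output alert_pf:" lines of a snort.conf.
# Assumed field order, inferred from the lines quoted in this thread:
#   whitelist_path,pf_table,direction(src|dst|both)[,kill]

check_alert_pf() {
    # $1 = path to snort.conf. Prints one verdict per alert_pf line;
    # returns 0 if every line is usable, 1 if any line is not.
    awk '
    /^[ \t]*output[ \t]+alert_pf:/ {
        args = $0
        sub(/^[ \t]*output[ \t]+alert_pf:[ \t]*/, "", args)
        n = split(args, f, ",")
        for (i = 1; i <= n; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
        table = (n >= 2) ? f[2] : ""
        dir   = (n >= 3) ? f[3] : ""
        kill  = (n >= 4 && f[4] == "kill") ? "yes" : "no"
        if (table == "") {
            printf "line %d: BAD no pf table named\n", NR
            bad = 1
        } else if (dir != "src" && dir != "dst" && dir != "both") {
            printf "line %d: BAD direction \"%s\" (need src, dst or both)\n", NR, dir
            bad = 1
        } else {
            printf "line %d: OK table=%s direction=%s kill=%s\n", NR, table, dir, kill
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two lines quoted above plus one with the field filled in.
demo_conf() {
    cat <<'EOF'
output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,
output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,kill
output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,src,kill
EOF
}

tmp=$(mktemp)
demo_conf > "$tmp"
check_alert_pf "$tmp" || echo "at least one alert_pf line has no usable block direction"
rm -f "$tmp"
```

On the firewall, `pfctl -s Tables` lists the tables pf currently holds, so the table name reported by the check can be compared against it.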
                                        trvsecurity

                                        When you say that the binaries are there, does  this mean that they will be used to install Snort in PFSENSE from the GUI?  I have just reinstalled Snort and I still get the old error:

                                        snort[48751]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter

                                        I still still version 2.02 when it should be version 2.1 I think?

                                          Cino

                                          There is a new timestamp; you can check here: http://files.pfsense.org/packages/8/All/. Because of the way my box is set up, I have to manually add binaries after using the package GUI.

                                            dwood

                                            The first time I "upgraded" to the new 2.1 version of SNORT I had three options under "Which IP to block"… SRC, DEST. and BOTH.  They're not there now.
