    Problem SNORT 2.9.1 pkg v. 2.1

      catfish99

      Thanks Cino, that did the trick !

      I can now turn on Snort blocking :)

      Here's the steps for the Newbies…

      • SSH to the pfsense machine
      • select 8) Shell
      • cd /usr/local/pkg/snort/
      • cp snort.inc snort.inc.bk
      • fetch https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc
      • cd /usr/local/www/snort/
      • cp snort_interfaces_edit.php snort_interfaces_edit.php.bk
      • fetch https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php

      Exit shell and try things out. If all works, then go back to shell and remove the two backup copies of the files (ie. rm the .bk files )

      Curious if it works for others as well.

      @Cino:

      there isn't and it would take me a while to make one..

      the changes were done here https://github.com/pfsense/pfsense-packages/commit/e4c13a5752c5f7b4947edbc4227b005cd333566d  You will have to manually edit the files.. Remove what is in green and add what is in red.. There is a way to download the whole file in a few steps.

      see if this helps everyone:

      /usr/local/pkg/snort/snort.inc

      https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc

      /usr/local/www/snort/snort_interfaces_edit.php

      https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php

        trvsecurity

        I have just changed the two files you mention and the problem seems the same.  I am still getting the following error when I try to start Snort with "block offenders" on:

        snort[12668]: FATAL ERROR: pf.conf => Table snort2c,, don't exists in packet filter

        Any ideas?

          Cino

          binaries seem to be in but there are some issues..

          @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.

          log:

          
          Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
          Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
          
          

          conf line is missing the new option:

          
          output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,
          
          

          Still have to manually add  the barnyard2 binary and add "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]" under the advance

          Edit: If i have Kill States enabled, snort to start..

          
          	output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,kill
          
          
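Added example (not part of any post in this thread, and not pfSense package code): a POSIX shell check that splits an `output alert_pf:` line into its comma-separated fields and labels the FATAL lines quoted in the posts above. The field order whitelist,table,which-ip,kill is an assumption inferred from the lines posted here; the function names and result labels are made up for the example.

```shell
#!/bin/sh
# Added example. Field order (whitelist,table,which-ip,kill) is an assumption
# inferred from the conf lines posted in this thread.

# Print a label describing one "output alert_pf:" line from snort.conf.
check_alert_pf() {
    case $1 in
        *"output alert_pf:"*) ;;
        *) echo "not-alert_pf"; return 0 ;;
    esac
    # Keep only the argument list and drop blanks and tabs around it.
    args=$(printf '%s\n' "${1#*output alert_pf:}" | tr -d '[:space:]')
    # read assigns empty fields (",,") to their variables as empty strings.
    IFS=, read -r whitelist table which kill extra <<EOF
$args
EOF
    if [ -z "$whitelist" ] || [ -z "$table" ]; then
        echo "missing-whitelist-or-table"
    elif [ -z "$which" ]; then
        echo "empty-which-ip"          # third field is empty
    else
        case "$which,$kill" in
            src,|dst,|both,|src,kill|dst,kill|both,kill) echo "ok" ;;
            *) echo "unexpected-field-value" ;;
        esac
    fi
}

# Print a label for a snort FATAL ERROR line of the kinds quoted above.
classify_fatal() {
    case $1 in
        *"No option on which ip to block"*) echo "empty-which-ip" ;;
        # The table name in the message still carries the option fields.
        *"pf.conf => Table "*,*" don't exists"*) echo "table-name-includes-options" ;;
        *"pf.conf => Table "*" don't exists"*) echo "pf-table-missing" ;;
        *) echo "unrecognised" ;;
    esac
}

# Constructed run over two lines copied from the thread.
check_alert_pf 'output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,kill'
classify_fatal "snort[48751]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter"
```

A `table-name-includes-options` result means the table name in the error message contains everything after the first comma, so the running binary and the generated snort.conf line do not agree on the field layout.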
            trvsecurity

            When you say that the binaries are there, does  this mean that they will be used to install Snort in PFSENSE from the GUI?  I have just reinstalled Snort and I still get the old error:

            snort[48751]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter

            I still see version 2.02 when it should be version 2.1 I think?

              Cino

              there is new timestamp, you can check here http://files.pfsense.org/packages/8/All/. Because the way my box is setup, i have to manually add binaries after using the package gui.

                dwood

                The first time I "upgraded" to the new 2.1 version of SNORT I had three options under "Which IP to block"… SRC, DEST. and BOTH.  They're not there now.

                  ccb056

                  @catfish99:

                  Thanks Cino, that did the trick !

                  I can now turn on Snort blocking :)

                  Here's the steps for the Newbies…

                  • SSH to the pfsense machine
                  • select 8) Shell
                  • cd /usr/local/pkg/snort/
                  • cp snort.inc snort.inc.bk
                  • fetch https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc
                  • cd /usr/local/www/snort/
                  • cp snort_interfaces_edit.php snort_interfaces_edit.php.bk
                  • fetch https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php

                  Exit shell and try things out. If all works, then go back to shell and remove the two backup copies of the files (ie. rm the .bk files )

                  Curious if it works for others as well.

                  thanks catfish, i followed your instructions and snort is working with the old gui!
                  one thing to note is i went to services in the gui and stopped the snort service before everything else, then ran your instructions, checked 'block offenders', and started snort without problems

                    trvsecurity

                    I completely uninstalled Snort and then reinstalled using the GUI.  While I still see the wrong version (v 2.02), I can start it with host blocking on and it works so progress is being made :-)

                    I agree that there is a problem with the select box "Which ip to block" as this is empty.  I see no error generated by this as I think it defaults to SRC.

                    The previous version of Snort didn't remove the blocked hosts after one hour (as I had configured it to do).  This is why I upgraded in the first place so I will wait for an hour and see if blocked hosts get removed! :-)

                      dwood

                      cino/catfish…thanks.  The old gui with the two files copied in via your instructions works.

                      Cheers,
                      Dennis.

                        Cino

                        @trvsecurity:

                        The previous version of Snort didn't remove the blocked hosts after one hour (as I had configured it to do).  This is why I upgraded in the first place so I will wait for an hour and see if blocked hosts get removed! :-)

                        if you go to the page where you select the time frame, when you save it; it should re-create the cron job.
                        should look kinda like this: */5  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c

                          dwood

                          Cino, did you mean add code that is in green and remove the red?

                          You will have to manually edit the files.. Remove what is in green and add what is in red.. There is a way to download the whole file in a few steps.

                            torsurfer

                            Hello

                            I have tried all the above steps, but now I'm getting a new error message:

                            snort[62529]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_47562_xl1//usr/local/etc/snort/snort_47562_xl1/reference.config": No such file or directory.

                            Any ideas?

                            Thanks.

                              Amarth

                              cino/catfish thanks a bunch. The two file updates worked on my end as well.

                                trvsecurity

                                I have no idea how to see a cron job in PFSENSE (I'm a Windows guy lol) - I activated SSH and tried to telnet on port 22 but I get a PROTOCOL MISMATCH error and no chance to login.  How do I see cron jobs? lol

                                  Cino

                                  @dwood my statement was correct….. the green are new and red is what's deleted... in this case, you want to go back so it would be the opposite.

                                  @torsurfer i've seen this before, can't remember the fix... did you update your rules? you have to update them for every re-install

                                  @trvsecurity i'm a windows guy too but knowledge is power..lol... telnet client won't work since it's SSH... search for putty.. great tool and also winscp.  install the Cron package, add a menu to see it in the web interface.

                                    torsurfer

                                    @cino You're right. Re-downloading the rules fixed the problem. Thanks!

                                      mdima

                                      Hi,
                                        I don't understand why you can specify which IP to block (src, dst, both) only if your HomeNet is a "whitelists" and not a "netlist".
                                      Can you pls tell me the reason?

                                      I see the "Which ip to block" select empty… Anyway, in this case what happens?

                                      Thanks,
                                      Michele

                                        eri--

                                        @Cino:

                                        binaries seem to be in but there are some issues..

                                        @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.

                                        Again is ermal.

                                        Fixed.

                                          ccb056

                                          is it safe to use the gui package management to upgrade now?

                                            mdima

                                            @ermal:

                                            @Cino:

                                            binaries seem to be in but there are some issues..

                                            @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.

                                            Again is ermal.

                                            Fixed.

                                            Hi Ermal,
                                              thanks for fixing. Unfortunately now when I start the service I get the errors:

                                            FATAL ERROR: pf.conf => Table snort2c,src,kill don't exists in packet filter
                                            or
                                            FATAL ERROR: pf.conf => Table snort2c,dst,kill don't exists in packet filter
                                            or
                                            FATAL ERROR: pf.conf => Table snort2c,both,kill don't exists in packet filter

                                            depending on what option I set in the "Which ip to block" field of the interface…

                                            Thanks,
                                            Michele

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.