Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Problem SNORT 2.9.1 pkg v. 2.1

    Scheduled Pinned Locked Moved pfSense Packages
    74 Posts 18 Posters 24.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      trvsecurity
      last edited by

      I have just changed the two files you mention and the problem seems the same.  I am still getting the following error when I try to start Snort with "block offenders" on:

      snort[12668]: FATAL ERROR: pf.conf => Table snort2c,, don't exists in packet filter

      Any ideas?

      1 Reply Last reply Reply Quote 0
      • C
        Cino
        last edited by

        binaries seem to be in but there are some issues..

        @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.

        log:

        
        Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
        Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
        
        

        conf line is missing the new option:

        
        output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,
        
        

        Still have to manually add  the barnyard2 binary and add "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]" under the advance

        Edit: If i have Kill States enabled, snort to start..

        
        	output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,kill
        
        
        1 Reply Last reply Reply Quote 0
        • T
          trvsecurity
          last edited by

          When you say that the binaries are there, does  this mean that they will be used to install Snort in PFSENSE from the GUI?  I have just reinstalled Snort and I still get the old error:

          snort[48751]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter

          I still still version 2.02 when it should be version 2.1 I think?

          1 Reply Last reply Reply Quote 0
          • C
            Cino
            last edited by

            there is new timestamp, you can check here http://files.pfsense.org/packages/8/All/. Because the way my box is setup, i have to manually add binaries after using the package gui.

            1 Reply Last reply Reply Quote 0
            • D
              dwood
              last edited by

              The first time I "upgraded" to the new 2.1 version of SNORT I had three options under "Which IP to block"… SRC, DEST. and BOTH.  They're not there now.

              1 Reply Last reply Reply Quote 0
              • C
                ccb056
                last edited by

                @catfish99:

                Thanks Cino, that did the trick !

                I can now turn on Snort blocking :)

                Here's the steps for the Newbies…

                • SSH to the pfsense machine
                • select 8) Shell
                • cd /usr/local/pkg/snort/
                • cp snort.inc snort.inc.bk
                • fetch https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc
                • cd /usr/local/www/snort/
                • cp snort_interfaces_edit.php snort_interfaces_edit.php.bk
                • fetch https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php

                Exit shell and try things out. If all works, then go back to shell and remove the two backup copies of the files (ie. rm the .bk files )

                Curious if it works for others as well.

                thanks catfish, i followed your instrustions and snort is working with the old gui!
                one thing to note is i went to services in the gui and stopped the snort service before everything else, then ran your instructions, checked 'block offenders', and started snort without problems

                1 Reply Last reply Reply Quote 0
                • T
                  trvsecurity
                  last edited by

                  I completely uninstalled Snort and then reinstalled using the GUI.  While I still see the wrong version (v 2.02), I can start it with host blocking on and it works so progress is being made :-)

                  I agree that there is a prblem with the select box "Which ip to block" as this is empty.  I see no error generated by this as I think it defaults to SRC.

                  The previous version of Snort didnt remove the blocked hosts after one hour (as I had configured it to do).  This is why I upgraded in the first place so I will wait for an hour and see if blocked hosts get removed! :-)

                  1 Reply Last reply Reply Quote 0
                  • D
                    dwood
                    last edited by

                    cino/catfish…thanks.  The old gui with the two files copied in via your instructions works.

                    Cheers,
                    Dennis.

                    1 Reply Last reply Reply Quote 0
                    • C
                      Cino
                      last edited by

                      @trvsecurity:

                      The previous version of Snort didnt remove the blocked hosts after one hour (as I had configured it to do).  This is why I upgraded in the first place so I will wait for an hour and see if blocked hosts get removed! :-)

                      if you go to the page where you select the time frame, when you save it; it should re-create the cron job.
                      should look kinda like this: */5  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c

                      1 Reply Last reply Reply Quote 0
                      • D
                        dwood
                        last edited by

                        Cino, did you mean add code that is in green and remove the red?

                        You will have to manually edit the files.. Remove what is in green and add what is in red.. There is way to download the whole file it a few steps.

                        1 Reply Last reply Reply Quote 0
                        • T
                          torsurfer
                          last edited by

                          Hello

                          I have tried all the above steps, but now I'm getting a new error message:

                          snort[62529]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_47562_xl1//usr/local/etc/snort/snort_47562_xl1/reference.config": No such file or directory.

                          Any ideas?

                          Thanks.

                          1 Reply Last reply Reply Quote 0
                          • A
                            Amarth
                            last edited by

                            cino/catfish thanks a bunch. The two file updates worked on my end as well.

                            1 Reply Last reply Reply Quote 0
                            • T
                              trvsecurity
                              last edited by

                              I have no idea how to see a cron job in PFSENSE (Im a Windows guy lol) - I activated SSH and tried to telnet on port 22 but I get a PROTOCOL MISMATCH error and no chance to login.  How do I see cron jobs? lol

                              1 Reply Last reply Reply Quote 0
                              • C
                                Cino
                                last edited by

                                @dwood my statement was correct….. the green are new and red is whats deleted... in this case, you want to go back so it would be the opposite.

                                @torsurfer i've seen this before, cant remember the fix... did you update your rules? you have to update them for every re-install

                                @trvsecurity i've a windows guy too but knowledge is power..lol... telenet client wont work since its SSH... search for putty.. great tool and also winscp.  install the Cron package, add a menu to see it in the web interface.

                                1 Reply Last reply Reply Quote 0
                                • T
                                  torsurfer
                                  last edited by

                                  @cino You're right. Re-downloading the rules fixed the problem. Thanks!

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    mdima
                                    last edited by

                                    Hi,
                                      I don't understand why you can specify which IP to block (src, dst, both) only if your HomeNet is a "whitelists" and not a "netlist".
                                    Can you pls tell me the reason?

                                    I see the "Which ip to block" select empty… Anyway, in this case what happens?

                                    Thanks,
                                    Michele

                                    1 Reply Last reply Reply Quote 0
                                    • E
                                      eri--
                                      last edited by

                                      @Cino:

                                      binaries seem to be in but there are some issues..

                                      @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.

                                      Again is ermal.

                                      Fixed.

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        ccb056
                                        last edited by

                                        is it safe to use the gui package management to upgrade now?

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          mdima
                                          last edited by

                                          @ermal:

                                          @Cino:

                                          binaries seem to be in but there are some issues..

                                          @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.

                                          Again is ermal.

                                          Fixed.

                                          Hi Ermal,
                                            thanks for fixing. Unfortunately now when I start the service I get the errors:

                                          FATAL ERROR: pf.conf => Table snort2c,src,kill don't exists in packet filter
                                          or
                                          FATAL ERROR: pf.conf => Table snort2c,dst,kill don't exists in packet filter
                                          or
                                          FATAL ERROR: pf.conf => Table snort2c,both,kill don't exists in packet filter

                                          depending on what option I set in the "Which ip to block" field of the interface…

                                          Thanks,
                                          Michele

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            mdima
                                            last edited by

                                            @ccb056:

                                            is it safe to use the gui package management to upgrade now?

                                            I would wait a while…. I am doing my test on my secondary machine and I am having some trouble...

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.