Netgate Discussion Forum

    Problem SNORT 2.9.1 pkg v. 2.1

    pfSense Packages

      Cino

      @trvsecurity:

      The previous version of Snort didn't remove the blocked hosts after one hour (as I had configured it to do).  This is why I upgraded in the first place so I will wait for an hour and see if blocked hosts get removed! :-)

      If you go to the page where you select the time frame, when you save it, it should re-create the cron job.
      Should look kinda like this:

      */5  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c

        dwood

        Cino, did you mean add code that is in green and remove the red?

        You will have to manually edit the files.. Remove what is in green and add what is in red.. There is a way to download the whole file in a few steps.

          torsurfer

          Hello

          I have tried all the above steps, but now I'm getting a new error message:

          snort[62529]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_47562_xl1//usr/local/etc/snort/snort_47562_xl1/reference.config": No such file or directory.

          Any ideas?

          Thanks.

            Amarth

            cino/catfish thanks a bunch. The two file updates worked on my end as well.

              trvsecurity

              I have no idea how to see a cron job in PFSENSE (I'm a Windows guy lol) - I activated SSH and tried to telnet on port 22 but I get a PROTOCOL MISMATCH error and no chance to login.  How do I see cron jobs? lol

                Cino

                @dwood my statement was correct….. the green are new and red is what's deleted... in this case, you want to go back so it would be the opposite.

                @torsurfer I've seen this before, can't remember the fix... did you update your rules? you have to update them for every re-install

                @trvsecurity I'm a Windows guy too but knowledge is power..lol... telnet client won't work since it's SSH... search for PuTTY.. great tool and also WinSCP.  install the Cron package, add a menu to see it in the web interface.

                  torsurfer

                  @cino You're right. Re-downloading the rules fixed the problem. Thanks!

                    mdima

                    Hi,
                      I don't understand why you can specify which IP to block (src, dst, both) only if your HomeNet is a "whitelists" and not a "netlist".
                    Can you pls tell me the reason?

                    I see the "Which ip to block" select empty… Anyway, in this case what happens?

                    Thanks,
                    Michele

                      eri--

                      @Cino:

                      binaries seem to be in but there are some issues..

                      @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when I have block offenders enabled.

                      Again is ermal.

                      Fixed.

                        ccb056

                        is it safe to use the gui package management to upgrade now?

                          mdima

                          @ermal:

                          @Cino:

                          binaries seem to be in but there are some issues..

                          @emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when I have block offenders enabled.

                          Again is ermal.

                          Fixed.

                          Hi Ermal,
                            thanks for fixing. Unfortunately now when I start the service I get the errors:

                          FATAL ERROR: pf.conf => Table snort2c,src,kill don't exists in packet filter
                          or
                          FATAL ERROR: pf.conf => Table snort2c,dst,kill don't exists in packet filter
                          or
                          FATAL ERROR: pf.conf => Table snort2c,both,kill don't exists in packet filter

                          depending on what option I set in the "Which ip to block" field of the interface…

                          Thanks,
                          Michele

                            mdima

                            @ccb056:

                            is it safe to use the gui package management to upgrade now?

                            I would wait a while…. I am doing my test on my secondary machine and I am having some trouble...

                              eri--

                              mdima,

                              EDIT: it seems you have installed old binary still on your system that is why you get the error

                                mdima

                                @ermal:

                                mdima,
                                your options tells that you do not have a table snort2c defined in your filter rules.
                                Which should be by default hardcoded on pfSense rules.
                                Can you check on /tmp/rules.debug that there is a <snort2c> table defined?

                                Hi Ermal,
                                  thanks for your prompt answer.

                                The table is defined in /tmp/rules.debug ("table <snort2c>" at line 15) and I can also see it in the Diagnostic->Tables page…

                                Thanks,
                                Michele

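The two checks discussed in the thread up to this point (the `expiretable` cron entry for `snort2c` and the `<snort2c>` table in /tmp/rules.debug), as an added example that is not part of any post. The sample inputs are constructed and the function names are hypothetical; on a firewall you would pass in the contents of /tmp/rules.debug and of the system crontab (assumed here to be /etc/crontab).

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed; function names are hypothetical.

# Constructed stand-in for /tmp/rules.debug.
SAMPLE_RULES='set optimization normal
table <snort2c>
table <virusprot>'

# Constructed crontab text; the active line is the one quoted in the thread.
SAMPLE_CRON='# */5 * * * * root /usr/local/sbin/expiretable -t 60 snort2c
*/5 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c'

# Succeeds if the ruleset on stdin defines table <$1>.
has_pf_table() {
    grep -Eq "^[[:space:]]*table[[:space:]]+<$1>([[:space:]]|\$)"
}

# Prints the -t value (seconds) of the expiretable job for table $1; crontab on stdin.
expire_seconds() {
    awk -v tbl="$1" '
        /^[ \t]*#/ { next }                      # skip commented-out jobs
        /expiretable/ && $NF == tbl {
            for (i = 1; i < NF; i++)
                if ($i == "-t") { print $(i + 1); found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# $1 = ruleset text, $2 = crontab text, $3 = block duration set in the GUI (seconds)
check_snort_blocking() {
    printf '%s\n' "$1" | has_pf_table snort2c ||
        { echo "table <snort2c> not defined"; return 1; }
    secs=$(printf '%s\n' "$2" | expire_seconds snort2c) ||
        { echo "no expiretable job for snort2c"; return 2; }
    [ "$secs" = "$3" ] ||
        { echo "cron expires after ${secs}s, expected ${3}s"; return 3; }
    echo ok
}

check_snort_blocking "$SAMPLE_RULES" "$SAMPLE_CRON" 3600
```
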
                                  mdima

                                  @ermal:

                                  mdima,
                                  EDIT: it seems you have installed old binary still on your system that is why you get the error

                                  yes, even updating the package didn't help. So I removed then reinstalled the package and now everything seems to work… I will update my primary machine now and test it in deep!

                                  Thanks,
                                  Michele

                                    eri--

                                    There are 2 buttons there for re-installing a package.
                                    One just installs the php code and the other updates the binaries as well.

                                    I can only assume that you clicked the wrong button.

                                      mdima

                                      @ermal:

                                      There are 2 buttons there for re-installing a package.
                                      One just installs the php code and the other updates the binaries as well.

                                      I can only assume that you clicked the wrong button.

                                      mmhhh… no, I pressed the "full reinstall" ("pkg icon"), not only the "interface" ("xml icon"), I am pretty sure because I did it twice after your message and I verified that pfSense didn't download the binary files...

                                        dwood

                                        Thanks again to Ermal, Cino and Catfish.  I learned a lot more about pfsense, particularly github and the code update process this time around :-)

                                        I removed, then reinstalled (with settings saved) and everything seems to be working well.  As always, rules must be updated after an update…no issues there.  I've enabled "block offenders" "Kill states" and Block "SRC" and everything fired up (including a full set of rules) just fine.  Version is AMD64, PF 2.0.1

                                        Cheers,
                                        Dennis.

                                          darklogic

                                          Ok, so before when I updated, I could not get snort to start after I selected block offenders, after updating again, I was able to get snort to start with block offenders checked, but now when I select any category, even if I select 1 freaking category, save and then try to restart snort, it will not start. "WTF" Thank God I have an Untangle system on the backend doing IPS.

                                            darklogic

                                            Update on the start issue. I found that the preprocessor section needs to be saved again. Click the save button and then make sure you have http inspect checked and then place a -1 in the HTTP server flow depth field to disable it, then click save one more time. After that I was able to get SNORT to finally start with blocking and rules selected.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.