Problem SNORT 2.9.1 pkg v. 2.1
-
When you say that the binaries are there, does this mean that they will be used to install Snort in PFSENSE from the GUI? I have just reinstalled Snort and I still get the old error:
snort[48751]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter
I still see version 2.02 when it should be version 2.1, I think?
-
There is a new timestamp; you can check here http://files.pfsense.org/packages/8/All/. Because of the way my box is set up, I have to manually add binaries after using the package GUI.
-
The first time I "upgraded" to the new 2.1 version of SNORT I had three options under "Which IP to block"… SRC, DEST. and BOTH. They're not there now.
-
Thanks Cino, that did the trick !
I can now turn on Snort blocking :)
Here are the steps for the newbies…
- SSH to the pfsense machine
- select 8) Shell
- cd /usr/local/pkg/snort/
- cp snort.inc snort.inc.bk
- fetch https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc
- cd /usr/local/www/snort/
- cp snort_interfaces_edit.php snort_interfaces_edit.php.bk
- fetch https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php
Exit shell and try things out. If all works, then go back to shell and remove the two backup copies of the files (ie. rm the .bk files )
Curious if it works for others as well.
Thanks catfish, I followed your instructions and Snort is working with the old GUI!
One thing to note is I went to Services in the GUI and stopped the Snort service before everything else, then ran your instructions, checked 'block offenders', and started Snort without problems -
I completely uninstalled Snort and then reinstalled using the GUI. While I still see the wrong version (v 2.02), I can start it with host blocking on and it works so progress is being made :-)
I agree that there is a problem with the select box "Which ip to block" as this is empty. I see no error generated by this as I think it defaults to SRC.
The previous version of Snort didn't remove the blocked hosts after one hour (as I had configured it to do). This is why I upgraded in the first place, so I will wait for an hour and see if blocked hosts get removed! :-)
-
cino/catfish…thanks. The old gui with the two files copied in via your instructions works.
Cheers,
Dennis. -
The previous version of Snort didn't remove the blocked hosts after one hour (as I had configured it to do). This is why I upgraded in the first place, so I will wait for an hour and see if blocked hosts get removed! :-)
if you go to the page where you select the time frame, when you save it; it should re-create the cron job.
should look kinda like this: */5 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c -
Cino, did you mean add code that is in green and remove the red?
You will have to manually edit the files.. Remove what is in green and add what is in red.. There is a way to download the whole file in a few steps.
-
Hello
I have tried all the above steps, but now I'm getting a new error message:
snort[62529]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_47562_xl1//usr/local/etc/snort/snort_47562_xl1/reference.config": No such file or directory.
Any ideas?
Thanks.
-
cino/catfish thanks a bunch. The two file updates worked on my end as well.
-
I have no idea how to see a cron job in PFSENSE (I'm a Windows guy lol) - I activated SSH and tried to telnet on port 22 but I get a PROTOCOL MISMATCH error and no chance to login. How do I see cron jobs? lol
-
@dwood my statement was correct….. the green are new and red is what's deleted... in this case, you want to go back so it would be the opposite.
@torsurfer I've seen this before, can't remember the fix... did you update your rules? You have to update them for every re-install.
@trvsecurity I'm a Windows guy too but knowledge is power..lol... a telnet client won't work since it's SSH... search for PuTTY.. great tool, and also WinSCP. Install the Cron package; it adds a menu to see it in the web interface.
-
@cino You're right. Re-downloading the rules fixed the problem. Thanks!
-
Hi,
I don't understand why you can specify which IP to block (src, dst, both) only if your HomeNet is a "whitelists" and not a "netlist".
Can you pls tell me the reason? I see the "Which ip to block" select empty… Anyway, in this case what happens?
Thanks,
Michele -
binaries seem to be in but there are some issues..
@emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.
Again is ermal.
Fixed.
-
is it safe to use the gui package management to upgrade now?
-
@ermal:
binaries seem to be in but there are some issues..
@emarl The GUI doesn't have anything for the "Which ip to block" field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when i have block offenders enabled.
Again is ermal.
Fixed.
Hi Ermal,
thanks for fixing. Unfortunately now when I start the service I get the errors: FATAL ERROR: pf.conf => Table snort2c,src,kill don't exists in packet filter
or
FATAL ERROR: pf.conf => Table snort2c,dst,kill don't exists in packet filter
or
FATAL ERROR: pf.conf => Table snort2c,both,kill don't exists in packet filter
depending on what option I set in the "Which ip to block" field of the interface…
Thanks,
Michele -
is it safe to use the gui package management to upgrade now?
I would wait a while…. I am doing my test on my secondary machine and I am having some trouble...
-
mdima,
EDIT: it seems you still have the old binary installed on your system; that is why you get the error
-
@ermal:
mdima,
your options tell that you do not have a table snort2c defined in your filter rules.
Which should be by default hardcoded on pfSense rules.
Can you check on /tmp/rules.debug that there is a <snort2c> table defined?
Hi Ermal,
thanks for your prompt answer. The table is defined in /tmp/rules.debug ("table <snort2c>" at line 15) and I can also see it in the Diagnostic->Tables page…
Thanks,
Michele -
@ermal:
mdima,
EDIT: it seems you still have the old binary installed on your system; that is why you get the error
Yes, even updating the package didn't help. So I removed then reinstalled the package and now everything seems to work… I will update my primary machine now and test it in depth!
Thanks,
Michele -
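Added example, not code from the thread or from the pfSense Snort package: a small sh helper that maps the two FATAL ERROR lines quoted in this thread (the "Table snort2c,…,kill don't exists" one that ermal traced to an old binary, and the doubled-path "Unable to open rules file" one that went away after re-downloading the rules) to the fix the thread arrived at, plus the /tmp/rules.debug table check ermal asked for. The log lines inside it are constructed samples modelled on the ones posted above; the file and table names are arguments.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense Snort package.
# Maps the Snort FATAL ERROR lines quoted in the thread to the fix the
# thread found, and checks the generated pf ruleset for the snort2c table.

# Classify one syslog line from snort; prints a short diagnosis.
snort_triage_line() {
    case "$1" in
        *"Table snort2c,"*"don't exists in packet filter"*)
            # The 2.1 package writes "snort2c,<which>,kill" into snort.conf;
            # an older binary left behind by a GUI-only reinstall rejects it.
            echo "old-binary: do a full reinstall (pkg icon) so the binaries are replaced"
            ;;
        *"Unable to open rules file"*"//"*)
            # Doubled path: the rule set was never re-downloaded after reinstall.
            echo "stale-rules: update the rules, then re-save each interface page"
            ;;
        *"FATAL ERROR"*)
            echo "other-fatal: re-save the preprocessor page and check the enabled categories"
            ;;
        *)
            echo "ok"
            ;;
    esac
}

# Exit 0 if pf ruleset $1 (normally /tmp/rules.debug) defines "table <$2>".
pf_table_defined() {
    grep -q -- "^table <$2>" "$1"
}

# Triage every snort line read from stdin, one diagnosis per line.
snort_triage() {
    while IFS= read -r line; do
        case "$line" in
            *"snort["*) snort_triage_line "$line" ;;
        esac
    done
}

# Constructed sample lines, modelled on the errors quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
snort[48751]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter
snort[62529]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_47562_xl1//usr/local/etc/snort/snort_47562_xl1/reference.config": No such file or directory.
snort[62530]: Snort initialization completed successfully
EOF
)

# On a real box: grep 'snort\[' /var/log/system.log | snort_triage
printf '%s\n' "$SAMPLE_LOG" | snort_triage
```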
There are 2 buttons there for re-installing a package.
One just installs the php code and the other updates the binaries as well. I can only assume that you clicked the wrong button.
-
@ermal:
There are 2 buttons there for re-installing a package.
One just installs the php code and the other updates the binaries as well. I can only assume that you clicked the wrong button.
mmhhh… no, I pressed the "full reinstall" ("pkg icon"), not only the "interface" ("xml icon"), I am pretty sure because I did it twice after your message and I verified that pfSense didn't download the binary files...
-
Thanks again to Ermal, Cino and Catfish. I learned a lot more about pfsense, particularly github and the code update process this time around :-)
I removed, then reinstalled (with settings saved) and everything seems to be working well. As always, rules must be updated after an update…no issues there. I've enabled "block offenders" "Kill states" and Block "SRC" and everything fired up (including a full set of rules) just fine. Version is AMD64, PF 2.0.1
Cheers,
Dennis. -
Ok, so before when I updated, I could not get snort to start after I selected block offenders, after updating again, I was able to get snort to start with block offenders checked, but now when I select any category, even if I select 1 freaking category, save and then try to restart snort, it will not start. "WTF" Thank God I have an Untangle system on the backend doing IPS.
-
Update on the start issue. I found that the preprocessor section needs to be saved again. Click the save button and then make sure you have http inspect checked and then place a -1 in the HTTP server flow depth field to disable it, then click save one more time. After that I was able to get SNORT to finally start with blocking and rules selected.
-
This was not required here. Did you have "Keep snort settings after deinstall" checked off in Global settings before you uninstalled SNORT? Were your rules categories settings saved?
Cino et al, are you seeing lower memory usage? At AC-BNFA, memory usage seems to have dropped 10 to 20 percent.
-
Yeah, why would I want to recreate everything? I don't see any way of exporting my 100 plus entry WhiteList without WinSCP into my pfSense box. The fact that I would have to clear my config in order to update to a newer version of SNORT is ridiculous. No other open source firewall or UTM I know of using SNORT requires this.
-
Note: might want to look at this category snort_file-identify.rules
Seems to cause starting issues as well.
-
Awesome Snort is now working beautifully!
Thanks ermal!
Also, just as a note, I also still need to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' in order to get Snort to start on AMD64.
Thanks again!
-th3r3isnospoon
-
@ermal sorry about that again…I thought I checked the spelling.. Anyways your latest changes fixed the which ip to block option. I'm able to get snort to start with this option and with/and without Kill option enabled.. I'm thinking portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] just needs to be added to the snort.inc file somewhere?
You mention the 2 install options; I've meant to bring this up for a while, for some reason both options seem to do the same thing on my box.. Doesn't matter what package… if I want to just have the xml update, it removes the binaries and tries to install them again (which doesn't work, but it's because I'm running 2.1-dev so I know the work around).
As always Ermal, thank you again for the quick fixes!
@dwood I am seeing about 10% difference.. I also use AC-BNFA... Have to put it to the test over the weekend.
@everyone Search the forum... After every reinstall of Snort, you need to update rules.. then go to every page within the interface and click save. I know it's a pain but this will ensure that the settings that are in your config.xml are synced to the snort.conf file.
-
Hello Everybody!
after some initial issues, uninstalling and reinstalling the package it worked! And it is working GREAT!! The main problem I had was the block of the offenders even when they were the "destination IP", and this is working!
Thanks to Ermal for the fixes and support!!
Michele
-
For whatever reason I did not have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get SNORT 2.1.1 started and blocking with all rules. (AMD64)
I did however uninstall a few days ago with no settings saved, rebooted..and deleted any snort directories left over before installing the new version.
-
I was able to get today's update working by uninstalling, reinstalling, updating rules, with no portvar additions. I am tweaking the HTTP_INSPECT as it is now blocking common sites, such as forum.pfsense.org and forums.snort.org.
-
Check the rules you have enabled, and you can also suppress ones that are false positives.
I still have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]; I think it's needed for the specific-threats ruleset.
-
A complete reinstall fixed it for me(also removing the old settings). I still have to add FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get it running.
-
Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.
-
@ermal:
Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.
thanks Ermal!!
-
Had the same problems after upgrading.
Just disabled the "Keep snort settings after deinstall" pressed the reset button and removed the package.
Had to set up Snort again and now everything is working better than before! Looks much faster. Best things are the new "Kill states" and "Which ip to block".
Thanks Ermal!
-
@ermal:
Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.
Thanks