Netgate Discussion Forum

    Problem SNORT 2.9.1 pkg v. 2.1

      darklogic

      Ok, so before when I updated, I could not get snort to start after I selected block offenders, after updating again, I was able to get snort to start with block offenders checked, but now when I select any category, even if I select 1 freaking category, save and then try to restart snort, it will not start. "WTF" Thank God I have an Untangle system on the backend doing IPS.

        darklogic

        Update on the start issue. I found that the preprocessor section needs to be saved again. Click the save button and then make sure you have http inspect checked and then place a -1 in the HTTP server flow depth field to disable it, then click save one more time. After that I was able to get SNORT to finally start with blocking and rules selected.

          dwood

          This was not required here.  Did you have "Keep snort settings after deinstall" checked off in Global settings before you uninstalled SNORT?  Were your rules categories settings saved?

          Cino et al, are you seeing lower memory usage?  At AC-BNFA, memory usage seems to have dropped 10 to 20 percent.

            darklogic

            Yeah, why would I want to recreate everything? I don't see any way of exporting my 100 plus entries WhiteList without wincp into my pfsense box. The fact that I would have to clear my config in order to update to a newer version of SNORT is ridiculous. No other open source firewall or UTM I know of using SNORT requires this.

              darklogic

              Note: might want to look at this category snort_file-identify.rules

              Seems to cause starting issues as well.

                th3r3isnospoon

                Awesome Snort is now working beautifully!

                Thanks ermal!

                Also, just as a note, I also still need to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' in order to get Snort to start on AMD64.

                Thanks again!

                -th3r3isnospoon

                  Cino

                  @ermal sorry about that again…I thought I checked the spelling.. Anyways your latest changes fixed the which ip to block option. I'm able to get snort to start with this option and with/and without Kill option enabled.. I'm thinking portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] just needs to be added to the snort.inc file somewhere?

                  You mention about the 2 install options. I've meant to bring this up a while ago; for some reason both options seem to do the same thing on my box.. Doesn't matter what package… if I want to just have the xml update, it removes the binaries and tries to install them again (which doesn't work, but it's because I'm running 2.1-dev, so I know the workaround).

                  As always Ermal, thank you again for the quick fixes!

                  @dwood I am seeing about 10% difference.. I also use AC-BNFA... Have to put it to the test over the weekend.

                  @everyone Search the forum... After every reinstall of snort, you need to update rules.. then go to every page within the interface and click save. I know it's a pain, but this will ensure that the settings that are in your config.xml are synced to the snort.conf file.

                    mdima

                    Hello Everybody!
                    After some initial issues, uninstalling and reinstalling the package, it worked! And it is working GREAT!!

                    The main problem I had was the block of the offenders even when they were the "destination IP", and this is working!

                    Thanks to Ermal for the fixes and support!!

                    Michele

                      dwood

                      For whatever reason I did not have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get SNORT 2.1.1 started and blocking with all rules. (AMD64)

                      I did however uninstall a few days ago with no settings saved, rebooted..and deleted any snort directories left over before installing the new version.

                        antilog

                        @dwood:

                        For whatever reason I did not have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get SNORT 2.1.1 started and blocking with all rules. (AMD64)

                        I did however uninstall a few days ago with no settings saved, rebooted..and deleted any snort directories left over before installing the new version.

                        I was able to get today's update working by uninstalling, reinstalling, updating rules, with no portvar additions.  I am tweaking the HTTP_INSPECT as it is now blocking common sites, such as forum.pfsense.org and forums.snort.org.

                          Cino

                          @antilog:

                          @dwood:

                          For whatever reason I did not have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get SNORT 2.1.1 started and blocking with all rules. (AMD64)

                          I did however uninstall a few days ago with no settings saved, rebooted..and deleted any snort directories left over before installing the new version.

                          I was able to get today's update working by uninstalling, reinstalling, updating rules, with no portvar additions.  I am tweaking the HTTP_INSPECT as it is now blocking common sites, such as forum.pfsense.org and forums.snort.org.

                          check the rules you have enabled and you can also suppress ones that are false positives

                          I still have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]; I think it's needed for the specific-threats ruleset

                            pisarm

                            A complete reinstall fixed it for me (also removing the old settings). I still have to add FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get it running.

                              eri--

                              Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.
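
Added example, not part of the thread and not the package's own code: a pre-start check that lists variables used in enabled rule headers but never declared in snort.conf, the situation the manual `portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]` line worked around. The sample config and rules are constructed, and the check assumes Snort 2.9 reads snort.conf top to bottom, so a definition may only reference variables declared on earlier lines.

```python
import re

# Constructed snort.conf fragment: FILE_DATA_PORTS is deliberately missing.
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""
# The line quoted in the thread, appended after HTTP_PORTS.
FIXED_CONF = SAMPLE_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"

# Constructed, simplified rules (not taken from any real ruleset).
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET $OLD_PORTS -> $HOME_NET any (msg:"disabled"; sid:1000001;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"constructed"; sid:1000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed"; sid:1000003;)
"""

DECL = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(.*)$")
REF = re.compile(r"\$(\w+)")


def check_conf(conf_text):
    """Return (declared names, [(line_no, name)] used before being declared)."""
    declared, too_early = set(), []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DECL.match(line.split("#", 1)[0])
        if m:
            name, value = m.groups()
            too_early += [(no, r) for r in REF.findall(value) if r not in declared]
            declared.add(name)
    return declared, too_early


def undefined_in_rules(conf_text, rules_text):
    """Return sorted variables used in enabled rule headers but never declared."""
    declared, _ = check_conf(conf_text)
    missing = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # skip commented-out rules
            header = line.split("(", 1)[0]  # this check only reads addresses/ports
            missing.update(r for r in REF.findall(header) if r not in declared)
    return sorted(missing)


if __name__ == "__main__":
    print("missing:", undefined_in_rules(SAMPLE_CONF, SAMPLE_RULES))
    print("after fix:", undefined_in_rules(FIXED_CONF, SAMPLE_RULES))
```

Running it against the generated snort.conf and the enabled rule categories before restarting Snort shows which declaration is missing without waiting for the start to fail.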

                                Cino

                                @ermal:

                                Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.

                                thanks Ermal!!

                                  digdug3

                                  Had the same problems after upgrading.
                                  Just disabled the "Keep snort settings after deinstall" pressed the reset button and removed the package.
                                  Had to set up Snort again and now everything is working better than before! Looks much faster.

                                  Best thing are the new "Kill states" and "Which ip to block"

                                  Thanks Ermal!

                                    taryezveb

                                    @ermal:

                                    Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.

                                    Thanks

                                      taryezveb

                                      My experience when upgrading:

                                      I reinstalled Snort but it would not start due to this error:

                                      FATAL ERROR: pf.conf => Table snort2c,, don't exists in packet filter
                                      

                                      On the first try, a fresh install of Snort failed with an error [did not write down the exact error]. On the second fresh install, this time all went well. But Snort would not start; I received this error:

                                      kernel: pid 712 (snort), uid 0: exited on signal 11
                                      

                                      Tried a reboot and still got the error above. Then unchecked "Settings will not be removed during deinstall." and did another fresh install. After updating the rules and using my old options/settings, all works great now.

                                      I would like to Thank everyone that posted their experience.

                                        eri--

                                        Where is the beer?  ;D

                                          Cino

                                          @ermal:

                                          Where is the beer?  ;D

                                          Hmm, I could use one right now.. have to check the refrigerator… But seriously, if you guys really want to see fixes/added features to snort, please donate to the cause. I've already donated a couple of times myself last year. And I will continue to donate as I really love this freaking firewall :-) Yeah, funds are tight just like everyone else and I have mouths to feed these days... But whatever you can donate goes a long way. Ermal just wants beer for using coding time.. In the US that could get him a case (2 12-packs) of some great micro-brews for less than 25 bucks or 1 1/2-2 cases of bud or girls-light, coors light I meant to say..

                                          I bring this up because every time there is a problem with snort, the posts are so negative! I get the idea that certain users depend on snort like it will shut down their whole operation if it's not working. If that is the case, donate money then and stop b1tching.. Yeah, I get pissed when snort stops working, but instead of b1tching about it, I post it's broken, here are the logs, steps I tried to get it going..... Then I wait for a developer to fix it.. Sometimes it's not fixed right away, but that is why we test... and test everything so the developer can try and fix it as quickly as possible...

                                          I don't mean to offend anyone by this post... just me venting and saying my thoughts out loud

                                            taryezveb

                                            @ermal:

                                            Where is the beer?  ;D

                                            I sent funds to pfSense and made it clear to donate a portion to a few packages, including Snort of course. I will donate again when I can.

                                            Thanks
