Netgate Discussion Forum

    Problem SNORT 2.9.1 pkg v. 2.1

    pfSense Packages
    74 Posts 18 Posters 24.3k Views
      Cino

      @antilog:

      @dwood:

      For whatever reason I did not have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get SNORT 2.1.1 started and blocking with all rules. (AMD64)

      I did however uninstall a few days ago with no settings saved, rebooted..and deleted any snort directories left over before installing the new version.

      I was able to get today's update working by uninstalling, reinstalling, updating rules, with no portvar additions.  I am tweaking the HTTP_INSPECT as it is now blocking common sites, such as forum.pfsense.org and forums.snort.org.

      check the rules you have enabled and you can also suppress ones that are false positives

      I still have to add portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]; I think it's needed for the specific-threats ruleset

        pisarm

        A complete reinstall fixed it for me (also removing the old settings). I still have to add FILE_DATA_PORTS [$HTTP_PORTS,110,143] to get it running.

          eri--

          Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.

            Cino

            @ermal:

            Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.

            thanks Ermal!!

              digdug3

              Had the same problems after upgrading.
              Just disabled the "Keep snort settings after deinstall", pressed the reset button and removed the package.
              Had to set up Snort again and now everything is working better than before! Looks much faster.

              Best things are the new "Kill states" and "Which ip to block"

              Thanks Ermal!

                taryezveb

                @ermal:

                Added the FILE_DATA_PORTS thing to the package so you do not need to do that anymore.

                Thanks

                  taryezveb

                  My experience when upgrading:

                  I reinstalled Snort but it would not start due to this error:

                  FATAL ERROR: pf.conf => Table snort2c,, don't exists in packet filter
                  

                  On the first try, a fresh install of Snort failed with an error [did not write down the exact error]. On the second fresh install, this time all went well. But Snort would not start, and I received this error:

                  kernel: pid 712 (snort), uid 0: exited on signal 11
                  

                  Tried a reboot and still got the error above. Then unchecked "Settings will not be removed during deinstall." and did another fresh install. After updating the rules and using my old options/settings, all works great now.

                  I would like to thank everyone that posted their experience.

                    eri--

                    Where is the beer?  ;D

                      Cino

                      @ermal:

                      Where is the beer?  ;D

                      Hmm, I could use one right now.. have to check the refrigerator… But seriously, if you guys really want to see fixes/added features to snort, please donate to the cause. I've already donated a couple of times myself last year. And I will continue to donate as I really love this freaking firewall :-) Yeah, funds are tight just like everyone else and I have mouths to feed these days... But whatever you can donate goes a long way. Ermal just wants beer for using coding time.. In the US that could get him a case (2 12-packs) of some great micro-brews for less than 25 bucks or 1 1/2-2 cases of bud or girls-light, coors light I meant to say..

                      I bring this up because every time there is a problem with snort, the posts are so negative! I get the idea that certain users depend on snort like it will shut down their whole operation if it's not working. If that is the case, donate money then and stop b1tching.. Yeah, I get pissed when snort stops working, but instead of b1tching about it, I post it's broken, here are the logs, steps I tried to get it going..... Then I wait for a developer to fix.. Sometimes it's not fixed right away, but that is why we test... and test everything so the developer can try and fix it as quickly as possible...

                      I don't mean to offend anyone by this post... just me venting and saying my thoughts out loud

                        taryezveb

                        @ermal:

                        Where is the beer?  ;D

                        I sent funds to pfSense and made it clear to donate a portion to a few packages, including Snort of course. I will donate again when I can.

                        Thanks

                          mdima

                          Hi,
                          I agree… I was deciding my company to support pfSense (then adding extra support hours because I needed a quick help), I have seen the time and effort that all the people involved in the project spend, and the quality as professionality and skills, and I think that all this can't be "just for free"...

                          Now that I switched to pfSense and I know it a little better, I can assert that it's my company's best interest to make this project sustainable for the people working in it, and I will push my company to renew the subscription when it will expire (even if it's not a good year, as I guess for many people).

                          Thanks to all,
                          Michele

                            dhatz

                            Please note that snort v2.9.0.5 End-of-Life day is a few weeks away:

                            You will now see that the EOL date for Snort version 2.9.0.5 is set for 2012-03-13, that's March 13, 2012.
                            http://blog.snort.org/2011/12/snort-2905-eol-date-has-been-posted.html

                            PS: On my system snort --version suggests it is version 2.9.0.5, but the package is labeled 2.9.1

                              Cino

                              Looks like the binaries have to be updated to either Snort 2.9.1.2 or Snort 2.9.2. There is a Snort 2.9.2 binary on files.pfsense.org but it's not compiled to use the alert_pf function, from some testing I just did. I have a feeling this binary was going for the snort-dev package, which isn't published anymore.

                                eri--

                                PS: On my system snort --version suggests it is version 2.9.0.5, but the package is labeled 2.9.1

                                Yeah but 2.9.0.5 seems to live longer than the 2.9.1 version.

                                I will get to 2.9.2.x asap.

                                  toomeek

                                  Hi guys, let's have some fun with this.
                                  SNORT is kicking me out every time I click "save" on my WordPress site over SSL remotely :)
                                  Any ideas?

                                    Cino

                                    easy one, create a suppress list. do a search and you'll find many examples on how to set one up.

                                      ccb056

                                      this might work:

                                      
                                      #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
                                      suppress gen_id 137, sig_id 1
                                      
                                      
                                        Gradius

                                        @ermal:

                                        PS: On my system snort --version suggests it is version 2.9.0.5, but the package is labeled 2.9.1

                                        Yeah but 2.9.0.5 seems to live longer than the 2.9.1 version.

                                        I will get to 2.9.2.x asap.

                                        Last version is 2.9.2.1:
                                        http://www.snort.org/snort-downloads

                                        This means we will see that soon on pfsense as new package?

                                          Gradius

                                          What's the change on pkg v. 2.1.1 ?!

                                            toomeek

                                            Forgot to update:

                                            #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
                                            suppress gen_id 137, sig_id 1
                                            

                                            Of course it worked like a charm. No more kicks.

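Added example, not part of any post in this thread and not pfSense package code: the suppress entry posted above silences 137:1 for every host, so this sketch tallies alerts per signature and destination and emits suppress entries scoped with Snort's `track by_dst, ip` option instead. It assumes Snort's "fast" alert log format with IPv4 addresses; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert format (addresses are from
# documentation ranges, not taken from the thread).
SAMPLE_ALERTS = """\
02/20-10:15:32.118204  [**] [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Priority: 3] {TCP} 198.51.100.7:51234 -> 203.0.113.10:443
02/20-10:15:40.551093  [**] [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Priority: 3] {TCP} 198.51.100.7:51240 -> 203.0.113.10:443
02/20-10:16:02.004411  [**] [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Priority: 3] {TCP} 198.51.100.9:40022 -> 203.0.113.25:443
02/20-10:17:45.930877  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 198.51.100.7:51301 -> 203.0.113.10:80
this line is not an alert and must be skipped
"""

# [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(text):
    """Yield (gid, sid, msg, src, dst) for every line that parses as an alert."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"]

def tally(text):
    """Count alerts per (gid, sid, dst) so noisy signature/host pairs stand out."""
    return Counter((g, s, d) for g, s, _msg, _src, d in parse_alerts(text))

def scoped_suppress(text, gid, sid, min_hits=2):
    """Build suppress entries for one signature, limited to destinations that
    triggered it at least min_hits times, rather than a global suppress."""
    msgs = {(g, s): m for g, s, m, _src, _dst in parse_alerts(text)}
    out = []
    for (g, s, dst), n in sorted(tally(text).items()):
        if (g, s) == (gid, sid) and n >= min_hits:
            out.append(f"# {msgs[(g, s)]} ({n} alerts to {dst})")
            out.append(f"suppress gen_id {g}, sig_id {s}, track by_dst, ip {dst}")
    return out

if __name__ == "__main__":
    print("\n".join(scoped_suppress(SAMPLE_ALERTS, 137, 1)))
```

Scoping the entry to the one server that produces the false positive keeps the signature active for every other destination.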