Netgate Discussion Forum

Snort on 2.1 dev ??

    tritron
    last edited by May 28, 2012, 3:37 AM

    Logs show snort[4544]: FATAL ERROR: /usr/local/etc/snort/snort_59149_bge0/snort.conf(323) Unknown output plugin: "alert_pf"
    May 27 21:39:44 snort[4544]: FATAL ERROR: /usr/local/etc/snort/snort_59149_bge0/snort.conf(323) Unknown output plugin: "alert_pf"

    How can I fix that?

      asterix
      last edited by May 29, 2012, 8:22 PM

      Check my second post in this thread. That is exactly the error I am getting. I was not able to start snort even through SSH.

        asterix
        last edited by Jun 3, 2012, 6:08 AM

        Any progress on this?

        I checked with a clean install again last night. Same issue with Snort.

          Cino
          last edited by Jun 3, 2012, 11:02 AM

          This may work… install the package, log into the box via ssh, and run

          pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

          Go to the GUI, update rules and see if it starts... make sure all the preprocessors are checked.

            asterix
            last edited by Jun 4, 2012, 1:12 AM

            Isn't that an older package? Is it compatible with the latest pfSense FreeBSD version?

              Cino
              last edited by Jun 4, 2012, 2:11 AM

              @asterix:

              Isn't that an older package? Is it compatible with the latest pfSense FreeBSD version?

              It should work.. it worked for me a month ago when I tested 2.1 binaries… Remember that packages are built for the stable version of pfSense. The pfSense package is built around snort 2.9.0.5_1 binaries.

                rcfa
                last edited by Jun 4, 2012, 7:48 AM Jun 4, 2012, 7:42 AM

                @Cino:

                This may work… install the package, log into the box via ssh, and run

                pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                Go to the GUI, update rules and see if it starts... make sure all the preprocessors are checked.

                How is this going to affect future updates, both of the packages and/or the OS or snort?

                  Cino
                  last edited by Jun 4, 2012, 10:22 AM

                  @rcfa:

                  @Cino:

                  This may work… install the package, log into the box via ssh, and run

                  pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                  Go to the GUI, update rules and see if it starts... make sure all the preprocessors are checked.

                  How is this going to affect future updates, both of the packages and/or the OS or snort?

                  You would have to reapply it… I'm hoping that once 2.1 is released, snort will also be updated.

                    dhatz
                    last edited by Jun 4, 2012, 2:47 PM

                    iirc a few months ago there was a monetary donation earmarked specifically for Snort, to finally integrate it with pf (ala spoink, snort2c, SnortSam etc). Perhaps do a new round of "crowdfunding" to finally get this done?

                      Cino
                      last edited by Jun 4, 2012, 7:02 PM

                      @dhatz:

                      iirc a few months ago there was a monetary donation earmarked specifically for Snort, to finally integrate it with pf (ala spoink, snort2c, SnortSam etc). Perhaps do a new round of "crowdfunding" to finally get this done?

                      I remember donating for that… not sure what is left from the pool... but if I was PMing pfSense, I would want to get 2.1 released first...

                        tritron
                        last edited by Jun 5, 2012, 2:00 AM

                        There is something interesting: the snort package provided by 8.3 free is older than older freebsd version stable version 2.9.2.3
                        What do you get when you type /usr/local/etc/rc.d/snort start? Can you post the output?
                        When I type snort start:
                        Initializing Output Plugins!
                        Snort BPF option: start
                        pcap DAQ configured to passive.
                        The DAQ version does not support reload.
                        Acquiring network traffic from "bge0".
                        ERROR: Can't set DAQ BPF filter to 'start' (pcap_daq_set_filter: pcap_compile: syntax error)!
                        Fatal Error, Quitting..
                        Is pfsense 2.1 built on old packages? It seems that when I try to install something on pfsense it states that it needs newer packages.

                          asterix
                          last edited by Jun 5, 2012, 3:25 AM

                          pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                          This does not work. It installs via ssh but nothing shows up in GUI.

                            Cino
                            last edited by Jun 5, 2012, 10:44 AM

                            @asterix:

                            pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                            This does not work. It installs via ssh but nothing shows up in GUI.

                            Install the pfsense snort package first via the GUI… then drop down to ssh and run the above command.

                            This will overwrite the binaries that were installed from the pfsense snort package.

                              asterix
                              last edited by Jun 5, 2012, 5:38 PM

                              Tried that too. Via SSH it downloads the package but does not install it.

                                Cino
                                last edited by Jun 5, 2012, 6:40 PM

                                @asterix:

                                Tried that too. Via SSH it downloads the package but does not install it.

                                You're killing me… Can you post what you're seeing? From when you press enter to where it fails to install.

                                  rcfa
                                  last edited by Jun 5, 2012, 7:35 PM

                                  Similar issue here:
                                  First had the regular package installed. I could update rules, etc. but snort would never run, Dashboard always shows snort as stopped.
                                  Same thing after the pkg_add procedure

                                    tritron
                                    last edited by Jun 6, 2012, 6:48 PM

                                    I believe the problem lies in the fact that the GUI does not create a proper list of rules that need to be loaded.
                                    I don't know if the GUI should store stuff in a database or create a file with rules.
                                    I can start snort by typing snort using ssh but trying to start snort with config files as it does not know what rules to load.
