Snort 2.9.1 pkg v. 2.1.1 Error.

tritron

i386 is at http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/All/snort-2.9.2.3.tbz
Don't we need snort package compiled for pfsense?

Cino

@tritron:

Don't we need snort package compiled for pfsense?

yes because there is a patch that is needed so it can integrate into pfsense for auto blocking

ucantekme

in my case
rm -r /var/db/pkg/snort-2.9.0.5_1
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/All/snort-2.9.2.3.tbz

Then I try to install snort 2.9.2.3 from pfsense package manager again. It's only install perl-threaded-5.10.1_3.tbz from package manager.
Now snort 2.9.2.3 is running on my PfSense 2.0.1 i386

sirWest

@ucantekme:

in my case
rm -r /var/db/pkg/snort-2.9.0.5_1
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/All/snort-2.9.2.3.tbz

Then I try to install snort 2.9.2.3 from pfsense package manager again. It's only install perl-threaded-5.10.1_3.tbz from package manager.
Now snort 2.9.2.3 is running on my PfSense 2.0.1 i386

Thanks a million dude, it works! :)

Cino

@ucantekme:

in my case
rm -r /var/db/pkg/snort-2.9.0.5_1
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/All/snort-2.9.2.3.tbz

Then I try to install snort 2.9.2.3 from pfsense package manager again. It's only install perl-threaded-5.10.1_3.tbz from package manager.
Now snort 2.9.2.3 is running on my PfSense 2.0.1 i386

Is auto blocking working?

condector

Install.. but snort don't start.

pfSense 2.0.1 AMD64:

pkg_add http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/All/snort-2.9.2.3.tbz

sirWest

@condector:

Install.. but snort don't start.

pfSense 2.0.1 AMD64:

pkg_add http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/All/snort-2.9.2.3.tbz

yes sadly the same problem here - it was too soon to cheer, it installed everything fine and configuration went fine but it won't start and no error message also. Strange is that on snort page it says the old package version not the new one…

Cino

@sirWest:

Strange is that on snort page it says the old package version not the new one…

It would because the GUI is from pfSense.. Snort doesn't come with a GUI… You have to create the config files by hand... pfSense GUI creates the files for us

ucantekme

Yep Snort is looking down in services… And yep it was too soon to cheer :)

ucantekme

new issue /libexec/ld-elf.so.1: Shared object "libpcre.so.1" not found, required by "snort" it says in console if you try to use snort command

Cino

@ucantekme:

new issue /libexec/ld-elf.so.1: Shared object "libpcre.so.1" not found, required by "snort" it says in console if you try to use snort command

this is most likely because you installed the snort package from freebsd.org… you have to be very careful when install packages that aren't from files.pfsense.org... you can break your box...

ps snort didn't start because i believe it needs a patch to make it work with pf...

ucantekme

It's my test box so no problem :)

expert_az

same error

My system :
2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:43:51 EST 2011
FreeBSD 8.1-RELEASE-p6

Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/amd64/8/All/snort-2.9.2.3.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/snort-2.9.2.3.tbz.
of snort-2.9.2.3 failed!

Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for snort-2.9.2.3...done.
Starting package deletion for perl-threaded-5.10.1_3...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

darklogic

Same issue here as well.

condector

Online again! Thanks!

jimp

Yes this should be OK now, I managed to get a new set of binaries built and uploaded. For one reason or another the nightly automated build process (even when run by hand) was not completely building the snort package and related binaries.

condector

But now I have another problem…

snort[25261]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.

Snort install perfectly, but not work…

pfsparc

Same here:
snort[56806]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.

jimp

Might be related:
http://forum.pfsense.org/index.php/topic,45656.msg238815.html#msg238815

Try updating your snort rules.

Cino

i'm doing some testing but since snort was updated to 2.9.2.3, the ruleset filename is different:

thinking it should be like this now
/usr/local/pkg/snort/snort_check_for_rule_updates.php
line 43 $snort_filename_md5 = "snortrules-snapshot-2923.tar.gz.md5";
line 44 $snort_filename = "snortrules-snapshot-2923.tar.gz";