Netgate Discussion Forum

    Snort 2.9.1 pkg v. 2.1.1 Error.

    pfSense Packages

      Cino

      uninstall snort
      drop down to shell
      run 'find /* | grep snort'
      delete every reference
      install snort
      update rules
      Click save on every page, Global page for sure, so the cron job is added
      make sure every preprocessor is ON

      that should do it, at least for i386… can't help with amd64 builds... and in the past, amd64 always had problems with snort for some reason

        Gradius

        I'm getting this now:
        Jun 12 16:42:17 php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was 'rm: /tmp/snort.sh.pid: No such file or directory rm: /var/run/snort*: No such file or directory'

        I even rebooted, no joy.

          taryezveb

          @Cino:

          uninstall snort
          drop down to shell
          run 'find /* | grep snort'

          In case the Snort devs do not know this. Or maybe it is just me?

          Code:

          Installation of snort FAILED!
          delete every reference
          install snort
          update rules
          Click save on every page, Global page for sure, so the cron job is added
          make sure every preprocessor is ON

          that should do it, at least for i386… can't help with amd64 builds... and in the past, amd64 always had problems with snort for some reason

          The above worked for me using an amd64 install. Needed to do this, since the snort rules would not get updated.

          Used the following instead of, [find /* | grep snort]:

          find /* | grep -i snort | xargs rm -rv
          

          EDIT: Thanks Cino for the info :)

          When I finished setting up snort, noticed there was a new version:

          Stable	
          2.9.2.3 pkg v. 2.2
          platform: 2.0
          

          But the new version fails to install:

          Installation of snort FAILED!
          
          Beginning package installation for snort...
          Downloading package configuration file... done.
          Saving updated package information... done.
          Downloading snort and its dependencies... 
          Checking for package installation... 
           Downloading http://files.pfsense.org/packages/amd64/8/All/barnyard2-1.9_2.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/barnyard2-1.9_2.tbz.
          of barnyard2-1.9_2 failed!
          
          Installation aborted.Backing up libraries... 
          Removing package...
          Starting package deletion for mysql-client-5.1.53...done.
          Starting package deletion for barnyard2-1.9_2...done.
          Starting package deletion for snort-2.9.2.3...done.
          Starting package deletion for perl-threaded-5.12.4_4...done.
          Removing snort components...
          Menu items... done.
          Services... done.
          Loading package instructions...
          Include file snort.inc could not be found for inclusion.
          Deinstall commands... 
          Not executing custom deinstall hook because an include is missing.
          Removing package instructions...done.
          Auxiliary files... done.
          Package XML... done.
          Configuration... done.
          Cleaning up... Failed to install package.
          
          Installation halted.
          
            Cino

            noticed that too. barnyard2-1.9_2.tbz isn't built yet.. once it's built, you should be good to go

              taryezveb

              @Cino:

              noticed that too. barnyard2-1.9_2.tbz isn't built yet.. once it's built, you should be good to go

              Yes, just wanted to report my findings and thanks for confirmation. Will try again later and report back :)

                Cino

                @taryezveb:

                @Cino:

                noticed that too. barnyard2-1.9_2.tbz isn't built yet.. once it's built, you should be good to go

                Yes, just wanted to report my findings and thanks for confirmation. Will try again later and report back :)

                it will be located here: http://files.pfsense.org/packages/8/All/ when it's built

                  taryezveb

                  @Cino:

                  it will be located here: http://files.pfsense.org/packages/8/All/ when it's built

                  Thanks for all the info :)

                    eri--

                    Try again after reinstalling snort.

                      Cino

                      @ermal:

                      Try again after reinstalling snort.

                      @ermal ah, life is good again.. Thank you sir! I uninstalled, ran 'find /* | grep -i snort | xargs rm -rv' just to be sure then a installed.. Saved the Global page(cron job creation) updated the rules and snort and barnyard started right up!! No more manually install barnyard2….. thank you again sir!

                      P.S thank you for breaking out the alert file by interface! Big plus there, nice to see alerts by interface. Doing this does break the snort widget on the dashboard tho :-( I changed log file it's looking for but that didn't work for me... With the changes made to the alerts page, this widget would need some work to get working again... I can live without for now.. the new alert page is the better trade off IMHO

                        Gradius

                        Well, I did everything again just now and I'm still getting:
                        Jun 13 11:37:34 php: /pkg_mgr_install.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was 'rm: /tmp/snort.sh.pid: No such file or directory rm: /var/run/snort*: No such file or directory'

                          Cino

                          @Gradius:

                          Well, I did everything again just now and I'm still getting:
                          Jun 13 11:37:34 php: /pkg_mgr_install.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was 'rm: /tmp/snort.sh.pid: No such file or directory rm: /var/run/snort*: No such file or directory'

                          how are you starting it? from the service menu or from snort? I start mine from snort menu, and click on every interface i want to start/stop…

                            Gradius

                            @Cino:

                            how are you starting it? from the service menu or from snort? I start mine from snort menu, and click on every interface i want to start/stop…

                            Both.  Snort and service menu, same error on both ways.

                            If I do on shell:
                            [2.1-BETA0][root@**]/usr/local/etc/rc.d(25): ./snort.sh stop
                            rm: /tmp/snort.sh.pid: No such file or directory
                            rm: /var/run/snort*: No such file or directory

                            Same thing.

                            [2.1-BETA0][root@***]/usr/local/etc/rc.d(26): ./snort.sh start
                            rm: /var/run/snort_59419_pppoe0.pid: No such file or directory
                            ./snort.sh: /usr/local/bin/snort: not found

                            o.O

                            I did everything, I even deleted my snort config and did all from scratch again.  Same result.  :(

                              Gradius

                              I manually uploaded snort (bin) and now I'm back to ZERO:
                              Jun 13 12:39:10 snort[5794]: FATAL ERROR: parser.c(5302) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.

                                Gradius

                                Fixed.

                                I had to manually upload all those files, I have no idea WHY they weren't installed!

                                  Cino

                                  @Gradius:

                                  Fixed.

                                  I had to manually upload all those files, I have no idea WHY they weren't installed!

                                  something with your box… it created them for me and few other users

                                    FlashPan

                                    @Gradius:

                                    Fixed.

                                    I had to manually upload all those files, I have no idea WHY they weren't installed!

                                    Gradius, could you please explain how you manually updated those files as well please as I am getting the same error.  Beforehand was getting the errors more or less everyone was seeing.  I enabled all the preprocessors etc beforehand as well before downloading my rules with the oink code.

                                    Thanks and appreciate your input.

                                      Gradius

                                      @FlashPan:

                                      Gradius, could you please explain how you manually updated those files as well please as I am getting the same error.  Beforehand was getting the errors more or less everyone was seeing.  I enabled all the preprocessors etc beforehand as well before downloading my rules with the oink code.

                                      Thanks and appreciate your input.

                                      @Cino: is some bug for real, my box is perfectly fine.  :-)  Is a Gigabyte MB running a trusty P4 3.60GHz (no overclock at all).  Also, I'm only using Intel NIC (recent ones, not those old).  Hardware is 2 years old (MB, CPU & cooler only).  Also using brand new HDD Western Digital (no CF).

                                      @FlashPan: the simple way (I'm tired broken head all the time with IT lol) is: http://dl.bitvise.com/Tunnelier-Inst.exe

                                      Freeware and superb, of course you can also register for commercial use: http://www.bitvise.com/tunnelier

                                      I just downloaded from packages link listed here early to PC (win7) used WinRAR to unpack, and just uploaded the necessary files to my pF box, with tunnelier you can use SFTP it has GUI and all, super easy to use.

                                      Once uploaded the files, I just SSHed the pF box and confirmed if the rights (chown/chmod) of those files are correct.

                                      After that you can just start from pF's WebGUI or use shell, that's all.  It's a bug for sure.

                                        Cino

                                        just no more networking slang for me on the forums… box being your installation of pfsense... not your hardware.

                                        since another user is having the same issue... Are you running AMD or i386? I'm running i386 with no issues right now... well other than some netlist/whitelist ipv6 issues but it's not supported by pfsense i think at this time.

                                          Gradius

                                          After new update, got the same error, had to put the files manually there again (except snort bin).

                                          Always used i386:
                                          2.1-BETA0 (i386)
                                          built on Wed Jun 13 08:12:22 EDT 2012
                                          FreeBSD 8.3-RELEASE-p3

                                          After snort re-start I'm getting this:

                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.Evil' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.Evil' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.DROPIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.DROPIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'is_proto_irc' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'is_proto_irc' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.DshieldIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.DshieldIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.gadu.loggedin' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.gadu.loggedin' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.http.javaclient' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.http.javaclient' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.http.javaclient.vulnerable' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.http.javaclient.vulnerable' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set.
                                          Jun 13 18:25:21 	snort[23037]: IP tracking disabled, no IP sessions allocated
                                          Jun 13 18:25:21 	snort[23037]: IP tracking disabled, no IP sessions allocated
                                          Jun 13 18:25:21 	snort[23037]: WARNING: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option.
                                          Jun 13 18:25:21 	snort[23037]: WARNING: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option.
                                          

                                          I don't know how bad (or good?) that is.

                                          About my box, cannot be since config is really simple and not big at all and did upgrade from 2.0.1 to 2.1-beta.  On 2.0.1 I never had such issues.

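On the flowbits warnings in the post above: "set but not ever checked" means no enabled rule tests that flowbit, while "checked but not ever set" means an enabled rule tests a flowbit that no enabled rule sets, so those rules cannot behave as written. The following is an added example, not part of the thread, that de-duplicates and groups such warnings; the sample lines are constructed in the shape of the log above and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.

# Constructed sample in the shape of the syslog lines quoted in the post
# (each warning appears twice there, so duplicates are included here too).
sample_log() {
cat <<'EOF'
Jun 13 18:25:21 snort[23037]: WARNING: flowbits key 'ET.Evil' is set but not ever checked.
Jun 13 18:25:21 snort[23037]: WARNING: flowbits key 'ET.Evil' is set but not ever checked.
Jun 13 18:25:21 snort[23037]: WARNING: flowbits key 'ET.DROPIP' is set but not ever checked.
Jun 13 18:25:21 snort[23037]: WARNING: flowbits key 'is_proto_irc' is checked but not ever set.
Jun 13 18:25:21 snort[23037]: WARNING: flowbits key 'is_proto_irc' is checked but not ever set.
Jun 13 18:25:21 snort[23037]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set.
Jun 13 18:25:21 snort[23037]: IP tracking disabled, no IP sessions allocated
EOF
}

# Read syslog lines on stdin and print "<class> <key>" once per distinct key.
#   never-checked : a rule sets the flowbit, nothing enabled tests it
#   never-set     : a rule tests the flowbit, nothing enabled sets it
flowbits_summary() {
    awk -F"'" '
        /WARNING: flowbits key/ {
            # $2 is the quoted key, $3 is the text after the closing quote
            if ($3 ~ /checked but not ever set/)      class = "never-set"
            else if ($3 ~ /set but not ever checked/) class = "never-checked"
            else next
            if (!seen[class SUBSEP $2]++) print class, $2
        }' | LC_ALL=C sort
}

# Only the keys worth following up: find the rule that sets each one and
# check whether its rule category is enabled.
never_set_keys() {
    flowbits_summary | awk '$1 == "never-set" { print $2 }'
}

sample_log | flowbits_summary
```

On a live box, feed the system log to `flowbits_summary` on stdin instead of `sample_log`.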
                                            mschiek01

                                            For some reason the latest version is not updating the files if you try to reinstall, or delete and install snort.

                                            try this command from the command line:

                                            pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz

                                            This has worked for me as it forces the install.  You should see the files and objects after you run this command.

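An added example, not from the thread or the pfSense package: a more conservative form of the cleanup step discussed above (list first, match on the file's own name, pass each path to `rm` intact), plus a check for the two paths whose absence produced the `snort.sh start` and `dynamicpreprocessor` errors. The search directories come from the paths in the thread's error messages; the function names and the optional root-prefix argument, which lets you rehearse on a scratch tree, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Directories taken from the paths that appear in the thread's error output.
SNORT_DIRS="/usr/local /var/run /tmp"

# Print leftovers whose own name contains "snort" (any case). A matching
# directory is printed once and not descended into. Nothing is deleted.
list_snort_leftovers() {
    root=${1:-}
    for dir in $SNORT_DIRS; do
        if [ -d "$root$dir" ]; then
            find "$root$dir" -iname '*snort*' -prune -print
        fi
    done | LC_ALL=C sort
}

# Delete the same set. find hands each path to rm as a single argument, so
# names containing spaces are not split the way plain xargs would split them.
remove_snort_leftovers() {
    root=${1:-}
    for dir in $SNORT_DIRS; do
        if [ -d "$root$dir" ]; then
            find "$root$dir" -iname '*snort*' -prune -exec rm -rf -- {} +
        fi
    done
}

# After reinstalling: confirm the binary and the dynamic preprocessor
# directory exist before starting the service. Returns non-zero if not.
verify_snort_install() {
    root=${1:-}
    rc=0
    if [ ! -x "$root/usr/local/bin/snort" ]; then
        echo "missing or not executable: /usr/local/bin/snort"
        rc=1
    fi
    if [ ! -d "$root/usr/local/lib/snort/dynamicpreprocessor" ]; then
        echo "missing: /usr/local/lib/snort/dynamicpreprocessor"
        rc=1
    fi
    return $rc
}

# Usage: script.sh list|remove|verify [root-prefix]
case "${1:-}" in
    list)   list_snort_leftovers "${2:-}" ;;
    remove) remove_snort_leftovers "${2:-}" ;;
    verify) verify_snort_install "${2:-}" ;;
esac
```

Run `list` and read the output before running `remove`; run `verify` after the reinstall and before starting snort from the GUI.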