    Snort Stable 2.9.2.3 pkg v. 2.2 Failed

      tritron

      There is a http://files.pfsense.org/packages/8/All/barnyard2 file, so maybe we can work around the issue:
      fetch http://files.pfsense.org/packages/8/All/barnyard2
      mv barnyard2 barnyard2-1.9_2.tbz
      then pkg_add -r barnyard2-1.9_2.tbz
      What if for i386 we use http://mirrors.syringanetworks.net/pub/FreeBSD/ports/i386/packages-stable/security/barnyard2-1.9_2.tbz
      or http://mirrors.syringanetworks.net/pub/FreeBSD/ports/amd64/packages-stable/security/barnyard2-1.9_2.tbz for 64 bit

        eri--

        It's fixed, so just reinstall.

          fragged

          Snort 2.9.2.3 pkg v. 2.2 installs fine without errors, but after setting it up and updating rule files I get an error when I try to start it:

          Snort HARD START For 62994_em0…

          I currently only have EM rules selected.

          2.0.1-RELEASE (amd64)
          built on Mon Dec 12 18:16:13 EST 2011
          FreeBSD 8.1-RELEASE-p6

          Edit:
          I tried to
          1. Remove package + find /* |grep snort -> made sure no snort files are left over.
          2. Rebooted pfsense
          3. Installed Snort + configured it
          4. Same error:  Snort HARD START For 37895_em0...

          I went through the same setup on a VM and I got it working without messing around with anything. What's going on?

            eri--

            You are not showing your system log there.
            The cause of that will be there.

            I would expect a missing preprocessor.

              sronsen

              Finally, it appears that the updated package files and the snort updates are in synch and are working.  However, the update seems to have broken the snort dashboard widget.  It is not updating, although selecting on its header does open the snort alerts window.  Tried removing and reinstalling the widget package to no effect.

              Can someone verify this issue?  Thanks.

                Cino

                @sronsen:

                Finally, it appears that the updated package files and the snort updates are in synch and are working.  However, the update seems to have broken the snort dashboard widget.  It is not updating, although selecting on its header does open the snort alerts window.  Tried removing and reinstalling the widget package to no effect.

                Can someone verify this issue?  Thanks.

                It has… with the recent changes made to the alert page, the widget would probably have to be redone from scratch because the alerts are now broken out by interface; each interface has its own alert file now.

                  sekular

                  I uninstalled snort when the install stopped working but my configurations saved across uninstalls. I installed it today and it went through fine. It loaded my previous configuration but no rules as expected (usually does this on updates). So I updated rules and disabled and re-enabled the interface, checked all settings and enabled only one rule category to test. I get this error in syslog:

                  Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\sBasic[ \t]+' in rule [3:13308] is used before it is defined.
                  Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\sBasic[ \t]+' in rule [3:13308] is used before it is defined.

                  Should I wipe all the configurations and start from scratch?

                    caustic386

                    To get this to work, I had to uninstall, then run the following:

                    pkg_delete -f snort*
                    find / -name snort

                    and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET.

                      mschiek01

                      Delete anything in this directory
                      /usr/local/lib/snort/dynamicrules
                      also uncheck any .so rules on your interfaces.

                      Try to start snort

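Added example, not part of any post in this thread: a read-only shell check that connects the syslog error quoted earlier (`rule [3:13308]`) to the advice about `.so` rules. In Snort 2.x, generator ID 3 identifies shared object rules; the function names `snort_fatal_rules` and `so_rule_count` are hypothetical, and the sample log lines are copied from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads syslog text on stdin and prints
# one line per distinct rule named in a Snort FATAL ERROR: "gid:sid kind".
snort_fatal_rules() {
    awk '
        /snort\[[0-9]+\]: FATAL ERROR:/ {
            # Pull the "rule [gid:sid]" reference out of the message.
            if (match($0, /rule \[[0-9]+:[0-9]+\]/)) {
                ref = substr($0, RSTART + 6, RLENGTH - 7)   # "gid:sid"
                if (seen[ref]++) next                         # skip repeats
                split(ref, p, ":")
                # GID 3 = shared object (.so) rule, anything else is a text rule.
                kind = (p[1] == 3) ? "shared-object" : "text"
                print ref, kind
            }
        }'
}

# Count compiled rule libraries present in the dynamic rules directory.
# The default path is the one given in the thread; nothing is deleted.
so_rule_count() {
    dir=${1:-/usr/local/lib/snort/dynamicrules}
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -type f -name '*.so' | wc -l | tr -d ' '
}

# Sample input: log lines as posted in the thread.
snort_fatal_rules <<'EOF'
Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\sBasic[ \t]+' in rule [3:13308] is used before it is defined.
Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\sBasic[ \t]+' in rule [3:13308] is used before it is defined.
Jun 14 00:23:18 SnortStartup[18693]: Snort HARD START For 37895_em0...
EOF
echo "shared-object rule files present: $(so_rule_count)"
```

A `shared-object` result together with a non-zero file count points at leftover compiled rules in the dynamic rules directory rather than at the text rule categories.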
                        sekular

                        That has resolved the problem. Thanks.

                          fragged

                          @ermal:

                          You are not showing your system log there.
                          The cause of that will be there.

                          I would expect a missing preprocessor.

                          Status -> Services -> Hit start on Snort, Status -> System log -> Jun 14 00:23:18 SnortStartup[18693]: Snort HARD START For 37895_em0… -is the only line generated.

                          If I try to run Snort from Services -> Snort -> Snort interfaces, I get two lines:

                          Jun 14 00:32:11 SnortStartup[35943]: Interface Rule START for 0_37895_em0…
                          Jun 14 00:32:11 SnortStartup[30175]: Toggle for 37895_em0…

                            mschiek01

                            services/snort
                            click to edit the interface in question
                            Select the Categories tab
                            Select the rules you want to use.

                            Do not select any of the .so "shared objects rules"; they will cause snort to crash.

                            From your description it sounds like you don't have any rules selected.

                              fragged

                              I have tried with and without rules enabled. Currently I have only EM rules installed and 2 of them selected. Still I don't get anything useful on the system log.

                                mschiek01

                                On the Interface tab
                                general you have enabled the interface correct?

                                on the same tab under
                                Choose the types of logs snort should create.
                                you selected "Send alerts to main System logs"

                                On the preprocessors tab you have enabled "performance statics for this interface"

                                If all else fails you could try running this command from the console command line, although I do not think this is the problem

                                pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz

                                Then update your rules and try to start snort.

                                  johnnybe

                                  @ermal:

                                  It's fixed, so just reinstall.

                                  It's running here 2.0.1-RELEASE (amd64) and kept all previous settings. All that I did, after reinstall, was to update ET rules.

                                  you would not believe the view up here

                                    pfnewbe

                                    @caustic386:

                                    To get this to work, I had to uninstall, then run the following:

                                    pkg_delete -f snort*
                                    find / -name snort

                                    and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET.

                                    This worked for me!
                                    Tnx

                                      miles267

                                      Has anyone else noticed on their Snort > Blocked (tab) that the ALERT DESCRIPTION next to each IP now says "N/A" instead of displaying a full description as it has in the past?

                                      I've confirmed under Snort > Global Settings, my Alert file description type = FULL.

                                      Is there any way to restore this functionality so that full alert description is listed?

                                        mschiek01

                                        I think it is now being shown under the Alerts/Interface tab.

                                        Have you noticed if the blocked ip's are being removed in the time you have specified?

                                          miles267

                                          The alert info has always been displayed within the Snort > Alerts tab.  But requires excessive searching to find the info that corresponds with a blocked IP.  Whereas, on the BLOCKED tab, it used to specifically show the ALERT DESCRIPTION that corresponds with each blocked IP.  More straight forward.

                                          No - I've not yet confirmed that the blocked IPs are expiring within the interval I've configured.  I've been having to clear and reset snort blocks constantly to keep snort running so it's been somewhat of a moving target.

                                          Wish the latest snort was more stable.  Though I'm sure most of my issues are already being addressed for subsequent release.

                                            digdug3

                                            @pfnewbe:

                                            @caustic386:

                                            To get this to work, I had to uninstall, then run the following:

                                            pkg_delete -f snort*
                                            find / -name snort

                                            and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET.

                                            This worked for me!
                                            Tnx

                                            Got snort working again (AMD64). EM and Snort rules.
                                            Indeed, just remove the package first and then reinstall it.
