Snort Stable 2.9.2.3 pkg v. 2.2 Failed
-
I'm having the same issue,
It seems that if you enter http://files.pfsense.org/packages/8/All/ in your browser, the file that pfsense is trying to get "snort-2.9.2.3.tbz" is not there. Though there is "Snort-2.9.2.tbz" and older versions.
Are the URLs of these packages hard coded into pfsense or something? There has got to be a way to install it manually..
pfsense packages are hard coded… search the wiki and the forum for the reason why... but if you install package/port, it could install a file and can break pfsense. Snort-2.9.2.tbz GUI was never completed, it used patches to communicate with pf, I believe. I started a new topic requesting the dev to change the package so it would download the old binary until the new one is built and tested
-
Hiya,
Is anyone getting this error;
Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/amd64/8/All/barnyard2-1.9_2.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/barnyard2-1.9_2.tbz.
of barnyard2-1.9_2 failed!
Installation aborted.
Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for barnyard2-1.9_2...done.
Starting package deletion for snort-2.9.2.3...done.
Starting package deletion for perl-threaded-5.12.4_4...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.
Installation halted.
Any help is welcome
Cheers,
Raj
-
From a thread I started about the same time as you…
2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:43:51 EST 2011
FreeBSD 8.1-RELEASE-p6
In case the Snort devs do not know this. Or maybe it is just me?
Installation of snort FAILED!
Beginning package installation for snort...
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/amd64/8/All/barnyard2-1.9_2.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/barnyard2-1.9_2.tbz.
of barnyard2-1.9_2 failed!
Installation aborted.
Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for barnyard2-1.9_2...done.
Starting package deletion for snort-2.9.2.3...done.
Starting package deletion for perl-threaded-5.12.4_4...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.
Installation halted.
Will try again later and report back.
-
Also as Cino points out..
http://forum.pfsense.org/index.php/topic,50397.msg268281.html#msg268281
noticed that too. barnyard2-1.9_2.tbz isn't built yet.. once it's built, you should be good to go
-
you can download the package to your pfsense box from the pfsense repo using wget, then install with pkg_add (in my case it said it was already installed). The downside to this option is it only installs the command line tools, not the web configuration interface. To use it you will have to get familiar with the command-line options
Also, as mentioned previously, it's possible you might break something if you install from the standard freebsd repo. I would guess that risk is minimized if you install from the pfsense repo, but still possible if you install something intended for a different version than what you're using.
My install was failing while trying to install a dependency, barnyard2.
Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.9_2.tbz … could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/barnyard2-1.9_2.tbz.
of barnyard2-1.9_2 failed!
-
There is http://files.pfsense.org/packages/8/All/barnyard2 file so maybe we can work around the issue
fetch http://files.pfsense.org/packages/8/All/barnyard2
mv barnyard2 barnyard2-1.9_2.tbz
then pkg_add -r barnyard2-1.9_2.tbz
What if for i386 we use http://mirrors.syringanetworks.net/pub/FreeBSD/ports/i386/packages-stable/security/barnyard2-1.9_2.tbz
or http://mirrors.syringanetworks.net/pub/FreeBSD/ports/amd64/packages-stable/security/barnyard2-1.9_2.tbz for 64 bit
-
It's fixed so just reinstall.
-
Snort 2.9.2.3 pkg v. 2.2 installs fine without errors, but after setting it up and updating rule files I get an error when I try to start it:
Snort HARD START For 62994_em0…
I currently only have EM rules selected.
2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:16:13 EST 2011
FreeBSD 8.1-RELEASE-p6
Edit:
I tried to
1. Remove package + find /* |grep snort -> made sure no snort files are left over.
2. Rebooted pfsense
3. Installed Snort + configured it
4. Same error: Snort HARD START For 37895_em0...
I went through the same setup on a vm and I got it working without messing around with anything. What's going on?
-
You are not showing your system log there.
There will be the cause of that. I can expect missing pre processor.
-
Finally, it appears that the updated package files and the snort updates are in synch and are working. However, the update seems to have broken the snort dashboard widget. It is not updating, although selecting on its header does open the snort alerts window. Tried removing and reinstalling the widget package to no effect.
Can someone verify this issue? Thanks.
-
Finally, it appears that the updated package files and the snort updates are in synch and are working. However, the update seems to have broken the snort dashboard widget. It is not updating, although selecting on its header does open the snort alerts window. Tried removing and reinstalling the widget package to no effect.
Can someone verify this issue? Thanks.
it has… with the recent changes made to the alert page, the widget would probably have to be redone from scratch because the alerts are now broken out by interface, each interface has its own alert file now.....
-
I uninstalled snort when the install stopped working but my configurations saved across uninstalls. I installed it today and it went through fine. It loaded my previous configuration but no rules as expected (usually does this on updates). So I updated rules and disabled and re-enabled the interface, checked all settings and enabled only one rule category to test. I get this error in syslog:
Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\sBasic[ \t]+' in rule [3:13308] is used before it is defined.
Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\sBasic[ \t]+' in rule [3:13308] is used before it is defined.
Should I wipe all the configurations and start from scratch?
-
To get this to work, I had to uninstall, then run the following:
pkg_delete -f snort*
find / -name snort
and rm -rf anything that turned up. Reinstalling with new package fixed it from there, running snort rules and ET.
-
Delete anything in this directory
/usr/local/lib/snort/dynamicrules
also uncheck any .so rules on your interfaces.
Try to start snort
-
That has resolved the problem. thanks.
-
@ermal:
You are not showing your system log there.
There will be the cause of that. I can expect missing pre processor.
Status -> Services -> Hit start on Snort, Status -> System log -> Jun 14 00:23:18 SnortStartup[18693]: Snort HARD START For 37895_em0… - is the only line generated.
If I try to run Snort from Services -> Snort -> Snort interfaces, I get two lines:
Jun 14 00:32:11 SnortStartup[35943]: Interface Rule START for 0_37895_em0…
Jun 14 00:32:11 SnortStartup[30175]: Toggle for 37895_em0…
-
services/snort
click to edit the interface in question
Select the Categories tab
Select the rules you want to use.
Do not select any of the .so "shared objects rules" they will cause snort to crash.
From your description it sounds like you don't have any rules selected.
-
I have tried with and without rules enabled. Currently I have only EM rules installed and 2 of them selected. Still I don't get anything useful on the system log.
-
On the Interface tab
general you have enabled the interface correct?
on the same tab under
Choose the types of logs snort should create.
you selected "Send alerts to main System logs"
On the preprocessors tab you have enabled "performance statics for this interface"
If all else fails you could try running this command from the console command line although I do not think this is the problem
pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz
Then update your rules and try to start snort.
-
@ermal:
It's fixed so just reinstall.
It's running here 2.0.1-RELEASE (amd64) and kept all previous settings. All that I did, after reinstall, was to update ET rules.
-
To get this to work, I had to uninstall, then run the following:
pkg_delete -f snort*
find / -name snort
and rm -rf anything that turned up. Reinstalling with new package fixed it from there, running snort rules and ET.
This worked for me!
Tnx
-
Has anyone else noticed on their Snort > Blocked (tab) that the ALERT DESCRIPTION next to each IP now says "N/A" instead of displaying a full description as it has in the past?
I've confirmed under Snort > Global Settings, my Alert file description type = FULL.
Is there any way to restore this functionality so that full alert description is listed?
-
I think it is now being shown under the Alerts/Interface tab.
Have you noticed if the blocked ip's are being removed in the time you have specified?
-
The alert info has always been displayed within the Snort > Alerts tab. But requires excessive searching to find the info that corresponds with a blocked IP. Whereas, on the BLOCKED tab, it used to specifically show the ALERT DESCRIPTION that corresponds with each blocked IP. More straight forward.
No - I've not yet confirmed that the blocked IPs are expiring within the interval I've configured. I've been having to clear and reset snort blocks constantly to keep snort running so it's been somewhat of a moving target.
Wish the latest snort was more stable. Though I'm sure most of my issues are already being addressed for subsequent release.
-
To get this to work, I had to uninstall, then run the following:
pkg_delete -f snort*
find / -name snort
and rm -rf anything that turned up. Reinstalling with new package fixed it from there, running snort rules and ET.
This worked for me!
Tnx
Got snort working again (AMD64). EM and Snort rules.
Indeed, just remove the package first and then reinstall it.
-
Wish the latest snort was more stable. Though I'm sure most of my issues are already being addressed for subsequent release.
Stable in what sense? And how you know will be addressed in the future? :)
-
This is infuriating. How come every time a snort update is released that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall? I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually. What kind of QA, if any, is being done? One virtual machine or box and then it gets signed off? That's what it feels like. If a simple package update can't be properly scripted and automated why would someone buy commercial support?
-
I think it is now being shown under the Alerts/Interface tab.
Have you noticed if the blocked ip's are being removed in the time you have specified?
It does for me… make sure you save the global page.. this creates the cron job for it
-
I think it is now being shown under the Alerts/Interface tab.
Have you noticed if the blocked ip's are being removed in the time you have specified?
It does for me… make sure you save the global page.. this creates the cron job for it
I have the same problem. Saved the global page, still the blocked ip's aren't removed.
AMD64 version. Two interfaces.
-
I think it is now being shown under the Alerts/Interface tab.
Have you noticed if the blocked ip's are being removed in the time you have specified?
It does for me… make sure you save the global page.. this creates the cron job for it
Thanks for the tip the cron job was there but must not have been running correctly. I changed the setting to never then saved, then changed back to 1 hour and saved again. It is now working.
Now if I could just figure out why snort stops working after a couple of hours. It is doing this on multiple boxes.
-
Thanks for the tip, will try it and post back.
-
Now if I could just figure out why snort stops working after a couple of hours. It is doing this on multiple boxes.
Can you give me any log entries about this.
-
This is infuriating. How come every time a snort update is released that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall? I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually. What kind of QA, if any, is being done? One virtual machine or box and then it gets signed off? That's what it feels like. If a simple package update can't be properly scripted and automated why would someone buy commercial support?
Well there is something in the enterprise called patch management process that should be done before allowing these things to production.
A testbed is not so much costly for pfSense in general as well.
While I do agree that this upgrade was not correct, you have to keep in mind that the code of the snort package is by no means finished and up-to 5 minutes ago it had code that removed critical components of snort on just reinstall!!!
Anyway we are trying hard to improve the process and locking some packages as such but community need to support as well with any means.
Also commercial support will give you support on any issue you will have be it snort/pfSense/or your rant :).
-
Has anyone else noticed on their Snort > Blocked (tab) that the ALERT DESCRIPTION next to each IP now says "N/A" instead of displaying a full description as it has in the past?
I've confirmed under Snort > Global Settings, my Alert file description type = FULL.
Is there any way to restore this functionality so that full alert description is listed?
It should work on latest version 2.2.1
-
@ermal:
Now if I could just figure out why snort stops working after a couple of hours. It is doing this on multiple boxes.
Can you give me any log entries about this.
I for one appreciate your efforts.
I will send you some logs as soon as snort stops again. I am hoping though that the issue with the cron job not removing the blocked ip's had something to do with it, this is just a guess for now.
Thanks for your hard work.
-
@ermal:
This is infuriating. How come every time a snort update is released that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall? I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually. What kind of QA, if any, is being done? One virtual machine or box and then it gets signed off? That's what it feels like. If a simple package update can't be properly scripted and automated why would someone buy commercial support?
Well there is something in the enterprise called patch management process that should be done before allowing these things to production.
A testbed is not so much costly for pfSense in general as well.
While I do agree that this upgrade was not correct, you have to keep in mind that the code of the snort package is by no means finished and up-to 5 minutes ago it had code that removed critical components of snort on just reinstall!!!
Anyway we are trying hard to improve the process and locking some packages as such but community need to support as well with any means.
Also commercial support will give you support on any issue you will have be it snort/pfSense/or your rant :).
Ermal - The latest update is still deleting files and modules and not replacing them on reinstall.
/usr/local/lib/snort directories either missing or missing files
snort-2.9.2.3 "2.2.1" shows installed.
-
Uninstall / Install package snort-2.9.2.3 "2.2.1" / Reboot
Systems log: SnortStartup[16137]: Snort HARD START For 64152_em0…
Snort will not start. >:(
-
When running /usr/local/bin/snort from command line it says:
/usr/local/lib/libdnet.1: unsupported file layout
I reinstalled all the dependencies just in case but no change. Even downloaded libdnet-1.11_3.tbz from other sources and still the same error.
-
When running /usr/local/bin/snort from command line it says:
/usr/local/lib/libdnet.1: unsupported file layout
I reinstalled all the dependencies just in case but no change. Even downloaded libdnet-1.11_3.tbz from other sources and still the same error.
Try the following:
Run this command from the command line:
pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz
Delete anything in this directory
/usr/local/lib/snort/dynamicrules
also uncheck any .so rules on your interfaces.
Then update snort rules and start snort
-
Ok did all that and is the same thing. I noticed something strange, I don't know if this is related. When installing snort it complains with this warning:
pkg_add: warning: package 'snort-2.9.2.3' requires 'libpcap-1.1.1_1', but 'libpcap-1.2.1' is installed
I reinstalled all dependencies again and package daq complains like this:
pkg_add: warning: package 'daq-0.6.2' requires 'libpcap-1.2.1', but 'libpcap-1.1.1_1' is installed
Could that be the problem? I don't know what else to try…
BTW I do have installed both libpcap 1.1.1 and 1.2.1 . All dependencies are correctly installed.
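-
The two pkg_add warnings in the post above name libpcap at two different required versions. As an added example (not part of the original thread), this sh function reads such warning lines and reports every dependency that packages require at more than one version; the name dep_conflicts and the SAMPLE_WARNINGS variable are made up for illustration, and the sample input is the two warnings quoted in the post.

```shell
#!/bin/sh
# Added example: spot dependencies that packages pin at conflicting versions,
# using the "requires ... but ... is installed" warnings printed by pkg_add.

# Sample input: the two warning lines quoted in the post above.
SAMPLE_WARNINGS="pkg_add: warning: package 'snort-2.9.2.3' requires 'libpcap-1.1.1_1', but 'libpcap-1.2.1' is installed
pkg_add: warning: package 'daq-0.6.2' requires 'libpcap-1.2.1', but 'libpcap-1.1.1_1' is installed"

# dep_conflicts (hypothetical helper): read pkg_add output on stdin and print
# one line per dependency that is required at more than one version:
#   <dependency>: <package> wants <version>; <package> wants <version>
# Dependencies that every package requires at the same version are not listed.
dep_conflicts() {
    awk -F"'" '
    /^pkg_add: warning: package .* requires .* is installed$/ {
        pkg = $2; req = $4
        # Split "libpcap-1.1.1_1" into name and version at the last hyphen.
        i = length(req)
        while (i > 0 && substr(req, i, 1) != "-") i--
        if (i == 0) next
        name = substr(req, 1, i - 1); ver = substr(req, i + 1)
        # Count distinct required versions per dependency name.
        if (!((name, ver) in seen)) { seen[name, ver] = 1; nver[name]++ }
        wants[name] = wants[name] (wants[name] == "" ? "" : "; ") pkg " wants " ver
    }
    END {
        for (n in nver) if (nver[n] > 1) print n ": " wants[n]
    }' | sort
}

# Run on the sample when the script is executed directly.
printf '%s\n' "$SAMPLE_WARNINGS" | dep_conflicts
```

A reported line means the packages were built against different versions of that library, so forcing one version to install cannot satisfy both; they need to come from the same package build.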