    Snort Stable 2.9.2.3 pkg v. 2.2 Failed

      mschiek01

      I think it is now being shown under the Alerts/Interface tab.

      Have you noticed if the blocked IPs are being removed in the time you have specified?

        miles267

        The alert info has always been displayed within the Snort > Alerts tab.  But requires excessive searching to find the info that corresponds with a blocked IP.  Whereas, on the BLOCKED tab, it used to specifically show the ALERT DESCRIPTION that corresponds with each blocked IP.  More straightforward.

        No - I've not yet confirmed that the blocked IPs are expiring within the interval I've configured.  I've been having to clear and reset snort blocks constantly to keep snort running so it's been somewhat of a moving target.

        Wish the latest snort was more stable.  Though I'm sure most of my issues are already being addressed for subsequent release.

          digdug3

          @pfnewbe:

          @caustic386:

          To get this to work, I had to uninstall, then run the following:

          pkg_delete -f snort*
          find / -name snort

          and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET.

          This worked for me!
          Tnx

          Got snort working again (AMD64). EM and Snort rules.
          Indeed, just remove the package first and then reinstall it.

            eri--

            @miles267:

            Wish the latest snort was more stable.  Though I'm sure most of my issues are already being addressed for subsequent release.

            Stable in what sense? And how do you know they will be addressed in the future? :)

              Guest

              This is infuriating.  How come every time a snort update is released that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall?  I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually.  What kind of QA, if any, is being done?  One virtual machine or box and then it gets signed off?  That's what it feels like.  If a simple package update can't be properly scripted and automated why would someone buy commercial support?

                Cino

                @mschiek01:

                I think it is now being shown under the Alerts/Interface tab.

                Have you noticed if the blocked IPs are being removed in the time you have specified?

                It does for me… make sure you save the global page.. this creates the cron job for it

                  digdug3

                  @Cino:

                  @mschiek01:

                  I think it is now being shown under the Alerts/Interface tab.

                  Have you noticed if the blocked IPs are being removed in the time you have specified?

                  It does for me… make sure you save the global page.. this creates the cron job for it

                  I have the same problem. Saved the global page, still the blocked IPs aren't removed.
                  AMD64 version. Two interfaces.

                    mschiek01

                    @Cino:

                    @mschiek01:

                    I think it is now being shown under the Alerts/Interface tab.

                    Have you noticed if the blocked IPs are being removed in the time you have specified?

                    It does for me… make sure you save the global page.. this creates the cron job for it

                    Thanks for the tip. The cron job was there but must not have been running correctly.  I changed the setting to never then saved, then changed back to 1 hour and saved again.  It is now working.

                    Now if I could just figure out why snort stops working after a couple of hours. It is doing this on multiple boxes.

                      digdug3

                      Thanks for the tip, will try it and post back.

                        eri--

                        @mschiek01:

                        Now if I could just figure out why snort stops working after a couple of hours. It is doing this on multiple boxes.

                        Can you give me any log entries about this?

                          eri--

                          @snadsnad:

                          This is infuriating.  How come every time a snort update is released that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall?  I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually.  What kind of QA, if any, is being done?  One virtual machine or box and then it gets signed off?  That's what it feels like.  If a simple package update can't be properly scripted and automated why would someone buy commercial support?

                          Well there is something in the enterprise called patch management process that should be done before allowing these things to production.
                          A testbed is not so costly for pfSense in general as well.

                          While I do agree that this upgrade was not correct, you have to keep in mind that the code of the snort package is by no means finished and up to 5 minutes ago it had code that removed critical components of snort on just reinstall!!!

                          Anyway we are trying hard to improve the process and locking some packages as such but community needs to support as well with any means.
                          Also commercial support will give you support on any issue you will have be it snort/pfSense/or your rant :).

                            eri--

                            @miles267:

                            Has anyone else noticed on their Snort > Blocked (tab) that the ALERT DESCRIPTION next to each IP now says "N/A" instead of displaying a full description as it has in the past?

                            I've confirmed under Snort > Global Settings, my Alert file description type = FULL.

                            Is there any way to restore this functionality so that full alert description is listed?

                            It should work on latest version 2.2.1

                              mschiek01

                              @ermal:

                              @mschiek01:

                              Now if I could just figure out why snort stops working after a couple of hours. It is doing this on multiple boxes.

                              Can you give me any log entries about this?

                              I for one appreciate your efforts.
                              I will send you some logs as soon as snort stops again.  I am hoping though that the issue with the cron job not removing the blocked IPs had something to do with it, this is just a guess for now.
                              Thanks for your hard work.

                                mschiek01

                                @ermal:

                                @snadsnad:

                                This is infuriating.  How come every time a snort update is released that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall?  I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually.  What kind of QA, if any, is being done?  One virtual machine or box and then it gets signed off?  That's what it feels like.  If a simple package update can't be properly scripted and automated why would someone buy commercial support?

                                Well there is something in the enterprise called patch management process that should be done before allowing these things to production.
                                A testbed is not so costly for pfSense in general as well.

                                While I do agree that this upgrade was not correct, you have to keep in mind that the code of the snort package is by no means finished and up to 5 minutes ago it had code that removed critical components of snort on just reinstall!!!

                                Anyway we are trying hard to improve the process and locking some packages as such but community needs to support as well with any means.
                                Also commercial support will give you support on any issue you will have be it snort/pfSense/or your rant :).

                                Ermal- The latest update is still deleting files and modules and not replacing them on reinstall.

                                /usr/local/lib/snort directories either missing or missing files

                                snort-2.9.2.3 "2.2.1" shows installed.

                                  Razor_FX_II

                                  Uninstall / Install package snort-2.9.2.3 "2.2.1" / Reboot
                                  Systems log: SnortStartup[16137]: Snort HARD START For 64152_em0…

                                  Snort will not start. >:(

                                    feadin

                                    When running /usr/local/bin/snort from command line it says:

                                    /usr/local/lib/libdnet.1: unsupported file layout
                                    

                                    I reinstalled all the dependencies just in case but no change. Even downloaded libdnet-1.11_3.tbz from other sources and still the same error.

                                      mschiek01

                                      @Feadin:

                                      When running /usr/local/bin/snort from command line it says:

                                      /usr/local/lib/libdnet.1: unsupported file layout
                                      

                                      I reinstalled all the dependencies just in case but no change. Even downloaded libdnet-1.11_3.tbz from other sources and still the same error.

                                      Try the following:

                                      Run this command from the command line:

                                      pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz

                                      Delete anything in this directory

                                      /usr/local/lib/snort/dynamicrules
                                      also uncheck any .so rules on your interfaces.

                                      Then update snort rules and start snort

                                        feadin

                                        OK, did all that and it is the same thing. I noticed something strange, I don't know if this is related. When installing snort it complains with this warning:

                                        pkg_add: warning: package 'snort-2.9.2.3' requires 'libpcap-1.1.1_1', but 'libpcap-1.2.1' is installed
                                        

                                        I reinstalled all dependencies again and package daq complains like this:

                                        pkg_add: warning: package 'daq-0.6.2' requires 'libpcap-1.2.1', but 'libpcap-1.1.1_1' is installed
                                        

                                        Could that be the problem? I don't know what else to try…

                                        BTW I do have installed both libpcap 1.1.1 and 1.2.1. All dependencies are correctly installed.
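
Added example (not part of the thread): a small sh/awk helper that reads `pkg_add` warnings like the two quoted in the post above and lists every dependency that different packages require at different versions. The function name `dep_conflicts` and the variable `SAMPLE_WARNINGS` are made up for this illustration; the sample lines are copied from the post.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from pfSense.

# Sample input: the two pkg_add warnings quoted in the post.
SAMPLE_WARNINGS="pkg_add: warning: package 'snort-2.9.2.3' requires 'libpcap-1.1.1_1', but 'libpcap-1.2.1' is installed
pkg_add: warning: package 'daq-0.6.2' requires 'libpcap-1.2.1', but 'libpcap-1.1.1_1' is installed"

# dep_conflicts: read pkg_add output on stdin and print one line per
# dependency that is required at more than one version.
dep_conflicts() {
    awk -F"'" '
    /pkg_add: warning: package .* requires / {
        pkg = $2; dep = $4
        if ((pkg, dep) in done) next      # ignore repeated warnings
        done[pkg, dep] = 1
        # Package names are name-version; the version follows the last hyphen.
        cut = 0
        for (k = 1; k <= length(dep); k++)
            if (substr(dep, k, 1) == "-") cut = k
        if (cut == 0) next
        name = substr(dep, 1, cut - 1)
        ver  = substr(dep, cut + 1)
        if (!((name, ver) in seen)) { seen[name, ver] = 1; nver[name]++ }
        sep = (want[name] == "") ? "" : "; "
        want[name] = want[name] sep pkg " requires " ver
    }
    END {
        for (name in nver)
            if (nver[name] > 1) print name ": " want[name]
    }' | sort
}

# Run against the sample warnings.
printf '%s\n' "$SAMPLE_WARNINGS" | dep_conflicts
```

On a live system the input would be the saved output of the `pkg_add` runs instead of the sample variable.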

                                          mschiek01

                                          @Feadin:

                                          OK, did all that and it is the same thing. I noticed something strange, I don't know if this is related. When installing snort it complains with this warning:

                                          pkg_add: warning: package 'snort-2.9.2.3' requires 'libpcap-1.1.1_1', but 'libpcap-1.2.1' is installed
                                          

                                          I reinstalled all dependencies again and package daq complains like this:

                                          pkg_add: warning: package 'daq-0.6.2' requires 'libpcap-1.2.1', but 'libpcap-1.1.1_1' is installed
                                          

                                          Could that be the problem? I don't know what else to try…

                                          BTW I do have installed both libpcap 1.1.1 and 1.2.1. All dependencies are correctly installed.

                                          Try to reinstall libpcap-1.1.1_1

                                          Use this command which will force the reinstall from the command line.

                                          pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1.tbz

                                          Then

                                          pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1_1.tbz

                                            feadin

                                            [2.0.1-RELEASE][admin@pfsense.lan]/root(17): pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1.tbz
                                            Fetching http://files.pfsense.org/packages/8/All/libpcap-1.1.1.tbz… Done.
                                            [2.0.1-RELEASE][admin@pfsense.lan]/root(18): pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1_1.tbz
                                            Fetching http://files.pfsense.org/packages/8/All/libpcap-1.1.1_1.tbz… Done.
                                            [2.0.1-RELEASE][admin@pfsense.lan]/root(19): /usr/local/bin/snort
                                            /libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout
                                            [2.0.1-RELEASE][admin@pfsense.lan]/root(20):

                                            :(
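
Added example (not part of the thread): FreeBSD's run-time linker, `ld-elf.so.1`, reports "unsupported file layout" when a file's ELF class (32- or 64-bit) or byte order is not the one the loader expects, so comparing those two `e_ident` bytes between the binary and the library is a quick check. The function names are made up for this illustration, and the sample headers are constructed stand-ins for `/usr/local/bin/snort` and `/usr/local/lib/libdnet.1`.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from pfSense.

# elf_layout FILE: print ELF class and byte order from e_ident, or "not-ELF".
elf_layout() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-ELF"; return 0; }
    # e_ident[4] is EI_CLASS (1 = 32-bit, 2 = 64-bit);
    # e_ident[5] is EI_DATA  (1 = little-endian, 2 = big-endian).
    set -- $(od -An -tu1 -j4 -N2 "$f")
    case "$1" in 1) class=ELF32 ;; 2) class=ELF64 ;; *) class=class-unknown ;; esac
    case "$2" in 1) order=LSB ;; 2) order=MSB ;; *) order=order-unknown ;; esac
    echo "$class $order"
}

# check_lib_layout BINARY LIBRARY: compare both layouts; status 1 on mismatch.
check_lib_layout() {
    bin_layout=$(elf_layout "$1")
    lib_layout=$(elf_layout "$2")
    if [ "$bin_layout" = "$lib_layout" ] && [ "$bin_layout" != "not-ELF" ]; then
        echo "match: both are $bin_layout"
    else
        echo "mismatch: $1 is $bin_layout, $2 is $lib_layout"
        return 1
    fi
}

# Constructed sample: two 7-byte e_ident prefixes standing in for real files.
demo_dir=$(mktemp -d)
printf '\177ELF\002\001\001' > "$demo_dir/snort"      # 64-bit, little-endian
printf '\177ELF\001\001\001' > "$demo_dir/libdnet.1"  # 32-bit, little-endian
check_lib_layout "$demo_dir/snort" "$demo_dir/libdnet.1" || true
rm -rf "$demo_dir"
```

On the firewall itself the call would be `check_lib_layout /usr/local/bin/snort /usr/local/lib/libdnet.1`.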
