Snort Stable 2.9.2.3 pkg v. 2.2 Failed
-
This is infuriating. How come everytime a snort update is release that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall? I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually. What kind of QA, if any, is being done? One virtual machine or box and then it gets signed off? That's what it feels like. If a simple package update can't be properly scripted and automated why would someone buy commercial support?
Well there is something in the enterprise called patch management process that shuold be done before allowing these things to production.
A testbed is not so much costy for pfSense in general as well.While i do agree that this upgrade was not correct, you have to keep in mind that the code of the snort package is by no means finished and up-to 5 minutes ago it had code that removed critical components of snort on just reinstall!!!
Anyway we are trying hard to improve the process and locking some packages as such but community need to support as well with any means.
Also comercial support will give you support on any issue you will have be it snort/pfSense/or your rant :). -
Has anyone else noticed on their Snort > Blocked (tab) that the ALERT DESCRIPTION next to each IP now says "N/A" instead of displaying a full description as it has in the past?
I've confirmed under Snort > Global Settings, my Alert file description type = FULL.
Is there any way to restore this functionality so that full alert description is listed?
It should work on latest version 2.2.1
-
@ermal:
Now if I could just figure out why snort stops working after a couple of hours. It is doing this on multiple boxes.
Can you give me any log entries about this.
I for one appreciate your efforts.
I will send you some logs as soon as snort stops again. I am hoping though that the issue with the cron job not removing the blocked ip's had something to do with it, this is just a guess for now.
Thanks for your hard work. -
@ermal:
This is infuriating. How come everytime a snort update is release that pfSense is totally incapable of doing an upgrade that doesn't completely break it and requiring people to wipe their snort config and reinstall? I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually. What kind of QA, if any, is being done? One virtual machine or box and then it gets signed off? That's what it feels like. If a simple package update can't be properly scripted and automated why would someone buy commercial support?
Well there is something in the enterprise called patch management process that shuold be done before allowing these things to production.
A testbed is not so much costy for pfSense in general as well.While i do agree that this upgrade was not correct, you have to keep in mind that the code of the snort package is by no means finished and up-to 5 minutes ago it had code that removed critical components of snort on just reinstall!!!
Anyway we are trying hard to improve the process and locking some packages as such but community need to support as well with any means.
Also comercial support will give you support on any issue you will have be it snort/pfSense/or your rant :).Ermal- The latest update is still deleting files and modules and not replacing them on reinstall.
/usr/local/lib/snort directories either missing or missing files
snort-2.9.2.3 "2.2.1" shows installed.
-
Uninstall / Install package snort-2.9.2.3 "2.2.1" / Reboot
Systems log: SnortStartup[16137]: Snort HARD START For 64152_em0…Snort will not start. >:(
-
When running /usr/local/bin/snort from command line it says:
/usr/local/lib/libdnet.1: unsupported file layoutI reinstalled all the dependencies just in case but no change. Even downloaded libdnet-1.11_3.tbz from other sources and still the same error.
-
When running /usr/local/bin/snort from command line it says:
/usr/local/lib/libdnet.1: unsupported file layoutI reinstalled all the dependencies just in case but no change. Even downloaded libdnet-1.11_3.tbz from other sources and still the same error.
Try the following:
Run this command from the command line:
pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz
Delete anything in this directory
/usr/local/lib/snort/dynamicrules
also uncheck any .so rules on your interfaces.Then update snort rules and start snort
-
Ok did all that and is the same thing. I noticed something strange, I don't know if this is related. When installing snort it complains with this warning:
pkg_add: warning: package 'snort-2.9.2.3' requires 'libpcap-1.1.1_1', but 'libpcap-1.2.1' is installedI reinstalled all dependencies again and package daq complains like this:
pkg_add: warning: package 'daq-0.6.2' requires 'libpcap-1.2.1', but 'libpcap-1.1.1_1' is installedCould that be the problem? I don't know what else to try…
BTW I do have installed both libpcap 1.1.1 and 1.2.1 . All dependencies are correctly installed.
-
Ok did all that and is the same thing. I noticed something strange, I don't know if this is related. When installing snort it complains with this warning:
pkg_add: warning: package 'snort-2.9.2.3' requires 'libpcap-1.1.1_1', but 'libpcap-1.2.1' is installedI reinstalled all dependencies again and package daq complains like this:
pkg_add: warning: package 'daq-0.6.2' requires 'libpcap-1.2.1', but 'libpcap-1.1.1_1' is installedCould that be the problem? I don't know what else to try…
BTW I do have installed both libpcap 1.1.1 and 1.2.1 . All dependencies are correctly installed.
Try to reinstall libcap-1.1.1_1
use this command which will force the reinstall from the command line.
pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1.tbz
Then
pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1_1.tbz
-
[2.0.1-RELEASE][admin@pfsense.lan]/root(17): pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1.tbz
Fetching http://files.pfsense.org/packages/8/All/libpcap-1.1.1.tbz… Done.
[2.0.1-RELEASE][admin@pfsense.lan]/root(18): pkg_add -f http://files.pfsense.org/packages/8/All/libpcap-1.1.1_1.tbz
Fetching http://files.pfsense.org/packages/8/All/libpcap-1.1.1_1.tbz… Done.
[2.0.1-RELEASE][admin@pfsense.lan]/root(19): /usr/local/bin/snort
/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout
[2.0.1-RELEASE][admin@pfsense.lan]/root(20)::(
-
pkg_info
what libpcap shows installed?
on my boxes I only show libpcap-1.1.1_1
you could try deleting any other ones with pkg_delete
-
I have:
libpcap-1.1.1 Ubiquitous network traffic capture library libpcap-1.1.1_1 Ubiquitous network traffic capture library libpcap-1.2.1 Ubiquitous network traffic capture libraryI tried to delete libpcap-1.2.1 but daq-0.6.2 depends on it. Deleting libpcap-1.1.1 (not _1) makes no difference at all.
UPDATE: Did a pkg_delete -f libpcap-1.2.1, then reinstalled libpcap-1.1.1_1 and still same error as always:
/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout -
The issue with old code that is present when you uypgrade to a new version will be there even when you reinstall since the damage from old code will be done.
Feadin,
that is why for 2.1 we are moving to PBIs to make especially this dependency issues go away once and for good.
For now you have to clean your environment from other packages you have as well and reinstall again. -
Snort Stable 2.9.2.3 pkg v. 2.2.1 (AMD64) won't start
After removing Snort Snort Stable 2.9.2.3 pkg v. 2.2 and reinstalling Snort Stable 2.9.2.3 pkg v. 2.2.1 snort won't start.
No messages in the system log, only "Jun 15 08:58:09 pfsense SnortStartup[46856]: Snort HARD START For xxxxx_em1…"Tried removing, rebooting, reinstalling, same issue.
(Only had snort widget as an added package.) -
Same for my case!
Snort Stable 2.9.2.3 pkg v. 2.2.1 (AMD64) won't start
If I try to start the snort from Services menu, I get this in System logs
- SnortStartup[43771]: Snort HARD START For 49607_em1…
From snort interface - start, I get this message,
- SnortStartup[24252]: Interface Rule START for 0_40330_em1…
- SnortStartup[59413]: Toggle for 40330_em1…
But services and snort interface shows that snort is not running.
Pfsense 2.0.1-RELEASE (amd64)
-
If you do not get anything on the system logs probably the package did not install at all!?
Is the snort binary installed? -
@ermal:
If you do not get anything on the system logs probably the package did not install at all!?
Is the snort binary installed?How do I check for that? I'm a total FreeBSD noob :)
-
I added explicit dependencies on the package instalaltion so it pulls the right packages needed.
Can you try after 10 minutes from this post and see? -
I tried installation once again. But still same problem. ???
-
Same here with fresh installation on a Virtualbox VM running
2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:16:13 EST 2011FreeBSD 8.1-RELEASE-p6
Only log line generated: SnortStartup[48564]: Snort HARD START For 23366_em1…
I only did basic settings and installed + configured snort with 1 rule category selected.