Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    Scheduled Pinned Locked Moved pfSense Packages
    331 Posts 38 Posters 262.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      CS
      last edited by

      Hi guys,
      some feedback from my side too:

      pfsense 2.0.1-RELEASE
      Snort 2.9.2.3 pkg v. 2.5.0

      I faced the same issues you mentioned before so there is no need to write them again.
      Till yesterday the snort was working and I had only the issue with the blocking of whitelisted IPs so I had blocking OFF.
      This morning with the latest auto update I got the known "sdf" FATAL ERROR. So I turned auto-update OFF, reinstalled the snort package, downloaded the rules again and now I get FATAL ERROR "freeRuleData" for a ruleset(bad-traffic.so). I disabled this one as well as all SO rules, but I got still this error. I reinstalled the package (having unselected these rulesets) but still the same error…

      So these issues are still unresolved for me:
      1. Auto-update issues / FATAL ERRORS
      2. Blocking of Whitelisted IPs

      Cheers,
      /CS

      1 Reply Last reply Reply Quote 0
      • F
        Fesoj
        last edited by

        In snort.inc the lines 1308 and 1309 contain bogus sed commands, such that the initial installation cannot complete without errors. You cannot patch this by hand, because this code gets called only during the initial installation as part of the function snort_postinstall(). So this part of snort.inc should better be correct.

        Some of the recent posts seem to be related to the sed typos, but I don't know whether it is responsible for all of them. Maybe I was lucky because my setup doesn't need the sensitive data preproc.

        ermal,
        please update the sed commands (e.g. mwexec("/usr/bin/sed -I.bak -f {$g['tmp_path']}/sedcmd …) and trigger an update of the binary package (or I'll come up with a real dirty patch).

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          @Fesoj:

          In snort.inc the lines 1308 and 1309 contain bogus sed commands…

          Again a pull request will be much easier to get applied. Teste this sed, find a fix and pull it at https://github.com/bsdperimeter/pfsense-packages.

          This way ermal can check the code and apply it.

          att,
          Marcello Coutinho

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • D
            dwood
            last edited by

            CS I have been able to reinstall SNORT every time doing this on AMD64, 2.0.1:

            1.  Uninstall snort.  I find that it is helpful to untoggle Global Settings -> "save settings" and start with a new config file when troubleshooting.
            2.  From Diagnostics -> Command Prompt , copy this command in and excecute it: find /* | grep -i snort | xargs rm -rv
            3.  Now reinstall and update your rules.

            Ermal, I have two installs working of the latest 2.5.0, however this morning both failed to start automatically after an update.  I was able to start interfaces manually on one installation.  This time no error in the logs.

            On the 2nd installation, when manually starting snort, the GUI shows it's not started.  However when I start from the shell, one interace starts, but the GUI does not show it started.

            1 Reply Last reply Reply Quote 0
            • F
              Fesoj
              last edited by

              Marcello,

              it looks as if "pull requests" would make it necessary that I need a GitHub account (I have none) and forked the snort project prior to do anything else. Since I've never used GitHub and git never at work, this might take time before I can contribute…

              ... unless there is a customized tutorial for snort projects somewhere here.

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                @Fesoj:

                it looks as if "pull requests" would make it necessary that I need a GitHub account (I have none) and forked the snort project prior to do anything else.

                You can start using only github web site to do this with few steps.

                When you have finished fixes and tests, just:

                • Create you account(it's free  :)) at github

                • browse snort repo to find the file you want to change

                • click fork and edit this file

                • apply your patches and follow pull request options

                att,
                Marcello Coutinho

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • B
                  breusshe
                  last edited by

                  @CS:

                  Hi guys,
                  some feedback from my side too:

                  pfsense 2.0.1-RELEASE
                  Snort 2.9.2.3 pkg v. 2.5.0

                  I faced the same issues you mentioned before so there is no need to write them again.
                  Till yesterday the snort was working and I had only the issue with the blocking of whitelisted IPs so I had blocking OFF.
                  This morning with the latest auto update I got the known "sdf" FATAL ERROR. So I turned auto-update OFF, reinstalled the snort package, downloaded the rules again and now I get FATAL ERROR "freeRuleData" for a ruleset(bad-traffic.so). I disabled this one as well as all SO rules, but I got still this error. I reinstalled the package (having unselected these rulesets) but still the same error…

                  So these issues are still unresolved for me:
                  1. Auto-update issues / FATAL ERRORS
                  2. Blocking of Whitelisted IPs

                  Cheers,
                  /CS

                  Me too.  Snort isn't working again this morning.  The above is my experience getting Snort to work again; however, an uninstall and reinstall of Snort stops the freeRuleData error.

                  1 Reply Last reply Reply Quote 0
                  • F
                    Fesoj
                    last edited by

                    breusshe,

                    currently the initial installation seems to be broken. Remove the package, then install again (no need to clear residual files). You should see several sed related error messages in the system log, but only immediately after the installation. Later you won't see these messages again, but depending on your settings there might be problems.

                    1 Reply Last reply Reply Quote 0
                    • C
                      CS
                      last edited by

                      @breusshe :

                      I confirm that the solution mentioned by dwood works fine on i386 too:

                      1.  Uninstall snort.  I find that it is helpful to untoggle Global Settings -> "save settings" and start with a new config file when troubleshooting.
                      2.  From Diagnostics -> Command Prompt , copy this command in and excecute it: find /* | grep -i snort | xargs rm -rv
                      3.  Now reinstall and update your rules.

                      Snort is up and running again without any errors.

                      1 Reply Last reply Reply Quote 0
                      • F
                        Fesoj
                        last edited by

                        Marcello,

                        apply your patches and follow pull request options

                        that was easy.

                        1 Reply Last reply Reply Quote 0
                        • F
                          Fesoj
                          last edited by

                          The following applies only for a fresh installation of snort. You must remove the package before applying the following recipe. The procedure is also recommended only for courageous fellows.

                          (1) Install the snort package

                          (2) Go to Status: System logs: System

                          (3) If you find one or more of the following error messages:

                          Jul 20 18:57:33 php: /pkg_mgr_install.php: Beginning package installation for snort.
                          Jul 20 18:57:33 check_reload_status: Syncing firewall
                          Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
                          Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
                          Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
                          Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
                          Jul 20 18:58:22 check_reload_status: Syncing firewall
                          Jul 20 18:58:23 check_reload_status: Reloading filter
                          Jul 20 18:58:23 check_reload_status: Syncing firewall

                          proceed with (4), otherwise stop.

                          (4) In file /usr/local/pkg/snort/snort.inc find the lines at the end with the sed commands

                          
                          @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
                          mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
                          mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
                          @unlink("{$g['tmp_path']}/sedcmd");
                          

                          and update as follows

                          
                          @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
                          mwexec("/usr/bin/sed -I.bak -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
                          mwexec("/usr/bin/sed -I.bak -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
                          @unlink("{$g['tmp_path']}/sedcmd");
                          

                          See also: https://github.com/bsdperimeter/pfsense-packages/pull/286/files

                          (5) Within the webConfigurator go to Diagnostics: Command Prompt and enter the 2 php statements into the PHP execute field:

                          require_once('/usr/local/pkg/snort/snort.inc');
                          snort_postinstall();

                          This operates silently unless there is an error.

                          (6) Check the result with

                          find /usr/local/etc/snort -name '*.bak'

                          You should see at least 2 backup files.

                          Good luck.

                          UPDATE: the patch does not solve the
                          FATAL ERROR: /usr/local/etc/snort/snort_9486_em1/preproc_rules/preprocessor.rules(202) Unknown ClassType: sdf
                          problem (though that should be easy to fix, rules were commented out a couple of days ago, but I don't know what the real problem was).

                          1 Reply Last reply Reply Quote 0
                          • F
                            Fesoj
                            last edited by

                            Marcello,

                            do you have a quick explanation how the GUI part of a package gets installed? Obviously, there are no PHP files inside snort-2.9.2.3.tbz. Maybe they come from pkg-config-0.25_1.tbz or somewhere else.

                            Thanx for your time.

                            1 Reply Last reply Reply Quote 0
                            • marcellocM
                              marcelloc
                              last edited by

                              @Fesoj:

                              Do you have a quick explanation how the GUI part of a package gets installed?

                              The package install script copy xml, inc and php files and then install freebsd package.

                              att,
                              Marcello Coutinho

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • D
                                dwood
                                last edited by

                                Ermal, am seeing consistently the same behaviour now with Snort 2.5.0 on AMD64 2.0.1 ( 2 different installations)

                                1.  If emerging threats or snort files are not updated, all ok.
                                2.  If either file set is updated during auto update, the GUI shows both interfaces stopped.
                                3.  Running ps aux | grep snort however shows one of the two interfaces running.

                                $ ps aux | grep snort
                                root   17164  0.0  0.1  9120  1124  ??  S     1:24AM   0:00.01 grep snort

                                4.  If I attempt to start the interface from the GUI, the log generates:

                                snort[57587]: FATAL ERROR: /usr/local/etc/snort/snort_56964_re1/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf

                                Cheers,
                                Dennis.

                                1 Reply Last reply Reply Quote 0
                                • J
                                  judex
                                  last edited by

                                  @dwood:

                                  $ ps aux | grep snort
                                  root   17164  0.0  0.1  9120  1124  ??  S     1:24AM   0:00.01 grep snort

                                  I do not see any interface running, just a grep process that searches for snort…

                                  Anyway, the impacts seem to be very different. So I have to delete the MD5 file and snort rules get downloaded. If I do not do that and update manually snort keeps running - no sdf error any more. Autoupdate always returns that "download 15 min blabla etc..." message.

                                  2.1-RELEASE (amd64)
                                  built on Wed Sep 11 18:17:48 EDT 2013
                                  FreeBSD 8.3-RELEASE-p11

                                  1 Reply Last reply Reply Quote 0
                                  • F
                                    Fesoj
                                    last edited by

                                    I've suggested a code change (https://github.com/Fesoj/pfsense-packages/compare/patch-2). This and obeying aaronritter's remark (http://forum.pfsense.org/index.php/topic,51493.msg275905.html#msg275905) seems to let the sensitive data preproc run correctly. Currently, the classification.config files should be patched by hand after every update of the rules.

                                    I haven't found the place that writes the classification.config files. If this gets patched, snort should survive updates again.

                                    UPDATE: with package vs. 2.5.1 this is obsolete

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      mdima
                                      last edited by

                                      Hello,
                                          just uninstalled/reinstalled this morning, the package works fine (Sensitive Data Processor disabled), but it still blocks the WAN addresses… so I am still running with blocking off.

                                      Thanks,
                                      Michele

                                      1 Reply Last reply Reply Quote 0
                                      • F
                                        Fesoj
                                        last edited by

                                        mdima,

                                        do you mean with WAN address the WAN side of your box or any outside address? If it is the WAN address of your box, then you need to add the ip to the whitelist of the interface.

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          mdima
                                          last edited by

                                          @Fesoj: It's the same, with or without whitelist… and by default it should exclude local IP addresses and so on.

                                          Probably this can help: my current HomeNet is an Alias that contains sub-aliases of local and remote IP addresses that should not be detected/blocked by Snort...

                                          Thanks,
                                          Michele

                                          1 Reply Last reply Reply Quote 0
                                          • F
                                            Fesoj
                                            last edited by

                                            mdima,

                                            HOME_NET != WHITELIST. On the WAN side, I have the default HOME_NET, but a special whitelist (including the IP address on the WAN side (I don't know what to do in case of an ISP supplied address using DHCP)) and this works fine. It's just the way things are setup. As I said before, it is now easier than ever to shoot oneself in the foot.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.