Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
Hi guys,
some feedback from my side too:pfsense 2.0.1-RELEASE
Snort 2.9.2.3 pkg v. 2.5.0I faced the same issues you mentioned before so there is no need to write them again.
Till yesterday the snort was working and I had only the issue with the blocking of whitelisted IPs so I had blocking OFF.
This morning with the latest auto update I got the known "sdf" FATAL ERROR. So I turned auto-update OFF, reinstalled the snort package, downloaded the rules again and now I get FATAL ERROR "freeRuleData" for a ruleset(bad-traffic.so). I disabled this one as well as all SO rules, but I got still this error. I reinstalled the package (having unselected these rulesets) but still the same error…So these issues are still unresolved for me:
1. Auto-update issues / FATAL ERRORS
2. Blocking of Whitelisted IPsCheers,
/CS -
In snort.inc the lines 1308 and 1309 contain bogus sed commands, such that the initial installation cannot complete without errors. You cannot patch this by hand, because this code gets called only during the initial installation as part of the function snort_postinstall(). So this part of snort.inc should better be correct.
Some of the recent posts seem to be related to the sed typos, but I don't know whether it is responsible for all of them. Maybe I was lucky because my setup doesn't need the sensitive data preproc.
ermal,
please update the sed commands (e.g. mwexec("/usr/bin/sed -I.bak -f {$g['tmp_path']}/sedcmd …) and trigger an update of the binary package (or I'll come up with a real dirty patch). -
In snort.inc the lines 1308 and 1309 contain bogus sed commands…
Again a pull request will be much easier to get applied. Teste this sed, find a fix and pull it at https://github.com/bsdperimeter/pfsense-packages.
This way ermal can check the code and apply it.
att,
Marcello Coutinho -
CS I have been able to reinstall SNORT every time doing this on AMD64, 2.0.1:
1. Uninstall snort. I find that it is helpful to untoggle Global Settings -> "save settings" and start with a new config file when troubleshooting.
2. From Diagnostics -> Command Prompt , copy this command in and excecute it: find /* | grep -i snort | xargs rm -rv
3. Now reinstall and update your rules.Ermal, I have two installs working of the latest 2.5.0, however this morning both failed to start automatically after an update. I was able to start interfaces manually on one installation. This time no error in the logs.
On the 2nd installation, when manually starting snort, the GUI shows it's not started. However when I start from the shell, one interace starts, but the GUI does not show it started.
-
Marcello,
it looks as if "pull requests" would make it necessary that I need a GitHub account (I have none) and forked the snort project prior to do anything else. Since I've never used GitHub and git never at work, this might take time before I can contribute…
... unless there is a customized tutorial for snort projects somewhere here.
-
it looks as if "pull requests" would make it necessary that I need a GitHub account (I have none) and forked the snort project prior to do anything else.
You can start using only github web site to do this with few steps.
When you have finished fixes and tests, just:
-
Create you account(it's free :)) at github
-
browse snort repo to find the file you want to change
-
click fork and edit this file
-
apply your patches and follow pull request options
att,
Marcello Coutinho -
-
@CS:
Hi guys,
some feedback from my side too:pfsense 2.0.1-RELEASE
Snort 2.9.2.3 pkg v. 2.5.0I faced the same issues you mentioned before so there is no need to write them again.
Till yesterday the snort was working and I had only the issue with the blocking of whitelisted IPs so I had blocking OFF.
This morning with the latest auto update I got the known "sdf" FATAL ERROR. So I turned auto-update OFF, reinstalled the snort package, downloaded the rules again and now I get FATAL ERROR "freeRuleData" for a ruleset(bad-traffic.so). I disabled this one as well as all SO rules, but I got still this error. I reinstalled the package (having unselected these rulesets) but still the same error…So these issues are still unresolved for me:
1. Auto-update issues / FATAL ERRORS
2. Blocking of Whitelisted IPsCheers,
/CSMe too. Snort isn't working again this morning. The above is my experience getting Snort to work again; however, an uninstall and reinstall of Snort stops the freeRuleData error.
-
breusshe,
currently the initial installation seems to be broken. Remove the package, then install again (no need to clear residual files). You should see several sed related error messages in the system log, but only immediately after the installation. Later you won't see these messages again, but depending on your settings there might be problems.
-
I confirm that the solution mentioned by dwood works fine on i386 too:
1. Uninstall snort. I find that it is helpful to untoggle Global Settings -> "save settings" and start with a new config file when troubleshooting.
2. From Diagnostics -> Command Prompt , copy this command in and excecute it: find /* | grep -i snort | xargs rm -rv
3. Now reinstall and update your rules.Snort is up and running again without any errors.
-
Marcello,
apply your patches and follow pull request options
that was easy.
-
The following applies only for a fresh installation of snort. You must remove the package before applying the following recipe. The procedure is also recommended only for courageous fellows.
(1) Install the snort package
(2) Go to Status: System logs: System
(3) If you find one or more of the following error messages:
Jul 20 18:57:33 php: /pkg_mgr_install.php: Beginning package installation for snort.
Jul 20 18:57:33 check_reload_status: Syncing firewall
Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
Jul 20 18:58:22 php: /pkg_mgr_install.php: The command '/usr/bin/sed -I '' -e -f /tmp/sedcmd /usr/local/etc/snort/snort_26134_em0/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: 1: "-f ": invalid command code -'
Jul 20 18:58:22 check_reload_status: Syncing firewall
Jul 20 18:58:23 check_reload_status: Reloading filter
Jul 20 18:58:23 check_reload_status: Syncing firewallproceed with (4), otherwise stop.
(4) In file /usr/local/pkg/snort/snort.inc find the lines at the end with the sed commands
@file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); @unlink("{$g['tmp_path']}/sedcmd");and update as follows
@file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); mwexec("/usr/bin/sed -I.bak -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); mwexec("/usr/bin/sed -I.bak -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); @unlink("{$g['tmp_path']}/sedcmd");See also: https://github.com/bsdperimeter/pfsense-packages/pull/286/files
(5) Within the webConfigurator go to Diagnostics: Command Prompt and enter the 2 php statements into the PHP execute field:
require_once('/usr/local/pkg/snort/snort.inc');
snort_postinstall();This operates silently unless there is an error.
(6) Check the result with
find /usr/local/etc/snort -name '*.bak'
You should see at least 2 backup files.
Good luck.
UPDATE: the patch does not solve the
FATAL ERROR: /usr/local/etc/snort/snort_9486_em1/preproc_rules/preprocessor.rules(202) Unknown ClassType: sdf
problem (though that should be easy to fix, rules were commented out a couple of days ago, but I don't know what the real problem was). -
Marcello,
do you have a quick explanation how the GUI part of a package gets installed? Obviously, there are no PHP files inside snort-2.9.2.3.tbz. Maybe they come from pkg-config-0.25_1.tbz or somewhere else.
Thanx for your time.
-
Do you have a quick explanation how the GUI part of a package gets installed?
The package install script copy xml, inc and php files and then install freebsd package.
att,
Marcello Coutinho -
Ermal, am seeing consistently the same behaviour now with Snort 2.5.0 on AMD64 2.0.1 ( 2 different installations)
1. If emerging threats or snort files are not updated, all ok.
2. If either file set is updated during auto update, the GUI shows both interfaces stopped.
3. Running ps aux | grep snort however shows one of the two interfaces running.$ ps aux | grep snort
root 17164 0.0 0.1 9120 1124 ?? S 1:24AM 0:00.01 grep snort4. If I attempt to start the interface from the GUI, the log generates:
snort[57587]: FATAL ERROR: /usr/local/etc/snort/snort_56964_re1/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Cheers,
Dennis. -
$ ps aux | grep snort
root 17164 0.0 0.1 9120 1124 ?? S 1:24AM 0:00.01 grep snortI do not see any interface running, just a grep process that searches for snort…
Anyway, the impacts seem to be very different. So I have to delete the MD5 file and snort rules get downloaded. If I do not do that and update manually snort keeps running - no sdf error any more. Autoupdate always returns that "download 15 min blabla etc..." message.
-
I've suggested a code change (https://github.com/Fesoj/pfsense-packages/compare/patch-2). This and obeying aaronritter's remark (http://forum.pfsense.org/index.php/topic,51493.msg275905.html#msg275905) seems to let the sensitive data preproc run correctly. Currently, the classification.config files should be patched by hand after every update of the rules.
I haven't found the place that writes the classification.config files. If this gets patched, snort should survive updates again.
UPDATE: with package vs. 2.5.1 this is obsolete
-
Hello,
just uninstalled/reinstalled this morning, the package works fine (Sensitive Data Processor disabled), but it still blocks the WAN addresses… so I am still running with blocking off.Thanks,
Michele -
mdima,
do you mean with WAN address the WAN side of your box or any outside address? If it is the WAN address of your box, then you need to add the ip to the whitelist of the interface.
-
@Fesoj: It's the same, with or without whitelist… and by default it should exclude local IP addresses and so on.
Probably this can help: my current HomeNet is an Alias that contains sub-aliases of local and remote IP addresses that should not be detected/blocked by Snort...
Thanks,
Michele -
mdima,
HOME_NET != WHITELIST. On the WAN side, I have the default HOME_NET, but a special whitelist (including the IP address on the WAN side (I don't know what to do in case of an ISP supplied address using DHCP)) and this works fine. It's just the way things are setup. As I said before, it is now easier than ever to shoot oneself in the foot.
