Netgate Discussion Forum

Snort 2.9.2.3 pkg v. 2.5.0 Issues

  • A
    asterix
    last edited by Jan 27, 2013, 6:44 PM Jan 27, 2013, 6:42 PM

    Get this on startup. Service re-start fails.

    Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
    Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
    Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
    Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
    Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

    On manual start it fails with these messages in the system logs

    Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
    Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
    Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

    • E
      eri--
      last edited by Jan 27, 2013, 10:36 PM

      There is no failure there.
      The error messages there are just too much noise.

      • A
        asterix
        last edited by Jan 28, 2013, 12:47 AM

        Well I don't see any other logs in there. It just fails to start. I am on a VM but that shouldn't be an issue. Been using a VM for many months with no such issues.

        • M
          monodactylus
          last edited by Jan 28, 2013, 3:12 AM

          Assuming this is the proper way to start snort from the prompt, you would see the following error:

          /usr/local/etc/rc.d/snort.sh start
          pgrep: Pidfile `/var/run/snort_vr152213.pid' is empty
          /libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"

          @asterix:

          Get this on startup. Service re-start fails.

          Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
          Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
          Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
          Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
          Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

          On manual start it fails with these messages in the system logs

          Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
          Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
          Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

          • A
            asterix
            last edited by Jan 28, 2013, 3:18 AM

            Snort needs to be started automatically when pfSense boots. Even so the GUI service start should throw some errors.

            The latest package definitely needs a fix.

            • E
              eri--
              last edited by Jan 28, 2013, 8:41 AM

              Hrm that is a problem with the building of the package.
              barnyard2 requires mysql but snort does not require it.

              Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
              i386

              
              pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
              
              

              AMD64

              
              http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
              
              

              For 2.1 PBI should include that

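The missing-library failure diagnosed in the posts above can be confirmed from the command line before and after installing a package. The following is an added example, not part of any post in this thread and not pfSense package code: it extracts unresolved shared objects from `ldd` output and from runtime-linker error lines like the one quoted above. The function names, the `/usr/local/bin/snort` path and the sample `ldd` output are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): report shared objects that the
# runtime linker cannot resolve for a binary such as snort.

# Constructed ldd output in FreeBSD format (not captured from a real host).
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/snort:
	libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a5c000)
	libmysqlclient.so.18 => not found (0)
	libc.so.7 => /lib/libc.so.7 (0x800c00000)
EOF
}

# The rtld error line quoted in the thread.
sample_rtld() {
    cat <<'EOF'
/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"
EOF
}

# Read ldd output on stdin and print each unresolved library once.
# Matches FreeBSD ("=> not found (0)") and Linux ("=> not found").
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Read log text on stdin and print "BINARY LIBRARY" for each rtld error.
missing_from_rtld() {
    sed -n 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\2 \1/p' | sort -u
}

# Check a real binary: 0 = all resolved, 1 = something missing, 2 = no ldd.
check_binary() {
    command -v ldd >/dev/null 2>&1 || return 2
    libs=$(ldd "$1" 2>/dev/null | missing_from_ldd)
    if [ -z "$libs" ]; then return 0; fi
    printf '%s\n' "$libs" | while read -r lib; do
        printf '%s: missing %s\n' "$1" "$lib"
    done
    return 1
}

# With a path argument, check that binary; otherwise show the samples.
if [ "$#" -gt 0 ]; then
    check_binary "$1"
else
    sample_ldd | missing_from_ldd
    sample_rtld | missing_from_rtld
fi
```

Run with the path of the installed binary as the only argument; a non-zero exit status makes it usable as a post-install or post-upgrade check.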
              • S
                Supermule Banned
                last edited by Jan 28, 2013, 10:00 AM

                I run mine in VM too…. So it shouldn't be a problem.

                • L
                  LiamH
                  last edited by Jan 28, 2013, 1:00 PM

                  Hi,

                  The uninstall/install after reboot happens on my machine as well, with the same errors…

                  Another thing - I don't think HOME_NET is being populated correctly on my machine. On my LAN interface, instead of including my network it only includes pfSense IP (and my external IPs, DNS, etc.). I've ended up editing snort.inc and manually adding my network address but I guess this will hold only until next reboot and reinstall. Older posts mentioned the possibility of using the firewall aliases, but I can only choose "default" at the "Home net" dropdown list.

                  • E
                    eri--
                    last edited by Jan 28, 2013, 2:18 PM

                    You have to create a whitelist to override.
                    If you run snort on the LAN interface then there is no reason to trust your hosts, no?

                    • F
                      fragged
                      last edited by Jan 28, 2013, 2:34 PM

                      Is this a bug or intentional feature / behavior that Snort doesn't download new rules after an uninstall / install (pfSense snapshot update)? I need to go and download the rules which will then start Snort when finished. Shouldn't this happen during the first start?

                      I'm fairly sure it ran just fine after a snapshot update before the latest changes. Today I updated from 24th January snapshot to:

                      2.1-BETA1 (amd64)
                      built on Sun Jan 27 20:37:59 EST 2013

                      • E
                        eri--
                        last edited by Jan 28, 2013, 2:51 PM

                        I put a fix on new package to reapply the update during reinstall if the keep settings is on.
                        Normally your rules should be preserved during a reinstall but….

                        • R
                          RonpfS
                          last edited by Jan 28, 2013, 6:11 PM

                          Is there a limit on the number of downloads of the snort rules per hour?

                          2.4.5-RELEASE-p1 (amd64)
                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                          • S
                            Supermule Banned
                            last edited by Jan 28, 2013, 6:21 PM

                            Yes :)

                            • S
                              spi
                              last edited by Jan 28, 2013, 6:33 PM

                              Hej ermal

                              Thanks for all your valuable knowledge and help here on snort.

                              Since libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16

                              may I ask why it would not be more appropriate to apply

                              pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz

                              this will give version 18 and not 16 as version 5.1.53 would do… or does it not matter?
                              
                              @ermal:
                              
                              > Hrm that is a problem with the building of the package.
                              > barnyard2 requires mysql but snort does not require it.
                              > 
                              > Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
                              > i386
                              > ```
                              > 
                              > pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
                              > 
                              > ```
                              > 
                              > AMD64
                              > ```
                              > 
                              > http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
                              > 
                              > ```
                              > 
                              > For 2.1 PBI should include that
                              • K
                                kilthro
                                last edited by Jan 28, 2013, 6:48 PM

                                @RonpfS:

                                Is there a limit on the number of downloads of the snort rules per hour?

                                once per 15 minutes is what it has told me in the past.

                                • L
                                  LiamH
                                  last edited by Jan 29, 2013, 7:11 AM

                                  @ermal:

                                  You have to create a whitelist to override.
                                  If you run snort on the LAN interface then there is no reason to trust your hosts, no?

                                  Thanks for the feedback, but I'm not sure I'm following you…

                                  I have this rule:

                                  alert tcp any any -> any $HTTP_PORTS (msg:"INT-Babylon Detected"; flow:from_client; content:"User-Agent|3A20|Babylon"; http_header; sid:1000007; classtype:policy-violation;)
                                  
                                  

                                  It should monitor and notify me about a specific program being used - The only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. Appreciate if you can clear that for me.

                                  • L
                                    LiamH
                                    last edited by Jan 29, 2013, 8:47 AM

                                    @spi:

                                    Hej ermal

                                    Thanks for all your valuable knowledge and help here on snort.

                                    Since libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16

                                    may I ask why it would not be more appropriate to apply

                                    pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz

                                    this will give version 18 and not 16 as version 5.1.53 would do… or does it not matter?
                                    

                                    Hi,

                                    pkg_add -v -f -F http://files.pfsense.org/packages/8/All/mysql-client-5.5.29.tbz
                                    

                                    worked on my machine. I had to use the "force" command because it complained about already having the package installed.

                                    • F
                                      fragged
                                      last edited by Jan 29, 2013, 10:28 AM

                                      @LiamH:

                                      It should monitor and notify me about a specific program being used - The only way it will work is by monitoring my LAN interface, with HOME_NET containing my LAN network. Appreciate if you can clear that for me.

                                      If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.

                                      • L
                                        LiamH
                                        last edited by Jan 29, 2013, 10:59 AM

                                        @fragged:

                                        If I understood you right, you would be monitoring a network (LAN) that you have completely whitelisted -> nothing is getting filtered and no warnings will trigger.

                                        This is what is happening when HOME_NET does not contain my LAN. When I set it manually (via snort.inc modification) I get the warnings and everything works as it should.

                                        Am I doing something wrong and there is another way to get this information, or should HOME_NET include my local network?

                                        • E
                                          eri--
                                          last edited by Jan 29, 2013, 4:14 PM

                                          Corrected the HOME_NET generation.
                                          Also the libmysql issues should be fixed.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.