Snort 2.9.4.1 Package with 03/20/13 Snapshot
-
Is $29.99/year for personal use:
http://www.snort.org/vrt/buy-a-subscription/I don't mind to pay that but this looks like they are pushing into more subscribes by force (not cool). ::)
Besides, they won't accept PayPal only CC directly by them. :o
-
I've deselected everything but a handful of emerging threat rules, no snort rules are selected. The DCE/RPC preproc still fails to load. I'm guessing when the package was upgraded, it left behind some prior version settings that the new package isn't seeing. e.g. unselecting the DCE/RPC preproc is removing/commenting the config for it for the latest version, but the previous versions config is still in the same file, hence it breaks it. At least that's my best guess. I'm trying to avoid rebuilding and reinstalling my snort installation. That would be the last thing I try.
Also, I noticed there are symlinks to some config files, the links are RO while the actual files are RW. I'm assuming that if I wanted to modify the config outside of the gui, I would modify the RW. However, I don't know where the snort install is actually reading it's config from or where it's getting it's rules. I can only assume the RW snort.conf and rules folder are the primary, and the symlinks are for the package to read from. The main reason I'm not sure is, I would watch the files and see what changed as I selected/deselected and saved preroc settings, I did not see the DCE/RPC get commented/uncommented in the snort.conf I was looking at when changing the setting.
Files referenced:
/usr/local/etc/snort/ - where the RO symlinks are
/usr/pbi/snort-i386/etc/snort/ - where the RW files are, also where I assume i need to modify files. -
After some more digging I'm even more confused.
It seems that my config has been lost across package installs. I'm guessing because of the below line, the oddly named snort_34124_re1 says to me, custom config storage.
php: /pkg_mgr_install.php: The dir for /usr/pbi/snort-i386/etc/snort/snort_34124_re1/threshold.conf does not exist. Cannot add symlink to /usr/local/etc/snort/snort_34124_re1/threshold.conf.After looking at the symlinks i noticed something odd for snort.conf
Inside /usr/pbi/snort-i386/etc/snort/
snort.conf -> /usr/local/etc/snort/snort.conf
Inside /usr/local/etc/snort/
snort.conf -> /usr/pbi/snort-i386/etc/snort/snort.conf-sampleSo it's just a loop, well almost. But that it's pointing to a sample config really sets off alarms saying that what is in the GUI is not what is actually happening.
-
And a litle more testing. It seems once I disable a pre-processor, in order to really disable it, I have to reinstall snort.
I fixed the DCE problem after reinstalling, then the SSL preproc started having fits, I disabled it, saved, and got the same error again, except for the SSL preproc, not the DCE/RPC. I reinstalled snort, with the SSL pre-proc disabled, it picked up on the FTP preproc complaing. So I disabled all preprocs. reinstalled, now it "acts" normal, however, it terminates with a sig 11. -
And it's now fixed.
I deselected all snort categories I had enabled. (Since I don't have a subscription)
Left my emerging threat rules alone.
Deselected all pre-processors.
Reinstalled snort.
Deleted everything under all dynamic folders under:
/usr/local/lib/snort/dynamic* (cleared each folders files, I didn't just wipe the folders out)
Started up snort, started getting alerts and blocks from Russia (normal)
Everything seems to be working fine now.P.S.
I did lose network for a moment while snort started, like 10 seconds worth. Not sure if that was because it set the NIC to promiscuous mode then decided to rebuild everything, meanwhile the nic was in a weird state. -
Alright, so I was having the same issue as you since I update to the newest snapshot almost every day. I've been struggling with this for the past 3 days. I saw your post and what you did just now and decided to just delete the directory you specified above and reinstall snort. That fixed it lol.
Simple as that. Now one thing to note is that this also happens on a fresh install of pfsense using the newest snapshots from the past 3-4 days. So even on a fresh install it happens… something is broken and should be addressed. Looks like those dynamic files shouldn't be there? They seem to be causing issues...
-
I agree :)
-
I've done most of my work and testing on 2.0.2 and not 2.1-BETA. I do have a 2.1-BETA virtual machine for testing, and it has some weirdness with removing and reinstalling Snort.
I have not studied the "install and remove" code in the Snort package enough to understand how it works (at least not completely). I agree it could definitely be improved, though. The higher priority item for me at the moment is the WAN IP blocking problem caused by the whitelist parsing bug in the Spoink plug-in code. Because of this bug, I have not yet upgraded my own production Snort install with the 2.9.4.1 port. I have just been working with the new version in VMware virtual machines to test it.
I am working on completing my pfSense package repository in VMware so I can compile packages on my own and run test installs and removes. That way, I can learn the system and perhaps make some improvements in the behavior of Snort when upgrading.
Bill
-
My issue was fixed here:
http://forum.pfsense.org/index.php/topic,59473.15.htmlWaiting for WAN (whitelist) fix now.
-
Can you please let us know when the fix would be available?
TIA
-
Can you please let us know when the fix would be available?
TIA
The WAN IP blocking problem should be fixed in the new binary recently posted. Do the typical package remove and reinstall to pickup the fix.
Bill
-
I've done most of my work and testing on 2.0.2 and not 2.1-BETA. I do have a 2.1-BETA virtual machine for testing, and it has some weirdness with removing and reinstalling Snort.
I have not studied the "install and remove" code in the Snort package enough to understand how it works (at least not completely). I agree it could definitely be improved, though. The higher priority item for me at the moment is the WAN IP blocking problem caused by the whitelist parsing bug in the Spoink plug-in code. Because of this bug, I have not yet upgraded my own production Snort install with the 2.9.4.1 port. I have just been working with the new version in VMware virtual machines to test it.
I am working on completing my pfSense package repository in VMware so I can compile packages on my own and run test installs and removes. That way, I can learn the system and perhaps make some improvements in the behavior of Snort when upgrading.
Bill
Thanks Bill for all the hard work! I just wanted to make sure the issue didn't go unnoticed.
-
The WAN IP blocking problem should be fixed in the new binary recently posted. Do the typical package remove and reinstall to pickup the fix.
Bill
Thanks Bill!
-
I got
2.1-BETA1 (amd64)
built on Tue Apr 9 15:18:17 EDT 2013
FreeBSD 8.3-RELEASE-p7snort Security 2.9.4.1 pkg v. 2.5.5
And get this error now that I just upgraded this package.
snort[37908]: FATAL ERROR: Failed to load /usr/pbi/snort-amd64/lib/snort/dynamicengine/libsf_engine.so: Cannot open "/usr/pbi/snort-amd64/lib/snort/dynamicengine/libsf_engine.so"I looked in folder and found that file. Nothing I did there fix it.
I could change the library and all that but I just hope a fix without me having to do the hacking