Snort 2.9.4.1 Pkg 2.5.4 – Fix for SO rules version mismatch and failed startup
-
Any news on this ?
My Pull Request for the Spoink patch was accepted, but so far it has not been incorporated into a new build of the binary as far as I can tell. I don't know what the process is nor the timeline for the binary side. On the GUI side, once a Pull Request is accepted by the Core Team it is immediately available for download. I know the binaries have to be built, but I don't know if that is automated (I think it is) or a human has to intervene.
Bill
-
Just uninstall, then install the package.
It looks like it is NOT rebuilt yet, I see my WAN blocked. :(
(Snort 2.9.4.1 Pkg 2.5.4, Emergingthreats rules only)
Thanks
-
I reported that to Bmeeks some time ago since I saw my WAN blocked as well. It must be the implementation of Snort into pfSense that is causing this behaviour…
-
I found my WAN blocked yesterday. I removed the block, but it came right back. Restarted the service and it has been running fine since. Never saw this before upgrading to Snort 2.9.4.1.
If it matters, I do have the paid VRT rules. (Well worth $2.50/month. I think it's a good value and money worth spent)
-
I found my WAN blocked yesterday. I removed the block, but it came right back. Restarted the service and it has been running fine since. Never saw this before upgrading to Snort 2.9.4.1.
If it matters, I do have the paid VRT rules. (Well worth $2.50/month. I think it's a good value and money worth spent)
Until my latest bug fix is incorporated into the binary build of Snort on pfSense, you will see your WAN IP (and any other normally whitelisted IPs) get blocked. The blocking of offenders in Snort on pfSense is done with an optional output plugin.
Snort, natively, has no "blocking" capability. The Snort team leaves that to others. There are two popular methods in use: Snortsam and Spoink. The pfSense folks chose Spoink. This works as an optional output plugin compiled into the Snort binary. The Snort source code is patched during the pfSense package build process to incorporate the Spoink output plugin. This plugin receives each Alert from Snort as it is on the way to the log files. It compares the IP addresses in the Alert (SRC, DST or BOTH according to how you configure blocking) to the list of Whitelist IPs. If the offending IP is NOT in the whitelist, then an API call is made into the pfSense packet filter code to insert a blocking rule for that IP. The IP whitelist is just a text file in the same directory as the Snort configuration files. That file is created by the GUI code and then read at Snort startup by the Spoink plugin patched into Snort.
The bug that got introduced in 2.9.4.1 is in the Spoink plugin patch. During startup, when it reads the Whitelist file and stores the addresses in there into the in-memory table of whitelist IP addresses, it zeroes out the data it reads from the file just prior to parsing it! So it sees an "empty" whitelist file and thus blocks ALL alerting IP addresses. The intent of the zero-out call was to initialize the buffer with zeros prior to reading in the whitelist, but the memory clearing call was typed in the wrong spot such that it clears the buffer immediately after it was just filled with the file's data. I submitted a fix for this bug, but it has not made its way into the compiled binary package yet. Until it gets fixed, this bug will keep causing people issues with their WAN IP and other normally whitelisted IPs getting blocked.
Bill
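An added illustration of the startup bug described in the post above (this is constructed example code, not the Spoink plugin's or pfSense's actual source): a minimal whitelist loader in which the buffer-clearing call sits after the file data has been copied in, so the parser sees an empty list and every alerting address is blocked, next to the corrected order. The function names, buffer sizes and the sample whitelist file content are assumptions made for the example.

```c
#include <string.h>
#include <arpa/inet.h>

/* Constructed stand-in for the whitelist file the GUI writes: one IP per line. */
static const char SAMPLE_WHITELIST[] =
    "203.0.113.10\n"
    "198.51.100.7\n"
    "# not an address, skipped by the parser\n";

/* Parse whitelist text into binary IPv4 addresses; returns how many were loaded. */
static int parse_whitelist(const char *buf, struct in_addr *out, int max)
{
    int n = 0;
    char line[64];
    for (const char *p = buf; *p != '\0' && n < max; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof(line)) len = sizeof(line) - 1;
        memcpy(line, p, len); line[len] = '\0';
        if (line[0] != '\0' && line[0] != '#' && inet_pton(AF_INET, line, &out[n]) == 1)
            n++;                                   /* non-IP lines are skipped */
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Copy the file data into a buffer and parse it. buggy=1 reproduces the 2.9.4.1
 * defect: the zeroing meant to initialise the buffer runs AFTER the data was read
 * in, so the parser sees an empty whitelist and every alerting IP gets blocked. */
static int load_whitelist(const char *file_data, int buggy, struct in_addr *out, int max)
{
    char buf[1024];
    if (!buggy) memset(buf, 0, sizeof(buf));   /* correct: clear before filling */
    size_t len = strlen(file_data);
    if (len >= sizeof(buf)) len = sizeof(buf) - 1;
    memcpy(buf, file_data, len);               /* stands in for reading the file */
    buf[len] = '\0';
    if (buggy) memset(buf, 0, sizeof(buf));    /* defect: wipes the data just read */
    return parse_whitelist(buf, out, max);
}

/* Blocking decision as the post describes it: block unless the alert IP is whitelisted. */
static int should_block(const char *alert_ip, const struct in_addr *wl, int n)
{
    struct in_addr a;
    if (inet_pton(AF_INET, alert_ip, &a) != 1) return 0;   /* not IPv4, no rule */
    for (int i = 0; i < n; i++)
        if (wl[i].s_addr == a.s_addr) return 0;
    return 1;
}
```

With the defect enabled, `load_whitelist` returns 0 entries and the whitelisted address is reported as blockable; with the memset moved before the copy it returns 2 and the same address is left alone.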
-
ERMAL WE NEED YOU URGENTLY!!
-
Bill, that explanation was maybe my favourite post ever here. While I make no claims on code prowess, I really appreciate the under-hood explanation of what's going on. I used to try the variety of work-arounds that are normally offered up after debugging a package. It's a lot more time efficient however to watch posts like yours, and enter back into debugging/testing contribution phase once it looks like things "should" work. Again thanks to all for their efforts.
Cheers,
Dennis.
-
Until my latest bug fix is incorporated into the binary build of Snort on pfSense, …
Is it possible for us to apply this fix ourselves? If so I am sure we would all be very grateful if you could describe the solution for us.
Kind regards
-
I wasn't aware this needed a manual package build, I just kicked one off on both the 8.1 (2.0.x) package builders.
-
Package build finished and is uploaded. Entirely untested, please try it out and report back.
-
@cmb:
Package build finished and is uploaded. Entirely untested, please try it out and report back.
Thanks for everyone's hard work on this. :)
I just tested out the latest build and it seems to have fixed the wan blocking problem.
Thanks!
-th3r3isnospoon
-
@cmb:
I wasn't aware this needed a manual package build, I just kicked one off on both the 8.1 (2.0.x) package builders.
Thanks! When I submitted the Pull Request, I was also unaware that a manual build would be required. Next time I will raise the flag for the manual rebuild of the binary.
Is there a reason the Snort package is different from the other packages with regards to the manual build?
Bill
-
Just uninstall, then install the package.
It looks like it is working, I see the same IPs blocked, but WAN is OK so far.
(Snort 2.9.4.1 Pkg 2.5.4, Emergingthreats rules only)
Thanks
-
Thanks! When I submitted the Pull Request, I was also unaware that a manual build would be required. Next time I will raise the flag for the manual rebuild of the binary.
Thanks, I'd appreciate that.
Otherwise we end up with chicken littles who somehow extrapolate the package not getting built as "the project is dying". ::)
Is there a reason the Snort package is different from the other packages with regards to the manual build?
The 2.0.x packages aren't auto-built at all (AFAIK), I believe that only happens with PBIs. JimP is more authoritative on that subject and he's on vacation at the moment.
-
Thank you so much for the fix. Snort is up and working well.
-
It appears to be working for me as well. Many thanks, this is much appreciated.
-
Whatever I try, I cannot get it to work.
Mar 26 09:53:26 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
Mar 26 09:53:26 php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
Mar 26 09:53:27 php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:42 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
Mar 26 09:53:42 kernel: em0: promiscuous mode enabled
Mar 26 09:58:25 kernel: pid 68798 (snort), uid 0: exited on signal 11
Mar 26 09:58:25 kernel: em0: promiscuous mode disabled
I am on the latest 2.1 snapshot, removed everything related to snort and started from scratch.
I have an alias Whitelist with some IPs in it, so I do not understand the "Non ip() parameter passed" error.
And then the "signal 11 exit". Where should I look, because there is no logging either?
-
Whatever I try, I cannot get it to work.
Mar 26 09:53:26 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
Mar 26 09:53:26 php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
Mar 26 09:53:27 php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:35 snort[68519]: Non ip() parameter passed with white list, skipping...
Mar 26 09:53:42 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
Mar 26 09:53:42 kernel: em0: promiscuous mode enabled
Mar 26 09:58:25 kernel: pid 68798 (snort), uid 0: exited on signal 11
Mar 26 09:58:25 kernel: em0: promiscuous mode disabled
I am on the latest 2.1 snapshot, removed everything related to snort and started from scratch.
I have an alias Whitelist with some IPs in it, so I do not understand the "Non ip() parameter passed" error.
And then the "signal 11 exit". Where should I look, because there is no logging either?
Oops! I only submitted the patch to the 2.0.x tree. I believe the 2.1-BETA tree is a different Git repository. I have been working solely in the 2.0.x tree so far as Snort goes. I'm still new at this and not 100% familiar with the pfSense processes for user code submissions. Let me see if I can get a fork of the 2.1-BETA repository and submit the same patches into that code branch for the pfSense guys to look at.
Bill
-
That would be greatly appreciated =).
Could you tell us what and where to edit in the meantime?
-
Could you tell us what and where to edit in the meantime?
Unfortunately it's not an editable change in the GUI. The actual Snort binary code itself has to be modified and recompiled to incorporate the fix. That's not possible on the firewall.