Netgate Discussion Forum

    Snort 2.9.4.1 Pkg 2.5.4 – Fix for SO rules version mismatch and failed startup

      DynamoHum

      Confirmed working after full uninstall and re-install (simple re-install on top of existing did not work) on:

      2.0.2-RELEASE (i386)
      built on Fri Dec 7 16:30:38 EST 2012
      FreeBSD 8.1-RELEASE-p13

        c0urier

        I can confirm it works on:
        2.1-BETA1 (amd64)
        built on Tue Mar 26 19:03:27 EDT 2013
        FreeBSD 8.3-RELEASE-p6

        After an uninstall and re-installation, go to Snort, save the configuration, update and start snort.

        pfsense: 2.1.5-RELEASE, AMD64
        Running on: MB/CPU: ASUS P8H77-I / Core i3-2120T | MEM: 8GB DDR3 | HDD: WD Blue 120GB 2.5" SATA | WAN/LAN: Fujitsu D2735-2 – Intel® chip 82576NS | WLAN: Realtek® 8111F PCIe | Connection: 1000/1000Mbit (Bredband2.com)

          gogol

          I am still having signal 11 exits on my system as soon as I enable the "http_inspect" preprocessor. Without it I can run snort longer than 10 minutes ;)
          System:
          2.1-BETA1 (i386)
          built on Tue Mar 26 06:16:08 EDT 2013
          snort 2.9.4.1 pkg 2.5.4

          I did some testing like:

          ```
          /usr/local/bin/snort -T -c /usr/local/etc/snort/my_snort_sensor/snort.conf
          ```

          The previous package worked fine. Can I install that again and how?
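
One way to narrow down a failure like the one described above, as an added example that is not code from the thread or from the Snort package: it reruns the `snort -T -c` test from the post with one preprocessor commented out at a time and reports which removal makes the test pass. The helper names and the `SNORT_BIN` override are hypothetical, and it assumes the crash reproduces in test mode.

```shell
#!/bin/sh
# Added example: locate the preprocessor that makes `snort -T` fail.
# Path as in the post; SNORT_BIN is a hypothetical override for other installs.
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}

# Map an exit status to a diagnosis: 128+N means "killed by signal N".
classify_exit() {
    if [ "$1" -eq 0 ]; then echo "ok"
    elif [ "$1" -eq 139 ]; then echo "crash:SIGSEGV"
    elif [ "$1" -gt 128 ]; then echo "crash:signal-$(( $1 - 128 ))"
    else echo "config-error:$1"
    fi
}

# Run snort in test mode (-T) against a config and print the diagnosis.
test_conf() {
    rc=0
    "$SNORT_BIN" -T -c "$1" >/dev/null 2>&1 || rc=$?
    classify_exit "$rc"
}

# Copy a config from stdin to stdout with every "preprocessor NAME[_suffix]:"
# directive commented out, including its backslash-continued lines.
disable_preprocessor() {
    awk -v name="$1" '
        cont || ($1 == "preprocessor" && $2 ~ ("^" name "(_[a-z0-9]+)?:?$")) {
            print "# " $0
            cont = ($0 ~ /\\[ \t]*$/)
            next
        }
        { print }
    '
}

# For each NAME, test a copy of CONF with that preprocessor disabled and
# print the names whose removal turns a failing config into a passing one.
# The copy sits next to CONF so relative include paths still resolve.
find_culprit() {
    conf=$1; shift
    [ "$(test_conf "$conf")" = "ok" ] && return 0   # nothing to narrow down
    for name in "$@"; do
        tmp="$conf.bisect.$$"
        disable_preprocessor "$name" < "$conf" > "$tmp"
        [ "$(test_conf "$tmp")" = "ok" ] && echo "$name"
        rm -f "$tmp"
    done
}
```

Called as `find_culprit /usr/local/etc/snort/my_snort_sensor/snort.conf http_inspect frag3 stream5`, it prints each listed preprocessor whose removal lets the test pass; an exit status of 139 is how the shell reports the signal 11 mentioned in the post.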
            Fmstrat

            Hi all,

            I've just installed Snort for the first time and seems like (based on my ini) the issue in post 1 is fixed. However, when I update rules I'm not sure it's actually installing them properly. I hit Update Rules, and afterwards I see:

            INSTALLED SIGNATURE RULESET
            
            SNORT.ORG >>>   N/A
            EMERGINGTHREATS.NET >>>   1d5323d8a461c52ada90fa1cd29cf540
            

            And the button to view the log is grayed out. Also, I have no Rules tab like in the Wiki, which I'm assuming is because of the N/A above.

            System log (it had been more than 15 minutes since the last attempt to update):

            Mar 27 09:29:30	php: /snort/snort_download_rules.php: The Rules update has finished...
            Mar 27 09:29:30	php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
            Mar 27 09:29:29	php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
            Mar 27 09:29:29	php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
            

            Any idea what I'm doing wrong?

            Thanks,
            Ben

              it_adminz

              @Fmstrat:

              Same thing here!

                AhnHEL

                You're not doing anything wrong, Snort is working as it should for the current moment.

                The reason it says N/A for the Snort.org Ruleset is because the current pfSense Snort package is at 2.9.4.1 which just came out in March but until the 30 day black out period ends for free, registered users, you won't be able to download any Snort rules for that package version.  Only current way to download rules for 2.9.4.1 is to be a paid VRT Subscriber.  April is almost here so I'm patiently waiting.

                The Update Log has always been greyed out.  A future feature that has yet to be implemented, I'm assuming.

                The Rules Tab will show if you hit the Edit Interface button while in the Snort Interfaces Tab.

                AhnHEL (Angel)

                  it_adminz

                  @AhnHEL:

                  Thanks for the info, I did notice that the update log has always been greyed out too! Never knew why though, thanks again.

                    Fmstrat

                    @AhnHEL:

                    Perfect answer, thank you.

                      dwood

                      All seems to be working just great now.  Updates (paid subscription) are good. Thanks again Bill :-)

                        Razor_FX_II

                        Just uninstalled and reinstalled Snort 2.9.4.1 pkg v. 2.5.4 on pfSense 2.1-BETA1 (amd64) built on Fri Mar 29 14:58:31 EDT 2013
                        I am a Sourcefire VRT Certified Premium Rules paid subscriber but the update still says N/A for the Snort.org Ruleset when I update the rules.

                          Treffin

                          I too am a paid subscriber and am seeing the "N/A" for Snort.org rules as well.  I'm going to remove snort and all configuration files and re-add to see if it makes any difference.

                          David

                            DigitalDeviant

                            I just signed up for VRT rules and cannot get them to install after a reinstall and reconfiguration of snort. I'm currently running 2.0.2-RELEASE (amd64).

                            Edit: The issue may lie with my Snort account. I was unable to manually pull 2.9.4.1 rules with my Oinkmaster URL; I got an error saying I was not a subscriber, though I can manually download the 2.9.4.1 rules. I was able to pull 2.9.4.0 via Oinkmaster URL.

                            Edit 2: All problems with my account are cleared and I still cannot automatically download Snort 2.9.4.1 rules.

                            Edit 3: I had to change {$oinkid} in snort_check_for_rule_updates.php with my actual Oinkid. Then it worked.

                              particleman

                              snortrules-snapshot-2941.tar.gz is available to registered (as opposed to pay) users now

                                Supermule

                                Didn't that get updated via the GUI??

                                @DigitalDeviant:

                                I just signed up for VRT rules and cannot get them to install after a reinstall and reconfiguration of snort. I'm currently running 2.0.2-RELEASE (amd64).

                                Edit: The issue may lie with my Snort account. I was unable to manually pull 2.9.4.1 rules with my Oinkmaster URL; I got an error saying I was not a subscriber, though I can manually download the 2.9.4.1 rules. I was able to pull 2.9.4.0 via Oinkmaster URL.

                                Edit 2: All problems with my account are cleared and I still cannot automatically download Snort 2.9.4.1 rules.

                                Edit 3: I had to change {$oinkid} in snort_check_for_rule_updates.php with my actual Oinkid. Then it worked.

                                  DigitalDeviant

                                  @Supermule:

                                  I haven't had time to troubleshoot any further. I have confirmed I have the right Oinkcode in the GUI. Unless I change it in both spots it won't download the MD5 or rules. I don't have the exact errors from the system logs but it seemed like the download link was wrong so I'm guessing that it's not getting the Oinkcode variable. Troubleshooting time is minimal so any ideas on how to proceed would be appreciated.
