Snort 2.9.4.1 pkg v. 2.5.5 Issue(s)
- 
 Just finished up my other 2 boxes. They all required copying over the classification.config file. All of them are amd64 using 2.1 Beta snapshots so the issue must lie with just those versions if you didn't notice it on your main test VM. Will this get overwritten on a rule update? On a side note, any reason why the Packages list in the GUI still list Snort as 2.5.4? 
- 
 After update, I'm getting this:
 snort[36080]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-i386/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-i386/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
 So many issues from some of last updates, now I'm really afraid to update at all!
- 
 Just finished up my other 2 boxes. They all required copying over the classification.config file. All of them are amd64 using 2.1 Beta snapshots so the issue must lie with just those versions if you didn't notice it on your main test VM.
 I tested on all versions and both platforms (32-bit and 64-bit, 2.0.x and 2.1-BETA). I did removes, reinstall, clean installs and thought I tried every possible combination. I thought I had the problems whipped. Obviously there are some differences in our environments.
 Will this get overwritten on a rule update?
 It should, but it should get overwritten with a good file. You can force an update and see by removing the *.md5 files in the main Snort directory, and then doing an update.
 On a side note, any reason why the Packages list in the GUI still list Snort as 2.5.4?
 Yeah, just realized I bumped the version in only 1 of the 2 files needed. I will submit a Pull Request for the other one this evening. That will fix it.
- 
 I uninstalled and reinstalled; it worked, but if I try to use (enable) SNORT GPLv2 COMMUNITY RULES it stops working:
 php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
 On "install packages" it still shows as (even after refresh):
 Stable 2.9.4.1 pkg v. 2.5.4 platform: 2.0
- 
 After update, I'm getting this:
 snort[36080]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-i386/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-i386/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
 So many issues from some of last updates, now I'm really afraid to update at all!
 Did you do a package delete and then install fresh from the Available Packages tab? Sounds like perhaps not. Until all traces of the old version are gone via that package delete operation, you won't be able to fully kill the reinstall gremlins. Just make sure you check the "Save Settings on Package Removal" box under Global Settings (it's down at the bottom of that page), then click the X icon on the Installed Packages tab to remove Snort. Then, go to the command line directly (or via SSH) and remove the snort directory under /usr/lib (or /usr/pbi/snort-i386/lib/). Then install again from the Available Packages tab. That should work.
 Bill
- 
 On "install packages" it still shows as (even after refresh):
 Stable 2.9.4.1 pkg v. 2.5.4 platform: 2.0
 That will be fixed as soon as I can submit an update to the main package config XML file. Forgot to bump the version number in it when I submitted my changes yesterday. As for your other error, my first guess is perhaps a Preprocessor issue. For an experiment, turn on ALL the preprocessors except for the Sensitive-Data and the two SCADA ones at the bottom of the Preprocessors tab. Click Save and then go restart Snort. See if it comes up then. If that still fails, check for a zero-length classification.config file in the Snort interface directories under /usr/pbi/snort-i386/etc/snort. Report back.
 Bill
- 
 After a lot of persistence, I fixed it (uninstalled 2x or 3x, then updated on all those tries).
- 
 Good to hear it finally worked. My goal is for it to not be so painful, though. Looks like there is still room for improvement… :( Bill 
- 
 If that still fails, check for a zero-length classification.config file in the Snort interface directories under /usr/pbi/snort-i386/etc/snort. Report back. Bill
 I had to copy the files over to get snort to work also… but good work on the update
- 
 I had to copy the files over to get snort to work also… but good work on the update
 So far I have been unable to reproduce this problem. Are you guys having this issue with an empty classification.config file using JUST the new Snort GPLv2 rules by chance? They do not include any *.config nor *.map files. Just trying to get a basis for reproducing the problem.
 Bill
- 
 Bill, I did the usual uninstall of Snort and then ran "find /* | grep -i snort | xargs rm -rv" to remove any left over traces of Snort. This time, the list of left over files and directories were a significant amount less than with the previous version, good job Bill. ;) Reinstalled and Snort was ready to start with newly downloaded rulesets. Previous package required a manual update after installation, good job Bill. :D Only thing missing was Snort actually starting itself, but I hit the Start toggle and it completed successfully without the errors that i got previously from the empty classification.config file. Awesome work sir. 
- 
 Bill, I did the usual uninstall of Snort and then ran "find /* | grep -i snort | xargs rm -rv" to remove any left over traces of Snort. This time, the list of left over files and directories were a significant amount less than with the previous version, good job Bill. ;) Reinstalled and Snort was ready to start with newly downloaded rulesets. Previous package required a manual update after installation, good job Bill. :D Only thing missing was Snort actually starting itself, but I hit the Start toggle and it completed successfully without the errors that I got previously from the empty classification.config file. Awesome work sir.
 Thank you. I guess the auto-start might be a good idea when reinstalling using previously saved settings. Will discuss that with Ermal for a future update.
 Bill
- 
 I had to copy the files over to get snort to work also… but good work on the update
 So far I have been unable to reproduce this problem. Are you guys having this issue with an empty classification.config file using JUST the new Snort GPLv2 rules by chance? They do not include any *.config nor *.map files. Just trying to get a basis for reproducing the problem. Bill
 I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets. I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this:
 */5 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
- 
 After updating snort and going through all the new settings it throws an error:
 snort[32626]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode
 I have all but SIP and the three bottom preprocessors enabled.
 I have ET and VRT (balanced) rules enabled.
 For update I did:
 Remove with X on Installed Packages
 Ran "find /* | grep -i snort | xargs rm -rv"
 Installed snort from Available Packages
 What am I missing? ???
 Edit:
 Also there's a minor issue with the formatting of the text box for Log Directory Size Limit under General Settings. 3 tab's (?) are added before the value.512
- 
 Fragged, you're going to have to copy your classification.config file in /usr/pbi/snort-amd64/etc/snort/ and overwrite it to /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/
 You can simply go into the GUI and go to Diagnostics/Command and write
 cp /usr/pbi/snort-amd64/etc/snort/classification.config /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/
 Now try to start Snort and it should start without error. For anyone else with this issue, you're going to have to place the file in its respective directory for the snort interface you're using, so the directories for the command should be different.
 find /* | grep -i classification.config
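
 The manual copy described above, generalised to every interface directory, as an added example that is not part of the original thread or the Snort package. The function and option names (repair_classification, demo, --demo, --run) are assumptions; the paths are the ones quoted in the posts, and the sample tree in demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Default path is the amd64 one quoted
# above; set SNORT_ETC=/usr/pbi/snort-i386/etc/snort on 32-bit installs.
SNORT_ETC="${SNORT_ETC:-/usr/pbi/snort-amd64/etc/snort}"

# repair_classification BASE
# Copies BASE/classification.config into every BASE/snort_*/ directory whose
# copy is missing or zero-length. Prints the number of files repaired.
# Returns 2 when the master itself is missing or empty (nothing to copy).
repair_classification() {
    base=$1
    master="$base/classification.config"
    repaired=0
    if [ ! -s "$master" ]; then
        echo "master $master is missing or empty" >&2
        return 2
    fi
    for dir in "$base"/snort_*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        target="${dir}classification.config"
        if [ ! -s "$target" ]; then          # absent or zero-length
            cp -p "$master" "$target" || return 1
            echo "repaired $target" >&2
            repaired=$((repaired + 1))
        fi
    done
    echo "$repaired"
}

# demo: builds a constructed tree (two interfaces, one with an empty file)
# in a temp directory and runs the repair against it. Prints "1".
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/snort_2226_em0" "$tmp/snort_29778_em3"
    echo "config classification: protocol-command-decode,Generic Protocol Command Decode,3" \
        > "$tmp/classification.config"
    : > "$tmp/snort_2226_em0/classification.config"       # zero-length
    cp "$tmp/classification.config" "$tmp/snort_29778_em3/"
    repair_classification "$tmp" 2>/dev/null
    rm -rf "$tmp"
}

# --demo uses the constructed tree; --run repairs the tree named by SNORT_ETC.
case "${1:-}" in
    --demo) demo ;;
    --run)  repair_classification "$SNORT_ETC" ;;
esac
```

 A return code of 2 means the master file itself is empty, so there is nothing good to copy into the interface directories.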
- 
 I thought I checked the file being populated and not empty, but it seems it was indeed empty and copying it as you suggested let me start Snort again. :-\
- 
 Thanks AhnHEL, I had that same issue as fragged and your suggestion solved my problem. I had the below error that prevented snort from starting.
 snort[20991]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29778_em3/rules/snort.rules(14640) Unknown rule option: 'ssl_state'
- 
 I couldn't reproduce the issue with empty classification.config with either of my 2.1 VM's snapshot from Thu Apr 11 07:01:06 EDT 2013. Neither VM had Snort installed before. The minor issue with Global Settings -> General Settings -> Log Directory Size Limit - box is there on both boxes. 
- 
 I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets. I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this
 Are you still seeing this Cino? I'm not getting this at all using the same rulesets, same cron job.
- 
 I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets. I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this
 Are you still seeing this Cino? I'm not getting this at all using the same rulesets, same cron job.
 I did a full re-install of the package this morning.. deleted everything beforehand… installed.... then I went to each interface's main settings page and clicked save... went to global settings... changed remove blocked IP to never, saved; then changed it back to 1 hour, saved. So far so good.... I've run the cron job from cmd and it's not removing the IP... also, all my interfaces started without copying the classification.config file over.
 I should have done this the other night, but when snort goes through changes and if you're re-using your old settings... you need to re-save the settings for some reason (I think even a little xml change throws off the settings). Now keep in mind, my settings were first created a couple of years ago... but have gone through many many tweaks while the pfsense snort package has been maturing. Great work btw!! Keep it up....

