Snort 2.9.4.1 pkg v. 2.5.5 Issue(s)
-
On "install packages" it still shows as (even after refresh):
Stable 2.9.4.1 pkg v. 2.5.4 platform: 2.0That will be fixed as soon as I can submit an update to the main package config XML file. Forgot to bump the version number in it when I submitted my changes yesterday.
As for your other error, my first guess is perhaps a Preprocessor issue. For an experiment, turn on ALL the preprocessors except for the Sensitive-Data and the two SCADA ones at the bottom of the Preprocessors tab. Click Save and then go restart Snort. See if it comes up then.
If that still fails, check for a zero-length classification.config file in the Snort interface directories under /usr/pbi/snort-i386/etc/snort.
Report back.
Bill
-
After a lot persistence, I fixed it (uninstalled 2x or 3x, then updated on all those tries).
-
Good to hear it finally worked. My goal is for it to not be so painful, though. Looks like there is still room for improvement… :(
Bill
-
If that still fails, check for a zero-length classification.config file in the Snort interface directories under /usr/pbi/snort-i386/etc/snort.
Report back.
Bill
i had to copy the files over to get snort to work also… but good work on the update
-
i had to copy the files over to get snort to work also… but good work on the update
So far I have been unable to reproduce this problem. Are you guys having this issue with an empty classification.config file using JUST the new Snort GPLv2 rules by chance? They do not include any *.config nor *.map files. Just trying to get a basis for reproducing the problem.
Bill
-
Bill, I did the usual uninstall of Snort and then ran "find /* | grep -i snort | xargs rm -rv" to remove any left over traces of Snort. This time, the list of left over files and directories were a significant amount less than with the previous version, good job Bill. ;)
Reinstalled and Snort was ready to start with newly downloaded rulesets. Previous package required a manual update after installation, good job Bill. :D
Only thing missing was Snort actually starting itself, but I hit the Start toggle and it completed successfully without the errors that i got previously from the empty classification.config file.
Awesome work sir.
-
Bill, I did the usual uninstall of Snort and then ran "find /* | grep -i snort | xargs rm -rv" to remove any left over traces of Snort. This time, the list of left over files and directories were a significant amount less than with the previous version, good job Bill. ;)
Reinstalled and Snort was ready to start with newly downloaded rulesets. Previous package required a manual update after installation, good job Bill. :D
Only thing missing was Snort actually starting itself, but I hit the Start toggle and it completed successfully without the errors that i got previously from the empty classification.config file.
Awesome work sir.
Thank you. I guess the auto-start might be a good idea when reinstalling using previously saved settings. Will discuss that with Ermal for a future update.
Bill
-
i had to copy the files over to get snort to work also… but good work on the update
So far I have been unable to reproduce this problem. Are you guys having this issue with an empty classification.config file using JUST the new Snort GPLv2 rules by chance? They do not include any *.config nor *.map files. Just trying to get a basis for reproducing the problem.
Bill
I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets. I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this:
*/5 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c -
After updating snort and going through all the new settings it throws an error:
snort[32626]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode
I have all but SIP and the three bottom preprocessors enabled.
I have ET and VRT (balanced) rules enabled.For update I did:
Remove with X on Installed Packages
Ran "find /* | grep -i snort | xargs rm -rv"
Installed snort from Available PackagesWhat am I missing? ???
Edit:
Also there's a minor issue with the formatting of the text box for Log Directory Size Limit under General Settings. 3 tab's (?) are added before the value.512 -
Fragged,
You're going to have to go to copy your classification.config file in /usr/pbi/snort-amd64/etc/snort/ and overwrite it to /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/
You can simply go into the GUI and go to Diagnostics/Command and write
cp /usr/pbi/snort-amd64/etc/snort/classification.config /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/
Now try to start Snort and it should start without error.
For anyone else with this issue, you're going to have to place the file in its respective directory for the snort interface you're using, so the directories for the command should be different.
find /* | grep -i classification.config -
I thought I checked the file being populated and not empty, but it seems it was indeed empty and copying it as you suggested let me to start Snort again. :-\
-
Thanks AhnHEL, I had that same issue as fragged and your suggestion solve my problem. I had the below error that prevented snort from starting.
snort[20991]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29778_em3/rules/snort.rules(14640) Unknown rule option: 'ssl_state' -
I couldn't reproduce the issue with empty classification.config with either of my 2.1 VM's snapshot from Thu Apr 11 07:01:06 EDT 2013. Neither VM had Snort installed before. The minor issue with Global Settings -> General Settings -> Log Directory Size Limit - box is there on both boxes.
-
I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets. I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this
Are you still seeing this Cino? I'm not getting this at all using the same rulesets, same cron job.
-
I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets. I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this
Are you still seeing this Cino? I'm not getting this at all using the same rulesets, same cron job.
I did a full re-install of the package this morning.. deleted everything before hand… installed.... then i went each interface main settings page and clicked save... when to global settings... changed remove blocked ip to never, saved; then changed it back to 1 hour, saved.
so far so good.... i've ran the cron job from cmd and its not removing the ip... also, all my interfaces started without copying the classification.config file over
i should had done this the other night, but when snort goes thru changes and if you re-using your old settings... you need to re-save the settings for some reason (i think even a little xml change throws off the settings) Now keep in mind, my settings were first created a couple of years ago... but have gone thru many many tweaks while the pfsense snort package has been maturing.
great work btw!! keep it up....
-
i spoke too soon, its still removing IPs from the block list… I doesn't if you manually run the cron job
-
I just got update in rules and now I see this problem also..
snort[4656]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_33276_em0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode
I run 2.1-BETA1 (amd64)
built on Fri Apr 12 16:46:36 EDT 2013
FreeBSD 8.3-RELEASE-p7Answer to removing all of snort.
http://forum.pfsense.org/index.php/topic,60994.0.html on the top is a command you can remove all.. I had to do this couple days ago for another bug. -
Have you tried to replicate this on i386???
-
I have been unable to reproduce this particular problem on my test machines. The root cause of the error is an empty classification.config file getting copied into the interface sub-directory. The update process (or for some folks, the reinstall) seems to create a zero-length file. The quick fix is to copy the classification.config file from the /usr/local/etc/snort (or /usr/pbi/snort-{arch}/etc/snort if 2.1-BETA machine) to the interface's subdirectory under the main snort directory.
I will look through the code and see if I figure out what might be at fault. This has affected more than one person, so there is something amiss. Just not able to put my finger on it yet.
Bill
-
Out of curiosity I forced an update and it looks like my classification.config file got overwritten to be blank again. Looking at the update logs, ET and Snort VRT were already up to date and the only ruleset to get actually updated was the Community Rules.
It has automatically updated a couple of times in the last 2 days and I haven't had a problem with the classification.config file. Wondering if I just shot myself in the foot by just forcing the update.
Starting rules update... Time: 2013-04-11 00:03:00 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-11 00:03:00 Starting rules update... Time: 2013-04-11 00:03:00 Downloading Snort VRT md5 file... Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-11 00:03:35 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-11 00:06:47 Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-11 00:07:30 Starting rules update... Time: 2013-04-12 00:03:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-12 00:03:01 Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-12 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. There is a new set of Snort GPLv2 Community Rules posted. Downloading... Done downloading Snort GPLv2 Community Rules file. Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Installation of EmergingThreats.org rules completed. Copying new config and map files... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Copying new config and map files... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-12 00:05:11 Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-12 00:05:18 Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-12 00:05:55 Starting rules update... Time: 2013-04-13 00:03:01 Starting rules update... Time: 2013-04-13 00:03:01 Downloading Snort VRT md5 file... Downloading Snort VRT md5 file... Starting rules update... Time: 2013-04-13 00:03:01 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Checking Snort VRT md5 file... There is a new set of Snort VRT rules posted. Downloading... Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. There is a new set of Snort GPLv2 Community Rules posted. Downloading... Done downloading Snort GPLv2 Community Rules file. Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. There is a new set of EmergingThreats rules posted. Downloading... Done downloading EmergingThreats rules file. Extracting and installing EmergingThreats.org rules... Installation of EmergingThreats.org rules completed. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-8-1 ... Installation of Snort VRT rules completed. Copying new config and map files... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules are up to date. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. The Rules update has finished. Time: 2013-04-13 00:06:38 Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-13 00:07:22 Done downloading rules file. Snort VRT rules file download failed. Snort VRT rules will not be updated. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. EmergingThreats md5 file download failed. EmergingThreats rules will not be updated. The Rules update has finished. Time: 2013-04-13 00:07:44 Starting rules update... Time: 2013-04-13 16:15:19 Downloading Snort VRT md5 file... Checking Snort VRT md5 file... Snort VRT rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Checking Snort GPLv2 Community Rules md5. There is a new set of Snort GPLv2 Community Rules posted. Downloading... Done downloading Snort GPLv2 Community Rules file. Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Downloading EmergingThreats md5 file... Checking EmergingThreats md5. Emerging Threats rules are up to date. Copying new config and map files... Updating rules configuration for: WAN ... Restarting Snort to activate the new set of rules... Snort has restarted with your new set of rules. The Rules update has finished. Time: 2013-04-13 16:15:30
