Netgate Discussion Forum

    Snort 2.9.4.1 pkg v. 2.5.5 Issue(s)

    pfSense Packages

      bmeeks

      @Gradius:

      On "install packages" it still shows as (even after refresh):
      Stable 2.9.4.1 pkg v. 2.5.4 platform: 2.0

      That will be fixed as soon as I can submit an update to the main package config XML file.  Forgot to bump the version number in it when I submitted my changes yesterday.

      As for your other error, my first guess is perhaps a Preprocessor issue.  For an experiment, turn on ALL the preprocessors except for the Sensitive-Data and the two SCADA ones at the bottom of the Preprocessors tab.  Click Save and then go restart Snort.  See if it comes up then.

      If that still fails, check for a zero-length classification.config file in the Snort interface directories under /usr/pbi/snort-i386/etc/snort.

      Report back.

      Bill

        Gradius

        After a lot of persistence, I fixed it (uninstalled 2x or 3x, then updated on all those tries).

          bmeeks

          Good to hear it finally worked.  My goal is for it to not be so painful, though.  Looks like there is still room for improvement… :(

          Bill

            Cino

            @bmeeks:

            If that still fails, check for a zero-length classification.config file in the Snort interface directories under /usr/pbi/snort-i386/etc/snort.

            Report back.

            Bill

            I had to copy the files over to get snort to work also… but good work on the update

              bmeeks

              @Cino:

              I had to copy the files over to get snort to work also… but good work on the update

              So far I have been unable to reproduce this problem.  Are you guys having this issue with an empty classification.config file using JUST the new Snort GPLv2 rules by chance?  They do not include any *.config nor *.map files.  Just trying to get a basis for reproducing the problem.

              Bill

                AhnHEL

                Bill, I did the usual uninstall of Snort and then ran "find /* | grep -i snort | xargs rm -rv" to remove any left over traces of Snort.  This time, the list of left over files and directories were a significant amount less than with the previous version, good job Bill.  ;)

                Reinstalled and Snort was ready to start with newly downloaded rulesets.  Previous package required a manual update after installation, good job Bill.  :D

                Only thing missing was Snort actually starting itself, but I hit the Start toggle and it completed successfully without the errors that I got previously from the empty classification.config file.

                Awesome work sir.

                AhnHEL (Angel)

                  bmeeks

                  @AhnHEL:

                  Bill, I did the usual uninstall of Snort and then ran "find /* | grep -i snort | xargs rm -rv" to remove any left over traces of Snort.  This time, the list of left over files and directories were a significant amount less than with the previous version, good job Bill.   ;)

                  Reinstalled and Snort was ready to start with newly downloaded rulesets.  Previous package required a manual update after installation, good job Bill.   :D

                  Only thing missing was Snort actually starting itself, but I hit the Start toggle and it completed successfully without the errors that I got previously from the empty classification.config file.

                  Awesome work sir.

                  Thank you.  I guess the auto-start might be a good idea when reinstalling using previously saved settings.  Will discuss that with Ermal for a future update.

                  Bill

                    Cino

                    @bmeeks:

                    @Cino:

                    I had to copy the files over to get snort to work also… but good work on the update

                    So far I have been unable to reproduce this problem.  Are you guys having this issue with an empty classification.config file using JUST the new Snort GPLv2 rules by chance?  They do not include any *.config nor *.map files.  Just trying to get a basis for reproducing the problem.

                    Bill

                    I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets.  I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this:

                    
                     */5  	*  	*  	*  	*  	root  	/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c 
                    
                    
                      fragged

                      After updating snort and going through all the new settings it throws an error:

                      snort[32626]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode

                      I have all but SIP and the three bottom preprocessors enabled.
                      I have ET and VRT (balanced) rules enabled.

                      For update I did:
                      Remove with X on Installed Packages
                      Ran "find /* | grep -i snort | xargs rm -rv"
                      Installed snort from Available Packages

                      What am I missing?  ???

                      Edit:
                      Also there's a minor issue with the formatting of the text box for Log Directory Size Limit under General Settings. 3 tabs (?) are added before the value.

                      
                      			512
                      
                      
                        AhnHEL

                        Fragged,

                        You're going to have to copy your classification.config file in /usr/pbi/snort-amd64/etc/snort/ and overwrite it to /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/

                        You can simply go into the GUI and go to Diagnostics/Command and write

                        cp /usr/pbi/snort-amd64/etc/snort/classification.config /usr/pbi/snort-amd64/etc/snort/snort_2226_em0/

                        Now try to start Snort and it should start without error.

                        For anyone else with this issue, you're going to have to place the file in its respective directory for the snort interface you're using, so the directories for the command should be different.

                        find /* | grep -i classification.config
                        

                        AhnHEL (Angel)

                          fragged

                          @AhnHEL,

                          I thought I checked the file being populated and not empty, but it seems it was indeed empty and copying it as you suggested let me start Snort again.  :-\

                          1 Reply Last reply Reply Quote 0
                          • P
                            pareddefuego13
                            last edited by

                            Thanks AhnHEL, I had that same issue as fragged and your suggestion solved my problem. I had the below error that prevented snort from starting.

                            
                            snort[20991]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_29778_em3/rules/snort.rules(14640) Unknown rule option: 'ssl_state'
                            
                            
                              fragged

                              I couldn't reproduce the issue with empty classification.config with either of my 2.1 VM's snapshot from Thu Apr 11 07:01:06 EDT 2013. Neither VM had Snort installed before. The minor issue with Global Settings -> General Settings -> Log Directory Size Limit - box is there on both boxes.

                                AhnHEL

                                @Cino:

                                I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets.  I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this

                                Are you still seeing this Cino?  I'm not getting this at all using the same rulesets, same cron job.

                                AhnHEL (Angel)

                                  Cino

                                  @AhnHEL:

                                  @Cino:

                                  I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets.  I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this

                                  Are you still seeing this Cino?  I'm not getting this at all using the same rulesets, same cron job.

                                  I did a full re-install of the package this morning.. deleted everything before hand… installed.... then I went to each interface's main settings page and clicked save... went to global settings... changed remove blocked ip to never, saved; then changed it back to 1 hour, saved.

                                  so far so good.... I've run the cron job from cmd and it's not removing the ip... also, all my interfaces started without copying the classification.config file over

                                  I should have done this the other night, but when snort goes thru changes and if you're re-using your old settings... you need to re-save the settings for some reason (I think even a little xml change throws off the settings) Now keep in mind, my settings were first created a couple of years ago... but have gone thru many many tweaks while the pfsense snort package has been maturing.

                                  great work btw!! keep it up....

                                    Cino

                                    I spoke too soon, it's still removing IPs from the block list… It doesn't if you manually run the cron job

                                      Topper727

                                      I just got an update in rules and now I see this problem also..

                                      snort[4656]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_33276_em0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode

                                      I run 2.1-BETA1 (amd64)
                                      built on Fri Apr 12 16:46:36 EDT 2013
                                      FreeBSD 8.3-RELEASE-p7

                                      Answer to removing all of snort. 
                                      http://forum.pfsense.org/index.php/topic,60994.0.html  on the top is a command you can remove all.. I had to do this couple days ago for another bug.

                                      Dell 2950 g3 server
                                      Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
                                      Current: 2000 MHz, Max: 2667 MHz
                                      8 CPUs: 2 package(s) x 4 core(s)
                                      8152 MiB and 600meg 10k drive
                                      Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

                                        Supermule

                                        Have you tried to replicate this on i386???

                                          bmeeks

                                          I have been unable to reproduce this particular problem on my test machines.  The root cause of the error is an empty classification.config file getting copied into the interface sub-directory.  The update process (or for some folks, the reinstall) seems to create a zero-length file.  The quick fix is to copy the classification.config file from the /usr/local/etc/snort (or /usr/pbi/snort-{arch}/etc/snort if 2.1-BETA machine) to the interface's subdirectory under the main snort directory.

                                          I will look through the code and see if I can figure out what might be at fault.  This has affected more than one person, so there is something amiss.  Just not able to put my finger on it yet.

                                          Bill

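The zero-length-file check and copy fix described by AhnHEL and bmeeks above, as an added shell example (not part of the thread or of the pfSense Snort package). It goes one step further and cross-checks every `classtype:` used by active rules against the definitions in each interface's classification.config, which is the condition behind the `Unknown ClassType` error; the function names and the sample tree are constructed for illustration, and the `snort_*`, `rules` and `preproc_rules` layout is assumed from the paths quoted in the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for per-interface classification.config files.
# Usage: snort_class_check BASE_DIR [fix]
# Prints one finding per line; returns 1 if a finding is left unfixed.

# Short names from "config classification: name,description,priority" lines.
defined_classtypes() {
    sed -n 's/^[[:space:]]*config[[:space:]]*classification:[[:space:]]*\([^,[:space:]]*\)[[:space:]]*,.*/\1/p' "$1"
}

# Classtypes referenced by active (uncommented) rules in one interface directory.
used_classtypes() {
    for f in "$1"/rules/*.rules "$1"/preproc_rules/*.rules; do
        [ -f "$f" ] || continue
        sed -n -e '/^[[:space:]]*#/d' \
               -e 's/.*classtype:[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$f"
    done | sort -u
}

snort_class_check() {
    base=$1; mode=${2:-report}; status=0
    master="$base/classification.config"
    for dir in "$base"/snort_*; do
        [ -d "$dir" ] || continue
        conf="$dir/classification.config"
        if [ ! -s "$conf" ]; then              # missing or zero-length
            if [ "$mode" = fix ] && [ -s "$master" ]; then
                cp "$master" "$conf"           # the copy fix from the thread
                echo "RESTORED $conf"
            else
                echo "EMPTY $conf"
                status=1
                continue
            fi
        fi
        defs=$(defined_classtypes "$conf")
        for ct in $(used_classtypes "$dir"); do
            if ! printf '%s\n' "$defs" | grep -qxF -- "$ct"; then
                echo "UNDEFINED $ct (${dir##*/})"
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed sample tree (not real pfSense data): one healthy interface and
# one with the zero-length file reported in this thread. Prints the tree path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'config classification: protocol-command-decode,Generic Protocol Command Decode,3' \
        'config classification: attempted-recon,Attempted Information Leak,2' \
        > "$t/classification.config"
    for i in snort_1111_em0 snort_2222_em1; do
        mkdir -p "$t/$i/rules" "$t/$i/preproc_rules"
        echo 'alert ( msg:"constructed decoder rule"; sid:1; gid:116; classtype:protocol-command-decode; )' \
            > "$t/$i/preproc_rules/decoder.rules"
        printf '%s\n' \
            '# alert tcp any any -> any any (msg:"disabled"; classtype:not-defined; sid:1000000;)' \
            'alert tcp any any -> any any (msg:"constructed"; classtype:attempted-recon; sid:1000001;)' \
            > "$t/$i/rules/snort.rules"
    done
    cp "$t/classification.config" "$t/snort_1111_em0/"
    : > "$t/snort_2222_em1/classification.config"
    echo "$t"
}

# Stand-alone run: check the directory given as $1, or the constructed demo tree.
if [ $# -gt 0 ]; then
    snort_class_check "$@"
else
    demo=$(make_demo_tree)
    snort_class_check "$demo" || echo "findings above; re-running with 'fix'"
    snort_class_check "$demo" fix
    rm -rf "$demo"
fi
```

Saved as a script, it takes the Snort base directory as its first argument (for the amd64 paths quoted above, `/usr/pbi/snort-amd64/etc/snort`) and an optional `fix` as its second.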
                                            AhnHEL

                                            Out of curiosity I forced an update and it looks like my classification.config file got overwritten to be blank again.  Looking at the update logs, ET and Snort VRT were already up to date and the only ruleset to get actually updated was the Community Rules.

                                            It has automatically updated a couple of times in the last 2 days and I haven't had a problem with the classification.config file.  Wondering if I just shot myself in the foot by just forcing the update.

                                            Starting rules update...  Time: 2013-04-11 00:03:00
                                            	Downloading Snort VRT md5 file...
                                            Starting rules update...  Time: 2013-04-11 00:03:00
                                            Starting rules update...  Time: 2013-04-11 00:03:00
                                            	Downloading Snort VRT md5 file...
                                            	Downloading Snort VRT md5 file...
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	Snort GPLv2 Community Rules are up to date.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	Emerging Threats rules are up to date.
                                            The Rules update has finished.  Time: 2013-04-11 00:03:35
                                            
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	Snort GPLv2 Community Rules are up to date.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	Emerging Threats rules are up to date.
                                            The Rules update has finished.  Time: 2013-04-11 00:06:47
                                            
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	Snort GPLv2 Community Rules are up to date.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	Emerging Threats rules are up to date.
                                            The Rules update has finished.  Time: 2013-04-11 00:07:30
                                            
                                            Starting rules update...  Time: 2013-04-12 00:03:01
                                            	Downloading Snort VRT md5 file...
                                            Starting rules update...  Time: 2013-04-12 00:03:01
                                            	Downloading Snort VRT md5 file...
                                            Starting rules update...  Time: 2013-04-12 00:03:01
                                            	Downloading Snort VRT md5 file...
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	There is a new set of Snort GPLv2 Community Rules posted. Downloading...
                                            	Done downloading Snort GPLv2 Community Rules file.
                                            	Extracting and installing Snort GPLv2 Community Rules...
                                            	Installation of Snort GPLv2 Community Rules completed.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	There is a new set of EmergingThreats rules posted. Downloading...
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	Snort GPLv2 Community Rules are up to date.
                                            	Downloading EmergingThreats md5 file...
                                            	Done downloading EmergingThreats rules file.
                                            	Extracting and installing EmergingThreats.org rules...
                                            	Checking EmergingThreats md5.
                                            	There is a new set of EmergingThreats rules posted. Downloading...
                                            	Installation of EmergingThreats.org rules completed.
                                            	Copying new config and map files...
                                            	Done downloading EmergingThreats rules file.
                                            	Extracting and installing EmergingThreats.org rules...
                                            	Installation of EmergingThreats.org rules completed.
                                            	Copying new config and map files...
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	Snort GPLv2 Community Rules are up to date.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	Emerging Threats rules are up to date.
                                            The Rules update has finished.  Time: 2013-04-12 00:05:11
                                            
                                            	Updating rules configuration for: WAN ...
                                            	Restarting Snort to activate the new set of rules...
                                            	Updating rules configuration for: WAN ...
                                            	Restarting Snort to activate the new set of rules...
                                            	Snort has restarted with your new set of rules.
                                            The Rules update has finished.  Time: 2013-04-12 00:05:18
                                            
                                            	Snort has restarted with your new set of rules.
                                            The Rules update has finished.  Time: 2013-04-12 00:05:55
                                            
                                            Starting rules update...  Time: 2013-04-13 00:03:01
                                            Starting rules update...  Time: 2013-04-13 00:03:01
                                            	Downloading Snort VRT md5 file...
                                            	Downloading Snort VRT md5 file...
                                            Starting rules update...  Time: 2013-04-13 00:03:01
                                            	Downloading Snort VRT md5 file...
                                            	Checking Snort VRT md5 file...
                                            	There is a new set of Snort VRT rules posted. Downloading...
                                            	Checking Snort VRT md5 file...
                                            	There is a new set of Snort VRT rules posted. Downloading...
                                            	Done downloading rules file.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	There is a new set of Snort GPLv2 Community Rules posted. Downloading...
                                            	Done downloading Snort GPLv2 Community Rules file.
                                            	Extracting and installing Snort GPLv2 Community Rules...
                                            	Installation of Snort GPLv2 Community Rules completed.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	There is a new set of EmergingThreats rules posted. Downloading...
                                            	Done downloading EmergingThreats rules file.
                                            	Extracting and installing EmergingThreats.org rules...
                                            	Installation of EmergingThreats.org rules completed.
                                            	Extracting and installing Snort VRT rules...
                                            	Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
                                            	Installation of Snort VRT rules completed.
                                            	Copying new config and map files...
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	Snort GPLv2 Community Rules are up to date.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	Emerging Threats rules are up to date.
                                            The Rules update has finished.  Time: 2013-04-13 00:06:38
                                            
                                            	Updating rules configuration for: WAN ...
                                            	Restarting Snort to activate the new set of rules...
                                            	Snort has restarted with your new set of rules.
                                            The Rules update has finished.  Time: 2013-04-13 00:07:22
                                            
                                            	Done downloading rules file.
                                            	Snort VRT rules file download failed.  Snort VRT rules will not be updated.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	Snort GPLv2 Community Rules md5 file download failed.  Community Rules will not be updated.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	EmergingThreats md5 file download failed.  EmergingThreats rules will not be updated.
                                            The Rules update has finished.  Time: 2013-04-13 00:07:44
                                            
                                            Starting rules update...  Time: 2013-04-13 16:15:19
                                            	Downloading Snort VRT md5 file...
                                            	Checking Snort VRT md5 file...
                                            	Snort VRT rules are up to date.
                                            	Downloading Snort GPLv2 Community Rules md5 file...
                                            	Checking Snort GPLv2 Community Rules md5.
                                            	There is a new set of Snort GPLv2 Community Rules posted. Downloading...
                                            	Done downloading Snort GPLv2 Community Rules file.
                                            	Extracting and installing Snort GPLv2 Community Rules...
                                            	Installation of Snort GPLv2 Community Rules completed.
                                            	Downloading EmergingThreats md5 file...
                                            	Checking EmergingThreats md5.
                                            	Emerging Threats rules are up to date.
                                            	Copying new config and map files...
                                            	Updating rules configuration for: WAN ...
                                            	Restarting Snort to activate the new set of rules...
                                            	Snort has restarted with your new set of rules.
                                            The Rules update has finished.  Time: 2013-04-13 16:15:30
                                            
                                            

                                            AhnHEL (Angel)
