Netgate Discussion Forum

    Snort: Another solution to the rule enable/disable update reset problem

    pfSense Packages
    • bmeeks

      UPDATE

      Found the errant code and fixed it.  The new code is posted as Snort Package version 2.5.5.

      Sorry about that.  It had been there since probably at least version 2.5.3, but I was unaware it wasn't working.

      Bill

      • gogol

        Are you sure that worked?

        I updated the Snort package again with your fix and, as a test, I disabled a rule (now listed in light yellow) in the VRT rules with the IPS policy "balanced" enabled, but when I go to /usr/local/etc/snort/my_snort_sensor/rules/snort.rules it is still listed there.

        BTW I pressed "Apply changes"  ;)

        • CS

          I reinstalled the Snort package (2.5.5), removed all Enable/Disable changes in all categories (Rules tab), enabled some of them again, applied the changes and started Snort… but I still have the same problem.

          I also confirm that the bug has been there for the previous versions too.

          • Comment1: I tried to trigger the signatures I enabled some hours later and now they are firing. :)

          • Comment2: The only prob is that the "Stop" button in "Snort Interfaces" as well as in "Services" doesn't stop the snort service and gives me the following in the System Logs:

          php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''

          • bmeeks

            @gogol:

            Are you sure that worked?

            I updated the Snort package again with your fix and, as a test, I disabled a rule (now listed in light yellow) in the VRT rules with the IPS policy "balanced" enabled, but when I go to /usr/local/etc/snort/my_snort_sensor/rules/snort.rules it is still listed there.

            BTW I pressed "Apply changes"  ;)

            It will still be listed, but should have "#" in front of it to disable, or no "#" to enable.  Using the enable/disable SID function does not remove the rule from the list, but simply comments it out, or removes the comment character, depending on the action.

            I tested this using a couple of random rules in Emerging Threats, but it should work the same for an IPS Policy.

            Bill

            • CS
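Bill's description above (the SID enable/disable function comments a rule out with "#" or strips the "#", and never removes the line) can be verified from the console. This is an added example, not the pfSense Snort package's own PHP code: it takes the snort.rules path as an argument, since the thread notes later that the file lives under /usr/local/etc/snort on pfSense 2.0.x and under /usr/pbi/snort-{arch}/etc/snort on 2.1, and it works on a constructed two-rule sample.

```shell
#!/bin/sh
# Added example, not the pfSense Snort package's own code: inspect and toggle a rule
# by SID in a snort.rules file the way the package's enable/disable SID function is
# described to work: prepend or strip a "#" comment marker, never delete the line.
# Usage: rule_state FILE SID        -> prints enabled | disabled | missing
#        set_rule   FILE SID enable|disable

# Print the state of the rule carrying the given SID (first match only).
rule_state() {
    file=$1; sid=$2
    # Match the exact option "sid:NNN;" so sid 234 does not hit sid 1234.
    line=$(grep -E "sid: ?${sid};" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq '^[[:space:]]*#'; then
        echo disabled
    else
        echo enabled
    fi
}

# Comment out (disable) or uncomment (enable) the matching rule line in place.
# Both edits are idempotent: an already-commented rule is not commented twice.
set_rule() {
    file=$1; sid=$2; action=$3
    case $action in
        disable) sed -i.bak -E "/sid: ?${sid};/ s/^([[:space:]]*)([^#[:space:]])/\1# \2/" "$file" ;;
        enable)  sed -i.bak -E "/sid: ?${sid};/ s/^([[:space:]]*)#[[:space:]]*/\1/" "$file" ;;
        *) echo "usage: set_rule FILE SID enable|disable" >&2; return 2 ;;
    esac
    rm -f "$file.bak"   # -i.bak works on both BSD and GNU sed; drop the backup
}

# Demo on a constructed two-rule sample (not a real ruleset).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
alert tcp any any -> any 80 (msg:"TEST enabled"; sid:1000001; rev:1;)
# alert tcp any any -> any 443 (msg:"TEST disabled"; sid:1000002; rev:1;)
EOF
    set_rule "$tmp" 1000001 disable
    set_rule "$tmp" 1000002 enable
    echo "1000001: $(rule_state "$tmp" 1000001)  1000002: $(rule_state "$tmp" 1000002)"
    rm -f "$tmp"
}
demo
```

Run `rule_state /path/to/snort.rules <SID>` before and after pressing "Apply Changes" to confirm the toggle took effect in the file Snort actually loads.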

              @/CS:

              The only prob is that the "Stop" button in "Snort Interfaces" as well as in "Services" doesn't stop the snort service and gives me the following in the System Logs:

              php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''

              Hi Bill, do you have any comment on this? Any idea maybe?  ???

              • bmeeks

                @/CS:

                @/CS:

                The only prob is that the "Stop" button in "Snort Interfaces" as well as in "Services" doesn't stop the snort service and gives me the following in the System Logs:

                php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''

                Hi Bill, do you have any comment on this? Any idea maybe?  ???

                Do you perhaps have a zombie Snort process?  Have you tried a reboot, or else a manual kill from the console?

                I have not seen this error before.

                Bill

                • gogol

                  @bmeeks:

                  @gogol:

                  Are you sure that worked?

                  I updated the Snort package again with your fix and, as a test, I disabled a rule (now listed in light yellow) in the VRT rules with the IPS policy "balanced" enabled, but when I go to /usr/local/etc/snort/my_snort_sensor/rules/snort.rules it is still listed there.

                  BTW I pressed "Apply changes"  ;)

                  It will still be listed, but should have "#" in front of it to disable, or no "#" to enable.  Using the enable/disable SID function does not remove the rule from the list, but simply comments it out, or removes the comment character, depending on the action.

                  I tested this using a couple of random rules in Emerging Threats, but it should work the same for an IPS Policy.

                  This still does not work on my system. I can see commented rules in /usr/local/etc/snort/my_snort_sensor/rules/snort.rules, but those are the default commented rules from Snort and ET. If I enable a default commented rule (dark yellow), nothing changes either after pressing "Apply Changes". Am I looking at the right file?

                  Edit: I guess I found it. The changes are made in /usr/pbi/snort-i386/etc/snort/my_snort_sensor/rules/snort.rules. But that is not the right place, is it? It should be in /usr/local/etc/snort/my_snort_sensor/rules/snort.rules. Or am I totally wrong?

                  Edit 2: I see now that this all changed in version 2.5.5. Even the configuration file is loaded from this directory in /usr/local/etc/rc.d/snort.sh. I thought that the pbi directory should be left untouched, as it is the directory where packages are situated, and configuration files should not be in there.

                  • bmeeks

                    No, the idea with PBI is that all the files are in the PBI tree.  Packages install themselves into an isolated environment so they do not share stuff with other packages.  Only some symlinks are maintained for now by the package installer to keep some level of compatibility with non-PBI packages.

                    If you are using 2.1 Snort, then /usr/pbi/ is where you look for Snort now.

                    • gogol

                      Thanks for the clarification. I still had the old directories from the previous (2.5.4) installation and I was looking there. That brought some confusion. I uninstalled snort again, removed old directories and installed it again.

                      You are doing a good job!

                      • bmeeks

                        @gogol:

                        Thanks for the clarification. I still had the old directories from the previous (2.5.4) installation and I was looking there. That brought some confusion. I uninstalled snort again, removed old directories and installed it again.

                        You are doing a good job!

                        Yeah, one of the things I added in this latest update was to try and do a better job of "cleaning up" when uninstalling.  Of course, for the initial update from 2.5.4, or any earlier version, to 2.5.5, you will potentially have to do some manual cleanup.  After that, Snort should be a little better at cleaning up.  It will leave some directories in the old locations, but they should be empty of files.

                        For 2.0.x pfSense users, the Snort files are still in /usr/local/etc/snort.  But for 2.1 pfSense users, everything now will be in /usr/pbi/snort-{arch}/etc/snort where {arch} is either i386 or amd64, depending on your platform.

                        Bill

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.