    Snort 2.9.4.1 pkg v. 2.5.5 Issue(s)

    pfSense Packages
Topper727

I just got an update in rules and now I see this problem also..

      snort[4656]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_33276_em0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode

      I run 2.1-BETA1 (amd64)
      built on Fri Apr 12 16:46:36 EDT 2013
      FreeBSD 8.3-RELEASE-p7

      Answer to removing all of snort. 
http://forum.pfsense.org/index.php/topic,60994.0.html - at the top is a command with which you can remove all of it. I had to do this a couple of days ago for another bug.

      Dell 2950 g3 server
      Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
      Current: 2000 MHz, Max: 2667 MHz
      8 CPUs: 2 package(s) x 4 core(s)
      8152 MiB and 600meg 10k drive
      Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

Supermule

        Have you tried to replicate this on i386???

bmeeks

I have been unable to reproduce this particular problem on my test machines.  The root cause of the error is an empty classification.config file getting copied into the interface sub-directory.  The update process (or for some folks, the reinstall) seems to create a zero-length file.  The quick fix is to copy the classification.config file from /usr/local/etc/snort (or /usr/pbi/snort-{arch}/etc/snort on a 2.1-BETA machine) to the interface's subdirectory under the main snort directory.

I will look through the code and see if I can figure out what might be at fault.  This has affected more than one person, so there is something amiss.  Just not able to put my finger on it yet.

          Bill

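As an added example (not code from this thread or from the pfSense Snort package), here is a small POSIX shell script that implements the quick fix Bill describes above: it walks the Snort base directory, finds interface sub-directories holding a zero-length classification.config (or reference.config, which a later reply in this thread also reports as empty) and restores them from the non-empty base copy. The directory layout it assumes is the one named in the thread; the function names and the constructed sample layout are hypothetical.

```shell
#!/bin/sh
# Added example, not code from this thread or from the pfSense Snort package.
# Restores zero-length classification.config / reference.config files in the
# Snort interface sub-directories from the non-empty copies in the base
# directory, which is the manual quick fix described in the post above.
#
# Assumed layout (as described in the thread):
#   <base>/classification.config                      <- good copy
#   <base>/snort_<id>_<iface>/classification.config   <- sometimes zero-length
# Function names and the sample layout built below are hypothetical.

# restore_empty_snort_configs <base-dir>
# Prints the number of files restored on stdout; details go to stderr.
restore_empty_snort_configs() {
    base="$1"
    restored=0
    for cfg in classification.config reference.config; do
        src="$base/$cfg"
        if [ ! -s "$src" ]; then
            # A missing or empty base copy cannot be used as a source.
            echo "skip: $src is missing or empty" >&2
            continue
        fi
        for dir in "$base"/snort_*/; do
            [ -d "$dir" ] || continue
            dst="${dir}${cfg}"
            # Only an existing zero-length file is treated as the symptom;
            # -s is true for a file of non-zero size.
            if [ -f "$dst" ] && [ ! -s "$dst" ]; then
                if cp "$src" "$dst"; then
                    echo "restored: $dst" >&2
                    restored=$((restored + 1))
                fi
            fi
        done
    done
    echo "$restored"
}

# make_sample_layout: build a constructed copy of the layout in a temp dir so
# the script can be exercised offline. Prints the temp dir path.
make_sample_layout() {
    root=$(mktemp -d)
    # Constructed sample content, one line in each file's real format.
    printf 'config classification: protocol-command-decode,Generic Protocol Command Decode,3\n' \
        > "$root/classification.config"
    printf 'config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=\n' \
        > "$root/reference.config"
    mkdir "$root/snort_11111_em0" "$root/snort_22222_em1"
    : > "$root/snort_11111_em0/classification.config"   # zero-length: the symptom
    : > "$root/snort_11111_em0/reference.config"        # zero-length: the symptom
    cp "$root/classification.config" "$root/snort_22222_em1/classification.config"  # healthy
    echo "$root"
}

if [ -n "${1:-}" ]; then
    # Real run, e.g.: sh restore_snort_configs.sh /usr/pbi/snort-amd64/etc/snort
    restore_empty_snort_configs "$1"
else
    # Demonstration on the constructed layout.
    demo=$(make_sample_layout)
    restore_empty_snort_configs "$demo"
    rm -rf "$demo"
fi
```

Run it with the Snort base directory for your pfSense version as the only argument; with no argument it demonstrates itself on a throwaway copy of the layout. It deliberately touches only files that exist and are empty, so a healthy interface directory is never overwritten, and it refuses to "restore" from a base copy that is itself empty.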
AhnHEL

            Out of curiosity I forced an update and it looks like my classification.config file got overwritten to be blank again.  Looking at the update logs, ET and Snort VRT were already up to date and the only ruleset to get actually updated was the Community Rules.

            It has automatically updated a couple of times in the last 2 days and I haven't had a problem with the classification.config file.  Wondering if I just shot myself in the foot by just forcing the update.

            Starting rules update...  Time: 2013-04-11 00:03:00
            	Downloading Snort VRT md5 file...
            Starting rules update...  Time: 2013-04-11 00:03:00
            Starting rules update...  Time: 2013-04-11 00:03:00
            	Downloading Snort VRT md5 file...
            	Downloading Snort VRT md5 file...
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	Snort GPLv2 Community Rules are up to date.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	Emerging Threats rules are up to date.
            The Rules update has finished.  Time: 2013-04-11 00:03:35
            
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	Snort GPLv2 Community Rules are up to date.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	Emerging Threats rules are up to date.
            The Rules update has finished.  Time: 2013-04-11 00:06:47
            
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	Snort GPLv2 Community Rules are up to date.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	Emerging Threats rules are up to date.
            The Rules update has finished.  Time: 2013-04-11 00:07:30
            
            Starting rules update...  Time: 2013-04-12 00:03:01
            	Downloading Snort VRT md5 file...
            Starting rules update...  Time: 2013-04-12 00:03:01
            	Downloading Snort VRT md5 file...
            Starting rules update...  Time: 2013-04-12 00:03:01
            	Downloading Snort VRT md5 file...
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	There is a new set of Snort GPLv2 Community Rules posted. Downloading...
            	Done downloading Snort GPLv2 Community Rules file.
            	Extracting and installing Snort GPLv2 Community Rules...
            	Installation of Snort GPLv2 Community Rules completed.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	There is a new set of EmergingThreats rules posted. Downloading...
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	Snort GPLv2 Community Rules are up to date.
            	Downloading EmergingThreats md5 file...
            	Done downloading EmergingThreats rules file.
            	Extracting and installing EmergingThreats.org rules...
            	Checking EmergingThreats md5.
            	There is a new set of EmergingThreats rules posted. Downloading...
            	Installation of EmergingThreats.org rules completed.
            	Copying new config and map files...
            	Done downloading EmergingThreats rules file.
            	Extracting and installing EmergingThreats.org rules...
            	Installation of EmergingThreats.org rules completed.
            	Copying new config and map files...
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	Snort GPLv2 Community Rules are up to date.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	Emerging Threats rules are up to date.
            The Rules update has finished.  Time: 2013-04-12 00:05:11
            
            	Updating rules configuration for: WAN ...
            	Restarting Snort to activate the new set of rules...
            	Updating rules configuration for: WAN ...
            	Restarting Snort to activate the new set of rules...
            	Snort has restarted with your new set of rules.
            The Rules update has finished.  Time: 2013-04-12 00:05:18
            
            	Snort has restarted with your new set of rules.
            The Rules update has finished.  Time: 2013-04-12 00:05:55
            
            Starting rules update...  Time: 2013-04-13 00:03:01
            Starting rules update...  Time: 2013-04-13 00:03:01
            	Downloading Snort VRT md5 file...
            	Downloading Snort VRT md5 file...
            Starting rules update...  Time: 2013-04-13 00:03:01
            	Downloading Snort VRT md5 file...
            	Checking Snort VRT md5 file...
            	There is a new set of Snort VRT rules posted. Downloading...
            	Checking Snort VRT md5 file...
            	There is a new set of Snort VRT rules posted. Downloading...
            	Done downloading rules file.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	There is a new set of Snort GPLv2 Community Rules posted. Downloading...
            	Done downloading Snort GPLv2 Community Rules file.
            	Extracting and installing Snort GPLv2 Community Rules...
            	Installation of Snort GPLv2 Community Rules completed.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	There is a new set of EmergingThreats rules posted. Downloading...
            	Done downloading EmergingThreats rules file.
            	Extracting and installing EmergingThreats.org rules...
            	Installation of EmergingThreats.org rules completed.
            	Extracting and installing Snort VRT rules...
            	Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
            	Installation of Snort VRT rules completed.
            	Copying new config and map files...
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	Snort GPLv2 Community Rules are up to date.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	Emerging Threats rules are up to date.
            The Rules update has finished.  Time: 2013-04-13 00:06:38
            
            	Updating rules configuration for: WAN ...
            	Restarting Snort to activate the new set of rules...
            	Snort has restarted with your new set of rules.
            The Rules update has finished.  Time: 2013-04-13 00:07:22
            
            	Done downloading rules file.
            	Snort VRT rules file download failed.  Snort VRT rules will not be updated.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	Snort GPLv2 Community Rules md5 file download failed.  Community Rules will not be updated.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	EmergingThreats md5 file download failed.  EmergingThreats rules will not be updated.
            The Rules update has finished.  Time: 2013-04-13 00:07:44
            
            Starting rules update...  Time: 2013-04-13 16:15:19
            	Downloading Snort VRT md5 file...
            	Checking Snort VRT md5 file...
            	Snort VRT rules are up to date.
            	Downloading Snort GPLv2 Community Rules md5 file...
            	Checking Snort GPLv2 Community Rules md5.
            	There is a new set of Snort GPLv2 Community Rules posted. Downloading...
            	Done downloading Snort GPLv2 Community Rules file.
            	Extracting and installing Snort GPLv2 Community Rules...
            	Installation of Snort GPLv2 Community Rules completed.
            	Downloading EmergingThreats md5 file...
            	Checking EmergingThreats md5.
            	Emerging Threats rules are up to date.
            	Copying new config and map files...
            	Updating rules configuration for: WAN ...
            	Restarting Snort to activate the new set of rules...
            	Snort has restarted with your new set of rules.
            The Rules update has finished.  Time: 2013-04-13 16:15:30
            
            

            AhnHEL (Angel)

bmeeks

              UPDATE – Never mind the request for info down below.  I think I've found the issue.  It's a logic bug triggered when just the Snort GPLv2 rules update.  I'm not using those, and that's why I have not seen the bug.  I have a paid VRT subscription, and with that there is no need to use the GPLv2 rules as well.

              Let me be sure what I think is the logic flaw is really the only problem, and then I will submit a fix.

              Bill

              ==================================

              If you have not "fixed it already", can you give the timestamp from the empty classification.config file?

              If you have already copied over a fresh file, can you get me the timestamp on the empty file the next time it happens?  Also would be helpful to correlate that with the following information:

              1.  timestamp of classification.config file in the …/etc/snort directory.
              2.  time of the rule update (get from the log file as you showed above).
              3.  timestamp of empty classification.config file in the …/etc/snort/snort_xxxx_xx directory for the interface.

              Thanks,
              Bill

AhnHEL

                Bill, at midnight on the 12th and the 13th, the Community Rules got updated without issue.  Another possible scenario seems to be at play in addition here as well.

                AhnHEL (Angel)

bmeeks

                  I found the logic bug and just submitted a Pull Request to fix it.  Hopefully one of the pfSense developers will see the request and Merge it this weekend.  Once that is done, you can reinstall the package to pick up the fix.  Here is a link to the Pull Request:

                  https://github.com/pfsense/pfsense-packages/pull/426

                  The bug required several things to come together at once in order to be triggered.  It was a function of the rule downloads selected, and then depended on which particular set of enabled rule downloads actually had a new update.  Also happened upon an unrelated copy-and-paste error that might have been responsible for the Barnyard2 problems some folks are seeing (me included).  Fixed it as well, and hopefully it will address the Barnyard2 restart issues after rule updates.

                  You gave me the key clue when you said only the GPLv2 rules updated, and then it broke.  Thanks for the hint!  I replicated your setup with enabled rule sets, and then triggered an update of ONLY the GPLv2 rules.  That gave me the zero-length classification.config and reference.config files in the interface sub-directory.  It didn't take me long then to find the problem.  I tested my fix against the same scenario, and it updated without issue.

                  Bill

fragged

Can you fix the minor bug with the text box in the attached picture. I'm not sure if it has any effect on functionality, but it can cause issues by making you think you had not set it up yet and you end up with odd values in the field.

[attachment: size_in_mb.JPG]

bmeeks

                      @fragged:

Can you fix the minor bug with the text box in the attached picture. I'm not sure if it has any effect on functionality, but it can cause issues by making you think you had not set it up yet and you end up with odd values in the field.

                      I missed that one for the latest push, but will put it in the hopper for the next one.

                      Bill

bmeeks

                        UPDATE – Unknown ClassType: protocol-command-decode error fixed

                        I found and fixed the bug causing the following error:

                        FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_33276_em0/preproc_rules/decoder.rules(1) Unknown ClassType: protocol-command-decode
                        

                        The update was merged around 9:00 PM U.S. Eastern Saturday evening.  The Snort package version was not bumped this time, but you can pick up the change by simply reinstalling the GUI code.

                        From the Installed Packages tab, click either the pkg or xml icons to reinstall the GUI components.  Should be no need to delete the package and reinstall.  The bug was triggered by just the right combination of enabled rule sets and which ones had an available update to download.

                        Once the GUI components reinstall completes, there is one more thing you should do to force a rules file update.  From the Diagnostics menu, choose Edit File.  Browse to your Snort base directory at the following location depending on pfSense version:

                        /usr/local/etc/snort  – pfSense 2.0.x
                        /usr/pbi/snort-{arch}/etc/snort  – pfSense 2.1-BETA

                        where {arch} is either i386 or amd64

                        Open the MD5 files in the directory and simply change the last two digits of the md5 hash to something else and save the file.  Do this for each MD5 rules hash file you see in the directory.

                        When finished, go to the Updates tab and perform an update.  This will force new copies of all your enabled rule sets to be downloaded.

                        Bill

AhnHEL

                          In regards to the md5 files, I just removed them with one command to make things a little easier to force the rules update.

                          rm /usr/pbi/snort-amd64/etc/snort/*.md5
                          

                          Thanks Bill, seems to be working just fine now.

                          AhnHEL (Angel)

Gradius

                            After 4 or more updates I'm still forced to uninstall and reinstall Snort (I never needed to do this before):

                            snort[25337]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-i386/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-i386/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                            
bmeeks

                              @Gradius:

                              After 4 or more updates I'm still forced to uninstall and reinstall Snort (I never needed to do this before):

                              snort[25337]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-i386/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-i386/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                              

                              You seem to have something weird going on in that install.  You are clicking the "X" icon to completely remove the Snort package on the Installed Packages tab, and then going to the Available Packages tab and installing it again, correct?  That error you are posting indicates an incomplete uninstall/reinstall process.  Those files (with -example- in the filenames) are fixed up by the full package installation process.  The fact you keep seeing this error means either that process is not happening, or is not running to conclusion.

                              One thing to try – click the "X" to totally remove Snort.  Then go to the command line and issue this command to completely remove any remaining traces of Snort:

                              rm -rf /usr/pbi/snort-i386
                              

                              Then go to the Available Packages tab and install it fresh.

                              Bill

bmeeks

                                @AhnHEL:

                                In regards to the md5 files, I just removed them with one command to make things a little easier to force the rules update.

                                rm /usr/pbi/snort-amd64/etc/snort/*.md5
                                

                                Thanks Bill, seems to be working just fine now.

                                Yep, your method is faster, but I was posting an alternative for anyone who might be "command-line shy"… ;)

                                Bill

Supermule

                                  Remember to reboot the system after removing Snort before adding it again in the available packages :)

asterix

                                    INSTALLED RULESET SIGNATURES
SNORT.ORG  -->  xxxxxxxxxxxxxxxxxxx
                                    EMERGINGTHREATS.NET  -->  xxxxxxxxxxxxxxxxxxxxxxxx
                                    SNORT GPLv2 COMMUNITY RULES  -->  N/A

                                    Not seeing an update for GPLv2

bmeeks

                                      @asterix:

                                      INSTALLED RULESET SIGNATURES
SNORT.ORG  -->   xxxxxxxxxxxxxxxxxxx
                                      EMERGINGTHREATS.NET  -->   xxxxxxxxxxxxxxxxxxxxxxxx
                                      SNORT GPLv2 COMMUNITY RULES  -->   N/A

                                      Not seeing an update for GPLv2

Did you check and make sure they are enabled on the Global Settings tab?  They default to "OFF", and must be explicitly enabled.  Also, heed the note on that page.  If you have a Snort VRT Paid Subscriber account, you already have all the Community Rules embedded within your paid package, so no need to install them.  If you did, you would have the same rules twice.  On the other hand, if you have only a Free Registered User Snort account, or previously used only the Emerging Threats rules without VRT rules, then enabling the Community Rules is a good idea.

                                      Bill

AhnHEL

What does your Snort Update Log state?  I saw in my own update logs where Snort was down a few days ago at a certain time after midnight and my download failed.  It could just be a download failure on the snort.org side of things which will resolve itself later.

                                        Will take a while Bill before others get used to checking on their update logs as well as the system logs when they have issues.  Great feature to have now, thanks to Bmeeks.

                                        AhnHEL (Angel)

AhnHEL

                                          Looking through my own update logs in response to Asterix' issue I noticed the following:

                                          Starting rules update...  Time: 2013-04-15 00:03:01
                                          	Downloading Snort VRT md5 file...
                                          Starting rules update...  Time: 2013-04-15 00:03:01
                                          	Downloading Snort VRT md5 file...
                                          Starting rules update...  Time: 2013-04-15 00:03:01
                                          	Downloading Snort VRT md5 file...
                                          	Checking Snort VRT md5 file...
                                          	Snort VRT rules are up to date.
                                          	Downloading Snort GPLv2 Community Rules md5 file...
                                          	Checking Snort GPLv2 Community Rules md5.
                                          	Snort GPLv2 Community Rules are up to date.
                                          	Downloading EmergingThreats md5 file...
                                          	Checking EmergingThreats md5.
                                          	Emerging Threats rules are up to date.
                                          The Rules update has finished.  Time: 2013-04-15 00:03:57
                                          
                                          	Checking Snort VRT md5 file...
                                          	Snort VRT rules are up to date.
                                          	Downloading Snort GPLv2 Community Rules md5 file...
                                          	Checking Snort GPLv2 Community Rules md5.
                                          	Snort GPLv2 Community Rules are up to date.
                                          	Downloading EmergingThreats md5 file...
                                          	Checking EmergingThreats md5.
                                          	Emerging Threats rules are up to date.
                                          The Rules update has finished.  Time: 2013-04-15 00:05:31
                                          
                                          	Checking Snort VRT md5 file...
                                          	Snort VRT rules are up to date.
                                          	Downloading Snort GPLv2 Community Rules md5 file...
                                          	Checking Snort GPLv2 Community Rules md5.
                                          	Snort GPLv2 Community Rules are up to date.
                                          	Downloading EmergingThreats md5 file...
                                          	Checking EmergingThreats md5.
                                          	Emerging Threats rules are up to date.
                                          The Rules update has finished.  Time: 2013-04-15 00:06:28
                                          
                                          

Cron only has the 'check for rule updates' command listed once.  I only have Snort running on one interface, and I confirmed there is only one instance of the Snort process running, but it seems to have attempted the download 3x simultaneously last night.  Any thoughts, Bill?

                                          Update:  Looking at my other 2 boxes, they both show two simultaneous attempts at Update time.

                                          AhnHEL (Angel)

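The interleaved "Starting rules update..." lines with identical timestamps in the log above are the signature of several update runs overlapping. As an added example (not code from this thread or from the pfSense Snort package), the shell functions below read an update log of that format on stdin and report every start second that appears more than once, plus how many started runs never logged a matching "finished" line. The log lines embedded in the script are constructed to mirror the format shown in the posts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from this thread or from the pfSense Snort package.
# Detects overlapping rules-update runs in a Snort package update log by
# looking for "Starting rules update" lines that share a timestamp.

# Constructed sample log in the same format as the thread's update logs
# (three runs starting in the same second, then one normal run).
SAMPLE_LOG='Starting rules update...  Time: 2013-04-15 00:03:01
    Downloading Snort VRT md5 file...
Starting rules update...  Time: 2013-04-15 00:03:01
    Downloading Snort VRT md5 file...
Starting rules update...  Time: 2013-04-15 00:03:01
    Checking Snort VRT md5 file...
    Snort VRT rules are up to date.
The Rules update has finished.  Time: 2013-04-15 00:03:57
Starting rules update...  Time: 2013-04-16 00:03:01
    Downloading Snort VRT md5 file...
    Snort VRT rules are up to date.
The Rules update has finished.  Time: 2013-04-16 00:03:40'

# concurrent_starts: log on stdin; prints "<date> <time> <count>" for every
# start second seen more than once. Prints nothing when all runs started at
# distinct seconds, which is the healthy case with a single cron entry.
concurrent_starts() {
    awk '
        /^Starting rules update/ {
            # The timestamp is the last two fields: date and time.
            ts = $(NF-1) " " $NF
            starts[ts]++
        }
        END {
            for (ts in starts)
                if (starts[ts] > 1) print ts, starts[ts]
        }
    ' | sort
}

# unfinished_runs: log on stdin; prints (starts - finished lines). A positive
# number means some runs never reached "The Rules update has finished", e.g.
# because overlapping runs fought over the same files and one died.
unfinished_runs() {
    awk '
        /^Starting rules update/          { s++ }
        /^The Rules update has finished/  { f++ }
        END { print s - f }
    '
}

# Demonstration on the constructed sample; on a real box pipe the package's
# update log (wherever your package version writes it) into the functions.
printf '%s\n' "$SAMPLE_LOG" | concurrent_starts
printf '%s\n' "$SAMPLE_LOG" | unfinished_runs
```

On the sample this reports `2013-04-15 00:03:01 3` and an unfinished count of 2: three runs started in the same second but only one of them logged a finish line, which matches the "attempted the download 3x simultaneously" observation and is what to look for before suspecting the cron entry itself.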
Cino

                                            @AhnHEL:

                                            @Cino:

                                            I'm using Snort Basic VRT Rules, Snort GPLv2, and Emerging Threats rule sets.  I've also noticed that auto blocking is removing IPs after 5 minutes instead of an hour. The cron job looks like this

                                            Are you still seeing this Cino?  I'm not getting this at all using the same rulesets, same cron job.

Anyone else having this issue? IPs are removed from the block list after 5 minutes when the cron job is run. I've checked the snort2c table and they aren't there anymore. Any ideas?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.