Snort 2.9.4.1 pkg v. 2.5.5 Issue(s)
-
Didnt change a thing compared to running it on 2.0.2.
I use identical OINK codes. I guess thats not good?
I am not a paid subscriber, so the GPLv2 rules I believe is not part of the VRT ruleset? -
Didnt change a thing compared to running it on 2.0.2.
I use identical OINK codes. I guess thats not good?
I am not a paid subscriber, so the GPLv2 rules I believe is not part of the VRT ruleset?Gogol is correct about the 15-minute window with Snort VRT. It is a limit imposed by them to limit traffic I guess.
As for the snort.sh script getting overwritten, it is true that several actions in the GUI will cause the generation of a new snort.sh file. For example, adding or deleting an interface, or enabling or disabling Barnyard2 on an interface, are all GUI edits that will cause a new snort.sh file to get created. Not saying you did that, but just go back and check that the snort.sh file still contains the mod you made.
Oh, and Gogol is also correct about the Flowbits syntax error and subsequent FATAL ERROR on startup. That's not related to the issue we've been chasing. There is either a typo in somebody's text rule that came down in one of the updates, or your downloaded file got corrupted somehow. I lean toward option #1 with maybe a typo in the rule.
My production firewall got updates at midnight U.S. Eastern last night for both VRT and ET and restarted with no problems. I run Snort on three interfaces. So the fact this is not affecting everyone makes it hard to nail down for sure. I still think I'm on the right track, though.
Bill -
I will send you info on your mail. Then you can see it "live" :)
-
I will send you info on your mail. Then you can see it "live" :)
OK. I have to be away from my PC for a while. It's currently 9:00 AM where I am, and my wife has me a list of things to take care of before this evening when some family arrives for a weekend visit… ;D
Bill
-
I updated to pfSense 2.0.3 last evening and Snort was updated automatically as well, despite the fact that Snort updates have been problematic for me for several years and, if given a choice, I would never have selected upgrading both Snort and pfSense at the same time.
My issue is the inability to start Snort. Attempting to start from the command-line gives this message: "/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout". Nothing related to snort is being logged in the system log. The new update logs shows that the rules updates were successful. I have removed and reinstalled Snort several times, including manual removals of Snort files and reboots before re-installs. Nothing seems to help.
Any suggestions?
-
Just send you the link and its a 5mn video :)
-
Bill,
I am going to put my posts here so you are not having to go between two topics.. Ok going back into the file today, I see that the sleep command was gone from my edit yesterday. Now, the only thing I can think of is I made a change to the gui and it overwrote the file back at its defaults. This is most likely what caused the fail this morning when I updated my rules manually. So I added the sleep command back and then deleted the md5 files. With snort running I clicked the update rules and it went through successfully without leaving snort in the stopped phase.Right now auto updates are turned off. So I went into the gui and turned them back on daily. I then rechecked the snort sh file and the sleep command is gone again. So my tests on that command not working were skewed since I didnt realize those changes would get removed if I touched the gui.
So since the manual test was successful, I am going to enable the auto updates, then edit the file with the sleep command and see if it works just fine.
-
Bill,
I am going to put my posts here so you are not having to go between two topics.. Ok going back into the file today, I see that the sleep command was gone from my edit yesterday. Now, the only thing I can think of is I made a change to the gui and it overwrote the file back at its defaults. This is most likely what caused the fail this morning when I updated my rules manually. So I added the sleep command back and then deleted the md5 files. With snort running I clicked the update rules and it went through successfully without leaving snort in the stopped phase.Right now auto updates are turned off. So I went into the gui and turned them back on daily. I then rechecked the snort sh file and the sleep command is gone again. So my tests on that command not working were skewed since I didnt realize those changes would get removed if I touched the gui.
So since the manual test was successful, I am going to enable the auto updates, then edit the file with the sleep command and see if it works just fine.
Yeah, I posted in another thread (or maybe this one, I'm losing track… :D) about how certain changes in the GUI will cause the snort.sh shell script to be recreated. This is necessary, for instance, should someone add or delete an interface, or enable or disable Barnyard2 on an interface. Other configuration changes can also trigger the recreation of snort.sh.
I'm working on a permanent fix now.
Bill
-
I updated to pfSense 2.0.3 last evening and Snort was updated automatically as well, despite the fact that Snort updates have been problematic for me for several years and, if given a choice, I would never have selected upgrading both Snort and pfSense at the same time.
My issue is the inability to start Snort. Attempting to start from the command-line gives this message: "/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout". Nothing related to snort is being logged in the system log. The new update logs shows that the rules updates were successful. I have removed and reinstalled Snort several times, including manual removals of Snort files and reboots before re-installs. Nothing seems to help.
Any suggestions?
This error message almost always means you have mixed 32-bit and 64-bit libraries on the system. These "unsupported layout" errors have happened before for many other packages besides just Snort, and each time it's caused by having a mix of 32-bit and 64-bit stuff on a system. In particular this error can happen when 64-bit libs wind up on a 32-bit box. I can't tell you how this might have happened, but I'm pretty sure that's what is wrong now.
You didn't mention in your post whether you were using the 32-bit or 64-bit version of pfSense 2.0.3. From the error, I'm guessing maybe 32-bit pfSense and you have somehow picked up some 64-bit libraries along the way. Did you by chance have any other packages installed besides Snort?
Here is my suggestion for you. Go to the Installed Packages tab and remove Snort by clicking the X icon.
Get command line access to the box and issue the three commands below.
rm -rf /usr/local/etc/snort rm -rf /usr/local/lib/snort rm -rf /usr/local/etc/snortIf possible, now reboot the firewall.
When it comes back up, install Snort again from the Available Packages tab.I still can't guarantee you this will fix it, though. With a mix of 32-bit and 64-bit stuff, I hate to say it but you might be better saving off the configuration and rebuilding the box from a fresh ISO image. Search the forums here for the "unsupported file layout" message and you should find several other posts about it. See what was suggested to those folks for a fix.
Bill
-
Didnt change a thing compared to running it on 2.0.2.
I use identical OINK codes. I guess thats not good?
I am not a paid subscriber, so the GPLv2 rules I believe is not part of the VRT ruleset?No problem using the same OINK code on another box, but an update of the VRT rules will fail if the update is within 15 minutes. You just have to take that into account.
If you are not paying for the VRT rules, you will get a 30 days old ruleset. The GPLv2 ruleset is a subset of the VRT ruleset (http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html), but you get them on the day they are released. -
Guys:
I think I have a good fix for the Snort restart issues after rule updates. I'm testing it out on my own box and on some VMs over the weekend. If all goes well, I will create a Github Pull Request for the pfSense team probably Sunday afternoon or evening. I have some family commitments this weekend that will prohibit me from working on and submitting the request until then.
Sorry for the small delay,
Bill -
Its ok Bill. Enjoy the time with the Family. Thanks for the update!
-
Take it easy mate! Family is more important than Pfsense :)
Enjoy!
Guys:
I think I have a good fix for the Snort restart issues after rule updates. I'm testing it out on my own box and on some VMs over the weekend. If all goes well, I will create a Github Pull Request for the pfSense team probably Sunday afternoon or evening. I have some family commitments this weekend that will prohibit me from working on and submitting the request until then.
Sorry for the small delay,
Bill -
Bill
Just following up. The sleep command did allow my rules to auto update this morning. So this will work until you are able to push out the fix.Thanks.
-
Log after updating ET rules and only "rc_start" mod (no sleep timer). I just have to wait for VRT rules update:
Apr 20 12:04:49 kernel: em0: promiscuous mode enabled Apr 20 12:04:18 kernel: em0: promiscuous mode disabled Apr 20 12:04:17 snort[91873]: SMTP reload: Changing the file_depth requires a restart. Apr 20 12:04:10 barnyard2[92336]: database: Closing connection to database "snort" Apr 20 12:04:10 php: : The Rules update has finished. Apr 20 12:04:10 php: : Snort has restarted with your new set of rules... Apr 20 12:04:08 SnortStartup[94539]: Snort SOFT START For WAN(54477_em0)... Apr 20 12:04:07 php: : Building new sig-msg.map file for WAN... Apr 20 12:03:59 php: : Resolving and auto-enabling any flowbit-required rules for WAN... Apr 20 12:03:51 php: : Updating rules configuration for: WAN ... Apr 20 12:03:50 php: : EmergingThreats rules file update downloaded succsesfully Apr 20 12:03:47 php: : There is a new set of EmergingThreats rules posted. Downloading... Apr 20 12:03:47 php: : Snort VRT rules are up to date... Apr 20 12:03:47 php: : Snort MD5 Attempts: 1Note: barnyard2 does not restart! I left out the other barnyard2 entries and snort.sh has changed. Barnyard2 is closing after the check for the pidfile? This should be fixed too.
-
I setup snort.sh with the "sleep 5" parameter and this is the result.
Apr 21 00:09:43 php: : The Rules update has finished.
Apr 21 00:09:43 php: : Snort has restarted with your new set of rules…
Apr 21 00:09:41 kernel: em0: promiscuous mode enabled
Apr 21 00:09:41 SnortStartup[34589]: Snort START For Internet(9626_em0)…
Apr 21 00:07:50 snort[26316]: Could not remove pid file /var/run/snort_em09626.pid: No such file or directory
Apr 21 00:07:50 snort[26316]: Could not remove pid file /var/run/snort_em09626.pid: No such file or directory
Apr 21 00:07:49 kernel: em0: promiscuous mode disabled
Apr 21 00:07:49 snort[26316]: *** Caught Term-Signal
Apr 21 00:07:49 snort[26316]: *** Caught Term-Signal
Apr 21 00:07:48 SnortStartup[50697]: Snort STOP For Internet(9626_em0)…
Apr 21 00:07:47 php: : Building new sig-msg.map file for WAN...
Apr 21 00:07:45 php: : Resolving and auto-enabling any flowbit-required rules for WAN...
Apr 21 00:07:43 php: : Updating rules configuration for: WAN ...
Apr 21 00:07:42 php: : EmergingThreats rules file update downloaded succsesfully
Apr 21 00:07:40 php: : There is a new set of EmergingThreats rules posted. Downloading...
Apr 21 00:07:38 php: : Snort GPLv2 Community Rules file update downloaded succsesfully
Apr 21 00:07:37 php: : There is a new set of Snort GPLv2 Community Rules posted. Downloading...
Apr 21 00:07:36 php: : Failed Rules Filesize: 0
Apr 21 00:07:36 php: : Snort VRT rules file download failed...
Apr 21 00:07:36 php: : Snort Rules Attempts: 5Snort started as it should and is running fine on BOTH the test box'es.
-
This error message almost always means you have mixed 32-bit and 64-bit libraries on the system. These "unsupported layout" errors have happened before for many other packages besides just Snort, and each time it's caused by having a mix of 32-bit and 64-bit stuff on a system. In particular this error can happen when 64-bit libs wind up on a 32-bit box. I can't tell you how this might have happened, but I'm pretty sure that's what is wrong now.
You didn't mention in your post whether you were using the 32-bit or 64-bit version of pfSense 2.0.3. From the error, I'm guessing maybe 32-bit pfSense and you have somehow picked up some 64-bit libraries along the way. Did you by chance have any other packages installed besides Snort?
Here is my suggestion for you. Go to the Installed Packages tab and remove Snort by clicking the X icon.
Get command line access to the box and issue the three commands below.
rm -rf /usr/local/etc/snort rm -rf /usr/local/lib/snort rm -rf /usr/local/etc/snortIf possible, now reboot the firewall.
When it comes back up, install Snort again from the Available Packages tab.I still can't guarantee you this will fix it, though. With a mix of 32-bit and 64-bit stuff, I hate to say it but you might be better saving off the configuration and rebuilding the box from a fresh ISO image. Search the forums here for the "unsupported file layout" message and you should find several other posts about it. See what was suggested to those folks for a fix.
Bill
this don't solve the problem in my case, snort won't start and doesn't report error on log, what can i do ?
tnx -
Clean install on the box from scratch. Something has fucked your box.
-
clean install all the box ? really ? this isn't Windows…there must be a solution....
how can i start snort from command line ? why i didn't get error on system logs ?
also I have note that snort start on LAN interface, only WAN don't work...so snort install should be right... -
clean install all the box ? really ? this isn't Windows…there must be a solution....
how can i start snort from command line ? why i didn't get error on system logs ?
also I have note that snort start on LAN interface, only WAN don't work...so snort install should be right...If only one interface won't start, then perhaps it is a problem with a preprocessor setting or a bogus rules files somehow.
Try deleting the WAN interface in the Snort settings and recreate it. I'm talking about from the Snort Settings tab, delete WAN interface and then add it back. Make sure that you click Save at the bottom of the page each time. This part is critical, because the startup shell script file gets created and/or modified only when the Save button is clicked. If the file does not get properly updated with all of your interfaces, then it won't know to start some of them.
Do you get no messages at all about Snort trying to start on your WAN interface? You should at least see a line saying "SnortStartup …" for your WAN interface. If you see nothing at all in the system log, then it really sounds like you missed clicking Save somewhere and the proper startup lines in the snort.sh shell script did not get created.
Post the complete contents of the file /usr/local/etc/rc.d/snort.sh (if you are Snort 2.0.x).
If you have 2.1-BETA install, then the file is in /usr/pbi/snort-{arch}/etc/rc.d where {arch} is i386 or amd64.
Bill
