Snort 2.9.4.1 pkg v. 2.5.6 Issue(s)
-
Everything is running as it should on 2.5.6 :)
Good to hear. I'm about ready to submit the Pull Request for my 2.5.7 update that solves all the open issues I posted earlier plus a handful of small nits I discovered during testing of my other fixes.
I also found some boo-boos in the rules update code where some string variables were not properly escaped with {} when used in quotes. While in there I decided to make the verification of the downloaded rules files a little more robust. The old code which I inherited simply looked at the downloaded file size, and if greater than a set amount, it assumed the file was OK to unpack and use. I changed that to now calculate the MD5 hash of the downloaded rules file and compare that to the posted MD5 hash from the origin web site. Only if they match is the file then unpacked and the rules within it used to update the system. This new verification process is performed for all the rule sets (Snort VRT, GPLv2 and ET). If there is an MD5 mismatch, it is logged in the new log file viewable from the Updates tab.
I'm going to run through my test battery one time this evening with 2.0.3 and 2.1 machines to see if I can break it with installs, uninstalls and updates. If it survives testing, then I will post the Pull Request Thursday evening U.S. Eastern time.
Bill
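The verify-then-unpack flow Bill describes, written out as an added example in Python rather than the package's own PHP; the tarball, the posted-digest text and the file names are constructed here and are not taken from the Snort package or the rules sites.

```python
import hashlib
import hmac
import io
import re
import tarfile


def parse_posted_md5(text):
    """Pull the 32-hex-digit digest out of a posted .md5 file.
    Accepts both a bare digest and md5sum-style 'digest  filename' lines."""
    m = re.search(r"\b([0-9a-fA-F]{32})\b", text)
    if not m:
        raise ValueError("no MD5 digest found in posted .md5 text")
    return m.group(1).lower()


def verify_rules_tarball(data, posted_md5_text):
    """True only when the downloaded bytes hash to the posted digest."""
    actual = hashlib.md5(data).hexdigest()
    expected = parse_posted_md5(posted_md5_text)
    return hmac.compare_digest(actual, expected)


def unpack_verified_rules(data, posted_md5_text):
    """Verify first, unpack only on a match; return the .rules member names,
    or None on a mismatch (the package logs that case instead of unpacking)."""
    if not verify_rules_tarball(data, posted_md5_text):
        return None
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".rules"):
                names.append(member.name)
    return names


def _build_sample_tarball():
    """Constructed sample input: a tiny gzipped tarball holding one rules file."""
    rule = b'alert tcp any any -> any 80 (msg:"sample rule"; sid:1000001; rev:1;)\n'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("rules/sample.rules")
        info.size = len(rule)
        tar.addfile(info, io.BytesIO(rule))
    return buf.getvalue()


# Constructed stand-ins for the download and the .md5 file posted beside it.
SAMPLE_TARBALL = _build_sample_tarball()
SAMPLE_MD5_TEXT = hashlib.md5(SAMPLE_TARBALL).hexdigest() + "  snortrules-sample.tar.gz\n"
```

Because the digest is fetched from the same site as the tarball, this check catches the truncated or corrupted downloads that a size-only check would let through, but it says nothing about who produced the file.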
-
Does this new version fix snort ignoring the whitelist and blocking whitelisted IPs?
-
Nice thanks Bill!!!
-
That problem should have been fixed back with the release of 2.5.5. It was a problem in the Spoink plugin that does the actual blocking. That has been fixed for about a month now as far as I know. Upgrade to at least the current 2.5.6 version if you are still having the problem.
If you have already upgraded and are still having the issue, then I need some more details. You can PM me if you wish with some additional information if necessary.
Bill
-
Bill, thx for testing the custom.rules issue.
Now I did again what you supposed and pasted the rule from my posting into the custom.rules field -> Saved -> clicked on the rules tab again -> clicked Apply Changes -> stopped interface -> started interface ->
snort[67588]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_48204_vtnet3/rules/custom.rules(1) Unknown rule type: "alert.
Interface did not start. The first space character stops it. I tried it with Chrome and IE. With IE there were no carriage returns in the custom.rules file but I got the same error as above when starting the interface. I am using English language in pfSense but have a German keyboard layout and system. I am using double quotes for the rule.
If I clear the c.r.rules field and click save and apply settings and do "cat custom.rules" on the shell, the old rule is still there. When I open c.r rules in the GUI the old rule is shown again. It seems as if the system would be one step behind the GUI all the time. I think there has been such an issue before but can find it in the forum. Maybe I have more time in the afternoon - it is 8:39 am here and I have to leave for work. This is really weird and maybe I can find some reproducible behaviour.
Alex
-
Thanks for the feedback. If you will PM me and provide your e-mail address, I would like to send you the latest version of the PHP file that actually handles the custom rules save and edit functions. Just curious if it will make any difference. I was using IE 10 for my testing, but the IE version really should not matter. If we can swap e-mail addresses via PM, I would also like you to send me the actual custom.rules file from your system.
Bill
-
FYI. Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve. This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features. This is a GUI update only. The underlying Snort binary itself remains at 2.9.4.1.
Here is a link to the Pull Request: https://github.com/pfsense/pfsense-packages/pull/433
Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7. When it is merged, I will open a new thread containing the Change Log.
Bill
-
One little issue still present for ages is that when you are in the Snort pages,
if you click on the pfsense top left logo you end up with 404 - Not Found
because the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.
-
Got this issue after I had upgraded. In the services widget Snort was running but in the Services -> Snort said it wasn't running. It showed as stated earlier that you needed to start Snort. I did and got this log:
Apr 26 06:40:57 php: /snort/snort_interfaces.php: Snort START for Internet(em0)…
Apr 26 06:39:51 kernel: em0: promiscuous mode enabled
Apr 26 06:39:51 SnortStartup[28731]: Snort START for Internet(9626_em0)…
Apr 26 06:39:10 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 06:39:08 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 06:39:06 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 26 06:39:06 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
Apr 26 06:38:00 SnortStartup[45184]: Snort STOP for Internet(9626_em0)…
Apr 26 06:37:58 SnortStartup[43710]: Snort START for Internet(9626_em0)…
Apr 26 06:37:58 SnortStartup[42872]: Snort STOP for Internet(9626_em0)…
Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] Emerging Threat rules are up to date…
Apr 26 06:37:48 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules are up to date…
Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules are up to date…
Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort MD5 Attempts: 1
Apr 26 06:37:29 check_reload_status: Reloading filter
Apr 26 06:37:27 check_reload_status: Syncing firewall
Apr 26 06:37:26 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Starting Snort using rebuilt configuration…
Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 06:37:22 php: /pkg_mgr_install.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 06:37:20 php: /pkg_mgr_install.php: [Snort] Updating rules configuration for: WAN …
Apr 26 06:37:18 php: /pkg_mgr_install.php: [Snort] The Rules update has finished.
Apr 26 06:37:11 php: /pkg_mgr_install.php: [Snort] EmergingThreats rules file update downloaded successfully
Apr 26 06:37:08 php: /pkg_mgr_install.php: [Snort] There is a new set of EmergingThreats rules posted. Downloading…
Apr 26 06:37:07 php: /pkg_mgr_install.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading…
Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] Snort VRT Rules Attempts: 1
Apr 26 06:36:49 apinger: rrdtool respawning too fast, waiting 300s.
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort VRT rules posted. Downloading…
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Snort MD5 Attempts: 1
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Downloading and updating configured rule types…
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Saved settings detected… rebuilding installation with saved settings...
It came on fine, but not because of the services widget, but manually had to start it under services -> snort despite saying it was running!
-
I don't have this problem, and I haven't seen this reported before. What is your version of snort?
-
I don't have that either… Clear your browser cache!
-
Great job again Bill, I have no reason to start a new topic with 2.5.7 issues yet. I have it running!
-
Pfsense 2.0.3 x86 fresh install with 2.0.1 config restored
which gives me Snort 2.9.4.1 pkg v. 2.5.6
pfsense_ng Theme
I don't think it's a cache problem, I tried with Chrome instead of FF, same thing happens:
go to Services/Snort page and the logo points to https://xxxxx/snort/index.php
Really not a big issue, just annoying ::)
-
can you test without a restore??
Mine is pointing to https://xxxxx/index.php
-
I could, that means doing a fresh install from scratch on another disk
doing a manual config, installing snort etc ….
I might :-\
-
Could be the restore causing issues. Why I don't know, but mine hasn't been restored but built from scratch…
-
I guess building from scratch would gimme the same results as you.
I only have one system so if I find a few hours to spare I might do that.
-
I've reported it a year ago, don't remember where …
Here is another related one http://forum.pfsense.org/index.php/topic,61033.0.html
and http://forum.pfsense.org/index.php/topic,36309.0.html ... I guess a search should highlight the prob ;)
-
Cannot restart it from Services widget as stated.
Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
Apr 26 09:51:11 kernel: em0: promiscuous mode disabled
Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
Apr 26 09:51:10 SnortStartup[17481]: Snort STOP for Internet(36256_em0)…
Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
Apr 26 09:51:06 SnortStartup[62588]: Snort STOP for Internet(36256_em0)…
Apr 26 09:51:02 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 09:50:58 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 09:50:54 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
Has to go into services -> Snort to do it.
Apr 26 09:54:22 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
Apr 26 09:52:57 kernel: em0: promiscuous mode enabled
Apr 26 09:52:57 SnortStartup[61780]: Snort START for Internet(36256_em0)…
Apr 26 09:52:41 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 09:52:39 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 09:52:37 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 26 09:52:37 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...