Snort 2.9.4.1 pkg v. 2.5.6 Issue(s)
-
Bill, thx for testing the custom.rules issue.
Now I did again what you supposed and pasted the rule from my posting into the custom.rules field -> Saved -> clicked on the rules tab again -> clicked Apply Changes -> stopped interface -> started interface ->
snort[67588]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_48204_vtnet3/rules/custom.rules(1) Unknown rule type: "alert.
Interface did not start. The first space character stops ist. I tried it with Chrome and IE. With IE there were no carriage returns in the custom.rules file but I got the same error as above when starting the interface. I am using English language in pfSense but have a German keyboard layout and system. I am using double quotes for the rule.
If I clear the c.r.rules field and click save and apply settings and do "cat custom.rules" on the shell, the old rule ist still there. When I open c.r rules in the GUI the old rule is shown again. It seems as if the system would be one step behind the GUI all the time. I think there has been such an issue before but can find it in the forum. Maybe if have more time in the afternoon - it is 8:39 am here and I have to leave for work. This is really weird and baybe I can find some reproducable behaviour.
Alex
Thanks for the feedback. If you will PM me and provide your e-mail address, I would like to send you the latest version of the PHP file that actually handles the custom rules save and edit functions. Just curious if it will make any difference. I was using IE 10 for my testing, but the IE version really should not matter. If we can swap e-mail addresses via PM, I would also like you to send me the actual custom.rules file from your system.
Bill
-
FYI. Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve. This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features. This is a GUI update only. The underlying Snort binary itself remains at 2.9.4.1.
Here is a link to the Pull Request: https://github.com/pfsense/pfsense-packages/pull/433
Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7. When it is merged, I will open a new thread containing the Change Log.
Bill
-
One little issue still present for ages is that when you are in the Snort pages,
if you click on the pfsense top left logo you end up with 404 - Not Found
because the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages. -
Got this issue after I had upgraded. In the services widget Snort was running but in the Services -> Snort said it wasnt running. It showed as stated earlier that you needed to start Snort. I did and got this log:
pr 26 06:40:57 php: /snort/snort_interfaces.php: Snort START for Internet(em0)…
Apr 26 06:39:51 kernel: em0: promiscuous mode enabled
Apr 26 06:39:51 SnortStartup[28731]: Snort START for Internet(9626_em0)…
Apr 26 06:39:10 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 06:39:08 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 06:39:06 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 26 06:39:06 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
Apr 26 06:38:00 SnortStartup[45184]: Snort STOP for Internet(9626_em0)…
Apr 26 06:37:58 SnortStartup[43710]: Snort START for Internet(9626_em0)…
Apr 26 06:37:58 SnortStartup[42872]: Snort STOP for Internet(9626_em0)…
Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] Emerging Threat rules are up to date…
Apr 26 06:37:48 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules are up to date…
Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules are up to date…
Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort MD5 Attempts: 1
Apr 26 06:37:29 check_reload_status: Reloading filter
Apr 26 06:37:27 check_reload_status: Syncing firewall
Apr 26 06:37:26 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Starting Snort using rebuilt configuration…
Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 06:37:22 php: /pkg_mgr_install.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 06:37:20 php: /pkg_mgr_install.php: [Snort] Updating rules configuration for: WAN …
Apr 26 06:37:18 php: /pkg_mgr_install.php: [Snort] The Rules update has finished.
Apr 26 06:37:11 php: /pkg_mgr_install.php: [Snort] EmergingThreats rules file update downloaded successfully
Apr 26 06:37:08 php: /pkg_mgr_install.php: [Snort] There is a new set of EmergingThreats rules posted. Downloading…
Apr 26 06:37:07 php: /pkg_mgr_install.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading…
Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] Snort VRT Rules Attempts: 1
Apr 26 06:36:49 apinger: rrdtool respawning too fast, waiting 300s.
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort VRT rules posted. Downloading…
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Snort MD5 Attempts: 1
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Downloading and updating configured rule types…
Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Saved settings detected… rebuilding installation with saved settings...It came on fine, but not because of the services widget, but manually had to start it under services -> snort despite saying it was running!
-
One little issue still present for ages is that when you are in the Snort pages,
if you click on the pfsense top left logo you end up with 404 - Not Found
because the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.I don't have this problem, and I haven't seen this reported before. What is your version of snort?
-
I dont have that either….Clear your browser cache!
-
FYI. Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve. This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features. This is a GUI update only. The underlying Snort binary itself remains at 2.9.4.1.
Here is a link to the Pull Request: https://github.com/pfsense/pfsense-packages/pull/433
Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7. When it is merged, I will open a new thread containing the Change Log.
Bill
Great job again Bill, I have no reason to start a new topic with 2.5.7 issues yet. I have it running!
-
Pfsense 2.0.3 x86 fresh install with 2.0.1 config restored
which give me Snort 2.9.4.1 pkg v. 2.5.6
pfsense_ng ThemeI don't think it's a cache problem, I tried with Chrome instead of FF same thing happens
go to Services/Snort page and the logo points to the https://xxxxx/snort/index.phpReally not a big issue, just annoying ::)
-
can you test without a restore??
Mine is pointing to https://xxxxx/index.php
-
can you test without a restore??
Mine is pointing to https://xxxxx/index.php
I could, that means doing and fresh install from scratch on another disk
doing a manual config, installing snort etc ….
I might :-\ -
Could be the restore causing issues. Wh yI dont know, but mine hasnt been restored but build from scratch…
-
I guess building from scratch would gimme the same results as you.
I only have one system so if I find a few hours to spare I might do that. -
I've reported it a year ago, dont remember where …
Here is another related one http://forum.pfsense.org/index.php/topic,61033.0.html
and http://forum.pfsense.org/index.php/topic,36309.0.html ... i guess a search should highlight the prob ;) -
Cannot restart it from Services widget as stated.
Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
Apr 26 09:51:11 kernel: em0: promiscuous mode disabled
Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
Apr 26 09:51:10 SnortStartup[17481]: Snort STOP for Internet(36256_em0)…
Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
Apr 26 09:51:06 SnortStartup[62588]: Snort STOP for Internet(36256_em0)…
Apr 26 09:51:02 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 09:50:58 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 09:50:54 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …Has to go into services -> Snort to do it.
Apr 26 09:54:22 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
Apr 26 09:52:57 kernel: em0: promiscuous mode enabled
Apr 26 09:52:57 SnortStartup[61780]: Snort START for Internet(36256_em0)…
Apr 26 09:52:41 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 09:52:39 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 09:52:37 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 26 09:52:37 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)... -
FYI. Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve. This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features. This is a GUI update only. The underlying Snort binary itself remains at 2.9.4.1.
Here is a link to the Pull Request: https://github.com/pfsense/pfsense-packages/pull/433
Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7. When it is merged, I will open a new thread containing the Change Log.
Bill
Excellent work Bill Thanks!
-
Cannot restart it from Services widget as stated.
Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
Apr 26 09:51:11 kernel: em0: promiscuous mode disabled
Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
Apr 26 09:51:10 SnortStartup[17481]: Snort STOP for Internet(36256_em0)…
Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
Apr 26 09:51:06 SnortStartup[62588]: Snort STOP for Internet(36256_em0)…
Apr 26 09:51:02 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 09:50:58 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 09:50:54 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …Has to go into services -> Snort to do it.
Apr 26 09:54:22 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
Apr 26 09:52:57 kernel: em0: promiscuous mode enabled
Apr 26 09:52:57 SnortStartup[61780]: Snort START for Internet(36256_em0)…
Apr 26 09:52:41 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 09:52:39 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 09:52:37 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 26 09:52:37 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...I will check on this. I'm pretty sure that during my testing runs yesterday with 2.5.7 I started Snort from the Service widget, but I will try again.
Is this problem happening on 2.0.3 or 2.1-BETA?
Bill
-
One little issue still present for ages is that when you are in the Snort pages,
if you click on the pfsense top left logo you end up with 404 - Not Found
because the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.I can't replicate that behavior on my test VMs. It could very well be something held over during upgrades. I'll see if I can research history a bit and identify a possible fix for you. As several others have posted that they do not have the issue, I do think it is something hanging around in your specific configuration someplace.
Bill
-
I haven't experienced this either..
Bill update went fine and everything restarted and is running like it should. :-D Moving over to the new thread now to follow.
