Netgate Discussion Forum

    Snort 2.9.4.1 pkg v. 2.5.6 Issue(s)

      bmeeks

      @judex:

      Bill, thx for testing the custom.rules issue.

      Now I did again what you supposed and pasted the rule from my posting into the custom.rules field -> Saved -> clicked on the rules tab again -> clicked Apply Changes -> stopped interface -> started interface ->

      snort[67588]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_48204_vtnet3/rules/custom.rules(1) Unknown rule type: "alert.

      Interface did not start. The first space character stops it. I tried it with Chrome and IE. With IE there were no carriage returns in the custom.rules file but I got the same error as above when starting the interface. I am using English language in pfSense but have a German keyboard layout and system. I am using double quotes for the rule.

      If I clear the c.r.rules field and click save and apply settings and do "cat custom.rules" on the shell, the old rule is still there. When I open c.r rules in the GUI the old rule is shown again. It seems as if the system would be one step behind the GUI all the time. I think there has been such an issue before but can find it in the forum. Maybe if I have more time in the afternoon - it is 8:39 am here and I have to leave for work. This is really weird and maybe I can find some reproducible behaviour.

      Alex

      Thanks for the feedback.  If you will PM me and provide your e-mail address, I would like to send you the latest version of the PHP file that actually handles the custom rules save and edit functions.  Just curious if it will make any difference.  I was using IE 10 for my testing, but the IE version really should not matter.  If we can swap e-mail addresses via PM, I would also like you to send me the actual custom.rules file from your system.

      Bill
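
A byte-level check of a rules file for the symptoms raised in the post above (carriage returns, quote characters, a first token Snort rejects as the rule type), as an added example that is not part of the original posts or of the Snort package code. The function name `lint_rules`, the built-in action list and the sample bytes are assumptions made for illustration.

```python
import re

# Rule actions built into Snort 2.9.x. A site that declares its own
# "ruletype" in snort.conf would need to extend this set (assumption).
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                "drop", "reject", "sdrop"}

# Characters that look like ASCII in a browser text area but are not.
LOOKALIKES = {
    "\u00a0": "no-break space",
    "\u201c": "left typographic quote",
    "\u201d": "right typographic quote",
    "\u201e": "low typographic quote",
    "\ufeff": "byte order mark",
}

# Constructed sample, not the custom.rules file from the thread.
SAMPLE = (
    b'# constructed sample\r\n'
    b'"alert tcp any any -> any 80 (msg:"test"; sid:1000001; rev:1;)\r\n'
    b'alert tcp any any -> any 80 (msg:"ok"; sid:1000002; rev:1;)\n'
    b'alert\xc2\xa0tcp any any -> any 80 (msg:\xe2\x80\x9cx\xe2\x80\x9d; sid:1000003;)\n'
)


def lint_rules(data: bytes):
    """Return a list of (line_number, code, detail) findings for a rules file."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    continued = False  # previous line ended with a backslash continuation
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            findings.append((lineno, "CR", "carriage return at end of line"))
        line = raw.rstrip("\r")
        for ch, name in LOOKALIKES.items():
            if ch in line:
                findings.append((lineno, "NONASCII", name))
        if "\ufffd" in line:
            findings.append((lineno, "ENCODING", "bytes are not valid UTF-8"))
        stripped = line.strip(" \t")
        is_continuation, continued = continued, stripped.endswith("\\")
        if is_continuation or not stripped or stripped.startswith("#"):
            continue
        # Model of the parser: text up to the first ASCII space or tab
        # is taken as the rule type.
        token = re.split(r"[ \t]", stripped, maxsplit=1)[0]
        if token not in RULE_ACTIONS:
            findings.append((lineno, "RULETYPE", f"unknown rule type: {token}"))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in lint_rules(SAMPLE):
        print(f"line {lineno}: {code}: {detail}")
```
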

        bmeeks

        FYI.  Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve.  This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features.  This is a GUI update only.  The underlying Snort binary itself remains at 2.9.4.1.

        Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/433

        Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7.  When it is merged, I will open a new thread containing the Change Log.

        Bill

          RonpfS

          One little issue still present for ages is that when you are in the Snort pages,
          if you click on the pfsense top left logo you end up with 404 - Not Found
          because  the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.

          2.4.5-RELEASE-p1 (amd64)
          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

            Supermule Banned

            Got this issue after I had upgraded. In the services widget Snort was running but in the Services -> Snort said it wasn't running. It showed as stated earlier that you needed to start Snort. I did and got this log:

            pr 26 06:40:57 php: /snort/snort_interfaces.php: Snort START for Internet(em0)…
            Apr 26 06:39:51 kernel: em0: promiscuous mode enabled
            Apr 26 06:39:51 SnortStartup[28731]: Snort START for Internet(9626_em0)…
            Apr 26 06:39:10 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
            Apr 26 06:39:08 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
            Apr 26 06:39:06 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
            Apr 26 06:39:06 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
            Apr 26 06:38:00 SnortStartup[45184]: Snort STOP for Internet(9626_em0)…
            Apr 26 06:37:58 SnortStartup[43710]: Snort START for Internet(9626_em0)…
            Apr 26 06:37:58 SnortStartup[42872]: Snort STOP for Internet(9626_em0)…
            Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] The Rules update has finished.
            Apr 26 06:37:49 php: /snort/snort_download_rules.php: [Snort] Emerging Threat rules are up to date…
            Apr 26 06:37:48 php: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules are up to date…
            Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort VRT rules are up to date…
            Apr 26 06:37:47 php: /snort/snort_download_rules.php: [Snort] Snort MD5 Attempts: 1
            Apr 26 06:37:29 check_reload_status: Reloading filter
            Apr 26 06:37:27 check_reload_status: Syncing firewall
            Apr 26 06:37:26 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
            Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Starting Snort using rebuilt configuration…
            Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
            Apr 26 06:37:24 php: /pkg_mgr_install.php: [Snort] Building new sig-msg.map file for WAN…
            Apr 26 06:37:22 php: /pkg_mgr_install.php: [Snort] Enabling any flowbit-required rules for: WAN…
            Apr 26 06:37:20 php: /pkg_mgr_install.php: [Snort] Updating rules configuration for: WAN …
            Apr 26 06:37:18 php: /pkg_mgr_install.php: [Snort] The Rules update has finished.
            Apr 26 06:37:11 php: /pkg_mgr_install.php: [Snort] EmergingThreats rules file update downloaded successfully
            Apr 26 06:37:08 php: /pkg_mgr_install.php: [Snort] There is a new set of EmergingThreats rules posted. Downloading…
            Apr 26 06:37:07 php: /pkg_mgr_install.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
            Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading…
            Apr 26 06:37:06 php: /pkg_mgr_install.php: [Snort] Snort VRT Rules Attempts: 1
            Apr 26 06:36:49 apinger: rrdtool respawning too fast, waiting 300s.
            Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] There is a new set of Snort VRT rules posted. Downloading…
            Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Snort MD5 Attempts: 1
            Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Downloading and updating configured rule types…
            Apr 26 06:36:22 php: /pkg_mgr_install.php: [Snort] Saved settings detected… rebuilding installation with saved settings...

            It came on fine, but not because of the services widget, but manually had to start it under services -> snort despite saying it was running!

              gogol

              @RonpfS:

              One little issue still present for ages is that when you are in the Snort pages,
              if you click on the pfsense top left logo you end up with 404 - Not Found
              because  the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.

              I don't have this problem, and I haven't seen this reported before. What is your version of snort?

                Supermule Banned

                I don't have that either…. Clear your browser cache!

                  gogol

                  @bmeeks:

                  FYI.  Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve.  This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features.  This is a GUI update only.  The underlying Snort binary itself remains at 2.9.4.1.

                  Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/433

                  Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7.  When it is merged, I will open a new thread containing the Change Log.

                  Bill

                  Great job again Bill, I have no reason to start a new topic with 2.5.7 issues yet. I have it running!

                    RonpfS

                    Pfsense 2.0.3 x86 fresh install with 2.0.1 config restored
                    which gives me Snort 2.9.4.1 pkg v. 2.5.6
                    pfsense_ng Theme

                    I don't think it's a cache problem, I tried with Chrome instead of FF same thing happens
                    go to Services/Snort page and the logo points to the  https://xxxxx/snort/index.php

                    Really not a big issue, just annoying  ::)

                      Supermule Banned

                      Can you test without a restore?

                      Mine is pointing to https://xxxxx/index.php

                        RonpfS

                        @Supermule:

                        Can you test without a restore?

                        Mine is pointing to https://xxxxx/index.php

                        I could, that means doing a fresh install from scratch on another disk
                        doing a manual config, installing snort etc ….
                        I might  :-\

                          Supermule Banned

                          Could be the restore causing issues. Why I don't know, but mine hasn't been restored but built from scratch…

                            RonpfS

                            I guess building from scratch would gimme the same results as you.
                            I only have one system so if I find a few hours to spare I might do that.

                              RonpfS

                              I've reported it a year ago, don't remember where …
                              Here is another related one http://forum.pfsense.org/index.php/topic,61033.0.html
                              and http://forum.pfsense.org/index.php/topic,36309.0.html ... I guess a search should highlight the prob  ;)

                                Supermule Banned

                                Cannot restart it from Services widget as stated.

                                Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
                                Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
                                Apr 26 09:51:11 kernel: em0: promiscuous mode disabled
                                Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
                                Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
                                Apr 26 09:51:10 SnortStartup[17481]: Snort STOP for Internet(36256_em0)…
                                Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
                                Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
                                Apr 26 09:51:06 SnortStartup[62588]: Snort STOP for Internet(36256_em0)…
                                Apr 26 09:51:02 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
                                Apr 26 09:50:58 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
                                Apr 26 09:50:54 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …

                                Has to go into services -> Snort to do it.

                                Apr 26 09:54:22 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
                                Apr 26 09:52:57 kernel: em0: promiscuous mode enabled
                                Apr 26 09:52:57 SnortStartup[61780]: Snort START for Internet(36256_em0)…
                                Apr 26 09:52:41 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
                                Apr 26 09:52:39 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
                                Apr 26 09:52:37 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
                                Apr 26 09:52:37 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...

                                  kilthro

                                  @bmeeks:

                                  FYI.  Just submitted the Pull Request on Github for Ermal and the pfSense team to review and approve.  This request updates the Snort package to 2.5.7 and contains a number of bug fixes for the issues reported in this thread along with several enhancements and new features.  This is a GUI update only.  The underlying Snort binary itself remains at 2.9.4.1.

                                  Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/433

                                  Once approved by the pfSense team and merged into the master repository, the update will appear on your Installed Packages tab as 2.5.7.  When it is merged, I will open a new thread containing the Change Log.

                                  Bill

                                  Excellent work, Bill. Thanks!

                                    bmeeks

                                    @Supermule:

                                    Cannot restart it from Services widget as stated.

                                    Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
                                    Apr 26 09:51:11 snort[38724]: Could not remove pid file /var/run/snort_em036256.pid: No such file or directory
                                    Apr 26 09:51:11 kernel: em0: promiscuous mode disabled
                                    Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
                                    Apr 26 09:51:11 snort[38724]: *** Caught Term-Signal
                                    Apr 26 09:51:10 SnortStartup[17481]: Snort STOP for Internet(36256_em0)…
                                    Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
                                    Apr 26 09:51:07 snort[40003]: *** Caught Term-Signal
                                    Apr 26 09:51:06 SnortStartup[62588]: Snort STOP for Internet(36256_em0)…
                                    Apr 26 09:51:02 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
                                    Apr 26 09:50:58 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
                                    Apr 26 09:50:54 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …

                                    Has to go into services -> Snort to do it.

                                    Apr 26 09:54:22 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
                                    Apr 26 09:52:57 kernel: em0: promiscuous mode enabled
                                    Apr 26 09:52:57 SnortStartup[61780]: Snort START for Internet(36256_em0)…
                                    Apr 26 09:52:41 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
                                    Apr 26 09:52:39 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
                                    Apr 26 09:52:37 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
                                    Apr 26 09:52:37 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...

                                    I will check on this. I'm pretty sure that during my testing runs yesterday with 2.5.7 I started Snort from the Service widget, but I will try again.

                                    Is this problem happening on 2.0.3 or 2.1-BETA?

                                    Bill

                                      bmeeks

                                      @RonpfS:

                                      One little issue still present for ages is that when you are in the Snort pages,
                                      if you click on the pfsense top left logo you end up with 404 - Not Found
                                      because  the link points to https://xxxxx/snort/index.php instead of https://xxxxx/index.php on any other pages.

                                      I can't replicate that behavior on my test VMs.  It could very well be something held over during upgrades.  I'll see if I can research history a bit and identify a possible fix for you.  As several others have posted that they do not have the issue, I do think it is something hanging around in your specific configuration someplace.

                                      Bill

                                        kilthro

                                        I haven't experienced this either..

                                        Bill update went fine and everything restarted and is running like it should. :-D Moving over to the new thread now to follow.
