Snort Package 2.5.7 – Issues
-
Please post any issues/problems encountered with the new Snort 2.5.7 package here.
It's most helpful if you provide:
1. pfSense platform and version (2.0.x or 2.1 and 32-bit or 64-bit)
2. Your upgrade procedure: package delete and reinstall, or just package reinstall
Bill
-
I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.
This happens
Apr 26 13:32:45 SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
Apr 26 13:32:41 kernel: em0: promiscuous mode disabled
Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
Apr 26 13:32:40 SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
Apr 26 13:32:36 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 13:32:32 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 13:32:28 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
Apr 26 13:32:28 check_reload_status: Syncing firewall
Go to Services -> Snort and it shows Snort is not running. I click the green button and get this:
Apr 26 13:37:30 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
Apr 26 13:37:29 kernel: em0: promiscuous mode enabled
Apr 26 13:35:43 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 13:35:41 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 13:35:39 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 26 13:35:39 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
Apr 26 13:35:23 kernel: em0: promiscuous mode disabled
Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
Apr 26 13:35:22 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
Apr 26 13:35:22 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
Apr 26 13:35:21 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
Apr 26 13:35:21 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
Apr 26 13:34:35 kernel: em0: promiscuous mode enabled
Apr 26 13:34:35 SnortStartup[43762]: Snort START for Internet(9626_em0)…
Takes a very long time to start Snort.
The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...
2.0.3 x86 and package 2.9.4.1 v.2.5.7
-
> I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.
> This happens
> Apr 26 13:32:45 SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
> Apr 26 13:32:41 kernel: em0: promiscuous mode disabled
> Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
> Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
> Apr 26 13:32:40 SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
> Apr 26 13:32:36 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
> Apr 26 13:32:32 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
> Apr 26 13:32:28 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
> Apr 26 13:32:28 check_reload_status: Syncing firewall
> Go to Services -> Snort and it shows Snort is not running. I click the green button and get this:
> Apr 26 13:37:30 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
> Apr 26 13:37:29 kernel: em0: promiscuous mode enabled
> Apr 26 13:35:43 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
> Apr 26 13:35:41 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
> Apr 26 13:35:39 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
> Apr 26 13:35:39 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
> Apr 26 13:35:23 kernel: em0: promiscuous mode disabled
> Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
> Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
> Apr 26 13:35:22 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
> Apr 26 13:35:22 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
> Apr 26 13:35:21 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
> Apr 26 13:35:21 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
> Apr 26 13:34:35 kernel: em0: promiscuous mode enabled
> Apr 26 13:34:35 SnortStartup[43762]: Snort START for Internet(9626_em0)…
> Takes a very long time to start Snort.
> The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...
> 2.0.3 x86 and package 2.9.4.1 v.2.5.7
No, the log message interface names should not really matter. I will repeat your scenario and see if I can duplicate. Remember that the Services Widget and Services…Snort show two different icon colors for running. On the Services Widget screen, the green arrow icon means "running", while on the Services...Snort screen the red X means running. Ermal changed these quite some time back (last July if I remember correctly).
Bill
-
I know but I have the same on both. The green on Services widget and the red button on the Services -> Snort page…
It says running in the widget but it's not.
And it's on a complete uninstall -> reinstall of Snort.
-
> I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.
> This happens
> Apr 26 13:32:45 SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
> .....
> Apr 26 13:32:28 check_reload_status: Syncing firewall
> Go to Services -> Snort and it shows Snort is not running. I click the green button and get this:
> Apr 26 13:37:30 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
> Apr 26 13:37:29 kernel: em0: promiscuous mode enabled
> Apr 26 13:35:43 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
> Apr 26 13:35:41 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
> .....
> Apr 26 13:34:35 kernel: em0: promiscuous mode enabled
> Apr 26 13:34:35 SnortStartup[43762]: Snort START for Internet(9626_em0)…
> Takes a very long time to start Snort.
> The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...
> 2.0.3 x86 and package 2.9.4.1 v.2.5.7
Supermule:
I tried this on my 2.0.3 i-386 virtual machine multiple times and it worked fine either way. I restarted Snort from the Services Dashboard Widget, and also from the Services…Status menu option. I went into the Snort tabs and made two edits on two different occasions. I enabled two preprocessors one time, and the next time I added a pair of custom SSH ports to the Variables tab. After each edit I restarted Snort successfully from the Services Dashboard Widget.
Just to be 100% sure your Snort shell script is properly constructed, go to your Snort Interfaces tab, click the edit icon to get to the If Settings tab, and click Save. This will force a rebuild of the snort.sh shell script in /usr/local/etc/rc.d on your machine. See if that helps with your problem.
Bill
-
> I know but I have the same on both. The green on Services widget and the red button on the Services -> Snort page…
> It says running in the widget but it's not.
> And it's on a complete uninstall -> reinstall of Snort.
You're confusing me a bit with your first sentence. Green on the Services widget and the red button on the Services -> Snort page both indicate nothing is wrong and Snort is running. Get to a shell prompt and issue this command to see if Snort is really running (and how many times) –
ps -ax | grep snort
You should see one instance of Snort per interface it's enabled for, plus one line just showing the "grep" command.
Bill
-
Did that…
Apr 26 14:12:20 SnortStartup[30714]: Snort STOP for Internet(9626_em0)…
Apr 26 14:12:16 kernel: em0: promiscuous mode disabled
Apr 26 14:12:16 snort[18032]: *** Caught Term-Signal
Apr 26 14:12:16 snort[18032]: *** Caught Term-Signal
Apr 26 14:12:15 SnortStartup[28044]: Snort STOP for Internet(9626_em0)…
Apr 26 14:11:47 check_reload_status: Syncing firewall
I will send you a link to the video so you can see it.
Restarted it from Services -> Snort and:
Apr 26 14:14:56 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
Apr 26 14:14:10 kernel: em0: promiscuous mode enabled
Apr 26 14:14:10 SnortStartup[21860]: Snort START for Internet(9626_em0)…
Apr 26 14:13:09 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 26 14:13:07 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 26 14:13:05 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 26 14:13:05 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
-
> Takes a very long time to start Snort.
> The only difference that I noticed was the change in interface name… From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...
> 2.0.3 x86 and package 2.9.4.1 v.2.5.7
> No, the log message interface names should not really matter.
I thought the interface name always has a random number in front of it?
-
> Takes a very long time to start Snort.
> The only difference that I noticed was the change in interface name… From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...
> 2.0.3 x86 and package 2.9.4.1 v.2.5.7
> No, the log message interface names should not really matter.
> I thought the interface name always has a random number in front of it?
The interface names seen in the Snort package are really a type of artificial construct to grease the skids for running multiple instances of Snort (on a box with multiple NICs) and letting the GUI keep them all straight. You are correct that each interface has a random number associated with it in the Snort files. The Snort GUI calls this the UUID. You can think of it as a simplified version of the GUID on Windows or UNIX boxes. For Snort, it's just usually a 4 or 5 digit number. The real interface, and the only one that matters to the running Snort binary, is the NIC driver such as "em0" or "em1", or "re0", etc.
The Snort GUI code actually stores and keeps track of three things related to interfaces: (1) the real interface such as "em0"; (2) the friendly interface name given in the pfSense setup such as "WAN" or "LAN"; and (3) a descriptive name the user could provide in the Snort setup such as "Internet-Facing". That UUID number gets used when naming the PID file in /var/run upon Snort startup. That's so the GUI code (and the shell script) can find the correct PID for a given Snort interface later on when it wants to shutdown or toggle a specific interface.
Probably more detail than you wanted, but the point is I don't believe the change in the log message interface description is Supermule's problem. I just altered which of those 3 fields I mentioned earlier was printed in the logs.
Bill
-
I think I can partially reproduce Supermule's problem:
Apr 26 22:51:45 kernel: em0: promiscuous mode disabled
Apr 26 22:51:45 snort[31039]: *** Caught Term-Signal
Apr 26 22:51:45 SnortStartup[46963]: Snort START for WAN(54477_em0)...
Apr 26 22:51:44 php: /snort/snort_interfaces.php: Snort STOP for WAN(em0)...
Apr 26 22:51:44 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
Apr 26 22:51:44 kernel: em0: promiscuous mode enabled
Apr 26 22:51:31 SnortStartup[90854]: Snort STOP for WAN(54477_em0)...
Apr 26 22:51:27 kernel: em0: promiscuous mode disabled
Apr 26 22:51:27 snort[49210]: *** Caught Term-Signal
Apr 26 22:51:26 SnortStartup[86273]: Snort STOP for WAN(54477_em0)...
I think Supermule is impatient, because the log above appeared when I restarted snort from the Services Widget, then after the page reloads completely I go fast to Services >> Snort and I see the green arrow (I have to be fast or else I see the red cross). He then thinks snort has not started but it is still starting up and presses the green arrow again.
Supermule, can you try again and wait at least a few minutes? Maybe your system is a little bit slower.
-
> I think I can partially reproduce Supermule's problem:
> Apr 26 22:51:45 kernel: em0: promiscuous mode disabled
> Apr 26 22:51:45 snort[31039]: *** Caught Term-Signal
> Apr 26 22:51:45 SnortStartup[46963]: Snort START for WAN(54477_em0)...
> Apr 26 22:51:44 php: /snort/snort_interfaces.php: Snort STOP for WAN(em0)...
> Apr 26 22:51:44 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
> Apr 26 22:51:44 kernel: em0: promiscuous mode enabled
> Apr 26 22:51:31 SnortStartup[90854]: Snort STOP for WAN(54477_em0)...
> Apr 26 22:51:27 kernel: em0: promiscuous mode disabled
> Apr 26 22:51:27 snort[49210]: *** Caught Term-Signal
> Apr 26 22:51:26 SnortStartup[86273]: Snort STOP for WAN(54477_em0)...
> I think Supermule is impatient, because the log above appeared when I restarted snort from the Services Widget, then after the page reloads completely I go fast to Services >> Snort and I see the green arrow (I have to be fast or else I see the red cross). He then thinks snort has not started but it is still starting up and presses the green arrow again.
> Supermule, can you try again and wait at least a few minutes? Maybe your system is a little bit slower.
This may be a key. Having lots of enabled rules can make Snort take a long time to start. This is caused first by the rules build process now in the Snort package for flowbit resolution and enable/disable SID mods, the rules are then written to the Snort.rules file, and then the actual Snort binary itself cranks up to parse and load all the rules. This can take a while, but I've never seen it go over a minute. More typical in my testing with an Atom 330 processor (not the fastest on the block, for sure) is maybe 45 seconds or so to startup with a full rule set.
Bill
-
> I think Supermule is impatient, because the log above appeared when I restarted snort from the Services Widget, then after the page reloads completely I go fast to Services >> Snort and I see the green arrow (I have to be fast or else I see the red cross). He then thinks snort has not started but it is still starting up and presses the green arrow again.
> Supermule, can you try again and wait at least a few minutes? Maybe your system is a little bit slower.
One other thing I notice on my barely adequate Atom 330 box with Snort running on three interfaces, is the Snort Interfaces tab will many times not display correctly. I get blanks for some values. Sometimes it's fine, but other times I have to hit page refresh in IE several times. I've seen this especially since moving to IE10 a while back. I was seeing this behavior even back in 2.5.5, though. I tried a fix in this current release to help this, but the results are inconsistent. The code currently enters a "foreach()" loop to find each configured interface and query the status of Snort and/or Barnyard2. It then prints the icons and words depending on what it discovers. There is probably a better way to code this.
Bill
-
Snort starts very slowly for me as well. Definitely over a minute. I have VRT Premium and ET rules enabled. Hardware is Intel(R) Xeon(R) CPU E5405 @ 2.00GHz.
Snort started very slowly with the previous version too. Also it occasionally just quits with nothing written in the logs. I suspect it just fails to restart after rules update.
I am running pfSense on physical machine.
Latest version:
2.0.3-RELEASE (amd64)
built on Fri Apr 12 10:27:56 EDT 2013
FreeBSD 8.1-RELEASE-p13
-
@daq:
> Snort starts very slowly for me as well. Definitely over a minute. I have VRT Premium and ET rules enabled. Hardware is Intel(R) Xeon(R) CPU E5405 @ 2.00GHz.
> Snort started very slowly with the previous version too. Also it occasionally just quits with nothing written in the logs. I suspect it just fails to restart after rules update.
I think the new 2.9.4.1 binary is a bit slower to start, and that is coupled with the more CPU-consuming task of generating the flowbit rules and stuff. So the both of them together make startup slower. One thing I did add in 2.5.7 that was not in 2.5.6 and earlier was a rules rebuild whenever you click the Green START icon on the Snort Interfaces tab. However, starting Snort from the Services Widget or following a firewall boot will not rebuild the rules. It just uses what is already in place from the last build.
Folks that are seeing super slow startups or other strange stuff, please report here and include your pfSense version plus whether you are on physical hardware or a virtual machine.
Bill
-
I'm seeing issues with Snort start from the Services widget with Snort interface still showing not running on Services -> Snort. The process is running and I've also seen 2 Snort processes running even though there should only be one as I only have it running on one interface.
I'm running 2.1 beta and 2.5.7 Snort. Below is me stopping Snort twice after noticing the two processes running and then starting Snort from the dashboard services widget. The log shows the pid of the process, right? Now top / ps shows Snort running with pid 85412, even though the last start shows 86320.
Apr 27 02:35:43 SnortStartup[86320]: Snort START for snrtWAN(2226_em0)...
Apr 27 02:35:42 kernel: em0: promiscuous mode enabled
Apr 27 02:34:20 SnortStartup[18875]: Snort STOP for snrtWAN(2226_em0)...
Apr 27 02:33:43 snort[39176]: Could not remove pid file /var/run/snort_em02226.pid: No such file or directory
Apr 27 02:33:43 kernel: em0: promiscuous mode disabled
Apr 27 02:33:43 snort[39176]: *** Caught Term-Signal
Apr 27 02:33:42 SnortStartup[13036]: Snort STOP for snrtWAN(2226_em0)...
Apr 27 02:33:25 snort[59926]: *** Caught Term-Signal
Apr 27 02:33:24 SnortStartup[6827]: Snort STOP for snrtWAN(2226_em0)...
-
> I'm seeing issues with Snort start from the Services widget with Snort interface still showing not running on Services -> Snort. The process is running and I've also seen 2 Snort processes running even though there should only be one as I only have it running on one interface.
> I'm running 2.1 beta and 2.5.7 Snort. Below is me stopping Snort twice after noticing the two processes running and then starting Snort from the dashboard services widget. The log shows the pid of the process, right? Now top / ps shows Snort running with pid 85412, even though the last start shows 86320.
> Apr 27 02:35:43 SnortStartup[86320]: Snort START for snrtWAN(2226_em0)...
> Apr 27 02:35:42 kernel: em0: promiscuous mode enabled
> Apr 27 02:34:20 SnortStartup[18875]: Snort STOP for snrtWAN(2226_em0)...
> Apr 27 02:33:43 snort[39176]: Could not remove pid file /var/run/snort_em02226.pid: No such file or directory
> Apr 27 02:33:43 kernel: em0: promiscuous mode disabled
> Apr 27 02:33:43 snort[39176]: *** Caught Term-Signal
> Apr 27 02:33:42 SnortStartup[13036]: Snort STOP for snrtWAN(2226_em0)...
> Apr 27 02:33:25 snort[59926]: *** Caught Term-Signal
> Apr 27 02:33:24 SnortStartup[6827]: Snort STOP for snrtWAN(2226_em0)...
Try this for me. Stop all Snort processes. Best way is get to the shell prompt and issue
/usr/bin/killall snort
then do
ps -ax |grep snort
to see if any processes remain. Give it time to shut all of them down. If any remain after a couple of minutes, then do
/usr/bin/killall -9 snort
Now go into Snort and click on the Global Settings tab. Scroll down and just click the Save button. You don't have to actually change anything on the page, just click Save. This will rebuild the snort.sh shell script.
Now do either of the following:
1. On the Snort Interfaces tab click the green icon next to Snort
or
2. From the shell prompt, enter this command:
/usr/local/etc/rc.d/snort.sh start
Either of the methods above should start Snort. Option #1 will start Snort only on the clicked-on interface (if you have Snort enabled on more than one), while Option #2 will start Snort on all its configured interfaces. Option #2 (the snort.sh script) is what the Services Widget actually calls. I'm thinking maybe you have an older version of that script that allows starting of Snort more than once on the same interface?? This was an error in logic with that older version. That was fixed in 2.5.7, but it could be yours did not get updated with the rest of the GUI code update.
If you can, post back with the full contents of the /usr/local/etc/rc.d/snort.sh file so I can see what version it is.
Bill
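Bill's explanation of the per-interface PID files and his restart checklist lend themselves to a small health check. The script below is an added example, not the pfSense Snort package's own code or anything posted in this thread; it assumes the snort command line carries `-i <nic>` and that `-R <uuid>` is the Snort option that appends the UUID to the PID file name, and it reads a constructed `ps -ax` sample rather than the live process table.

```shell
#!/bin/sh
# Added example, not code from the pfSense Snort package or from this thread.
# It scripts the two checks described above: `ps -ax | grep snort` should show
# one snort per enabled NIC, and each interface owns a PID file named
# /var/run/snort_<nic><uuid>.pid (e.g. snort_em02226.pid in the log above).
# Assumptions: the snort command line carries `-i <nic>`; the number in a
# "SnortStartup[86320]" syslog tag is the PID of the process that logged the
# line (the startup script), so it is never compared with snort's own PID.

# snort_pids_per_iface PS_TEXT -> "nic count" per interface, sorted by nic.
snort_pids_per_iface() {
    printf '%s\n' "$1" | grep -v grep |
      sed -n 's#^ *\([0-9][0-9]*\) .*/snort .*-i \([^ ]*\).*#\2#p' |
      sort | uniq -c | awk '{ print $2, $1 }'
}

# duplicate_ifaces PS_TEXT -> NICs with more than one snort process, the
# "two Snort processes on one interface" symptom reported in the thread.
duplicate_ifaces() {
    snort_pids_per_iface "$1" | awk '$2 > 1 { print $1 }'
}

# pidfile_status RUNDIR PS_TEXT -> one line per snort_*.pid in RUNDIR:
#   "<file> live <pid>"   the PID in the file is a running snort
#   "<file> stale <pid>"  the file names a PID that is not a running snort
# A snort that lost its PID file only shows up in the per-NIC counts.
pidfile_status() {
    rundir=$1; ps_text=$2
    for f in "$rundir"/snort_*.pid; do
        [ -e "$f" ] || continue
        pid=$(tr -d '[:space:]' < "$f")
        if printf '%s\n' "$ps_text" | grep -v grep | grep -q "^ *$pid .*/snort "
        then echo "$(basename "$f") live $pid"
        else echo "$(basename "$f") stale $pid"
        fi
    done
}

# Constructed sample `ps -ax` output: em0 started twice, em1 once (-R is
# assumed to be the Snort option that adds the UUID to the PID file name).
SAMPLE_PS='  PID  TT  STAT     TIME COMMAND
85412  -  Ss    0:01.23 /usr/local/bin/snort -R 2226 -D -q -i em0 -c /usr/local/etc/snort/snort_2226_em0/snort.conf
86318  -  Ss    0:00.41 /usr/local/bin/snort -R 2226 -D -q -i em0 -c /usr/local/etc/snort/snort_2226_em0/snort.conf
90012  -  Ss    0:00.90 /usr/local/bin/snort -R 54477 -D -q -i em1 -c /usr/local/etc/snort/snort_54477_em1/snort.conf
90100   0  S+    0:00.00 grep snort'

# demo: run the checks against the constructed sample and two fake PID files.
demo() {
    dir=$(mktemp -d)
    echo 85412 > "$dir/snort_em02226.pid"    # live: 85412 is in the sample
    echo 12345 > "$dir/snort_em154477.pid"   # stale: 12345 is not
    echo "snort processes per NIC:"; snort_pids_per_iface "$SAMPLE_PS"
    echo "NICs with duplicates:";    duplicate_ifaces "$SAMPLE_PS"
    echo "PID files:";               pidfile_status "$dir" "$SAMPLE_PS"
    rm -rf "$dir"
}
demo
```

On a real box, replace SAMPLE_PS with `$(ps -ax)` and point pidfile_status at /var/run; a NIC listed by duplicate_ifaces is the case Bill's killall-then-snort.sh-start sequence is meant to clear.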
-
Moved to its own thread, here: http://forum.pfsense.org/index.php/topic,61757.0.html
-
install the filemanager package and there is a DL function built in :)
-
> install the filemanager package and there is a DL function built in :)
Thank you very much ;D
Your speedtest picture in your sig: ARE you a backbone yourself ???
:P
;D
-
I am still having problems with snort blocking whitelisted IPs. I just sent you a PM bmeeks.
Thanks for all your work so far, Snort has consistently been improving with all your hard work and releases! It's greatly appreciated by the community. :)