Netgate Discussion Forum

    Snort 2.9.4.6 Pkg v 2.5.9

    pfSense Packages
    203 Posts 28 Posters 119.6k Views
    • gogol

      Ok, for me it is definitely the check for the pid file that messes things up while booting and restarting packages twice as I understand it now. The pid file is written after snort has completely started up and that can take a while. So if the packages are restarted for the second time after a new WAN IP is detected the first snort process is still running without a pid file, so the snort.sh startup script thinks that snort is not running and doesn't stop the first process and just starts a new one. Hence two snort processes.

      Is it possible for the snort.sh script to write a dummy pid file that will be replaced after snort has started up? Or another check?

      • bmeeks

        @gogol:

        Sorry to chime in late.  I am working out of town until the weekend and can't look at this until then.  I think you may be correct about the timing, but you can't really write a dummy file since that is in the hands of the OS. I have not seen this behavior, and apparently it is rare or I would expect lots of posts here with the same problem.  My current theory is perhaps there is something weird in your particular situation.

        Bill

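The race gogol describes above, together with Bill's point that the pid file is written by the daemon and not by the script, can be sidestepped by having the startup script consult the process table instead of the pid file. What follows is an added example written for this thread, not the pfSense Snort package's own snort.sh: it finds Snort instances by their `-i <interface>` argument in `ps -axo pid,command` output (the sample listing, PIDs and config paths below are constructed) and refuses to launch a second copy while one is already running, stopping duplicates first.

```shell
#!/bin/sh
# Added example, not the pfSense Snort package's snort.sh. Decide whether to
# start Snort on an interface from the process table rather than from the pid
# file, which Snort only writes once it has finished initialising. A restart
# that arrives during that window therefore no longer launches a duplicate.
# All paths, PIDs and interface names here are constructed for illustration.

# Constructed stand-in for `ps -axo pid,command` output: two instances on em0
# (the double start from the thread), one on em1, and an unrelated process.
SAMPLE_PS='  PID COMMAND
  812 /usr/local/bin/snort -D -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
  901 /usr/local/bin/snort -D -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
  950 /usr/local/bin/snort -D -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
 1002 grep snort'

# Print the PIDs of snort processes bound to interface $1, reading ps output
# from stdin. The snort binary and its "-i <iface>" argument are visible from
# the moment the process is forked; the pid file is not.
snort_pids_for_iface() {
    awk -v want="$1" '
        $2 ~ /(^|\/)snort$/ {
            for (i = 3; i <= NF; i++)
                if ($i == "-i" && $(i + 1) == want) { print $1; break }
        }'
}

# Classify interface $1 from ps output on stdin. Prints one of:
#   start              no instance running, safe to launch one
#   running <pid>      exactly one instance, leave it alone
#   duplicate <pids>   more than one instance, stop them all before starting
snort_check() {
    iface=$1
    set -- $(snort_pids_for_iface "$iface")
    case $# in
        0) echo "start" ;;
        1) echo "running $1" ;;
        *) echo "duplicate $*" ;;
    esac
}

# Live use (not exercised on the sample): stop every instance on $1, wait for
# them to exit, then run the remaining arguments as the single start command.
# Uses FreeBSD-style ps options, as on pfSense.
snort_restart_iface() {
    iface=$1; shift
    for pid in $(ps -axo pid,command | snort_pids_for_iface "$iface"); do
        kill -TERM "$pid" 2>/dev/null
    done
    # Give the old processes up to 10 seconds to go away before relaunching.
    n=0
    while [ "$(ps -axo pid,command | snort_check "$iface")" != "start" ] && [ "$n" -lt 10 ]; do
        sleep 1; n=$((n + 1))
    done
    if [ "$(ps -axo pid,command | snort_check "$iface")" = "start" ]; then
        "$@"
    else
        echo "snort on $iface did not exit; not starting another" >&2
        return 1
    fi
}

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_PS" | snort_check em0   # duplicate 812 901
printf '%s\n' "$SAMPLE_PS" | snort_check em1   # running 950
printf '%s\n' "$SAMPLE_PS" | snort_check em2   # start
```

Because snort_check works on whatever listing it is fed, it can be tried against a saved `ps` capture from an affected box before it is wired into a restart path; snort_restart_iface is the live variant.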
        • dotOne

          Unfortunately I have the same issue.
          After a reboot Snort is always started twice and sometimes even three times.
          It depends on the machine I run it on.

          On an Atom D525 based machine it's always 2 times and sometimes three;
          on an i5 3.3G machine it's most of the time only a single process.

          It looks like a timing issue indeed.

          • gogol

            @bmeeks:

            Hi Bill,

            I supposed you were away for some time, because I always get a rapid reply from you.
            I have an Atom (N270) based system and a VM on a quad-core i5 (3.1 GHz) with 2 processors dedicated to the VM. Both have this issue.
            This month /etc/rc.newwanip changed on July 5th, and as far as my understanding of PHP goes I think that this caused it:

            
            46	46	  if($g['booting'])
            47	47	    exit;
            48	48	  
             	49	 +/* NOTE: Check #2495 before being smart here */
             	50	 +interface_ipalias_cleanup($interface, "inet4");
             	51	 +
            49	52	  function restart_packages() {
            50	53	    global $oldip, $curwanip, $g;
            51	54	  
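            Review bot: the new `interface_ipalias_cleanup($interface, "inet4");` call sits directly after the `if($g['booting']) exit;` guard, so it now runs on every non-boot invocation of the script before `restart_packages()` is defined and before anything else below it has executed, and the only justification is the comment pointing at #2495, which says nothing about what breaks if the cleanup runs later. Put the actual constraint in the comment (which consumer needs the inet4 aliases gone this early) so the next maintainer does not move it back, and confirm that no code between this point and the old call site still expects the aliases to exist.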
            ...	...	 @@ -97,7 +100,6 @@ system_resolvconf_generate(true);
            97	100	  /* write current WAN IP to file */
            98	101	  file_put_contents("{$g['vardb_path']}/{$interface}_ip", $curwanip);
            99	102	  
            100	 	 -interface_ipalias_cleanup($interface, "inet4");
            101	103	  link_interface_to_vips($interface, "update");
            102	104	  
            103	105	  unset($gre);
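            Review bot: with the call removed here, the cleanup no longer sits between writing the new address to `{$g['vardb_path']}/{$interface}_ip` and `link_interface_to_vips($interface, "update")`; the VIP re-link therefore runs on an interface whose inet4 aliases were removed much earlier in the script, with more code executing in between. The change should come with a check that a WAN IP change still leaves the virtual IPs re-created and that nothing in between re-adds an alias that is now left stale; a one-line comment at this spot noting that the cleanup moved up would also help, since this is where readers will look for it.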
            
            

            Going through my log files I have the double startup of snort process since a day later (not exactly sure).

            • eri--

              Yeah, that's something I am working on.
              It's not the final solution.

              • gogol

                It is good to read that this is acknowledged. Thanks. In the meantime I kill the snort processes after boot and restart them again manually.

                • bmeeks

                  @gogol:

                  I am back home and read the response from Ermal.  If the problem started on July 5 and seems to coincide with a change being made in the pfSense core, I will hold off making any Snort adjustments.

                  Bill

                  • pfSenseRocks

                    I repro multiple snort processes on the latest 2.1 builds as well. What additional information can I provide to help debug this issue and get a solution? Thanks!

                    (attachment: SystemActivity_snort.PNG)

                    • kilthro

                      Has anyone else been experiencing this when Snort tries to update? I've been getting it for a couple of weeks now. I have it set to update once per day automatically, which is around midnight. Should the update run at a different time?
                      I do pay the yearly subscription to Snort. I just have the snort.org rules and Emerging ones enabled. I am guessing it's more of an issue with the Snort site than the app here with pfSense. Just wondering if I was the only one seeing this.

                      Bill, would it be possible, if everyone (mass population) would like it, to have the most recent Snort update entry at the top of the log rather than the bottom? Not a major issue; it would just save me some scrolling, which at times is a P.I.T.A. on a mobile device. No worries if it's left as is; just thought I would ask.

                      system log
                      Aug 4 00:08:03 php: : [Snort] The Rules update has finished.
                      Aug 4 00:08:03 php: : [Snort] Emerging Threat rules are up to date…
                      Aug 4 00:08:02 php: : [Snort] Server returned error code '0'…
                      Aug 4 00:08:02 php: : [Snort] Snort VRT md5 download failed…
                      Aug 4 00:08:02 php: : File 'snortrules-snapshot-2946.tar.gz.md5' download attempts: 4 ...
                      Aug 4 00:07:47 php: : [Snort] Will retry in 15 seconds…
                      Aug 4 00:07:47 php: : [Snort] Rules download error: Empty reply from server
                      Aug 4 00:06:32 php: : [Snort] Will retry in 15 seconds…
                      Aug 4 00:06:32 php: : [Snort] Rules download error: Empty reply from server
                      Aug 4 00:05:17 php: : [Snort] Will retry in 15 seconds…
                      Aug 4 00:05:17 php: : [Snort] Rules download error: Empty reply from server
                      Aug 4 00:04:02 php: : [Snort] Will retry in 15 seconds…
                      Aug 4 00:04:02 php: : [Snort] Rules download error: Empty reply from server

                      Snort update log
                      Starting rules update…  Time: 2013-08-04 00:03:01
                      Downloading Snort VRT md5 file...
                      Snort VRT md5 download failed.
                      Server returned error code '0'.
                      Server error message was 'Empty reply from server'
                      Snort VRT rules will not be updated.
                      Downloading EmergingThreats md5 file...
                      Checking EmergingThreats md5.
                      Emerging Threats rules are up to date.
                      The Rules update has finished.  Time: 2013-08-04 00:08:03

                      • bmeeks

                        @kilthro:

                        I would frequently see this error in my own logs using the default update time of 3 minutes past midnight and 12:03 PM.  Using the new option added in the 2.5.9 update that allows choosing other update times, I've eliminated this error by moving my updates to 1:00 AM and 1:00 PM.  My guess is maybe the default time is frequently hitting some maintenance or backup process on the rules update server at Snort.org.  I don't have anything to back up that supposition, but I can say that after moving my times to an hour later I have not had the issue happen again.

                        As for reordering the logs, I can take a look.  It would complicate the code because now it just appends to the end of the file.  The viewer is just a simple file reader (actually it just copies the contents into a HTML textarea object).  I could add some sorting of the lines prior to display, but it will be tricky due to the formatting.

                        Bill

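The failure Bill explains above is easy to miss operationally: the run ends with `The Rules update has finished`, and the sensor keeps running with whatever VRT rules it already had. The following is an added example, not part of the Snort package, that reads the package's update log and turns the outcome of the most recent run into something a cron job can alert on. It recognises only the message strings quoted in this thread (the failed run above and shinzo's successful run later in the thread are the constructed samples); a VRT "up to date" wording does not appear anywhere in the thread, so that state is reported as unknown, which is an assumption to adjust against a real log.

```shell
#!/bin/sh
# Added example, not part of the pfSense Snort package. Summarise the most
# recent rules update run from the package's update log and flag a run that
# left a rule set un-updated. Message strings are those quoted in the thread;
# both samples below are constructed from the posts.

SAMPLE_FAILED=$(cat <<'EOF'
Starting rules update...  Time: 2013-08-04 00:03:01
Downloading Snort VRT md5 file...
Snort VRT md5 download failed.
Server returned error code '0'.
Server error message was 'Empty reply from server'
Snort VRT rules will not be updated.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
Emerging Threats rules are up to date.
The Rules update has finished.  Time: 2013-08-04 00:08:03
EOF
)

SAMPLE_OK=$(cat <<'EOF'
Starting rules update...  Time: 2013-08-04 17:44:54
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted. Downloading...
Done downloading rules file.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
There is a new set of EmergingThreats rules posted. Downloading...
Done downloading EmergingThreats rules file.
Extracting and installing EmergingThreats.org rules...
Installation of EmergingThreats.org rules completed.
Extracting and installing Snort VRT rules...
Installation of Snort VRT rules completed.
The Rules update has finished.  Time: 2013-08-04 17:45:30
EOF
)

# Read an update log from stdin and print "vrt=<state> et=<state>", where
# state is updated, current, failed or unknown. The log is append-only, so
# counters reset at each "Starting rules update" line and only the last run
# is reported. (No "Snort VRT rules are up to date" string is matched because
# that wording is not in the thread; such a run shows as vrt=unknown.)
update_status() {
    awk '
        /^Starting rules update/                              { vrt = ""; et = "" }
        /Snort VRT rules will not be updated/                 { vrt = "failed" }
        /Installation of Snort VRT rules completed/           { vrt = "updated" }
        /Emerging Threats rules are up to date/               { et = "current" }
        /Installation of EmergingThreats.org rules completed/ { et = "updated" }
        END {
            printf "vrt=%s et=%s\n", (vrt == "" ? "unknown" : vrt),
                                     (et == "" ? "unknown" : et)
        }'
}

# Return 0 when every rule set is updated or current, 1 otherwise, so a cron
# job can mail or log on failure. Takes the update_status line as $1.
update_healthy() {
    case $1 in
        *failed*|*unknown*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_FAILED" | update_status   # vrt=failed et=current
printf '%s\n' "$SAMPLE_OK" | update_status       # vrt=updated et=updated
```

In practice the two functions would be run after the scheduled update against the package's log file, with the exit status of update_healthy driving the alert; treating unknown as unhealthy errs on the side of a false alarm rather than a silently stale rule set.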
                        • bmeeks

                          @pfSenseRocks:

                          According to a post earlier in this thread, Ermal is making some changes to the 2.1 Snapshot code that are likely responsible for this behavior.  It started after a Snapshot update and well after the Snort 2.5.9 package was released.  I have been quite busy the past three weeks and have not had a chance to test this nor investigate in my VMware test environment.  I will see if I can reproduce it.

                          FOLLOW UP: I had a 2.1 Snapshot VM running the July 4 code.  It does not exhibit the multiple Snort processes problem.  I rebooted it several times and only the correct number of Snort processes started (two on this particular VM since I have Snort instances on the WAN side and the LAN side).  Others have reported the odd behavior started with the July 5 update.

                          Bill

                          • kilthro

                            @bmeeks:

                            Thanks Bill! I will move the time to 1 am. I was more concerned if it was just me or if others were seeing it. I appreciate the follow-up on it.

                            On the log issue, it seems like more work than what it's worth. You don't have to worry about it unless you really feel bored. lol

                            • shinzo

                              Starting rules update…  Time: 2013-08-04 17:44:54
                              Downloading Snort VRT md5 file...
                              Checking Snort VRT md5 file...
                              There is a new set of Snort VRT rules posted. Downloading...
                              Done downloading rules file.
                              Downloading EmergingThreats md5 file...
                              Checking EmergingThreats md5.
                              There is a new set of EmergingThreats rules posted. Downloading...
                              Done downloading EmergingThreats rules file.
                              Extracting and installing EmergingThreats.org rules...
                              Installation of EmergingThreats.org rules completed.
                              Extracting and installing Snort VRT rules...
                              Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
                              Installation of Snort VRT rules completed.
                              Copying new config and map files...
                              Updating rules configuration for: WAN ...
                              The Rules update has finished.  Time: 2013-08-04 17:45:30

                              I did a clean install of 2.1 RC-1; I imported a backup file I had of 2.0.3. So my issue is, the Snort package runs fine but I am not getting hits on any of the rule sets. To make sure the rules are working, I do a ShieldsUP scan, which usually does a few nmap scans of my machine, but I don't get hits anymore. I noticed that it's saying freebsd-8-1 for the precompiled instead of 8-3, so I don't know if that might have something to do with it?

                              • kilthro

                                Do you have the rules enabled? Also do you have the block detected port scans enabled? If not, Snort will not be looking for them thus not blocking them.

                                • shinzo

                                  @kilthro:

                                  I had the nmap rules enabled along with the portscan option on.  I just uninstalled Snort with the saved settings.  Started fresh and it is working fine now  8)

                                  • bmeeks

                                    @shinzo:

                                    I noticed that it's saying freebsd-8-1 for the precompiled instead of 8-3, so I don't know if that might have something to do with it?

                                    The only precompiled rules included in current Snort.org rules are for FreeBSD 8.1.  They don't provide 8.3 versions yet.  However, I think it's really only the major version that matters (8.x, for example).

                                    Bill

                                    • Gradius

                                      Just want to say the old bug is back again: it bans my OWN IP after a little while of just looking at some normal websites.

                                      Getting this:
                                      (http_inspect) IIS UNICODE CODEPOINT ENCODING - 08/05/13-22:46:05
                                      (portscan) TCP Portsweep - 08/05/13-22:48:52
                                      (ssp_ssl) Invalid Client HELLO after Server HELLO Detected - 08/05/13-22:55:55

                                      • daniela

                                        I just tried to install snort and I am having trouble getting it to work.

                                        I have an Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned, but my connections do not require much throughput. I have two connections and failover; one WAN is 7M downstream and 0.5 upstream, the other is even less than that, as the 3G mobile signal from indoors is weak. I have currently disconnected the second one from the internet, for checking purposes, so it only talks to a small machine of mine, but I can't even enable Snort there.

                                        I know IDS and IPS are resource intensive, but they should at least start, so that I can figure out the performance requirements.

                                        I attach what I see. If I click the red "x" it waits about 10 min (but the firewall is still passing traffic OK) with the web interface "waiting for reply", and then it reloads the page and I get exactly the same screen.

                                        I know it says new settings won't take effect until the interface restarts, and so I have disabled and re-enabled the wanmobile interface; same thing.

                                        I wonder if I should remove the package and then use a different version of Snort to work with my pfSense 2.0.1?

                                        Thank you so very much

                                        (attachment: Cattura-snort-not-starting.PNG)

                                        • doktornotor

                                          You are trying to @daniela:

                                          I have Alix 2D13 running pfSense 2.0.1-RELEASE (i386) and I know it's underdimensioned but my connections are not requiring much throughput.

                                          No, they are not underdimensioned, they are absolutely unfit for purpose. Stop wasting your time.

                                          • daniela

                                            Thank you a lot for saving me from heartache and a waste of time. I will get something else: can you advise approximate CPU and RAM specs? Theoretical max throughput in the foreseeable lifetime of the box is perhaps 20M per interface (unfortunately it is located in the Internet Desert and there is no fiber anywhere near). Also, what should I expect for disk usage? I am planning to get an SSD if it does not require too much space.

                                            I would get two such boxes, one to run Snort and the other to run Squid. Do you think that is the best policy, or do you think a more powerful appliance doing both would be better?

                                            Low energy consumption is a big plus.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.