Netgate Discussion Forum

    Snort 2.9.4.6 pkg v2.6.0 Update

    pfSense Packages
    61 Posts 16 Posters 17.0k Views
      kejianshi

      Well - If the Cisco acquisition of SNORT affects things and 90% or so of the group goes with Cisco, then get a new group.  Call it something else and continue on.  SNIFF (TM) is a good name…

      And if the band you're in starts playing different tunes...

        bmeeks

        @newbieuser1234:

        Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?

        No I don't, but I also don't think it is necessarily on a regularly scheduled basis.  I really don't know much about that process.  Guess I need to dig in and learn.

        Bill

          Supermule Banned

          I get this when trying to upgrade a 2.0.3 box…

          Beginning package installation for snort...
          Downloading package configuration file... done.
          Saving updated package information... done.
          Downloading snort and its dependencies...
          Checking for package installation...
          Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.12.tbz ...  (extracting)

          Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
          of barnyard2-1.12 failed!

          Installation aborted.Backing up libraries...
          Removing package...
          Starting package deletion for mysql-client-5.5.30...done.
          Starting package deletion for barnyard2-1.12...done.
          Starting package deletion for libnet11-1.1.6,1...done.
          Skipping package deletion for libdnet-1.11_3 because it is a dependency.
          Starting package deletion for libpcap-1.3.0...done.
          Starting package deletion for daq-2.0.0...done.
          Starting package deletion for snort-2.9.4.6...done.
          Removing snort components...
          Menu items... done.
          Services... done.
          Loading package instructions...
          Include file snort.inc could not be found for inclusion.
          Deinstall commands...
          Not executing custom deinstall hook because an include is missing.
          Removing package instructions...done.
          Auxiliary files... done.
          Package XML... done.
          Configuration... done.
          Cleaning up... Failed to install package.

          Installation halted.

            newbieuser1234

            Supermule, how much do you pay for your connection a month or do you work at an ISP?  That speed is nuts.

              Supermule Banned

              :D That is what I offer to my clients in my VDI environment.

              All sitting on 10Gbit backbone direct to the internet exchange :)

              @newbieuser1234:

              Supermule, how much do you pay for your connection a month or do you work at an ISP?  That speed is nuts.

                bmeeks

                @Supermule:

                I get this when trying to upgrade a 2.0.3 box…

                Beginning package installation for snort...
                Downloading package configuration file... done.
                Saving updated package information... done.
                Downloading snort and its dependencies...
                Checking for package installation...

                Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
                of barnyard2-1.12 failed!

                ...

                Installation aborted.Backing up libraries...
                Cleaning up... Failed to install package.

                Installation halted.

                jimp mentioned in an e-mail exchange with me that the 2.0.3 package builders had some issues with updates to the Ports.  That's why the rollout of the updated binary was delayed a bit.  Looks like the builder used a newer MySQL client package (5.5.33 instead of 5.5.30) than what is specified in the pkg_config.8.xml file.  I'll pass this along to jimp.  He should be able to fix it up easy enough.

                I looked at files.pfsense.org and MySQL client packages are there for 5.5.30, 5.5.32, and 5.5.34.  But no version 5.5.33, so something must have gone weird with the package builder.  The pfSense guys should be able to get it sorted out.  I've sent a note to them alerting them of the issue.

                Bill

                  Supermule Banned

                  Damn nice Bill!!

                    Supermule Banned

                    Pls. notify when package is ready to install :)

                      bmeeks

                      @Supermule:

                      Pls. notify when package is ready to install :)

                      Got a reply back from jimp.  He says it should be OK now.  Give it a try and let me know if you still have problems.

                      Bill

                        Supermule Banned

                        It's running and blocking!!

                        THAAAAAAAAAAAAAAAAAANK YOU!! :-*

                          bmeeks

                          @Supermule:

                          It's running and blocking!!

                          THAAAAAAAAAAAAAAAAAANK YOU!! :-*

                          OK! Thanks for the feedback.

                          There is one small bug uncovered thus far with the new FQDN Alias support.  I worked that one with another user who successfully tested a fix.  I will hold up pushing out that update while I wait to see if anything else surfaces.  That bug is sort of minor and only affects folks using the FQDN Alias with a particular configuration.

                          Bill

                            Supermule Banned

                            No worries! I will provide feedback asap if something pops up!

                              Cino

                              Thanks for the updates/fixes Bill!! Snort is running pretty smooth and no dup processes =D

                                digdug3

                                Updated fine a few days ago, but today Snort won't start on all of my three interfaces.
                                All interfaces get the same fatal error:

                                FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_35802_em2/snort.conf(194) => Invalid port number.

                                pfSense 2.1 i386 snort 2.9.4.6 pkg v2.60

                                Reinstalling the package gives the same error.

                                  bmeeks

                                  @digdug3:

                                  Updated fine a few days ago, but today Snort won't start on all of my three interfaces.
                                  All interfaces get the same fatal error:

                                  FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_35802_em2/snort.conf(194) => Invalid port number.

                                  pfSense 2.1 i386 snort 2.9.4.6 pkg v2.60

                                  Reinstalling the package gives the same error.

                                  Sounds like maybe something is corrupted in your configuration.  Get a console prompt and open that file in vi.  Go to line 194 and see what is shown.  Post the results back if you can.  The error message gives the offending line number in the text.  It is 194 in this case.  Did you make any changes to the configuration or edit any Aliases that may be referenced in Snort?

                                  Bill
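
The check described in the post above (open the file named in the FATAL ERROR and look at the reported line), as an added example that is not part of the original thread or the Snort package. The function names and the sample configuration lines are assumptions constructed for illustration; the error message format is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the line a Snort FATAL ERROR names.

# Print "<path> <line>" parsed from: FATAL ERROR: <path>(<line>) => <reason>
parse_fatal() {
    printf '%s\n' "$1" |
        sed -n 's/^FATAL ERROR: \(.*\)(\([0-9][0-9]*\)) => .*$/\1 \2/p'
}

# Print the reported line with two lines of context; '>' marks the reported one.
show_context() {
    file=$1; line=$2
    start=$((line - 2)); [ "$start" -lt 1 ] && start=1
    awk -v s="$start" -v e="$((line + 2))" -v n="$line" \
        'NR >= s && NR <= e { printf "%s%5d  %s\n", (NR == n ? ">" : " "), NR, $0 }' "$file"
}

# List tokens on the reported line that start with a digit but are not a
# single port in 0-65535 (for example a range such as 15002:15018).
suspect_ports() {
    awk -v n="$2" 'NR == n {
        gsub(/[^0-9A-Za-z_:]/, " ")
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9]+$/) { if ($i + 0 > 65535) print $i }
            else if ($i ~ /^[0-9]/) print $i
        }
    }' "$1"
}

# Constructed sample, not the poster's real snort.conf.
demo() {
    conf=$(mktemp)
    printf '%s\n' 'preprocessor ftp_telnet_protocol: ftp server default \' \
        '    def_max_param_len 100 \' \
        '    ports { 20 21 15002:15018 } \' \
        '    telnet_cmds yes' > "$conf"
    msg="FATAL ERROR: ${conf}(3) => Invalid port number."
    set -- $(parse_fatal "$msg")    # $1 = path, $2 = line number
    show_context "$1" "$2"
    echo "Tokens to review:"; suspect_ports "$1" "$2"
    rm -f "$conf"
}
demo
```

On a firewall, pass the FATAL ERROR line from the system log to `parse_fatal` instead of the constructed message; the path must not contain spaces.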

                                    digdug3

                                    No, no changes. Even put back the backup from a day before, same problems.

                                    Here are the lines at #194 (all interfaces hang at the same line):
                                    Line 194 is in bold:

                                    preprocessor ftp_telnet_protocol: ftp server default
                                    ….
                                    ....
                                        cmd_validity STRU < char FRP >
                                        cmd_validity ALLO < int [ char R int ] >
                                        cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
                                        cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >
                                        cmd_validity PORT < host_port >

                                    preprocessor ftp_telnet_protocol: ftp client default
                                      max_resp_len 256
                                      bounce yes
                                      ignore_telnet_erase_cmds yes
                                      telnet_cmds yes

                                      digdug3

                                      Ok, found the problem… (Thanks for hinting me about the aliases)
                                      In v2.0.3 I added the FTP ports alias:
                                      20,21 AND 15002:15018

                                      That last one (with the semicolon) isn't supported anymore for the FTP preprocessor in the last version of the Snort package(?).

                                      After removing the port range the interfaces all started again.

                                        bmeeks

                                        @digdug3:

                                        Ok, found the problem… (Thanks for hinting me about the aliases)
                                        In v2.0.3 I added the FTP ports alias:
                                        20,21 AND 15002:15018

                                        That last one (with the semicolon) isn't supported anymore for the FTP preprocessor in the last version of the Snort package(?).

                                        After removing the port range the interfaces all started again.

                                        Probably my bad with the last update.  The port range should work.  Post back exactly what your Alias looks like and let me reproduce the condition in my test VMs so I can fix it.

                                        Thanks for reporting it,

                                        Bill

                                          digdug3

                                          Here is the alias as attachment.

                                          alias.png

                                            bmeeks

                                            @digdug3:

                                            Here is the alias as attachment.

                                            Thanks for the information.  It will be a few days, but I will see if I can fix this.  I have some other conflicting activities the next few days.

                                            Bill
