Netgate Discussion Forum

Snort on 2.1 dev ??

2.1 Snapshot Feedback and Problems - RETIRED
  • A
    asterix
    last edited by May 24, 2012, 1:08 AM

    The only reason I am not able to install 2.1 dev is because snort package is not working on this new build.

    Is there a way I could get snort started on 2.1 dev? It works perfectly on 2.0.1 at the moment. I install the latest 2.1 dev snapshot from time to time but have to revert back to 2.0.1 as after upgrade everything works except snort.

    • D
      daplumber
      last edited by May 24, 2012, 1:21 AM

      I haven't actually checked that it's fully functional by testing it, but Snort appears to be "just working" on my 2.1 box:

      2.1-DEVELOPMENT (i386)
      built on Wed May 23 09:39:19 EDT 2012
      FreeBSD 8.3-RELEASE-p1

      I simply installed it from packages, along with the Dashboard widget:

      snort 2.9.1 pkg v. 2.1.1
      Dashboard Widget: Snort 0.3.1

      Fed snort my oinkmaster code, and successfully updated.

      Snort services page (snort/snort_interfaces.php) claims that snort is enabled, but Barnyard2 is disabled.

      Does any of that help?

      ----------
      This user has been carbon dated to the 8-bit era...

      • R
        rcfa
        last edited by May 24, 2012, 10:44 PM

        Well, I seem to be able to make all the settings, update rules, etc.
        The interface is listed as enabled, as is snort, except: if I start snort, it will never show as running e.g. on the Dashboard's "Services Status" list. Similarly, the green "start" icon is always next to the interface, no matter how often I start the service there.

        So something seems to be a bit busted, unless snort is allergic to the fact that all my traffic leaves the system through an IPSec tunnel, which makes me wonder what Snort will even detect when I have it set up on the WAN interface, given that I cannot select the IPSec as the source to monitor.

        • A
          asterix
          last edited by May 25, 2012, 3:11 AM

          I have tried numerous times but have never been able to start snort. Exact same settings work on 2.0.1. Even a clean 2.1 install makes no difference. Always get some pf_alert issue. Tried re-installing on top of existing install too.

          I really want to start using 2.1 dev builds but don't want to opt out snort. Feel a bit secure with snort on my firewall.

          • T
            tritron
            last edited by May 27, 2012, 5:32 PM

            The only error I see is: ERROR: Can't set DAQ BPF filter to 'start' (pcap_daq_set_filter: pcap_compile: syntax error)!
            If you log on to the shell and type snort start, what do you get?

            • A
              asterix
              last edited by May 27, 2012, 10:56 PM

              Will do a clean install tonight and update the post.

              • T
                tritron
                last edited by May 28, 2012, 1:41 AM

                Any updates on this? Did you try to use ssh to connect to pfsense, type in snort start, and post the output you get?
                Does anyone know how to solve this error: Can't set DAQ BPF filter to 'start' (pcap_daq_set_filter: pcap_compile: syntax error)! This prevents me from starting snort.

                • T
                  tritron
                  last edited by May 28, 2012, 3:37 AM

                  Logs show snort[4544]: FATAL ERROR: /usr/local/etc/snort/snort_59149_bge0/snort.conf(323) Unknown output plugin: "alert_pf"
                  May 27 21:39:44 snort[4544]: FATAL ERROR: /usr/local/etc/snort/snort_59149_bge0/snort.conf(323) Unknown output plugin: "alert_pf"

                  How can I fix that?

                  • A
                    asterix
                    last edited by May 29, 2012, 8:22 PM

                    Check my second post in this thread. That is exactly the error I am getting. I was not able to start snort even through SSH.

                    • A
                      asterix
                      last edited by Jun 3, 2012, 6:08 AM

                      Any progress on this?

                      I checked with a clean install again last night. Same issue with Snort.

                      • C
                        Cino
                        last edited by Jun 3, 2012, 11:02 AM

                        This may work… install the package, log into the box via ssh, and run:

                        pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                        Go to the GUI, update rules and see if it starts... make sure all the preprocessors are checked.

                        • A
                          asterix
                          last edited by Jun 4, 2012, 1:12 AM

                          Isn't that an older package? Is it compatible with the latest pfSense FreeBSD version?

                          • C
                            Cino
                            last edited by Jun 4, 2012, 2:11 AM

                            @asterix:

                            Isn't that an older package? Is it compatible with the latest pfSense FreeBSD version?

                            it should work.. it worked for me a month ago when i tested 2.1 binaries… Remember that packages are built for the stable version of pfSense. The pfSense package is built around snort 2.9.0.5_1 binaries

                            • R
                              rcfa
                              last edited by Jun 4, 2012, 7:48 AM Jun 4, 2012, 7:42 AM

                              @Cino:

                              This may work… install the package, log into the box via ssh, and run:

                              pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                              Go to the GUI, update rules and see if it starts... make sure all the preprocessors are checked.

                              How is this going to affect future updates, both of the packages and/or the OS or snort?

                              • C
                                Cino
                                last edited by Jun 4, 2012, 10:22 AM

                                @rcfa:

                                @Cino:

                                This may work… install the package, log into the box via ssh, and run:

                                pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                                Go to the GUI, update rules and see if it starts... make sure all the preprocessors are checked.

                                How is this going to affect future updates, both of the packages and/or the OS or snort?

                                you would have to reapply it… i'm hoping once 2.1 is released, that snort will also be updated.

                                • D
                                  dhatz
                                  last edited by Jun 4, 2012, 2:47 PM

                                  iirc a few months ago there was a monetary donation earmarked specifically for Snort, to finally integrate it with pf (ala spoink, snort2c, SnortSam etc). Perhaps do a new round of "crowdfunding" to finally get this done?

                                  • C
                                    Cino
                                    last edited by Jun 4, 2012, 7:02 PM

                                    @dhatz:

                                    iirc a few months ago there was a monetary donation earmarked specifically for Snort, to finally integrate it with pf (ala spoink, snort2c, SnortSam etc). Perhaps do a new round of "crowdfunding" to finally get this done?

                                    i remember donating for that…... not sure what is left from the pool... but If I was PMing pfSense, i would want to get 2.1 release first...

                                    • T
                                      tritron
                                      last edited by Jun 5, 2012, 2:00 AM

                                      There is something interesting the snort package provided by 8.3 free is older than older freebsd version stable version 2.9.2.3
                                      What do you get when you type /usr/local/etc/rc.d/snort start? Can you post the output?
                                      When I type snort start:
                                      Initializing Output Plugins!
                                      Snort BPF option: start
                                      pcap DAQ configured to passive.
                                      The DAQ version does not support reload.
                                      Acquiring network traffic from "bge0".
                                      ERROR: Can't set DAQ BPF filter to 'start' (pcap_daq_set_filter: pcap_compile: syntax error)!
                                      Fatal Error, Quitting..
                                      Is pfsense 2.1 built on old packages? It seems that when I try to install something on pfsense it states that it needs newer packages.

                                      • A
                                        asterix
                                        last edited by Jun 5, 2012, 3:25 AM

                                        pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                                        This does not work. It installs via ssh but nothing shows up in GUI.

                                        • C
                                          Cino
                                          last edited by Jun 5, 2012, 10:44 AM

                                          @asterix:

                                          pkg_add -f http://files.pfsense.com/packages/8/All/snort-2.9.0.5_1.tbz

                                          This does not work. It installs via ssh but nothing shows up in GUI.

                                          Install the pfsense snort package first via the GUI… then drop down to ssh and run the above command.

                                          this will overwrite the binaries that were installed from the pfsense snort package
