Netgate Discussion Forum

    Snort update coming soon – please read about an important change!

    pfSense Packages
      JStyleG7X

      Yeah I read that too, https://forum.pfsense.org/index.php?topic=69370.0

      Regardless I still wanted to try it anyway… I didn't get any farther though.

        cmb

        The file inconsistency is fixed, someone that moved DNS only moved the A and not the AAAA which left things inconsistent. I fixed it.

          drew134

          @cmb:

          The file inconsistency is fixed, someone that moved DNS only moved the A and not the AAAA which left things inconsistent. I fixed it.

          Confirmed here, downloading and installing.  Thank you!!!!!!  :) ;D :) ;D

            chrissl

            @drew134:

            @cmb:

            The file inconsistency is fixed, someone that moved DNS only moved the A and not the AAAA which left things inconsistent. I fixed it.

            Confirmed here, downloading and installing.  Thank you!!!!!!  :) ;D :) ;D

            Check. Thanks.

            I'm downloading now ;)

              kilthro

              Thanks for fixing!

                foresthus

                @cmb:

                The file inconsistency is fixed, someone that moved DNS only moved the A and not the AAAA which left things inconsistent. I fixed it.

                THANX 4 fixing !!!  8) :)

                  fragged

                  Snort package version was bumped because of the recent OpenSSL vulnerability by rbgarga. Snort has the package version number in a few other pages which haven't been touched to reflect the new 3.0.6 version number. Can someone from the core team please check the rest of the package to make sure the version number is consistent, thanks.

                    Ramosel

                    Bill,
                    Have not updated pfSense to 2.1.1 yet, Still on 2.1.  Updated Snort pkg this morning and installation dialog looked complete with success.  Now Snort will not start:

                    snort[1683]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_34714_bge0/rules/snort.rules(9231) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

                      Cino

                      @Ramosel:

                      Bill,
                      Have not updated pfSense to 2.1.1 yet, Still on 2.1.  Updated Snort pkg this morning and installation dialog looked complete with success.  Now Snort will not start:

                      snort[1683]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_34714_bge0/rules/snort.rules(9231) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

                      search is your friend, uncheck emerging-web_client.rules under Categories… I think the issue is with the ET rules itself and not snort

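Added example (not part of the thread or of the pfSense Snort package): the error quoted above says PCRE wants an opening brace after `\o`, so this Python sketch scans rule text for `pcre` options containing a `\o` escape with no `{` after it and reports the individual rules, instead of disabling the whole category. The sample rules, their SIDs and the `/i` flag are constructed; only the regex in the first rule is taken from the log line.

```python
import re

# pcre:"/regex/flags" option of a Snort rule, optionally negated with '!'.
PCRE_OPT = re.compile(r'pcre:\s*!?\s*"((?:[^"\\]|\\.)*)"')
SID_OPT = re.compile(r'\bsid:\s*(\d+)')

def regex_body(option):
    """Strip the /.../flags delimiters so offsets match the compiler's view."""
    end = option.rfind("/")
    return option[1:end] if option.startswith("/") and end > 0 else option

def bare_o_offsets(pattern):
    """Offsets of each 'o' in a \\o escape that is not followed by '{'."""
    hits, i = [], 0
    while i < len(pattern) - 1:
        if pattern[i] != "\\":
            i += 1
            continue
        if pattern[i + 1] == "o" and pattern[i + 2:i + 3] != "{":
            hits.append(i + 1)
        i += 2  # skip the escaped char, so an escaped backslash before "o" is not flagged
    return hits

def scan_rules(lines):
    """Return (line_no, sid, offset) for every active rule with a bare \\o."""
    findings = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):  # disabled rule
            continue
        sid = SID_OPT.search(line)
        for opt in PCRE_OPT.finditer(line):
            for off in bare_o_offsets(regex_body(opt.group(1))):
                findings.append((no, sid.group(1) if sid else None, off))
    return findings

# Constructed sample rules; only the regex in the first one comes from the log above.
SAMPLE_RULES = [
    r'alert tcp any any -> any any (msg:"constructed A"; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/i"; sid:1000001;)',
    r'alert tcp any any -> any any (msg:"constructed B"; pcre:"/\\object\o{101}/"; sid:1000002;)',
    r'# alert tcp any any -> any any (msg:"constructed C"; pcre:"/\o/"; sid:1000003;)',
]

if __name__ == "__main__":
    for line_no, sid, offset in scan_rules(SAMPLE_RULES):
        print(f"line {line_no}: sid {sid}: bare \\o at pcre offset {offset}")
```

For the regex from the log, the reported offset is 11, the same offset the FATAL ERROR line gives.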
                        Ramosel

                        @Cino:

                        @Ramosel:

                        Bill,
                        Have not updated pfSense to 2.1.1 yet, Still on 2.1.  Updated Snort pkg this morning and installation dialog looked complete with success.  Now Snort will not start:

                        snort[1683]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_34714_bge0/rules/snort.rules(9231) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o

                        search is your friend, uncheck emerging-web_client.rules under Categories… I think the issue is with the ET rules itself and not snort

                        Thank you!  That was it!  I did spend some time looking but guess I wasn't looking in the right direction.

                        Odd, I always do a backup and reboot before I update anything and the previous version liked the rule but "this one" doesn't.  I say "this one" because all indications are that we've gone to 3.0.6 but the Services/Snort page is still showing 3.0.5 so I'm not sure which is true.

                        Rick

                          Supermule Banned

                          That's not necessary on 2.0.3

                          Just for your info. Emerging web client rules work fine.

                            BBcan177 Moderator

                            Maybe this is a memory issue? How much memory are you guys using? Did you enable the same amount of rules on the WAN and LAN interface?

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                              fragged

                              Looks like I'm running those rules just fine too on pfSense 2.1.1 and the latest package version. I have 8 GB of memory with over 6 GB free.

                                Ramosel

                                @BBcan177:

                                Maybe this is a memory issue? How much memory are you guys using? Did you enable the same amount of rules on the WAN and LAN interface?

                                System says I'm using 21% of the 4GB on board.

                                for Supermule:  On the previous package, the Emerging Web Client rules worked fine.  I double checked on a backup system I keep ready to go.  It only fails on this new package.

                                EDIT
                                I've updated to pfsense 2.1.1.  Update reinstalled all packages fine.  Services/Snort still says v3.0.5, Installed packages shows v3.0.6… so not sure really what version is running.

                                Snort will only start if "emerging-web_client.rules" is unchecked.

                                Rick

                                  vatson

                                  @fragged:

                                  Snort package version was bumped because of the recent OpenSSL vulnerability by rbgarga.

                                  Can you be more specific about differences between 3.0.5 and 3.0.6? I updated my secondary machine to 3.0.5 yesterday, now went to update the main machine and discovered yet another update… Now I wonder if I should hold off updating the main machine for 24h more.

                                    fragged

                                    It's exactly the same package, except the OpenSSL version bundled in the pbi is updated to one that has a fix to the heartbleed vulnerability. You will likely have to remove snort and install it again to get the updated pbi as the pbi version is exactly the same.

                                      drew134

                                      On the main Snort services page it says 3.0.5 after upgrading, yet the package installer confirms 3.0.6.  I will assume that's just a typo, which brings me to a quick question for the group.  Does anyone know a good method to check services version numbers easily?  via command prompt, etc.?

                                      Thank you in advance.

                                        fragged

                                        @drew134:

                                        On the main Snort services page it says 3.0.5 after upgrading, yet the package installer confirms 3.0.6.  I will assume that's just a typo, which brings me to a quick question for the group.  Does anyone know a good method to check services version numbers easily?  via command prompt, etc.?

                                        Thank you in advance.

                                        This happens literally every time someone other than Ermal or bmeeks touches the package. They always forget to change the version number within the Snort package files too.

                                          RonpfS

                                          @fragged:

                                          It's exactly the same package, except the OpenSSL version bundled in the pbi is updated to one that has a fix to the heartbleed vulnerability. You will likely have to remove snort and install it again to get the updated pbi as the pbi version is exactly the same.

                                          Did an upgrade, saw 3.0.5, uninstalled Snort, installed and still says
                                          Services: Snort 2.9.6.0 pkg v3.0.5 in snort/snort_interfaces.php.
                                          2.9.6.0 pkg v3.0.6  in Installed packages

                                          I'm Running 2.0.3

                                          2.4.5-RELEASE-p1 (amd64)
                                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                            fragged

                                            Read my reply just before your last post.

                                            There's an issue with the IP reputation files when using ramdisk for /tmp and /var. The file gets nuked on reboot and Snort won't start again until a rules download has been made to redownload the file.

                                            
                                            snort[45934]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_330_em0/snort.conf(398) => Unable to open address file /var/db/snort/iprep/emerging-compromised-ips.txt, Error: No such file or directory
                                            
                                            
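Added example (not part of the thread or of the pfSense Snort package): a pre-start check for the failure in the post above, which reads a snort.conf, finds the list files named by the reputation preprocessor and reports any that are absent, for instance after a reboot with /var on a ramdisk. It assumes the `blacklist <path>` / `whitelist <path>` options of the reputation preprocessor as documented in the Snort 2.9 manual; the sample configuration and the allow-list path are constructed, and only the emerging-compromised-ips.txt path comes from the log line.

```python
import os
import re

# "blacklist <path>" / "whitelist <path>" entries inside a reputation preprocessor line.
LIST_OPT = re.compile(r'\b(blacklist|whitelist)\s+(/[^\s,]+)')

def logical_lines(text):
    """Join backslash-continued lines; return (first_line_no, joined_text) pairs."""
    out, buf, start = [], "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        out.append((start, buf + raw))
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        out.append((start, buf))
    return out

def missing_iprep_files(conf_text, exists=os.path.isfile):
    """Return (line_no, kind, path) for each reputation list file that is absent."""
    missing = []
    for no, line in logical_lines(conf_text):
        if not line.lstrip().startswith("preprocessor reputation"):
            continue
        for kind, path in LIST_OPT.findall(line):
            if not exists(path):
                missing.append((no, kind, path))
    return missing

# Constructed snort.conf fragment; the blacklist path is the one from the log above.
SAMPLE_CONF = """\
# constructed snort.conf fragment
preprocessor reputation: \\
    memcap 500, \\
    priority whitelist, \\
    whitelist /var/db/snort/iprep/constructed-allow.txt, \\
    blacklist /var/db/snort/iprep/emerging-compromised-ips.txt
"""

if __name__ == "__main__":
    for line_no, kind, path in missing_iprep_files(SAMPLE_CONF):
        print(f"snort.conf line {line_no}: {kind} file missing: {path}")
```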