Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Upgrade causes snort to enable barnyard (Snort 2.9.5.6 pkg v3.0.6)

    Scheduled Pinned Locked Moved
    pfSense Packages
    2
    4
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      adam65535
      last edited by

      Snort 2.9.5.6 pkg v3.0.6 and using snort pfsync settings to keep the secondary updated.

      I just upgraded my secondary cluster member to 2.1.2 and barnyard somehow is enabled now.  The primary still shows barnyard as disabled for both LAN and WAN.

      Apr 10 16:59:06	barnyard2[70293]: Waiting for new data
Apr 10 16:59:06	barnyard2[70293]: Opened spool file '/var/log/snort/snort_em135697/snort_35697_em1.u2.1397163545'
Apr 10 16:59:06	barnyard2[70293]: Closing spool file '/var/log/snort/snort_em135697/snort_35697_em1.u2.1397163519'. Read 0 records
Apr 10 16:58:50	barnyard2[71751]: Waiting for new data
Apr 10 16:58:50	barnyard2[71751]: Opened spool file '/var/log/snort/snort_em048137/snort_48137_em0.u2.1397163527'
Apr 10 16:58:50	barnyard2[71751]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/snort_em048137/barnyard2/48137_em0.waldo'
Apr 10 16:58:50	barnyard2[71751]: Barnyard2 initialization completed successfully (pid=71751)
Apr 10 16:58:50	barnyard2[71751]: --== Initialization Complete ==--
Apr 10 16:58:50	barnyard2[71751]:
Apr 10 16:58:50	barnyard2[71751]: Writing PID "71751" to file "/var/run/barnyard2_em048137.pid"
Apr 10 16:58:50	barnyard2[71751]: PID path stat checked out ok, PID path set to /var/run
Apr 10 16:58:50	barnyard2[71751]: Daemon initialized, signaled parent pid: 71626
Apr 10 16:58:50	barnyard2[71626]: Daemon parent exiting
Apr 10 16:58:50	barnyard2[71626]: Initializing daemon mode
Apr 10 16:58:50	barnyard2[71626]: Log directory = /var/log/snort/snort_em048137
Apr 10 16:58:50	barnyard2[71626]: Barnyard2 spooler: Event cache size set to [8192]
Apr 10 16:58:50	barnyard2[71626]: Found pid path directive (/var/run)
Apr 10 16:58:50	barnyard2[71626]: Parsing config file "/usr/pbi/snort-amd64/etc/snort/snort_48137_em0/barnyard2.conf"
Apr 10 16:58:50	barnyard2[71626]: Initializing Output Plugins!
Apr 10 16:58:50	barnyard2[71626]: Initializing Input Plugins!
Apr 10 16:58:50	barnyard2[71626]: --== Initializing Barnyard2 ==--
Apr 10 16:58:50	barnyard2[71626]:
Apr 10 16:58:50	barnyard2[71626]: Running in Continuous mode
Apr 10 16:58:50	barnyard2[71626]: Found pid path directive (/var/run)
Apr 10 16:58:50	SnortStartup[71526]: Barnyard2 START for WanSnort(48137_em0)...
Apr 10 16:58:46	SnortStartup[70691]: Snort START for WanSnort(48137_em0)...
Apr 10 16:58:46	barnyard2[70293]: Waiting for new data
Apr 10 16:58:46	barnyard2[70293]: Opened spool file '/var/log/snort/snort_em135697/snort_35697_em1.u2.1397163519'
Apr 10 16:58:46	barnyard2[70293]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/snort_em135697/barnyard2/35697_em1.waldo'
Apr 10 16:58:46	barnyard2[70293]: Barnyard2 initialization completed successfully (pid=70293)
Apr 10 16:58:46	barnyard2[70293]: --== Initialization Complete ==--
Apr 10 16:58:46	barnyard2[70293]:
Apr 10 16:58:46	barnyard2[70293]: Writing PID "70293" to file "/var/run/barnyard2_em135697.pid"
Apr 10 16:58:46	barnyard2[70293]: PID path stat checked out ok, PID path set to /var/run
Apr 10 16:58:46	barnyard2[70293]: Daemon initialized, signaled parent pid: 70056
Apr 10 16:58:46	barnyard2[70056]: Daemon parent exiting
Apr 10 16:58:46	barnyard2[70056]: Initializing daemon mode
Apr 10 16:58:46	barnyard2[70056]: Log directory = /var/log/snort/snort_em135697
Apr 10 16:58:46	barnyard2[70056]: Barnyard2 spooler: Event cache size set to [8192]
Apr 10 16:58:46	barnyard2[70056]: Found pid path directive (/var/run)
Apr 10 16:58:42	barnyard2[70056]: Parsing config file "/usr/pbi/snort-amd64/etc/snort/snort_35697_em1/barnyard2.conf"
Apr 10 16:58:42	barnyard2[70056]: Initializing Output Plugins!
Apr 10 16:58:42	barnyard2[70056]: Initializing Input Plugins!
Apr 10 16:58:42	barnyard2[70056]: --== Initializing Barnyard2 ==--
Apr 10 16:58:42	barnyard2[70056]:
Apr 10 16:58:42	barnyard2[70056]: Running in Continuous mode
Apr 10 16:58:42	barnyard2[70056]: Found pid path directive (/var/run)
Apr 10 16:58:42	SnortStartup[69971]: Barnyard2 START for LanSnort(35697_em1)...
Apr 10 16:58:18	sshlockout[42290]: sshlockout/webConfigurator v3.0 starting up
Apr 10 16:58:18	login: login on ttyv0 as root
Apr 10 16:58:15	SnortStartup[34800]: Snort START for LanSnort(35697_em1)...
Apr 10 16:58:12	php: rc.filter_synchronize: Config sync not being done because of missing sync IP (this is normal on secondary systems).
Apr 10 16:58:05	php: rc.filter_synchronize: Config sync not being done because of missing sync IP (this is normal on secondary systems).
Apr 10 16:58:04	php: rc.start_packages: Restarting/Starting all packages.
Apr 10 16:58:03	syslogd: kernel boot file is /boot/kernel/kernel
Apr 10 16:58:03	syslogd: exiting on signal 15
Apr 10 16:58:03	php: rc.bootup: Finished reinstalling all packages.
      1 Reply Last reply Reply Quote 0
      • A
        adam65535
        last edited by

        I forgot to disable sync before upgrading the secondary so it might have something to do with the secondary is running a different version of snort now than the primary.  Both the primary and secondary had Snort 2.9.5.6 pkg v3.0.4 before the upgrade of the secondary.  In the future I should make sure to disable sync before upgrading and then enable sync after both systems are upgraded (I forgot to do that) just in case this is related to config differences or something between snort versions (just a wild guess that might be the issue).

        I bet it will get fixed when I upgrade the primary and the primary syncs the same version of snort config over that the secondary is running.  We shall see.

        EDIT: To be clear… I have never enabled barnyard on any of the systems.

        1 Reply Last reply Reply Quote 0
        • A
          adam65535
          last edited by

          Upgrade of the primary… Now the primary has barnyard enabled for both LAN and WAN too.  Not sure what is causing this.  Not a big deal though.  I just disabled it on the primary for both instances and the backup server got the synced snort config and is disabled there now too.

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            @adam65535:

            Upgrade of the primary… Now the primary has barnyard enabled for both LAN and WAN too.  Not sure what is causing this.  Not a big deal though.  I just disabled it on the primary for both instances and the backup server got the synced snort config and is disabled there now too.

            There was a little logic error I introduced into the Barnyard2 migration code that migrates old settings into the new format to support the enhanced output plugins.  I was keying off only one of two parameter that must BOTH be true for Barnyard to have been enabled under the old config.  As a consequence of only looking at one and not both, the migration script was turning on Barnyard2 if it had ever been enabled in the past on an interface.

            I am fixing that for future upgrades, but for this one the damage is sort of done.  Thankfully it's not a fatal thing.  Just disable Barnyard2 on the interface again and save the update.

            There are some problems with updating synced pairs with sync still on.  I recommend turning off sync, upgrading all the machines to the same version, then re-enable sync.

            Bill

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.