Disabled snort, now settings are blown away
-
I have Snort 2.9.6.0 pkg v3.0.8 installed. A few days ago I disabled snort so I could troubleshoot the network without the extra overhead. When I tried to enable snort this morning all the settings are GONE.
Everything was set back to the defaults. I checked the config file backup and the settings are not saved there. This cannot be right. Is there some way to get the settings back?
WARNING… if you try to this it most likely will destroy your settings. To verify the problem I enabled snort again, made some changes, saved them, disabled snort, saved and again the settings are gone.
-
I had this happen to me once before. Unless you made a backup of the pfSense config I don't think you can get it back.
When the interface is disabled, it seems to clear the settings even with the "Keep settings after deinstall".
-
@BBcan17:
I had this happen to me once before. Unless you made a backup of the pfSense config I don't think you can get it back.
When the interface is disabled, it seems to clear the settings even with the "Keep settings after deinstall".
Actually I did make a backup of the config - the problem is I don't see any snort settings in the config, so restoring that config would most likely have no effect.
-
You might have to look older backups before you disabled the Snort interface.
-
I have Snort 2.9.6.0 pkg v3.0.8 installed. A few days ago I disabled snort so I could troubleshoot the network without the extra overhead. When I tried to enable snort this morning all the settings are GONE.
Everything was set back to the defaults. I checked the config file backup and the settings are not saved there. This cannot be right. Is there some way to get the settings back?
WARNING… if you try to this it most likely will destroy your settings. To verify the problem I enabled snort again, made some changes, saved them, disabled snort, saved and again the settings are gone.
Did you disable or delete the Snort interface? I just tried this in a VM using the version listed. If I disable the interface, all the rules and preprocessor settings remained. The only things that got reset to defaults were some of the settings on the INTERFACE SETTINGS tab itself. I will fix that in the next update, but in the meantime there should only be a few checkboxes to reset.
Bill
-
The fix for this problem has been incorporated in the latest Snort package update Pull Request posted for review and approval by the pfSense Core Team.
Here is the link to the request: https://github.com/pfsense/pfsense-packages/pull/661
Bill
-
Did you disable or delete the Snort interface? I just tried this in a VM using the version listed. If I disable the interface, all the rules and preprocessor settings remained. The only things that got reset to defaults were some of the settings on the INTERFACE SETTINGS tab itself. I will fix that in the next update, but in the meantime there should only be a few checkboxes to reset.
For me, this occured a while ago (was a disable) , but I seem to remember that it also wiped the Pre-Processor settings. In particular if you added "Engine Names" and "Bind-To Address Alias" settings.
I don't have a VM to try this on, and don't really want to try this on one of my live machines :)
-
The problem is that I don't know exactly which settings were reset, only that some were. Everthing on the main settings tab seems to have been reset.
The problem is that since it has been months since I configured snort I cannot remember how I set it up. As I already stated the settings are NOT SAVED in the config.xml file - of course I looked in a backup version that had snort enabled. I need to take better notes.
Regardless it sounds like bmeeks has it under control - I will wait until the next release before configuring & enabling it again.
-
@BBcan17:
Did you disable or delete the Snort interface? I just tried this in a VM using the version listed. If I disable the interface, all the rules and preprocessor settings remained. The only things that got reset to defaults were some of the settings on the INTERFACE SETTINGS tab itself. I will fix that in the next update, but in the meantime there should only be a few checkboxes to reset.
For me, this occured a while ago (was a disable) , but I seem to remember that it also wiped the Pre-Processor settings. In particular if you added "Engine Names" and "Bind-To Address Alias" settings.
I don't have a VM to try this on, and don't really want to try this on one of my live machines :)
I made some other changes a couple of revs back that should have had the side-effect of fixing this for Preproc settings. I did a quick VM test the other night, but I can do a more thorough test with multiple engines to be sure. The Pull Request is still open, so if I find anything else that needs fixing, I will try and get it in the open request.
Bill
-
Thanks Bill we all appreciate the work you do in Maintaining these packages so well !
-
@BBcan17:
Thanks Bill we all appreciate the work you do in Maintaining these packages so well !
I just tested in a VM with multiple engines (HTTP_INSPECT for my test). All the previous settings are now retained when Snort is disabled on an interface. When you enable it again, the old settings are still there.
Note this behavior is different for a DELETE operation. If you delete a Snort interface on the INTERFACES tab, then all Snort settings belonging to that deleted interface are permanently removed. It does prompt for a confirmation before deleting the interface, though.
Bill