Snort 2.9.6.2 pkg v3.1.1 Update – Release Notes
-
…I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???
UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services
What can I try next? :o
...updating the GUI components doesn't help either...
UPDATE 2: In the SystemLog I find
snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.
…every time a service for an interface is started...
-
I get this when reinstalling Snort via WebGUI on 2.0.3
Removing snort components…
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Beginning package installation for snort...
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/8/All/snort-2.9.6.2.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/snort-2.9.6.2.tbz.
of snort-2.9.6.2 failed!Installation aborted.Backing up libraries...
Removing package...
Skipping package deletion for mysql55-client-5.5.35 because it is a dependency.
Skipping package deletion for barnyard2-1.13 because it is a dependency.
Skipping package deletion for libnet-1.1.6_1,1 because it is a dependency.
Skipping package deletion for libdnet-1.11_3 because it is a dependency.
Skipping package deletion for libpcap-1.5.2 because it is a dependency.
Skipping package deletion for daq-2.0.1 because it is a dependency.
Starting package deletion for snort-2.9.6.2...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.Package reinstallation failed.
-
Looks like the *.tbz package for 2.0.x failed to build and upload. I will notify the pfSense guys to take a look. I know you are loath to do so, but it's about time to consider upgrading to the 2.1.x version.
UPDATE: I know you probably won't like this answer, but here is what I got back from the pfSense guys:
Hello Bill,
We are not building new .tbz packages for 2.0, I believe the best thing to do in this case is to mark snort package to require pfSense 2.1 or higher.
Regards
I am going to update the Snort package so that pfSense 2.1 or higher is required.
Bill
-
Thank you very much bmeeks for keeping the wonderful (and I think essential) package going and up to date.
I do have a question about upgrading though.
I seem to remember way back when that it was advised to remove snort, reboot then install the new snort package to avoid potential problems.
Is this still the norm or can we just use the reinstall package function from the packages menu?
Cheers
With the new PBI package system used on 2.1.x and later, it handles the "remove and install" itself so all you have to do is click the PKG icon to update. The manual "remove and reinstall" still holds true for the older 2.0.x version of pfSense.
Bill
-
As posted in other thread - updated without any issues.
It just took approx 5 minutes, most of which was to download updated rule sets.
BTW, once we are on the topic - could there be an option to show alerts for all interfaces on the same page?
I have only two, but still would like to see them together… People with many more may benefit from it even more... Of course, it should indicate which interface each alert is for... More like firewall log.
Yeah, that's technically possible. It would require quite a bit of recoding for the ALERTS tab page, though. I will add it to my list of future features.
Bill
-
@chemlud:
…I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???
UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services
What can I try next? :o
...updating the GUI components doesn't help either...
UPDATE 2: In the SystemLog I find
snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.
…every time a service for an interface is started...
Your install is not actually completing. The key is the missing Snort entry under SERVICES in the pfSense menu. Are you using a full install of pfSense or one of the Compact Flash versions? If the latter, how much free space exists on the /var partition?
Also just noticed that the path is all messed up:
/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
It should look like this instead:
/usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
There is a double backslash where there should be only one, and the complete path is doubled.
Bill
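Added example (not part of the original thread and not pfSense package code): a Python check for the failure Bill describes, where the interface configuration directory is prepended twice to the rules path. The helper names and the second and third sample log lines are constructed for illustration; the first sample line and the paths are the ones quoted above.

```python
import re

# Matches the Snort startup failure quoted in the thread and captures the path.
RULES_ERR = re.compile(
    r'snort\[(?P<pid>\d+)\]: FATAL ERROR: .*?'
    r'Unable to open rules file "(?P<path>[^"]+)"'
)

def collapse_doubled_prefix(path):
    """Return the single-prefix form of a doubled path, or None if the
    path does not repeat its own leading directory after a '//'."""
    head, sep, tail = path.partition("//")
    if not sep or not head.startswith("/"):
        return None
    tail = "/" + tail
    # Doubled means the part after '//' starts over with the same directory.
    if tail == head or tail.startswith(head + "/"):
        return tail
    return None

def find_doubled_rule_paths(lines):
    """Scan log lines and report rules-file errors caused by a doubled path."""
    findings = []
    for line in lines:
        m = RULES_ERR.search(line)
        if m is None:
            continue
        expected = collapse_doubled_prefix(m.group("path"))
        if expected is not None:
            findings.append({"pid": int(m.group("pid")),
                             "logged": m.group("path"),
                             "expected": expected})
    return findings

# Paths below are the ones quoted in the thread.
CFG_DIR = "/usr/pbi/snort-i386/etc/snort/snort_59777_re1"
RULE = CFG_DIR + "/rules/flowbit-required.rules"
DOUBLED = CFG_DIR + "/" + RULE
ERR = 'snort[{}]: FATAL ERROR: {}(0) Unable to open rules file "{}": No such file or directory.'

SAMPLE_LOG = [
    ERR.format(59701, DOUBLED, DOUBLED),   # the line from the thread
    ERR.format(60112, RULE, RULE),         # constructed: file missing, path sane
    "kernel: em0: link state changed to UP",  # constructed: unrelated line
]

if __name__ == "__main__":
    for f in find_doubled_rule_paths(SAMPLE_LOG):
        print("pid", f["pid"], "doubled path; expected", f["expected"])
```

A missing rules file with a sane path (the second sample line) is deliberately not reported, so the check separates a path-construction fault from an ordinary missing file.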
-
This is not good :(
Can we build this "on the side" for 2.0.x??
A lot of people are still running this release and I think this is a major bummer for the community.
2.1.x is still flawed and NOT running widescreen and with 243 VLANS I need this bad….
-
No, "on the side" would be a frowned upon option. While widescreen is broken in 2.1, it does seem to work fine in the 2.2 snapshots. Could you limp by using 2.1.x until 2.2 goes production?
Bill
-
BTW, once we are on the topic - could there be an option to show alerts for all interfaces on the same page?
I have only two, but still would like to see them together… People with many more may benefit from it even more... Of course, it should indicate which interface each alert is for... More like firewall log.
Yeah, that's technically possible. It would require quite a bit of recoding for the ALERTS tab page, though. I will add it to my list of future features.
Bill
Thank you, Bill. No rush :)
-
Problem is that 2.1.x doesn't upgrade correctly…
-
Beginning package installation for snort .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ... [ repository] (extracting)
Loading package configuration... done.
Configuring package components...
Additional files... snort_download_updates.php failed.
Removing package...
Starting package deletion for snort-2.9.6.2-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.
Installation halted.
Any thoughts on the above?
EDIT: First dozen times it failed. Lucky #13 worked.
-
I have no clue. That message literally means the physical PHP file could not be found or pulled down from the packages repository. The fact it eventually worked indicates some type of glitch and not a permanent problem. Glad it finally worked for you.
Bill
-
Problem is that 2.1.x doesn't upgrade correctly…
It's been a while since I updated to 2.1, but if I remember correctly I did it coincident with upgrading my firewall hardware. So I just did a clean install of 2.1 and then imported my old config. In my case I had to adjust the NIC driver names from Realtek on the old hardware to Intel on the new. However, if you do an install on the same hardware, you should not have that problem.
Bill
-
Beginning package installation for snort .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ... [ repository] (extracting)
Loading package configuration... done.
Configuring package components...
Additional files... snort_download_updates.php failed.
Removing package...
Starting package deletion for snort-2.9.6.2-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.
Installation halted.
When will this be fixed? I have on more server the same problem :((
-
How can I delete all old snort config files?
-
To physically remove Snort from the disk, delete this folder and all sub-folders: /usr/pbi/snort-amd64
Removing Snort settings from your config.xml file is much more delicate and can lead to a non-working firewall if the file is corrupted.
The error you reported is more likely a temporary issue with one of the pfSense package repository servers. I don't know if those are mirrored. If they are, maybe one of them is missing that particular file.
Bill
-
As posted in other thread - updated without any issues.
It just took approx 5 minutes, most of which was to download updated rule sets.
BTW, once we are on the topic - could there be an option to show alerts for all interfaces on the same page?
I have only two, but still would like to see them together… People with many more may benefit from it even more... Of course, it should indicate which interface each alert is for... More like firewall log.
Yeah, that's technically possible. It would require quite a bit of recoding for the ALERTS tab page, though. I will add it to my list of future features.
Bill
Hi dgcom,
I would recommend using a Syslog program to collect all of these alerts. Tools like "Security Onion" have ELSA which can help you manage Alerts from a multitude of sources.
-
Yes, I know about Syslog and monitoring tools (I am planning to test ELK in one environment). But in some setups it is not feasible to have a separate setup just for fw logs.
And you lose the ability to quickly react to those alerts when needed - like disabling rule, etc.
-
Hey guys:
Just posted a small bug fix update for the new Snort package. The new GUI package version is bumped to 3.1.1. The bug was in a path supplied to the cron task for rule updates. The old path was there and that meant the job was not executing.
All you need to do is just reinstall the GUI components on the System…Packages...Installed Packages menu in pfSense. I'm going to rename this topic to match the update and also edit the release notes.
Bill
-
Once the system (Snort/Suricata) is Tuned, you can get more beneficial use from syslog tools like ELK or Security Onion. I like Security Onion as it is a Full Packet Capture system also. So anything that gets past pfSense Snort/Suricata is captured and can be pivoted for as long as you keep the pcaps.
I think putting all of the Logs into one screen will be too cumbersome. If things like IP Rep get added, it will make it that much more cluttered.