Netgate Discussion Forum

    Snort 2.9.6.2 pkg v3.1.1 Update – Release Notes

    • bmeeksB
      bmeeks
      last edited by

      @Jason:

      Beginning package installation for snort .
      Downloading package configuration file... done.
      Saving updated package information... done.
      Downloading snort and its dependencies... 
      Checking for package installation... 
       Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ...  [ repository]
       (extracting)
      Loading package configuration... done.
      Configuring package components...
      Additional files... snort_download_updates.php failed.
      Removing package...
      Starting package deletion for snort-2.9.6.2-amd64...done.
      Removing snort components...
      Menu items... done.
      Services... done.
      Loading package instructions...
      Deinstall commands... done.
      Removing package instructions...done.
      Auxiliary files... done.
      Package XML... done.
      Configuration... done.
      done.
      Failed to install package.
      
      Installation halted.
      

      Any thoughts on the above?

      EDIT: First dozen times it failed.  Lucky #13 worked.

      I have no clue.  That message literally means the physical PHP file could not be found or pulled down from the packages repository.  The fact it eventually worked indicates some type of glitch and not a permanent problem.  Glad it finally worked for you.

      Bill

      • bmeeksB
        bmeeks
        last edited by

        @Supermule:

        Problem is that 2.1.x doesn't upgrade correctly…

        It's been a while since I updated to 2.1, but if I remember correctly I did it coincident with upgrading my firewall hardware.  So I just did a clean install of 2.1 and then imported my old config.  In my case I had to adjust the NIC driver names from Realtek on the old hardware to Intel on the new.  However, if you do an install on the same hardware, you should not have that problem.

        Bill

        • S
          simby
          last edited by

          @bmeeks:

          @Jason:

          Beginning package installation for snort .
          Downloading package configuration file... done.
          Saving updated package information... done.
          Downloading snort and its dependencies... 
          Checking for package installation... 
           Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ...  [ repository]
           (extracting)
          Loading package configuration... done.
          Configuring package components...
          Additional files... snort_download_updates.php failed.
          Removing package...
          Starting package deletion for snort-2.9.6.2-amd64...done.
          Removing snort components...
          Menu items... done.
          Services... done.
          Loading package instructions...
          Deinstall commands... done.
          Removing package instructions...done.
          Auxiliary files... done.
          Package XML... done.
          Configuration... done.
          done.
          Failed to install package.
          
          Installation halted.
          

          When will this be fixed? I have on more server the same problem :((

          • S
            simby
            last edited by

            How can I delete all old Snort config files?

            • bmeeksB
              bmeeks
              last edited by

              @simby:

              How can I delete all old Snort config files?

              To physically remove Snort from the disk, delete this folder and all sub-folders:  /usr/pbi/snort-amd64

              Removing Snort settings from your config.xml file is much more delicate and can lead to a non-working firewall if the file is corrupted.

              The error you reported is more likely a temporary issue with one of the pfSense package repository servers.  I don't know if those are mirrored.  If they are, maybe one of them is missing that particular file.

              Bill

              • BBcan177B
                BBcan177 Moderator
                last edited by

                @bmeeks:

                @dgcom:

                As posted in other thread - updated without any issues.
                It just took approx 5 minutes, most of which was to download updated rule sets.

                BTW, once we are on the topic - could there be an option to show alerts for all interfaces on the same page?
                I have only two, but still would like to see them together… People with many more may benefit from it even more... Of course, it should indicate which interface each alert is for... More like firewall log.

                Yeah, that's technically possible.  It would require quite a bit of recoding for the ALERTS tab page, though.  I will add it to my list of future features.

                Bill

                Hi dgcom,

                I would recommend using a Syslog program to collect all of these alerts. Tools like "Security Onion" have ELSA which can help you manage Alerts from a multitude of sources.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                • D
                  dgcom
                  last edited by

                  Yes, I know about Syslog and monitoring tools (I am planning to test ELK in one environment). But in some setups it is not feasible to have a separate setup just for fw logs.
                  And you lose the ability to quickly react to those alerts when needed - like disabling rule, etc.

                  DG

                  • bmeeksB
                    bmeeks
                    last edited by

                    Hey guys:

                    Just posted a small bug fix update for the new Snort package.  The new GUI package version is bumped to 3.1.1.  The bug was in a path supplied to the cron task for rule updates.  The old path was there and that meant the job was not executing.

                    All you need to do is just reinstall the GUI components on the System…Packages...Installed Packages menu in pfSense.  I'm going to rename this topic to match the update and also edit the release notes.

                    Bill

                    • BBcan177B
                      BBcan177 Moderator
                      last edited by

                      Once the system (Snort/Suricata) is Tuned, you can get more beneficial use from syslog tools like ELK or Security Onion. I like Security Onion as it is a Full Packet Capture system also. So anything that gets past pfSense Snort/Suricata is captured and can be pivoted for as long as you keep the pcaps.

                      I think putting all of the Logs into one screen will be too cumbersome. If things like IP Rep get added, it will make it that much more cluttered.

                      • BBcan177B
                        BBcan177 Moderator
                        last edited by

                        @bmeeks:

                        Hey guys:

                        Just posted a small bug fix update for the new Snort package.  The new GUI package version is bumped to 3.1.1.  The bug was in a path supplied to the cron task for rule updates.  The old path was there and that meant the job was not executing.

                        All you need to do is just reinstall the GUI components on the System…Packages...Installed Packages menu in pfSense.  I'm going to rename this topic to match the update.

                        Bill

                        Thanks Bill. Great Work on the Latest Version!!  :) :)

                        • D
                          dgcom
                          last edited by

                          As I said, some installs do not really need anything more than occasional check of the logs.
                          And to prevent clutter - I suggest it as an option, it can be implemented as filter - same as f/w logs currently.

                          DG

                          • BBcan177B
                            BBcan177 Moderator
                            last edited by

                            @dgcom:

                            As I said, some installs do not really need anything more than occasional check of the logs.
                            And to prevent clutter - I suggest it as an option, it can be implemented as filter - same as f/w logs currently.

                            +1

                            agree with you on the "Filter", that will be a "plus!"

                            • bmeeksB
                              bmeeks
                              last edited by

                              @BBcan177:

                              @dgcom:

                              As I said, some installs do not really need anything more than occasional check of the logs.
                              And to prevent clutter - I suggest it as an option, it can be implemented as filter - same as f/w logs currently.

                              +1

                              agree with you on the "Filter", that will be a "plus!"

                              A filter for the ALERTS tab is on my TODO list.

                              Bill

                              • J
                                jasonlitka
                                last edited by

                                I'm back!  Now I'm getting this:

                                Loading package instructions...
                                Include snort.inc is missing!
                                Removing package...
                                Starting package deletion for snort-2.9.6.2-amd64...done.
                                Removing snort components...
                                Configuration... done.
                                done.
                                Failed to install package.
                                
                                Installation halted.
                                

                                EDIT:  … and fixed.  Failed 4 times, worked the 5th.

                                I can break anything.

                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  @Jason:

                                  I'm back!  Now I'm getting this:

                                  Loading package instructions...
                                  Include snort.inc is missing!
                                  Removing package...
                                  Starting package deletion for snort-2.9.6.2-amd64...done.
                                  Removing snort components...
                                  Configuration... done.
                                  done.
                                  Failed to install package.
                                  
                                  Installation halted.
                                  

                                  EDIT:  … and fixed.  Failed 4 times, worked the 5th.

                                  Jason:

                                  Are you in the U.S.?  I wonder if there are multiple package repositories and the one you are pointing at is borked a little?  I've reinstalled twice in the last two days on my personal firewall without any issue like this.  I am located in the U.S. and use IPv4 for connectivity.  Another avenue to investigate is any sporadic network path problems between your location and the packages server.

                                  Bill

                                  • ?
                                    Guest
                                    last edited by

                                    @bmeeks:

                                    @chemlud:

                                    …I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???

                                    UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services

                                    What can I try next? :o

                                    ...updating the GUI components doesn't help either...

                                    UPDATE 2: In the SystemLog I find

                                    snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.

                                    …every time a service for an interface is started...

                                    Your install is not actually completing.  The key is the missing Snort entry under SERVICES in the pfSense menu.  Are you using a full install of pfSense or one of the Compact Flash versions?  If the latter, how much free space exists on the /var partition?

                                    Also just noticed that the path is all messed up:

                                    /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                                    

                                    It should look like this instead:

                                    /usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                                    

                                    There is a double backslash where there should be only one, and the complete path is doubled.

                                    Bill

                                    It's 4GB nano installation, /var is 100 MB RAM disk…

                                    How can I change any paths, I have done nothing with these paths...?!

                                    ...tried it again, but still no service Snort to find anywhere...

                                    Funny thing: after a rules update 2 h ago there were some alerts on one of the Snort interfaces in the System Log.

                                    • BBcan177B
                                      BBcan177 Moderator
                                      last edited by

                                      Can you access Snort with this link:

                                      https://x.x.x.x:XX/snort/snort_interfaces.php

                                      Using http/s, and your box IP and port?

                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @chemlud:

                                        @bmeeks:

                                        @chemlud:

                                        …I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???

                                        UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services

                                        What can I try next? :o

                                        ...updating the GUI components doesn't help either...

                                        UPDATE 2: In the SystemLog I find

                                        snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.

                                        …every time a service for an interface is started...

                                        Your install is not actually completing.  The key is the missing Snort entry under SERVICES in the pfSense menu.  Are you using a full install of pfSense or one of the Compact Flash versions?  If the latter, how much free space exists on the /var partition?

                                        Also just noticed that the path is all messed up:

                                        /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                                        

                                        It should look like this instead:

                                        /usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                                        

                                        There is a double backslash where there should be only one, and the complete path is doubled.

                                        Bill

                                        It's 4GB nano installation, /var is 100 MB RAM disk…

                                        How can I change any paths, I have done nothing with these paths...?!

                                        ...tried it again, but still no service Snort to find anywhere...

                                        Funny thing: after a rules update 2 h ago there were some alerts on one of the Snort interfaces in the System Log.

                                        The Nano installations appear to frequently have issues installing/reinstalling packages due to RAM disk limitations.  Odds are the 100 MB RAM disk is filling during the attempted install, and then the install goes south.  As part of cleaning up after the botched install, the partial package files will get cleaned up and thus the RAM disk won't "look" full.

                                        There are some other threads here related to package reinstallations on Nano installs, and not just with Snort but many other packages as well.  Can you perhaps increase the size of the RAM disk?  I have no experience with pfSense on NanoBSD.  Perhaps some other users can help out here.

                                        Bill
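
Added example (not part of the thread and not pfSense or Snort package code): a POSIX sh check for the doubled rules path diagnosed in the post above. It scans syslog-style lines for Snort's "Unable to open rules file" error and prints the single-copy path when the directory prefix is repeated after "//"; the function names and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Snort "Unable to open rules file" errors whose path has
# the form PREFIX//PREFIX/rest, as in the log line quoted in the thread.
# A lone "//" inside a path resolves like "/"; the repeated prefix is what
# makes the open fail, so only that case is reported.

# Print PREFIX and return 0 if $1 looks like PREFIX//PREFIX/rest; else return 1.
doubled_prefix() {
    case "$1" in
        *//*) ;;
        *) return 1 ;;
    esac
    dp_head=${1%%//*}      # everything before the first "//"
    dp_tail=/${1#*//}      # everything after it, leading "/" restored
    [ -n "$dp_head" ] || return 1
    case "$dp_tail" in
        "$dp_head"/*) printf '%s\n' "$dp_head"; return 0 ;;
    esac
    return 1
}

# Read log lines on stdin; for each rules-file error with a doubled prefix,
# print "<path as logged> => <single-copy path>".
scan_log() {
    sl_marker='Unable to open rules file "'
    while IFS= read -r sl_line; do
        case "$sl_line" in
            *"FATAL ERROR"*"$sl_marker"*) ;;
            *) continue ;;
        esac
        sl_path=${sl_line#*"$sl_marker"}   # drop text up to the opening quote
        sl_path=${sl_path%%\"*}            # drop the closing quote and the rest
        if doubled_prefix "$sl_path" >/dev/null; then
            printf '%s => %s\n' "$sl_path" "/${sl_path#*//}"
        fi
    done
}

# Sample input. Line 1 is the error quoted in the thread; lines 2 and 3 are
# constructed (a path with a harmless "//" and an unrelated message).
sample_log() {
    cat <<'EOF'
snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.
snort[60112]: FATAL ERROR: snort.conf(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules//local.rules": No such file or directory.
snort[60113]: Commencing packet processing (pid=60113)
EOF
}

sample_log | scan_log
```

On a live box, feed it the system log instead of `sample_log`; any output means an interface's generated configuration still carries the doubled rules path and Snort will not start on it.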

                                        • ?
                                          Guest
                                          last edited by

                                          @BBcan177:

                                          Can you access Snort with this link:

                                          https://x.x.x.x:XX/snort/snort_interfaces.php

                                          Using http/s, and your box IP and port?

                                          With the IP of the pfSense box: YES! (no port required).

                                          I set /tmp and /var to 200 MB and uninstalled Snort. Give it a new try… tbc...

                                          • ?
                                            Guest
                                            last edited by

                                            @chemlud:

                                            @BBcan177:

                                            Can you access Snort with this link:

                                            https://x.x.x.x:XX/snort/snort_interfaces.php

                                            Using http/s, and your box IP and port?

                                            With the IP of the pfSense box: YES! (no port required).

                                            I set /tmp and /var to 200 MB and uninstalled Snort. Give it a new try… tbc...

                                            Next try, the box becomes unresponsive, when I try to start a Snort on one interface at the https://x.x.x.x:/snort/snort_interfaces.php page.

                                            Faster to do a fresh install or try with /var set to 500 MB?

                                            update: more /var didn't help. Next box, same issue, new setup on all boxes…

                                            Many, many thanx for the updated Snort package, without current signatures it's not really helpful ;-)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.