Netgate Discussion Forum

    Snort 2.9.6.2 pkg v3.1.1 Update – Release Notes

    pfSense Packages
    59 Posts 11 Posters 12.8k Views
    • BBcan177 Moderator

      @bmeeks:

      Hey guys:

      Just posted a small bug fix update for the new Snort package.  The new GUI package version is bumped to 3.1.1.  The bug was in a path supplied to the cron task for rule updates.  The old path was there and that meant the job was not executing.

      All you need to do is just reinstall the GUI components on the System…Packages...Installed Packages menu in pfSense.  I'm going to rename this topic to match the update.

      Bill

      Thanks Bill. Great Work on the Latest Version!!  :) :)

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • dgcom

        As I said, some installs do not really need anything more than an occasional check of the logs.
        And to prevent clutter - I suggest it as an option; it can be implemented as a filter - same as f/w logs currently.

        DG

        • BBcan177 Moderator

          @dgcom:

          As I said, some installs do not really need anything more than an occasional check of the logs.
          And to prevent clutter - I suggest it as an option; it can be implemented as a filter - same as f/w logs currently.

          +1

          agree with you on the "Filter", that will be a "plus!"

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          • bmeeks

            @BBcan177:

            @dgcom:

            As I said, some installs do not really need anything more than an occasional check of the logs.
            And to prevent clutter - I suggest it as an option; it can be implemented as a filter - same as f/w logs currently.

            +1

            agree with you on the "Filter", that will be a "plus!"

            A filter for the ALERTS tab is on my TODO list.

            Bill

            • jasonlitka

              I'm back!  Now I'm getting this:

              Loading package instructions...
              Include snort.inc is missing!
              Removing package...
              Starting package deletion for snort-2.9.6.2-amd64...done.
              Removing snort components...
              Configuration... done.
              done.
              Failed to install package.
              
              Installation halted.
              

              EDIT:  … and fixed.  Failed 4 times, worked the 5th.

              I can break anything.

              • bmeeks

                @Jason:

                I'm back!  Now I'm getting this:

                Loading package instructions...
                Include snort.inc is missing!
                Removing package...
                Starting package deletion for snort-2.9.6.2-amd64...done.
                Removing snort components...
                Configuration... done.
                done.
                Failed to install package.
                
                Installation halted.
                

                EDIT:  … and fixed.  Failed 4 times, worked the 5th.

                Jason:

                Are you in the U.S.?  I wonder if there are multiple package repositories and the one you are pointing at is borked a little?  I've reinstalled twice in the last two days on my personal firewall without any issue like this.  I am located in the U.S. and use IPv4 for connectivity.  Another avenue to investigate is any sporadic network path problems between your location and the packages server.

                Bill

                • Guest

                  @bmeeks:

                  @chemlud:

                  …I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???

                  UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services

                  What can I try next? :o

                  ...updating the GUI components doesn't help either...

                  UPDATE 2: In the SystemLog I find

                  snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.

                  …every time a service for an interface is started...

                  Your install is not actually completing.  The key is the missing Snort entry under SERVICES in the pfSense menu.  Are you using a full install of pfSense or one of the Compact Flash versions?  If the latter, how much free space exists on the /var partition?

                  Also just noticed that the path is all messed up:

                  /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                  

                  It should look like this instead:

                  /usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                  

                  There is a double backslash where there should be only one, and the complete path is doubled.

                  Bill

                  It's 4GB nano installation, /var is 100 MB RAM disk…

                  How can I change any paths, I have done nothing with these paths...?!

                  ...tried it again, but still no service Snort to find anywhere...

                  Funny thing: after a rules update 2 h ago there were some alerts on one of the Snort interfaces in the System Log.

                  • BBcan177 Moderator

                    Can you access Snort with this link:

                    https://x.x.x.x:XX/snort/snort_interfaces.php

                    Using http/s, and your box IP and port?

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    • bmeeks

                      @chemlud:

                      @bmeeks:

                      @chemlud:

                      …I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???

                      UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services

                      What can I try next? :o

                      ...updating the GUI components doesn't help either...

                      UPDATE 2: In the SystemLog I find

                      snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.

                      …every time a service for an interface is started...

                      Your install is not actually completing.  The key is the missing Snort entry under SERVICES in the pfSense menu.  Are you using a full install of pfSense or one of the Compact Flash versions?  If the latter, how much free space exists on the /var partition?

                      Also just noticed that the path is all messed up:

                      /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                      

                      It should look like this instead:

                      /usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                      

                      There is a double backslash where there should be only one, and the complete path is doubled.

                      Bill

                      It's 4GB nano installation, /var is 100 MB RAM disk…

                      How can I change any paths, I have done nothing with these paths...?!

                      ...tried it again, but still no service Snort to find anywhere...

                      Funny thing: after a rules update 2 h ago there were some alerts on one of the Snort interfaces in the System Log.

                      The Nano installations appear to frequently have issues installing/reinstalling packages due to RAM disk limitations.  Odds are the 100 MB RAM disk is filling during the attempted install, and then the install goes south.  As part of cleaning up after the botched install, the partial package files will get cleaned up and thus the RAM disk won't "look" full.

                      There are some other threads here related to package reinstallations on Nano installs, and not just with Snort but many other packages as well.  Can you perhaps increase the size of the RAM disk?  I have no experience with pfSense on NanoBSD.  Perhaps some other users can help out here.

                      Bill

                      • Guest

                        @BBcan177:

                        Can you access Snort with this link:

                        https://x.x.x.x:XX/snort/snort_interfaces.php

                        Using http/s, and your box IP and port?

                        With the IP of the pfSense box: YES! (no port required).

                        I set /tmp and /var to 200 MB and uninstalled Snort. Give it a new try… tbc...

                        • Guest

                          @chemlud:

                          @BBcan177:

                          Can you access Snort with this link:

                          https://x.x.x.x:XX/snort/snort_interfaces.php

                          Using http/s, and your box IP and port?

                          With the IP of the pfSense box: YES! (no port required).

                          I set /tmp and /var to 200 MB and uninstalled Snort. Give it a new try… tbc...

                          Next try, the box becomes unresponsive, when I try to start a Snort on one interface at the https://x.x.x.x:/snort/snort_interfaces.php page.

                          Faster to do a fresh install or try with /var set to 500 MB?

                          update: more /var didn't help. Next box, same issue, new setup on all boxes…

                          Many, many thanx for the updated Snort package, without current signatures it's not really helpful ;-)

                          • bmeeks

                            @chemlud:

                            Next try, the box becomes unresponsive, when I try to start a Snort on one interface at the https://x.x.x.x:/snort/snort_interfaces.php page.

                            Faster to do a fresh install or try with /var set to 500 MB?

                            update: more /var didn't help. Next box, same issue, new setup on all boxes…

                            Many, many thanx for the updated Snort package, without current signatures it's not really helpful ;-)

                            Can you post the output of your system log during a package reinstall attempt?  I need to see if anything gets logged there that might help.

                            Here are some troubleshooting steps if you are willing to give them a try:

                            From a shell prompt or directly at the firewall console, execute this command -

                            php /usr/local/pkg/snort/snort_post_install.php
                            

                            It should execute with no errors.  Next, browse to the URL https://x.x.x.x:/snort/snort_interfaces.php again to bring up the Snort tabs.  See if things work better.

                            This still won't put the menu option in place under SERVICES.  That is done by the native pfSense Package Manager code that actually installs the Snort PBI and associated PHP files.

                            Post back here with a list of files in the following directories:  /usr/local/pkg/snort and /usr/local/www/snort.  This will let me confirm all the files are actually present.  Also verify you have a snort.sh script in /usr/local/etc/rc.d/ on the box.  You can post the contents of that file if you wish.  It contains nothing sensitive.

                            I have to be away for most of today, so it will be later tonight U.S. Eastern Time before I can reply again.

                            Bill

                            • Guest

                              Here we go!

                              As the two nano boxes are now on fresh installs, I updated a 2.1.4 i386 installation, same result, no Snort service in the GUI. (I have one of nano 4gb CF cards, can I retrieve some files by mounting it in openSuse?… Have to try...).

                              With the link I can access the snort interfaces, initially there are no rules, after some tries I managed to get rules and then Snort appears to be up and running...

                              Here some of the things you requested:

                              First pic is the final message of the Snort update process, apparently the rules update didn't work. I tried it again and again, but I failed with connectivity issues, etc. pp. The rest should be self-explanatory, I guess...

                              Update: I'm too stupid, I can't get the screwed-up pfsense nano CF-card mounted under opensuse, not even as read-only... sorry...

                              Attachments: snortinstall1.jpg, snortinstall2.jpg, dirsnort1.jpg, dirsnort2.jpg, dirsnort3.jpg, snortsh.txt

                              • bmeeks

                                @chemlud:

                                Here we go!

                                As the two nano boxes are now on fresh installs, I updated a 2.1.4 i386 installation, same result, no Snort service in the GUI. (I have one of nano 4gb CF cards, can I retrieve some files by mounting it in openSuse?… Have to try...).

                                With the link I can access the snort interfaces, initially there are no rules, after some tries I managed to get rules and then Snort appears to be up and running...

                                Here some of the things you requested:

                                First pic is the final message of the Snort update process, apparently the rules update didn't work. I tried it again and again, but I failed with connectivity issues, etc. pp. The rest should be self-explanatory, I guess...

                                Update: I'm too stupid, I can't get the screwed-up pfsense nano CF-card mounted under opensuse, not even as read-only... sorry...

                                Ok, the problem does not appear to be with the Snort package itself. The key error is the very first one showing in your system log capture.  The one about an XMLRPC error is the reason Snort is not getting completely installed.  That is from the package manager code within pfSense itself.  I will have to refer this to the pfSense team.

                                Bill

                                • Cino

                                  I think there is an issue with the system auto downloading rules:

                                  If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                                  • bmeeks

                                    @Cino:

                                    I think there is an issue with the system auto downloading rules:

                                    If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                                    That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

                                    As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

                                    Bill

                                    • val

                                      Update on a full install pfSense 2.1.4 with no issues, many thanks Bill.

                                      Intel Xeon E3-1225 V2 @ 3.20Ghz
                                      Intel S1200KPR server board mini-ITX
                                      A-data ECC 4GB x 2 1600MHz
                                      Intel Ethernet Server Adapter I350-T2
                                      Samsung 840 Pro 120GB
                                      Lian-Li PC-Q15B

                                      • Cino

                                        @bmeeks:

                                        @Cino:

                                        I think there is an issue with the system auto downloading rules:

                                        If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                                        That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

                                        As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

                                        Bill

                                        Thanks Bill! Everything seems to be working now

                                        • bmeeks

                                          @Cino:

                                          @bmeeks:

                                          @Cino:

                                          I think there is an issue with the system auto downloading rules:

                                          If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                                          That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

                                          As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

                                          Bill

                                          Thanks Bill! Everything seems to be working now

                                          You're welcome.  That little path bug was the main fix that went out in the 3.1.1 update.  I found it shortly after 3.1 went "live".

                                          Bill
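
The cron path bug discussed in this thread (the rule-update job pointing at a file that had been moved, so signature updates silently stopped) can be caught with a check like the one below. This is an added example, not code from the Snort package or from any poster; the sample crontab and `example_job.sh` are constructed, and the only path taken from the thread is the one in the command Cino quoted.

```shell
#!/bin/sh
# find_stale_cron_paths CRONTAB [ROOT]
# Prints "LINE:PATH" for every absolute path in a cron command that does not
# exist. ROOT is an optional prefix, used here so the sample runs offline.
find_stale_cron_paths() {
    fscp_file=$1
    fscp_root=${2:-}
    fscp_line=0
    while IFS= read -r fscp_text || [ -n "$fscp_text" ]; do
        fscp_line=$((fscp_line + 1))
        # Disable globbing: schedule fields such as "*" and "*/5" must not expand.
        set -f; set -- $fscp_text; set +f
        [ $# -gt 0 ] || continue                 # blank line
        case $1 in '#'*) continue ;; esac        # comment line
        for fscp_tok in "$@"; do
            # Strip one layer of surrounding quotes, if any.
            fscp_tok=${fscp_tok#\'}; fscp_tok=${fscp_tok%\'}
            fscp_tok=${fscp_tok#\"}; fscp_tok=${fscp_tok%\"}
            case $fscp_tok in
                /*) [ -e "$fscp_root$fscp_tok" ] ||
                        printf '%s:%s\n' "$fscp_line" "$fscp_tok" ;;
            esac
        done
    done < "$fscp_file"
}

# Constructed sample: a throwaway root that holds the interpreter binaries and
# one valid (hypothetical) job script, but not the rule-update script at the
# path quoted in the thread.
make_sample() {
    ms_root=$(mktemp -d) || return 1
    mkdir -p "$ms_root/usr/bin" "$ms_root/usr/local/bin" \
             "$ms_root/usr/local/sbin" "$ms_root/etc"
    : > "$ms_root/usr/bin/nice"
    : > "$ms_root/usr/local/bin/php"
    : > "$ms_root/usr/local/sbin/example_job.sh"
    cat > "$ms_root/etc/crontab" <<'EOF'
# constructed crontab in system format (with a user column)
SHELL=/bin/sh
*/5 * * * * root /usr/local/sbin/example_job.sh
3 */12 * * * root /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php
EOF
    printf '%s\n' "$ms_root"
}

sample=$(make_sample)
find_stale_cron_paths "$sample/etc/crontab" "$sample"
rm -rf "$sample"
```

On a live system, pass only the crontab file so paths are checked against the real filesystem; any line it prints is a scheduled job that will fail the way the rule-update task did.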

                                          • sunghost

                                            Hi,
                                            I installed the latest Snort package on the latest pfSense. I don't know if it was reported before; perhaps I am reporting it again, but better than never. On the update tab, the link to the global settings tab leads to a 404 page not found with the URL "snort/snort_global.php". The URL of the global settings is "/snort/snort_interfaces_global.php".

                                            Hope that helps with fixing a little bug ;)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.