Netgate Discussion Forum

    Snort 2.9.6.2 pkg v3.1.1 Update – Release Notes

    pfSense Packages
    59 Posts 11 Posters 12.8k Views
      Guest

      @chemlud:

      @BBcan177:

      Can you access Snort with this link:

      https://x.x.x.x:XX/snort/snort_interfaces.php

      Using http/s, and your box IP and port?

      With the IP of the pfSense box: YES! (no port required).

      I set /tmp and /var to 200 MB and uninstalled Snort. Give it a new try… tbc...

      Next try, the box becomes unresponsive, when I try to start a Snort on one interface at the https://x.x.x.x:/snort/snort_interfaces.php page.

      Faster to do a fresh install or try with /var set to 500 MB?

      update: more /var didn't help. Next box, same issue, new setup on all boxes…

      Many, many thanks for the updated Snort package, without current signatures it's not really helpful ;-)

        bmeeks

        @chemlud:

        Next try, the box becomes unresponsive, when I try to start a Snort on one interface at the https://x.x.x.x:/snort/snort_interfaces.php page.

        Faster to do a fresh install or try with /var set to 500 MB?

        update: more /var didn't help. Next box, same issue, new setup on all boxes…

        Many, many thanks for the updated Snort package, without current signatures it's not really helpful ;-)

        Can you post the output of your system log during a package reinstall attempt?  I need to see if anything gets logged there that might help.

        Here are some troubleshooting steps if you are willing to give them a try:

        From a shell prompt or directly at the firewall console, execute this command -

        php /usr/local/pkg/snort/snort_post_install.php
        

        It should execute with no errors.  Next, browse to the URL https://x.x.x.x:/snort/snort_interfaces.php again to bring up the Snort tabs.  See if things work better.

        This still won't put the menu option in place under SERVICES.  That is done by the native pfSense Package Manager code that actually installs the Snort PBI and associated PHP files.

        Post back here with a list of files in the following directories:  /usr/local/pkg/snort and /usr/local/www/snort.  This will let me confirm all the files are actually present.  Also verify you have a snort.sh script in /usr/local/etc/rc.d/ on the box.  You can post the contents of that file if you wish.  It contains nothing sensitive.

        I have to be away for most of today, so it will be later tonight U.S. Eastern Time before I can reply again.

        Bill

          Guest

          Here we go!

          As the two nano boxes are now on fresh installs, I updated a 2.1.4 i386 installation, same result, no Snort service in the GUI. (I have one of nano 4gb CF cards, can I retrieve some files by mounting it in openSuse?… Have to try...).

          With the link I can access the snort interfaces, initially there are no rules, after some tries I managed to get rules and then Snort appears to be up and running...

          Here are some of the things you requested:

          First pic is the final message of the Snort update process, apparently the rules update didn't work. I tried it again and again, but I failed with connectivity issues, etc. pp. The rest should be self-explanatory, I guess...

          Update: I'm too stupid, I can't get the screwed-up pfsense nano CF-card mounted under opensuse, not even as read-only... sorry...

          snortinstall1.jpg
          snortinstall2.jpg
          dirsnort1.jpg
          dirsnort2.jpg
          dirsnort3.jpg
          snortsh.txt

            bmeeks

            @chemlud:

            Here we go!

            As the two nano boxes are now on fresh installs, I updated a 2.1.4 i386 installation, same result, no Snort service in the GUI. (I have one of nano 4gb CF cards, can I retrieve some files by mounting it in openSuse?… Have to try...).

            With the link I can access the snort interfaces, initially there are no rules, after some tries I managed to get rules and then Snort appears to be up and running...

            Here are some of the things you requested:

            First pic is the final message of the Snort update process, apparently the rules update didn't work. I tried it again and again, but I failed with connectivity issues, etc. pp. The rest should be self-explanatory, I guess...

            Update: I'm too stupid, I can't get the screwed-up pfsense nano CF-card mounted under opensuse, not even as read-only... sorry...

            Ok, the problem does not appear to be with the Snort package itself. The key error is the very first one showing in your system log capture.  The one about an XMLRPC error is the reason Snort is not getting completely installed.  That is from the package manager code within pfSense itself.  I will have to refer this to the pfSense team.

            Bill

              Cino

              I think there is an issue with the system auto downloading rules:

              If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                bmeeks

                @Cino:

                I think there is an issue with the system auto downloading rules:

                If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

                As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

                Bill
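
The failure in this exchange (a script was moved, the cron entry still pointed at the old path, and PHP answered 'No input file specified.') can be checked for mechanically. This is an added example, not code from the Snort package or from any poster; the function names, the optional root prefix and the sample crontab (schedule fields and the second entry) are constructed for illustration.

```sh
#!/bin/sh
# Added example: list cron entries whose "php -f <script>" target is missing.

# stale_php_cron_targets CRONTAB_FILE [ROOT]
#   CRONTAB_FILE  file holding crontab lines
#   ROOT          optional prefix (hypothetical helper argument) so the check
#                 can run against a copy of a filesystem instead of "/"
# Prints one script path per line for every entry whose target does not exist.
stale_php_cron_targets() {
    crontab_file=$1
    root=${2:-}
    # Drop comment lines, then inspect each remaining entry.
    grep -v '^[[:space:]]*#' "$crontab_file" | while IFS= read -r line; do
        # Take the token that follows "php -f"; empty if the line does not
        # invoke php that way.
        script=$(printf '%s\n' "$line" |
            sed -n 's/.*php[[:space:]]\{1,\}-f[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p')
        [ -n "$script" ] || continue
        # A missing file is what produces "No input file specified."
        [ -f "$root$script" ] || printf '%s\n' "$script"
    done
}

# demo: builds a constructed crontab and a throwaway root in which only the
# second script exists, then reports the stale entry.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt/example"
    : > "$tmp/opt/example/present.php"
    printf '%s\n' \
        '# constructed sample crontab' \
        '*/5 * * * * root /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' \
        '0 3 * * * root /usr/local/bin/php -f /opt/example/present.php' \
        '1 3 * * * root /usr/bin/true' > "$tmp/crontab"
    stale_php_cron_targets "$tmp/crontab" "$tmp"
    rm -rf "$tmp"
}

demo
```

Run against the live crontab file with no second argument, it checks the paths on the real filesystem.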

                  val

                  Update on a full install pfSense 2.1.4 with no issues, many thanks Bill.

                  Intel Xeon E3-1225 V2 @ 3.20Ghz
                  Intel S1200KPR server board mini-ITX
                  A-data ECC 4GB x 2 1600MHz
                  Intel Ethernet Server Adapter I350-T2
                  Samsung 840 Pro 120GB
                  Lian-Li PC-Q15B

                    Cino

                    @bmeeks:

                    @Cino:

                    I think there is an issue with the system auto downloading rules:

                    If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                    That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

                    As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

                    Bill

                    Thanks Bill! Everything seems to be working now

                      bmeeks

                      @Cino:

                      @bmeeks:

                      @Cino:

                      I think there is an issue with the system auto downloading rules:

                      If I run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

                      That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

                      As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

                      Bill

                      Thanks Bill! Everything seems to be working now

                      You're welcome.  That little path bug was the main fix that went out in the 3.1.1 update.  I found it shortly after 3.1 went "live".

                      Bill

                        sunghost

                        Hi,
                        I installed the latest Snort package on the latest pfSense. I don't know if it was reported before, perhaps I will do again, but better than never. So on the update tab the link to the global settings tab leads to a 404 page not found with URL "snort/snort_global.php". The URL of the global settings is "/snort/snort_interfaces_global.php"

                        Hope that helps for fixing a little bug ,)

                          bmeeks

                          @sunghost:

                          Hi,
                          I installed the latest Snort package on the latest pfSense. I don't know if it was reported before, perhaps I will do again, but better than never. So on the update tab the link to the global settings tab leads to a 404 page not found with URL "snort/snort_global.php". The URL of the global settings is "/snort/snort_interfaces_global.php"

                          Hope that helps for fixing a little bug ,)

                          Thanks for reporting it.  I will fix it in the next update.

                          Bill

                            Guest

                            3rd nano installation 2.1.4 screwed up on update of snort. No snort in GUI anymore…

                            I saw no error messages in the syslog, the rules update completed according to the final message in the update window, but the snort interfaces didn't come up, after a reboot snort was gone from the GUI. As usual I can access it via https://IP/snort/snort_interfaces.php

                            wuuuuaaaahhh :'(

                              Supermule Banned

                              Exactly why I would like the release available on 2.0.x…

                              I just don't believe that 2.1.x is "done" since lots of bugs are still coming in.

                                BBcan177 Moderator

                                Bill was thinking that it's a mirror issue as NA doesn't seem to have those issues?

                                Maybe you guys can try to point your DNS to NA Mirror Servers instead?

                                "Experience is something you don't get until just after you need it."

                                Website: http://pfBlockerNG.com
                                Twitter: @BBcan177  #pfBlockerNG
                                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                  Guest

                                  @BBcan177:

                                  Bill was thinking that it's a mirror issue as NA doesn't seem to have those issues?

                                  Maybe you guys can try to point your DNS to NA Mirror Servers instead?

                                  I'm done now with the actual "production systems" but still some backup systems to go in the near future… Any suggestions on what to do exactly ;-)

                                  btw: I tried the updates in two different countries, both in Europe.

                                    BBcan177 Moderator

                                    @chemlud:

                                    Any suggestions on what to do exactly ;-)

                                    The packages download from:

                                    Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi …  [ repository]

                                    When I ping files.pfsense.org

                                    This is what IP it resolves to:

                                    PING files.pfsense.org (208.123.73.81): 56 data bytes
                                    64 bytes from 208.123.73.81: icmp_seq=0 ttl=55 time=55.767 ms

                                    Try editing your DNS Forwarder (Host Override)

                                    and point files.pfsense.org to this IP and see if it works? If you ping files.pfsense.org, you will receive an IP for a mirror that is closer to you. But obviously that ip/mirror is having issues.


                                      bmeeks

                                      @BBcan177:

                                      @chemlud:

                                      Any suggestions on what to do exactly ;-)

                                      The packages download from:

                                      Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi …  [ repository]

                                      When I ping files.pfsense.org

                                      This is what IP it resolves to:

                                      PING files.pfsense.org (208.123.73.81): 56 data bytes
                                      64 bytes from 208.123.73.81: icmp_seq=0 ttl=55 time=55.767 ms

                                      Try editing your DNS Forwarder (Host Override)

                                      and point files.pfsense.org to this IP and see if it works? If you ping files.pfsense.org, you will receive an IP for a mirror that is closer to you. But obviously that ip/mirror is having issues.

                                      I agree with this approach.  I think something is wrong on a mirror.  If the package itself was messed up, then all of the North American folks would be impacted.  I have performed three installs since the last update with no issues at all.  My systems resolve the URL to the same IP as BBcan177 posted.

                                      Bill

                                        Supermule Banned

                                        When pinging from Scandinavia we get this:

                                        PING files.pfsense.org (208.123.73.81): 56 data bytes
                                        64 bytes from 208.123.73.81: icmp_seq=0 ttl=50 time=152.243 ms

                                        So we don't get a mirror on the package files…

                                          bmeeks

                                          @Supermule:

                                          When pinging from Scandinavia we get this:

                                          PING files.pfsense.org (208.123.73.81): 56 data bytes
                                          64 bytes from 208.123.73.81: icmp_seq=0 ttl=50 time=152.243 ms

                                          So we don't get a mirror on the package files…

                                          Then I truly don't know what's wrong.  If the Snort package itself was messed up, you would expect it to fail for everyone.  Some (or a lot of) people have successfully installed the update.  I myself have installed it three times since it was posted – twice to virtual machines and once to my production box.  No problems encountered at all.  BBcan177 stated he has done multiple installs with no issues.  Others have posted success here as well.  This is a really perplexing problem.

                                          Bill

                                            Cino

                                            Not sure if anyone else noticed this or if it's an issue with my box only. I run both Snort and Suricata but only have blocking enabled with Suricata. When I reboot my box, Snort doesn't start:

                                            
                                            snort[55775]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_60770_em3//usr/pbi/snort-i386/etc/snort/snort_60770_em3/rules/suricata.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_60770_em3//usr/pbi/snort-i386/etc/snort/snort_60770_em3/rules/suricata.rules": No such file or directory.
                                            
                                            

                                            I'm puzzled why it's looking for suricata.rules.

                                            Now if I go and re-save each interface, I'm able to manually start them
