Snort 2.9.6.2 pkg v3.1.1 Update – Release Notes

bmeeks

@Cino:

I think there is an issue with the system auto downloading rules:

if i run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

Bill

val

Update on a full install pfSense 2.1.4 with no issues, many thanks Bill.

Cino

@bmeeks:

@Cino:

I think there is an issue with the system auto downloading rules:

if i run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

Bill

Thanks Bill! Everything seems to be working now

bmeeks

@Cino:

@bmeeks:

@Cino:

I think there is an issue with the system auto downloading rules:

if i run '/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php' from the command line, it returns 'No input file specified.'

That should have been fixed in the 3.1.1 update.  Do a GUI package reinstall of Snort on the System…Packages...Installed Packages tab.  I moved some files to a different directory to improve security per one of the developer's comments, and forgot to change the path in the cron task entry.

As I said, should be fixed if you install 3.1.1.  If not, post back and let me know.  It seems to be OK on my production firewall and test VMs, though.

Bill

Thanks Bill! Everything seems to be working now

You're welcome.  That little path bug was the main fix that went out in the 3.1.1 update.  If found it shortly after 3.1 went "live".

Bill

sunghost

Hi,
i installed latest snort package on latest pfsense. i dont know if it was reported before perhaps i will do again, but better than never. So on the update tab the link to the global setting tab lead to 404 page not found with url "snort/snort_global.php". the url of the global settings are "/snort/snort_interfaces_global.php"

Hope that help for fixing a little bug ,)

bmeeks

@sunghost:

Hi,
i installed latest snort package on latest pfsense. i dont know if it was reported before perhaps i will do again, but better than never. So on the update tab the link to the global setting tab lead to 404 page not found with url "snort/snort_global.php". the url of the global settings are "/snort/snort_interfaces_global.php"

Hope that help for fixing a little bug ,)

Thanks for reporting it.  I will fix it in the next update.

Bill

Guest

3rd nano installation 2.1.4 screwed up on update of snort. No snort in GUI anymore…

I saw no error messages in the syslog, the rules update completed according to the final message in the update window, but the snort interfaces didn't come up, after a reboot snort was gone from the GUI. As usual I can access it via https://IP/snort/snort_interfaces.php

wuuuuaaaahhh :'(

Supermule

Exactly why I would like the release available on 2.0.x…

I just dont believe that 2.1.x is "done" since lots of bugs is still coming in.

BBcan177

Bill was thinking that its a mirror issue as NA doesn't seem to have those issues?

Maybe you guys can try to point your DNS to NA Mirror Servers instead?

Guest

@BBcan177:

Bill was thinking that its a mirror issue as NA doesn't seem to have those issues?

Maybe you guys can try to point your DNS to NA Mirror Servers instead?

I'm done now with the actual "production systems" but still some backup systems to go in the near future… Any suggestions on what to do excatly ;-)

btw: I tried the updates in two different countries, both in Europe.

BBcan177

@chemlud:

Any suggestions on what to do excatly ;-)

The packages download from:

Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi …  [ repository]

When I ping files.pfsense.org

This is what IP it resolves to:

PING files.pfsense.org (208.123.73.81): 56 data bytes
64 bytes from 208.123.73.81: icmp_seq=0 ttl=55 time=55.767 ms

Try editing your DNS Forwarder (Host Over ride)

and point files.pfsense.org to this IP and see if it works? If you ping files.pfsense.org, you will receive an IP for a mirror that is closer to you. But obviously that ip/mirror is having issues.

bmeeks

@BBcan177:

@chemlud:

Any suggestions on what to do excatly ;-)

The packages download from:

Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi …  [ repository]

When I ping files.pfsense.org

This is what IP it resolves to:

PING files.pfsense.org (208.123.73.81): 56 data bytes
64 bytes from 208.123.73.81: icmp_seq=0 ttl=55 time=55.767 ms

Try editing your DNS Forwarder (Host Over ride)

and point files.pfsense.org to this IP and see if it works? If you ping files.pfsense.org, you will receive an IP for a mirror that is closer to you. But obviously that ip/mirror is having issues.

I agree with this approach.  I think something is wrong on a mirror.  If the package itself was messed up, then all of the North American folks would be impacted.  I have performed three installs since the last update with no issues at all.  My systems resolve the ULR to the same IP as BBcan177 posted.

Bill

Supermule

When pinging from Scandinavia we get this:

PING files.pfsense.org (208.123.73.81): 56 data bytes
64 bytes from 208.123.73.81: icmp_seq=0 ttl=50 time=152.243 ms

So we dont get a mirror on the package files…

bmeeks

@Supermule:

When pinging from Scandinavia we get this:

PING files.pfsense.org (208.123.73.81): 56 data bytes
64 bytes from 208.123.73.81: icmp_seq=0 ttl=50 time=152.243 ms

So we dont get a mirror on the package files…

Then I truly don't know what's wrong.  If the Snort package itself was messed up, you would expect it to fail for everyone.  Some (or a lot of) people have successfully installed the update.  I myself have installed it three times since it was posted – twice to virtual machines and once to my production box.  No problems encountered at all.  BBcan177 stated he has done multiple installs with no issues.  Others have posted success here as well.  This is a really perplexing problem.

Bill

Cino

Not sure if anyone else noticed this or if its an issue with my box only.. I run both snort and suricata but only have blocking enable with suricata. When I reboot my box, snort doesn't start:

snort[55775]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_60770_em3//usr/pbi/snort-i386/etc/snort/snort_60770_em3/rules/suricata.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_60770_em3//usr/pbi/snort-i386/etc/snort/snort_60770_em3/rules/suricata.rules": No such file or directory.

I'm puzzled why its looking for suricata.rules.

Now if I go and re-save each interface, i'm able to manually start them

BBcan177

Hollander had the same issue in another thread. He uninstall Suricata and re-installed it.

Cino

I did search this thread before posting, next time I'll search the board. As always, thank you for all your support and hard work.

bmeeks

@Cino:

I did search this thread before posting, next time I'll search the board. As always, thank you for all your support and hard work.

I'm thinking the root of this error might be the problem I found with an extra backslash in some paths in the Suricata and Snort PHP code.  However, as part of my testing for the upcoming Suricata update, I will test in my VM lab with both Suricata and Snort enabled on a box.

Bill

Guest

@Supermule:

When pinging from Scandinavia we get this:

PING files.pfsense.org (208.123.73.81): 56 data bytes
64 bytes from 208.123.73.81: icmp_seq=0 ttl=50 time=152.243 ms

So we dont get a mirror on the package files…

My ping goes to the same IP.

…to me this whole story is kind of VERY disturbing...

bmeeks

@chemlud:

@Supermule:

When pinging from Scandinavia we get this:

PING files.pfsense.org (208.123.73.81): 56 data bytes
64 bytes from 208.123.73.81: icmp_seq=0 ttl=50 time=152.243 ms

So we dont get a mirror on the package files…

My ping goes to the same IP.

…to me this whole story is kind of VERY disturbing...

For Nano image boxes, make sure you have at least 200 MB of free space in /tmp.  The package manager code gets tripped up if it runs out of space to unpack and install a package.  That might be what's happening to you.

There was also a problem a few days ago with the SHA256 checksum files not getting uploaded to the packages servers.  The developer team pushed a fix for that I noticed a few days ago.

Bill