Snort on 2.2
-
I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no effect. I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode. I even signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?
-
I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no effect. I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode. I even signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?
Possible that it is. There is also a problem (or was last night) with Snort finding its shared libraries. The PBI configuration is definitely changed from 2.1 and earlier pfSense versions.
I have a 2.2 VM and access to the -tools repo, so I will work on Snort and see what it takes to get it working reliably on 2.2. Give me a day or so to finish up something with Suricata and then I can concentrate on this problem.
Bill
-
I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no effect. I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode. I even signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?
Possible that it is. There is also a problem (or was last night) with Snort finding its shared libraries. The PBI configuration is definitely changed from 2.1 and earlier pfSense versions.
I have a 2.2 VM and access to the -tools repo, so I will work on Snort and see what it takes to get it working reliably on 2.2. Give me a day or so to finish up something with Suricata and then I can concentrate on this problem.
Bill
I just tried this again since there have been 3 snapshots and a new version of snort, still no go. What's really weird is I also get a 403 forbidden when trying to update the snort VRT rules, even with a valid oinkcode and verifying I can download the files manually.
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_smtp_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_ssl_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_sip_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_ssh_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_dce2_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_dns_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_pop_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_imap_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: …
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort__/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort__/preproc_rules/sensitive-data.rules: No such file or directory'
May 1 13:16:41 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: …
May 1 13:16:41 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for …
May 1 13:17:10 kernel: pid 58227 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:10 kernel: pid 57632 (.pbirun), uid 0: exited on signal 11 (core dumped)
May 1 13:17:15 kernel: pid 59100 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:16 kernel: pid 58568 (.pbirun), uid 0: exited on signal 11 (core dumped)
May 1 13:17:22 kernel: pid 59693 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:22 kernel: pid 59231 (.pbirun), uid 0: exited on signal 11 (core dumped)
May 1 13:17:23 check_reload_status: Syncing firewall
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_smtp_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ssl_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_sip_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ssh_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_dce2_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_dns_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_pop_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_imap_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
May 1 13:17:23 check_reload_status: Syncing firewall
May 1 13:17:24 kernel: pid 62702 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:24 kernel: pid 62012 (.pbirun), uid 0: exited on signal 11 (core dumped)
-
Yes, Snort and most (if not all) packages with PBI components are broken on 2.2. It has to do with some problems and configuration changes the team is still working on with the PBI infrastructure in 2.2.
Once the Core Team declares the PBI infrastructure for 2.2 is "done", I will examine the Snort package and make any changes necessary to get it working on 2.2. I will post a note when that is done. Until then, consider Snort and Suricata both "broken" on the 2.2 snapshots.
Bill
-
Hi
bump. This is taking time. I like to test this ;). Suricata works but no go with pppoe
Thanks
-
Is there any news on Snort for 2.2? Still broken?
-
Snort and Suricata both are working in 2.2.
-
Many, many thanks for the reply, then I have to try again to make it work with the nano image (do I have to enter an alternative source for the package?)…
And many thanks for replying, although I'm not a GOLD member, did not send money to whoever at pfSense or elsewhere in the world, but simply asked a question on a forum for an open-source software…
-
Hi
Working fine but Suricata still doesn't support PPPoE interfaces yet.
-
@mais_um:
Hi
Working fine but Suricata still doesn't support PPPoE interfaces yet.
Correct. PPPoE support is a limitation within the Suricata binary itself and will require a patch. It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean). I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.
Bill
-
@mais_um:
Hi
Working fine but Suricata still doesn't support PPPoE interfaces yet.
Correct. PPPoE support is a limitation within the Suricata binary itself and will require a patch. It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean). I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.
Bill
Hi Bill,
is it confirmed that the following changes make Suricata work with PPPoE?
suricata.yaml:
pcap:
  - interface: em0   # the physical interface (i.e. em0, igb0, etc.), not the pppoe one
    checksum-checks: auto
    promisc: yes
Thanks
-
@mais_um:
Hi
Working fine but Suricata still doesn't support PPPoE interfaces yet.
Correct. PPPoE support is a limitation within the Suricata binary itself and will require a patch. It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean). I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.
Bill
Hi Bill,
is it confirmed that the following changes make Suricata work with PPPoE?
suricata.yaml:
pcap:
  - interface: em0   # the physical interface (i.e. em0, igb0, etc.), not the pppoe one
    checksum-checks: auto
    promisc: yes
Thanks
No, this is not an officially sanctioned fix. While Suricata will then not complain, it can still get confused by the PPPoE frame header that will be present. It will work sort of, but not 100% correctly. What this does is tell Suricata to treat the PPPoE data link as a physical Ethernet interface. Physical Ethernet interfaces are not expected to contain PPPoE frame headers, so they can confuse Suricata.
Bill
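Why the workaround above only "sort of" works, as an added Python illustration that is not from this thread or from Suricata's own decoder: on the wire a PPPoE session frame carries a 6-byte PPPoE header plus a 2-byte PPP protocol field between the Ethernet header and the IP packet, so a decoder told the link is plain Ethernet reads those bytes as the start of an IP header and gets an invalid version nibble. The EtherType and PPP protocol constants are the standard values; the frames, MACs and IP addresses are constructed for the example.

```python
import struct

# Standard on-the-wire identifiers (IEEE/IANA assignments).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021

def decode_ipv4(payload):
    """Return (version, src, dst) for an IPv4 header, or None if it is not IPv4."""
    if len(payload) < 20 or (payload[0] >> 4) != 4:
        return None
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return (4, src, dst)

def decode_as_plain_ethernet(frame):
    """What a decoder does when told the link is physical Ethernet: IP starts at offset 14."""
    return decode_ipv4(frame[14:])

def decode_pppoe_aware(frame):
    """Decoder that recognises the PPPoE session EtherType and peels the extra 8 bytes."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        return decode_ipv4(frame[14:])
    if ethertype == ETHERTYPE_PPPOE_SESSION:
        # PPPoE header: version/type (0x11), code (0x00 = session data), session id, payload length
        ver_type, code, _session_id, length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11 or code != 0x00:
            return None
        # First two bytes of the PPPoE payload are the PPP protocol number
        if struct.unpack("!H", frame[20:22])[0] != PPP_PROTO_IPV4:
            return None
        return decode_ipv4(frame[22:22 + length - 2])
    return None

# Constructed sample data: minimal IPv4 header 10.0.0.1 -> 192.0.2.1, zeroed MAC addresses.
IPV4_HDR = bytes([0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
                  10, 0, 0, 1, 192, 0, 2, 1])
ETH_HDR = bytes(12)
PLAIN_FRAME = ETH_HDR + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HDR
PPPOE_FRAME = (ETH_HDR + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
               + struct.pack("!BBHH", 0x11, 0x00, 0x0001, 2 + len(IPV4_HDR))
               + struct.pack("!H", PPP_PROTO_IPV4) + IPV4_HDR)

if __name__ == "__main__":
    print("plain-Ethernet view of PPPoE frame:", decode_as_plain_ethernet(PPPOE_FRAME))  # None
    print("PPPoE-aware view of PPPoE frame:  ", decode_pppoe_aware(PPPOE_FRAME))
```

The plain-Ethernet decoder handles the ordinary frame but returns nothing for the PPPoE one, which is the kind of silent misparse the workaround leaves in place.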