Snort package doesn't shows up on the available package list

ypmict

Hi,
before this I am using the previous version of Snort package and then after I uninstall the package, the Snort is not int the available package list on my pfSense v2.0.1?
what is the problem?
anyone know why Snort is not in my package list?
thanks

phil.davis

 <package><name>snort</name>
	<version>2.9.6.2 pkg v3.1.4</version>
	<required_version>2.1</required_version>
	<status>Stable</status></package> 

Some selected bits of pkg_config.8.xml
The current version of Snort requires pfSense 2.1 or later.
pfSense V2.0.1 is now very old - time to upgrade and get loads of bug and security fixes.

ypmict

@phil.davis:

 <package><name>snort</name>
	<version>2.9.6.2 pkg v3.1.4</version>
	<required_version>2.1</required_version>
	<status>Stable</status></package> 

Some selected bits of pkg_config.8.xml
The current version of Snort requires pfSense 2.1 or later.
pfSense V2.0.1 is now very old - time to upgrade and get loads of bug and security fixes.

I see…
thanks for your reply...
One question though.. If I auto invoke the uprade, does all my pfsense setting intact? or is it safe using this auto update from v2.0.1 to v2.1.5?
thank you very much for your reply

phil.davis

Backup your config (and system) before upgrading - this is standard advice in the computing world.
The upgrade preserves (or converts as needed) all settings.
It also reinstalls all packages with the latest version.
You might need to access the webGUI of some packages and enable them again after an upgrade (e.g. pfBlocker disables itself after an upgrade/reinstall).

BBcan177

@ypmict:

One question though.. If I auto invoke the uprade, does all my pfsense setting intact? or is it safe using this auto update from v2.0.1 to v2.1.5?

There should be an option in the Snort:Global Tab to "Keep Snort Settings After Deinstall".

Not sure if there will be issues or not, so Please ensure you make a backup of the Config.

ypmict

thanks to both of you for the reply…  :)

bmeeks

@phil.davis:

 <package><name>snort</name>
	<version>2.9.6.2 pkg v3.1.4</version>
	<required_version>2.1</required_version>
	<status>Stable</status></package> 

Some selected bits of pkg_config.8.xml
The current version of Snort requires pfSense 2.1 or later.
pfSense V2.0.1 is now very old - time to upgrade and get loads of bug and security fixes.

Phil is correct.  At the request of the pfSense developers, support for pfSense versions older than 2.1 was removed a while back.  I will also admit that the move made maintaining the code easier because it no longer had to cope with multiple versions of the PHP engine…  ;)

Bill

ypmict

Hi…
after i upgrade my pfsense to the latest version and reinstaling snort...
I got some errors now after i try to start snort

as below:

Nov 14 00:08:03 snort[88692]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_46086_bge0/rules/snort.rules(5030) Unknown rule option: 'stream_size'.
Nov 14 00:08:03 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 46086 -D -q -l /var/log/snort/snort_bge046086 –pid-path /var/run --nolock-pidfile -G 46086 -c /usr/pbi/snort-amd64/etc/snort/snort_46086_bge0/snort.conf -i bge0' returned exit code '1', the output was ''

...hope you guys can help me..
thank you very much

BBcan177

@ypmict:

Nov 14 00:08:03 snort[88692]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_46086_bge0/rules/snort.rules(5030) Unknown rule option: 'stream_size'.
Nov 14 00:08:03 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 46086 -D -q -l /var/log/snort/snort_bge046086 –pid-path /var/run --nolock-pidfile -G 46086 -c /usr/pbi/snort-amd64/etc/snort/snort_46086_bge0/snort.conf -i bge0' returned exit code '1', the output was ''

Enable the "Stream5" Pre-Processor, as the rule is failing because its not enabled.

See the following link:

https://forum.pfsense.org/index.php?topic=82346.msg450504#msg450504

ypmict

@BBcan177:

@ypmict:

Nov 14 00:08:03 snort[88692]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_46086_bge0/rules/snort.rules(5030) Unknown rule option: 'stream_size'.
Nov 14 00:08:03 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 46086 -D -q -l /var/log/snort/snort_bge046086 –pid-path /var/run --nolock-pidfile -G 46086 -c /usr/pbi/snort-amd64/etc/snort/snort_46086_bge0/snort.conf -i bge0' returned exit code '1', the output was ''

Enable the "Stream5" Pre-Processor, as the rule is failing because its not enabled.

See the following link:

https://forum.pfsense.org/index.php?topic=82346.msg450504#msg450504

Hi…
thank you for the reply.. very much appreciated..

but when I checked my Stream5 pre-proc it already tick and enable…

after sometime I try to disable the SIP and … weird it can now start/run the Snort..
do you know why it happened?

thanks...

bmeeks

You need to enable the SIP preprocessor or else you will encounter additional start failures.  NEVER DISABLE ANY PREPROCESSORS except perhaps Portscan and Sensitive Data.  If you don't run any SCADA rules, then you can disable those two (Modbus and DNP3).

Your problems are likely a result of staying on an older version of pfSense and Snort.  The upgrade may have left some defaults unset.  That's just a guess.  I suggest blowing away your Snort configuration and starting from scratch.  You can do that by deleting all the configured interfaces in Snort and creating them anew.

Bill

ypmict

Hi..
I right now already uninstalled and uncheck the save config after deinstalled and then reinstalled snort fresh… but it shows the same error when i try to start it...
anyway that I need to search all snort config file and delete manually by using the ssh?

thanks..