    Snort 2.9.7.0 pkg v3.2.1 Update Release Notes

    • bmeeks

      @RonpfS:

      Just to let you know that when I upgraded from Snort 2.9.6.2 pkg v3.1.5 to Snort 2.9.7.0 pkg v3.2.1 using the Reinstall Snort package button.

      I got this:

      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_smtp_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_sip_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_gtp_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_ssh_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dce2_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
      2014-12-21 14:44:07 User.Error 172.24.xx.yyy Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

      Snort was running.
      I stopped it and re-started it without any issues.

      This binary version of Snort changes the directory name where the preproc libraries are stored.  The snort.conf file has to be updated with the new name (and the new directory has to be created and populated).  That should have happened automatically prior to Snort startup on your box, but if you got errors then for some reason it did not.  Stopping and then manually restarting via the START/STOP icons will forcibly create the new snort.conf file.

      Bill
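
A consistency check for the situation Bill describes, as an added example that is not part of any post here or of the Snort package: it reads the `dynamicpreprocessor directory` line from snort.conf and lists which of the libraries named in the log are absent from that directory. The directory names `old_dir` and `new_dir`, the `.so` suffix and the temporary layout are assumptions, since the thread does not give the real paths.

```python
import os
import re
import tempfile

# Library base names taken from the "Could not find ..." messages quoted above.
EXPECTED = ["libsf_ftptelnet_preproc", "libsf_smtp_preproc", "libsf_ssl_preproc",
            "libsf_sip_preproc", "libsf_gtp_preproc", "libsf_ssh_preproc",
            "libsf_dce2_preproc", "libsf_dns_preproc", "libsf_pop_preproc",
            "libsf_imap_preproc"]

# Snort 2.x snort.conf directive naming the preprocessor library directory.
DIRECTIVE = re.compile(r"^\s*dynamicpreprocessor\s+directory\s+(\S+)", re.M)


def preproc_dir(conf_path):
    """Return the directory named by the dynamicpreprocessor directive, or None."""
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        match = DIRECTIVE.search(fh.read())
    return match.group(1) if match else None


def missing_preprocs(conf_path, expected=EXPECTED):
    """List expected libraries that are absent from the configured directory."""
    directory = preproc_dir(conf_path)
    if directory is None or not os.path.isdir(directory):
        return list(expected)  # stale or missing path: none of them can load
    present = os.listdir(directory)
    return [lib for lib in expected
            if not any(name.startswith(lib + ".") for name in present)]


def build_demo(stale):
    """Constructed layout (assumption): libraries live in new_dir; snort.conf
    still points at old_dir when stale is True, as right after the upgrade."""
    root = tempfile.mkdtemp(prefix="snort_demo_")
    new_dir = os.path.join(root, "new_dir")
    os.mkdir(new_dir)
    for lib in EXPECTED[:-1]:  # libsf_imap_preproc is left out on purpose
        open(os.path.join(new_dir, lib + ".so"), "w").close()
    target = os.path.join(root, "old_dir") if stale else new_dir
    conf = os.path.join(root, "snort.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed sample\n"
                 "dynamicpreprocessor directory %s\n" % target)
    return conf


if __name__ == "__main__":
    print("stale snort.conf :", missing_preprocs(build_demo(stale=True)))
    print("rebuilt snort.conf:", missing_preprocs(build_demo(stale=False)))
```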

      • RonpfS

        Oops, I forgot to include a few lines above:

        2014-12-21 14:43:39 User.Error 172.24.xx.yyy Dec 21 14:43:39 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
        2014-12-21 14:43:39 Daemon.Info 172.24.xx.yyy Dec 21 14:43:39 SnortStartup[5089]: Snort START for Wan Snort(18203_pppoe1)…

        2014-12-21 14:44:07  User.Error  172.24.xx.yyy  Dec 21 14:44:07 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
        ...
        2014-12-21 14:44:07  User.Error  172.24.xx.yyy  Dec 21 14:44:07 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!

        2014-12-21 14:49:37 Daemon.Error 172.24.xx.yyy Dec 21 14:49:37 snort[15120]: *** Caught Term-Signal
        2014-12-21 14:49:37 Kernel.Info 172.24.xx.yyy Dec 21 14:49:37 kernel: pppoe1: promiscuous mode disabled
        2014-12-21 14:49:45 User.Error 172.24.xx.yyy Dec 21 14:49:45 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(pppoe1)…
        2014-12-21 14:49:45 User.Error 172.24.xx.yyy Dec 21 14:49:45 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
        2014-12-21 14:50:00 Cron.Info 172.24.xx.yyy Dec 21 14:50:00 /usr/sbin/cron[71660]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
        2014-12-21 14:50:06 User.Error 172.24.xx.yyy Dec 21 14:50:06 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
        2014-12-21 14:50:08 User.Error 172.24.xx.yyy Dec 21 14:50:08 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
        2014-12-21 14:50:11 User.Error 172.24.xx.yyy Dec 21 14:50:11 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(pppoe1)…
        2014-12-21 14:50:34 Kernel.Info 172.24.xx.yyy Dec 21 14:50:34 kernel: pppoe1: promiscuous mode enabled

        So no problem after stopping and restarting Snort. :-)

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        • Supermule

          I get this after update

          I whitelist an IP range in aliases but Snort still blocks it…

          [Attached screenshots: snort_alert_whitelistedIP.PNG, firewall_whitelist_alias.PNG]

          • bmeeks

            @Supermule:

            I get this after update

            I whitelist an IP range in aliases but Snort still blocks it…

            Where is that IP range included in the Pass List for the interface?  Check on the INTERFACE SETTINGS tab for that interface and verify the IP range is showing up when you click View List beside the PASS LIST drop-down box. Simply calling an Alias "whitelist" is not sufficient.  You must assign the alias to a Pass List, then assign that Pass List to an interface and finally restart the interface for the whitelist to become effective.

            Bill

            • Supermule

              I have :(

              [Attached screenshot: pass_list.PNG]

              • bmeeks

                @Supermule:

                I have :(

                No changes at all were made to anything related to the PASS LIST logic (neither in the GUI code nor in the binary).  Did this just start recently?  Is this a new IP alias recently added?  Can you try defining it as 81.19.246.0/26 instead of as 81.19.246.1/26?

                Bill
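
The two spellings in the reply above mask down to the same 64-address block. This added example (not from the thread or the Snort package) normalises pass-list entries, flags any written with host bits set, and reports whether a given address is covered. The function name `audit_pass_list` and the tested addresses are constructed, and nothing here shows how Snort's own pass-list parser treats host bits.

```python
import ipaddress


def audit_pass_list(entries, blocked_ips):
    """Normalise pass-list entries and report which blocked IPs they cover."""
    networks, host_bits_set, ranges = [], [], {}
    for entry in entries:
        # strict=False accepts 81.19.246.1/26 and masks it down to the network.
        net = ipaddress.ip_network(entry, strict=False)
        if "/" in entry and str(net) != entry:
            host_bits_set.append((entry, str(net)))
        networks.append(net)
        ranges[str(net)] = (str(net[0]), str(net[-1]))  # first and last address
    coverage = {}
    for ip in blocked_ips:
        addr = ipaddress.ip_address(ip)
        coverage[ip] = [str(n) for n in networks if addr in n]
    return {"host_bits_set": host_bits_set, "ranges": ranges,
            "coverage": coverage}


if __name__ == "__main__":
    # The alias as written in the thread; the two addresses are constructed:
    # one inside the /26 and one just past its upper bound.
    report = audit_pass_list(["81.19.246.1/26"],
                             ["81.19.246.20", "81.19.246.70"])
    for written, normalised in report["host_bits_set"]:
        print("host bits set: %s -> %s" % (written, normalised))
    for net, (first, last) in report["ranges"].items():
        print("%s spans %s to %s" % (net, first, last))
    for ip, nets in report["coverage"].items():
        print("%s covered by %s" % (ip, nets or "nothing"))
```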

                • Supermule

                  Yes I will try that. :)

                  • chasba

                    Hi,

                    After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

                    
                    Jan 1 12:05:39	snort[9245]: AppInfo: AppId 3861 is UNKNOWN
                    Jan 1 10:10:00	snort[55346]: invalid appid in appStatRecord (367)
                    Jan 1 09:30:00	snort[55346]: invalid appid in appStatRecord (502)
                    Jan 1 09:20:00	snort[55346]: invalid appid in appStatRecord (502)
                    Jan 1 09:15:00	snort[55346]: invalid appid in appStatRecord (502)
                    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                    Jan 1 09:10:00	snort[55346]: invalid appid in appStatRecord (367)
                    Jan 1 09:05:00	snort[55346]: invalid appid in appStatRecord (367)
                    Jan 1 03:35:00	snort[55346]: invalid appid in appStatRecord (502)
                    Dec 31 23:10:00	snort[95021]: invalid appid in appStatRecord (186)
                    Dec 31 22:59:35	snort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                    Dec 31 10:33:11	snort[61151]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                    Dec 30 20:36:51	snort[42521]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
                    
                    

                    Hoping to get some help with these messages. :)

                    I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

                    Thanks!

                    • bmeeks

                      @chasba:

                      Hi,

                      After enabling OpenAppID on my snort install, I'm seeing the following messages in System Logs:

                      
                      
                      

                      Hoping to get some help with these messages. :)

                      I'm running 2.1.5-RELEASE (amd64) with snort 2.9.7.0 pkg v3.2.1. All rule sets are up to date.

                      Thanks!

                      I suspect these are errors within the OpenAppID detector scripts themselves.  They would have come down via the latest update to those scripts (which happens on the same schedule as other rule updates).  Try searching the Snort mailing list via Google or posting on the list to see if others have the same issue.  There are sometimes syntax errors that creep into the rules as the authors are sometimes working fast and furious to get them out there.

                      Bill

                      • val

                        @bmeeks:

                        I suspect these are errors within the OpenAppID detector scripts themselves.  They would have come down via the latest update to those scripts (which happens on the same schedule as other rule updates).  Try searching the Snort mailing list via Google or posting on the list to see if others have the same issue.  There are sometimes syntax errors that creep into the rules as the authors are sometimes working fast and furious to get them out there.

                        Bill

                        I am also seeing lots of those types of errors in my system log.

                        
                        Jan 1 17:45:02	snort[70325]: invalid appid in appStatRecord (186)
                        Jan 1 17:40:00	snort[70325]: invalid appid in appStatRecord (1603)
                        Jan 1 17:40:00	snort[52449]: invalid appid in appStatRecord (1603)
                        Jan 1 17:29:50	snort[70325]: Add service failed to create state
                        Jan 1 17:29:50	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                        Jan 1 17:28:42	snort[70325]: Add service failed to create state
                        Jan 1 17:28:42	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                        Jan 1 17:25:04	snort[70325]: Add service failed to create state
                        Jan 1 17:25:04	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                        Jan 1 17:10:01	snort[52449]: invalid appid in appStatRecord (186)
                        Jan 1 17:10:01	snort[70325]: invalid appid in appStatRecord (186)
                        Jan 1 17:09:53	snort[70325]: Add service failed to create state
                        Jan 1 17:09:53	snort[70325]: Failed to add to hash: 192.168.2.1:17:67
                        Jan 1 17:05:01	snort[52449]: invalid appid in appStatRecord (186)
                        Jan 1 17:05:01	snort[70325]: invalid appid in appStatRecord (186)
                        Jan 1 17:00:00	snort[70325]: invalid appid in appStatRecord (1603)
                        Jan 1 17:00:00	snort[52449]: invalid appid in appStatRecord (1603)
                        
                        

                        Intel Xeon E3-1225 V2 @ 3.20Ghz
                        Intel S1200KPR server board mini-ITX
                        A-data ECC 4GB x 2 1600MHz
                        Intel Ethernet Server Adapter I350-T2
                        Samsung 840 Pro 120GB
                        Lian-Li PC-Q15B

                        • TieT

                          I'm getting the same errors on the App ID

                          Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
                          Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
                          Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3861 is UNKNOWN
                          Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3885 is UNKNOWN
                          Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 699 is UNKNOWN

                          Jan 12 12:06:41 fw1 check_reload_status: Syncing firewall
                          Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (2734)
                          Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (2734)
                          Jan 12 18:10:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 18:10:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 18:15:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 18:15:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 18:20:16 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 18:20:16 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 18:25:10 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 18:25:10 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 18:35:01 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 18:35:01 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 18:40:02 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 18:40:02 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 18:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 18:45:00 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 19:00:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 19:00:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 19:05:04 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 19:05:04 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 19:15:07 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 19:15:07 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 19:45:05 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 19:45:05 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 19:50:11 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 19:50:15 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 19:55:13 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 19:55:13 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 20:02:29 fw1 snort[26114]: invalid appid in appStatRecord (502)
                          Jan 12 20:04:38 fw1 snort[21362]: invalid appid in appStatRecord (502)
                          Jan 12 22:20:02 fw1 snort[21362]: invalid appid in appStatRecord (2734)
                          Jan 12 22:20:02 fw1 snort[26114]: invalid appid in appStatRecord (2734)
                          Jan 12 22:30:04 fw1 snort[26114]: invalid appid in appStatRecord (186)
                          Jan 12 22:30:04 fw1 snort[21362]: invalid appid in appStatRecord (186)
                          Jan 13 10:00:01 fw1 snort[58024]: invalid appid in appStatRecord (3885)

                          • bmeeks

                            @TieT:

                            I'm getting the same errors on the App ID


                            These are issues within the OpenAppID templates themselves that are updated periodically from the Snort.org web site.  When you see these kinds of errors, it means the latest update to the templates contains some errors.  You can check the Snort VRT mail list to see if others are reporting issues.  It's also likely these will magically fix themselves in a future update of the OpenAppID templates.

                            Bill
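
A way to condense the OpenAppID messages posted in this thread before searching the mailing list, as an added example that is not part of any post or of the Snort package: it groups the lines by AppId, records which Snort PIDs logged them, and pulls the detector file and missing function out of the Lua errors. The function name `triage` and the result layout are assumptions; the sample lines are copied from the posts above, and the thread does not say what it means when an AppId shows up in both message types.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the posts above, in both syslog layouts seen there:
# tab-separated without a hostname, and space-separated with hostname "fw1".
SAMPLE_LOG = """\
Jan 1 12:05:39\tsnort[9245]: AppInfo: AppId 3861 is UNKNOWN
Jan 1 10:10:00\tsnort[55346]: invalid appid in appStatRecord (367)
Jan 1 09:30:00\tsnort[55346]: invalid appid in appStatRecord (502)
Dec 31 22:59:35\tsnort[95021]: client /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/client_eDonkey.lua: error validating [string ""]:135: attempt to call global 'reverseBinaryStringToNumber' (a nil value)
Jan 1 17:29:50\tsnort[70325]: Add service failed to create state
Jan 1 17:29:50\tsnort[70325]: Failed to add to hash: 192.168.2.1:17:67
Jan 12 12:06:41 fw1 check_reload_status: Syncing firewall
Jan 12 17:45:00 fw1 snort[21362]: invalid appid in appStatRecord (502)
Jan 12 17:45:00 fw1 snort[26114]: invalid appid in appStatRecord (2734)
Jan 13 10:00:01 fw1 snort[58024]: invalid appid in appStatRecord (3885)
Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 3885 is UNKNOWN
Jan 13 12:06:16 fw1 snort[65321]: AppInfo: AppId 740 is UNKNOWN
"""

# Timestamp, optional hostname, then the snort[pid] tag and the message.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?:\S+\s+)?"
    r"snort\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
APPID_PATTERNS = [
    ("invalid_stat", re.compile(r"invalid appid in appStatRecord \((\d+)\)")),
    ("unknown", re.compile(r"AppInfo: AppId (\d+) is UNKNOWN")),
]
LUA = re.compile(r"(?P<path>\S+\.lua): error validating .*?"
                 r"attempt to call global '(?P<fn>\w+)' \(a nil value\)")


def triage(text):
    """Group Snort OpenAppID syslog messages by type and AppId."""
    out = {"invalid_stat": Counter(), "unknown": Counter(), "lua": Counter(),
           "other": [], "pids": defaultdict(set)}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not a snort line (e.g. check_reload_status)
        msg, pid = m["msg"], int(m["pid"])
        lua = LUA.search(msg)
        if lua:
            detector = lua["path"].rsplit("/", 1)[-1]
            out["lua"][(detector, lua["fn"])] += 1
            continue
        for kind, rx in APPID_PATTERNS:
            hit = rx.search(msg)
            if hit:
                appid = int(hit.group(1))
                out[kind][appid] += 1
                out["pids"][appid].add(pid)
                break
        else:
            out["other"].append(msg)  # snort message of another type
    # AppIds reported by both message types.
    out["in_both"] = sorted(set(out["invalid_stat"]) & set(out["unknown"]))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for appid, count in result["invalid_stat"].most_common():
        print("appStatRecord AppId %d: %d line(s), PIDs %s"
              % (appid, count, sorted(result["pids"][appid])))
    print("UNKNOWN AppIds:", sorted(result["unknown"]))
    print("Lua detector errors:", dict(result["lua"]))
    print("In both lists:", result["in_both"])
```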

                            • core443

                              Hello,

                              I tried to get OpenAppId working, but it doesn't want to…

                              My snort is working, VRT & OpenAppId rules are downloaded. VRT alerts appear.
                              I followed this tutorial: https://forum.pfsense.org/index.php?topic=84227.0
                              When I go to reddit, nothing is logged in alerts. Nothing useful in the firewall logs either.

                              I'm running pfSense 2.1.5 with the latest version of snort.

                              Any idea?

                              Thanks!
