    Snort missing under services?

    • S
      Supermule Banned
      last edited by

      Uninstall -> reboot -> reinstall -> report back

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        In addition to what Supermule suggested, can you tell me if you are using a NanoBSD install or the regular full install with conventional hard disks?

        Bill

        1 Reply Last reply Reply Quote 0
        • V
          Visseroth
          last edited by

          No, just regular install and I tried that, uninstalled, reboot and reinstalled, still not showing in the service list. It is listed in services on the main screen but nothing under "Status - Services" either.

          1 Reply Last reply Reply Quote 0
          • S
            Supermule Banned
            last edited by

            CTRL + F5 to clear the cached CSS files…

            1 Reply Last reply Reply Quote 1
            • V
              Visseroth
              last edited by

              I thought maybe it might have something to do with my machine or my firewall but I am working on migrating towards virtualization and it seems my virtual firewall is having the exact same issue and I'm browsing it using a completely different machine.

              1 Reply Last reply Reply Quote 0
              • J
                jayntguru
                last edited by

                Same problem here. Happened after the latest release. When I install/reinstall it always sits at "starting snort" and goes on forever and never does anything else. Meanwhile snort is started and running perfectly, no errors in the logs, and I can still manage it by going directly to the snort pages. No amount of uninstalling, rebooting, installing, xml installing, etc makes it work. It's not a caching issue either, I can go to a new browser on a new machine and it's not there either, doesn't show up in status\services, doesn't show up under the dashboard services either.

                Oh I'm running a full regular install.

                I'm at a loss.

                -Jay

                Pfsense 2.2.1 on HyperV

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  Try this for me from a command line session (via SSH or directly on the pfSense console at the shell prompt).  I want to see if an error is happening in the install scripts.

                  Run this command and post any unusual output:

                  
                  php /usr/local/pkg/snort/snort_post_install.php
                  
                  

                  Also, look under Diagnostics > Backup/Restore and click the Config History tab.  Tell me if you see this line in the history:

                  
                  (system): Snort pkg v3.2.4: post-install configuration saved.
                  
                  

                  I would love to get to the bottom of this problem.  It appears to be more common on Nano installs than full installs.  In my particular case on my production firewall, I've never seen this problem and I've obviously done all the Snort updates.  However, enough folks have the issue so there is something somewhere.  Post the info I requested above and let's go from there.

                  Thanks,
                  Bill

                  1 Reply Last reply Reply Quote 0
                  • J
                    jayntguru
                    last edited by

                    Nothing unusual.

                    login as: root
                    Using keyboard-interactive authentication.
                    Password for root@pfroute.jay.home:
                    *** Welcome to pfSense 2.2.1-RELEASE-pfSense (amd64) on pfroute ***
                    
                     WAN (wan)       -> hn1        -> v4/DHCP4: 73.7.172.9/23
                     LAN (lan)       -> hn0        -> v4: 192.168.0.5/24
                     WIRELESS (opt1) -> hn0_vlan999 -> v4: 192.168.10.1/24
                     0) Logout (SSH only)                  9) pfTop
                     1) Assign Interfaces                 10) Filter Logs
                     2) Set interface(s) IP address       11) Restart webConfigurator
                     3) Reset webConfigurator password    12) pfSense Developer Shell
                     4) Reset to factory defaults         13) Upgrade from console
                     5) Reboot system                     14) Disable Secure Shell (sshd)
                     6) Halt system                       15) Restore recent configuration
                     7) Ping host                         16) Restart PHP-FPM
                     8) Shell
                    
                    Enter an option: 8
                    
                    [2.2.1-RELEASE][root@pfroute.jay.home]/root: php /usr/local/pkg/snort/snort_post_install.php
                    Content-type: text/html
                    
                    [2.2.1-RELEASE][root@pfroute.jay.home]/root:
                    
                    

                    And

                    	Date	Version	Size	Configuration Change	 
                    	3/28/15 10:35:00	11.7	474 KB	(system): Snort pkg v3.2.4: post-install configuration saved.	Current
                    		3/28/15 10:34:55	11.7	474 KB	(system): Installed cron job for /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 3600	 
                    

                    Still no snort gui components or service listing.

                    -Jay

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      OK, to be honest I was more hoping to see some kind of error message… :(.

                      The fact the config update history shows this line:

                      
                      (system): Snort pkg v3.2.4: post-install configuration saved.
                      
                      

                      means the Snort package code itself completed and passed control back to the pfSense package manager code.  That last piece of pfSense code is what writes the entry under SERVICES.  For some reason that did not happen.  Maybe there is something weird with the format of your config.xml file.

                      We have two options.

                      (1) If you are OK with it, open up the /conf/config.xml file using the menu option Diagnostics > Edit File.  The file is plaintext XML.  Scroll down until you see the sections for <installedpackages>.  You will see tags in this section of the XML file for each installed package.  There are tags for displaying the menu under SERVICES and other tags that tell pfSense how to start the package if the package runs as a service.  I would like to see what that section of your config file looks like.

                      Here is an example from my firewall:

                      
                      <installedpackages>
                          <menu>
                              <name>NUT</name>
                              <tooltiptext>Set Network UPS Tools settings.</tooltiptext>
                              <section>Services</section>
                              <url>/status_nut.php</url>
                          </menu>
                          <menu>
                              <name>Snort</name>
                              <tooltiptext>Set up snort specific settings</tooltiptext>
                              <section>Services</section>
                              <url>/snort/snort_interfaces.php</url>
                          </menu>
                          <service>
                              <name>nut</name>
                              <rcfile>nut.sh</rcfile>
                              <executable>upsmon</executable>
                          </service>
                          <service>
                              <name>snort</name>
                              <rcfile>snort.sh</rcfile>
                              <executable>snort</executable>
                          </service>

                          .... {lots of other config entries for each installed package} ...
                      </installedpackages>
                      
                      

                      What is shown above are entries for two packages I have installed:  NUT and Snort.  There is lots of config stuff for both (especially Snort) that I did not capture.  The key pieces for getting Snort to show on the menu under SERVICES are those <menu> tags above for Snort.  The <service> tags tell pfSense how to start Snort.

                      (2) If you had rather not post that section of your config, then try editing it to include the two Snort entries I showed above.  Make a backup first just in case something goes wrong.  Mistyping in this file can render the firewall unbootable!

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • J
                        jayntguru
                        last edited by

                        OK so that's where the problem is.. there's a packages entry but no menu or services… ?

                        -Jay

                        	 <installedpackages><package><name>snort</name>
                        			<pkginfolink>https://doc.pfsense.org/index.php/Setup_Snort_Package</pkginfolink>
                        			<website>http://www.snort.org</website>
                        
                        			<category>Security</category>
                        			<depends_on_package_pbi>snort-2.9.7.2-amd64.pbi</depends_on_package_pbi>
                        			 <build_pbi><port>security/snort</port>
                        				<ports_after>security/barnyard2</ports_after></build_pbi> 
                        			<build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET=PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET=PULLEDPORK FILEINSPECT HA;perl_SET=THREADS</build_options>
                        			<config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file>
                        			<version>2.9.7.2 pkg v3.2.4</version>
                        			<required_version>2.2</required_version>
                        			<status>Stable</status>
                        			<configurationfile>/snort.xml</configurationfile>
                        			<after_install_info>Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.</after_install_info>
                        			<depends_on_package_base_url>https://files.pfsense.org/packages/10/All/</depends_on_package_base_url></package></installedpackages> 
                        
                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          @jayntguru:

                          OK so that's where the problem is.. there's a packages entry but no menu or services… ?

                          -Jay

                          	 <installedpackages><package><name>snort</name>
                          			<pkginfolink>https://doc.pfsense.org/index.php/Setup_Snort_Package</pkginfolink>
                          			<website>http://www.snort.org</website>
                          			
                          			<category>Security</category>
                          			<depends_on_package_pbi>snort-2.9.7.2-amd64.pbi</depends_on_package_pbi>
                          			 <build_pbi><port>security/snort</port>
                          				<ports_after>security/barnyard2</ports_after></build_pbi> 
                          			<build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET=PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET=PULLEDPORK FILEINSPECT HA;perl_SET=THREADS</build_options>
                          			<config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file>
                          			<version>2.9.7.2 pkg v3.2.4</version>
                          			<required_version>2.2</required_version>
                          			<status>Stable</status>
                          			<configurationfile>/snort.xml</configurationfile>
                          			<after_install_info>Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.</after_install_info>
                          			<depends_on_package_base_url>https://files.pfsense.org/packages/10/All/</depends_on_package_base_url></package></installedpackages> 
                          

                          Hmm…I really have no clue why those two sections are missing.  That is handled by the native pfSense code in the package manager functions and not by the Snort package itself.  At any rate, you can manually patch it up by adding the missing sections using the template in my earlier post.  Just copy out the <menu> and <service> sections for Snort and paste into your config.xml file.  Since this is XML, be sure you grab the closing tags of </menu> and </service> as well.

                          Bill

                          Edit: to fix spelling error

                          1 Reply Last reply Reply Quote 0
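The check discussed in the posts above, as an added example that is not part of the original thread or of pfSense's own code: a Python script, meant to be run on a workstation against a downloaded backup of config.xml, that confirms the file is well-formed and lists packages that have a <package> entry but no matching <menu> or <service> entry. Matching names case-insensitively is an assumption based on the NUT and Snort entries shown in the thread, and not every package necessarily registers both entries, so a finding is a prompt to look, not proof of a fault.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a real config): both packages have a <package>
# entry, but only NUT has the <menu> and <service> entries.
SAMPLE_BROKEN = """<pfsense><installedpackages>
  <package><name>snort</name><version>2.9.7.2 pkg v3.2.4</version></package>
  <package><name>nut</name></package>
  <menu><name>NUT</name><section>Services</section><url>/status_nut.php</url></menu>
  <service><name>nut</name><rcfile>nut.sh</rcfile><executable>upsmon</executable></service>
</installedpackages></pfsense>"""

# The Snort <menu> and <service> entries from the template posted in the thread.
SNORT_ENTRIES = """  <menu><name>Snort</name>
    <tooltiptext>Set up snort specific settings</tooltiptext>
    <section>Services</section><url>/snort/snort_interfaces.php</url></menu>
  <service><name>snort</name><rcfile>snort.sh</rcfile><executable>snort</executable></service>
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("</installedpackages>",
                                     SNORT_ENTRIES + "</installedpackages>")


def registered_names(section, tag):
    """Lower-cased <name> of every <tag> directly under <installedpackages>."""
    return {(el.findtext("name") or "").strip().lower() for el in section.findall(tag)}


def audit_installed_packages(xml_data):
    """Return {package name: [missing entry types]}; empty dict if all match.

    Raises ValueError when the data is not well-formed XML (a mistyped or
    dropped closing tag) or has no <installedpackages> section.
    """
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    section = root if root.tag == "installedpackages" else root.find("installedpackages")
    if section is None:
        raise ValueError("no <installedpackages> section found")
    menus = registered_names(section, "menu")
    services = registered_names(section, "service")
    findings = {}
    for pkg in section.findall("package"):
        name = (pkg.findtext("name") or "").strip()
        missing = [tag for tag, known in (("menu", menus), ("service", services))
                   if name.lower() not in known]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    # With no argument the constructed sample is audited instead of a file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    try:
        result = audit_installed_packages(data)
    except ValueError as exc:
        sys.exit(f"do not restore this file: {exc}")
    for name, missing in result.items():
        print(f"{name}: no matching <{'>, <'.join(missing)}> entry")
    print(f"well-formed; {len(result)} package(s) flagged")
```

Running it on the backup before editing and again on the edited copy catches a dropped closing tag before the file goes back onto the firewall.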
                          • J
                            jayntguru
                            last edited by

                            I had a theory for a minute there that the service watchdog was restarting something during the install but snort isn't listed as a service. (In the xml for service watchdog I mean.)

                            I will add the entries manually. Thanks for the assist.

                            -Jay

                            1 Reply Last reply Reply Quote 0
                            • BBcan177B
                              BBcan177 Moderator
                              last edited by

                              I don't think you should use "Service Watchdog" with Snort or Suricata for this exact issue.

                              "Experience is something you don't get until just after you need it."

                              Website: http://pfBlockerNG.com
                              Twitter: @BBcan177  #pfBlockerNG
                              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                              1 Reply Last reply Reply Quote 0
                              • V
                                Visseroth
                                last edited by

                                I actually don't have the "Service Watchdog" installed.

                                Anyone have any idea on when this will be fixed, it's rather annoying.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  Supermule Banned
                                  last edited by

                                  It's pretty difficult to fix since no one has a clue of what's going on…

                                  I have never had the issue.

                                  Do you do a vanilla 2.2.1 install and then import config file or do you install Snort from packages on the vanilla machine?

                                  1 Reply Last reply Reply Quote 0
                                  • V
                                    Visseroth
                                    last edited by

                                    I upgraded my configuration from 2.1.
                                    Maybe I'll just set up from scratch. Granted it's a PITA but it would clean up all the issues that come along with all the upgrades.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      Supermule Banned
                                      last edited by

                                      It would.

                                      I have an upgrade from 2.1.5 running and it seems to work ok.

                                      1 Reply Last reply Reply Quote 0
                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @Visseroth:

                                        I upgraded my configuration from 2.1.
                                        Maybe I'll just set up from scratch. Granted it's a PITA but it would clean up all the issues that come along with all the upgrades.

                                        There is likely something in your config.xml file that is causing a problem with the package manager code at the end of the installation.  I can take a look and try to see if I can find what the problem is, but I will need a copy of the config.xml you are using to upgrade from.  The entire file would be most useful, but at the very least I will need the whole section between the <installedpackages> and </installedpackages> tags in the file.

                                        If you are willing to share that info, you can send me a PM (private message) and I will give you my e-mail address.  I will create a virtual machine with your starting version of pfSense and upgrade it with your configuration to see what happens.

                                        Bill

                                        1 Reply Last reply Reply Quote 0
                                        • L
                                          luvablemarmot
                                          last edited by

                                          @Supermule:

                                          Uninstall -> reboot -> reinstall -> report back

                                          I did the same thing as above and had no success. I am running on an APU4 with a 30GB SSD. Full install. I can still get to snort interface through the widget. During install the process hangs during the vtl rule update. Usually around the 10% to 15% mark.

                                          1 Reply Last reply Reply Quote 0
                                          • bmeeksB
                                            bmeeks
                                            last edited by

                                            I have a user that volunteered to send me his configuration for testing.  Give me a few days and let me see if I can figure out where the failure mode might be.  This is a hard one because it seems to only happen to a few users.  I'm not discounting it is happening, but out of the number of Snort/Suricata users, the number that seem affected by this problem is small.  So be patient as this may take some digging to uncover what is going on.

                                            Bill

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.