Snort missing under services?
-
Nothing unusual.
login as: root
Using keyboard-interactive authentication.
Password for root@pfroute.jay.home:
*** Welcome to pfSense 2.2.1-RELEASE-pfSense (amd64) on pfroute ***

 WAN (wan)       -> hn1         -> v4/DHCP4: 73.7.172.9/23
 LAN (lan)       -> hn0         -> v4: 192.168.0.5/24
 WIRELESS (opt1) -> hn0_vlan999 -> v4: 192.168.10.1/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) pfSense Developer Shell
 4) Reset to factory defaults         13) Upgrade from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8

[2.2.1-RELEASE][root@pfroute.jay.home]/root: php /usr/local/pkg/snort/snort_post_install.php
Content-type: text/html

[2.2.1-RELEASE][root@pfroute.jay.home]/root:
And
Date              Version  Size    Configuration Change
3/28/15 10:35:00  11.7     474 KB  (system): Snort pkg v3.2.4: post-install configuration saved. Current
3/28/15 10:34:55  11.7     474 KB  (system): Installed cron job for /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 3600
Still no snort gui components or service listing.
-Jay
-
OK, to be honest I was more hoping to see some kind of error message… :(
The fact the config update history shows this line:
(system): Snort pkg v3.2.4: post-install configuration saved.
means the Snort package code itself completed and passed control back to the pfSense package manager code. That last piece of pfSense code is what writes the entry under SERVICES. For some reason that did not happen. Maybe there is something weird with the format of your config.xml file.
We have two options.
(1) If you are OK with it, open up the /conf/config.xml file using the menu option Diagnostics > Edit File. The file is plaintext XML. Scroll down until you see the sections for <installedpackages>. You will see tags in this section of the XML file for each installed package. There are tags for displaying the menu under SERVICES and other tags that tell pfSense how to start the package if the package runs as a service. I would like to see what that section of your config file looks like.
Here is an example from my firewall:
<installedpackages>
  <menu>
    <name>NUT</name>
    <tooltiptext>Set Network UPS Tools settings.</tooltiptext>
    <section>Services</section>
    <url>/status_nut.php</url>
  </menu>
  <menu>
    <name>Snort</name>
    <tooltiptext>Set up snort specific settings</tooltiptext>
    <section>Services</section>
    <url>/snort/snort_interfaces.php</url>
  </menu>
  <service>
    <name>nut</name>
    <rcfile>nut.sh</rcfile>
    <executable>upsmon</executable>
  </service>
  <service>
    <name>snort</name>
    <rcfile>snort.sh</rcfile>
    <executable>snort</executable>
  </service>
  .... {lots of other config entries for each installed package} ...
</installedpackages>
What is shown above are entries for two packages I have installed: NUT and Snort. There is lots of config stuff for both (especially Snort) that I did not capture. The key pieces for getting Snort to show on the menu under SERVICES are those <menu> tags above for Snort. The <service> tags tell pfSense how to start Snort.
(2) If you had rather not post that section of your config, then try editing it to include the two Snort entries I showed above. Make a backup first just in case something goes wrong. Mistyping in this file can render the firewall unbootable!
Bill
-
OK so that's where the problem is.. there's a packages entry but no menu or services… ?
-Jay
<installedpackages>
  <package>
    <name>snort</name>
    <pkginfolink>https://doc.pfsense.org/index.php/Setup_Snort_Package</pkginfolink>
    <website>http://www.snort.org</website>
    <category>Security</category>
    <depends_on_package_pbi>snort-2.9.7.2-amd64.pbi</depends_on_package_pbi>
    <build_pbi>
      <port>security/snort</port>
      <ports_after>security/barnyard2</ports_after>
    </build_pbi>
    <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET=PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET=PULLEDPORK FILEINSPECT HA;perl_SET=THREADS</build_options>
    <config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file>
    <version>2.9.7.2 pkg v3.2.4</version>
    <required_version>2.2</required_version>
    <status>Stable</status>
    <configurationfile>/snort.xml</configurationfile>
    <after_install_info>Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.</after_install_info>
    <depends_on_package_base_url>https://files.pfsense.org/packages/10/All/</depends_on_package_base_url>
  </package>
</installedpackages>
-
Hmm…I really have no clue why those two sections are missing. That is handled by the native pfSense code in the package manager functions and not by the Snort package itself. At any rate, you can manually patch it up by adding the missing sections using the template in my earlier post. Just copy out the <menu> and <service> sections for Snort and paste into your config.xml file. Since this is XML, be sure you grab the closing tags of </menu> and </service> as well.
Bill
Edit: to fix spelling error
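Added example, not code from this thread or from pfSense: a Python check, meant to be run on a backup copy of config.xml off the firewall, that lists installed packages which have a <package> entry but no matching <menu> or <service> entry, the state shown in Jay's config above. Matching entries to packages by case-insensitive <name> is an assumption of this example (not every package registers a service or uses its package name for the menu), and the embedded sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed <installedpackages> section in the state
# described in the thread (Snort has a <package> entry but no <menu> or
# <service>), next to a NUT package that registered correctly.
SAMPLE_CONFIG = """<pfsense>
  <installedpackages>
    <package><name>snort</name><version>2.9.7.2 pkg v3.2.4</version></package>
    <package><name>nut</name></package>
    <menu><name>NUT</name><section>Services</section><url>/status_nut.php</url></menu>
    <service><name>nut</name><rcfile>nut.sh</rcfile><executable>upsmon</executable></service>
  </installedpackages>
</pfsense>"""


def registration_gaps(config_xml):
    """Return {package name: [missing tags]} for packages lacking <menu>/<service>."""
    root = ET.fromstring(config_xml)
    installed = root if root.tag == "installedpackages" else root.find("installedpackages")
    if installed is None:
        raise ValueError("no <installedpackages> section found")

    def names(tag):
        # Assumption: entries are tied to a package by <name>, compared
        # case-insensitively (the menu says "NUT", the service says "nut").
        return {(e.findtext("name") or "").strip().lower() for e in installed.findall(tag)}

    menus, services = names("menu"), names("service")
    gaps = {}
    for pkg in sorted(names("package") - {""}):
        missing = [tag for tag, seen in (("menu", menus), ("service", services))
                   if pkg not in seen]
        if missing:
            gaps[pkg] = missing
    return gaps


if __name__ == "__main__":
    for pkg, missing in registration_gaps(SAMPLE_CONFIG).items():
        print(pkg, "is missing:", ", ".join(missing))
```

A reported gap is a prompt to inspect that package's entries by hand before editing, not proof of a fault.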
-
I had a theory for a minute there that the service watchdog was restarting something during the install but snort isn't listed as a service. (In the xml for service watchdog I mean.)
I will add the entries manually. Thanks for the assist.
-Jay
-
I don't think you should use "Service Watchdog" with Snort or Suricata for this exact issue.
-
I actually don't have the "Service Watchdog" installed.
Anyone have any idea on when this will be fixed, it's rather annoying.
-
It's pretty difficult to fix since no one has a clue what's going on…
I have never had the issue.
Do you do a vanilla 2.2.1 install and then import config file or do you install Snort from packages on the vanilla machine?
-
I upgraded my configuration from 2.1.
Maybe I'll just set up from scratch. Granted it's a PITA but it would clean up all the issues that come along with all the upgrades.
-
It would.
I have an upgrade from 2.1.5 running and it seems to work ok.
-
There is likely something in your config.xml file that is causing a problem with the package manager code at the end of the installation. I can take a look and try to see if I can find what the problem is, but I will need a copy of the config.xml you are using to upgrade from. The entire file would be most useful, but at the very least I will need the whole section between the <installedpackages> and </installedpackages> tags in the file.
If you are willing to share that info, you can send me a PM (private message) and I will give you my e-mail address. I will create a virtual machine with your starting version of pfSense and upgrade it with your configuration to see what happens.
Bill
-
Uninstall -> reboot -> reinstall -> report back
I did the same thing as above and had no success. I am running on an APU4 with a 30GB SSD. Full install. I can still get to snort interface through the widget. During install the process hangs during the vtl rule update. Usually around the 10% to 15% mark.
-
I have a user that volunteered to send me his configuration for testing. Give me a few days and let me see if I can figure out where the failure mode might be. This is a hard one because it seems to only happen to a few users. I'm not discounting it is happening, but out of the number of Snort/Suricata users, the number that seem affected by this problem is small. So be patient as this may take some digging to uncover what is going on.
Bill
-
So I got snort to re-appear back under services by doing the following.
Went into Snort settings via the snort widget. Went to Global settings and unchecked 'Install Snort VRT rules'. Hit save. Re-installed the package. It was able to run the update it wanted to run against the other rules. Then via services I went back into Snort, re-enabled the VRT rules and hit save. Updated the rules which worked this time. I had to re-select the rules for the WAN interface but Snort is back for me. YMMV
-
Thank you for the feedback. That is helpful information.
Bill
-
So upgraded to 2.2.2 tonight. Have the same issue with pfsense. I can't get it to download the updates, stalls every time now. Checked my snort code, removed the package, rebooted, re-installed, attempted to re-enable and re-download the rules, same problem. Short rules stop around 40%. Checked Dia's -> table -> snort2c and there was nothing listed. Stuck :(
-
Is there any type of proxy between you and the Snort VRT web site? The Snort code just does a straight download from the URL using a pfSense system call. That system call in turn uses curl. If there is a proxy like squid or something, it may have cached some corrupted copy of the file or something. Strange that it starts and then stalls. Do you see anything in the pfSense system log that might give a clue?
Bill
-
No proxy. Way I got around it was to login to the pfsense box. Go to /tmp and mv the current snort download folder to a .bak. Then I installed the emerging threat rules first and attempted the snort rules. That worked. I just kept trying things until it finally started to work again. Hope this helps in your troubleshooting quest. I saw more posts in the forums with people mentioning snort disappearing from services post upgrade. For me after the 2.2.2 upgrade I got the packages are still upgrading message forever which caused me to look into what was going on. It was snort again :(
Anyway all is fine for now with the package. If you need any logs let me know.
-
I correspond back and forth with a number of users, so forgive me if you stated this already. I don't remember if you have a conventional hard-disk install or a Nano install on CF. If Nano, you will need to manually bump up the size of the /tmp partition to at least 100 MB and potentially more. That partition gets used to temporarily store the PBI package details and is where all the Snort and ET rules packages download to and get unzipped before being copied to the /usr partition.
If you have a conventional disk, double-check how much free space is showing for the /tmp partition.
EDIT: never mind my question about Nano…scrolled back through this thread and saw you have a 30 GB SSD.
Bill
-
The real fix is to increase /tmp RAM Disk Size large enough to handle all of the installation data. None of the fixes shown above worked until I increased the size. I reinstalled it and it actually installed faster and worked this time.