Netgate Discussion Forum

    Snort pkg 3.2.5 Update Release Notes

    • bmeeks

      An update for Snort has been posted for pfSense 2.2.x users.  The new package version is v3.2.5.

      NOTE: The pfSense Team decided to drop support for Snort updates on 2.1.x.  This is because of the failure of current binary source packages to build on FreeBSD 8.3.  This failure happens because of changes to compiler and package management systems on the current FreeBSD 10.x series.  Besides, FreeBSD 8.3 is officially EOL and it's time to move on.  So no more Snort or Suricata updates for pfSense 2.1.x and older.


      Snort 3.2.5
      This updates the Snort binary to version 2.9.7.3 and fixes one reported GUI package bug.  An adjustment to PHP memory is also included to provide extra memory for manipulating large rules arrays.  Details on bug fixes and features in the 2.9.7.3 Snort binary can be found here:  http://blog.snort.org/2015/05/snort-2973-is-now-available.html.

      New Features
      None

      Bug Fixes
      1. A corrupt snort.conf file is produced when the IP REPUTATION preprocessor is enabled but no IP Lists have been assigned for the interface.

      • cmb

        Thanks Bill! Appreciate your efforts.

        • Guest

          The update to Snort pkg 3.2.5 led to no service entry on my pfSense 2.2.2 firewalls.

          Running php /usr/local/pkg/snort/snort_post_install.php terminates without any errors, but the config.xml
          has no entries for snort in

          <installedpackages>
          <package>…</package>
          <menu>...</menu>
          </installedpackages>

          Would appreciate any help.

          • bmeeks

            @somosane:

            The update to Snort pkg 3.2.5 led to no service entry on my pfSense 2.2.2 firewalls.

            Running php /usr/local/pkg/snort/snort_post_install.php terminates without any errors, but the config.xml
            has no entries for snort in

            <installedpackages>
            <package>…</package>
            <menu>...</menu>
            </installedpackages>

            Would appreciate any help.

            I have tried and tried and tried and tried to duplicate this bug, and I have never been able to.  You are not the first person to report this, but it's only a very small percentage of Snort users that seem to have this problem.

            Provide me with the type of pfSense installation you are using (full install on a conventional hard disk or Nano-based install on CF).  I would really like to find what is causing this for some users.  As I mentioned, it's not many, but more than one have had this exact issue.

            Are you waiting until the installation completely and totally finishes before you leave the page?  Wait until you see a long string of messages in the status window.  The third line from the bottom will say "Installation completed".  You must wait until you see that message before browsing away from the installation screen.  If you leave the page before then, the package installation will be interrupted.

            @somosane:

            Running php /usr/local/pkg/snort/snort_post_install.php terminates without any errors, but the config.xml
            has no entries for snort in

            <installedpackages>
            <package>…</package>
            <menu>...</menu>
            </installedpackages>

            That PHP file is not responsible for creating the entries for the SERVICES menu.  In fact, packages do not create those entries.  They are handled by the built-in pfSense package installer code.  For some reason for some people, that code does not always execute.  It starts the Snort installation and then hands control over to the Snort package for a bit.  When the Snort package post-install code returns control to the pfSense package installer, the installer writes the menu entries under SERVICES, prints a "success" message and terminates.

            In the output I posted below of a successful install, these two lines indicate control has been passed to the custom Snort package post-install code:

            
            Executing custom_php_install_command()...done.
            Executing custom_php_resync_config_command()...done.
            
            

            After that last "…done." is printed, the Snort package returns control to the pfSense package installer so it can finish the GUI package installation by creating the menu entries under SERVICES.  It's this last part that appears to never happen for some folks.  One possibility is they get impatient and browse away from the install screen before everything actually finishes.

            This is the entire installation message string that should appear in the output window at the end of the installation:

            
            Beginning package installation for snort .
            Downloading package configuration file... done.
            Saving updated package information... done.
            Downloading snort and its dependencies... 
            Checking for package installation... 
             Downloading http://vm-pfpackages.themeeks.net/files/packages/10/All/snort-2.9.7.3-amd64.pbi ...  (extracting)
            Loading package configuration... done.
            Configuring package components...
            Loading package configuration... done.
            Additional files... done.
            Loading package instructions...
            Custom commands...
            Executing custom_php_install_command()...done.
            Executing custom_php_resync_config_command()...done.
            Menu items... done.
            Services... done.
            Writing configuration... done.
            
            Installation completed.
            snort setup instructions:
            Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.
            
            

            Copy and paste the messages back here that appear in the output window from your box during the installation.  Also post all of the relevant messages from the system log (any and all that appear related to the Snort installation and rules download).

            Bill
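
As an added example (not part of the thread and not pfSense or Snort package code): a Python check that looks in pasted installer output for the stages listed in the post above, and in a copy of config.xml for Snort's package, menu and service entries. The `<name>` child elements, the `<pfsense>` root and the sample data are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Installer stages, in the order the successful-install output above shows them.
STAGES = [
    "Executing custom_php_install_command()...done.",
    "Executing custom_php_resync_config_command()...done.",
    "Menu items... done.",
    "Services... done.",
    "Writing configuration... done.",
    "Installation completed.",
]

def missing_stages(output):
    """Return the stages from STAGES that never appear in the installer output."""
    lines = {line.strip() for line in output.splitlines()}
    return [s for s in STAGES if s not in lines]

def snort_entries(config_xml):
    """Report which <installedpackages> children are named snort.

    Assumption: each <package>, <menu> and <service> element carries a
    <name> child; the comparison is case-insensitive.
    """
    root = ET.fromstring(config_xml)
    found = {"package": False, "menu": False, "service": False}
    pkgs = root if root.tag == "installedpackages" else root.find("installedpackages")
    if pkgs is None:
        return found
    for tag in found:
        for el in pkgs.findall(tag):
            if (el.findtext("name") or "").strip().lower() == "snort":
                found[tag] = True
    return found

# Constructed samples: output that stops after the Snort post-install code,
# and a config.xml fragment with a package record but no menu or service entry.
SAMPLE_OUTPUT = """Custom commands...
Executing custom_php_install_command()...done.
Executing custom_php_resync_config_command()...done.
"""
SAMPLE_CONFIG = """<pfsense><installedpackages>
<package><name>snort</name></package>
</installedpackages></pfsense>"""

if __name__ == "__main__":
    print("missing stages:", missing_stages(SAMPLE_OUTPUT))
    print("config entries:", snort_entries(SAMPLE_CONFIG))
```

Missing stages from "Menu items... done." onward mean control never returned to the pfSense package installer, which matches a config.xml without menu or service entries.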

            • pfcode

              Upgraded it without issues. Appreciated!

              Release: pfSense 2.4.3(amd64)
              M/B: Supermicro A1SRi-2558F
              HDD: Intel X25-M 160G
              RAM: 2x8Gb Kingston ECC ValueRAM
              AP: Netgear R7000 (XWRT), Unifi AC Pro

              • Guest

                Hi Bill,

                I'm using pfSense on a Crucial SSD. I disabled the session timeout before performing the update and let it run for an hour without closing the browser window, so that was not the reason, I suppose.

                I have manually disabled all 6 of my snort interfaces within the config.xml file and performed the update again. Now it installed as it is supposed to, with the corresponding service entries.
                The activation of all 6 snort interfaces takes around 10 minutes (SuperMicro SYS-5018A-FTN4) so I would expect that there is a timing issue when the snort startup takes too long.

                Regards,

                Emanuel

                • bmeeks

                  @somosane:

                  Hi Bill,

                  The activation of all 6 snort interfaces takes around 10 minutes (SuperMicro SYS-5018A-FTN4) so I would expect that there is a timing issue when the snort startup takes too long.

                  Regards,

                  Emanuel

                  Thanks for the feedback.  You could very well be correct.  I can change the startup at the end of the post-install code to launch as a background task.  That should stop any timing issue with package installation.

                  Bill

                  • Beerman

                    Had some trouble updating the package.

                    Output of the installation process sometimes stops at "…waiting for snort to start...". Sometimes it stops at "... generating interface configuation...".

                    Even the attempt to remove the package was sometimes not successful. Output stops at some point. Second try works...

                    I tried the installation several times, but no success... Snort was running, but no entry in the web-config.

                    Then I restarted "php-fpm" and used IE (before, I was using Firefox - v.38.0.5), and the installation was OK and did not take long...

                    I don't know what helped... My guess is the change of browser, because on the console I saw the whole installation process and snort did run after that, but the output stuck.

                    Unfortunately I tried both together... :-(

                    • Beerman

                      @Beerman:

                      Had some trouble updating the package.

                      Output of the installation process sometimes stops at "…waiting for snort to start...". Sometimes it stops at "... generating interface configuation...".

                      Even the attempt to remove the package was sometimes not successful. Output stops at some point. Second try works...

                      I tried the installation several times, but no success... Snort was running, but no entry in the web-config.

                      Then I restarted "php-fpm" and used IE (before, I was using Firefox - v.38.0.5), and the installation was OK and did not take long...

                      I don't know what helped... My guess is the change of browser, because on the console I saw the whole installation process and snort did run after that, but the output stuck.

                      Unfortunately I tried both together... :-(

                      I checked again, today.

                      Removing and installation fails with Firefox 38.0.5

                      Output at removing of the package stops at:

                      
                      Starting package deletion for snort-2.9.7.3-amd64...
                      

                      Output at installation of the package stops at:

                      Please wait while Snort is started...
                      

                      But with IE11 removing and installing of the package worked.

                      Installation took ~ 5 min.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.