XMLRPC Sync for Snort config broken on pfSense 2.2.6?
-
Hi,
after updating to 2.216 the XMLRPC Sync between my two pfSense boxes seems to be broken. I get error messages like these all the time:
01-06-16 17:39:13 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: disablesid-sample.conf]
01-06-16 17:40:28 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: disablesid-sample.conf]
01-06-16 17:40:29 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: enablesid-sample.conf]
01-06-16 17:40:30 [ A communications error occurred while attempting XMLRPC sync with username admin https://10.0.254.2:443.]
01-06-16 17:40:31 [ A communications error occurred while attempting XMLRPC sync with username admin https://10.0.254.2:443.]
01-06-16 17:41:43 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: enablesid-sample.conf]
01-06-16 17:41:44 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: modifysid-sample.conf]
01-06-16 17:42:59 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: modifysid-sample.conf]
01-06-16 17:43:00 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: emerging-compromised-ips.txt]
01-06-16 17:44:14 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: emerging-compromised-ips.txt]
01-06-16 17:44:15 [ A communications error occurred while attempting snort XMLRPC sync with https://10.0.254.2:443.]
01-06-16 17:44:45 [ A communications error occurred while attempting XMLRPC sync with username admin https://10.0.254.2:443.]
01-06-16 17:44:46 [ A communications error occurred while attempting XMLRPC sync with username admin https://10.0.254.2:443.]
I know there was an XMLRPC bug in 2.2.15 which got fixed in 2.2.16; could that have an impact on the Snort XMLRPC Sync?
I may also add the following: both pfSense boxes run Snort 2.9.7.6 pkg v3.2.9.1, they are configured with CARP interfaces, and the pfSense XMLRPC Sync (High Availability Sync page)
works as expected.
Regards,
Emanuel
-
The XMLRPC Sync code is supposed to be identical in both packages. Are you saying you have Suricata and Snort both running on the same firewall pair, and they sync Snort properly but not Suricata? Or do you mean you have another firewall pair running Snort, and Snort syncs properly on that pair?
The change between 2.2.5 and 2.2.6 could be related to the error, but I would honestly expect it to break both Snort and Suricata since they share almost identical XMLRPC sync code. I will need to make some time to create two VMs and try to replicate the problem. I am very busy trying to get Snort and Suricata converted to Bootstrap for pfSense 2.3, though.
Bill
-
Hello Bill,
No, I don't have Suricata installed. Snort is the only package installed on both firewalls. The firewalls are configured in HA mode (CARP and XMLRPC Sync of the pfSense config).
XMLRPC Sync of the pfSense config runs without any problem. If I activate within the Snort settings the sync of the Snort config to the second node, I receive the XMLRPC sync
problems as referred to in my first mail.
The settings for the Snort sync node are identical (password/IP) to the settings of the XMLRPC Sync (HA settings).
Regards,
Emanuel
-
Sorry, I confused myself. Your post said nothing about Suricata, so I don't know where I got that from… :-[. I have been working back and forth on both packages of late, so I confused myself.
Now on to the issue. I will need a little time to try and replicate the issue in my test VMs. I am using most all of my spare time converting Snort to the new Bootstrap code.
Bill
-
I just wanted to add that a test with Suricata had the same sync problems on my HA setup. The failed sync also resulted in an unresponsive web interface on the second node. I had to restart the web GUI from the console or reboot every node to access the web interface again.
Regards,
Emanuel
-
I have the same issue (2.2.6 with snort package 3.2.9.1). I installed snort on a primary/backup pair that have never had snort running. These servers were upgraded from 2.1.5 to 2.2.6 but snort was never installed until 2.2.6. I have snort community rules, ETOpen rules, and OpenAPPID enabled.
[ A communications error occurred while attempting Snort XMLRPC sync with https://10.1.1.2:31000. Failed to transfer file: modifysid-sample.conf]
01-21-16 16:38:42 [ An error code was received while attempting XMLRPC sync with username admin https://10.1.1.2:31000 - Code 2: Invalid return payload: enable debugging to examine incoming payload]
I tried using the 'sync to configured backup server' setting and 'sync to host(s) defined below', making sure to set https, IP, port (not using a standard https port), and password. I have to restart the backup webgui sometimes when it attempts to sync. Interestingly, the settings seem to be getting to the backup. If I disable only the snort sync then I don't get any sync errors during normal firewall XMLRPC syncs.
-
Hi,
see my Post on https://forum.pfsense.org/index.php?topic=106892.0
After creating the missing file locally for snort, the log error for the missing files is gone… but I still have some problems...
Kind Regards
Andreas
-
Creating those files did get rid of the error for me too. I still get the other error though as you do. I am manually making changes on both firewalls until it gets figured out.
02-16-16 10:14:57 [ An error code was received while attempting XMLRPC sync with username admin https://10.1.1.2:31000 - Code 2: Invalid return payload: enable debugging to examine incoming payload]
02-16-16 10:16:12 [ A communications error occurred while attempting XMLRPC sync with username admin https://10.1.1.2:31000.]
If nobody else is getting these problems, maybe it is a combination of settings that we are using that creates the error.
Sniffing the traffic shows that the sync goes on for a bit and then port 31000 stops responding, as I only see SYN packets from the primary to the secondary.
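To triage entries like the ones quoted in this thread, here is a small parser (added example, not from the thread or from the pfSense/Snort packages) that splits the sync log lines into the three failure shapes seen above: a file that could not be transferred, an XMLRPC error code from the peer, and a plain communications error. The sample lines are constructed to match the format quoted in the posts; the field names and the classification are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the Snort/pfSense sync log entries quoted in this thread
SAMPLE_LOG = """\
01-06-16 17:39:13 [ A communications error occurred while attempting Snort XMLRPC sync with https://10.0.254.2:443. Failed to transfer file: disablesid-sample.conf]
01-06-16 17:40:30 [ A communications error occurred while attempting XMLRPC sync with username admin https://10.0.254.2:443.]
01-21-16 16:38:42 [ An error code was received while attempting XMLRPC sync with username admin https://10.1.1.2:31000 - Code 2: Invalid return payload: enable debugging to examine incoming payload]
02-16-16 10:16:12 [ A communications error occurred while attempting XMLRPC sync with username admin https://10.1.1.2:31000.]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[ (?P<msg>.*)\]$")
TARGET_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?")          # sync peer URL (host[:port])
FILE_RE = re.compile(r"Failed to transfer file: (?P<file>\S+)$")  # file the sync could not send
CODE_RE = re.compile(r"Code (?P<code>\d+): (?P<detail>.+)$")      # XMLRPC fault code from the peer


def parse_sync_log(text):
    """Turn raw sync log lines into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        target = TARGET_RE.search(msg)
        file_m = FILE_RE.search(msg)
        code_m = CODE_RE.search(msg)
        if file_m:
            kind = "missing_file"          # a rule/list file was not present to send
        elif code_m:
            kind = "error_code"            # the peer answered, but with a fault payload
        else:
            kind = "communications_error"  # no usable answer from the peer at all
        events.append({
            "ts": m.group("ts"),
            "target": target.group(0).rstrip(".") if target else None,
            "kind": kind,
            "file": file_m.group("file") if file_m else None,
            "code": int(code_m.group("code")) if code_m else None,
            "detail": code_m.group("detail") if code_m else None,
        })
    return events


def summarize(events):
    """Count failures per peer, per kind and per file so the operator knows what to check first."""
    return {
        "by_target": Counter(e["target"] for e in events),
        "by_kind": Counter(e["kind"] for e in events),
        "missing_files": Counter(e["file"] for e in events if e["file"]),
    }
```

The `missing_files` counter lists exactly the files to look for on the primary node, which is the check the next post in the thread describes doing by hand.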
-
Looking into this issue is next on my list after getting Snort converted to Bootstrap. That is taking priority, and I'm trying not to make any other PHP code changes or add bug fixes until the GUI is good on pfSense 2.3-BETA and Bootstrap.
It apparently broke when the web server daemon changed in 2.2.6.
Bill