Snort IF does not Start and Failed to Reinstall Cron
-
I upgraded to pfSense-base-2.4.0.b.20170318.0814 from pfSense-base-2.4.0.b.20170313.xxxx
Edit: Upgraded from pfSense-base-2.4.0.b.20170313.1355
Since the upgrade a Snort IF will not start. I thought to reinstall the package. The Snort package reinstall worked. The IF still did not start. So I thought I would restore settings and reinstall all packages. Then I got more errors.
I went to reinstall all packages from Diagnostics>Backup & Restore>Reinstall Packages. Failed.
Reinstalling pfSense-pkg-Cron
>>> Upgrading pfSense-pkg-Cron...
Updating pfSense-core repository catalogue...
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be REINSTALLED:
pfSense-pkg-Cron-0.3.7_1 [pfSense]
Number of packages to be reinstalled: 1
[1/1] Reinstalling pfSense-pkg-Cron-0.3.7_1...
[1/1] Extracting pfSense-pkg-Cron-0.3.7_1: .......... done
Removing Cron components...
Menu items... done.
Loading package instructions...
Deinstall commands... done.
pkg: Fail to rename /usr/local/www/packages/cron/.cron.php.tJJigfijGw23 -> /usr/local/www/packages/cron/cron.php: No such file or directory
Failed
I tried to reinstall an individual package at System>Package Manager. Failed.
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be REINSTALLED:
pfSense-pkg-Cron-0.3.7_1 [pfSense]
Number of packages to be reinstalled: 1
[1/1] Reinstalling pfSense-pkg-Cron-0.3.7_1...
[1/1] Extracting pfSense-pkg-Cron-0.3.7_1: .......... done
Removing Cron components...
Menu items... done.
Loading package instructions...
Deinstall commands... done.
pkg: Fail to rename /usr/local/www/packages/cron/.cron.php.v7l9u0xOZPhO -> /usr/local/www/packages/cron/cron.php: No such file or directory
Failed
I tried reinstalling other packages such as Snort and pfBlockerNG and that works.
Thoughts? (I already sense a "reinstall from scratch" coming my way…)
Edit: I should add that on the VGA output it continues to output:
pfr_update_stats: assertion failed.
-
Remove the package first and install it again. There's some super-retarded bug in pkg that spits out similar crap trying to rename something for a completely unknown reason.
https://redmine.pfsense.org/issues/7310
https://redmine.pfsense.org/issues/7229
-
I read both redmine links. Thanks. I updated the original post with the full package name info (pfSense-base-2.4.0.b.20170313.1355) I was upgrading from for future reference.
I completed:
pkg remove pfSense-pkg-snort-3.2.9.2_16
and then,
pkg install pfSense-pkg-snort-3.2.9.2_16
I browsed to Services>Snort>Snort Interfaces where my Interface is still listed from before. I attempt to restart said interface but it fails.
The tutorial I used to configure this Interface was by bmeeks here https://forum.pfsense.org/index.php?topic=61018.0 "Quick Snort Setup…" (thank you bmeeks!)
Shortened output of:
clog /var/log/system.log | grep -i snort
Mar 19 14:18:28 Nighthawk snort[18377]: FATAL ERROR: /usr/local/etc/snort/snort_62137_re0/rules/snort.rules(427) Unknown rule option: 'sd_pattern'.
Mar 19 15:56:48 Nighthawk php: /etc/rc.packages: [Snort] Snort package uninstall in progress...
Mar 19 15:56:59 Nighthawk php: /etc/rc.packages: [Snort] Removing package files...
Mar 19 15:56:59 Nighthawk php: /etc/rc.packages: [Snort] Package files removed but all Snort configuration info has been retained.
Mar 19 15:56:59 Nighthawk pkg: pfSense-pkg-snort-3.2.9.2_16 deinstalled
Mar 19 15:57:14 Nighthawk php: /etc/rc.packages: Beginning package installation for snort .
Mar 19 15:57:15 Nighthawk php: /etc/rc.packages: [Snort] Saved settings detected... rebuilding installation with saved settings.
Mar 19 15:57:15 Nighthawk php: /etc/rc.packages: [Snort] Checking configuration settings version...
Mar 19 15:57:15 Nighthawk php: /etc/rc.packages: [Snort] Configuration version is current...
Mar 19 15:57:15 Nighthawk php: /etc/rc.packages: [Snort] Downloading and updating configured rule sets.
Mar 19 15:57:15 Nighthawk php: /etc/rc.packages: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2983.tar.gz...
Mar 19 16:00:08 Nighthawk php: /etc/rc.packages: [Snort] Snort VRT rules file update downloaded successfully
Mar 19 16:00:16 Nighthawk php: /etc/rc.packages: [Snort] The Rules update has finished.
Mar 19 16:00:16 Nighthawk php: /etc/rc.packages: [Snort] Updating rules configuration for: WAN ...
Mar 19 16:00:24 Nighthawk php: /etc/rc.packages: [Snort] Enabling any flowbit-required rules for: WAN...
Mar 19 16:00:25 Nighthawk php: /etc/rc.packages: [Snort] Building new sid-msg.map file for WAN...
Mar 19 16:00:28 Nighthawk php: /etc/rc.packages: [Snort] Finished rebuilding installation from saved settings.
Mar 19 16:00:28 Nighthawk php: /etc/rc.packages: [Snort] Package post-installation tasks completed...
Mar 19 16:00:29 Nighthawk php: /etc/rc.packages: Successfully installed package: snort.
Mar 19 16:00:29 Nighthawk pkg: pfSense-pkg-snort-3.2.9.2_16 installed
Mar 19 16:45:45 Nighthawk php-fpm[46486]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Mar 19 16:45:53 Nighthawk php-fpm[46486]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Mar 19 16:45:54 Nighthawk php-fpm[46486]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
Mar 19 16:45:56 Nighthawk php-fpm[46486]: /snort/snort_interfaces.php: Starting Snort on WAN(re0) per user request...
Mar 19 16:45:56 Nighthawk php-fpm[46486]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(re0)...
Mar 19 16:45:56 Nighthawk snort[68751]: Could not open RnaAppMapping Table file: /usr/local/etc/snort/appid/odp/appMapping.data
further down…
Mar 19 18:07:01 Nighthawk snort[70525]: FATAL ERROR: /usr/local/etc/snort/snort_62137_re0/rules/snort.rules(427) Unknown rule option: 'sd_pattern'.
Mar 19 18:07:01 Nighthawk php-fpm[60365]: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 62137 -D -q --suppress-config-log -l /var/log/snort/snort_re062137 --pid-path /var/run --nolock-pidfile -G 62137 -c /usr/local/etc/snort/snort_62137_re0/snort.conf -i re0' returned exit code '1', the output was ''
Mar 19 18:15:12 Nighthawk php-fpm[67484]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Mar 19 18:15:19 Nighthawk php-fpm[67484]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Mar 19 18:15:20 Nighthawk php-fpm[67484]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
Mar 19 18:15:22 Nighthawk php-fpm[67484]: /snort/snort_interfaces.php: Starting Snort on WAN(re0) per user request...
Mar 19 18:15:22 Nighthawk php-fpm[67484]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(re0)...
Mar 19 18:15:23 Nighthawk snort[55157]: Could not open RnaAppMapping Table file: /usr/local/etc/snort/appid/odp/appMapping.data
further still…
Mar 19 18:15:23 Nighthawk snort[55157]: FATAL ERROR: /usr/local/etc/snort/snort_62137_re0/rules/snort.rules(427) Unknown rule option: 'sd_pattern'.
Mar 19 18:15:23 Nighthawk php-fpm[67484]: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 62137 -D -q --suppress-config-log -l /var/log/snort/snort_re062137 --pid-path /var/run --nolock-pidfile -G 62137 -c /usr/local/etc/snort/snort_62137_re0/snort.conf -i re0' returned exit code '1', the output was ''
Should I uncheck "Keep Snort Settings After Deinstall", then uninstall, then reinstall again?
Then reconfigure Snort per bmeeks' tutorial?
Or am I misunderstanding what dok was trying to show me?
-
I upgraded to pfSense-base-2.4.0.b.20170319.1015
I unchecked "Keep Snort Settings After Deinstall", then uninstalled, then reinstalled via GUI. Settings were still preserved across the re-installation. :o Interface did not start.
I ensured "Keep Snort Settings After Deinstall" was unchecked, then uninstalled/installed Snort via shell. Settings still preserved across re-installation. Interface did not start.
I deleted the interface then GUI spit out: (see attached image)
I added a new interface and configured it according to https://forum.pfsense.org/index.php?topic=61018.0
The interface does not start. Realized the rules needed to be downloaded again. Forced an Update. Interface started.
Thanks bmeeks for the tutorial.
-
Start a new thread about the translation crap. Has nothing to do with the original issue here, which is - the interface does not start because you have a broken rule there and Snort is so retarded that it cannot ignore it. That one has nothing to do with 2.4 upgrade.
Mar 19 14:18:28 Nighthawk snort[18377]: FATAL ERROR: /usr/local/etc/snort/snort_62137_re0/rules/snort.rules(427) Unknown rule option: 'sd_pattern'.
-
I hear you dok. I read in other places your distaste for Snort halting upon hitting a broken rule and saw that in the code it coughed up at me.
I am partly guilty here too because after the reinstall merely deleting the interface, reinstalling the interface and redownloading the rules seemed to remedy the issue I was having.
Thanks dok for looking it over and thanks to everyone for your work on pfSense, packages, and your help in these forums.
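
Added example, not part of the thread and not pfSense or Snort package code: a small shell helper that pulls the rules file, line number and unknown option out of Snort `FATAL ERROR` log lines like the ones quoted above, then prints the rule at that line. The function names, the hostname `fw`, the temporary paths and both sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: locate the rule a Snort FATAL ERROR names.

# Read syslog text on stdin. Print one row per distinct failing rule:
# rules_file <TAB> line_number <TAB> unknown_option <TAB> times_seen
snort_fatal_rules() {
    awk -v q="'" '
    /snort\[[0-9]+\]: FATAL ERROR: / && /Unknown rule option: / {
        s = $0;   sub(/.*FATAL ERROR: /, "", s)
        file = s; sub(/\([0-9]+\) Unknown rule option: .*/, "", file)
        line = s; sub(/\) Unknown rule option: .*/, "", line); sub(/.*\(/, "", line)
        opt = s;  sub(".*Unknown rule option: " q, "", opt); sub(q ".*", "", opt)
        hits[file "\t" line "\t" opt]++
    }
    END { for (k in hits) printf "%s\t%d\n", k, hits[k] }' | sort
}

# Print the rule text at the reported line; reject a non-numeric line number.
show_rule() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    sed -n "${2}p" "$1"
}

# Demo on constructed data: a three-line rules file and three log lines in
# the format quoted in the thread (hostname "fw" and both rules are made up).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        '# constructed rules file' \
        'alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001;)' \
        'alert tcp any any -> any any (msg:"constructed rule B"; sd_pattern:2,credit_card; sid:1000002;)' \
        > "$tmp/snort.rules"
    cat > "$tmp/system.log" <<EOF
Mar 19 18:07:01 fw snort[70525]: FATAL ERROR: $tmp/snort.rules(3) Unknown rule option: 'sd_pattern'.
Mar 19 18:15:22 fw php-fpm[67484]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(re0)...
Mar 19 18:15:23 fw snort[55157]: FATAL ERROR: $tmp/snort.rules(3) Unknown rule option: 'sd_pattern'.
EOF
    snort_fatal_rules < "$tmp/system.log" |
    while IFS="$(printf '\t')" read -r file line opt hits; do
        echo "$hits failed start(s): unknown option '$opt' at $file:$line"
        show_rule "$file" "$line"
    done
    rm -rf "$tmp"
}
demo
```

On the firewall, the input would be the output of the `clog /var/log/system.log` command used earlier in the thread, piped into `snort_fatal_rules`.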