Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Stopping /usr/local/etc/rc.d/snort.sh…done. - but snort is not installed....

    2.2 Snapshot Feedback and Problems - RETIRED
    4
    8
    2.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      firewalluser
      last edited by

      2.2-RC (amd64)
      built on Sat Jan 10 03:54:06 CST 2015
      FreeBSD 10.1-RELEASE-p3

      When I reboot the system (Diagnostics, Reboot, Yes), I see this message
      Stopping /usr/local/etc/rc.d/snort.sh…done.

      but snort is not installed, no packages are installed.

      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

      1 Reply Last reply Reply Quote 0
      • C
        Cino
        last edited by

        was it installed at one time? you can remove the script from the cmdline

        
rm /usr/local/etc/rc.d/snort.sh
        1 Reply Last reply Reply Quote 0
        • P
          phil.davis
          last edited by

          It looks like snort does not remove that snort.sh on deinstall: https://github.com/pfsense/pfsense-packages/pull/784

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            Yeah, it was a bug leftover from some earlier experimenting when I was trying (unsuccessfully) to get each configured Snort interface to show up as a separate service under the SERVICES menu.  Looks like that piece of experimental code got sucked into the production branch due to an error on my part.

            Phil has submitted a Pull Request to fix the problem (thanks …  :)).  And as Cino noted, you can just manually delete the file and the message will go away.

            Bill

            1 Reply Last reply Reply Quote 0
            • F
              firewalluser
              last edited by

              Ok, so the problem was/is easily rectified and doesnt hopefully amount to much, but one question I do wonder, is what sort of oversight is there for code getting pulled?

              Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

              Asch Conformity, mainly the blind leading the blind.

              1 Reply Last reply Reply Quote 0
              • F
                firewalluser
                last edited by

                Just noticed as I've just installed snort (15:22 local time), firstly it wasnt showing in the packages, but having installed it, the below text is visable on the snort updates page.

                Snort VRT Rules Not Enabled Not Enabled
                Snort GPLv2 Community Rules e9cef31b25866760230a34cca074e854 Saturday, 10-Jan-15 13:01:08 GMT
                Emerging Threats Open Rules 1fe055c19fea21900ea4442022559ff5 Saturday, 10-Jan-15 13:01:09 GMT
                Snort OpenAppID Detectors Not Enabled Not Enabled

                Would this also be connected to the snort.sh script?

                Edit.

                Just to be clear, this was a fresh memstick install this morning, restored a backup but later decided to abort it so I chose to use the option 4 on the console, reset to factory defaults.

                Is it possible the Reset to factory defaults is not resetting everything ie there are still traces of apps & settings from packages left over?

                I could not see anything in the xml backup related to snort apart from "snort_alerts-" found in the <widgets><sequence>section having done the factory reset.

                fwiw.

                Edit 2
                https://192.168.10.1/snort/snort_rulesets.php
                Snort, Wan, Wan Catagories tab.
                Resolve Flowbits   If checked, Snort will auto-enable rules required for checked flowbits. The Default is Checked.

                Its not checked.

                Edit 3
                Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.

                Its checked as default, but all other comments state in this section of https://192.168.10.1/snort/snort_preprocessors.php?id=0

                is to have  "Default is Checked." after the comment.

                Eg

                General Preprocessors
                Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
                Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
                Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
                Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
                Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.
                Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
                Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

                should be

                General Preprocessors
                Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
                Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
                Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
                Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
                Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts. Default is Checked.
                Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
                Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

                Only cosmetic.  :)</sequence></widgets>

                Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                Asch Conformity, mainly the blind leading the blind.

                1 Reply Last reply Reply Quote 0
                • P
                  phil.davis
                  last edited by

                  @firewalluser:

                  Ok, so the problem was/is easily rectified and doesnt hopefully amount to much, but one question I do wonder, is what sort of oversight is there for code getting pulled?

                  The devs with commit access look at it before committing it - Renato seems to have been doing most of that lately, and I know he makes quite a few comments on people's pull requests.
                  I scan stuff for obvious dumb typos… but when it is a big pull request I don't think through every line of logic in detail. And there have been a few others who have caught and given code review comments also.
                  Obviously the more competent people who review this stuff, the less errors get through - so feel free to browse pull requests and commits regularly and comment on them.
                  But from a configuration/security point of view, I think the devs are doing good review now. There won't be any back-doors or other "bonus code" introduced by contributors - that will be caught before commit.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    @firewalluser:

                    Just noticed as I've just installed snort (15:22 local time), firstly it wasnt showing in the packages, but having installed it, the below text is visable on the snort updates page.

                    Snort VRT Rules Not Enabled Not Enabled
                    Snort GPLv2 Community Rules e9cef31b25866760230a34cca074e854 Saturday, 10-Jan-15 13:01:08 GMT
                    Emerging Threats Open Rules 1fe055c19fea21900ea4442022559ff5 Saturday, 10-Jan-15 13:01:09 GMT
                    Snort OpenAppID Detectors Not Enabled Not Enabled

                    Would this also be connected to the snort.sh script?

                    No, this is simply showing that upon the reinstall, Snort detected an existing configuration in the config.xml file and acted upon those settings.  Snort's settings are stored in the _<installed_packages></installed_packages>_section.

                    @firewalluser:

                    Edit.

                    Just to be clear, this was a fresh memstick install this morning, restored a backup but later decided to abort it so I chose to use the option 4 on the console, reset to factory defaults.

                    Is it possible the Reset to factory defaults is not resetting everything ie there are still traces of apps & settings from packages left over?

                    I could not see anything in the xml backup related to snort apart from "snort_alerts-" found in the <widgets><sequence>section having done the factory reset.

                    fwiw.</sequence></widgets>

                    I have not tested this, but it very well could be that the reset to factory defaults only resets the pfSense firewall settings and leaves any existing packages information in the aforementioned _<installed_packges></installed_packges>_section of config.xml alone.

                    @firewalluser:

                    Edit 2
                    https://192.168.10.1/snort/snort_rulesets.php
                    Snort, Wan, Wan Catagories tab.
                    Resolve Flowbits   If checked, Snort will auto-enable rules required for checked flowbits. The Default is Checked.

                    Its not checked.

                    Edit 3
                    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.

                    Its checked as default, but all other comments state in this section of https://192.168.10.1/snort/snort_preprocessors.php?id=0

                    is to have  "Default is Checked." after the comment.

                    Eg

                    General Preprocessors
                    Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
                    Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
                    Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
                    Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
                    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.
                    Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
                    Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

                    should be

                    General Preprocessors
                    Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
                    Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
                    Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
                    Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
                    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts. Default is Checked.
                    Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
                    Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

                    Only cosmetic.  :)

                    Thanks for reporting these inconsistencies.  I will look into them and fix them as necessary.  There have been at least three different sets of "hands" modifying the Snort package over the years, and there is some inconsistency here and there in all the PHP code.  For example, in some cases Boolean parameters in the config are stored as "yes" or "no", while in other places it may be "on" or "off".  I have been trying to clean those up.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post