Snort missing under services?
-
Uninstall -> reboot -> reinstall -> report back
I did the same thing as above and had no success. I am running on a APU4 with a 30GB SSD. Full install. I can still get to snort interface through the widget. During install the process hangs during the vtl rule update. Usually around the 10% to 15% mark.
-
I have a user that volunteered to send me his configuration for testing. Give me a few days and let me see if can figure out where the failure mode might be. This is a hard one because it seems to only happen to a few users. I'm not discounting it is happening, but out of the number of Snort/Suricata users, the number that seem affected by this problem is small. So be patient as this may take some digging to uncover what is going on.
Bill
-
I have a user that volunteered to send me his configuration for testing. Give me a few days and let me see if can figure out where the failure mode might be. This is a hard one because it seems to only happen to a few users. I'm not discounting it is happening, but out of the number of Snort/Suricata users, the number that seem affected by this problem is small. So be patient as this may take some digging to uncover what is going on.
Bill
So I got snort to re-appear back under services by doing the following.
Went into Snort settings via the snort widget. Went to Global settings and unchecked 'Install Snort VRT rules'. Hit save. Re-installed the package. It was able to run the update it wanted to run against the other rules. Then via services I went back into Snort, re-enabled the VRT rules and hit save. Updated the rules which worked this time. I had to re-select the rules for the WAN interface but Snort is back for me. YMMV
-
So I got snort to re-appear back under services by doing the following.
Went into Snort settings via the snort widget. Went to Global settings and unchecked 'Install Snort VRT rules'. Hit save. Re-installed the package. It was able to run the update it wanted to run against the other rules. Then via services I went back into Snort, re-enabled the VRT rules and hit save. Updated the rules which worked this time. I had to re-select the rules for the WAN interface but Snort is back for me. YMMV
Thank you for the feedback. That is helpful information.
Bill
-
So upgraded to 2.2.2 tonight. Have the same issue with pfsense. I can't get it to download the updates, stalls everytime now. Checked my snort code, removed the package, rebooted, re-installed, attempted to re-enable and re-download the rules, same problem. Short rules stop around 40%. Checked Dia's -> table -> snort2c and there was nothing listed. Stuck :(
-
So upgraded to 2.2.2 tonight. Have the same issue with pfsense. I can't get it to download the updates, stalls everytime now. Checked my snort code, removed the package, rebooted, re-installed, attempted to re-enable and re-download the rules, same problem. Short rules stop around 40%. Checked Dia's -> table -> snort2c and there was nothing listed. Stuck :(
Is there any type of proxy between you and the Snort VRT web site? The Snort code just does a straight download from the URL using a pfSense system call. That system call in turn uses curl. If there is a proxy like squid or something, it may have cached some corrupted copy of the file or something. Strange that is starts and then stalls. Do you see anything in the pfSense system log that might give a clue?
Bill
-
So upgraded to 2.2.2 tonight. Have the same issue with pfsense. I can't get it to download the updates, stalls everytime now. Checked my snort code, removed the package, rebooted, re-installed, attempted to re-enable and re-download the rules, same problem. Short rules stop around 40%. Checked Dia's -> table -> snort2c and there was nothing listed. Stuck :(
Is there any type of proxy between you and the Snort VRT web site? The Snort code just does a straight download from the URL using a pfSense system call. That system call in turn uses curl. If there is a proxy like squid or something, it may have cached some corrupted copy of the file or something. Strange that is starts and then stalls. Do you see anything in the pfSense system log that might give a clue?
Bill
No proxy. Way I got around it was to login to the pfsense box. Go to /tmp and mv the current snort download folder to a .bak. Then I installed the emerging threat rules first and attempted the snort rules. That worked. I just kept trying things until it finally started to work again. Hope this helps in your troubleshooting quest. I saw more posts in the forums with people mentioning snort disappearing from services post upgrade. For me after the 2.2.2 upgrade I got the packages are still upgrading message forever which caused me to look into what was going on. It was snort again :(
Anyway all is fine for now with the package. If you need any logs let me know.
-
No proxy. Way I got around it was to login to the pfsense box. Go to /tmp and mv the current snort download folder to a .bak. Then I installed the emerging threat rules first and attempted the snort rules. That worked. I just kept trying things until it finally started to work again. Hope this helps in your troubleshooting quest. I saw more posts in the forums with people mentioning snort disappearing from services post upgrade. For me after the 2.2.2 upgrade I got the packages are still upgrading message forever which caused me to look into what was going on. It was snort again :(
Anyway all is fine for now with the package. If you need any logs let me know.
I correspond back and forth with a number of users, so forgive me if you stated this already. I don't remember if you have a conventional hard-disk install or a Nano install on CF. If Nano, you will need to manually bump up the size of the /tmp partition to at least 100 MB and potentially more. That partition gets used to temporarily store the PBI package details and is where all the Snort and ET rules packages download to and get unzipped before being copied to the /usr partition.If you have a conventional disk, double-check how much free space is showing for the /tmp partition.EDIT: never mind my question about Nano…scrolled back through this thread and saw you have a 30 GB SSD.
Bill
-
The real fix is to increase /tmp RAM Disk Size large enough to handle all of the installation data. None of the fixes shown above worked until I increased the size. I reinstalled it and it actually installed faster and worked this time.
-
@dolomite792 said in Snort missing under services?:
The real fix is to increase /tmp RAM Disk Size large enough to handle all of the installation data. None of the fixes shown above worked until I increased the size. I reinstalled it and it actually installed faster and worked this time.
+1 on this! I have advised Snort and Suricata users to not use RAM disks. Or at least if you insist on using them, make them at least 200 MB (or maybe larger) in size. You need enough space to hold all of the downloaded packages required for installation. This includes quite a few dependency packages in the case of Snort and Suricata. That's why it takes so much room. If you do not have enough free space, the package install will fail. And when that happens you are left with an incomplete installation and likely the Snort entry missing from the Services menu.
Same thing happens with downloading and updating rules archives. Those files are copied down to /tmp and then unpacked into separate sub-directories for manipulation and eventual copying to the system volume. This also takes a lot of space if you use Snort, Emerging Threats and Snort Community rules all together. Not having enough free space will result in rules updates failing in strange ways.