SNORT
-
Hi
I run on latest pfSense with installed packages:
squid
snort
pfBlockerNG
Lightsquid
bandwidthd
and updated Snort from 3.2.9.6_1 to 3.2.9.8_4.
I get errors, here is my log. Hope somebody can give me a hand:
Upgrading pfSense-pkg-snort...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
pfSense-pkg-snort: 3.2.9.6_1 -> 3.2.9.8_4 [pfSense]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-pkg-snort from 3.2.9.6_1 to 3.2.9.8_4...
[1/1] Extracting pfSense-pkg-snort-3.2.9.8_4: .......... done
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
pfSense-pkg-snort-3.2.9.6_1: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.6_1/APACHE20
pfSense-pkg-snort-3.2.9.6_1: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.6_1/LICENSE
pfSense-pkg-snort-3.2.9.6_1: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.6_1/catalog.mk
pfSense-pkg-snort-3.2.9.6_1: missing file /usr/local/www/snort/snort_download_rules.php
pkg-static: Fail to rename /var/db/snort/sidmods/.disablesid-sample.conf.WevUUm19O5CM -> /var/db/snort/sidmods/disablesid-sample.conf:No such file or directory
Failed
-
Are you by chance using a RAM disk for /tmp? This kind of issue can happen when you run out of free space in the /tmp tree. Packages need a lot of free space to download dependencies and such and then unzip them for installation. If you are using a RAM disk, then try bumping up the volume size to at least 256 MB.
Is this repeatable? Do you get the same error if you retry the package installation?
-
@bmeeks thanks for answer.
I run on PC Engines APU2, pfSense version:
2.4.4-RELEASE-p1 (amd64)
built on Mon Nov 26 11:40:26 EST 2018
FreeBSD 11.2-RELEASE-p4
I have an SSD disk of 60 GB.
So I assume there is enough space, but I don't know if it is a RAM disk for /tmp.
My installation is pretty close to standard.
I have tried to update; I have not done an uninstall + install. And Snort is not running after the failed update. Any other tips?
-
Your installation errors are happening well before the Snort package is ready to start. Actually, it's the pkg utility that is logging those errors and they appear to be from the uninstallation of the existing package. Notice the package version numbers in the errors.
Try this.
-
Remove the Snort package completely if it shows up under SYSTEM > PACKAGE MANAGER on the Installed Packages tab. You will not lose your previous configuration if Save Settings is checked on the GLOBAL SETTINGS tab of Snort.
-
After removing the package, then go back to SYSTEM > PACKAGE MANAGER and install the package from the Available Packages tab. See if that works.
If you still have problems, post back. The pkg utility will first uninstall any previous version before installing an upgrade. It appears something is amiss with your previous version (at least within the database where pkg stores installed packages information).
-
@modesty
Try changing the tmp directory from RAM to HD. Go to System/Advanced/Misc. Scroll down to RAM disk settings. If Use RAM Disk is clicked, uncheck it, reboot and try again.
-
Hi, and thanks!
Uninstall + install did it. Snort is running.
PS: I did not use a RAM disk, and I don't use one.
-
Happy you got it fixed. When I first read your installation error message I did not pay enough attention to the version information. Somehow the original install files (or at least some of them) from your 3.2.9.6_1 package version got deleted by something other than the pkg utility. That utility keeps a database of what files it copied to where during a package installation sequence. When upgrading that package later on, the pkg utility first removes the old version's files and then copies over the new ones. In your case, it could not find the old version files and was aborting the upgrade process.
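An added example, not code from this thread or from pfSense/pkg itself: a small POSIX shell check that compares the file list pkg recorded for an installed package against the disk, so a damaged install like the one above is spotted before an upgrade tries to remove the old version. It assumes pkg(8) is present (as on pfSense) and that `pkg info -l NAME` prints a header line followed by one indented path per line; the function names check_paths and check_pkg are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/pkg itself.
# pkg(8) keeps a per-package list of the files it installed and, on upgrade,
# removes the old version's files from that list before copying the new ones.
# This check compares that list against the disk so a damaged install is
# found before the upgrade aborts halfway, as it did above.
# Assumption: `pkg info -l NAME` prints a "NAME-VERSION:" header followed by
# one tab-indented path per line (the format seen on pfSense/FreeBSD).

# check_paths: read a file list on stdin, print every path that is missing,
# return 1 if anything is missing and 0 otherwise.
check_paths() {
    missing=0
    while IFS= read -r path; do
        # Skip blank lines and the "pkg-name-version:" header line.
        case "$path" in
            ''|*:) continue ;;
        esac
        # Strip the leading whitespace pkg puts in front of each path.
        path=${path#"${path%%[![:space:]]*}"}
        [ -z "$path" ] && continue
        if [ ! -e "$path" ]; then
            printf 'missing: %s\n' "$path"
            missing=1
        fi
    done
    return "$missing"
}

# check_pkg: run the check for one installed package, e.g. pfSense-pkg-snort.
check_pkg() {
    pkg info -l "$1" | check_paths
}

# Stand-alone use: sh check_pkg.sh pfSense-pkg-snort
if [ -n "$1" ]; then
    check_pkg "$1" && echo "all files of $1 present"
fi
```

pkg's own `pkg check -s NAME` performs a similar checksum-based verification of an installed package's files and is the built-in alternative.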
-
Snort is running and I get a lot of alerts:
Is there an analysis tool I can use, preferably open source (free), so I can start understanding what is happening outside my router?
I am no TCP/IP expert, so a graphical tool would be best in the beginning.
Thanks up front.
-
@bmeeks
Hi. I only run Windows + pfSense, so Graylog is not for me.
Can it be that there is no open source log analyzer for Snort logs?
-
For pretty much all of the open source stuff out there for log consolidation and analysis, you are going to need a Linux box to host the software. I suggest a VMware host and then one or more Linux virtual machines. If you are a Windows shop, then Hyper-V can be your host and you can run the Linux VMs on it.
The new fad these days is JSON logging, so most of the tools that ingest log files are tending toward accepting that format natively. However, some can still take plain text logs. You just might have to fiddle around with regular expressions and other minutiae to get it working.