Snort Package automatically stop?!
-
The logs say nothing about the error..
-
@jason001 said in Snort Package automatically stop?!:
The logs say nothing about the error..
I will try to load your list on one of my testing virtual machines to see what I can determine. Will post back the results in a bit ...
-
It works for me with one caveat. When I initially enable the IP REPUTATION preprocessor with Snort running, Snort will stop. But I can then restart it without issue. I downloaded your list and then uploaded it to a pfSense 2.4.4-p2 firewall running as a virtual machine.
Here is your IP list uploaded (the funny prefix at the front was added by the forum here when I did a "save as" on the link you posted):
and here is the Snort Interfaces tab of the VM showing Snort's status:
-
I do see a cosmetic issue on the IP REP tab when adding an IP blacklist or whitelist. I will get that fixed in the next update which I'm working on now. I will also look into why Snort stops when initially enabling the preprocessor. Might be that is by design within the binary as usually changing a preprocessor requires a Snort restart. If it is by design within the binary, perhaps I can make it a bit more seamless using an auto shutdown/restart sequence from the GUI when changing the preprocessor's state.
-
@bmeeks
At my side if I restart it does nothing.. Just show an x icon.. Like service not started..
-
@jason001 said in Snort Package automatically stop?!:
@bmeeks
At my side if I restart it does nothing.. Just show an x icon.. Like service not started..
Are you running the latest version of the package (should be 3.2.9.8_5), and what is your underlying hardware and how much RAM is installed? When you click the icon to start Snort on the INTERFACES tab you should see a little spinning gear for a few seconds and then it will either turn to a green check indicating startup success, or it will return to a red x indicating startup failure. Do you never see the spinning blue gear icon?
My test VM is running the latest pfSense-RELEASE and the latest Snort package. It has 4GB of RAM configured.
-
Wonder when there will be a new pfSense update?
2.4.4-RELEASE-p2 (amd64)
I'm running Snort 3.2.9.8_4
Hardware:
Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
Current: 1992 MHz, Max: 1993 MHz
4 CPUs: 1 package(s) x 4 core(s)
4GB DDR3L RAM..
I'll update Snort now..
-
Got an error, can't update..
Upgrading pfSense-pkg-snort...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
pfSense-pkg-snort: 3.2.9.8_4 -> 3.2.9.8_5 [pfSense]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-pkg-snort from 3.2.9.8_4 to 3.2.9.8_5...
[1/1] Extracting pfSense-pkg-snort-3.2.9.8_5: .......... done
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
pfSense-pkg-snort-3.2.9.8_4: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.8_4/APACHE20
pfSense-pkg-snort-3.2.9.8_4: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.8_4/LICENSE
pfSense-pkg-snort-3.2.9.8_4: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.8_4/catalog.mk
pkg-static: Fail to rename /var/db/snort/sidmods/.disablesid-sample.conf.EE88zIQqrT2p -> /var/db/snort/sidmods/disablesid-sample.conf:No such file or directory
Failed
-
Had to uninstall and reinstall snort to get it to latest version
-
Those error messages are from the FreeBSD pkg utility itself and indicate something went wrong with the package file download and extraction. Those errors are not from Snort. It is not even present on the machine at that point other than as a collection of temp files being unzipped and copied to their proper locations and renamed.
-
I've solved the installation error.. just log out, log in again, delete the package and reinstall..
I see also now with this version of Snort the custom IP also loaded without problems!..
Green icon..
Thanks, I've seen a lot of IP addresses trying to access the server behind pfSense....
Wonder if there is a packet fail2ban option?
Thanks...