Snort upgrade stuck, advice needed…



  • I saw there was an upgrade for snort, so I started the update.

    It looked like everything is going fine, but now it has been sitting at the following for 20+ minutes:
    Downloading snortrules-snapshot-2980.tar.gz…

    The full copy/paste from the upgrade window is below.

    Any thoughts on what the next right move is without screwing everything up?

    Jason

    Upgrading pfSense-pkg-snort...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up-to-date.
    Updating pfSense repository catalogue...
    pfSense repository is up-to-date.
    All repositories are up-to-date.
    The following 1 package(s) will be affected (of 0 checked):

    Installed packages to be UPGRADED:
    pfSense-pkg-snort: 3.2.9.1_12 -> 3.2.9.1_13 [pfSense]

    132 KiB to be downloaded.
    Fetching pfSense-pkg-snort-3.2.9.1_13.txz: …....... done
    Checking integrity... done (0 conflicting)
    [1/1] Upgrading pfSense-pkg-snort from 3.2.9.1_12 to 3.2.9.1_13…
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    [1/1] Extracting pfSense-pkg-snort-3.2.9.1_13: …....... done
    Saving updated package information...
    overwrite!
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...Saved settings detected.
    Migrating settings to new configuration... done.
    Downloading Snort VRT rules md5 file... done.
    Checking Snort VRT rules md5 file... done.
    There is a new set of Snort VRT rules posted.
    Downloading snortrules-snapshot-2980.tar.gz...



  • Well…. I got impatient and reboot.... Tried to reinstall, back to the same place again.

    Is there any way to just manually clean snort out? I'm OK with losing my config, I can rebuild it.

    Installing pfSense-pkg-snort...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up-to-date.
    Updating pfSense repository catalogue...
    pfSense repository is up-to-date.
    All repositories are up-to-date.
    Checking integrity... done (0 conflicting)
    The following 8 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
    pfSense-pkg-snort: 3.2.9.1_13 [pfSense]
    barnyard2: 1.13 [pfSense]
    broccoli: 1.97,1 [pfSense]
    mysql56-client: 5.6.30 [pfSense]
    snort: 2.9.8.0_1 [pfSense]
    luajit: 2.0.4 [pfSense]
    daq: 2.0.6 [pfSense]
    libdnet: 1.12_1 [pfSense]

    The process will require 55 MiB more space.
    [1/8] Installing broccoli-1.97,1…
    [1/8] Extracting broccoli-1.97,1: …....... done
    [2/8] Installing mysql56-client-5.6.30…
    [2/8] Extracting mysql56-client-5.6.30: …....... done
    [3/8] Installing libdnet-1.12_1…
    [3/8] Extracting libdnet-1.12_1: …....... done
    [4/8] Installing barnyard2-1.13…
    [4/8] Extracting barnyard2-1.13: …... done
    [5/8] Installing luajit-2.0.4…
    [5/8] Extracting luajit-2.0.4: …....... done
    [6/8] Installing daq-2.0.6…
    [6/8] Extracting daq-2.0.6: …....... done
    [7/8] Installing snort-2.9.8.0_1…
    [7/8] Extracting snort-2.9.8.0_1: …....... done
    [8/8] Installing pfSense-pkg-snort-3.2.9.1_13…
    [8/8] Extracting pfSense-pkg-snort-3.2.9.1_13: …....... done
    Saving updated package information...
    overwrite!
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...Saved settings detected.
    Migrating settings to new configuration... done.
    Downloading Snort VRT rules md5 file... done.
    Checking Snort VRT rules md5 file... done.
    There is a new set of Snort VRT rules posted.
    Downloading snortrules-snapshot-2980.tar.gz...



  • Well, I did the package re-install again today… This time when it get to the snort definitions it simply said they were up to date,. and completed the installation.

    I don't know why it didn't work yesterday (tried multiple times) but it worked fine today - even though I did it the EXACT same way as yesterday.

    So that's good, I guess.

    Jason



  • @JasonJoel:

    Well, I did the package re-install again today… This time when it get to the snort definitions it simply said they were up to date,. and completed the installation.

    I don't know why it didn't work yesterday (tried multiple times) but it worked fine today - even though I did it the EXACT same way as yesterday.

    So that's good, I guess.

    Jason

    Sometimes the Snort VRT web site hosting the rules goes down or otherwise can have problems.  Not often, but it does happen now and then (just like with any web site).  The Snort package files and the rules definitions (the file you seemed to be having problems with) come from two different places.

    Bill



  • I can understand that.

    My only other comment would be that the upgrade basically hangs up if it can't download those definitions, leaving you in an unknown state where you don't know if the upgrade has been performed or not performed. Nor is it clear what to do next in that case…

    Perhaps that part of the upgrade should time out more gracefully? Or maybe it is rare enough it isn't worth changing.



  • @JasonJoel:

    I can understand that.

    My only other comment would be that the upgrade basically hangs up if it can't download those definitions, leaving you in an unknown state where you don't know if the upgrade has been performed or not performed. Nor is it clear what to do next in that case…

    Perhaps that part of the upgrade should time out more gracefully? Or maybe it is rare enough it isn't worth changing.

    That's a good suggestion.  It is true the package is not very fault-tolerant today.

    Bill



  • Oops, I am also facing this situation. So the reason is from Snort VRT Website :(