Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense 2.4.0-RC - snort installation error

    Scheduled Pinned Locked Moved 2.4 Development Snapshots
    18 Posts 6 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      seanr22a
      last edited by

      I can't install snort after upgrade to 2.4.0-RC I found that this have happened before when a new release have been published : https://forum.pfsense.org/index.php?topic=109148.0

      My setup:
      System Netgate SG-2440
      BIOS Vendor: coreboot
      Version: ADI_RCCVE-01.00.00.12-nodebug
      Release Date: Tue Feb 7 2017
      Version 2.4.0-RC (amd64) built on Fri Sep 08 10:23:59 CDT 2017
      FreeBSD 11.0-RELEASE-p12

      PHP ERROR: Type: 1, File: /usr/local/pkg/snort/snort.inc, Line: 3735, Message: Call to undefined function XML_RPC_encode()

      Crash report begins.  Anonymous machine information:

      amd64
      11.0-RELEASE-p12
      FreeBSD 11.0-RELEASE-p12 #20 8ac57d7d39c(RELENG_2_4_0): Fri Sep  8 10:32:31 CDT 2017    root@buildbot2.netgate.com:/xbuilder/crossbuild-240/pfSense/tmp/obj/xbuilder/crossbuild-240/pfSense/tmp/FreeBSD-src/sys/pfSense

      Crash report details:

      PHP Errors:
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP Fatal error:  Call to undefined function XML_RPC_encode() in /usr/local/pkg/snort/snort.inc on line 3735
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP Stack trace:
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  1. {main}() /etc/rc.start_packages:0
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  2. sync_package() /etc/rc.start_packages:58
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  3. eval() /etc/inc/pkg-utils.inc:664
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  4. sync_snort_package_config() /etc/inc/pkg-utils.inc(664) : eval()'d code:1
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  5. snort_sync_on_changes() /usr/local/pkg/snort/snort.inc:1059
      [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  6. snort_do_xmlrpc_sync() /usr/local/pkg/snort/snort.inc:3692

      No FreeBSD crash data found.

      I have tried to uninstall snort and reinstall but to no avail, any ideas how to get around this problem ?

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        That function, XML_RPC_encode(), is a native pfSense function.  Or at least it is supposed to be.  Perhaps something is temporarily broken in the snapshot.  That has happened in the past.

        Bill

        1 Reply Last reply Reply Quote 0
        • P
          PiBa
          last edited by

          That function, does not seem to be present in 2.4RC and it seems it is a intended change that has been like that more than a year now.. https://redmine.pfsense.org/projects/pfsense/repository/revisions/357b5e93d797f504e27523cd84f38913ff63b100. So i think Snort package will need to be adapted to this.. https://redmine.pfsense.org/issues/3734

          Anyhow time to do some testing on 2.4rc before it gets released i guess ;)

          1 Reply Last reply Reply Quote 0
          • B
            bimmerdriver
            last edited by

            I installed snort on 2.4.0 RC a few days ago and did not have any problems. Also no problem when I updated to the latest version today.

            1 Reply Last reply Reply Quote 0
            • S
              seanr22a
              last edited by

              Thank you for the replies!

              This firewall was upgraded from 2.3.4-RELEASE-p1 with snort, pfblockerng and squid. With 2.3.4 everything was fine.

              I'm using the Sync feature in snort  to sync with two other sites I'm running so that may be the problem …

              The sync feature use the xmlrpc sync and the package use the saved configuration when doing a reinstall so, snort try to use the xmlrpc sync and fail ... could that be it ?

              If that is the problem how can I get the xlmrpc sync disabled in the config file when not having snort installed ?

              1 Reply Last reply Reply Quote 0
              • K
                kpa
                last edited by

                Do a clean install and restore the configuration from a backup. It's likely that your system has unaccounted leftover files from previous versions that are now causing problems.

                1 Reply Last reply Reply Quote 0
                • D
                  doktornotor Banned
                  last edited by

                  @bmeeks: XMLRPC is done differently (and whole lot more simple) on 2.4. Look at Squid, FreeRADIUS or other packages for code to use on 2.4. Current one is broken. Actually, Suricata is already OK so just copy from there.

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    @doktornotor:

                    @bmeeks: XMLRPC is done differently (and whole lot more simple) on 2.4. Look at Squid, FreeRADIUS or other packages for code to use on 2.4. Current one is broken. Actually, Suricata is already OK so just copy from there.

                    Thanks for the tip.  I will take a look.  I have not looked at the old XMLRPC code in Snort for a few years.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      @bimmerdriver:

                      I installed snort on 2.4.0 RC a few days ago and did not have any problems. Also no problem when I updated to the latest version today.

                      This particular problem will only show up if you have firewall pairs using synchronization between them.  Since most users do not use that configuration (especially home users), they will not see the error.  Also why I missed it since I have not tested a sync pair of firewalls in quite some time.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • D
                        doktornotor Banned
                        last edited by

                        @bmeeks:

                        Thanks for the tip.  I will take a look.  I have not looked at the old XMLRPC code in Snort for a few years.

                        Yeah I think I was the last person who touched it and that was back in 2.2.x days. :D

                        1 Reply Last reply Reply Quote 0
                        • S
                          seanr22a
                          last edited by

                          Good to know I'm a odd user :)

                          I got it running now. Backed up the config .. edited the config.xml disabling sync in the <snortsync>section .. restored the modified backup. Now its ok but I assume I can forget about sync for now. Hopefully there is an update to snort in the near future.

                          I have two SG-2440 and one SG-8860 running at three different sites. They all have the same config so I use the sync feature in pfblockerng, squid and snort. I have turned off sync in all packages for now to be safe until I learned a little more about 2.4. Anyone who knows if sync works in pfblockerng or squid running 2.4.0-RC?</snortsync>

                          1 Reply Last reply Reply Quote 0
                          • D
                            doktornotor Banned
                            last edited by

                            Both Squid and pfBNG are just fine with 2.4 and XMLRPC sync.

                            1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks
                              last edited by

                              @seanr22a:

                              Good to know I'm a odd user :)

                              I got it running now. Backed up the config .. edited the config.xml disabling sync in the <snortsync>section .. restored the modified backup. Now its ok but I assume I can forget about sync for now. Hopefully there is an update to snort in the near future.</snortsync>

                              I will submit an update for Snort to fix this in the near future.  Can't give an exact promise date.  I'm in the path to get some of Hurricane Irma as she dies down from a hurricane to a tropical storm.  I live in southern Georgia a little east of center, so exactly what we get here in terms of wind is going to be determined by just how far west Irma gets before making that big turn to the north the weather guys are predicting.  Might lose my Internet connection for a day or two …

                              Bill

                              1 Reply Last reply Reply Quote 0
                              • S
                                seanr22a
                                last edited by

                                @bmeeks:

                                I will submit an update for Snort to fix this in the near future.  Can't give an exact promise date.  I'm in the path to get some of Hurricane Irma as she dies down from a hurricane to a tropical storm.  I live in southern Georgia a little east of center, so exactly what we get here in terms of wind is going to be determined by just how far west Irma gets before making that big turn to the north the weather guys are predicting.  Might lose my Internet connection for a day or two …

                                Bill

                                Thank you for your effort to try make it work despite the weather disaster 8)

                                @doktornotor:

                                Both Squid and pfBNG are just fine with 2.4 and XMLRPC sync.

                                Tested now with squid and pfblockerng and it's working great. Thank you  :)

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  The fix for the XMLRPC error has been submitted for review and approval by the pfSense developers.  Here is a link to the pull request:  https://github.com/pfsense/FreeBSD-ports/pull/418.

                                  Thanks to @doktornotor for the tip to copy and paste his working code from the Suricata package.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • B
                                    bimmerdriver
                                    last edited by

                                    @bmeeks, I hope you weathered Irma alright. That was a nasty storm.

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks
                                      last edited by

                                      @bimmerdriver:

                                      @bmeeks, I hope you weathered Irma alright. That was a nasty storm.

                                      Yep, turned out to be not much at my house.  Just a few small twigs down and five inches of rain, but we've had double that amount of rain in past storms.  I lost no trees, but some neighbors lost a few big pine trees.  Didn't even lose power at my house, but others in neighborhoods nearby did lose it and some are still out.  I guess I was lucky for this one.  We had wind gusts in the 40s here according to the local airport data.  This was less than the initial predictions.  Irma sort of started to die out rather quickly on the way north through Florida.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        seanr22a
                                        last edited by

                                        @bmeeks:

                                        The fix for the XMLRPC error has been submitted for review and approval by the pfSense developers.  Here is a link to the pull request:  https://github.com/pfsense/FreeBSD-ports/pull/418.

                                        Thanks to @doktornotor for the tip to copy and paste his working code from the Suricata package.

                                        Bill

                                        Updated all three firewalls with the new snort version today. Sync works perfect :) Thank you !

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.