PfSense 2.4.0-RC - snort installation error



  • I can't install snort after upgrade to 2.4.0-RC I found that this have happened before when a new release have been published : https://forum.pfsense.org/index.php?topic=109148.0

    My setup:
    System Netgate SG-2440
    BIOS Vendor: coreboot
    Version: ADI_RCCVE-01.00.00.12-nodebug
    Release Date: Tue Feb 7 2017
    Version 2.4.0-RC (amd64) built on Fri Sep 08 10:23:59 CDT 2017
    FreeBSD 11.0-RELEASE-p12

    PHP ERROR: Type: 1, File: /usr/local/pkg/snort/snort.inc, Line: 3735, Message: Call to undefined function XML_RPC_encode()

    Crash report begins.  Anonymous machine information:

    amd64
    11.0-RELEASE-p12
    FreeBSD 11.0-RELEASE-p12 #20 8ac57d7d39c(RELENG_2_4_0): Fri Sep  8 10:32:31 CDT 2017    root@buildbot2.netgate.com:/xbuilder/crossbuild-240/pfSense/tmp/obj/xbuilder/crossbuild-240/pfSense/tmp/FreeBSD-src/sys/pfSense

    Crash report details:

    PHP Errors:
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP Fatal error:  Call to undefined function XML_RPC_encode() in /usr/local/pkg/snort/snort.inc on line 3735
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP Stack trace:
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  1. {main}() /etc/rc.start_packages:0
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  2. sync_package() /etc/rc.start_packages:58
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  3. eval() /etc/inc/pkg-utils.inc:664
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  4. sync_snort_package_config() /etc/inc/pkg-utils.inc(664) : eval()'d code:1
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  5. snort_sync_on_changes() /usr/local/pkg/snort/snort.inc:1059
    [08-Sep-2017 23:53:17 Europe/Stockholm] PHP  6. snort_do_xmlrpc_sync() /usr/local/pkg/snort/snort.inc:3692

    No FreeBSD crash data found.

    I have tried to uninstall snort and reinstall but to no avail, any ideas how to get around this problem ?



  • That function, XML_RPC_encode(), is a native pfSense function.  Or at least it is supposed to be.  Perhaps something is temporarily broken in the snapshot.  That has happened in the past.

    Bill



  • That function, does not seem to be present in 2.4RC and it seems it is a intended change that has been like that more than a year now.. https://redmine.pfsense.org/projects/pfsense/repository/revisions/357b5e93d797f504e27523cd84f38913ff63b100. So i think Snort package will need to be adapted to this.. https://redmine.pfsense.org/issues/3734

    Anyhow time to do some testing on 2.4rc before it gets released i guess ;)



  • I installed snort on 2.4.0 RC a few days ago and did not have any problems. Also no problem when I updated to the latest version today.



  • Thank you for the replies!

    This firewall was upgraded from 2.3.4-RELEASE-p1 with snort, pfblockerng and squid. With 2.3.4 everything was fine.

    I'm using the Sync feature in snort  to sync with two other sites I'm running so that may be the problem …

    The sync feature use the xmlrpc sync and the package use the saved configuration when doing a reinstall so, snort try to use the xmlrpc sync and fail ... could that be it ?

    If that is the problem how can I get the xlmrpc sync disabled in the config file when not having snort installed ?



  • Do a clean install and restore the configuration from a backup. It's likely that your system has unaccounted leftover files from previous versions that are now causing problems.


  • Banned

    @bmeeks: XMLRPC is done differently (and whole lot more simple) on 2.4. Look at Squid, FreeRADIUS or other packages for code to use on 2.4. Current one is broken. Actually, Suricata is already OK so just copy from there.



  • @doktornotor:

    @bmeeks: XMLRPC is done differently (and whole lot more simple) on 2.4. Look at Squid, FreeRADIUS or other packages for code to use on 2.4. Current one is broken. Actually, Suricata is already OK so just copy from there.

    Thanks for the tip.  I will take a look.  I have not looked at the old XMLRPC code in Snort for a few years.

    Bill



  • @bimmerdriver:

    I installed snort on 2.4.0 RC a few days ago and did not have any problems. Also no problem when I updated to the latest version today.

    This particular problem will only show up if you have firewall pairs using synchronization between them.  Since most users do not use that configuration (especially home users), they will not see the error.  Also why I missed it since I have not tested a sync pair of firewalls in quite some time.

    Bill


  • Banned

    @bmeeks:

    Thanks for the tip.  I will take a look.  I have not looked at the old XMLRPC code in Snort for a few years.

    Yeah I think I was the last person who touched it and that was back in 2.2.x days. :D



  • Good to know I'm a odd user :)

    I got it running now. Backed up the config .. edited the config.xml disabling sync in the <snortsync>section .. restored the modified backup. Now its ok but I assume I can forget about sync for now. Hopefully there is an update to snort in the near future.

    I have two SG-2440 and one SG-8860 running at three different sites. They all have the same config so I use the sync feature in pfblockerng, squid and snort. I have turned off sync in all packages for now to be safe until I learned a little more about 2.4. Anyone who knows if sync works in pfblockerng or squid running 2.4.0-RC?</snortsync>


  • Banned

    Both Squid and pfBNG are just fine with 2.4 and XMLRPC sync.



  • @seanr22a:

    Good to know I'm a odd user :)

    I got it running now. Backed up the config .. edited the config.xml disabling sync in the <snortsync>section .. restored the modified backup. Now its ok but I assume I can forget about sync for now. Hopefully there is an update to snort in the near future.</snortsync>

    I will submit an update for Snort to fix this in the near future.  Can't give an exact promise date.  I'm in the path to get some of Hurricane Irma as she dies down from a hurricane to a tropical storm.  I live in southern Georgia a little east of center, so exactly what we get here in terms of wind is going to be determined by just how far west Irma gets before making that big turn to the north the weather guys are predicting.  Might lose my Internet connection for a day or two …

    Bill



  • @bmeeks:

    I will submit an update for Snort to fix this in the near future.  Can't give an exact promise date.  I'm in the path to get some of Hurricane Irma as she dies down from a hurricane to a tropical storm.  I live in southern Georgia a little east of center, so exactly what we get here in terms of wind is going to be determined by just how far west Irma gets before making that big turn to the north the weather guys are predicting.  Might lose my Internet connection for a day or two …

    Bill

    Thank you for your effort to try make it work despite the weather disaster 8)

    @doktornotor:

    Both Squid and pfBNG are just fine with 2.4 and XMLRPC sync.

    Tested now with squid and pfblockerng and it's working great. Thank you  :)



  • The fix for the XMLRPC error has been submitted for review and approval by the pfSense developers.  Here is a link to the pull request:  https://github.com/pfsense/FreeBSD-ports/pull/418.

    Thanks to @doktornotor for the tip to copy and paste his working code from the Suricata package.

    Bill



  • @bmeeks, I hope you weathered Irma alright. That was a nasty storm.



  • @bimmerdriver:

    @bmeeks, I hope you weathered Irma alright. That was a nasty storm.

    Yep, turned out to be not much at my house.  Just a few small twigs down and five inches of rain, but we've had double that amount of rain in past storms.  I lost no trees, but some neighbors lost a few big pine trees.  Didn't even lose power at my house, but others in neighborhoods nearby did lose it and some are still out.  I guess I was lucky for this one.  We had wind gusts in the 40s here according to the local airport data.  This was less than the initial predictions.  Irma sort of started to die out rather quickly on the way north through Florida.

    Bill



  • @bmeeks:

    The fix for the XMLRPC error has been submitted for review and approval by the pfSense developers.  Here is a link to the pull request:  https://github.com/pfsense/FreeBSD-ports/pull/418.

    Thanks to @doktornotor for the tip to copy and paste his working code from the Suricata package.

    Bill

    Updated all three firewalls with the new snort version today. Sync works perfect :) Thank you !