Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes
-
Snort v3.2.9.12
This update for the Snort GUI package corrects a rare edge-case install bug, removes a pair of deprecated system calls, fixes an issue with clearing blocked hosts on package uninstall and adds two new features.
New Features:
-
Add option for packet logging to INTERFACES EDIT tab. When enabled, Snort will capture packets associated with an alert and store them in a tcpdump compatible output file in the logging directory for the Snort interface. If you enable packet captures, you are strongly encouraged to enable automatic log size management on the LOGS MGMT tab and set reasonable limits for your hardware. Failure to do this can lead to disk space exhaustion!
-
In preparation for Barnyard2 removal, migrate some OpenAppID logging to a stand-alone unified2 log file (appid.alerts) in the logging directory for the Snort interface. Future package enhancements will utilize this binary logging file. New settings were added to the LOGS MGMT tab to allow configuration of size and retention limits for these logs.
Bug Fixes:
-
Fix up code in the post-install process so that the critical
unicode.mapand other*-samplefiles are retained and used to replace any primary files that are incorrectly removed by a package update. -
Remove deprecated calls to the old conf_mount_rw() and conf_mount_ro() system functions as they are no longer required in current pfSense environments.
-
The option to "Remove Blocked Hosts" is not honored when uninstalling the Snort package but retaining configuration settings.
-
-
Just an FYI data point-- I updated my personal pfSense firewall (a Netgate SG-5100) from Snort v3.2.9.11 to this new 3.2.9.12 package without incident.
-
Same results here too Bill. After upgrading my SG-4860 to 2.4.5_p1, I updated Snort to your new Snort v3.2.9.12. One of the rules set took freakin' forever to update but other than that everything looks good and back to blocking the world's BS. Been a while since we chatted, so just wanted to say Hi! and thanks.
-
Updated my SG-1100 to 2.4.5_p1 the other day, excited by the statement in the patch notes about finally getting suricata up and running only to find snort on the fritz the next day. It is unable to run on any interface 24hrs after the update. My services status were all green following the system update, then the next morning snort was down. I just reinstalled v3.2.9.12 to no avail. Any other SG-1100 users having problems?
-
@Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:
Updated my SG-1100 to 2.4.5_p1 the other day, excited by the statement in the patch notes about finally getting suricata up and running only to find snort on the fritz the next day. It is unable to run on any interface 24hrs after the update. My services status were all green following the system update, then the next morning snort was down. I just reinstalled v3.2.9.12 to no avail. Any other SG-1100 users having problems?
I need more information than simply "it's down after 24 hours".
What error messages are you seeing in the pfSense system log related to Snort?
Does it not restart, does it start and then die? If it starts and dies, can you provide a time period for how long it runs before it dies?
-
@bmeeks It seemed up and running when i updated my system, but was then down when i logged back in. It no longer starts. these are the errors that im getting.
Jun 14 22:05:54 SnortStartup 67897 Snort START for WAN(64037_mvneta0.4090)...
Jun 14 22:05:54 snort 68170 FATAL ERROR: /usr/local/etc/snort/snort_64037_mvneta0.4090/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
Jun 14 22:05:54 SnortStartup 69067 Snort START for LAN(9429_mvneta0.4091)...
Jun 14 22:05:55 snort 69270 FATAL ERROR: /usr/local/etc/snort/snort_9429_mvneta0.4091/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'. -
@Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:
@bmeeks It seemed up and running when i updated my system, but was then down when i logged back in. It no longer starts. these are the errors that im getting.
Jun 14 22:05:54 SnortStartup 67897 Snort START for WAN(64037_mvneta0.4090)...
Jun 14 22:05:54 snort 68170 FATAL ERROR: /usr/local/etc/snort/snort_64037_mvneta0.4090/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
Jun 14 22:05:54 SnortStartup 69067 Snort START for LAN(9429_mvneta0.4091)...
Jun 14 22:05:55 snort 69270 FATAL ERROR: /usr/local/etc/snort/snort_9429_mvneta0.4091/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.This is an easy fix. Remove the Snort package entirely (as in delete it on the Package Manager tab for Installed Packages). You will not lose any settings.
Return to Package Manager > Available Packages and install Snort again.
This bug is actually fixed in the new version, but you don't get the "fixed" files until after you install the new version. And by then, the old "bad" file with bug has already deleted the
unicode.mapfile as part of the package upgrade process (which actually deletes part of the package and reinstalls it).The
unicode.mapfile is part of the Snort binary, but because this update is for GUI code only and the binary is unchanged, the binary portion of the package (including theunicode.mapfile) is not reinstalled unless you delete the entire package.And just as an information point for me, do you use the Snort Subscriber Rules or just Emerging Threats Rules?
-
This post is deleted! -
@bmeeks
The Snort sub Rules and the ETOpen rules.
Ah, so thats why the reinstall didn't initially work. Gotcha. Should I only be using either one or the other? I very much appreciate the comprehensive response and breakdown of how it solves my problem, by the way. Right now the reinstall is hanging at the~"There is a new set of Snort Subscriber rules posted.
Downloading snortrules-snapshot-29160.tar.gz..."~step. I did delete the package before this reinstall though.
-
@Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:
@bmeeks
The Snort sub Rules and the ETOpen rules.
Ah, so thats why the reinstall didn't initially work. Gotcha. Should I only be using either one or the other? I very much appreciate the comprehensive response and breakdown of how it solves my problem, by the way. Right now the reinstall is hanging at the~"There is a new set of Snort Subscriber rules posted.
Downloading snortrules-snapshot-29160.tar.gz..."~step. I did delete the package before this reinstall though.
Those rules can take a while to download for some folks. As in several minutes in rare cases.
No, there is no necessary advantage of one set of rules over the other. I asked because I seem to recall that in the past one of those rules archives contained a copy of
unicode.mapthat would get copied over during the rules update and thus masked the bug of the deleted file. My personal firewall, for instance, has never experienced that particular issue. I run the Snort Subscriber Rules and a handful of ET-Open rules. -
@bmeeks That would just cause the issue to perpetuate then, no?
The reinstall has been hung up on that same step for around 45ish mins now. Would you reccomend that I keep waiting, or should I refresh the webGUI and try another reinstall? -
@Skozzy, 45 minutes is way too long. Sounds like pfSense can't reach the web site. Do you have any other packages installed that might interfere? Also, do you have sufficient free disk space in the /tmp directory? You need at least 256 MB of free space there to download and unpack the rules archives safely.
Some users create RAM disks, but those are never a good idea with the IDS/IPS packages. If you have a RAM disk, be sure the /tmp directory has enough free space. Usually, though, when that is the problem users get an error message about a corrupt archive.
-
@bmeeks As far as packages go, I have dhcpd, dpinger, ntpd, pfb_dnsbl, pfb_filter, suricata, syslogd, and unbound running. arpwatch is disabled currently.
And my current resources are around:
CPU usage
58%Memory usage
54% of 990 MiBDisk usage:
/
34% of 7.0GiB - ufs/var/run4% of 3.4MiB - ufs in RAM
-
@bmeeks
Hey Bill, when I posted my response earlier in this thread, I too had an update go an unusually long time. It’s fine now and updating daily. I’m also experiencing an issue on the pfBlockerNG beta. Is any part of the update code using Python? -
@Ramosel said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:
@bmeeks
Hey Bill, when I posted my response earlier in this thread, I too had an update go an unusually long time. It’s fine now and updating daily. I’m also experiencing an issue on the pfBlockerNG beta. Is any part of the update code using Python?No, there is no Python anywhere in the IDS/IPS packages.
-
@Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:
@bmeeks As far as packages go, I have dhcpd, dpinger, ntpd, pfb_dnsbl, pfb_filter, suricata, syslogd, and unbound running. arpwatch is disabled currently.
And my current resources are around:
CPU usage
58%Memory usage
54% of 990 MiBDisk usage:
/
34% of 7.0GiB - ufs/var/run4% of 3.4MiB - ufs in RAM
You never want Snort and Suricata installed on the same box! They will interfere with other, especially over the use of the snort2c table. Not to mention they will each absorb a large amount of the already slim RAM on the SG-1100 box.
-
@bmeeks
Thanks Bill. Just looking to confirm or exclude a commonality. It’s getting late East-coaster! Your bed is calling.Rick
-
@bmeeks Oh man, I had no idea! Thank you for the advice, I really appreciate it.
