Netgate Discussion Forum
    Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes

    IDS/IPS
    18 Posts 3 Posters 1.3k Views
    • bmeeksB
      bmeeks
      last edited by bmeeks

      Snort v3.2.9.12

      This update for the Snort GUI package corrects a rare edge-case install bug, removes a pair of deprecated system calls, fixes an issue with clearing blocked hosts on package uninstall and adds two new features.

      New Features:

      1. Add option for packet logging to INTERFACES EDIT tab. When enabled, Snort will capture packets associated with an alert and store them in a tcpdump-compatible output file in the logging directory for the Snort interface. If you enable packet captures, you are strongly encouraged to enable automatic log size management on the LOGS MGMT tab and set reasonable limits for your hardware. Failure to do this can lead to disk space exhaustion!

      2. In preparation for Barnyard2 removal, migrate some OpenAppID logging to a stand-alone unified2 log file (appid.alerts) in the logging directory for the Snort interface. Future package enhancements will utilize this binary logging file. New settings were added to the LOGS MGMT tab to allow configuration of size and retention limits for these logs.

      Bug Fixes:

      1. Fix up code in the post-install process so that the critical unicode.map and other *-sample files are retained and used to replace any primary files that are incorrectly removed by a package update.

      2. Remove deprecated calls to the old conf_mount_rw() and conf_mount_ro() system functions as they are no longer required in current pfSense environments.

      3. The option to "Remove Blocked Hosts" is not honored when uninstalling the Snort package but retaining configuration settings.

      • bmeeksB
        bmeeks
        last edited by bmeeks

        Just an FYI data point-- I updated my personal pfSense firewall (a Netgate SG-5100) from Snort v3.2.9.11 to this new 3.2.9.12 package without incident.

        • R
          Ramosel
          last edited by

          Same results here too Bill. After upgrading my SG-4860 to 2.4.5_p1, I updated Snort to your new Snort v3.2.9.12. One of the rule sets took freakin' forever to update but other than that everything looks good and back to blocking the world's BS. Been a while since we chatted, so just wanted to say Hi! and thanks.

          • S
            Skozzy
            last edited by

            Updated my SG-1100 to 2.4.5_p1 the other day, excited by the statement in the patch notes about finally getting suricata up and running, only to find snort on the fritz the next day. It is unable to run on any interface 24hrs after the update. My service statuses were all green following the system update, then the next morning snort was down. I just reinstalled v3.2.9.12 to no avail. Any other SG-1100 users having problems?

            • bmeeksB
              bmeeks @Skozzy
              last edited by bmeeks

              @Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

              Updated my SG-1100 to 2.4.5_p1 the other day, excited by the statement in the patch notes about finally getting suricata up and running, only to find snort on the fritz the next day. It is unable to run on any interface 24hrs after the update. My service statuses were all green following the system update, then the next morning snort was down. I just reinstalled v3.2.9.12 to no avail. Any other SG-1100 users having problems?

              I need more information than simply "it's down after 24 hours".

              What error messages are you seeing in the pfSense system log related to Snort?

              Does it not restart, does it start and then die? If it starts and dies, can you provide a time period for how long it runs before it dies?

              • S
                Skozzy @bmeeks
                last edited by

                @bmeeks It seemed up and running when I updated my system, but was then down when I logged back in. It no longer starts. These are the errors that I'm getting.

                Jun 14 22:05:54 SnortStartup 67897 Snort START for WAN(64037_mvneta0.4090)...
                Jun 14 22:05:54 snort 68170 FATAL ERROR: /usr/local/etc/snort/snort_64037_mvneta0.4090/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                Jun 14 22:05:54 SnortStartup 69067 Snort START for LAN(9429_mvneta0.4091)...
                Jun 14 22:05:55 snort 69270 FATAL ERROR: /usr/local/etc/snort/snort_9429_mvneta0.4091/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.

                • bmeeksB
                  bmeeks @Skozzy
                  last edited by bmeeks

                  @Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

                  @bmeeks It seemed up and running when I updated my system, but was then down when I logged back in. It no longer starts. These are the errors that I'm getting.

                  Jun 14 22:05:54 SnortStartup 67897 Snort START for WAN(64037_mvneta0.4090)...
                  Jun 14 22:05:54 snort 68170 FATAL ERROR: /usr/local/etc/snort/snort_64037_mvneta0.4090/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                  Jun 14 22:05:54 SnortStartup 69067 Snort START for LAN(9429_mvneta0.4091)...
                  Jun 14 22:05:55 snort 69270 FATAL ERROR: /usr/local/etc/snort/snort_9429_mvneta0.4091/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.

                  This is an easy fix. Remove the Snort package entirely (as in delete it on the Package Manager tab for Installed Packages). You will not lose any settings.

                  Return to Package Manager > Available Packages and install Snort again.

                  This bug is actually fixed in the new version, but you don't get the "fixed" files until after you install the new version. And by then, the old "bad" file with the bug has already deleted the unicode.map file as part of the package upgrade process (which actually deletes part of the package and reinstalls it).

                  The unicode.map file is part of the Snort binary, but because this update is for GUI code only and the binary is unchanged, the binary portion of the package (including the unicode.map file) is not reinstalled unless you delete the entire package.

                  And just as an information point for me, do you use the Snort Subscriber Rules or just Emerging Threats Rules?

                    • S
                      Skozzy @bmeeks
                      last edited by

                      @bmeeks
                      The Snort sub Rules and the ETOpen rules.
                      Ah, so that's why the reinstall didn't initially work. Gotcha. Should I only be using either one or the other? I very much appreciate the comprehensive response and breakdown of how it solves my problem, by the way. Right now the reinstall is hanging at the~

                      "There is a new set of Snort Subscriber rules posted.
                      Downloading snortrules-snapshot-29160.tar.gz..."

                      ~step. I did delete the package before this reinstall though.

                      • bmeeksB
                        bmeeks @Skozzy
                        last edited by

                        @Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

                        @bmeeks
                        The Snort sub Rules and the ETOpen rules.
                        Ah, so that's why the reinstall didn't initially work. Gotcha. Should I only be using either one or the other? I very much appreciate the comprehensive response and breakdown of how it solves my problem, by the way. Right now the reinstall is hanging at the~

                        "There is a new set of Snort Subscriber rules posted.
                        Downloading snortrules-snapshot-29160.tar.gz..."

                        ~step. I did delete the package before this reinstall though.

                        Those rules can take a while to download for some folks. As in several minutes in rare cases.

                        No, there is no necessary advantage of one set of rules over the other. I asked because I seem to recall that in the past one of those rules archives contained a copy of unicode.map that would get copied over during the rules update and thus masked the bug of the deleted file. My personal firewall, for instance, has never experienced that particular issue. I run the Snort Subscriber Rules and a handful of ET-Open rules.

                        • S
                          Skozzy @bmeeks
                          last edited by

                          @bmeeks That would just cause the issue to perpetuate then, no?
                          The reinstall has been hung up on that same step for around 45ish mins now. Would you recommend that I keep waiting, or should I refresh the webGUI and try another reinstall?

                          • bmeeksB
                            bmeeks @Skozzy
                            last edited by

                            @Skozzy, 45 minutes is way too long. Sounds like pfSense can't reach the web site. Do you have any other packages installed that might interfere? Also, do you have sufficient free disk space in the /tmp directory? You need at least 256 MB of free space there to download and unpack the rules archives safely.

                            Some users create RAM disks, but those are never a good idea with the IDS/IPS packages. If you have a RAM disk, be sure the /tmp directory has enough free space. Usually, though, when that is the problem users get an error message about a corrupt archive.

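A small triage script, added here and not part of the Snort package or of any post in this thread, that parses pfSense system log lines in the format Skozzy posted to list which Snort interfaces failed to start and which file each could not open, and checks the 256 MB free-space guideline for /tmp given above. It assumes only the two message formats quoted in the thread; the log lines inside the block are a constructed copy of them.

```shell
#!/bin/sh
# Added triage helper for the failure discussed in this thread; it is not part of
# the pfSense Snort package. It pairs each "Snort START for NAME(ID_IFACE)" line
# with the "FATAL ERROR ... Unable to open ... '<file>'" line for the same
# interface, and checks the free space in /tmp that the rules download needs.

# Constructed sample, following the log format quoted in the thread.
sample_log() {
    cat <<'EOF'
Jun 14 22:05:54 SnortStartup 67897 Snort START for WAN(64037_mvneta0.4090)...
Jun 14 22:05:54 snort 68170 FATAL ERROR: /usr/local/etc/snort/snort_64037_mvneta0.4090/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
Jun 14 22:05:54 SnortStartup 69067 Snort START for LAN(9429_mvneta0.4091)...
Jun 14 22:05:55 snort 69270 FATAL ERROR: /usr/local/etc/snort/snort_9429_mvneta0.4091/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
EOF
}

# Reads log lines on stdin; prints "NAME ID_IFACE MISSING_FILE" for each failed start.
snort_start_failures() {
    awk '
    /Snort START for / {
        s = $0; sub(/.*Snort START for /, "", s)        # WAN(64037_mvneta0.4090)...
        name = s; sub(/\(.*/, "", name)                  # WAN
        id = s; sub(/^[^(]*\(/, "", id); sub(/\).*/, "", id)   # 64037_mvneta0.4090
        iface[id] = name
    }
    /FATAL ERROR: .*Unable to open/ {
        s = $0; sub(/.*FATAL ERROR: /, "", s)
        id = s; sub(/\/snort\.conf\(.*/, "", id); sub(/.*\/snort_/, "", id)  # id from conf dir
        q = index(s, "\047"); rest = substr(s, q + 1)    # text inside the single quotes
        file = substr(rest, 1, index(rest, "\047") - 1)
        print (id in iface ? iface[id] : "unknown"), id, file
    }'
}

# Succeeds when DIR has at least MIN_MB megabytes free (the thread advises 256 for /tmp).
dir_has_free_mb() {
    dir=$1; min_mb=$2
    free_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    [ "${free_kb:-0}" -ge $((min_mb * 1024)) ]
}

# Stand-alone run: report failed interfaces from the sample, then the /tmp check.
sample_log | snort_start_failures
if dir_has_free_mb /tmp 256; then echo "/tmp: enough free space for the rules download"
else echo "/tmp: less than 256 MB free; the rules update may fail"; fi
```

To use it on a live box, feed the real log instead of the sample: `clog /var/log/system.log | snort_start_failures`.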
                            • S
                              Skozzy @bmeeks
                              last edited by

                              @bmeeks As far as packages go, I have dhcpd, dpinger, ntpd, pfb_dnsbl, pfb_filter, suricata, syslogd, and unbound running. arpwatch is disabled currently.

                              And my current resources are around:

                              CPU usage: 58%
                              Memory usage: 54% of 990 MiB
                              Disk usage:
                              / : 34% of 7.0GiB - ufs
                              /var/run : 4% of 3.4MiB - ufs in RAM

                              • R
                                Ramosel @bmeeks
                                last edited by

                                @bmeeks
                                Hey Bill, when I posted my response earlier in this thread, I too had an update go an unusually long time. It’s fine now and updating daily. I’m also experiencing an issue on the pfBlockerNG beta. Is any part of the update code using Python?

                                • bmeeksB
                                  bmeeks @Ramosel
                                  last edited by

                                  @Ramosel said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

                                  @bmeeks
                                  Hey Bill, when I posted my response earlier in this thread, I too had an update go an unusually long time. It’s fine now and updating daily. I’m also experiencing an issue on the pfBlockerNG beta. Is any part of the update code using Python?

                                  No, there is no Python anywhere in the IDS/IPS packages.

                                  • bmeeksB
                                    bmeeks @Skozzy
                                    last edited by

                                    @Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

                                    @bmeeks As far as packages go, I have dhcpd, dpinger, ntpd, pfb_dnsbl, pfb_filter, suricata, syslogd, and unbound running. arpwatch is disabled currently.

                                    And my current resources are around:

                                    CPU usage: 58%
                                    Memory usage: 54% of 990 MiB
                                    Disk usage:
                                    / : 34% of 7.0GiB - ufs
                                    /var/run : 4% of 3.4MiB - ufs in RAM

                                    You never want Snort and Suricata installed on the same box! They will interfere with each other, especially over the use of the snort2c table. Not to mention they will each absorb a large amount of the already slim RAM on the SG-1100 box.

                                    • R
                                      Ramosel @bmeeks
                                      last edited by

                                      @bmeeks
                                      Thanks Bill. Just looking to confirm or exclude a commonality. It’s getting late East-coaster! Your bed is calling.

                                      Rick

                                      • S
                                        Skozzy @bmeeks
                                        last edited by

                                        @bmeeks Oh man, I had no idea! Thank you for the advice, I really appreciate it.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.