Snort Package v4.1.3 Update -- Release Notes
-
pfSense-pkg-snort-4.1.3
This update to the GUI package provides support for the latest Snort 2.9.17 binary. Four bug fixes and one new feature are included in the update. This package update is currently available only in the pfSense-2.5 Development Snapshot branch. The update will be migrated to the 2.4.5-RELEASE branch in the near future after further user testing in the DEVELOPMENT branch.
New Features:
- When enabling required Flowbits rules using the automatic flowbits resolution logic, add the flowbits:noalert tag to rules that were not enabled initially by the user but needed to be enabled to satisfy checked flowbits. This suppresses alerts from disabled rules auto-enabled by the flowbits resolution logic.
Bug Fixes:
- On the CATEGORIES tab, the IPS Policy Mode control should be hidden unless Inline IPS Mode is selected.
- On the RULES tab, make sure User-Disabled rules are included when filtering for Disabled Rules.
- Update the help text on the SUPPRESS LIST EDIT tab.
- Fix typo in Snort GPLv2 Community Rules MD5 file and Snort OpenAppID Rules MD5 file paths. See Forum post here: https://forum.netgate.com/topic/159168/problems-downloading-custom-rules-in-suricata/4.
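A simplified model of the flowbits resolution described under New Features above, as an added example that is not the Snort package's own code (the package GUI is PHP). The function names and sample rules are constructed for illustration; the sketch enables disabled rules that set a flowbit checked by an enabled rule and tags them with flowbits:noalert.

```python
import re

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def flowbit_ops(rule):
    """Return (bits this rule sets, bits this rule checks)."""
    sets, checks = set(), set()
    for opt in FLOWBITS_RE.findall(rule):
        parts = [p.strip() for p in opt.split(",")]
        names = {n.strip() for n in re.split(r"[&|]", parts[1])} if len(parts) > 1 else set()
        if parts[0] in ("set", "setx", "toggle"):
            sets |= names
        elif parts[0] in ("isset", "isnotset"):
            checks |= names
    return sets, checks

def add_noalert(rule):
    """Insert flowbits:noalert after the rule's last flowbits option."""
    if "noalert" in [o.strip() for o in FLOWBITS_RE.findall(rule)]:
        return rule
    end = list(FLOWBITS_RE.finditer(rule))[-1].end()
    return rule[:end] + " flowbits:noalert;" + rule[end:]

def resolve_flowbits(lines):
    """Enable disabled setter rules whose bits an enabled rule checks."""
    enabled = [not l.lstrip().startswith("#") for l in lines]
    texts = [l.lstrip().lstrip("#").strip() for l in lines]
    auto, changed = [], True
    while changed:  # an auto-enabled rule may itself check further bits
        changed = False
        needed = set()
        for on, text in zip(enabled, texts):
            if on:
                needed |= flowbit_ops(text)[1]
        for i, text in enumerate(texts):
            if not enabled[i] and flowbit_ops(text)[0] & needed:
                texts[i], enabled[i], changed = add_noalert(text), True, True
                auto.append(int(SID_RE.search(text).group(1)))
    out = [t if on else "# " + t for on, t in zip(enabled, texts)]
    return out, auto

# Constructed sample rules (not from any real ruleset); '#' marks a disabled rule.
SAMPLE = [
    'alert tcp any any -> any 80 (msg:"EXAMPLE follow-up"; flowbits:isset,ex.login; content:"GET"; sid:1000002; rev:1;)',
    '# alert tcp any any -> any 80 (msg:"EXAMPLE login seen"; content:"POST"; flowbits:set,ex.login; sid:1000001; rev:1;)',
    '# alert tcp any any -> any 80 (msg:"EXAMPLE unrelated"; content:"PUT"; flowbits:set,ex.other; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    new_rules, auto_enabled = resolve_flowbits(SAMPLE)
    print("auto-enabled SIDs:", auto_enabled)
    print("\n".join(new_rules))
```

Without the noalert tag, the auto-enabled setter rule (SID 1000001 in the sample) would raise its own alerts even though the user had left it disabled.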
-
@bmeeks PFSENSE 2.45 has the new snort 4.1.3_1, however I am unable to complete the installation. It gets stuck in the first step "Please wait while the update system initializes" then it hangs. Is the reason being that it can only be installed on PFSENSE 2.5?
-
@dwighthenry61 said in Snort Package v4.1.3 Update -- Release Notes:
@bmeeks PFSENSE 2.45 has the new snort 4.1.3_1, however I am unable to complete the installation. It gets stuck in the first step "Please wait while the update system initializes" then it hangs. Is the reason being that it can only be installed on PFSENSE 2.5?
pfSense 2.4.5 is now essentially EOL with the release of 2.5. Because pfSense packages are ALWAYS compiled only against the latest RELEASE version of pfSense (or DEVEL snapshot if you are using that branch), you can't install packages on older pfSense versions once a new pfSense version is released. And if you do, you can break your pfSense installation -- sometimes so badly that only a reinstall from scratch using a backup of config.xml will bring your system back.
If you want to update or install any packages now, you MUST update pfSense first to the latest version (in this case, 2.5).
-
@bmeeks thank you. I don't see the option yet for 2.5, but as soon as I can I will update. Thank you so much for your quick response.
-
@dwighthenry61 said in Snort Package v4.1.3 Update -- Release Notes:
@bmeeks thank you. I don't see the option yet for 2.5, but as soon as I can I will update. Thank you so much for your quick response.
Huh??? It should show up on your firewall Dashboard screen. I have a Netgate SG-5100 that I have not yet updated, so my screen shows the 21.02 update being available, but if you are running CE (Community Edition) on non-Netgate hardware you should see a notice that pfSense-2.5 is available for updating.
-
@bmeeks yes I did see it, I needed to squint to see it colored in green. I ran both updates and it works great. You are great, thank you so much for caring.
-
@bmeeks Sorry to be a pain, so the Snort install completed, and I can see it as an installed package. However it does not show up on the services list, and if I go to service watchdog to add it, it does not show up there as well, nor as an installed service on the dashboard. I rebooted the appliance without any success, even removed and reinstalled with no success. Any thoughts on what I could try?
-
@dwighthenry61 said in Snort Package v4.1.3 Update -- Release Notes:
@bmeeks Sorry to be a pain, so the Snort install completed, and I can see it as an installed package. However it does not show up on the services list, and if I go to service watchdog to add it, it does not show up there as well, nor as an installed service on the dashboard. I rebooted the appliance without any success, even removed and reinstalled with no success. Any thoughts on what I could try?
If it does not show up under the SERVICES menu, then the installation did not complete successfully. Perhaps you either did not wait long enough (you should see a "green" success screen at the end of the installation), or an error occurred near the end of the process. Either way, do not navigate away from the Package Installation screen until it 100% completes and shows you a green success message. You may need to remove the package, and install it again. This time be sure to wait until the screen gives you a green progress bar and a "success" installation message.
You mentioned Service Watchdog. NEVER use Service Watchdog with Snort!! It is not compatible with the Snort package (nor the Suricata package).
-
@bmeeks this is what I see after install "This can be done by appending '-lro' to your ifconfig_ line in rc.conf.
Message from pfSense-pkg-snort-4.1.3_1:
--
Please visit Services - Snort - Interfaces tab first to add an interface, then select your desired rules packages at the Services - Snort - Global tab. Afterwards visit the Updates tab to download your configured rulesets.
Cleaning up cache... done.
Success"
The bar above also changes from red to all green.
-
Is there anything listed in the pfSense System Log? Do you see any errors listed there?
-
@bmeeks The install is finally showing up after 5 installs. I am now good to go. Thanks.
-
@bmeeks multi-threading please
-
@beachbum2021 said in Snort Package v4.1.3 Update -- Release Notes:
@bmeeks multi-threading please
Sorry, not happening. I got fully and thoroughly disgusted with Snort3 trying to convert the current package to the new binary. I'm done with that horse. Someone else is welcome to try if they want to. If multithreading is a must have, then use Suricata.
-
@bmeeks hey bmeeks, so after installing the patch for the pfSense+ issue that was affecting Netgate 3100, Snort went from not running to disappearing once more. I can see that the package is installed in the package manager, however not showing in the Services menu.
-
@dwighthenry61 said in Snort Package v4.1.3 Update -- Release Notes:
@bmeeks hey bmeeks, so after installing the patch for the pfSense+ issue that was affecting Netgate 3100, Snort went from not running to disappearing once more. I can see that the package is installed in the package manager, however not showing in the Services menu.
Snort on the SG-3100 is still not working. We are looking into the problem, but it's a confusing one at the moment.
-
Confirmed that it's not working on SG-3100. Install succeeded, but it doesn't start (or fails after it starts, although I'm not seeing that in the logs).
-
@rloeb said in Snort Package v4.1.3 Update -- Release Notes:
Confirmed that it's not working on SG-3100. Install succeeded, but it doesn't start (or fails after it starts, although I'm not seeing that in the logs).
The main issue on the SG-3100 is that a portion of the Snort GUI code that runs when you click the Start icon is crashing PHP itself on the firewall. Why that happens has not yet been pinned down. The exact same GUI code runs just fine on everything else (SG-1100, SG-5100 and any other device that has a CPU that is not a 32-bit ARM chip). So that hints the issue is something with PHP itself on 32-bit ARM architecture, but nothing is proven yet.
This crashing of PHP will also likely interfere with the installation of Snort as it calls the same area of code during post-installation configuration. If PHP crashes then, it will likely not complete the last step of the installation which is creating the menu entry under SERVICES.
-
@bmeeks I upgraded to the latest version of PfSense+ 21.02.2-RELEASE (arm)
built on Mon Apr 12 07:50:07 EDT 2021 so now I can install Snort and see it on the Services list. Trouble now however is that after configuring it won't start.
-
@dwighthenry61 said in Snort Package v4.1.3 Update -- Release Notes:
@bmeeks I upgraded to the latest version of PfSense+ 21.02.2-RELEASE (arm)
built on Mon Apr 12 07:50:07 EDT 2021 so now I can install Snort and see it on the Services list. Trouble now however is that after configuring it won't start.
Look at the post immediately above yours and you will see why. Nothing has changed on that front. Neither Snort nor Suricata will run on the SG-3100 hardware (or any ARM 32-bit appliance).
This issue is unlikely to get fixed, so if you want to run an IDS/IPS package, you will want to get something besides 32-bit ARM hardware to run it on.