    Snort Problem !!!!!

      tixe last edited by

      Hi, does someone know why I have this error on the Snort Rules option?

      Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort_rules.php on line 101
      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 35
      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 36
      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 37
      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 38
      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 39

      I use pfSense 1.2.2 (it also happens with 1.2.3 RC1).

      Thanks a lot

        jamesdean last edited by

        @tixe:

        Hey, can you tell me a little more?
        Did you update the rules first before trying to edit the rules?
        What version of the Snort package do you have?

        James

          tixe last edited by

          Hi, thanks for your response. I use the version that can be downloaded by the package admin on pfSense (2.8.4.1), and the rules have been trying to download for approximately 1 day. How much time is needed to download the package rules the first time after the package is installed?

          Thanks a lot

            tixe last edited by

            Also, when I go to Snort .. Update Rules … it shows this:

            Please wait... You may only check for New Rules every 15 minutes...
            Rules are released every month from snort.org. You may download the Rules at any time.

              jamesdean last edited by

              @tixe:

              Can you please type this in the terminal.

              rm /usr/local/etc/snort/rules/*
              rm /usr/local/etc/snort/

              Wait 15 minutes and try to update the rules.

              You should try to update your rules once a day but I do it once a week.

              James

                DigitalJer last edited by

                I am also having the exact same problem.

                Installed Snort 2.8.4.1 pkg v. 1.4 via the Packages module in the pfsense 1.2.2 gui, updated the rules manually (as per the wiki, as the gui times out), rebooted pfsense - but the Snort service won't start, and when clicking the Rules tab, this error appears at the top of the webgui:

                Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort_rules.php on line 101
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 35
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 36
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 37
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 38
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort_rules.php:101) in /usr/local/www/guiconfig.inc on line 39

                …if it helps, I'm running pfsense on a Nokia IP330 (AMD K6 II-400, 256 MB RAM, 20 GB HD).

                Also, just noticed this error in the Diagnostics / System log:

                snort[48048]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.

                  jamesdean last edited by

                  @DigitalJer:

                  I'm running an Alix 2d3 running at 500 MHz and 256 MB RAM. Rule updates take 5 minutes. How long are you waiting for the rule updates to finish?

                  Please post the output of

                  ls /usr/local/etc/snort/

                  and

                  ls /usr/local/etc/snort/rules

                  James

                    DigitalJer last edited by

                    An Alix, sweeeet, I'd like to get my hands on a WRAP board to install in my car (dual wifi radios).

                    Sry the proc in my Nokia IP330 is a K6-II 500, not K6-II 400.

                    The gui seems to time out at extraction - at about the 9 minute mark, give or take 10 - 20 seconds.

                    Dunno if this means anything, but with top running in an SSH session, bsdtar keeps running for several minutes after the gui times out.

                    ls /usr/local/etc/snort/

                    classification.config          sid-msg.map-sample
                    classification.config-sample    snort.conf
                    gen-msg.map                    snort.conf-sample
                    gen-msg.map-sample              threshold.conf
                    reference.config                threshold.conf-sample
                    reference.config-sample        unicode.map
                    rules                          unicode.map-sample
                    sid-msg.map

                    …and

                    ls /usr/local/etc/snort/rules

                    doc            etc            rules          so_rules

                    Thanks James.  Been struggling and searching for a while before posting…pretty sure I've just missed something silly.

                      jamesdean last edited by

                      NP DigitalJer

                      The GUI errors you get are because the rules have not extracted to /usr/local/etc/snort/rules.

                      Don't touch the GUI; do this for me.

                      rm /usr/local/etc/snort/rules/*

                      and

                      ls /tmp/snort_rules_up/

                      James

                        DigitalJer last edited by

                        rm /usr/local/etc/snort/rules/*

                        rm: /usr/local/etc/snort/rules/doc: is a directory
                        rm: /usr/local/etc/snort/rules/etc: is a directory
                        rm: /usr/local/etc/snort/rules/rules: is a directory
                        rm: /usr/local/etc/snort/rules/so_rules: is a directory

                        ..and

                        ls /tmp/snort_rules_up/

                        etc                                    snortrules-snapshot-2.8.tar.gz
                        pfsense_rules.tar.gz                    snortrules-snapshot-2.8.tar.gz.md5
                        pfsense_rules.tar.gz.md5                so_rules
                        rules

                        …looking into Alix / WRAP, I see the WRAPs are discontinued in favour of the Alix, since the last time I looked.  The Alix looks sharp.  waaaaannnnt!!

                          jamesdean last edited by

                          @DigitalJer:

                          Good news, looks like the rules are downloading fine, but your system can't handle the extraction process.

                          Do this

                          rm -r /usr/local/etc/snort/rules/*

                          and

                          ls /tmp/snort_rules_up/rules

                          James

                            DigitalJer last edited by

                            ls /tmp/snort_rules_up/rules

                            Makefile.am            local.rules            snmp.rules
                            VRT-License.txt        misc.rules              specific-threats.rules
                            attack-responses.rules  multimedia.rules        spyware-put.rules
                            backdoor.rules          mysql.rules            sql.rules
                            bad-traffic.rules      netbios.rules          telnet.rules
                            cgi-bin.list            nntp.rules              tftp.rules
                            chat.rules              open-test.conf          virus.rules
                            content-replace.rules  oracle.rules            voip.rules
                            ddos.rules              other-ids.rules        web-activex.rules
                            deleted.rules          p2p.rules              web-attacks.rules
                            dns.rules              policy.rules            web-cgi.rules
                            dos.rules              pop2.rules              web-client.rules
                            experimental.rules      pop3.rules              web-coldfusion.rules
                            exploit.rules          porn.rules              web-frontpage.rules
                            finger.rules            rpc.rules              web-iis.rules
                            ftp.rules              rservices.rules        web-misc.rules
                            icmp-info.rules        scada.rules            web-php.rules
                            icmp.rules              scan.rules              x11.rules
                            imap.rules              shellcode.rules
                            info.rules              smtp.rules

                            …my Nokia can't handle the truth??  boo!  Oh well it was only $20.

                              jamesdean last edited by

                              @DigitalJer:

                              Never give up DigitalJer…...

                              Do this

                              cp /tmp/snort_rules_up/rules/* /usr/local/etc/snort/rules/

                              and

                              rm /usr/local/lib/snort/dynamicrules/*

                              cp /tmp/snort_rules_up/so_rules/* /usr/local/lib/snort/dynamicrules/

                              and start snort by clicking save on the Settings Tab.

                                DigitalJer last edited by

                                Heck no, not giving up, just mildly disappointed.

                                …and that worked - tyvm!!

                                How did you know that it was failing on the extraction?  Going forward - will it update automatically, do you think, or should I bookmark this thread.

                                  jamesdean last edited by

                                  Snort will not update automatically for you, so bookmark this thread.
                                  The main problem is that your system can't handle extracting snortrules-snapshot-2.8.tar.gz.
                                  Hope you understand that I can't fix the bsd tar problem, because you're on a low-end system.

                                  Just remember to

                                  rm /usr/local/etc/snort/rules/*
                                  cp /tmp/snort_rules_up/rules/* /usr/local/etc/snort/rules/

                                  rm /usr/local/lib/snort/dynamicrules/*
                                  cp /tmp/snort_rules_up/so_rules/* /usr/local/lib/snort/dynamicrules/

                                  cp /tmp/snort_rules_up/pfsense_rules.tar.gz.md5 /usr/local/etc/snort/
                                  cp /tmp/snort_rules_up/snortrules-snapshot-2.8.tar.gz.md5 /usr/local/etc/snort/

                                  James

                                  P.S.

                                  You could write a small script to do this after snort package downloads the rules.

                                  1 Reply Last reply Reply Quote 0
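The P.S. above suggests scripting the manual copy; the following POSIX shell function is one way to do it (an added example, not code from the thread or from the Snort package). The default paths are the ones quoted in the thread; the names `sync_snort_rules` and `has_match`, the environment overrides and the `.old` backup directory are assumptions.

```shell
#!/bin/sh
# Added example: the manual copy steps from this thread as one guarded function.
# Default paths are the ones quoted in the thread; the environment overrides
# (an assumption) let the function be exercised against a scratch directory.
STAGE="${STAGE:-/tmp/snort_rules_up}"
RULES_DIR="${RULES_DIR:-/usr/local/etc/snort/rules}"
SO_DIR="${SO_DIR:-/usr/local/lib/snort/dynamicrules}"
CONF_DIR="${CONF_DIR:-/usr/local/etc/snort}"

# True when directory $1 contains at least one entry matching pattern $2.
has_match() {
    for f in "$1"/$2; do
        [ -e "$f" ] && return 0
    done
    return 1
}

sync_snort_rules() {
    # The thread shows bsdtar still extracting after the GUI timed out;
    # copying mid-extraction would install a partial rule set.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x bsdtar >/dev/null 2>&1; then
        echo "bsdtar is still running, try again later" >&2
        return 2
    fi
    # Never empty the live directory unless there is something to replace it.
    if ! has_match "$STAGE/rules" '*.rules'; then
        echo "no .rules files staged in $STAGE/rules" >&2
        return 1
    fi

    # Build the new rule set beside the live one, then swap it in, so a
    # failed copy leaves the running configuration untouched.
    new="$RULES_DIR.new.$$"
    rm -rf "$new"
    mkdir -p "$new" || return 1
    if ! cp "$STAGE"/rules/* "$new"/; then
        rm -rf "$new"
        return 1
    fi
    rm -rf "$RULES_DIR.old"
    if [ -d "$RULES_DIR" ]; then
        mv "$RULES_DIR" "$RULES_DIR.old" || return 1
    fi
    mv "$new" "$RULES_DIR" || return 1

    # Shared-object rules: clear stale libraries first (such as the example
    # rule library named in the FATAL ERROR earlier in the thread).
    if has_match "$STAGE/so_rules" '*'; then
        mkdir -p "$SO_DIR" || return 1
        rm -rf "${SO_DIR:?}"/*
        cp -R "$STAGE"/so_rules/* "$SO_DIR"/ || return 1
    fi

    # Copy the .md5 markers last, as in the thread's final step, and only
    # after everything else succeeded.
    for m in pfsense_rules.tar.gz.md5 snortrules-snapshot-2.8.tar.gz.md5; do
        if [ -f "$STAGE/$m" ]; then
            cp "$STAGE/$m" "$CONF_DIR"/ || return 1
        fi
    done
    return 0
}
```

Call `sync_snort_rules` once the package's download has finished; a non-zero return means the live rules were left as they were.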
                                    DigitalJer last edited by

                                    Got it.

                                    Thanks again :)

                                      DigitalJer last edited by

                                      UPDATE:  You're right, the Nokia IP330 firewall turned out to be considerably less powerful than I thought.

                                      I recently ordered Shaw's 100 mbps service, and with just ONE decently seeded torrent the pfsense f/w CPU held steady at about 55%.  Even just surfing at the same time resulted in 100% CPU, saturation, and laaaag :(

                                      So, that's been retired, and an Athlon XP 64 3000+ with a gig of RAM moved in instead, and all is well.  I did the math, this should just slightly exceed requirements…so ought to be just about right.

                                      Anyway, thanks again jamesdean, for taking the time to help me out!  Happy Holidays :)
