Unable to modify (i.e., install, remove, or reinstall) packages via Web interface + Snort installed but not showing up in Web GUI

paanvaannd

• Hardware: SG-3100
• OS version: 21.05-RELEASE (arm)

I had installed Snort previously but it was no longer showing up in the Web interface for some reason. The Package Manager page also was not working and pfSense was failing to check for upgrades. Due to the number of issues I was having, I manually reinstalled pfSense and reloaded my backed up config file.

After the reinstall, the yellow banner stating that packages were being reinstalled in the background persisted for around 15 minutes (I only had Snort installed before) so I released the package lock and tried modifying the packages myself.

The Package Manager page now worked on my new install and showed Snort in red, indicating that it was configured but not fully installed. Re-installation and deletion didn't work via the GUI (the page would just sit there with the tab's loading spinner spinning, no text stating that the processes had started or anything).

Fed up with this, I decided to manually remove the package via the shell with $ pkg-static remove pfSense-pkg-snort-4.1.3_5 && pkg-static autoremove. Upon reloading the Web interface, Snort no longer showed up on the list. Success...?

So I tried installing Snort at this point again through the Web interface but the same stall happened: I clicked on the install button by the package's name and the Web interface tried to reload but nothing happened for several minutes. Reloading the installed packages tab did not show Snort as being installed, confirmed with $ pkg-static info | grep snort via the shell.

Executing $ pkg-static install pfSense-pkg-snort-4.1.3_5 from the shell goes through the whole Snort install process and completes successfully after having downloading the configured rule sets that it keeps finding on my system from the prior install. Snort now shows up in the Package Manager page but still does not show up in the Services menu for some reason. Interacting with the package once using the GUI still did nothing (same as before). The Package Manager page shows that Snort is still there, it is still not in the Services menu, and the package is still there when confirming via the shell.

I have no idea what is going on or what to do to fix this. Why is the GUI not working? Why is Snort not showing up? Any assistance would be greatly appreciated and I will provide any additional information one might need to further assist me.

P.S. One other thing that might be of importance is that I have configured pfSense to route traffic across my networks via PIA VPN using the official guide on their website. I found that the package management options via the shell that required an Internet connection (e.g., $ pkg-static update) would not work if the VPN was up. After turning OpenVPN off on the Web GUI, I was able to at least use the shell to manage packages as outlined above.

P.P.S. Trying to install pfBlockerNG via the Web GUI results in the same behavior (i.e., nothing).

bmeeks

You need to either wait for the upcoming release of pfSense-2.5.2, or you need to apply the patch for this issue. It is a problem with PHP itself on 32-bit ARM hardware, and it impacts several packages that make use of the PERL Regex library calls in PHP. What is happening is PHP is crashing during the Snort installation process when Snort is reading in your old configuration and migrating it back into the new Snort install. Because PHP itself crashes, the remainder of the Snort installation process does not complete. One of the last things done during the install process is the creation of the menu entries. So due to the crash and the install process not completing, you see nothing in the menus of pfSense.

Here is a link to a recent post from the Netgate team about the issue and patch: https://forum.netgate.com/topic/161050/snort-won-t-start-after-upgrade-to-21-02-on-sg-3100/24. To install the patch, you will first need to install the System Patches package. I think 2.5.2 is coming out very soon, so you might be better off to wait for that as it includes the patch.

paanvaannd

Thank you for taking the time to help and explain, @bmeeks!

Per your and others' comments in that linked thread, I'm not hopeful that Snort/Suricata would have much hope of working on my SG-3100 even after 2.5.2 rolls around (I'd link directly to your comment but I can't figure out how to copy a permalink on this site...) so I may just upgrade to the SG-6100 since it's Intel-based.

bmeeks

@paanvaannd said in Unable to modify (i.e., install, remove, or reinstall) packages via Web interface + Snort installed but not showing up in Web GUI:

Thank you for taking the time to help and explain, @bmeeks!

Per your and others' comments in that linked thread, I'm not hopeful that Snort/Suricata would have much hope of working on my SG-3100 even after 2.5.2 rolls around (I'd link directly to your comment but I can't figure out how to copy a permalink on this site...) so I may just upgrade to the SG-6100 since it's Intel-based.

Yes, the SG-3100 is not the best choice right now for the IDS/IPS packages. It is due to the 32-bit ARM processor chip in that box. Because of the 32-bit ARM processor and the lack of Rust support for it, it is not possible to run any version of Suricata on that hardware newer than 4.x. That is two versions behind, and no longer supported by the Suricata team.