Snort fails to install.
-
And if you decide to perform a fresh install of pfSense, and you did not choose the ZFS option the first time, I recommend installing using the ZFS option when choosing the filesystem. That filesystem is much more resilient in case of sudden power loss. ZFS will be an option in the installer window.
-
@bmeeks ZFS asks me to do raid all the time.
-
@BlueCoffee said in Snort fails to install.:
@bmeeks ZFS asks me to do raid all the time.
No, you do not have to choose RAID. It will let you install to a single disk. Look through the options carefully. RAID is typically used with ZFS, but it is not a requirement that blocks installation otherwise.
Have a look here: https://docs.netgate.com/pfsense/en/latest/install/install-zfs.html.
-
I've installed again (before I had seen your ZFS post) and I ran the command again:
[2.7.0-RELEASE][admin@pfSense.home.arpa]/root: fsck
** /dev/ufsid/64e75ea55ebb8f0b (NO WRITE)
** SU+J Recovering /dev/ufsid/64e75ea55ebb8f0b
USE JOURNAL? no
** Skipping journal, falling through to full fsck
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=25721102 (8 should be 0)
CORRECT? no
INCORRECT BLOCK COUNT I=40224271 (712 should be 704)
CORRECT? no
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=23317317 OWNER=root MODE=100644 SIZE=12462 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=23317318 OWNER=root MODE=100644 SIZE=12589 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=24999963 OWNER=root MODE=100600 SIZE=3389 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=24999964 OWNER=root MODE=100644 SIZE=748 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=24999965 OWNER=root MODE=100600 SIZE=419 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=24999966 OWNER=root MODE=100644 SIZE=104 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=27163420 OWNER=root MODE=100644 SIZE=2228 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=40224291 OWNER=root MODE=100644 SIZE=0 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=40624914 OWNER=root MODE=100644 SIZE=0 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=41666593 OWNER=root MODE=100644 SIZE=6 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=46554389 OWNER=root MODE=100644 SIZE=553 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=50480645 OWNER=root MODE=100666 SIZE=0 MTIME=Aug 24 14:45 2023
CLEAR? no
UNREF FILE I=50480649 OWNER=root MODE=100644 SIZE=522 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? no
SUMMARY INFORMATION BAD
SALVAGE? no
BLK(S) MISSING IN BIT MAPS
SALVAGE? no
26286 files, 459947 used, 119573829 free (3669 frags, 14946270 blocks, 0.0% fragmentation)
** /dev/nvd0p1 (NO WRITE)
** Phase 1 - Read FAT and checking connectivity
** Phase 2 - Checking Directories
** Phase 3 - Checking for Lost Files
6 files, 259 MiB free (16549 clusters)
MARK FILE SYSTEM CLEAN? no
***** FILE SYSTEM IS LEFT MARKED AS DIRTY *****
[2.7.0-RELEASE][admin@pfSense.home.arpa]/root:
Odd, right?
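An added example, not code from this thread or from pfSense: a small Python reader for a FreeBSD fsck transcript like the one posted above. The thing to notice in that output is the "(NO WRITE)" after each device name, which fsck prints when it opens a mounted filesystem read-only, so every CORRECT?/CLEAR?/SALVAGE? prompt is answered "no" and nothing is repaired. The parser tallies what fsck found per device, how many repairs it actually applied, and flags the "found problems, fixed none" case. It matches on tokens rather than lines, so it handles the flattened one-line form as pasted above as well as normal line-broken output. The embedded transcript is an abbreviated excerpt modelled on the posted one (UFS root plus the FAT EFI partition); the advice string at the end is the standard fsck -y-from-single-user-mode remedy, not something the thread states.

```python
"""Summarise a FreeBSD fsck transcript: what it found, and whether it fixed anything."""
import re
from dataclasses import dataclass
from typing import List

# Abbreviated excerpt modelled on the transcript posted in this thread, embedded
# here so the example runs offline.
SAMPLE = """\
** /dev/ufsid/64e75ea55ebb8f0b (NO WRITE)
** SU+J Recovering /dev/ufsid/64e75ea55ebb8f0b
USE JOURNAL? no
** Skipping journal, falling through to full fsck
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=25721102 (8 should be 0)
CORRECT? no
INCORRECT BLOCK COUNT I=40224271 (712 should be 704)
CORRECT? no
** Phase 4 - Check Reference Counts
UNREF FILE I=23317317 OWNER=root MODE=100644 SIZE=12462 MTIME=Aug 24 14:51 2023
RECONNECT? no
CLEAR? no
UNREF FILE I=50480645 OWNER=root MODE=100666 SIZE=0 MTIME=Aug 24 14:45 2023
CLEAR? no
** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? no
SUMMARY INFORMATION BAD
SALVAGE? no
BLK(S) MISSING IN BIT MAPS
SALVAGE? no
** /dev/nvd0p1 (NO WRITE)
** Phase 3 - Checking for Lost Files
MARK FILE SYSTEM CLEAN? no
***** FILE SYSTEM IS LEFT MARKED AS DIRTY *****
"""

DEVICE_HEADER = re.compile(r"\*\* (/dev/\S+)(?: \((NO WRITE)\))?")
BAD_COUNT = re.compile(r"INCORRECT BLOCK COUNT I=(\d+) \((\d+) should be (\d+)\)")
UNREF = re.compile(r"UNREF FILE I=(\d+) OWNER=(\S+) MODE=(\d+) SIZE=(\d+)")
# Every prompt whose "yes" would write to the disk. USE JOURNAL? is deliberately
# left out: declining it only selects a full check, it is not a repair.
REPAIR_PROMPT = re.compile(
    r"\b(CORRECT|RECONNECT|CLEAR|SALVAGE|MARK FILE SYSTEM CLEAN)\? (yes|no)\b")


@dataclass
class FsckSummary:
    device: str
    no_write: bool          # fsck opened the device read-only (it was mounted)
    bad_block_counts: int   # "INCORRECT BLOCK COUNT" findings
    unref_files: int        # "UNREF FILE" findings
    repair_prompts: int     # prompts that would have written to disk
    answered_yes: int       # how many of those were accepted
    left_dirty: bool        # fsck said so explicitly

    @property
    def repaired(self) -> bool:
        return not self.no_write and self.answered_yes > 0


def parse_fsck(transcript: str) -> List[FsckSummary]:
    """Split the transcript into per-device sections and tally each one."""
    headers = list(DEVICE_HEADER.finditer(transcript))
    summaries = []
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(transcript)
        body = transcript[hdr.end():end]
        answers = [m.group(2) for m in REPAIR_PROMPT.finditer(body)]
        summaries.append(FsckSummary(
            device=hdr.group(1),
            no_write=hdr.group(2) is not None,
            bad_block_counts=len(BAD_COUNT.findall(body)),
            unref_files=len(UNREF.findall(body)),
            repair_prompts=len(answers),
            answered_yes=answers.count("yes"),
            left_dirty="LEFT MARKED AS DIRTY" in body,
        ))
    return summaries


def nothing_repaired(summaries: List[FsckSummary]) -> bool:
    """True when fsck reported problems on some device but corrected none of them."""
    found = sum(s.repair_prompts for s in summaries)
    return found > 0 and not any(s.repaired for s in summaries)


def report(summaries: List[FsckSummary]) -> str:
    lines = []
    for s in summaries:
        mode = "NO WRITE, dry run" if s.no_write else "read-write"
        lines.append(
            f"{s.device} [{mode}]: {s.bad_block_counts} bad block counts, "
            f"{s.unref_files} unreferenced files, {s.answered_yes}/{s.repair_prompts} "
            f"repairs applied{', left dirty' if s.left_dirty else ''}")
    if nothing_repaired(summaries):
        lines.append("Problems were found but not fixed: re-run fsck -y from single-user "
                     "mode (or the installer shell) with the filesystem unmounted.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_fsck(SAMPLE)))
```

Run against the excerpt it reports eight declined repairs on the UFS root and one on the FAT partition, with zero applied, which is exactly the situation in the posted transcript: fsck was only reporting, not fixing.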
-
@BlueCoffee:
Follow the instructions very carefully in the documentation links I've provided from Netgate. Both of them for repairing the disk and installing using ZFS single-disk mode (also called Stripe 0).
-
@bmeeks said in Snort fails to install.:
@BlueCoffee:
Follow the instructions very carefully in the documentation links I've provided from Netgate. Both of them for repairing the disk and installing using ZFS single-disk mode (also called Stripe 0).
I'm sending it back. Mega crash, then a flashing screen. Thanks for the help bmeeks.
-
Yeah, that hardware seems to have some gremlins inside. Exchange is a good idea.
-
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
-
@BlueCoffee said in Snort fails to install.:
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
The hardware you provided a link to appears fine for the job. Looks like maybe you just got unlucky and received a unit that should have failed the factory testing before it was stocked and shipped to a customer.
I am partial to Netgate hardware as purchasing that directly funds the continued development of pfSense CE.
But pretty much any Intel 64-bit CPU should work. If you want to use Snort, then you want the fastest CPU clock speed you can get. Snort is single-threaded, so that means no matter how many cores a CPU may have, Snort will only use one of them. In that scenario, faster clock speeds trump more cores (at least for Snort).
The IDS/IPS packages want either an SSD or an actual spinning disk for logging. They can log so much stuff that a smaller eMMC can wear out quickly. In terms of RAM, anything over 4 GB is sufficient. 8 GB would be more than enough for home use.
If you want to consider changing, Suricata is multithreaded and can efficiently use all the cores in the CPU.
-
I've gone with the same one, getting it tomorrow. Hopefully all's well with this one.
Are you the guy who made snort? I remember reading some stuff many years ago with that avatar you have.
Also can't believe I've been ruining it wrong all these years.
-
@BlueCoffee said in Snort fails to install.:
Are you the guy who made snort? I remember reading some stuff many years ago with that avatar you have.
Also can't believe I've been ruining it wrong all these years.
I did not create the original pfSense package, but I did eventually take over maintenance of it many years ago. I have been responsible for the updates to it for many years. I did create the Suricata package on pfSense.
And no, you have not been "ruining Snort" by running it on the WAN. It's just that the LAN turns out to be better. Don't despair, the very first time I installed the package many, many years ago I chose the WAN as well. But later, as I learned more about how the internal plumbing of FreeBSD and pfSense worked, I realized that putting it on the WAN makes it busy scanning Internet "noise" that the default firewall rules on the WAN are going to drop anyway. Snort (or Suricata) when running on the WAN sees inbound traffic before the firewall does. So, the firewall rules have not yet acted to clean up and filter out the noise. But when running on the LAN, the WAN firewall rules have already eliminated the noise. And of course there is the annoyance of all the local IP addresses being masked behind the NAT operation of the firewall engine. That means all local hosts show up in any alerts as having your public WAN IP. That makes it hard to track a problem to an individual local host on your LAN. Running on an internal interface eliminates these disadvantages and does not impact security. All the WAN traffic still must come and go through the Snort instance on the LAN interface in order to reach any of the hosts on the LAN.
-
@bmeeks I meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata, is it similar to Snort?
-
@BlueCoffee said in Snort fails to install.:
@bmeeks I meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata, is it similar to Snort?
Suricata is also an IDS/IPS like Snort. It is much newer and was created by a consortium originally sponsored by Emerging Threats. Emerging Threats was purchased and absorbed into Proofpoint a few years ago.
Here is the Suricata official website: https://suricata.io/.
Snort on pfSense is currently running the older 2.9.x branch which is single-threaded. There is a new Snort3 branch that is multithreaded, but there is currently no plan to port that to pfSense. I tried twice, and there were just too many changes required and porting over an existing install was almost impossible. So, I gave up on a Snort3 package. Someone else in the future may decide to create one, but I'm not interested. I had rather continue support for Suricata. At some point in the future, the upstream Snort/Cisco folks will discontinue the Snort 2.9.x branch. At that point, unless someone has created a Snort3 package for pfSense, then Suricata will be the only IDS/IPS option on pfSense. However, a case can certainly be made that without MITM (man-in-the-middle) breaking of the encryption prevalent in all of modern network traffic, IDS/IPS software on any host but an endpoint is becoming almost useless. At least that's true in terms of payload inspection. Sure the IDS can examine headers for now, but even there moves are afoot to encrypt them as well.
Suricata offers many advantages over Snort. Chief among them is more detailed logging. You can find discussions of both Snort and Suricata in the IDS/IPS forum here on the Netgate forums site. At the moment the only shortcoming of Suricata is that it lacks an equivalent of OpenAppID.
-
Thanks again bmeeks for the information, I'll have a read on the site.
I do have one quick question: is it safe to use? No spying from the owners etc.
-
@BlueCoffee said in Snort fails to install.:
I do have one quick question: is it safe to use? No spying from the owners etc.
Of course! It is fully open source software, and it is used by many corporations and individuals around the world.
-
Got the new box and all is well, guess the other one was bad. I've installed Suricata (looks a lot like Snort). Would you set this up on LAN also? Do you know where I can read more about the setup? Don't want to not have it set correctly this time around.
-
@BlueCoffee said in Snort fails to install.:
Got the new box and all is well, guess the other one was bad. I've installed Suricata (looks a lot like Snort). Would you set this up on LAN also? Do you know where I can read more about the setup? Don't want to not have it set correctly this time around.
You can find several Sticky Posts at the top of the IDS/IPS sub-forum here: https://forum.netgate.com/category/53/ids-ips.
As with Snort, I recommend putting Suricata only on internal interfaces (LAN, DMZ, etc.). The only time I would veer from this approach is on a box with very limited RAM and/or CPU horsepower and I had a fairly large rule set enabled. That might be a point where you conserve RAM and CPU by just putting a single instance on the WAN instead of several instances on internal interfaces. But you will have the limitations I mentioned in my earlier post. Best practice would dictate that the different interfaces on a firewall likely will need different IDS/IPS rules enabled. Rules should be tailored to the unique vulnerabilities and threats present on the protected network. So, in that scenario, individual IDS/IPS instances on internal interfaces works better (if you have the necessary RAM and CPU power).
As you noticed, Suricata and Snort have an almost identical GUI. That's because a ton of the Suricata PHP GUI code was a copy and paste from the Snort GUI.
Any basic set up instructions you find for Snort on pfSense will also apply to Suricata on pfSense. One key difference is that Suricata does not use Preprocessors in the way that Snort does. Suricata just works differently internally. The preprocessors were a way for Snort to add new features over the years. Suricata accomplishes that a bit differently internally, so no need for specific preprocessors. There are settings similar to the Snort preprocessor settings under the FLOW/STREAM and APP PARSERS tabs in Suricata.
A big difference in the packages is the rich EVE.JSON logging system in Suricata. Initially EVE.JSON logging is disabled causing Suricata to log essentially the same way as Snort did. But if you enable EVE.JSON logging for an interface, you can capture a lot of data about network traffic and of course any alerts. Suricata can log a lot of data with EVE.JSON logging and many of the options underneath that feature enabled. Just be sure you go to the LOGS MGMT tab and enable automatic log management. The defaults you find there should be fine for an initial install.
Here is a link to the official documentation: https://docs.suricata.io/en/suricata-6.0.13/.
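Two points from the replies above can be checked directly once EVE.JSON logging is on: alerts from a WAN-side instance carry the firewall's public address on the inside of the conversation, so they cannot be attributed to an internal host, while a LAN-side instance sees the real pre-NAT address. The following reader for eve.json is an added example, not code from the Suricata project or the pfSense package. It uses the real EVE field names (event_type, in_iface, src_ip, dest_ip, alert.signature_id, alert.signature, alert.severity), skips the non-alert record types that share the same file, and tolerates the partially written last line you get when reading a log Suricata is still appending to. The sample lines are constructed: the interface names igb0/igb1, the signature IDs and the addresses are made up, with 192.168.1.0/24 standing in for the LAN and 198.51.100.200 for the firewall's public WAN address.

```python
"""Summarise Suricata EVE JSON alerts by signature and by internal host."""
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed eve.json lines, not taken from the page or from a real sensor.
# The last line is deliberately truncated, as a live log's tail often is.
SAMPLE_EVE = """\
{"timestamp":"2023-08-24T14:51:02.000000+0100","flow_id":11,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.20","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED outbound policy test","category":"Policy","severity":3}}
{"timestamp":"2023-08-24T14:51:03.000000+0100","flow_id":12,"in_iface":"igb1","event_type":"alert","src_ip":"198.51.100.9","src_port":443,"dest_ip":"192.168.1.31","dest_port":50001,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED malware callback response","category":"Malware","severity":1}}
{"timestamp":"2023-08-24T14:51:04.000000+0100","flow_id":13,"in_iface":"igb1","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.7","proto":"TCP"}
{"timestamp":"2023-08-24T14:51:05.000000+0100","flow_id":14,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.31","src_port":50002,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED malware callback response","category":"Malware","severity":1}}
{"timestamp":"2023-08-24T14:51:06.000000+0100","flow_id":15,"in_iface":"igb0","event_type":"alert","src_ip":"203.0.113.50","src_port":40000,"dest_ip":"198.51.100.200","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"CONSTRUCTED inbound scan","category":"Scan","severity":2}}
{"timestamp":"2023-08-24T14:51:07.000000+0100","flow_id":16,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.20","src_port":51240,"dest_ip":"203.0
"""

# RFC 1918 ranges; adjust to the prefixes actually behind the firewall.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def parse_alert(line: str) -> Optional[dict]:
    """Return the record if this eve.json line is a well-formed alert, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # partial trailing line while Suricata is still writing it
    if rec.get("event_type") != "alert" or "alert" not in rec:
        return None  # flow, dns, http, tls ... records share the same file
    return rec


def local_host(rec: dict) -> Optional[str]:
    """The internal endpoint of the alert, or None if neither side is RFC 1918.

    A WAN-side instance logs the firewall's public address instead of the
    LAN host, so its alerts come back as None here."""
    for key in ("src_ip", "dest_ip"):
        if is_local(rec[key]):
            return rec[key]
    return None


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    by_sig: Counter = Counter()
    by_host: Counter = Counter()
    alerts = skipped = unattributed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
            continue
        alerts += 1
        a = rec["alert"]
        by_sig[(a["signature_id"], a["signature"])] += 1
        host = local_host(rec)
        if host is None:
            unattributed += 1
        else:
            by_host[host] += 1
    return {"alerts": alerts, "skipped": skipped, "unattributed": unattributed,
            "by_signature": by_sig, "by_host": by_host}


def top_hosts(summary: Dict[str, object], n: int = 5) -> List[Tuple[str, int]]:
    """Internal hosts with the most alerts, the view a LAN-side instance gives you."""
    return summary["by_host"].most_common(n)  # type: ignore[union-attr]


if __name__ == "__main__":
    s = summarize(SAMPLE_EVE.splitlines())
    print(f"{s['alerts']} alerts, {s['skipped']} non-alert/partial lines skipped, "
          f"{s['unattributed']} alerts with no internal host")
    for host, count in top_hosts(s):
        print(f"  {host}: {count}")
```

On the sample, 192.168.1.31 surfaces as the host behind both malware-callback alerts, while the one alert from the igb0 (WAN-side) instance has no internal host at all. On a real box point this at the interface's eve.json under the Suricata log directory, and keep the LOGS MGMT rotation enabled as advised above, because that file grows quickly with the extra EVE record types switched on.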