Snort-dev has been released. old snort has been renamed snort-old



  • Post issues if you find any.  ;D

    1: IE 8 stalls when downloading rules.

    2: /var/run/snort needs a cron job to watch the size and delete if it gets full.

    Snort-dev has been released. old snort has been renamed snort-old.

    TODO: for next release

    Add user suggested improvements.
    Test snort on all major browsers and OSes and adjust code.
    Add a cron job to remove /var/log/snort when it gets too full.
    Add IP spoofing tab.
    Add threshold tab.
    Add user upload tab.
    Add nanobsd code.

    James



  • Thanks James for your work.

    More power.



  • Jamesdean, thanks for all your support and work on this snort. You are awesome!!



  • Thank you James! Great work! Running 1.19 on 1.2.3-RELEASE in a HA config with no issues other than a little threshold tuning. GUI looks great and everything works like it should. Thank you again!



  • @jamesdean:

    1: IE 8 stalls when downloading rules.

    More feedback - my IE8 D/L issue might be isolated. I had another setup successfully work controlled by IE8.



  • Thanks for all your help JamesDean!  I will say that I am still having Snort issues, but I'm going to have to do another clean 1.2.3 install and see what happens.  I've loved using Snort, so I hope I can continue to.



  • Sweet! Thanks for all the great work on this package! I just installed the new version, however I don't see where you can add additional config options. It used to have a GUI section for custom options that would add <configpassthru> and <snortbarnyardlog_database>.

    LiGHT



  • Hmm…  I'm also missing the rule editor. Is this in the new version as well? Perhaps my install went bad at some point.

    LiGHT



  • Never mind my previous posts, I went into my /cf/conf/config.xml and removed all traces of the snort package, reinstalled and everything is looking NICE! Good job on this package folks!

    LiGHT



  • Bad day so far.  I thought this would be an easy install from the last dev to the release.  I uninstalled the last dev release and rebooted (I always like a clean boot).  Then pfsense (1.2.3) failed to respond.  I am guessing squid/squidguard, although I did notice the webconfigurator failed to start.
    I could not browse into the pfsense box, but I could ssh in.
    I needed it back in a hurry and after 30 minutes I could not figure it out.  So fresh install and restore and I am back up and running.  Maybe the next machine I'll skip the reboot process :)
      Just my warning….



  • tester_02

    It might've been easier to just reinstall the upgrade from ssh so you didn't have to reconfigure. This happened to me a little bit ago, but wasn't snort related.

    -J



  • I remember some posts on how to do it, but I could not get on the net easily and browse here to find the commands to do it.  It was easier to install and import config than to get on the net to find out how.  freebsd newb here.

    Got a new reinstall down to 1/2 hour with everything back to normal.  Good thing I've remembered to export any changes :)



  • Hi JamesDean,
    I just did an upgrade from what was "old-Snort" to the latest version.
    Somewhere during the upgrade I got this error:

    Fatal error: Cannot redeclare sync_package_snort_reinstall() (previously declared in /usr/local/pkg/snort.inc:46) in /usr/local/pkg/snort/snort.inc on line 323

    The upgrade froze, so I did the upgrade again and it seemed to install ok.

    I need to set Snort up again at this point so I do not have any useful feedback yet,
    but I do have a GUI issue. See screenshot.
    Thanks for your help

    running PF 1.2.3 FULL
    tested on FF3.6.2 and IE 8

    ![4-1-2010 10-11-57 PM.png](/public/imported_attachments/1/4-1-2010 10-11-57 PM.png)
    ![4-1-2010 10-12-57 PM.png](/public/imported_attachments/1/4-1-2010 10-12-57 PM.png)



  • Just tried to run the update manually and it seems to be stuck on the clean up process.

    When checking the logs, I see this twice:
    snort[45846]: Could not remove pid file /var/run//snort_em19121_em1.pid: Permission denied

    I'm guessing this has something to do with the snort account permissions on the files/folder? Unfortunately, I'm still fairly new to using the CLI on FreeBSD and Linux, etc and not sure how to fix this.



  • @tester_02:

    Bad day so far.  I thought this would be an easy install from the last dev to the release.  I uninstalled the last dev release and rebooted (I always like a clean boot).  Then pfsense (1.2.3) failed to respond.  I am guessing squid/squidguard, although I did notice the webconfigurator failed to start.
    I could not browse into the pfsense box, but I could ssh in.
    I needed it back in a hurry and after 30 minutes I could not figure it out.  So fresh install and restore and I am back up and running.  Maybe the next machine I'll skip the reboot process :)
      Just my warning….

    I have the same problem!! Fresh install :)



  • @netmethods:

    Just tried to run the update manually and it seems to be stuck on the clean up process.

    When checking the logs, I see this twice:
    snort[45846]: Could not remove pid file /var/run//snort_em19121_em1.pid: Permission denied

    I'm guessing this has something to do with the snort account permissions on the files/folder? Unfortunately, I'm still fairly new to using the CLI on FreeBSD and Linux, etc and not sure how to fix this.

    On low end systems cleanup may take a few minutes.
    "snort_em19121_em1.pid" has nothing to do with updates.

    I'll review the code but it's working for me on Firefox.

    Maybe it's an IE thing I have to work out.

    Are you on nanobsd ?

    What browser and pfsense version are you using ?

    james



  • @simby:

    @tester_02:

    Bad day so far.  I thought this would be an easy install from the last dev to the release.  I uninstalled the last dev release and rebooted (I always like a clean boot).  Then pfsense (1.2.3) failed to respond.  I am guessing squid/squidguard, although I did notice the webconfigurator failed to start.
    I could not browse into the pfsense box, but I could ssh in.
    I needed it back in a hurry and after 30 minutes I could not figure it out.  So fresh install and restore and I am back up and running.  Maybe the next machine I'll skip the reboot process :)
     Just my warning….

    I have the same problem!! Fresh install :)

    I think I know what's wrong. I am uninstalling mysql and perl. I'll fix it in a bit.

    James



  • Anyone else missing the rules category Tab?… All other Tabs are there, including rules update, and downloaded rules went ok.
    Ver. 2.8.5.3 pkg v. 1.19



  • @ColdFusion:

    Anyone else missing the rules category Tab?… All other Tabs are there, including rules update, and downloaded rules went ok.
    Ver. 2.8.5.3 pkg v. 1.19

    This is the first time I am using the new package, so I am not sure if it should be somewhere else…
    But I do have a category tab on the interface.



  • @vito:

    @ColdFusion:

    Anyone else missing the rules category Tab?… All other Tabs are there, including rules update, and downloaded rules went ok.
    Ver. 2.8.5.3 pkg v. 1.19

    This is the first time I am using the new package, so I am not sure if it should be somewhere else…
    But I do have a category tab on the interface.

    @anyone having troubles with the new package
    Tracked the problems to the old-snort.
    Seems old-snort is not uninstalling completely and is conflicting with the new install.
    Do a fresh install, sorry I didn't see this coming.

    James



  • RE:

    On low end systems cleanup may take a few minutes.
    "snort_em19121_em1.pid" has nothing to do with updates.

    I'll review the code but its working for me on firefox.

    Maybe its a IE thing I have to workout.

    Are you on nanobsd ?

    What browser and pfsense version are you using ?

    james

    It's not a low end system, quad core, 4gb, etc. I'm using the latest version firefox (although I might've been on my mac at the time) with 1.2.3-RELEASE (not nanobsd). I refreshed the browser and everything looks ok. Restarted snort and it came up ok. Looks like it's running ok, so probably nothing.



  • I found two issues after performing a fresh install of 1.2.3-Release.   First, logging to the mysql database does not look to be functioning properly. The configuration looks to be going into place but I never see any connection attempts to the mysql server.

    Syslog output from barnyard2:

    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: host = 10.1.1.5
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: host = 10.1.1.5
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: ===============================================================================
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: ===============================================================================
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: user = snort
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: user = snort
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: Record Totals:
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: Record Totals:
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: database name = snort
    resistance.quantum.local daemon 10:42:27 barnyard2 barnyard2[41812]: database: database name = snort

    I ran a tcpdump at the time of snort starting up and I see it make an initial connection to the mysql server. I took a look at the database and it updates its sensor name and interface info, however when alerts are generated by snort there are no updates sent to the database.

    Second, this is a minor issue, in the system.log everything from snort and barnyard2 is logging twice at startup, as you can see above. I think the old version may have done this too.

    Another feature that I liked in the old version was the ability to add in custom commands. In my syslogs I liked snort alerts to show up as warnings ie. <configpassthru>output alert_syslog: log_warning</configpassthru> (by default they are sent as alert).

    LiGHT



  • James, when you have time,

    I tried to define some servers and on saving I get the following error

    snort release, pf 2.0 April 3, Windows 7, FF3.6.3

    Warning: touch(): Unable to create file because No such file or directory in /usr/local/www/snort/snort_define_servers.php on line 215
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 217
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 218
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 219
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 220
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 221
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 224



  • @jamesdean:

    @anyone having troubles with the new package
    Tracked the problems to the old-snort.
    Seems old-snort is not uninstalling completely and is conflicting with the new install.
    Do a fresh install, sorry I didn't see this coming.

    James

    Hi and thanks for your great work with Snort.

    Is there any way of doing this without doing a full fresh install of pfSense? I am using the 1.2.3 release of pfSense, and am stuck with Snort 2.8.4.1_5 pkg v. 1.7. The new version just won't start (conflicting with the old-snort leftovers).



  • Does this new version of snort work in pfSense 2.0 beta? I would like to test it, but the last time I did that I could not get snort to run at all.



  • Hello jamesdean,

    First of all thank you for your great job,

    I have installed the new snort package with success. I did all my conf and update, and now the LAN interface is working well, but when I started my WAN interface I received the following errors in the system logs:

    Apr 5 09:34:32 SnortStartup[9193]: Interface Rule START for 0_39767_ng0…
    Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
    Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
    Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"
    Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"

    any idea?

    regards



  • my pf version is 1.2.3 stable



  • Probably wrong thread but I am in a big hurry. Just tried to add some defined servers after reinstalling to the newest snort on 1.2.3 release.

    Warning: touch(): Unable to create file because No such file or directory in /usr/local/www/snort/snort_define_servers.php on line 215
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 217
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 218
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 219
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 220
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 221
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/snort/snort_define_servers.php:215) in /usr/local/www/snort/snort_define_servers.php on line 224

    Just an fyi

    Looks like it is holding its settings though….  Also is it normal for Dashboard and Status:Services to say the service is stopped even though on the Snort Interfaces Panel I get a green arrow?



  • Nope, not working.

    Uninstalled and reinstalled, will try more later…

    Apr 5 09:41:56	SnortStartup[1633]: Interface Rule START for 0_65478_vlan0...
    Apr 5 09:41:56	snort[1631]: FATAL ERROR: Invalid pidfile suffix: 65478_vlan0\. Suffix must less than 11 characters and not have ".." or "/" in the name.
    Apr 5 09:41:56	snort[1631]: FATAL ERROR: Invalid pidfile suffix: 65478_vlan0\. Suffix must less than 11 characters and not have ".." or "/" in the name.
    Apr 5 09:41:56	SnortStartup[1561]: Toggle for 65478_vlan0...
    Apr 5 09:41:23	SnortStartup[1160]: Error: snort.sh IS running
    Apr 5 09:38:32	kernel: msk0: watchdog timeout (missed Tx interrupts) -- recovering
    Apr 5 09:25:50	php: /pkg_mgr_install.php: Beginning package installation for snort.
    Apr 5 09:24:36	php: /pkg_mgr_install.php: cd /var/db/pkg && pkg_delete ls | grep snort
    Apr 5 09:24:36	php: /pkg_mgr_install.php: cd /var/db/pkg && pkg_delete ls | grep
    Apr 5 09:22:35	php: /pkg_mgr_install.php: Beginning package installation for snort.
    Apr 5 08:59:04	dnsmasq[908]: reading /var/dhcpd/var/db/dhcpd.leases
    Apr 5 08:46:42	dnsmasq[908]: reading /var/dhcpd/var/db/dhcpd.leases
    Apr 5 08:46:12	SnortStartup[49241]: Error: snort.sh IS running
    Apr 5 08:11:09	php: /pkg_mgr_install.php: Beginning package installation for snort.
    Apr 5 08:06:42	php: /pkg_mgr_install.php: Beginning package installation for snort.
    Apr 5 08:05:56	snort[2149]: Snort exiting
    Apr 5 08:05:56	snort[2149]: Snort exiting
    


  • Hi Jamesdean,

    Thanks for the snort package! I had the old package working well for several months until recently when the rules changed.

    With the new release I'm having trouble running snort on VLAN interfaces. It seems that when snort starts it is complaining that the pid file identifier is too long:

    snort[<pid>]: FATAL ERROR: Invalid pidfile suffix: 31477_vlan3.  Suffix must less than 11 characters and not have ".." or "/" in the name.

    Two of these messages appear in the system.log upon attempting to start snort on the vlan interface. The normal interfaces, like le0, start without issue.

    I tried hacking the "if_real" value in the php code to truncate the name, as in the following:

    $if_real = substr($if_real, 0, 1) . substr($if_real, -2);

    While this did work, sort of, it was a bit of a mess that would eventually require similar changes to many files. I think another variable is needed, one for the pid file alone, and the interface variable would then stay the same (as if_real).

    I'd be happy to take a shot at implementing the fix if this idea makes sense. It appears that both the files under /usr/local/www/snort and /usr/local/pkg/snort may need to be modified.

    In particular the "-R" parameter to snort needs to be corrected, and the "pidfile" value needs to be corrected where it is queried.
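
    The suffix rule in the FATAL ERROR quoted above is Snort's own: the value given with -R must be shorter than 11 characters and contain neither ".." nor "/". The shell functions below are an added example, not code from the pfSense snort package or from dpg2's post. They derive a suffix the way the truncation suggested in this thread does (rule uuid, underscore, first character of the interface name plus its last two), check the result against that rule, and check that a set of instances ends up with distinct suffixes. The function names are this example's own, and the uuid/interface pairs used as input are constructed from values quoted earlier in the thread.

```sh
#!/bin/sh
# Added example, not part of the pfSense snort package: derive the pidfile
# suffix the way the vlan patch in this thread does and check it against the
# limit Snort enforces for -R (shorter than 11 characters, no ".." or "/").

# snort_pid_suffix UUID IFNAME -> prints "<uuid>_<first char><last two chars>"
snort_pid_suffix() {
    uuid=$1
    ifname=$2
    first=${ifname%"${ifname#?}"}      # first character of the interface name
    last2=${ifname#"${ifname%??}"}     # last two characters of the interface name
    printf '%s_%s%s\n' "$uuid" "$first" "$last2"
}

# check_pid_suffix SUFFIX -> returns 0 if Snort would accept it, 1 otherwise
check_pid_suffix() {
    suffix=$1
    [ "${#suffix}" -lt 11 ] || return 1
    case $suffix in
        *..*|*/*) return 1 ;;
    esac
    return 0
}

# check_instances: reads "uuid ifname" lines on stdin (one per snort
# instance) and prints "OK|INVALID|DUPLICATE uuid ifname suffix" for each.
# Returns 1 if any suffix is invalid or not unique across the set.
check_instances() {
    seen=" "
    rc=0
    while read -r uuid ifname _; do
        [ -n "$uuid" ] || continue
        s=$(snort_pid_suffix "$uuid" "$ifname")
        if ! check_pid_suffix "$s"; then
            printf 'INVALID %s %s %s\n' "$uuid" "$ifname" "$s"
            rc=1
            continue
        fi
        case $seen in
            *" $s "*)
                printf 'DUPLICATE %s %s %s\n' "$uuid" "$ifname" "$s"
                rc=1
                continue ;;
        esac
        seen="$seen$s "
        printf 'OK %s %s %s\n' "$uuid" "$ifname" "$s"
    done
    return $rc
}

# Demo on a constructed instance list (uuids and interfaces taken from the
# log lines quoted in this thread): run as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' '65478 vlan0' '31477 vlan3' '19121 em1' | check_instances
fi
```

    The uuid prefix is what keeps the suffixes apart: the truncation alone maps `vlan10` and `vlan110` to the same three characters, and `check_instances` reports that as DUPLICATE should two instances ever share a uuid. `65478_vlan0` is exactly 11 characters, which is why the untruncated name is rejected.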



  • Hi,

    I am having the same problem when trying to put the new snort package to listen on VLAN interfaces.

    I tried to find some configuration file where i can change the pidfile suffix but with no success… Is there any way to change the pidfile suffix?

    I am available to do some tests with development packages or to follow some instructions provided by you guys ;)

    Kind regards,
    David Negreira.
    @dpg2:

    Hi Jamesdean,

    Thanks for the snort package! I had the old package working well for several months until recently when the rules changed.

    With the new release I'm having trouble running snort on VLAN interfaces. It seems that when snort starts it is complaining that the pid file identifier is too long:

    snort[<pid>]: FATAL ERROR: Invalid pidfile suffix: 31477_vlan3.  Suffix must less than 11 characters and not have ".." or "/" in the name.

    Two of these messages appear in the system.log upon attempting to start snort on the vlan interface. The normal interfaces, like le0, start without issue.

    I tried hacking the "if_real" value in the php code to truncate the name, as in the following:

    $if_real = substr($if_real, 0, 1) . substr($if_real, -2);

    While this did work, sort of, it was a bit of a mess that would eventually require similar changes to many files. I think another variable is needed, one for the pid file alone, and the interface variable would then stay the same (as if_real).

    I'd be happy to take a shot at implementing the fix if this idea makes sense. It appears that both the files under /usr/local/www/snort and /usr/local/pkg/snort may need to be modified.

    In particular the "-R" parameter to snort needs to be corrected, and the "pidfile" value needs to be corrected where it is queried.



  • I will say that Snort-dev does not work in the latest pfsense. It uninstalls itself and it will not block a thing in pfsense 2.0, so I am back using old snort. Either fix the new snort or take it off the packages list because it does not work. :-[



  • Nice attitude cdx304….

    Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPN's, etc and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well. (which did not work for us) The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.
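
    Deleting the whole /var/run/snort directory is the blunt version of the cleanup described above. As an added example (not part of the pfSense snort package or of this post), the shell functions below list only the `snort_*.pid` files whose recorded PID is no longer running, using the `/var/run/snort_<suffix>.pid` naming seen in the "Could not remove pid file" log line earlier in this thread, so a live instance on another interface is left alone. The function names and the directory argument are this example's own; the pidfiles used in the test are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not part of the pfSense snort package: find /var/run/snort_*.pid
# files left behind by snort instances that are no longer running, so they can be
# removed before a reinstall. Run as root (as the pfSense webGUI does): for an
# unprivileged user kill -0 fails with EPERM on other users' processes and a live
# instance would be reported as stale.

# pid_alive PID -> returns 0 if PID is numeric and a process with it exists
pid_alive() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric content is not a PID
    esac
    kill -0 "$1" 2>/dev/null
}

# stale_snort_pidfiles [DIR] -> prints each snort_*.pid in DIR (default
# /var/run) whose recorded PID is not alive or whose content is not a PID.
# Returns 0 when nothing stale was found, 1 otherwise.
stale_snort_pidfiles() {
    dir=${1:-/var/run}
    rc=0
    for f in "$dir"/snort_*.pid; do
        [ -e "$f" ] || continue         # glob matched nothing
        pid=$(head -n 1 "$f" 2>/dev/null | tr -d '[:space:]')
        if ! pid_alive "$pid"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# remove_stale_snort_pidfiles [DIR] -> removes what stale_snort_pidfiles lists
remove_stale_snort_pidfiles() {
    stale_snort_pidfiles "$1" | while read -r f; do
        rm -f -- "$f"
    done
}

# Usage on a pfSense box (root): review first, then remove.
#   stale_snort_pidfiles /var/run
#   remove_stale_snort_pidfiles /var/run
```

    A pidfile that is empty or holds something other than a number is treated as stale as well, which is the state an interrupted start or the failed removal quoted earlier can leave behind.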



  • A patch for the vlan issue (I can comment on this more later tonight if that'd be helpful):

    *** snort.inc.install Tue Apr  6 18:44:12 2010
    –- snort.inc Tue Apr  6 20:39:18 2010


    *** 65,71 ****

    /* use ob_clean to clear output buffer, this code needs to be watched */
      ob_clean();
    ! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $1;}'", $retval);

    if ($snort_up_prell != "") {
      $snort_uph = 'yes';
    --- 65,73 ----

    /* use ob_clean to clear output buffer, this code needs to be watched */
      ob_clean();
    !
    ! $snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
    ! $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep "R {$snort_pidfile}" | awk '{print $1;}'", $retval);

    if ($snort_up_prell != "") {
      $snort_uph = 'yes';
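
    Review bot: the inner double quotes around the grep pattern on the new `$snort_up_prell` line are not escaped inside the PHP double-quoted string, so as posted the string ends at `grep "` and the file will not parse; it needs `grep \"R {$snort_pidfile}\"` (the repost of this patch later in the thread has the escapes). Also, `$snort_pidfile` is derived inline here and the same expression is needed again in Running_Start and Running_Stop; a one-line helper that takes `$snort_uuid` and `$if_real` keeps the copies from drifting.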


    *** 156,162 ****

    $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
      if ($snort_info_chk == 'on') {
    ! exec("/usr/local/bin/snort -u snort -g snort -R "{$snort_uuid}{$if_real}" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
      }
      /* define snortbarnyardlog_chk /
      /
    top will have trouble if the uuid is to far back */
    –- 158,165 ----

    $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
      if ($snort_info_chk == 'on') {
    ! $snort_pidfile = $snort_uuid . "" . substr($if_real, 0, 1) . substr($if_real, -2);
    ! exec("/usr/local/bin/snort -u snort -g snort -R "{$snort_pidfile}" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort
    {$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
      }
      /* define snortbarnyardlog_chk /
      /
    top will have trouble if the uuid is to far back */
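
    Review bot: the suffix built here, `$snort_uuid . "" . substr(...)`, omits the underscore that the check hunk above uses (`$snort_uuid . "_" . ...`), so Running_Start would launch snort with `-R 65478vn0` while RunningCk greps for `R 65478_vn0` and never sees the instance as running. Use the identical expression in both places. The `-c` path on the same exec line reads `snort{$snort_uuid}_...` rather than `snort_{$snort_uuid}_...`; since the unchanged line above it shows the same form this looks like paste damage, but confirm against the file, because a wrong directory here reproduces the "Unable to open rules file ... Not a directory" failure quoted earlier in the thread.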



  • @expert_az:

    I have installed new snort package with success,i did all my conf and update,now lan interface working well,but when i stared my wan interface i received following errors on system logs

    Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
    Apr 5 09:34:32 snort[9191]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf": Not a directory.
    Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"
    Apr 5 09:34:32 snort[9191]: Parsing Rules file "/usr/local/etc/snort/snort_39767_ng0/snort.conf"

    I had the same problem.  Your "FATAL ERROR" is trying to go to a non-existent directory ("snort_39767_ng0").  I got this same error, looked at the actual directory structure and found that my path to the snort.conf was "snort_xxxxx_sis0" (which IS the correct if for me) even though the IF Tab under Snort shows the if as "ng0".  A reboot will allow Snort to run correctly, but every time I try to stop & restart Snort I get this error.



  • @cdx304:

    I will say that Snort-dev does not work in the latest pfsense. It uninstalls itself and it will not block a thing in pfsense 2.0, so I am back using old snort. Either fix the new snort or take it off the packages list because it does not work. :-[

    I am running the 1st April snapshot of 2.0 beta with snort installed and I have 150 log alerts and over 400 blocked IPs! Must be something up with your config!

    Slam



  • Another try with the vlan patch; the last effort did not handle stopping with the revised $pidfile value properly. This patch now corrects the Startup (Running_Start), Stop (Running_Stop), and Check (RunningCk) functions of /usr/local/pkg/snort/snort.inc :

    
    *** snort.inc.install	Tue Apr  6 18:44:12 2010
    –- snort.inc	Wed Apr  7 00:23:17 2010
    ***************
    *** 65,71 ****
    
      	/* use ob_clean to clear output buffer, this code needs to be watched */
      	ob_clean();
    ! 	$snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'", $retval);
    
      	if ($snort_up_prell != "") {
      		$snort_uph = 'yes';
    --- 65,73 ----
    
      	/* use ob_clean to clear output buffer, this code needs to be watched */
      	ob_clean();
    ! 
    ! 	$snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
    ! 	$snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_pidfile}\" | awk '{print \$1;}'", $retval);
    
      	if ($snort_up_prell != "") {
      		$snort_uph = 'yes';
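
    Review bot: `substr($if_real, 0, 1) . substr($if_real, -2)` is repeated verbatim in RunningCk, Running_Stop and Running_Start in this patch; a single helper, e.g. `function snort_pidfile_suffix($snort_uuid, $if_real)`, keeps the three sites in step and gives one place to enforce Snort's limit (`strlen($suffix) < 11`, no `..` or `/`) before the value reaches the command line. With a five-digit uuid the result is nine characters, so the limit is met today, but nothing here checks it.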
    ***************
    *** 111,117 ****
      	function Running_Stop($snort_uuid, $if_real, $id) {
      		global $config;
    
    ! 	$start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'");
      	$start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
      	$start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
    
    --- 113,120 ----
      	function Running_Stop($snort_uuid, $if_real, $id) {
      		global $config;
    
    ! 	$snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
    ! 	$start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_pidfile}\" | awk '{print \$1;}'");
      	$start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
      	$start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'");
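
    Review bot: the two unchanged lines that follow the new grep interpolate `$start_up_pre` as a bare `grep {$start_up_pre}` over `top` output, so a PID such as 123 also matches 1234 or any memory figure containing 123 on another snort line; since the result is passed straight to `/bin/kill` below, match the PID column explicitly, e.g. `awk -v p="{$start_up_pre}" '$1 == p {print $1}'`, and skip the kill when `$start_up_pre` is empty.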
    
    ***************
    *** 124,130 ****
      			if ($start_up_s != "")
      			{
      				exec("/bin/kill {$start_up_s}");
    ! 				exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*");
      			}
    
      			if ($start2_upb_s != "")
    --- 127,133 ----
      			if ($start_up_s != "")
      			{
      				exec("/bin/kill {$start_up_s}");
    ! 				exec("/bin/rm /var/run/snort_{$snort_pidfile}*");
      			}
    
      			if ($start2_upb_s != "")
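
    Review bot: the pidfile is removed immediately after `kill` with no wait for the snort process to exit, so on a slow box the next Running_Start can run while the old instance is still shutting down (the "Error: snort.sh IS running" lines quoted earlier are consistent with that). Poll `kill -0` or the `top` check until the PID is gone before the `rm`, and use `rm -f` so a glob that matches nothing does not print to stderr.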
    ***************
    *** 136,142 ****
      			if ($start_up_r != "")
      			{
      				exec("/bin/kill {$start_up_r}");
    ! 				exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*");
      			}
    
      			if ($start2_upb_r != "")
    --- 139,145 ----
      			if ($start_up_r != "")
      			{
      				exec("/bin/kill {$start_up_r}");
    ! 				exec("/bin/rm /var/run/snort_{$snort_pidfile}*");
      			}
    
      			if ($start2_upb_r != "")
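
    Review bot: this block is a copy of the snort-user block above with `_r` substituted, so the kill-then-rm sequence now exists twice; factor it into one function taking the PID and the pidfile prefix. Note also that pidfiles written by a pre-patch instance keep the old `snort_{$snort_uuid}_{$if_real}` name and are never matched by the new `snort_{$snort_pidfile}*` pattern, so an upgrade from the unpatched package needs a one-off cleanup of `/var/run/snort_*` (as netmethods described).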
    ***************
    *** 156,162 ****
    
      		$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
      		if ($snort_info_chk == 'on') {
    ! 		exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}_{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
      		}
      		/* define snortbarnyardlog_chk */
      		/* top will have trouble if the uuid is to far back */
    –- 159,166 ----
    
      		$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
      		if ($snort_info_chk == 'on') {
    ! 		$snort_pidfile = $snort_uuid . "_" . substr($if_real, 0, 1) . substr($if_real, -2);
    ! 		exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_pidfile}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
      		}
      		/* define snortbarnyardlog_chk */
      		/* top will have trouble if the uuid is to far back */
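
    Review bot: the exec result and `$retval` of the snort start are not checked, so if the `-R` value ever exceeds Snort's limit again (a longer uuid or a different interface naming scheme) the FATAL ERROR only shows up in the system log while the GUI reports nothing. Capture `$retval` and log the failure. A short comment is also needed here to record that `-R` uses the truncated `$snort_pidfile` while the `-c` config directory keeps the full `{$snort_uuid}_{$if_real}` name, since RunningCk and Running_Stop now depend on knowing both.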
    
    


  • @netmethods:

    Nice attitude cdx304….

    Just so you know, 2.0 is still beta. Try out the stable version of pfSense (1.2.3) before blasting on someone that has been working hard to contribute to this project. We're running 1.2.3 in a HA config with several VLANs, VPN's, etc and snort is working for us. We also upgraded from 1.2.2 using the old version of snort as well. (which did not work for us) The only thing we had to do was delete the /var/run/snort directory, which had a bunch of crap from the old install.

    Well, every time you guys try to fix it snort just gets worse. Don't say that it works in cases either, because it does not. It uninstalls itself after saying there are dependencies missing and you can enable everything. The hardware is a quad-core 3.4GHz CPU with 12 gigs of RAM and 2 gigabit network cards and 2 SATA 500gig drives in RAID 0.



  • Thank you to all that have been patient with the move from snort-dev to snort. Sorry, it has been painful, but I've been busy with work and had no time to fix bugs.
    I promise once we get past this bump, changes this big will be a rare thing.

    For those who are demanding me to fix snort, be patient. Let me explain why snort is so hard to maintain. First, for every new version of snort I have to rewrite in C++
    the orion IPS code in snort to fit an ever changing API. Second, if we don't use the newest snort version rules may break. Third, snort.org changes snort.conf
    with every version so I have to adjust for that or snort will break. Fourth, from time to time snort.org changes the way rules get downloaded and snort breaks.
    Fifth, I had to recode snort from php 4 to php 5, but another dev did this, thank you. If you don't like what I am doing you are welcome to help code. If not, be patient and be constructive and remember
    I do this for our community without pay.

    Let's do the release again, man, this week has been rough. snort package 1.20

    Fixed pid with vlan issue, hopefully

    Snort reinstalling:
    I added post install code to deinstall any old-snort entries in config.xml, fixed hopefully.

    Pfsense nano.
    I install snort package and every thing seems fine.

    James



  • Any chance of a workaround for deinstalling the old snort properly?  My pfsense 1.2.3 release died when I uninstalled it and rebooted.  A fresh install was my only way to get it back.  I have a friend who I helped install pfsense on, and I am scared to update snort for him.
    You mentioned that there is a problem with the old snort not properly uninstalling.  Any chance of a script that will properly uninstall, so that we can put the new one on?

    Jamesdean Please keep up the good work.  The new version is working great for me, and all the rules are working.  I think some people forget that there is always a need for someone to keep these packages updated and running, or they stop working as the main authors update their work (snort, squid, etc).

    Hey CDX.  You may not have noticed but the old snort stopped working a few weeks ago with a rules update from snort.org.  You could get it back running, but with many rules disabled.

