Snort Problems Snap 1-3-2011

vito

Updated to 1/3 snap and snort GUI components are not working

1. Snort had to be reinstalled after upgrade
2. after snort was reinstalled, the gui is not working when selected from menu
   https://.../snort/snort_interfaces.php

FF Error:
Content Encoding Error
The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

PF full install i386

JSmorada

same problem here.

gpapaiko

Hi,

Just tried to install snort on 2.0-BETA5 ( updated on 05/01/2011) and it fails.
Any ideas.

below is the package installation log

Installation of snort FAILED!
Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
  Downloading http://www.pfsense.com/packages/config/snort/bin/8.1x64/mysql-client-5.1.53.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-    release/All/mysql-client-5.1.53.tbz.
of mysql-client-5.1.53 failed!

Installation aborted.Backing up libraries...
Removing package...
Skipping package deletion for pcre-8.10 because it is required by other packages.
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for snort-2.8.6.1...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

vito

Different problem…see threads below
http://forum.pfsense.org/index.php/topic,30833.0.html
http://forum.pfsense.org/index.php/topic,31058.msg160687.html#msg160687

@gpapaiko:

Hi,

Just tried to install snort on 2.0-BETA5 ( updated on 05/01/2011) and it fails.
Any ideas.

below is the package installation log

Installation of snort FAILED!
Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
  Downloading http://www.pfsense.com/packages/config/snort/bin/8.1x64/mysql-client-5.1.53.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-    release/All/mysql-client-5.1.53.tbz.
of mysql-client-5.1.53 failed!

Installation aborted.Backing up libraries...
Removing package...
Skipping package deletion for pcre-8.10 because it is required by other packages.
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for snort-2.8.6.1...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

JSmorada

I just installed the latest snapshot and the content encoding error persists. Also, the Snort package won't start. The system log shows:

Jan 5 09:20:29 SnortStartup[29475]: Snort HARD Reload For 58373_fxp1…
Jan 5 09:20:29 snort[24719]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_58373_fxp1//usr/local/etc/snort/snort_58373_fxp1/rules/snort_attack-responses.rules": No such file or directory.
Jan 5 09:20:29 snort[24719]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_58373_fxp1//usr/local/etc/snort/snort_58373_fxp1/rules/snort_attack-responses.rules": No such file or directory.

Is anyone even working on this issue?

vito

@nipstech:

I just installed the latest snapshot and the content encoding error persists. Also, the Snort package won't start. The system log shows:

Jan 5 09:20:29 SnortStartup[29475]: Snort HARD Reload For 58373_fxp1…
Jan 5 09:20:29 snort[24719]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_58373_fxp1//usr/local/etc/snort/snort_58373_fxp1/rules/snort_attack-responses.rules": No such file or directory.
Jan 5 09:20:29 snort[24719]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_58373_fxp1//usr/local/etc/snort/snort_58373_fxp1/rules/snort_attack-responses.rules": No such file or directory.

Is anyone even working on this issue?

Those errors most of the time indicate your rules need to be downloaded.
Try to force a rules update.
On a different note, with the latest snap can you see the gui?

JSmorada

I'm using the latest snapshot and the gui shows an "encoding error" (different issue) so I can't even get to the update tab to force an update.

vito

@nipstech:

I'm using the latest snapshot and the gui shows an "encoding error" (different issue) so I can't even get to the update tab to force an update.

this thread was started for the gui not showing up in the latest snaps….  ;)
When the issue is resolved, try the update. It seems after a snort package update the rules need to be re-downloaded. Some rules may have been changed/removed and you need to adjust your settings.
If this is not the case, i recommend starting a new thread. (again, when you can see the gui) :)

Wolfsokin

as a temporary work around until this is fixed, I opened my config.xml and in the menu section I changed the url for snort from snort_interfaces.php to snort_alerts.php and rebooted. snort_interfaces.php is the only file that this seems to be effecting. Once you actually get into the snort pages, all links work except snort_interfaces.php

JSmorada

It worked, thanks!

Hopefully the issue will be fixed soon…Jon

louis-m

confirmed but it's a problem if you can't get into the interfaces to set one up.

JSmorada

True…At least the rules can update. I installed the short dashboard widget and I'm not seeing any alerts though, so I assume that none of them are enabled.

Wolfsokin

@louis-m:

confirmed but it's a problem if you can't get into the interfaces to set one up.

If you don't already have an interface set up or don't have a backup to restore one from, you can use the snort_interfaces_edit.php page to add one.

JSmorada

I just looked at the syslog and snort is working. The dashboard widget is what isn't working.

JSmorada

I can edit the interface settings now but still cannot access the interface tab; getting the same content encoding error. It's been about a week since this problem started but it seems like forever and every time I update to a new snapshot I have to spend a lot of time making sure everything is working… getting old but actually worth the time. The price you pay when using a beta version :'(

Wolfsokin

The second snap for today (Mon Jan 10 13:14:45 EST 2011) allows me to see snort_interfaces.php again and all seems to be working as it should.