Snort Won't Start After Upgrade

Cino

@ermal:

Can you show me hte generated snort conf?

Here you go:

#!/bin/sh
########
# This file was automatically generated
# by the pfSense service handler.
# Code added to protect from double starts on pfSense bootup
######## Begining of Main snort.sh

rc_start() {

	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then

		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0

	fi

	/bin/echo "snort.sh run" > /tmp/snort.sh.pid

	#### Remake the configs on boot Important!
	/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..."

###### For Each Iface

#### Fake start only used on bootup and Pfsense IP changes
#### Only try to restart if snort is running on Iface
if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" != "" ]; then

	snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`"
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"

	#### Restart Iface
	/bin/kill -HUP ${snort_pid}
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For 39737_..."

fi

	/bin/rm /tmp/snort.sh.pid

	#### If on Fake start snort is NOT running DO a real start.
	if [ "`/bin/ps -auwx | grep -v grep | grep "R 39737" | awk '{print $2;}'`" = "" ]; then

		rc_start_real

	fi
}

rc_start_real() {

	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0
	fi

	###### For Each Iface

# If Snort proc is NOT running
if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" = "" ]; then

	/bin/echo "snort.sh run" > /tmp/snort.sh.pid

	# Start snort and barnyard2
	/bin/rm /var/run/snort_39737_.pid
	/bin/rm /var/run/snort_39737_.pid.lck

	/usr/local/bin/snort -u snort -g snort -R 39737 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 39737 -c /usr/local/etc/snort/snort_39737_/snort.conf -i 

	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For 39737_..."

fi

	/bin/rm /tmp/snort.sh.pid

}

rc_stop() {

	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0
	fi

pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`
sleep 3
pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_39737_.u2" | /usr/bin/awk '{print $2;}'`

if [ ${pid_s} ] ; then

	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For 39737_..."

	/bin/kill ${pid_s}
	sleep 3
	/bin/kill ${pid_b}

	/bin/rm /var/run/snort_39737_.pid.lck
	/bin/rm /var/run/snort_39737_.pid

fi

	/bin/rm /tmp/snort.sh.pid
	/bin/rm /var/run/snort*

}

case $1 in
	start)
		rc_start
		;;
	start_real)
		rc_start_real
		;;
	stop)
		rc_stop
		;;
	restart)
		rc_stop
		rc_start_real
		;;
esac

eri--

Try the new update i just made.

That is the startup script and not the config. But for now all should be fixed.

Cino

@ermal:

That is the startup script and not the config. But for now all should be fixed.

sorry about that… Just tried the new updates and seeing a different error... snort engine is trying to start tho. When i'm in 'Snort: Interface Edit:' the server, preprocessors, barnyard2 tab show the interface as '0em3' instead of '39737 em3' but the other tabs are showing the interface correctly.

Aug 2 20:39:43 	SnortStartup[22178]: Interface Rule START for 0_39737_em3...
Aug 2 20:39:43 	snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option.
Aug 2 20:39:43 	snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option.
Aug 2 20:39:43 	snort[21986]: alert_multiple_requests: ACTIVE
Aug 2 20:39:43 	snort[21986]: alert_multiple_requests: ACTIVE
Aug 2 20:39:43 	snort[21986]: alert_incomplete: ACTIVE
Aug 2 20:39:43 	snort[21986]: alert_incomplete: ACTIVE
Aug 2 20:39:43 	snort[21986]: alert_large_fragments: ACTIVE
Aug 2 20:39:43 	snort[21986]: alert_large_fragments: ACTIVE
Aug 2 20:39:43 	snort[21986]: alert_fragments: INACTIVE
Aug 2 20:39:43 	snort[21986]: alert_fragments: INACTIVE
Aug 2 20:39:43 	snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Aug 2 20:39:43 	snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Aug 2 20:39:43 	snort[21986]: rpc_decode arguments:
Aug 2 20:39:43 	snort[21986]: rpc_decode arguments:

here is my conf

# snort configuration file
# generated by the pfSense
# package manager system
# see /usr/local/pkg/snort.inc
# for more information
#	snort.conf
#   Snort can be found at http://www.snort.org/
#
#	Copyright (C) 2009-2010 Robert Zelaya
#	part of pfSense
#	All rights reserved.
#
#	Redistribution and use in source and binary forms, with or without
#	modification, are permitted provided that the following conditions are met:
#
#	1\. Redistributions of source code must retain the above copyright notice,
#	   this list of conditions and the following disclaimer.
#
#	2\. Redistributions in binary form must reproduce the above copyright
#	   notice, this list of conditions and the following disclaimer in the
#	   documentation and/or other materials provided with the distribution.
#
#	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
#	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
#	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
#	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
#	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
#	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#	POSSIBILITY OF SUCH DAMAGE.

#########################
                        #
# Define Local Network  #
                        #
#########################

var HOME_NET [68.xxx.xxx.xxx/22,192.168.0.1/24,192.168.200.1/32,192.168.201.1/32,/,192.168.5.1/24,68.xxx.xxx.x,2001:xxx:xx::2,8.8.8.8,8.8.4.4,127.0.0.1]
var EXTERNAL_NET !$HOME_NET

###################
                  #
# Define Servers  #
                  #
###################

var DNS_SERVERS [$HOME_NET]
var SMTP_SERVERS [$HOME_NET]
var HTTP_SERVERS [$HOME_NET]
var SQL_SERVERS [$HOME_NET]
var TELNET_SERVERS [$HOME_NET]
var SNMP_SERVERS [$HOME_NET]
var FTP_SERVERS [$HOME_NET]
var SSH_SERVERS [$HOME_NET]
var POP_SERVERS [$HOME_NET]
var IMAP_SERVERS [$HOME_NET]
var RPC_SERVERS $HOME_NET
var WWW_SERVERS [$HOME_NET]
var SIP_PROXY_IP [$HOME_NET]
var AIM_SERVERS \
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

########################
                       #
# Define Server Ports  #
                       #
########################

portvar HTTP_PORTS [80]
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS [1521]
portvar AUTH_PORTS [113]
portvar DNS_PORTS [53]
portvar FINGER_PORTS [79]
portvar FTP_PORTS [21]
portvar IMAP_PORTS [143]
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
portvar MSSQL_PORTS [1433]
portvar NNTP_PORTS [119]
portvar POP2_PORTS [109]
portvar POP3_PORTS [110]
portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
portvar RLOGIN_PORTS [513]
portvar RSH_PORTS [514]
portvar SMB_PORTS [139,445]
portvar SMTP_PORTS [25]
portvar SNMP_PORTS [161]
portvar SSH_PORTS [222]
portvar TELNET_PORTS [23]
portvar MAIL_PORTS [25,143,465,691]
portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
portvar SIP_PROXY_PORTS [5060:5090,16384:32768]

# DCERPC NCACN-IP-TCP
portvar DCERPC_NCACN_IP_TCP [139,445]
portvar DCERPC_NCADG_IP_UDP [138,1024:]
portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
portvar DCERPC_NCACN_UDP_LONG [135,1024:]
portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
portvar DCERPC_NCACN_TCP [2103,2105,2107]
portvar DCERPC_BRIGHTSTORE [6503,6504]

#####################
                    #
# Define Rule Paths #
                    #
#####################

var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules
# var PREPROC_RULE_PATH ./preproc_rules

################################
                               #
# Configure the snort decoder  #
                               #
################################

config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops

###################################
                                  #
# Configure the detection engine  #
# Use lower memory models         #
                                  #
###################################

config detection: search-method ac-bnfa max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length

#Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort/dynamicrules

###################
                  #
# Flow and stream #
                  #
###################

preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy bsd detect_anomalies

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp yes, track_icmp yes
preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes
preprocessor stream5_udp:
preprocessor stream5_icmp:

	##########################
                         #
# NEW                    #
# Performance Statistics #
                         #
##########################

preprocessor perfmonitor: time 300 file /var/log/snort/snort_39737_em3.stats pktcnt 10000

	#################
                #
# HTTP Inspect  #
                #
#################

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
                        ports  { 80 8080 }  \
                        non_strict \
                        non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                        flow_depth 0  \
                        apache_whitespace no \
                        directory no \
                        iis_backslash no \
                        u_encode yes \
                        ascii no \
                        chunk_length 500000 \
                        bare_byte yes \
                        double_decode yes \
                        iis_unicode no \
                        iis_delimiter no \
                        multi_slash no

	##################
                 #
# Other preprocs #
                 #
##################

preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
preprocessor bo

	#####################
                    #
# ftp preprocessor  #
                    #
#####################

preprocessor ftp_telnet: global \
inspection_type stateless

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: \
    ftp server default \
    def_max_param_len 100 \
    ports { 21 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

	#####################
                    #
# SMTP preprocessor #
                    #
#####################

preprocessor SMTP: \
    ports { 25 465 691 } \
    inspection_type stateful \
    normalize cmds \
    valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    max_header_line_len 1000 \ 
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
    alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
    alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    xlink2state { enable }

	################
               #
# sf Portscan  #
               #
################

preprocessor sfportscan: scan_type { all } \
                         proto  { all } \
                         memcap { 10000000 } \
                         sense_level { medium } \
                         ignore_scanners { $HOME_NET }

############################
                           #
# OLD                      #
# preprocessor dcerpc: \   #
#    autodetect \          #
#    max_frag_size 3000 \  #
#    memcap 100000         #
                           #
############################

	###############
              #
# NEW         #
# DCE/RPC 2   #
              #
###############

preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

	####################
                   #
# DNS preprocessor #
                   #
####################

preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

##############################
                             #
# NEW                        #
# Ignore SSL and Encryption  #
                             #
##############################

preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted

#####################
                    #
# Snort Output Logs #
                    #
#####################

	output unified: filename snort_39737_em3.log, limit 128
	output alert_full: alert

#################
                #
# Misc Includes #
                #
#################

include /usr/local/etc/snort/snort_39737_em3/reference.config
include /usr/local/etc/snort/snort_39737_em3/classification.config

# Snort user pass through configuration

###################
                  #
# Rules Selection #
                  #
###################

	include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-ciarmy.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules

EDIT: I found the issue in the conf file under var HOME_NET    01.1/32,/,192.168.5.1/24

was able to manually start snort after editing the conf file :-)

It doesnt create the folder/file for the suppress list

Aug 2 21:59:38 	snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
Aug 2 21:59:38 	snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.

swinn

I have a couple of issues:

1. When updating rules, when it tries to download the snort.org rules, the following error is shown at the bottom of the page and the rules are not processed:

Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 820

2. If I have the option enabled to "Keep snort settings after deinstall" and then reinstall the package, the menu link for Snort does not appear and Snort is not listed in the "Status: Services" page. I have to backup the config, remove the "snortglobal" section, upload the new config and reinstall Snort to fix it.

Thanks!

robo

Thank you all for great work - snort kicks back online on my router - I really felt naked during last few weeks.
BTW. If I understand it correctly classic snort package maintenance was shifted from JamesDean, I really admire his work, I can only hope that you will get on well.

@swinn:

I have a couple of issues:

1. When updating rules, when it tries to download the snort.org rules, the following error is shown at the bottom of the page and the rules are not processed:

Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 820

2. If I have the option enabled to "Keep snort settings after deinstall" and then reinstall the package, the menu link for Snort does not appear and Snort is not listed in the "Status: Services" page. I have to backup the config, remove the "snortglobal" section, upload the new config and reinstall Snort to fix it.

Thanks!

I think that no 1 is fixed with the latest update (package version did not change).
I encountered the same issue as in no 2, although I didn't try fiddling with config yet.
What I did was simply use direct link to snort webconfiguration:
http://192.168.1.1/snort/snort_interfaces.php
to update rules and start snort and it seems to be working correctly.
During the snort "holiday" break I messed up with the snort-dev package - maybe something left over from it.

Gloom

2.0-RC3 (amd64)
built on Tue Aug 2 22:54:59 EDT 2011

First let me say thanks for getting this package back now I can go back to testing  ;D

The only problem I've found is that if you tick the Block Offenders under the if settings tab then snort refuses to restart. The following error is logged.

snort[9497]: FATAL ERROR: /usr/local/etc/snort/snort_50697_bce0/snort.conf(351) Unknown output plugin: "alert_pf"

Untick the box and it fires up fine but obviously no hosts get added to the block list.

th3r3isnospoon

Just got the e-mail that this was fixed.  Awesome!  Thank you!

http://redmine.pfsense.org/issues/1590

-th3r3isnospoon

Cino

@Ermal great work! I found small bug with the Suppress List. The interface doesn't seem to be saving the file needed for the interface to come up. Is the path wrong?

Aug 3 09:03:12 	snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
Aug 3 09:03:12 	snort[57613]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.

I'm going to do more testing with white list and home net list today and report back… I know white list wasn't working in the old package but the work around was to use the home net instead if you needed to white list an IP.

eri--

All the issues should be solved now.
Please reinstall and test.

Cino

@ermal:

All the issues should be solved now.
Please reinstall and test.

new problem.. After updating snort, all the menu items for other packages are missing. I did a full firmware update so it would re-download all the packages.. Same thing, all package menu items are removed but Services-Snort is there..

countryblock, LCDproc, cron, shellcmd, vnstat2, ntop, notes are all missing from the menu

EDIT: I removed the code that was added to pkg-utils.inc, https://github.com/bsdperimeter/pfsense/commit/27018d3cc4f12c995efadf5dc5ba90eb7c1aa641  Rebooted the box and did a package re-install.. Now my package menu items are there

Cino

white list doesn't work.. I put the IPs into my home net list and snort also blocked them.

i checked my conf file and var HOME_NET contains none of the IPs i added. Not sure how the white list works since it broke a long time ago. The file "MainWhiteList 10285" doesn't contain any of the IPs i put in that list either.. Also, there is a space in the file name..

eri--

Well the whitelist option in snort:interfaces:edit works only if Block offenders is on!

Cino

@ermal:

Well the whitelist option in snort:interfaces:edit works only if Block offenders is on!

I had Block offenders on and it was blocking whitelist IPs. I noticed you made some more changes… I'll update and retest

EDIT:  new issue, snort wont start. See below:

Aug 3 15:16:23 	SnortStartup[13847]: Snort HARD Reload For 39737_em3...
Aug 3 15:16:23 	snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Aug 3 15:16:23 	snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.

Cino

also change https://github.com/bsdperimeter/pfsense/commit/27018d3cc4f12c995efadf5dc5ba90eb7c1aa641 is still removing package menu items. I see that you put a piece back in https://github.com/bsdperimeter/pfsense/commit/05ca39d93d972908e61da6f1b0b9132dd39b017b but that didn't fix it

as i re-install a package, its removing the last installed package from the menu

Edit: I' opened a ticket on this as this has nothing to do with Snort but with 2.1 Development code, ticket 1743

mschiek01

@Cino:

@ermal:

Well the whitelist option in snort:interfaces:edit works only if Block offenders is on!

I had Block offenders on and it was blocking whitelist IPs. I noticed you made some more changes… I'll update and retest

EDIT:  new issue, snort wont start. See below:

Aug 3 15:16:23 	SnortStartup[13847]: Snort HARD Reload For 39737_em3...
Aug 3 15:16:23 	snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Aug 3 15:16:23 	snort[13005]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.

I can confirm same issue as above on the latest update.  I do not have a problem with the package removal though

eri--

Hmm just remove and reinstall the binaries again not just the snort files.
Those are files that come wiht the package difficult to loose those without something wrong :)

EDIT:

I put another fix to prevent the errors you are seeing.

Cino

@ermal:

Hmm just remove and reinstall the binaries again not just the snort files.
Those are files that come wiht the package difficult to loose those without something wrong :)

All my re-installs have been 'Reinstall this Package'

btw, thank you very much for the quick responses on fixing the snort package as i'v been finding issues… I've been kind hoping other users would be reporting on issues other then myself since there was an outcry for snort a week ago...

mdovey

I've already done two reinstalls of PfSense 2RC3 in the last week due to things going awry during a snapshot update (which may or may not have been related to having snort or snort-dev installed), and my first attempt to install the new snort didn't go too well (Snort was missing from the menu and services list after installation but someone else reported this before I could, with more insight as to the circumstances under which it occurred than I had).

So I'm afraid, I'm sitting on the fence at the moment, waiting for an all-clear!

Matthew

mschiek01

@ermal:

Hmm just remove and reinstall the binaries again not just the snort files.
Those are files that come wiht the package difficult to loose those without something wrong :)

EDIT:

I put another fix to prevent the errors you are seeing.

Just did a reinstall same error:
Aug 3 15:06:12 snort[18906]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Aug 3 15:06:12 snort[18906]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.

Snort was this morning this only started occurring after the reinstall.

Cino

@emarl  Im able to start snort again :-) had some issues starting it but i forgot that in my main home net list, i have to uncheck 'Add WAN DNS servers to the list.' since I have a IPv6 in my WAN DNS entries. Snort doesn't like IPv6 yet.

looking at the conf file, my net list is there.. Going to test the IDS then enable blocking and see if whitelist works again.

EDIT:  Issue with the suppress file again. The file looks good

the file:

# This file is auto generated by the snort package. Please do not edit this file by hand.

suppress gen_id 119, sig_id 2, track by_src, ip 68.x.x.x

system log

Aug 3 16:28:32 	SnortStartup[57067]: Interface Rule START for 0_39737_em3...
Aug 3 16:28:32 	snort[56934]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid configuration line: Ú^Y^O
Aug 3 16:28:32 	snort[56934]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid configuration line: Ú^Y^O

Whitelist isn't working. It is creating the file but there is a space in the name "MainWhiteList 10285" Also when I check 'Block offenders' and Select 'MainWhiteList' from the drop down; it goes back to 'default' when i click on 'Save'