Snort Won't Start After Upgrade
-
Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. I was working on the previous ver.
-
That did the trick! I had to remove /usr/local/lib/snort/*
I'll do more testing later today and over the weekend and report back with my findings.
P.S. Still can't clear alerts but I don't know if you worked on that or not… using FF6
Thanks Cino :)
-
Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. I was working on the previous ver.
Yup, same here, the only alert that pops is for VNC Scan on 5900.
-
@ermal:
You are sure there is no old library on that folder that is not compatible with newest snort?
I cannot replicate this. Do this to test.
Uninstall snort
Remove the snort/lib folder
Reinstall snort
See if it happens again.
Yep, that works for 2.0-RC3 (i386) built on Thu Aug 4 12:47:50 EDT 2011.
But… take a look on that screenshot below. It just happens in Snort Interfaces, Global Settings and Updates tab.
Browser Firefox 6.0.1
I know… it's out of the subject. Just reporting. Sorry if it's the wrong place for that.
-
With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:
[2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
[2.0-RC3][root@kainak]/usr/local/bin(7):
I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:
amd64
/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
i386
/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
At least for me it seems to be working and logging now just like it should… ;)
-
After several weeks of working Snort package on i386 platform, the last update broke it. Here is what I get on my system logs.
Sep 3 06:49:16 SnortStartup[4087]: Snort HARD Reload For 21540_em0_vlan10…
Sep 3 06:49:16 SnortStartup[850]: Snort Startup files Sync…
I didn't just rely on status of running services (i.e. Snort not running) either but kicked off a port scan from grc.com which used to automatically add that ip to blocked list and now nothing. None of the suggestions mentioned on this thread have worked for me.
-
Can you try out this?
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 0b30a8c..09b8835 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -2123,7 +2123,7 @@ preprocessor sfportscan: scan_type { all } \ proto { all } \ memcap { 10000000 } \ sense_level { medium } \ - ignore_scanners { \$HOME_NET } + # ignore_scanners { \$HOME_NET } EOD;
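Review bot: commenting out `ignore_scanners { \$HOME_NET }` with a leading `#` does not take it out of the generated snort.conf, because the preceding `sense_level { medium } \` line still ends in a continuation backslash, so the commented line is joined to the `preprocessor sfportscan:` statement and the next directive in the heredoc is read as one of its options; the later report in this thread of `Invalid option 'preprocessor' to portscan preprocessor` against the generated snort.conf is consistent with that. Either delete the `ignore_scanners` line outright and drop the trailing `\` from the `sense_level { medium }` line, or end the continuation on the last option actually emitted. The commit message should also state the behavioural change: scans sourced from HOME_NET hosts are no longer ignored by the portscan preprocessor, which changes what it alerts on.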
-
I guess I don't understand what needs to be done as per your suggestion. Do I just reinstall the package?
-
i should look up how to use diff, but i manually edited the file instead:
Sep 3 13:56:25 snort[44707]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(302) => Invalid option 'preprocessor' to portscan preprocessor.
-
Great! pfsense 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 - Snort 2.9.0.5 pkg v. 2.0
Barnyard now configures correctly and doesn't corrupt previous settings (but is not installed and started like Jare stated correctly). The snort_netbios.rules fatal error still exists:
snort[33208]: FATAL ERROR: /usr/local/etc/snort/snort_54739_em1/rules/snort_netbios.rules(72) GID 1 SID 2511 in rule duplicates previous rule, with different protocol.
When the rule duplicates a previous rule, then the protocol should be the same(?) Otherwise it's not duplicate…
I use the same rulesets (snort.org/emergingthreats.net/pfsense.org) with pfsense 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009 - Snort 2.8.6.1 pkg v. 1.34 and the error does not come up... (?)
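As an added check, not from this thread or the pfSense package, the following Python script scans a Snort rules file for the condition the error above describes: the same GID/SID pair appearing twice with different protocols, which Snort rejects at startup as a duplicate rule. The rules in SAMPLE_RULES are constructed for the demonstration; point the function at the contents of the real snort_netbios.rules to locate the offending pair.

```python
import re
from collections import defaultdict

# Constructed sample: SID 2511 (GID 1 by default) is declared for both tcp and
# udp, which is the "duplicates previous rule, with different protocol" case.
# The two SID 2512 rules are fine because their GIDs differ.
SAMPLE_RULES = """\
# comment line
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS test A"; sid:2511; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS test B"; sid:2511; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS test C"; sid:2512; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS test D"; gid:3; sid:2512; rev:1;)
"""

# action, protocol, then everything up to the option block in parentheses
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+.*?\((.*)\)\s*$")


def parse_rules(text):
    """Yield (gid, sid, protocol, line_no) for every active rule line."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines, comments, non-rule directives
        proto, options = m.group(2).lower(), m.group(3)
        sid = re.search(r"\bsid\s*:\s*(\d+)", options)
        if not sid:
            continue  # a rule without a sid is a different error, skip it here
        gid = re.search(r"\bgid\s*:\s*(\d+)", options)
        yield (int(gid.group(1)) if gid else 1, int(sid.group(1)), proto, line_no)


def find_protocol_conflicts(text):
    """Return {(gid, sid): [(proto, line_no), ...]} for ids seen with more than one protocol."""
    seen = defaultdict(list)
    for gid, sid, proto, line_no in parse_rules(text):
        seen[(gid, sid)].append((proto, line_no))
    return {key: hits for key, hits in seen.items() if len({p for p, _ in hits}) > 1}


if __name__ == "__main__":
    for (gid, sid), hits in find_protocol_conflicts(SAMPLE_RULES).items():
        where = ", ".join(f"{proto} at line {n}" for proto, n in hits)
        print(f"GID {gid} SID {sid} duplicated with different protocol: {where}")
```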
-
I just upgraded to 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 and continue to get the following error, which is different from before but the result is the same, i.e. Snort not starting. No change in ruleset.
Sep 4 06:59:48 SnortStartup[24402]: Interface Rule START for 0_21540_em0_vlan10…
Reinstalling the Snort package results in the previous error message.
Sep 4 07:04:33 SnortStartup[43419]: Snort HARD Reload For 21540_em0_vlan10…
-
Try reinstalling the package.
-
Not sure if it is an improvement, but after I uninstalled and installed Snort, I get the following after clicking the 'Update Rules' button:
Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481
-
I try to update now and I get this error
Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481
Is there a way to fix it?
-
Hi. In case you didn't find the solution for the line 481 error, all you need to do is remove the } on line 481. Then update will work again..
-
Hi. In case you didn't find the solution for the line 481 error, all you need to do is remove the } on line 481. Then update will work again..
was able to write that
-
My findings so far:
The package doesn't remove correctly. It still shows up on my Services page. Uninstalling the package twice seems to fix this issue.
Once rules are updated, I have to re-save my Categories then start the interface.
Snort rules seem to be detecting attacks and auto-blocking is working :-)
Can't clear the alerts page, already reported and ticketed.
Portscan Detection Preprocessor is not working, this was already reported 2 days ago. (This is a biggie for me since I'm always being scanned for open ports)
-
Manually editing the snort_download_rules.php file to remove the extra '}' allows the rules to update again. However, I am no closer to having Snort start. I get the same message as before:
Sep 4 13:21:54 SnortStartup[49255]: Snort HARD Reload For 21540_em0_vlan10…
Sep 4 13:21:54 SnortStartup[46000]: Snort Startup files Sync…
-
Fixed the syntax error.
hmishra - I am not sure what you mean by not being able to start snort!
Cino, I am not sure what changed to have snort not detect autoblocking.
Maybe a new directive is needed?! But the config is right afaik.
-
Cino,
can you try a full reinstall of the package? I recompiled the port with some options removed that might impact this.