Netgate Discussion Forum

    Snort Won't Start After Upgrade

    pfSense Packages
      digdug3

      @serialdie:

      @breusshe:

      Not sure if this is a new topic, but I'll ask here and move it if needed. I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not. Truthfully, I've never had this module work yet so it could just be something in how I've set up Snort. But, I'm wondering if anyone else has the same issue?

      It has nothing to do with snort config. It just looks like the widget is way outdated.

      You should use SHORT alert descriptions to get the widget working with pfSense 1.2.3

        serialdie

        @digdug3:

        @serialdie:

        @breusshe:

        Not sure if this is a new topic, but I'll ask here and move it if needed. I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not. Truthfully, I've never had this module work yet so it could just be something in how I've set up Snort. But, I'm wondering if anyone else has the same issue?

        It has nothing to do with snort config. It just looks like the widget is way outdated.

        You should use SHORT alert descriptions to get the widget working with pfSense 1.2.3

        That's not the case in 2.0

          NightHawk007

          @Cino:

          @NightHawk007 I did a firmware update for other reasons, nothing to do with snort… probably shouldn't have mentioned it. The Snort package has had its binary updated to a more recent version from Snort. A side effect, it seems, is that port scanning detection isn't working. From my current testing, any attack that matches a rule is being detected.

          I did a test after a snort reinstall and did a port scan, and it seems to be working fine now :) :)

          Thank You

            serialdie

            I am running i386 2.0-RC3. Is it safe now to update snort?

            I just want to make sure everything is ok before updating, as my box is under production env.

            Thank you!

              serialdie

              @digdug3:

              @serialdie:

              @breusshe:

              Not sure if this is a new topic, but I'll ask here and move it if needed. I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not. Truthfully, I've never had this module work yet so it could just be something in how I've set up Snort. But, I'm wondering if anyone else has the same issue?

              It has nothing to do with snort config. It just looks like the widget is way outdated.

              You should use SHORT alert descriptions to get the widget working with pfSense 1.2.3

              Funny… after a reinstall it started working.

                bmeeks

                Hi Ermal:

                Just a quick post to say thank you for your hard work in getting Snort working again. Everything appears to be working fine for me now on the i386 version of pfSense 2.0-RC3 running Snort 2.9.0.5. The rules are updating now to the correct version, and all the rules I enable function for me.

                I finally did a complete uninstall of Snort and did not save my settings.  I then installed Snort fresh and typed my settings back in.  During all of this I also found one self-inflicted wound that may have been part of my difficulties with Snort sporadically starting depending on which rules were selected.  I had altered the Memory Performance setting and changed it away from AC-BNFA.  That was causing Snort to sporadically run out of memory.  Once I realized that and restored the setting to the default of AC-BNFA, things became much more stable… ;D

                  th3r3isnospoon

                  Looks like SNORT on AMD64 is getting close. I had SNORT working on an uninstall and reinstall.

                  I just upgraded from the Aug 30th snap to the latest snap today (Sept 6th) and it broke again.

                  Here's the output:

                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                  Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                  Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                  Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                  Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                  Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                  Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                  Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                  Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                  Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                  Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                  Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                  Sep 6 22:55:06 SnortStartup[1948]: Interface Rule START for 0_4256_em0…

                  Ideas?

                  Thanks,

                  -th3r3isnospoon

                    th3r3isnospoon

                    @th3r3isnospoon:

                    Looks like SNORT on AMD64 is getting close. I had SNORT working on an uninstall and reinstall.

                    I just upgraded from the Aug 30th snap to the latest snap today (Sept 6th) and it broke again.

                    Here's the output:

                    Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                    Sep 6 22:55:06 snort[1686]: IIS Unicode Map Filename: /usr/local/etc/snort/snort_4256_em0/unicode.map
                    Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                    Sep 6 22:55:06 snort[1686]: IIS Unicode Map Codepage: 1252
                    Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                    Sep 6 22:55:06 snort[1686]: Max Gzip Memory: 838860
                    Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                    Sep 6 22:55:06 snort[1686]: Max Gzip Sessions: 191
                    Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                    Sep 6 22:55:06 snort[1686]: Gzip Compress Depth: 1460
                    Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                    Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
                    Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                    Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
                    Sep 6 22:55:06 SnortStartup[1948]: Interface Rule START for 0_4256_em0…

                    Ideas?

                    Thanks,

                    -th3r3isnospoon

                    Never mind… typo! I had a (-) instead of a (0) :-[

                    Sorry!

                    Thanks!

                    -th3r3isnospoon
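
The startup failure in the post above (FATAL ERROR at snort.conf line 168, "Invalid argument to 'flow_depth'", caused by a "-" where a "0" was meant) can be triaged from the log and the generated config. This is an added example, not part of the thread or of the pfSense Snort package: the log lines are copied from the post, while the snort.conf fragment and the function names are constructed for illustration.

```python
import re

# Log lines copied from the post above (each appears twice in the original).
SAMPLE_LOG = """\
Sep 6 22:55:06 snort[1686]: Gzip Decompress Depth: 2920
Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
Sep 6 22:55:06 snort[1686]: FATAL ERROR: /usr/local/etc/snort/snort_4256_em0/snort.conf(168) => Invalid argument to 'flow_depth'.
"""

# Constructed snort.conf fragment (not from the thread) with the same typo:
# "-" where a number such as 0 was intended. Raw string keeps the trailing "\".
SAMPLE_CONF = r"""preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    flow_depth - \
    oversize_dir_length 500
"""

FATAL_RE = re.compile(
    r"snort\[\d+\]: FATAL ERROR: (?P<conf>[^\s(]+)\((?P<line>\d+)\) => (?P<msg>.+)$"
)
DEPTH_RE = re.compile(r"\b((?:server_|client_)?flow_depth)\s+(\S+)")


def fatal_errors(log_text):
    """Return unique (config path, line number, message) tuples, in log order."""
    found = []
    for entry in log_text.splitlines():
        m = FATAL_RE.search(entry)
        if m:
            item = (m.group("conf"), int(m.group("line")), m.group("msg"))
            if item not in found:  # syslog shows each message twice
                found.append(item)
    return found


def bad_depths(conf_text):
    """Return (line number, option, value) for non-integer *flow_depth arguments."""
    bad = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore comments
        for option, value in DEPTH_RE.findall(code):
            if not re.fullmatch(r"-?\d+", value):
                bad.append((lineno, option, value))
    return bad


if __name__ == "__main__":
    for conf, line, msg in fatal_errors(SAMPLE_LOG):
        print(f"{conf}:{line}: {msg}")
    for lineno, option, value in bad_depths(SAMPLE_CONF):
        print(f"fragment line {lineno}: {option} has non-numeric value {value!r}")
```

Running the config check before restarting the service catches this class of typo without waiting for Snort to abort at startup.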

                      th3r3isnospoon

                      My only issue now is that SNORT will not start on its own after a reboot of the firewall. I'll have to poke around some more :)

                      -th3r3isnospoon

                        serialdie

                        @ermal:

                        @breusshe,

                        I have no plans and never even used the snort widget.

                        ermal,

                        The problem is not the widget. The problem is that your latest update broke the ability to switch from full logging to short logging.
                        Can you please look into it, since it is not the widget but the option in snort itself.

                        Thank you very much!

                          eri--

                          From what I have checked, the snort config is correct.
                          Investigating where it breaks is up to you for now.

                          My target was to make snort run; more fixes will have to wait for someone backing it up or me having the time for it :)

                            digdug3

                            @serialdie:

                            @digdug3:

                            @serialdie:

                            @breusshe:

                            Not sure if this is a new topic, but I'll ask here and move it if needed. I'm noticing that while Snort is now working, the Snort Alert module on the Dashboard is not. Truthfully, I've never had this module work yet so it could just be something in how I've set up Snort. But, I'm wondering if anyone else has the same issue?

                            It has nothing to do with snort config. It just looks like the widget is way outdated.

                            You should use SHORT alert descriptions to get the widget working with pfSense 1.2.3

                            Funny… after a reinstall it started working.

                            Great, did you CLEAR the log after you changed from FULL to SHORT before? A reinstall will automatically clear the Snort log.

                              mschiek01

                              @bmeeks:

                              Hi Ermal:

                              Just a quick post to say thank you for your hard work in getting Snort working again. Everything appears to be working fine for me now on the i386 version of pfSense 2.0-RC3 running Snort 2.9.0.5. The rules are updating now to the correct version, and all the rules I enable function for me.

                              I finally did a complete uninstall of Snort and did not save my settings. I then installed Snort fresh and typed my settings back in. During all of this I also found one self-inflicted wound that may have been part of my difficulties with Snort sporadically starting depending on which rules were selected. I had altered the Memory Performance setting and changed it away from AC-BNFA. That was causing Snort to sporadically run out of memory. Once I realized that and restored the setting to the default of AC-BNFA, things became much more stable… ;D

                              I was having non-stop problems of snort stopping and/or the widget issue. I have two systems, both high end with 4gig of memory, running a CARP setup, but with the latest update snort just kept stopping and/or refusing to start after a reboot. I changed the memory setting from ac-std to the default ac-bnfa and the problems all stopped. So what changed to cause this?

                                serialdie

                                @digdug3:

                                Great, did you CLEAR the log after you changed from FULL to SHORT before? A reinstall will automatically clear the Snort log.

                                I did. The issue now is that when I looked at the log files in terminal I can see that it is logging in full and not short, even though the setting is set to short in the GUI. This all started happening when I updated to the latest snort.

                                  hansmuff

                                  As far as I can see, snort is now fully working again.

                                  I am running 2.0-RC3 amd64. Snort has been working, but wasn't able to block hosts, up until and including the Sept. 2nd pfSense update.
                                  I just installed 2.0-RC3 (amd64) built on Tue Sep 6 22:44:22 EDT 2011 and toggled the "Block offenders" checkbox off (-> Save button) and on (-> Save button) and restarted Snort, and I am now receiving proper entries in the "Blocked Hosts" list.

                                  A huge Thank You to the maintainers!

                                    eri--

                                    You know a small donation does not hurt as well :)

                                      hansmuff

                                      @ermal:

                                      You know a small donation does not hurt as well :)

                                      You're right, I'm doing that now. Thanks again for your direct engagement in threads like this, it's tremendously helpful.

                                        serialdie

                                        @ermal:

                                        You know a small donation does not hurt as well :)

                                        ermal,

                                        I have no issues with passing you a donation. As a matter of fact, I donated an Alix Board to James when he started the whole snort development and I won't mind donating hardware/cash again.
                                        The issue I have is that snort, though very functional, is still somewhat broken in other features. If I clear the log in snort, the interface takes me to a white page /snort/snort_alerts.php and does nothing. It does not clear the logs. Then we have the short log issue, which you stated that you will not bother with, so to me these are features that are needed. Maybe not to you, but to others they are, and if you search the board it has been brought up once or twice. Maybe they are not bugs and it is specific to me only, but I have yet to see that….
                                        I do appreciate the time you are spending to fix snort.

                                        Thank You!

                                        Edit:

                                        I managed to get the conf file to allow me to log in short format.
                                        Thanks.

                                          seattle-it

                                          @serialdie:

                                          ermal,

                                          I have no issues with passing you a donation. As a matter of fact, I donated an Alix Board to James when he started the whole snort development and I won't mind donating hardware/cash again.
                                          The issue I have is that snort, though very functional, is still somewhat broken in other features. If I clear the log in snort, the interface takes me to a white page /snort/snort_alerts.php and does nothing. It does not clear the logs. Then we have the short log issue, which you stated that you will not bother with, so to me these are features that are needed. Maybe not to you, but to others they are, and if you search the board it has been brought up once or twice. Maybe they are not bugs and it is specific to me only, but I have yet to see that….

                                          If you have the resources, you should look into Snorby (http://snorby.org/)... it's like ACID/Base on steroids. It works out of the box with barnyard2 on pfSense.

                                          My tech blog - seattleit.net/blog

                                            eri--

                                            @serialdie,

                                            Well, if you found that something needs to be fixed in the package, let me know so I can integrate it.

                                            As for the other issues, you can report them with some info behind them so I am able to find the issue or, even better, submit a patch.

                                            I am aware of the status of the package, but as it is today it is way better than it was when I started.
                                            Also, continuing to fix it will be based either on funding donations or on my free time; that is the reasoning behind my statements.
                                            For the moment my time was backed with some funding, and for the future we will see.
                                            You have to thank me as well as the pfSense guys for allocating time to this.
                                            Certainly I will try to progress in my free time to improve it, and there is a lot to improve, but that has no timelines behind it.
