Snort Won't Start After Upgrade
-
Hi Ermal:
Just a quick post to say thank-you for the hard work you put in getting Snort working again. Everything appears to be working fine for me now on the i386 version of pfSense 2.0-RC3 running Snort 2.9.0.5. The rules are updating now to the correct version, and all the rules I enable function for me.
I finally did a complete uninstall of Snort and did not save my settings. I then installed Snort fresh and typed my settings back in. During all of this I also found one self-inflicted wound that may have been part of my difficulties with Snort sporadically starting depending on which rules were selected. I had altered the Memory Performance setting and changed it away from AC-BNFA. That was causing Snort to sporadically run out of memory. Once I realized that and restored the setting to the default of AC-BNFA, things became much more stable… ;D
I was having non-stop problems of Snort stopping and/or the widget issue. I have two systems, both high end with 4 GB of memory, running a CARP setup, but with the latest update Snort just kept stopping and/or refusing to start after a reboot. I changed the memory setting from ac-std to the default ac-bnfa and the problems all stopped. So what changed to cause this?
-
Great, did you CLEAR the log after you changed from FULL to SHORT before? A reinstall will automatically clear the Snort log.
I did. The issue now is that when I looked at the log files in the terminal I can see that it is logging in full and not short, even though the setting is set to short in the GUI. This all started happening when I updated to the latest Snort.
-
As far as I can see, snort is now fully working again.
I am running 2.0-RC3 amd64. Snort has been working, but wasn't able to block hosts, up until and including the Sept. 2nd pfsense update.
I just installed 2.0-RC3 (amd64) built on Tue Sep 6 22:44:22 EDT 2011 and toggled the "Block offenders" checkbox off (-> Save button) and on (-> Save button) and restarted Snort, and I am now receiving proper entries in the "Blocked Hosts" list. A huge Thank You to the maintainers!
-
You know a small donation does not hurt as well :)
-
@ermal:
You know a small donation does not hurt as well :)
You're right, I'm doing that now. Thanks again for your direct engagement in threads like this, it's tremendously helpful.
-
@ermal:
You know a small donation does not hurt as well :)
ermal,
I have no issues with passing you a donation. As a matter of fact I donated an Alix board to James when he started the whole Snort development and I won't mind donating hardware/cash again.
The issue I have is that Snort, though very functional, is still somewhat broken in other features. If I clear the log in Snort the interface takes me to a white page /snort/snort_alerts.php and does nothing. It does not clear the logs. Then we have the short log issue which you stated you will not bother with, so to me these are features that are needed. Maybe not to you, but to others they are, and if you search the board it has been brought up once or twice. Maybe they are not bugs and it is specific to me only, but I have yet to see that…
I do appreciate the time you are spending to fix Snort. Thank You!
Edit:
I manage to get the conf file to allow me to log in short format.
Thanks.
-
ermal,
I have no issues with passing you a donation. As a matter of fact I donated an Alix board to James when he started the whole Snort development and I won't mind donating hardware/cash again.
The issue I have is that Snort, though very functional, is still somewhat broken in other features. If I clear the log in Snort the interface takes me to a white page /snort/snort_alerts.php and does nothing. It does not clear the logs. Then we have the short log issue which you stated you will not bother with, so to me these are features that are needed. Maybe not to you, but to others they are, and if you search the board it has been brought up once or twice. Maybe they are not bugs and it is specific to me only, but I have yet to see that…
If you have the resources, you should look into Snorby (http://snorby.org/) .. it's like ACID/Base on steroids. It works out of the box with barnyard2 on pfSense.
-
Well, if you found that something needs to be fixed in the package, let me know so I can integrate it.
As for other issues, you can report them with some info behind them for me to be able to find the issue, or even better submit a patch.
I am aware of the status of the package, but as it is today it is way better than it was when I started.
Also, continuing to fix that will be based either on funding/donations or my free time; that is the reasoning behind my statements.
For the moment my time was backed with some funding behind it, and for the future we will see.
You have to thank me as well as the pfSense guys for allocating time to this.
Certainly I will try to progress in free time to improve, and there is a lot to improve, but that has no timelines behind it.
-
Where and how can we donate?
Thanks,
-th3r3isnospoon
-
You can contribute to pfSense directly at this link http://www.pfsense.org/index.php?option=com_content&task=view&id=69&Itemid=80
-
@ermal I don't know if this is a quick fix or not, but could you fix the log format spacing? It wasn't like this with the old version of Snort, see my screenshot.
-
Cino,
I don't have this issue.
Which version are you using? Also, what platform, i386 or amd64?
-
FF 6.02, PF2.1_Dev i386
-
By any chance.. do you have the widescreen package installed?
-
By any chance.. do you have the widescreen package installed?
Nope… Would like to use it, but not till it's fully completed.
-
… If I clear the log in snort the interface takes me to a white page /snort/snort_alerts.php and does nothing. it does not clear the logs. ...
I also have this issue.
Moreover, in the IF settings of the interface configured to run Snort, the only option available for HOME NET is the default (which includes the subnets of all interfaces). When I change it manually in the corresponding snort.conf file, after restarting the service it takes the same values again. Am I missing something, or is it a kind of bug?
Thanks
Antonios
-
…in the If settings of the interface configured to run snort, the only option available for HOME NET is the default (which includes the subnets of all interfaces)...
I did overcome this problem by using the "Advanced configuration pass through" to pass the HOME_NET and the EXTERNAL_NET parameters. In the snort.conf file there are two definitions of these variables (the default and the passed-through ones), but obviously the second overrides the first.
However, I still believe it is an issue that you cannot change the default value.
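As an added illustration of the workaround described above (this is constructed example text, not the poster's file or the pfSense package's generated output), here is what the relevant part of a snort.conf looks like once the pass-through lines are appended. The subnets are placeholders, and the exact form of the package-generated default lines is an assumption; what matters is that Snort honours the last definition of a variable it reads, so the pass-through definitions win.

```conf
# Assumed: default lines generated by the pfSense Snort package, with HOME_NET
# covering the subnets of every interface (placeholder addresses).
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/24,203.0.113.0/24]
ipvar EXTERNAL_NET any

# Appended from the "Advanced configuration pass through" box.
# Snort keeps the last definition, so these override the two lines above:
# HOME_NET is reduced to the internal subnets only, and EXTERNAL_NET becomes
# everything that is not HOME_NET.
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/24]
ipvar EXTERNAL_NET !$HOME_NET
```

Before relying on the override, validate the merged file with Snort's configuration test mode (`snort -T -c /path/to/snort.conf`), which parses the file and reports the variables and preprocessors it ends up with; a second definition that contains a typo would otherwise only show up when the service fails to start.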
-
By any chance.. do you have the widescreen package installed?
Nope… Would like to use it, but not till it's fully completed.
Matthias did some changes to fix the issues with the widescreen pkg…
http://forum.pfsense.org/index.php/topic,35285.0.html
Though it is a manual process and still requires some editing if you are not running 2.1... All in all it works and fixes a lot of bugs.
-
I personally consider it a bug since you don't normally think of your home net as your WAN interface. I don't know how pfSense feels about that, which is what will ultimately decide if this is a "bug" or "feature".
-
@Ermal I noticed you added some code to allow inspecting gzipped HTTP flows. After updating the package I'm receiving this error:
snort[1781]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(171) => Enable 'extended_response_inspection' inspection before setting 'inspect_gzip'
I removed the changes from my box and Snort started again.
Doing some research, I added extended_response_inspection before the changes you made and Snort started. Based on the docs, this is needed for the inspect_gzip setting:
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
Reviewing the different settings, I think it would make sense to have them under Preprocessors: HTTP Inspect Settings. With all the different settings available for Snort, I can see why it would almost be a full-time job to make everything configurable within pfSense.
P.S. I still can't clear the alert log. After clicking 'OK' to clear the log, nothing happens. At least I'm not being directed to a blank page now.
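To make the ordering requirement behind that FATAL ERROR concrete, here is an added example (constructed for this thread, not the package's actual generated snort.conf) of an http_inspect_server block as it fails and as it starts. The `server default` / `profile all` / `ports` settings are assumed boilerplate; the four options are the ones quoted in the post above.

```conf
# FAILING: inspect_gzip appears before extended_response_inspection, so Snort
# aborts at startup with
#   FATAL ERROR: ... => Enable 'extended_response_inspection' inspection
#   before setting 'inspect_gzip'
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress

# WORKING: extended_response_inspection is enabled first; inspect_gzip and
# unlimited_decompress build on it, so the order of the options matters.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress
```

Two practical notes. First, this is exactly the kind of mistake `snort -T -c snort.conf` catches before the service is restarted, which is cheaper than discovering it from a stopped IDS after a reboot. Second, decompressing responses costs memory per session; Snort bounds that through the `max_gzip_mem` option of the global `http_inspect` configuration, which is worth keeping in mind given the out-of-memory symptoms discussed earlier in this thread.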