Netgate Discussion Forum

    Snort Won't Start After Upgrade

    pfSense Packages
    301 Posts 64 Posters 215.5k Views
    • serialdie

      @Cino:

      @asterix:

      By any chance.. do you have the widescreen package installed?

      nope… Would like to use it but not till it's fully completed

      Matthias did some changes to fix the issues with the widescreen pkg…

      http://forum.pfsense.org/index.php/topic,35285.0.html

      Though it is a manual process and still requires some editing if you are not running 2.1... All in all it works and fixes a lot of bugs.

      • breusshe

        I personally consider it a bug since you don't normally think of your home net as your WAN interface.  I don't know how pfSense feels about that, which is what will ultimately decide if this is a "bug" or "feature".

        • Cino

          @Ermal I noticed you added some code to allow inspecting gzipped HTTP flows. After updating the package I'm receiving this error:

          snort[1781]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(171) => Enable 'extended_response_inspection' inspection before setting 'inspect_gzip'

          I removed the changes from my box and snort started again.

          Doing some research, I added extended_response_inspection before the changes you made and snort started. Based on the docs, this is needed for the inspect_gzip setting.

              extended_response_inspection \
              inspect_gzip \
              normalize_utf \
              unlimited_decompress \

          Reviewing the different settings, I think it would make sense to have them under Preprocessors: HTTP Inspect Settings. With all the different settings available for snort, I can see why it would almost be a full-time job to make everything configurable within pfSense.

          P.S. I still can't clear the alert log. After clicking 'OK' to clear the log, nothing happens. At least I'm not being directed to a blank page now.

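The ordering rule behind the FATAL ERROR in Cino's post, as an added example that is not part of the original thread or of the pfSense Snort package: a small Python pre-flight check that walks each `http_inspect_server` statement in a snort.conf and flags `inspect_gzip` when `extended_response_inspection` has not appeared before it. The sample configurations and the function name are constructed for illustration.

```python
import re

# Ordering rule taken from the FATAL ERROR quoted in the post:
# the key may only appear after its prerequisite in the same statement.
REQUIRES_BEFORE = {"inspect_gzip": "extended_response_inspection"}

# Constructed sample: the option order that made snort refuse to start.
BROKEN = r"""preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress
"""

# Constructed sample: the same statement with the order from the post.
FIXED = BROKEN.replace(
    "    inspect_gzip",
    "    extended_response_inspection \\\n    inspect_gzip",
)


def check_http_inspect(conf_text):
    """Return (line_no, option, missing_prerequisite) for each violation.

    Simplification: a statement is the 'preprocessor http_inspect_server:'
    line plus every following line reached through a trailing backslash.
    """
    findings = []
    in_stmt, seen = False, set()
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not in_stmt:
            if not re.match(r"preprocessor\s+http_inspect_server\s*:", line):
                continue
            in_stmt, seen = True, set()          # new statement, new state
        continued = line.endswith("\\")
        for tok in line.rstrip("\\").split():
            need = REQUIRES_BEFORE.get(tok)
            if need and need not in seen:
                findings.append((no, tok, need))
            seen.add(tok)
        in_stmt = continued                      # statement ends without '\'
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_http_inspect(conf) or "ok")
```

On the firewall itself, `snort -T -c` followed by the path to the generated snort.conf runs Snort's own configuration test and reports the same error without starting the sensor.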
          • eri--

            Thanks Cino for the usual help.

            The alert mostly works; when it does not work, it's mostly because of snort reloading or php doing something stupid, though I have not investigated which it is that does this.

            • Cino

              Anytime!

              Looks like someone figured out a fix for clearing the alert log. Take a look when you have time, http://redmine.pfsense.org/issues/1765

              • eri--

                I just pushed the fixes for the alert.
                Test it out.

                • Cino

                  Tested and confirmed it is working. Thanks again.

                  • bdwyer

                    How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?

                    CCNP, MCITP

                    Intel Atom N550 - 2gb DDR3
                    Jetway NC9C-550-LF
                    Antec ISK 300-150
                    HP ProCurve 1810-24
                    Cisco 1841 & 2821, Cisco 3550 x3

                    • marcelloc

                      @bdwyer:

                      How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?

                      Basically, when you see updates in the forum and no change in package version, just reinstall (in this case the snort package) to get the latest file versions.

                      Elite Training: http://sys-squad.com

                      Help a community developer! ;D

                      • bdwyer

                        Yes, I think that worked.  Thanks for filling me in.

                        • xieliwei

                          Sorry for reviving an old thread, but I've been having the Unknown output plugin: "alert_pf" problem on my AMD64 pfSense 2.0 install.

                          I originally thought it could be a package problem; but after a few updates and apparently no one else has this problem anymore, I suspect I'm missing something.

                          Can anyone clarify if "Block offenders" is working on AMD64?

                          If so, any clues about why mine doesn't work?

                          • marcelloc

                            Did you try to uninstall / reinstall the snort package?

                            • xieliwei

                              Yes, every single time.
                              Just in case, I did it again. No luck.

                              Pretty sure my messing around caused this; does anyone know which library contains the alert_pf plugin?

                              • marcelloc

                                Try to uninstall again, then go to the console and remove any snort package or dependency left behind.
                                I think some post on this topic has detailed info about this.

                                • cmb

                                  Locking this thread so it won't get hijacked over and over by numerous different issues, please start new threads instead.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.