Snort Won't Start After Upgrade



  • FF 6.02, PF2.1_Dev i386



  • By any chance.. do you have the widescreen package installed?



  • @asterix:

    By any chance.. do you have the widescreen package installed?

    nope… Would like to use it but not till it's fully completed



  • @serialdie:

    … If I clear the log in snort the interface takes me to a white page /snort/snort_alerts.php and does nothing. it does not clear the logs. ...

    I also have this issue.
    Moreover, in the If settings of the interface configured to run snort, the only option available for HOME NET is the default (which includes the subnets of all interfaces). When I change it manually in the corresponding snort.conf file, after restarting the service it does take the same values again.

    Am I missing something or is it a kind of a bug?

    Thanks

    Antonios



  • @atlasis:

    …in the If settings of the interface configured to run snort, the only option available for HOME NET is the default (which includes the subnets of all interfaces)...

    I did overcome this problem by using the "Advanced configuration pass through" to pass the HOME_NET and the EXTERNAL_NET parameters. In the snort.conf file there are two definitions of these variables (the default and the passed-through ones), but obviously the second overrides the first.

    However, I still believe it is an issue that you cannot change the default value.



  • @Cino:

    @asterix:

    By any chance.. do you have the widescreen package installed?

    nope… Would like to use it but not till its fully completed

    Matthias did some changes to fix the issues with the widescreen pkg…

    http://forum.pfsense.org/index.php/topic,35285.0.html

    Though it is a manual process and still requires some editing if you are not running 2.1... All in all it works and fixes a lot of bugs.



  • I personally consider it a bug since you don't normally think of your home net as your WAN interface.  I don't know how pfSense feels about that, which is what will ultimately decide if this is a "bug" or "feature".



  • @Ermal I noticed you added some code to allow inspecting gzipped http flows.. After updating the package I'm receiving this error:

    snort[1781]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(171) => Enable 'extended_response_inspection' inspection before setting 'inspect_gzip'

    I removed the changes from my box and snort started again.

    Doing some research, I added extended_response_inspection before the changes you made and snort started. Based on the docs, this is needed for the inspect_gzip setting

        extended_response_inspection \
        inspect_gzip \
        normalize_utf \
        unlimited_decompress \

    Reviewing the different settings, I think it would make sense to have them under Preprocessors: HTTP Inspect Settings. With all the different settings available for snort, I can see why it would almost be a full-time job to make everything configurable within pfSense.

    P.S. I still can't clear the alert log. After clicking 'OK' to clear the log, nothing happens. At least I'm not being directed to a blank page now.
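As an added example (not code from this thread or from the pfSense snort package), here is a small Python checker that mirrors two points raised in the posts above: the pass-through HOME_NET/EXTERNAL_NET definitions overriding the defaults (last definition wins), and the http_inspect_server dependency behind the FATAL ERROR (inspect_gzip without extended_response_inspection). The snort.conf excerpt embedded in it is constructed for the example.

```python
import re

# Constructed snort.conf excerpt: a default HOME_NET, a pass-through override,
# and an http_inspect_server block that enables inspect_gzip without
# extended_response_inspection (the condition snort rejects at startup).
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET any
# advanced configuration pass-through section
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    inspect_gzip \\
    normalize_utf \\
    unlimited_decompress
"""

def join_continuations(text):
    """Yield (first_lineno, logical_line), merging backslash-continued lines
    and dropping '#' comments and blank lines."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        if start is None:
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, ' '.join(buf)))
        buf, start = [], None
    return out

def effective_vars(text):
    """Resolve ipvar/var/portvar definitions; a later definition overrides
    an earlier one, which is why the pass-through values take effect."""
    vals = {}
    for _, line in join_continuations(text):
        m = re.match(r'(?:ipvar|var|portvar)\s+(\w+)\s+(.+)', line)
        if m:
            vals[m.group(1)] = m.group(2)
    return vals

def http_inspect_problems(text):
    """Flag http_inspect_server blocks that set inspect_gzip without
    extended_response_inspection; returns [(lineno, message), ...]."""
    problems = []
    for n, line in join_continuations(text):
        if not line.startswith('preprocessor http_inspect_server:'):
            continue
        opts = set(line.split(':', 1)[1].split())
        if 'inspect_gzip' in opts and 'extended_response_inspection' not in opts:
            problems.append((n, "inspect_gzip requires extended_response_inspection"))
    return problems
```

Running `http_inspect_problems` over a generated snort.conf before restarting the service catches the misconfiguration without waiting for snort to abort.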



  • Thanks Cino for the usual help.

    The alert mostly works; when it does not work it's mostly because of snort reloading or php doing something stupid, though I have not investigated which it is that does this.



  • Anytime!

    Looks like someone figured out a fix for clearing the alert log. Take a look when you have time, http://redmine.pfsense.org/issues/1765



  • I just pushed the fixes for the alert.
    Test it out.



  • tested and confirm it is working.. Thanks again



  • How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?



  • @bdwyer:

    How did you manage to update Snort with that fix?  Is it in a new ISO or must I place the new snort_alerts.php there manually?

    Basically, when you see updates in the forum and no change in package version, just reinstall (in this case the snort package) to get the latest file versions.



  • Yes, I think that worked.  Thanks for filling me in.



  • Sorry for reviving an old thread, but I've been having the Unknown output plugin: "alert_pf" problem on my AMD64 pfSense 2.0 install.

    I originally thought it could be a package problem; but after a few updates and apparently no one else has this problem anymore, I suspect I'm missing something.

    Can anyone clarify if "Block offenders" is working on AMD64?

    If so, any clues about why mine doesn't work?



  • Did you try to uninstall / reinstall the snort package?



  • Yes, every single time.
    Just in case, I did it again. No luck.

    Pretty sure my messing around caused this; does anyone know which library contains the alert_pf plugin?



  • Try to uninstall again, then go to the console and remove any snort package or dependency left behind.
    I think some post on this topic has detailed info about this.



  • Locking this thread so it won't get hijacked over and over by numerous different issues, please start new threads instead.

