Snort Won't Start After Upgrade
-
I have an idea…and this comment isn't directed toward anyone in particular...Why don't we stop the griping, whining and bitching and just let the devs do their magic. No amount of complaining is gonna make a difference. It is what it is and none of us can do anything about it unless you're willing to back up your complaints and put your money where your mouth is with a bounty. Unfortunately, I can't afford to donate to the cause. So let's just be patient. I'm just gonna sit back and wait for snort to reappear on the package list.
Regards,
Jon
-
@nipstech:
I have an idea…and this comment isn't directed toward anyone in particular...Why don't we stop the griping, whining and bitching and just let the devs do their magic. No amount of complaining is gonna make a difference. It is what it is and none of us can do anything about it unless you're willing to back up your complaints and put your money where your mouth is with a bounty. Unfortunately, I can't afford to donate to the cause. So let's just be patient. I'm just gonna sit back and wait for snort to reappear on the package list.
Regards,
Jon

+1
-
@nipstech:
I have an idea…and this comment isn't directed toward anyone in particular...Why don't we stop the griping, whining and bitching and just let the devs do their magic. No amount of complaining is gonna make a difference. It is what it is and none of us can do anything about it unless you're willing to back up your complaints and put your money where your mouth is with a bounty. Unfortunately, I can't afford to donate to the cause. So let's just be patient. I'm just gonna sit back and wait for snort to reappear on the package list.
Regards,
Jon

I would like to know why they played with snort when it worked fine with zero problems. Now we have a guy telling us to keep our mouths shut!!! Why should we!!!!! Plus it is on the package list NOT WORKING why is it not working …....
-
@nipstech:
I have an idea…and this comment isn't directed toward anyone in particular...Why don't we stop the griping, whining and bitching and just let the devs do their magic. No amount of complaining is gonna make a difference. It is what it is and none of us can do anything about it unless you're willing to back up your complaints and put your money where your mouth is with a bounty. Unfortunately, I can't afford to donate to the cause. So let's just be patient. I'm just gonna sit back and wait for snort to reappear on the package list.
Regards,
Jon

The problem is some of us work for organisations that mandate the use of IDS/IPS and basically I've had to shut pfSense down and stop all testing and go back to running full FreeBSD installs with snort. If we had some idea of the problem I'm sure some of us on here have the skills to assist.
-
Agreed!
I also posted a comment regarding the status of SNORT. All it would take is for the developer to post a quick update with an ETA. This will stop all the posts, BUT… NOTHING!
Just my 10c
-
My point of view is a bit different.
pfSense is an amazingly competent product that's available for free. The folks who've created this product are trying to turn it into a full-time gig by selling consulting and books, but for the most part we're seeing the contributions of volunteers. Which includes the guy doing Snort integration. I'd guess he's got a life outside of pfSense and his contributions here, and I'm sure he'll get things running again when he's able.
If you need an IDS up and running as part of your firewall distribution then you can get that. Cisco, SonicWALL, and Juniper all have IDS systems you can subscribe to, for instance. Of course, they're all quite expensive and run on pricey, proprietary hardware that requires upgrades every few years. If you need it though, you can have it in-hand tomorrow. For my needs I'd be looking at something like $3,000 for a SonicWALL 2400 with IDS and one year of maintenance, with $510 annually for the IDS renewal and $300 for the service contract extension. Juniper is more, and Cisco is way more.
Instead I'm running on a $700 netgate solid state device with (currently non-functional) Snort. I bought the documentation book for 1.2, and I'll buy the next one. I sent the developer of the Snort package $50 with a note of thanks. And I'm willing to be patient.
This is open source. You can build it yourself, or you can wait for the guy who's devoting his time to solving your business problems to get the work complete, or you can pay for a service contract (possibly for another product.)
-
Or post a bounty to get snort working if it's that important for the business. I'm sure it'll help things along a lot quicker.
Otherwise I'd be happy to wait.
Darkk
-
Personally I think snort should be part of the main package. To me pfsense is the main release + squid + squidguard + snort. I just believe that part of the main development should be those packages integrated into the release.
Beyond that, if this package is so critical to so many, why has nobody put up a bounty like others suggested. I am also sure that the amount contributed to the snort developer is probably peanuts compared to the time he's put into this package. I am sure more of an incentive to keep it going would not hurt.
As just a home user I've donated my $50 in the past (and probably should do more when the next release comes out), as well as offered money for bounties when I can. For people complaining that their company needs it, I think the amount should be much more. Your business is operating on free software, contribute to it, or it will stop being developed. Complain when you have to spend thousands on proprietary software with yearly fees, instead of living off free software. It's not really free, as the developers spend their time working on it for nothing. Donate a few dollars per year, it's worth the rewards when you get software like pfsense (watch the other distros with no support fall off over the years or move strictly into pay systems and you will know how good this really is).
That's all I have to say on the topic….
-
Update….
I am pretty much done with everything, GUI wise. New snort binaries are building right now, that is a relief.
Only 2 things left to do...
1. create snortsam GUI.
2. create snortsam/snort/barnyard2 startup scripts.
I have been stuck on creating a way to manage the snortsam block sid rule sets and saving user changes to said blocked sids.
You guys/girls have to realize there are 30,000 snort/emerging rule block sids and I have to make sure your saved settings are saved and displayed correctly as fast as possible.
Side note: I am always happy when you guys care enough to complain. Makes me feel my work on the GUI and the forums is useful to you.
I understand you guys are bothered, but snort is working on pfsense 1.2.3 and the removal of the old snort version from 2.0 could not be helped.
Moreover, I understand the urgency and I am working as fast as possible with the limited amount of time I have. (personal life, work, paid projects etc...)
I am not giving you a date on release to beta, just know I am close.
follow my progress
https://github.com/robiscool
Thanks
Robert
-
Hi Robert.
Actually, it is very true what you say. The reason people (including myself!) are complaining is because your work is so very important in the entire release of pfSense that without your contribution, the firewall is reasoned lacking. (In other words, without Snort, pfSense just won't do!)
I thank you for your update. I believe most people (if not all) have been put to rest seeing that you are putting so much effort into Snort.
Kind regards
Aubrey Kloppers
Cape Town
South Africa
-
Robert,
Keep up the good work man! From what I've seen, the new package looks really awesome! Looking forward to beta testing when that time comes..
-
Awesome!! Looking forward to it.
Darkk
-
I am glad my standby utm software still works on my hardware. I hope you guys tell us when the beta is ready to go..
-
Segfaults for me on an AMD64 box when started from a shell .. looks as if progress is being made though, keep @ it Jamesdean ;)
-
We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has led to this massive clean up today, with more work to be done on it tomorrow.
https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a
That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.
If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.
-
@cmb:
We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has led to this massive clean up today, with more work to be done on it tomorrow.
https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a
That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.
If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.

Funny, I just checked github to see what updates are out there and Ermal has been busy!! I see the old snort package is enabled… Who is going to be the brave soul and try it? Well I gave it a shot and it installed on my system but it couldn't download the rules from snort.org
Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 859
I guess I should wait until the devs say it's good to go.
Going to see if I can manually download them
-
@cmb is right, snort should be maintained by the core paid developers. My work on snort package will stop immediately and will move my code to a package called Orion.
I have really enjoyed giving my free time and code to the pfSense snort community. I hope people continue to enjoy my GUI I have built and code I have donated.
Those of you that expect the Old snort gui to return don't worry, 90% of my snort 1.2.3 code will not change for 2.0.
My snort 2.0 package I was working on will become Orion IDS package and will likely become private for paid supporters. This will help me give my full attention to this package.
I think I have a base now that can support me to work on this package on a limited part time.
Moreover, this should give me the freedom to add features as fast as possible.
Robert
-
I just made some other changes that should make it behave better in regards to rule downloading.
I couldn't test with snort.org since it was slow and did not have an account to test with.
-
This makes sense if I'm reading these last couple of posts correctly. Snort being maintained by the core dev team.. If users want more than a basic Snort package… They have the option to pay for the Orion IDS.
@Ermal I'll give it a shot but you are right! Snort.org is really slow today... My manual updating from the cmd failed due to timeouts
-
Snort's site is timing out so I can't test. emergingnet rules downloaded with no problems.
When I tried to start snort on my WAN interface, this is the error I received:
Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 92
Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: Is a directory in /usr/local/pkg/snort/snort.inc on line 1184
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 192
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 193
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 194
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 195
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 196
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 197
This is in my system log:
Aug 2 13:20:31 php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
Aug 2 13:20:31 php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
I don't know if this is related to adding snort or my morning's gitsync but when I look at my system log I get the below errors. I'm able to see the system log tho but this is at the header of the page. Also, none of the other tabs are showing this error (firewall, dhcp, openvpn)
Warning: Unknown: GC cache entry '/usr/local/www/guiconfig.inc' (dev=109 ino=801962) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/usr/local/www/csrf/csrf-magic.php' (dev=109 ino=801951) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/xmlparse.inc' (dev=109 ino=7301225) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/util.inc' (dev=109 ino=7301219) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv.defs.inc' (dev=109 ino=7301206) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv.inc' (dev=109 ino=7301205) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv/user.priv.inc' (dev=109 ino=7301204) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/notices.inc' (dev=109 ino=7301195) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/led.inc' (dev=109 ino=7301192) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/IPv6.inc' (dev=109 ino=7301190) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/globals.inc' (dev=109 ino=7301185) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/crypt.inc' (dev=109 ino=7301178) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/config.lib.inc' (dev=109 ino=7301176) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/config.gui.inc' (dev=109 ino=7301175) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/authgui.inc' (dev=109 ino=7301168) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/auth.inc' (dev=109 ino=7301167) was on gc-list for 3659 seconds in Unknown on line 0
Warning: session_start(): Cannot send session cache limiter - headers already sent in /etc/inc/auth.inc on line 1260
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 47
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 48
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 49
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 50
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 51
Now I'm asking for too much, could it be possible to add an index.php in the root of the snort www directory with the below code? So when I click on the pfSense image in the upper left corner, it brings me back to the main dashboard page instead of page not found.
EDIT: The permissions are wrong on the /usr/local/etc/rc.d/snort.sh file I believe. It's currently 644, should be 755. I tried to manually start snort using the snort.sh but I think there is a syntax error with the interface
[2.1-DEVELOPMENT][root@]/root/custom(7): /usr/local/etc/rc.d/snort.sh start
ls: /tmp/snort.sh.pid: No such file or directory
ls: /tmp/snort.sh.pid: No such file or directory
rm: /var/run/snort_7758_em3.pid: No such file or directory
rm: /var/run/snort_7758_em3.pid.lck: No such file or directory
[2.1-DEVELOPMENT][root@]/root/custom(8): usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file target_file
       cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file ... target_directory
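
-
Added example, not part of any post in this thread and not pfSense or Snort package code: a small triage of the run-together PHP warnings reported above, separating the warnings that point at a fault from the "headers already sent" warnings that only follow from earlier output. The function names `triage` and `report` are made up for this illustration, and the sample string is rebuilt from the warnings quoted in the post.

```python
import re
from collections import Counter

SNORT_INC = "/usr/local/pkg/snort/snort.inc"
IFACES_PHP = "/usr/local/www/snort/snort_interfaces.php"

# The warnings from the post above, rebuilt as one run-together string
# (the way the web GUI printed them at the top of the page).
SAMPLE = " ".join(
    [f"Warning: Invalid argument supplied for foreach() in {SNORT_INC} on line 92",
     "Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: "
     f"Is a directory in {SNORT_INC} on line 1184"]
    + [f"Warning: Cannot modify header information - headers already sent by "
       f"(output started at {SNORT_INC}:92) in {IFACES_PHP} on line {n}"
       for n in range(192, 198)]
)

# One PHP warning: "Warning: <message> in <file> on line <n>".
WARNING = re.compile(r"Warning: (?P<msg>.+?) in (?P<file>/\S+) on line (?P<line>\d+)")
# PHP names the place where output began inside the "headers already sent" text.
STARTED = re.compile(r"output started at (?P<file>/\S+?):(?P<line>\d+)\)")


def triage(text):
    """Split concatenated warnings into root causes and cascaded symptoms."""
    roots, cascades = [], Counter()
    for m in WARNING.finditer(text):
        origin = STARTED.search(m["msg"])
        if origin:
            # Symptom only: count it against the location that emitted output.
            cascades[(origin["file"], int(origin["line"]))] += 1
        else:
            roots.append((m["file"], int(m["line"]), m["msg"]))
    return roots, cascades


def report(text):
    """Return one entry per root cause with the number of warnings it explains."""
    roots, cascades = triage(text)
    return [
        {"file": f, "line": n, "message": msg, "cascaded": cascades.get((f, n), 0)}
        for f, n, msg in roots
    ]


if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(f'{entry["file"]}:{entry["line"]}  {entry["message"]}  '
              f'(+{entry["cascaded"]} follow-on warnings)')
```

On the warnings in this post, the eight lines reduce to two places to look in snort.inc: the foreach() at line 92, whose own warning text is the output that triggers the six header warnings, and the fopen() at line 1184 that was handed the suppress directory instead of a file.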