Upgrade Snort ASAP



  • A major flaw has been found in Snort.

    http://www.channelweb.com/sections/allnews/article.jhtml?articleId=197007393&cid=ChannelWebNews

    Everyone please update to the Latest snort version: 2.6.1.3_2

    Process to upgrade:
    1. Reinstall the package: Go to System->Packages. Click the Installed Packages tab, then click the reinstall button to the right of the Snort package.
    2. Download the rules: Go to Services->Snort and click the Update Rules tab. The rules will be downloaded now.
    3. Save rule categories: click the Snort Categories tab, select the rules you wish to use, and click save.
    4. Save snort settings:  click the Snort Settings tab, make sure your settings are what you desire, then click save.

    Snort should now successfully boot up. If you have any troubles related to the upgrade please let us know.



  • Yeah, slight problem.  Now snort won't load at all.  Service won't run, and there are no logs about it in the system either.  I click 'start service' and it says it starts, but in the services status area it shows it not running.

    I have the latest snapshot (2-18), and have never had problems with snort before this new version.  The previous version I had was…. well, I don't remember what # it was but it was right before this new one  ::)

    Tried re-installing packages and XML, uninstalling and reinstalling from scratch, rebooting, and even reinstalling PFsense itself (I do so love my Snort!).  Any suggestions?



  • Reinstall SNORT.  It was just fixed a few moments ago.



  • Didn't work.  Did they change the version name to a new one with the fix?  Because I still have 2.6.1.3_2 from a few hours ago when I had the problems.
    I suppose another re-install of PFsense would be in order….



  • No. It should be working. I've installed it twice successfully on two different machines. I know sullrich was able to install it successfully as well. Make sure you are redownloading the rules, saving the rule categories, and then saving your settings. You may have done this in the past, but each time you reinstall snort these must be done.



  • It REALLY works!

    I installed it on all 3 of my systems… but I deleted it from my systems before and then reinstalled... so there are no packages left when looking in the shell using pkg_info



  • @trendchiller:

    It REALLY works!

    I installed it on all 3 of my systems… but I deleted it from my systems before and then reinstalled... so there are no packages left when looking in the shell using pkg_info

    Good to hear I'm not going crazy :).



  • I've updated Snort again. The changes I made will now automatically insert the WAN Gateway, DNS servers, and loopback address into your whitelist. This change will prevent issues with RRD graphs, DNS lookups and ftp-helper. I also modified the portscan detection so it should function properly now.

    Please reinstall using the procedures listed above and test it out :).



  • ;D

    really cool !

    I love you for that  ::)

    Now it really works like a charm  8)



  • @trendchiller:

    Now it really works like a charm  8)

    Couldn't agree more - Great work, thanks sdale :)



  • I finally got my Snort to work, but had to uninstall and reinstall PFsense again.   I tried everything else you suggested, but perhaps I installed/uninstalled snort too many times because it was giving me some errors.  So, format/reload and it worked for a bit.

    Then it shut down again and won't start up unless I keep pestering it to start over and over.  Takes it about 30 minutes to go again.   No logs on it, oddly enough.

    Perhaps I'm using too much memory for this version?  I have about 460mb ram (pc133) on a 777mhz celeron bastard box.  Only using 10-20% at any given time.  Using AC-sparsebands, and loading up all but 2 rulesets on startup.  Didn't have problems before.   I've trimmed it down to loading 5 rulesets but it still randomly stops and won't start again.   I'll keep tinkering and see if I can figure it out on my own.



  • Sounds like memory issues to me. Try to disable some rules or test with only a few rules enabled just to confirm this assumption.



  • I uninstalled it and reinstalled it yet again…. and now it works fine (for now), going on an hour without messing up.  I have all the rulesets enabled and AC-sparsebands, same setup I had last time.

    So, I'm chalking it up to gremlins.    That and the fact that Comcast scans me about a trillion times a day :p  Probably testing out that exploit on their customers..... jerks.

    Thanks for your help.



  • I would not advise running all rulesets with only 460 Ram. That might be part of your problem. If Snort starts eating up a lot of memory, processes will start to be killed, including snort. I have 1gig and having all rulesets checked pushes me over 600mb.



  • Hmmm, my upgraded Snort instance was running fine until this morning, when I saw this in my logs:

    Feb 23 07:23:17 	snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
    Feb 23 07:23:17 	snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
    Feb 23 07:13:20 	snort2c[45793]: attack detected non-whitelisted ip: 86.97.202.41 blocked !
    

    :-
    Has anybody experienced this?



  • Crazy… when looking at >STATUS >SERVICES snort seems to be stopped... ?

    When starting it with the button it tells me it has started, and the status still tells me snort is stopped...

    Cosmetic error or serious bug?

    When starting it in the CLI it tells me in the last lines:

    ERROR: /usr/local/etc/snort/snort.conf(xx) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
    Fatal Error, Quitting..

    What has happened ?

    It's the same error on all my 2 local systems…

    Seems to have something to do with the xxx-sample-files in /usr/local/etc/snort/ because snort cannot find the xxx.map-files, because they are NOT present... only the samples...
    I have no idea how they are generated, but perhaps it helps ?

    You can get it running MANUALLY FROM THE CLI by changing manually in /usr/local/etc/snort/snort.conf
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 to preprocessor http_inspect: global iis_unicode_map unicode.map-sample 1252
    include classification.config-sample to include classification.config-sample
    include reference.config-sample to include reference.config-sample

    or just rename the files above…



  • @trendchiller:

    Crazy… when looking at >STATUS >SERVICES snort seems to be stopped... ?

    When starting it with the button it tells me it has started, and the status still tells me snort is stopped...

    Cosmetic error or serious bug?

    When starting it in the CLI it tells me in the last lines:

    ERROR: /usr/local/etc/snort/snort.conf(xx) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
    Fatal Error, Quitting..

    What has happened ?

    It's the same error on all my 2 local systems…

    Seems to have something to do with the xxx-sample-files in /usr/local/etc/snort/ because snort cannot find the xxx.map-files, because they are NOT present... only the samples...
    I have no idea how they are generated, but perhaps it helps ?

    You can get it running MANUALLY FROM THE CLI by changing manually in /usr/local/etc/snort/snort.conf
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 to preprocessor http_inspect: global iis_unicode_map unicode.map-sample 1252
    include classification.config-sample to include classification.config-sample
    include reference.config-sample to include reference.config-sample

    or just rename the files above…

    That is weird. Never had that trouble. Reinstall Snort and those files will be regenerated.



  • yes !
    looking better :-)



  • Hi, just upgraded but Snort won't start? When I'm trying to start it from the command line with "snort -d" I get this error msg:

    ERROR: /usr/local/etc/snort/snort.conf(42) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
    Fatal Error, Quitting..

    Is it a minor bug ??



  • Configure it first…



  • @sullrich:

    Configure it first…

    I reinstalled the package, and when I looked at the settings it seemed like it was configured (aka: all settings were the same as before).
    After I read your answer I just hit the save button, aka resaving the configuration, and now it works :-)

    Thank you for superb support :-)
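The `unicode.map` failure reported above leaves nothing in the GUI logs, so a pre-start check of the files that snort.conf references shows it directly. The script below is an added example, not part of the thread or of the pfSense Snort package; the function names are hypothetical, and it assumes relative file names resolve against the directory of snort.conf, as the path in the error message above suggests.

```shell
#!/bin/sh
# Added example. Lists files named by "include" and "iis_unicode_map" in a
# snort.conf that do not exist; relative names resolve against the conf's directory.
snort_conf_missing() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    dir=$(dirname "$conf")
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "include" && NF >= 2 { print NR, $2 }
        { for (i = 1; i < NF; i++)
              if ($i == "iis_unicode_map") print NR, $(i + 1) }
    ' "$conf" | {
        rc=0
        while read -r line file; do
            case $file in
                *'$'*) continue ;;   # $RULE_PATH-style variables are not expanded here
                /*)    path=$file ;;
                *)     path=$dir/$file ;;
            esac
            [ -e "$path" ] && continue
            rc=1
            if [ -e "$path-sample" ]; then
                echo "$conf($line): missing $path (only $path-sample exists)"
            else
                echo "$conf($line): missing $path"
            fi
        done
        [ "$rc" -eq 0 ]              # status 1 if anything was missing
    }
}

# Constructed sample mirroring the thread: only unicode.map-sample is present.
snort_conf_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' \
        'preprocessor http_inspect: global iis_unicode_map unicode.map 1252' \
        'include classification.config' \
        'include $RULE_PATH/local.rules' > "$d/snort.conf"
    : > "$d/unicode.map-sample"
    : > "$d/classification.config"
    st=0
    snort_conf_missing "$d/snort.conf" || st=$?
    rm -rf "$d"
    return "$st"
}

# With a path argument, check that file: sh check.sh /usr/local/etc/snort/snort.conf
[ $# -eq 0 ] || snort_conf_missing "$1"
```

A non-zero exit status means at least one referenced file is absent, which is the state in which Snort quits with "Fatal Error, Quitting.." before it can log anything.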

