    Upgrade Snort ASAP

      yoda715 last edited by

      A major flaw has been found in Snort.

      http://www.channelweb.com/sections/allnews/article.jhtml?articleId=197007393&cid=ChannelWebNews

      Everyone, please update to the latest Snort version: 2.6.1.3_2

      Process to upgrade:
      1. Reinstall the package: Go to System->Packages. Click the Installed Packages tab, then click the reinstall button to the right of the Snort package.
      2. Download the rules: Go to Services->Snort and click the Update Rules tab. The rules will be downloaded now.
      3. Save rule categories: click the Snort Categories tab, select the rules you wish to use, and click save.
      4. Save snort settings:  click the Snort Settings tab, make sure your settings are what you desire, then click save.

      Snort should now successfully boot up. If you have any troubles related to the upgrade please let us know.

        keithdrone last edited by

        Yeah, slight problem.  Now snort won't load at all.  Service won't run, and there are no logs about it in the system either.  I click 'start service' and it says it starts, but in the services status area it shows it not running.

        I have the latest snapshot (2-18), and have never had problems with snort before this new version.  The previous version I had was…. well, I don't remember what # it was but it was right before this new one  ::)

        Tried re-installing packages and XML, uninstalling and reinstalling from scratch, rebooting, and even reinstalling pfSense itself (I do so love my Snort!).  Any suggestions?

          sullrich last edited by

          Reinstall SNORT.  It was just fixed a few moments ago.

            keithdrone last edited by

            Didn't work.  Did they change the version name to a new one with the fix?  Because I still have 2.6.1.3_2 from a few hours ago when I had the problems.
            I suppose another re-install of pfSense would be in order….

              yoda715 last edited by

              No. It should be working. I've installed it twice successfully on two different machines. I know sullrich was able to install it successfully as well. Make sure you are redownloading the rules, saving the rule categories, and then saving your settings. You may have done this in the past, but each time you reinstall snort these must be done.

                trendchiller last edited by

                it REALLY works !

                I installed it on all 3 of my systems… but I deleted it before on my systems and then reinstalled... so there are no packages left when looking at the shell by using pkg_info

                  yoda715 last edited by

                  @trendchiller:

                  it REALLY works !

                  I installed it on all 3 of my systems… but I deleted it before on my systems and then reinstalled... so there are no packages left when looking at the shell by using pkg_info

                  Good to hear I'm not going crazy :).

                    yoda715 last edited by

                    I've updated Snort again. The changes I made will now automatically insert the WAN Gateway, DNS servers, and loopback address into your whitelist. This change will prevent issues with RRD graphs, DNS lookups and ftp-helper. I also modified the portscan detection so it should function properly now.

                    Please reinstall using the procedures listed above and test it out :).

                      trendchiller last edited by

                      ;D

                      really cool !

                      I love you for that  ::)

                      Now it really works like a charm  8)

                        PC_Arcade last edited by

                        @trendchiller:

                        Now it really works like a charm  8)

                        Couldn't agree more - Great work, thanks sdale :)

                          keithdrone last edited by

                          I finally got my Snort to work, but had to uninstall and reinstall pfSense again. I tried everything else you suggested, but perhaps I installed/uninstalled Snort too many times because it was giving me some errors. So, format/reload and it worked for a bit.

                          Then it shut down again and won't start up unless I keep pestering it to start over and over. Takes it about 30 minutes to go again. No logs on it, oddly enough.

                          Perhaps I'm using too much memory for this version?  I have about 460mb ram (pc133) on a 777mhz celeron bastard box.  Only using 10-20% at any given time.  Using AC-sparsebands, and loading up all but 2 rulesets on startup.  Didn't have problems before.   I've trimmed it down to loading 5 rulesets but it still randomly stops and won't start again.   I'll keep tinkering and see if I can figure it out on my own.

                            hoba last edited by

                            Sounds like memory issues to me. Try to disable some rules or test with only few rules enabled just to confirm this assumption.

                              keithdrone last edited by

                              I uninstalled it and reinstalled it yet again…. and now it works fine (for now), going on an hour without messing up.  I have all the rulesets enabled and AC-sparsebands, same setup I had last time.

                              So, I'm chalking it up to gremlins.    That and the fact that Comcast scans me about a trillion times a day :p  Probably testing out that exploit on their customers..... jerks.

                              Thanks for your help.

                                yoda715 last edited by

                                I would not advise running all rulesets with only 460 Ram. That might be part of your problem. If Snort starts eating up a lot of memory, processes will start to be killed, including snort. I have 1gig and having all rulesets checked pushes me over 600mb.

                                  mbedyn last edited by

                                  Hmmm, my upgraded Snort instance was running fine until this morning, when I saw this in my logs:

                                  Feb 23 07:23:17 	snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
                                  Feb 23 07:23:17 	snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
                                  Feb 23 07:13:20 	snort2c[45793]: attack detected non-whitelisted ip: 86.97.202.41 blocked !
                                  

                                  :-
                                  Has anybody experienced this?

                                    trendchiller last edited by

                                    crazy… when looking at >STATUS >SERVICES snort seems to be stopped... ?

                                    when starting it with the button it tells me to be started and the status still tells me snort to be stopped...

                                    cosmetic error or serious bug ?

                                    When starting it in the CLI it tells me in the last lines:

                                    ERROR: /usr/local/etc/snort/snort.conf(xx) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                                    Fatal Error, Quitting..

                                    What has happened ?

                                    It's the same error on both of my local systems…

                                    Seems to have something to do with the xxx-sample-files in /usr/local/etc/snort/ because snort cannot find the xxx.map-files, because they are NOT present... only the samples...
                                    I have no idea how they are generated, but perhaps it helps ?

                                    You can get it running MANUALLY FROM THE CLI by changing manually in /usr/local/etc/snort/snort.conf
                                    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 to preprocessor http_inspect: global iis_unicode_map unicode.map-sample 1252
                                    include classification.config-sample to include classification.config-sample
                                    include reference.config-sample to include reference.config-sample

                                    or just rename the files above…

                                      yoda715 last edited by

                                      @trendchiller:

                                      crazy… when looking at >STATUS >SERVICES snort seems to be stopped... ?

                                      when starting it with the button it tells me to be started and the status still tells me snort to be stopped...

                                      cosmetic error or serious bug ?

                                      When starting it in the CLI it tells me in the last lines:

                                      ERROR: /usr/local/etc/snort/snort.conf(xx) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                                      Fatal Error, Quitting..

                                      What has happened ?

                                      It's the same error on both of my local systems…

                                      Seems to have something to do with the xxx-sample-files in /usr/local/etc/snort/ because snort cannot find the xxx.map-files, because they are NOT present... only the samples...
                                      I have no idea how they are generated, but perhaps it helps ?

                                      You can get it running MANUALLY FROM THE CLI by changing manually in /usr/local/etc/snort/snort.conf
                                      preprocessor http_inspect: global iis_unicode_map unicode.map 1252 to preprocessor http_inspect: global iis_unicode_map unicode.map-sample 1252
                                      include classification.config-sample to include classification.config-sample
                                      include reference.config-sample to include reference.config-sample

                                      or just rename the files above…

                                      That is weird. Never had that trouble. Reinstall Snort and those files will be regenerated.

                                        trendchiller last edited by

                                        yes !
                                        looking better :-)

                                          Klexx last edited by

                                          Hi, just upgraded but snort won't start?  When I'm trying to start it from the command line "snort -d" I get this error msg:

                                          ERROR: /usr/local/etc/snort/snort.conf(42) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
                                          Fatal Error, Quitting..

                                          Is it a minor bug ??

                                            sullrich last edited by

                                            Configure it first…

                                              Klexx last edited by

                                              @sullrich:

                                              Configure it first…

                                              I reinstalled the package, and when I looked at the settings it seemed like it was configured (aka: all settings were the same as before).
                                              After I read your answer I just hit the save button, aka resaving the configuration, and now it works :-)

                                              Thank you for superb support :-)
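
The failure reported twice in this thread, a snort.conf that names files which are not on disk so the service exits without a log entry, can be checked for before starting Snort. The script below is an added example, not part of the thread or of the pfSense package; the function names, the constructed sample tree and the assumption that relative names resolve against the directory of snort.conf are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): report files that snort.conf
# references but that are not readable on disk.

# Print every missing file referenced by "include" or "iis_unicode_map".
# Assumption: relative names resolve against the directory of snort.conf.
missing_snort_files() {
    conf=$1
    dir=$(dirname "$conf")
    sed 's/#.*//' "$conf" | awk '
        function expand(s,   n) {            # substitute $NAME from "var" lines
            for (n in vars) gsub("\\$" n, vars[n], s)
            return s
        }
        $1 == "var"     { vars[$2] = $3; next }
        $1 == "include" { print expand($2); next }
        { for (i = 1; i < NF; i++) if ($i == "iis_unicode_map") print expand($(i + 1)) }
    ' | while read -r f; do
        case $f in
            /*) path=$f ;;
            *)  path=$dir/$f ;;
        esac
        [ -r "$path" ] || printf '%s\n' "$path"
    done
}

# Constructed sample tree mirroring the state described in the thread:
# only the *-sample files exist next to snort.conf.
build_sample() {
    d=$(mktemp -d /tmp/snortchk.XXXXXX)
    mkdir "$d/rules"
    : > "$d/unicode.map-sample"
    : > "$d/classification.config-sample"
    : > "$d/rules/local.rules"
    cat > "$d/snort.conf" <<'EOF'
var RULE_PATH rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
include classification.config   # comment after directive
include $RULE_PATH/local.rules
EOF
    printf '%s\n' "$d"
}

sample=$(build_sample)
missing_snort_files "$sample/snort.conf"
rm -rf "$sample"
```

An empty result means every referenced file is present; any path printed is one Snort would fail on at startup.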
