Problem SNORT 2.9.1 pkg v. 2.1



  • I reinstalled SNORT to upgrade to version 2.9.1 v 2.1 which looks to be new as of today.

    I also subsequently removed (reset all settings) and reinstalled to try and resolve the error below.

    In all cases, I am getting this error:

    snort[709]: FATAL ERROR: pf.conf => Table snort2c,kill don’t exists in packet filter

    I also noted that two new options were added in the IF settings tab:

    Kill states (on or off)
    Which ip to block (SRC, DESTINATION, BOTH)

    After removal/reinstallation, the options for “Which IP to block” have disappeared.

    Version 2.0.1-RELEASE (amd64)
    built on Mon Dec 12 18:16:13 EST 2011
    FreeBSD 8.1-RELEASE-p6

    You are on the latest version.
    Platform pfSense
    CPU Type Intel® Atom™ CPU 330 @ 1.60GHz
    Current: 999 MHz, Max: 1599 MHz



  • I checked github and it looks like there is going to be a binary update for the package. Since the changes were made today, we have to wait at least till tomorrow for the binaries to be compiled. Checking files.pfsense.org, the timestamp hasn’t changed.

    @emarl I didn’t notice this before but the package states the version is 2.9.1 but the binaries in the package are 2.9.0.5… Checking files.pfsense.org, I don’t see a package for 2.9.1, only pbi’s… there is a 2.9.2 package though… not that it really makes a difference but I want to let you know



  • Thanks for the reply Cino 🙂

    I did observe that unchecking “block offenders” allows SNORT to start… however, no point in spending any more time digging if a binary update is pending.

    Cheers,
    Dennis.



  • I am also having this issue.

    I unchecked block offenders, however, I still had to add ‘portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]’ in order to get Snort to start.

    As said above, the package says it’s ‘2.9.1 pkg v. 2.1’, but when you install it and open it, it says its version is ‘2.9.1 pkg v. 2.0.2’

    Looks like there are a few new features though.

    Also, WOW, it uses A LOT more memory now.  Just throwing that out there.

    Guess we’ll have to wait until tomorrow.

    -th3r3isnospoon



  • Updated to Snort 2.9.1 pkg v. 2.0.2

    Surprise Surprise,

    Same issue with this stable version of SNORT. When block offenders is checked, the SNORT service will not start.



  • We have EXACTLY the same issues - as soon as we try to “block hosts”, Snort fails to start.  There must be many many others around the world where their IDS security protection has just failed!!

    Does anyone have a precise date / time when the corrected version will be released and available to install on PFSENSE?

    Thanks!



  • In the meantime, does anyone know how to modify the snort2c table so that the updated snort can be made to work?



  • I have never been able to get the automatic rule update to function with any version.  I have always had to update the rules with a manual update.

    To be honest, Snort on PFSENSE worries me from a testing point of view.  We have used it for 2 years now and it’s nice when it works.  However, even the most basic testing would have found the current errors (especially that the product fails completely when it is set to “block hosts”).

    I hope they get this sorted soon!!



  • @trvsecurity:

    To be honest, Snort on PFSENSE worries me from a testing point of view. However, even the most basic testing would have found the current errors (especially that the product fails completely when it is set to “block hosts”).

    Indeed the pfsense Snort package has been having problems for several months.

    But keep in mind that most packages are not maintained by the pfsense core developers, so the quality control isn’t necessarily the same as the base system.

    I guess priorities are a matter of funding.



  • Offender blocking still offline as of 2:53 PM EST.



  • having the same problem……

    FATAL ERROR: pf.conf => Table snort2c,src,kill don’t exists in packet filter

    looks like the file pf.conf should be in /etc/pf.conf but I can’t seem to find it there on my pfsense box

    http://www.freebsd.org/doc/handbook/firewalls-pf.html
    http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

    if the file isn’t where it’s supposed to be, no wonder snort can’t find the table…



  • the binaries didn’t build last night. I heard that they are being built now. We just have to wait until they are built.

    When it comes to snort, if you see a new version and don’t understand pfsense and freebsd that well, wait till there is an announcement or experienced users confirming that it works before re-installing.

    other than barnyard, snort has been very stable for the last month… Once in a while it has to be restarted on my box but only when I’m doing heavy heavy bit-torrent downloading…



  • I’m wondering if it’s possible to make the package “publishing” via the GUI the last step?  In other words, remove the installation option entirely until the binaries and code etc. have been pushed to the update server?

    I check the packages regularly via the PF GUI, and if an update is there, tend to install it.  The downside is that in cases like this, you can’t go back and install the previous package.  That said, I remain very impressed with PF in general since pulling the pin on the previous routers.  Kudos to all in the chain.

    Cino, can you describe (with a link or two if possible 🙂 ) the process you used to check github?



  • or add automatic checksum comparison to the package manager; this would prevent this problem and any man-in-the-middle attacks



  • Check out the github site for pfsense. There you can see the old changes and new ones.



  • Cino, is there a newbie guide to checking github for snort?  I had a look here but beyond that, no idea what to do:  https://github.com/pfsense/pfsense



  • there isn’t and it would take me a while to make one…

    the changes were done here https://github.com/pfsense/pfsense-packages/commit/e4c13a5752c5f7b4947edbc4227b005cd333566d  You will have to manually edit the files… Remove what is in green and add what is in red… There is a way to download the whole file in a few steps.

    see if this helps everyone:

    /usr/local/pkg/snort/snort.inc

    https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc

    /usr/local/www/snort/snort_interfaces_edit.php

    https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php



  • Thanks Cino, that did the trick !

    I can now turn on Snort blocking 🙂

    Here are the steps for the Newbies…

    Exit shell and try things out. If all works, then go back to shell and remove the two backup copies of the files (ie. rm the .bk files )

    Curious if it works for others as well.

    @Cino:

    there isn’t and it would take me a while to make one…

    the changes were done here https://github.com/pfsense/pfsense-packages/commit/e4c13a5752c5f7b4947edbc4227b005cd333566d  You will have to manually edit the files… Remove what is in green and add what is in red… There is a way to download the whole file in a few steps.

    see if this helps everyone:

    /usr/local/pkg/snort/snort.inc

    https://raw.github.com/pfsense/pfsense-packages/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort.inc

    /usr/local/www/snort/snort_interfaces_edit.php

    https://github.com/pfsense/pfsense-packages/raw/3b0730f14734da787f673bd81260f7c65f8c882e/config/snort/snort_interfaces_edit.php



  • I have just changed the two files you mention and the problem seems the same.  I am still getting the following error when I try to start Snort with “block offenders” on:

    snort[12668]: FATAL ERROR: pf.conf => Table snort2c, don’t exists in packet filter

    Any ideas?



  • binaries seem to be in but there are some issues…

    @emarl The GUI doesn’t have anything for the “Which ip to block” field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when I have block offenders enabled.

    log:

    
    Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
    Jan 26 20:27:50 	snort[52895]: FATAL ERROR: snort.conf => No option on which ip to block src/dst/both: Unknown error: 0
    
    

    conf line is missing the new option:

    
    output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,
    
    

    Still have to manually add  the barnyard2 binary and add “portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]” under the advance

    Edit: If i have Kill States enabled, snort to start…

    
    	output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,kill
    
    


  • When you say that the binaries are there, does  this mean that they will be used to install Snort in PFSENSE from the GUI?  I have just reinstalled Snort and I still get the old error:

    snort[48751]: FATAL ERROR: pf.conf => Table snort2c,kill don’t exists in packet filter

    I still see version 2.02 when it should be version 2.1 I think?



  • there is a new timestamp, you can check here http://files.pfsense.org/packages/8/All/. Because of the way my box is set up, I have to manually add binaries after using the package gui.



  • The first time I “upgraded” to the new 2.1 version of SNORT I had three options under “Which IP to block”… SRC, DEST. and BOTH.  They’re not there now.



  • @catfish99:

    Thanks Cino, that did the trick !

    I can now turn on Snort blocking 🙂

    Here are the steps for the Newbies…

    Exit shell and try things out. If all works, then go back to shell and remove the two backup copies of the files (ie. rm the .bk files )

    Curious if it works for others as well.

    thanks catfish, I followed your instructions and snort is working with the old gui!
    one thing to note is I went to services in the gui and stopped the snort service before everything else, then ran your instructions, checked ‘block offenders’, and started snort without problems



  • I completely uninstalled Snort and then reinstalled using the GUI.  While I still see the wrong version (v 2.02), I can start it with host blocking on and it works so progress is being made 🙂

    I agree that there is a problem with the select box “Which ip to block” as this is empty.  I see no error generated by this as I think it defaults to SRC.

    The previous version of Snort didn’t remove the blocked hosts after one hour (as I had configured it to do).  This is why I upgraded in the first place so I will wait for an hour and see if blocked hosts get removed! 🙂



  • cino/catfish…thanks.  The old gui with the two files copied in via your instructions works.

    Cheers,
    Dennis.



  • @trvsecurity:

    The previous version of Snort didn’t remove the blocked hosts after one hour (as I had configured it to do).  This is why I upgraded in the first place so I will wait for an hour and see if blocked hosts get removed! 🙂

    if you go to the page where you select the time frame, when you save it; it should re-create the cron job.
    should look kinda like this: */5  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c



  • Cino, did you mean add code that is in green and remove the red?

    You will have to manually edit the files… Remove what is in green and add what is in red… There is a way to download the whole file in a few steps.



  • Hello

    I have tried all the above steps, but now I’m getting a new error message:

    snort[62529]: FATAL ERROR: Unable to open rules file “/usr/local/etc/snort/snort_47562_xl1//usr/local/etc/snort/snort_47562_xl1/reference.config”: No such file or directory.

    Any ideas?

    Thanks.



  • cino/catfish thanks a bunch. The two file updates worked on my end as well.



  • I have no idea how to see a cron job in PFSENSE (I’m a Windows guy lol) - I activated SSH and tried to telnet on port 22 but I get a PROTOCOL MISMATCH error and no chance to login.  How do I see cron jobs? lol



  • @dwood my statement was correct…… the green are new and red is what’s deleted… in this case, you want to go back so it would be the opposite.

    @torsurfer I’ve seen this before, can’t remember the fix… did you update your rules? you have to update them for every re-install

    @trvsecurity I’m a windows guy too but knowledge is power…lol… a telnet client won’t work since it’s SSH… search for putty… great tool and also winscp.  install the Cron package, it adds a menu to see it in the web interface.



  • @cino You’re right. Re-downloading the rules fixed the problem. Thanks!



  • Hi,
      I don’t understand why you can specify which IP to block (src, dst, both) only if your HomeNet is a “whitelists” and not a “netlist”.
    Can you please tell me the reason?

    I see the “Which ip to block” select empty… Anyway, in this case what happens?

    Thanks,
    Michele



  • @Cino:

    binaries seem to be in but there are some issues…

    @emarl The GUI doesn’t have anything for the “Which ip to block” field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when I have block offenders enabled.

    Again is ermal.

    Fixed.



  • is it safe to use the gui package management to upgrade now?



  • @ermal:

    @Cino:

    binaries seem to be in but there are some issues…

    @emarl The GUI doesn’t have anything for the “Which ip to block” field under If Setting. Going to see if I can manually edit the conf file and see if I can get it to start when I have block offenders enabled.

    Again is ermal.

    Fixed.

    Hi Ermal,
      thanks for fixing. Unfortunately now when I start the service I get the errors:

    FATAL ERROR: pf.conf => Table snort2c,src,kill don’t exists in packet filter
    or
    FATAL ERROR: pf.conf => Table snort2c,dst,kill don’t exists in packet filter
    or
    FATAL ERROR: pf.conf => Table snort2c,both,kill don’t exists in packet filter

    depending on what option I set in the “Which ip to block” field of the interface…

    Thanks,
    Michele



  • @ccb056:

    is it safe to use the gui package management to upgrade now?

    I would wait a while…. I am doing my test on my secondary machine and I am having some trouble…



  • mdima,

    EDIT: it seems you still have the old binary installed on your system; that is why you get the error



  • @ermal:

    mdima,
    your options tell that you do not have a table snort2c defined in your filter rules.
    Which should be by default hardcoded on pfSense rules.
    Can you check on /tmp/rules.debug that there is a <snort2c> table defined?

    Hi Ermal,
      thanks for your prompt answer.

    The table is defined in /tmp/rules.debug (“table <snort2c>” at line 15) and I can also see it in the Diagnostic->Tables page…

    Thanks,
    Michele
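The errors quoted across this thread (“Table snort2c,kill”, “Table snort2c,src,kill”, “Table snort2c,” and “No option on which ip to block src/dst/both”) all come from the same `output alert_pf:` line in snort.conf being read by two different builds of the alert_pf plugin. The checker below is an added example written for this thread; it is not code from the pfSense Snort package or from anyone posting here. It assumes, from the error text alone, that the older binary takes everything after the first comma as the pf table name, while the pkg 2.1 binary expects `whitelist,table,which_ip[,kill]` and refuses an empty which_ip. The rules.debug fragment and the config lines are constructed samples modelled on the ones posted above.

```python
import re

# Constructed sample of the relevant lines of /tmp/rules.debug (pfSense's
# generated pf ruleset). The real file has many more lines.
RULES_DEBUG = """\
table <snort2c> persist
table <virusprot> persist
block in quick from <snort2c> to any label "Block snort2c hosts"
"""

# Constructed copies of the snort.conf output lines seen in this thread.
OLD_LINE = "output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c"
NEW_LINE = "output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,src,kill"
NO_IP_LINE = "output alert_pf: /usr/local/etc/snort/whitelist/MainWhiteList,snort2c,,"

WHICH_IP = ("src", "dst", "both")


def pf_tables(rules_text):
    """Names declared with 'table <name>' in a pf ruleset."""
    return set(re.findall(r"^\s*table\s+<([^>]+)>", rules_text, re.MULTILINE))


def parse_alert_pf(line, new_format):
    """Split an 'output alert_pf:' line into its fields.

    new_format=True  models the pkg 2.1 layout  whitelist,table,which_ip[,kill].
    new_format=False models the older layout     whitelist,table, where (assumption,
                     see lead-in) everything after the first comma is the table name.
    """
    m = re.match(r"^\s*output\s+alert_pf:\s*(\S+)\s*$", line)
    if not m:
        raise ValueError("not an alert_pf output line")
    whitelist, _, rest = m.group(1).partition(",")
    if not new_format:
        return {"whitelist": whitelist, "table": rest, "which_ip": None, "kill": False}
    fields = rest.split(",")
    table = fields[0]
    which_ip = fields[1] if len(fields) > 1 else ""
    kill = len(fields) > 2 and fields[2] == "kill"
    return {"whitelist": whitelist, "table": table, "which_ip": which_ip, "kill": kill}


def check_alert_pf(line, rules_text, new_format):
    """Return (True, '') if the modelled binary would accept the line,
    else (False, reason). The reasons are constructed and only paraphrase
    the messages quoted in the thread."""
    cfg = parse_alert_pf(line, new_format)
    if new_format and cfg["which_ip"] not in WHICH_IP:
        return False, "no option on which ip to block src/dst/both"
    if cfg["table"] not in pf_tables(rules_text):
        return False, "table %r does not exist in packet filter" % cfg["table"]
    return True, ""


if __name__ == "__main__":
    for label, line in (("old", OLD_LINE), ("new", NEW_LINE), ("no-ip", NO_IP_LINE)):
        for fmt in (False, True):
            ok, why = check_alert_pf(line, RULES_DEBUG, fmt)
            print("%-5s line, %s binary: %s %s" % (label, "new" if fmt else "old",
                                                   "OK" if ok else "FATAL", why))
```

Running it shows the combination Ermal points out: a 2.1-style config line read by the old binary fails with the table name `snort2c,src,kill`, even though `table <snort2c>` is present in the ruleset, while the same line is accepted once the new binary is in place. Conversely the GUI-generated line with an empty which_ip field passes the old binary’s table check but is rejected by the new one, which is the “No option on which ip to block” log entry Cino posted.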

