Snort Stable 2.9.2.3 pkg v. 2.2 Failed



  • I tried to upgrade the snort and I got this message ::)…

    Checking for package installation…
    Downloading http://files.pfsense.org/packages/amd64/8/All/snort-2.9.2.3.tbz …  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/snort-2.9.2.3.tbz.
    of snort-2.9.2.3 failed!

    Any work around?

    2.0.1-RELEASE (amd64) built on Mon Dec 12 18:16:13 EST 2011  FreeBSD 8.1-RELEASE-p6



  • Got the same problem upgrading from  2.9.1 pkg v. 2.1.1  to 2.9.2.3 pkg v. 2.1.1 on pfSense 2.0.1 AMD64
    "snort installation failed"



  • Getting same error on i386 install.

    When you check the repositories, it seems the FreeBSD 8.1-Release directory is gone.

    Not sure how to modify the package, so now i dont have a snort install…  ::)



  • I had changed back to PFsense 1.2.3 (Standby box) as I can’t control torrents without snort!!



  • Got the same issue when I tried to upgrade Snort to : Stable 2.9.2.3 pkg v. 2.1.1 platform: 2.0

    Beginning package installation for snort...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies... 
    Checking for package installation... 
     Downloading http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/snort-2.9.2.3.tbz.
    of snort-2.9.2.3 failed!
    
    Installation aborted.Backing up libraries... 
    Removing package...
    Starting package deletion for mysql-client-5.1.53...done.
    Starting package deletion for snort-2.9.2.3...done.
    Starting package deletion for perl-threaded-5.10.1_3...done.
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file snort.inc could not be found for inclusion.
    Deinstall commands... 
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.
    
    Installation halted.
    

    And it deleted the current install  😞



  • same here 😞



  • me also 😞



  • i just check github https://github.com/bsdperimeter/pfsense-packages/commit/868e1e048cae773da3b63b1d15b3e6340386df9c and and the binary was updated for the pfsense package… since packages are built custom for pfsense, they need to be compiled. Once its done, it will be located here: http://files.pfsense.org/packages/8/All/

    not sure when it will be built, that is a question for ermal



  • Same issue here.  At the least, please post instructions as to downloading and reinstalling previous version - FAST!





  • @borgotech:

    I found why … take a look here http://forum.pfsense.org/index.php/topic,50313.msg267699.html#msg267699.

    that isn’t the reason why, read my post from earlier



  • uuh yeah, would be great if the old version was still online to reinstall…



  • Also the same problem, should be a trivial fix by mods… sadly no rollback option so running w/o protection until fixed 😕



  • Here also same problem… Packages-tab where saying there was an update for snort.
    During upgrade old package removed and new one cant be downloaded…  :’(
    Have anyone already made a bug-report to staff?



  • I’m having the same issue,
    It seems that if you enter http://files.pfsense.org/packages/8/All/ in your browser, the file that pfsense is trying to get “snort-2.9.2.3.tbz” is not there. Though there is “Snort-2.9.2.tbz” and older versions.
    Are the URLS of these packages hard coded into pfsense or something?

    There has got to be a way to install it manually…



  • From another thread, I come to know that, snort-2.9.2.3.tbz is available here,

    amd64 is at http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/All/snort-2.9.2.3.tbz
    i386 is at http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/All/snort-2.9.2.3.tbz

    But, whether snort build updated to this link?

    I am managing the show with old box.



  • @zer0:

    There has got to be a way to install it manually…

    I agree.
    The only problem is all the correct dependencies with other packages.
    I think the easiest way is to change the index back so it’s possible to install the 2.9.2 version and put 2.9.2.3 only in when it’s really available.



  • @zer0:

    I’m having the same issue,
    It seems that if you enter http://files.pfsense.org/packages/8/All/ in your browser, the file that pfsense is trying to get “snort-2.9.2.3.tbz” is not there. Though there is “Snort-2.9.2.tbz” and older versions.
    Are the URLS of these packages hard coded into pfsense or something?

    There has got to be a way to install it manually…

    pfsense packages are hard coded… search the wiki and the forum for the reason why… but if you install package/port, it could install a file and can break pfsense. Snort-2.9.2.tbz GUI was never completed, it used a patches to communicate with pf i believe. I started a new topic request the dev to change the package so it would download the old binary until the new is built and is tested



  • Hiya,

    Is nayone getting this error;

    eginning package installation for snort…
    Downloading package configuration file… done.
    Saving updated package information… done.
    Downloading snort and its dependencies…
    Checking for package installation…
    Downloading http://files.pfsense.org/packages/amd64/8/All/barnyard2-1.9_2.tbz …  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/barnyard2-1.9_2.tbz.
    of barnyard2-1.9_2 failed!

    Installation aborted.Backing up libraries…
    Removing package…
    Starting package deletion for mysql-client-5.1.53…done.
    Starting package deletion for barnyard2-1.9_2…done.
    Starting package deletion for snort-2.9.2.3…done.
    Starting package deletion for perl-threaded-5.12.4_4…done.
    Removing snort components…
    Menu items… done.
    Services… done.
    Loading package instructions…
    Include file snort.inc could not be found for inclusion.
    Deinstall commands…
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions…done.
    Auxiliary files… done.
    Package XML… done.
    Configuration… done.
    Cleaning up… Failed to install package.

    Installation halted.

    Any help is welcome

    Cheers,

    Raj



  • From a thread I started about the same time as you…

    2.0.1-RELEASE (amd64)
    built on Mon Dec 12 18:43:51 EST 2011
    FreeBSD 8.1-RELEASE-p6

    In case the Snort devs do not know this. Or maybe it is just me?

    Installation of snort FAILED!
    
    Beginning package installation for snort...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies... 
    Checking for package installation... 
     Downloading http://files.pfsense.org/packages/amd64/8/All/barnyard2-1.9_2.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/barnyard2-1.9_2.tbz.
    of barnyard2-1.9_2 failed!
    
    Installation aborted.Backing up libraries... 
    Removing package...
    Starting package deletion for mysql-client-5.1.53...done.
    Starting package deletion for barnyard2-1.9_2...done.
    Starting package deletion for snort-2.9.2.3...done.
    Starting package deletion for perl-threaded-5.12.4_4...done.
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file snort.inc could not be found for inclusion.
    Deinstall commands... 
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.
    
    Installation halted.
    

    Will try again later and report back.



  • Also as Cino points out…

    http://forum.pfsense.org/index.php/topic,50397.msg268281.html#msg268281

    @Cino:

    noticed that too. barnyard2-1.9_2.tbz isnt built yet… once its built, you should be good to go



  • you can download the package to your pfsense box from the pfsense repo using wget, then install with pkg_add (in my case it said it was already installed).  The downside to this option is it only installs the command line tools, not the web configuration interface.  To use it you will have to get familiar with the command-line options

    Also, as mentioned previously, it’s possible you might break something if you install from the standard freebsd repo.  I would guess that risk is minimized if you install from the pfsense repo, but still possible if you install something intended for a different version than what you’re using.

    My install was failing while trying to install a dependency, barnyard2. 
    Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.9_2.tbz …  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/barnyard2-1.9_2.tbz.
    of barnyard2-1.9_2 failed!





  • Its fixes so just reinstall.



  • Snort 2.9.2.3 pkg v. 2.2 installs fine without errors, but after setting it up and updating rule files I get an error when I try to start it:

    Snort HARD START For 62994_em0…

    I currently only have EM rules selected.

    2.0.1-RELEASE (amd64)
    built on Mon Dec 12 18:16:13 EST 2011
    FreeBSD 8.1-RELEASE-p6

    Edit:
    I tried to
    1. Remove package + find /* |grep snort -> made sure no snort files are left over.
    2. Rebooted pfsense
    3. Installed Snort + configured it
    4. Same error:  Snort HARD START For 37895_em0…

    I went through the same setup on a vm and I got it working without messing around with anything. Whats going on?



  • You are not showing your system log there.
    There will be the cause of that.

    I can expect missing pre processor.



  • Finally, it appears that the updated package files and the snort updates are in synch and are working.  However, the update seems to have broken the snort dashboard widget.  It is not updating, although selecting on its header does open the snort alerts window.  Tried removing and reinstalling the widget package to no effect.

    Can someone verify this issue?  Thanks.



  • @sronsen:

    Finally, it appears that the updated package files and the snort updates are in synch and are working.  However, the update seems to have broken the snort dashboard widget.  It is not updating, although selecting on its header does open the snort alerts window.  Tried removing and reinstalling the widget package to no effect.

    Can someone verify this issue?  Thanks.

    it has… with the recently changes made to the alert page, the widget would probably have to be redone from scratch because the alerts are now broken out by interface, each interface has its own alert file now…



  • I uninstalled snort when the install stopped working but my configurations saved across uninstalls. I installed it today and it went through fine. It loaded my previous configuration but no rules as expected (usually does this on updates). So i updated rules and disable and renable interface, checked all settings and enabled only one rule category to test. I get this error in syslog:

    Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable ‘^Authorization\x3A\sBasic[ \t]+’ in rule [3:13308] is used before it is defined.
    Jun 13 17:42:12 snort[37197]: FATAL ERROR: ByteExtract variable '^Authorization\x3A\s
    Basic[ \t]+’ in rule [3:13308] is used before it is defined.

    Should i wipe all the configurations and start from scratch ?



  • To get this to work, I had to uninstall, then run the following:

    pkg_delete -f snort*
    find / -name snort

    and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET.



  • Delete anything in this directory
    /usr/local/lib/snort/dynamicrules
    also uncheck any .so rules on your interfaces.

    Try to start snort



  • That has resolved the problem. thanks.



  • @ermal:

    You are not showing your system log there.
    There will be the cause of that.

    I can expect missing pre processor.

    Status -> Servies -> Hit start on Snort, Status -> System log -> Jun 14 00:23:18 SnortStartup[18693]: Snort HARD START For 37895_em0… -is the only line generated.

    If I try to run Snort from Services -> Snort -> Snort interfaces, I get two lines:

    Jun 14 00:32:11 SnortStartup[35943]: Interface Rule START for 0_37895_em0…
    Jun 14 00:32:11 SnortStartup[30175]: Toggle for 37895_em0…



  • services/snort
    click to edit the interface in question
    Select the Catagories tab
    Select the rules you want to use.

    Do not select any of the .so “shared objects rules” they will cause snort to crash.

    From your description it sounds like you don’t have any rules selected.



  • I have tried with and without rules enabled. Currently I have only EM rules installed and 2 of them selected. Still I don’t get anything useful on the system log.



  • On the Interface tab
    general you have enabled the interface correct?

    on the same tab under
    Choose the types of logs snort should create.
    you selected “Send alerts to main System logs”

    On the preprocessors tab you have enabled “performance statics for this interface”

    If all else fails you could try running this command from the console comand line although I do not think this is the problem

    pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz

    Then update your rules and try to start snort.



  • @ermal:

    Its fixes so just reinstall.

    It’s running here 2.0.1-RELEASE (amd64) and kept all previous settings. All that I did, after reinstall, was to update ET rules.



  • @caustic386:

    To get this to work, I had to uninstall, then run the following:

    pkg_delete -f snort*
    find / -name snort

    and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET.

    This worked for me!
    Tnx



  • Has anyone else noticed on their Snort > Blocked (tab) that the ALERT DESCRIPTION next to each IP now says “N/A” instead of displaying a full description as it has in the past?

    I’ve confirmed under Snort > Global Settings, my Alert file description type = FULL.

    Is there any way to restore this functionality so that full alert description is listed?



  • I think it is now being shown under the Alerts/Interface tab.

    Have you noticed if the blocked ip’s are being removed in the time you have specified?


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy