Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.3.0 Issue Thread

    pfSense Packages
      Cino

      Couple of issues I've noticed that are still pending but figured I would start a new thread.

      Snort GUI:
      The Status Icon shows if Snort is running but Red/Green status has been removed. Can this be brought back? It was really the only way you can tell if barnyard2 was running or not.

      Alerts Page:
      Doesn't display Alert Description. There was a patch for the last version but it doesn't work with the latest changes.
      Please add this patch http://forum.pfsense.org/index.php/topic,51168.msg274405.html#msg274405

      Interface GUI:
      Please add the light grey background.. White is blinding

      Suppress List:
      Page is not saving and my first line puts a double tab from my old settings I had. Missing Snort Menu tab, have to go back to Services:Snort
      adding a rule to the suppress-list (or simply save the list) adds a space at the first line. So the first line is walking to the right side
      font size is too small to read

      Cron Job Issue:
      After every install/reinstall, you have to save the Global Settings and Interface page (with Blocked Enabled) for the Cron job to be created. Is there a way to fix it so the package does a check automatically to see if that setting is set?

      barnyard2:
      Doesn't start on system reboot, have to manually stop and start within Snort GUI.. Stopping doesn't kill barnyard2 process, starts another one up when you restart
      Services GUI kills all snort/barnyard2 processes but doesn't start barnyard2 process when you restart or start

      P.S Will Snort 2.3.x have IPv6 support or will that be 3.x that Robert is working on?

      As always, thank you for your work :-)

        miles267

        Wow.  Just when I said I'd never update snort again, I went and updated to 2.3.0 and now it won't even start:

        snort[53318]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(154) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

        Is there no QA done on these releases? ;-)

          zinger

          @miles267:

          snort[53318]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(154) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

          Same issue, enabling the http_inspect preprocessor adds a line like:

          
          preprocessor http_inspect: global /usr/local/etc/snort, iis_unicode_map unicode.map 1252 
          
          

          And snort fails to load with error:
          snort[44013]: FATAL ERROR: /usr/local/etc/snort/snort_xxx/snort.conf(xxx) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

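
An added example, not part of zinger's post or of the pfSense Snort package: a small Python pre-flight check that flags unknown keywords on `preprocessor http_inspect: global` lines, such as the stray path behind the FATAL ERROR quoted above. The option table is an assumption taken from the Snort 2.9 manual, and `SAMPLE` is a constructed config fragment.

```python
import re

# Options accepted after "http_inspect: global" in Snort 2.9.x with their
# argument counts (assumed from the Snort manual, not taken from the thread).
GLOBAL_OPTS = {"iis_unicode_map": 2, "compress_depth": 1, "decompress_depth": 1,
               "max_gzip_mem": 1, "memcap": 1, "detect_anomalous_servers": 0,
               "proxy_alert": 0, "disabled": 0}

def logical_lines(text):
    """Yield (first_line_number, text), joining backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = start or num
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def lint_http_inspect_global(conf_text):
    """Return [(line_number, token)] for unknown 'global' keywords."""
    findings = []
    for num, line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+http_inspect\s*:\s*global\b(.*)", line)
        if not m:
            continue
        tokens = m.group(1).replace(",", " ").split()
        i = 0
        while i < len(tokens):
            if tokens[i] in GLOBAL_OPTS:
                i += 1 + GLOBAL_OPTS[tokens[i]]  # skip keyword and its arguments
            else:
                findings.append((num, tokens[i]))
                i += 1
    return findings

# Constructed fragment: line 1 is the broken line from the thread, line 2 the quick-fix form.
SAMPLE = """\
preprocessor http_inspect: global /usr/local/etc/snort, iis_unicode_map unicode.map 1252
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor ftp_telnet: global \\
    encrypted_traffic yes
"""

if __name__ == "__main__":
    print(lint_http_inspect_global(SAMPLE))
```

Running a check like this over each generated snort.conf before restarting the service surfaces the bad line while the previous sensor process is still up.
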
            eri--

            Fixed apart from IPv6 for now.

              Cino

              @zinger:

              @miles267:

              snort[53318]: FATAL ERROR: /usr/local/etc/snort/snort_9414_em2/snort.conf(154) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

              Same issue, enabling the http_inspect preprocessor adds a line like:

              
              preprocessor http_inspect: global /usr/local/etc/snort, iis_unicode_map unicode.map 1252 
              
              

              And snort fails to load with error:
              snort[44013]: FATAL ERROR: /usr/local/etc/snort/snort_xxx/snort.conf(xxx) => Invalid keyword '/usr/local/etc/snort,' for 'global' configuration.

              same issue here

              quick fix for now:

              change file /usr/local/pkg/snort/snort.inc
              line 1555

              preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
              

              line 1614

              preprocessor ftp_telnet: global \
              

              a couple minutes testing: barnyard2 has 3 instances running, blocked page doesn't have descriptions, and only the icon shows if snort is running. Interface page has the grey background, but what happened to the suppress page? the font is really tiny (at least to me), and there is a space on the first line that I can't seem to remove after save but I am able to save new lines.

              I only did a couple of minutes of testing. I'll go thru everything sometime tomorrow and report back… Thanks again

                eri--

                Missed those.
                I am not sure about the small font; all looks good to me?

                Or you mean inside the textarea?

                  fragged

                  @ermal:

                  Missed those.
                  I am not sure about the small font; all looks good to me?

                  Or you mean inside the textarea?

                  Inside the textarea/textbox in the Suppression list edit page. It's now set to

                  
                  .formpre {
                      font-family: Courier New,Courier,monospaced;
                      font-size: 10px;
                  }
                  
                  

                  It used to be

                  
                  .formpre {
                      font-family: arial;
                      font-size: 1.1em;
                  }
                  
                  

                  ..I think.

                    Cino

                    looking a lot better.. uninstalled, removed any trace of snort on the hard-drive… installed... updated rules and guess what, it started with no errors =D

                    I think I found what the issue is with barnyard2 not stopping.. It doesn't stop for anything now.. It's creating a PID file like this: barnyard2_39737_em339737.pid when I think the code is looking to stop barnyard2_em339737.pid. I think the PID file should be 'barnyard2_em3_39737.pid'

                    I'll do some more testing later but hopefully other users will report their findings.

                    thanks again!!!

                      eri--

                      I think I found the issue with barnyard2 pid file.
                      Just re-install snort after 15 minutes and check it out.

                      Thank you for the testing.
                      But after this cleanup more things are manageable with less effort.

                        Cino

                        That did it for barnyard2! Able to stop and start via Snort GUI and Services. Haven't tried a reboot yet.. But since Services uses /usr/local/etc/rc.d/snort.sh as well, I would think it would work also.

                        I'll have to do a deep dive later but I think it's all small stuff..but..

                        I see now on the Snort Interface page, Barnyard2 is shaded Red when it's turned off and White when it's enabled. Could it be Green when it's enabled? Also, can we do the same for the Interface also? Don't know if it should go under 'If' or 'Snort' columns. It was under 'If' but to keep it the same as barnyard2, I would put it under 'Snort'…idk.. you decide on what is easier and looks more functional.

                        thank you for getting barnyard2 working correctly..

                          digdug3

                          Tested upgrading from v2.2.4 to v2.3.0 on AMD64 works without any problems.
                          As soon as everything works I will upgrade my production machine from Snort 2.9.1 pkg v. 2.1.1 (AMD64) to this version.

                          As Cino said, I too would prefer green/red colors, just like the stop and play buttons.

                            10101000

                            Aside from the problems listed in the original post, version 2.3.0 is running smoothly for myself. For a quick "blocked alerts description" fix see post 274405.

                            Thanks for the hard work Ermal!

                              Cino

                              I've crossed out what has been resolved on the first post and added some…

                              @10101000 your patch worked for me.. thank you

                                digdug3

                                Cron Job Issue:
                                After every install/reinstall, you have to save the Global Settings and Interface page (with Blocked Enabled) for the Cron job to be created. Is there a way to fix it so the package does a check automatically to see if that setting is set?

                                Maybe -if- the Global settings was saved, after an update of the package, automatically updates the rules before starting Snort.

                                  Fesoj

                                  If you have more than a single snort interface running, only the message of the 1st instance can be cleared (already described somewhere else). I noticed some code changes in snort_alert.php, but the code does not work correctly.

                                  It looks as if the state of the settings are not properly maintained. $instanceid does receive the correct value, but after hitting the clear-button the value is back to its default value 0 before the clear action gets executed, so other interfaces never get a chance to get rid of their messages (to study this behavior I am dumping some diagnostics into a temporary file).

                                  Not being familiar with php, I'd say the problem is due to the way php scripts get initialized and executed and after hitting a button like "Clear", you're essentially back to a fresh page. With the proper knowledge this can probably be fixed easily.

                                    Fesoj

                                    With this version the Emerging Threats rules are working for me, but the Snort rules don't.

                                    I did some tests with the p2p rules, and the Snort rules neither generated alerts nor did blocking work.

                                      eri--

                                      In 2.4.0 all these issues should be solved apart from the colors in the interface page.

                                        Fesoj

                                        See http://forum.pfsense.org/index.php/topic,51375.msg274556.html#msg274556

                                          Cino

                                          on and off snort quits when it tries to block an IP

                                          
                                          Jul 11 14:24:32 	snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                                          Jul 11 14:24:32 	snort[22453]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device
                                          
                                          
                                            eri--

                                            That is rather awkward.
                                            Can you identify the line that caused that? In alerts?
