Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    pfSense Packages

    • RonpfS

      @ermal:

      Can you please test the latest package and see if it behaves better?

      I have 2.9.2.3 pkg v. 2.5.2 on pfSense 2.0.1

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • Supermule

        Can't start Snort on the revised package….

        • Supermule

          Started but needed to enable SSL state preprocessor to get it going….

          • bmeeks

            @Supermule:

            Started but needed to enable SSL state preprocessor to get it going….

            Will take a look and submit a fix for this later.  Might be as late as Wednesday evening, though.  Have some personal matters to attend to today and tomorrow.

            • Supermule

              No worries mate :) Take your time. It's working and no errors. So not mission critical!

              • RonpfS

                Remove and Install latest v2.5.3

                Got this behind the install frame window

                Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947
                Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953

                Got this when I stopped and started the snort interface

                22:55 Tuesday 22 January 2013
                Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947
                Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 129
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 130
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 131
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 132
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 133
                Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 136

                However snort seems to be running fine.

                I cycled power on the DSL modem and it did not block the WAN IP. It seems to behave ok.

                2.4.5-RELEASE-p1 (amd64)
                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                • Supermule

                  Can we get Snort to save blocked hosts that can survive a reboot??

                  • bmeeks

                    @Supermule:

                    Can we get Snort to save blocked hosts that can survive a reboot??

                    I can take a look at this.  I don't use that feature, and thus have never investigated it.  How are enabled/disabled rules holding up now?  Do your changes survive rule updates and restarts?

                    • bmeeks

                      @RonpfS:

                      Remove and Install latest v2.5.3

                      Got this behind the install frame window

                      Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947
                      Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953

                      Got this when I stopped and started the snort interface

                      22:55 Tuesday 22 January 2013
                      Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947
                      Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953
                      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 129
                      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 130
                      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 131
                      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 132
                      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 133
                      Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 136

                      I can add some more robust error checking to prevent this.  Did you by chance make any rule category changes during the uninstall/re-install process?  Just asking to help me better isolate where the problem might be.

                      Thanks,
                      Bill

                      • Supermule

                        I haven't had a rule update yet, so will revert back as soon as I have :)

                        @bmeeks:

                        @Supermule:

                        Can we get Snort to save blocked hosts that can survive a reboot??

                        I can take a look at this.  I don't use that feature, and thus have never investigated it.  How are enabled/disabled rules holding up now?  Do your changes survive rule updates and restarts?

                        • Supermule

                          Snort doesn't respect whitelisted Alias on the WAN side. Got blocked out and had to use the back entrance :D

                          • Supermule

                            And another thing….every time I enable/disable a rule, it throws me back to the top of the page....that makes a lot of scrolling all the time!! Can it be changed somehow? So you either go back to where you were or not move at all?

                            • bmeeks

                              @Supermule:

                              And another thing….every time I enable/disable a rule, it throws me back to the top of the page....that makes a lot of scrolling all the time!! Can it be changed somehow? So you either go back to where you were or not move at all?

                              I will try.  That one may be a bit difficult to pull off with the way PHP handles POST back with forms. I agree on it being a pain with scrolling.

                              • Supermule

                                Thanks mate!! You are doing the pfSense community a big favor here!

                                Thank you :)

                                • Supermule

                                  Dude…..Can you give me your account number so I can transfer some funds for your work? I would like to donate a little to your working efforts!

                                  • bmeeks

                                    @Supermule:

                                    Dude…..Can you give me your account number so I can transfer some funds for your work? I would like to donate a little to your working efforts!

                                    Thank you for the offer, but I don't have one. I'm contributing my efforts gratis since I also use the product.  I made the changes originally for my own benefit, and decided to see if the community could benefit from them as well.

                                    I still have a few little quirks to clean up that some folks have identified.

                                    • Supermule

                                      It's always there if you need it ;)

                                      Have you considered the ability to sort all columns of the blocked IPs tab??

                                      So one can sort it on number, IP Alert description and time?

                                      And the same on the alerts tab?

                                      • bmeeks

                                        @Supermule:

                                        It's always there if you need it ;)

                                        Have you considered the ability to sort all columns of the blocked IPs tab??

                                        So one can sort it on number, IP Alert description and time?

                                        And the same on the alerts tab?

                                        Yes on that, and also to sort the SIDs on the RULES tab.  Tried to pull that off to begin with, but the way PHP handles multidimension arrays and sorting was giving me fits.  Decided to put the changes out first to introduce the functionality, and then come back and add the bells and whistles.

                                        Bill

                                        • bmeeks

                                          @RonpfS:

                                          Remove and Install latest v2.5.3

                                          Got this behind the install frame window

                                          Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947
                                          Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953

                                          Got this when I stopped and started the snort interface

                                          22:55 Tuesday 22 January 2013
                                          Warning: file(/usr/local/etc/snort/rules/emerging-virus.rules): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 947
                                          Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 953
                                          Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 129
                                          Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 130
                                          Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 131
                                          Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 132
                                          Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 133
                                          Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:947) in /usr/local/www/snort/snort_interfaces.php on line 136

                                          However snort seems to be running fine.

                                          I cycled power on the DSL modem and it did not block the WAN IP. It seems to behave ok.

                                          Update on this report:  I found the cause.  I was doing some poor error checking.  Basically what's happening is that upon package remove and re-install, the Rules directory is empty of all files, but your saved "selected categories" (which are really just the filenames with no content) are saved in the pfSense config.xml file.  So when you remove and re-install Snort with the "save configuration option" checked, it remembers your previous rule categories.

                                          Upon the first startup following the package re-installation, it tries to read those files to get the rule contents, but because a Rules update has not been done and the Rules directory is empty, it pops up the error you see.  This error will show different files for different folks depending on what rule categories they had previously enabled.

                                          I can add an easy fix for this to basically check that the files exist before trying to read them.  My mistake for not thinking of that to start with… :-[

                                          I am collecting up the fixes for these little glitches and will submit them to Ermal for an update.

                                          Bill
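
The failure described in the post above, and the existence check it proposes, as an added example that is not part of the thread and not the package's own snort.inc code. The function name, the temporary directory and the `emerging-dos.rules` sample file are assumptions made for illustration; only `emerging-virus.rules` comes from the warnings quoted in the thread.

```php
<?php
// Added illustration; names are hypothetical, not from the package's snort.inc.

// Read rule lines for each saved category, skipping files that are absent
// (for example right after a reinstall, before the first rules update).
function load_enabled_categories($rules_dir, array $categories)
{
    $rules = array();
    $missing = array();
    foreach ($categories as $category) {
        // Names come from saved configuration: keep only the file name so
        // a stored value cannot point outside the rules directory.
        $path = rtrim($rules_dir, '/') . '/' . basename($category);
        if (!is_file($path) || !is_readable($path)) {
            $missing[] = $category;
            continue;
        }
        $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        if ($lines === false) { // read failed despite the checks above
            $missing[] = $category;
            continue;
        }
        foreach ($lines as $line) {
            $rules[] = $line;
        }
    }
    return array('rules' => $rules, 'missing' => $missing);
}

// Constructed demo: a temporary rules directory that holds only one of the
// two categories the saved configuration still lists.
$dir = sys_get_temp_dir() . '/rules_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/emerging-dos.rules',
    "alert tcp any any -> any 80 (msg:\"constructed sample\"; sid:1000001;)\n");

$result = load_enabled_categories($dir,
    array('emerging-dos.rules', 'emerging-virus.rules'));

// Report through the log rather than the response body, so header() calls
// made later by the page are unaffected.
foreach ($result['missing'] as $name) {
    error_log("rule category file not found, skipped: $name");
}
printf("%d rule line(s) loaded, %d category file(s) missing\n",
    count($result['rules']), count($result['missing']));

unlink($dir . '/emerging-dos.rules');
rmdir($dir);
```

Returning the missing names lets the caller show that some enabled categories contributed no rules until the next rules update, so the gap in detection coverage is visible.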

                                          • Supermule

                                            Damn nice!! Nothing more to say :)
