Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

      kilthro

      Ermal,
      I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have removed blocked hosts after 6 hours and Snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.

        Supermule Banned

        I get these errors when trying to change the ports of "Home NET"

        Define_servers.jpg
        Define_servers2.jpg

          Supermule Banned

          First of all….

          I get these false positives even if I have created them in the Suppress lists!!

          Alerts.jpg

            Supermule Banned

            Suppress list is here….

            Tell me why Snort doesn't respect it..........  :-\

            suppresslist.jpg

              eri--

              You need to have an alias; you cannot put ports there.

              A wild guess about the suppression is a missing revision?

                eri--

                @kilthro:

                Ermal,
                I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have removed blocked hosts after 6 hours and Snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.

                Can you check /etc/crontab if it has the entries for snort?

                I pushed a fix which should help here.
                Just resave your settings on the Global tab.

                  kilthro

                  @ermal:

                  @kilthro:

                  Ermal,
                  I checked again today and I am not seeing anything in the sys log about the auto update running or not running. If I run a manual update I see the entries. Also I have removed blocked hosts after 6 hours and Snort hasn't been doing that. I just changed it to three and restarted the service to see if something was glitched. Will monitor to see if that is working properly. Not sure if it's isolated to just my setup or not. Just wanted to mention it to see if anyone else has had the issue.

                  Can you check /etc/crontab if it has the entries for snort?

                  I pushed a fix which should help here.
                  Just resave your settings on the Global tab.

                  Here is what cron is showing. Looks like no time settings are entered. Looks like the remove host is doing the same thing as it's blank too.. May explain why they aren't being removed like they should.

                  cron.jpg

                    kilthro

                    I am not seeing the update on the dashboard… Guess it takes a while to recognize.. Will check back on it.. What version number is it up to now?

                      Supermule Banned

                      @ermal:

                      You need to have an alias; you cannot put ports there.

                      A wild guess about the suppression is a missing revision?

                      Why an alias when the specific ports are needed??

                      By the way, running on 2.5.4 so unless package has been updated, then I am on the latest revision.

                        eri--

                        No, the version has not been bumped since some small fixes will come still.
                        When those are finished it will be bumped.

                          Supermule Banned

                          Thx Ermal!

                            Phoenix912

                            Hi,

                            I have the issue with the lib mysql.18 which I was able to correct with pkg_add -v -f -F http://files.pfsense.org/packages/8/All/mysql-client-5.5.29.tbz

                            But when I reboot my VM, I have to do the command again, because snort won't start with my interfaces.
                            It is very weird because before rebooting everything was working perfectly fine, alerts were there, all interfaces were enabled…

                            Does anyone have an idea?

                            Thanks in advance

                              Phoenix912

                              It seems very weird because if I create a folder, after rebooting it is still there, but a modification like the package is not working.

                              I suppose pfSense or FreeBSD is blocking my modifications. Is it possible to force the modification or disable the thing which is preventing me from saving changes?

                              Thanks in advance

                                Supermule Banned

                                Are we seeing the end of this when Ermal/Bmeeks committed the last changes or do we have to wait until the package is bumped to 2.5.5??? So far running fine here, but haven't upgraded to the last snaps from Ermal. Running the changed files from Bmeeks.

                                  kilthro

                                  I have the latest downloaded and installed and everything seems to be working just fine here.

                                    bmeeks

                                    @Supermule:

                                    Are we seeing the end of this when Ermal/Bmeeks committed the last changes or do we have to wait until the package is bumped to 2.5.5??? So far running fine here, but haven't upgraded to the last snaps from Ermal. Running the changed files from Bmeeks.

                                    The "big pieces" for this update cycle are done, I think.  My main focus was getting auto-flowbit resolution working and integrating the VRT Policy rules selection.  Along with those main goals were some incidental fixes like the stream5 preprocessor memcap setting and some items related to http_inspect.  At Ermal's request, the last change was some code to automatically scan for and disable any rules in the selected rule sets that depended on disabled preprocessors.  This is necessary because certain preprocessor-dependent rule options (such as the ssl_state and ssl_version options associated with the SSL preprocessor) will cause Snort to error out and not start if the associated preprocessor is not enabled.

                                    In my view, the next "big piece" is to update to the latest 2.4.x Snort binary.  I am not ready to jump out there and start that project on my own, though.  Still not experienced enough with the pfSense/BSD platform and its package building tools.

                                    Bill

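The preprocessor-dependency scan described in the post above can be sketched as follows. This is an added example, not the pfSense Snort package's own code: only `ssl_state` and `ssl_version` come from the post, the other option names are taken from the Snort 2.9 manual, and the function names and sample rules are constructed for illustration.

```python
import re

# Rule options that only parse when the named preprocessor is loaded.
# ssl_state/ssl_version are the pair named in the post; the sip and dcerpc2
# entries are added from the Snort 2.9 manual. The map is partial.
PREPROC_OPTIONS = {
    "ssl": ("ssl_state", "ssl_version"),
    "sip": ("sip_method", "sip_stat_code", "sip_header", "sip_body"),
    "dcerpc2": ("dce_iface", "dce_opnum", "dce_stub_data"),
}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')

def options_used(rule):
    """Option keywords in the rule body; quoted strings are blanked first."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return set()
    body = QUOTED_RE.sub('""', rule[start + 1:end])
    return {o.split(":", 1)[0].strip() for o in body.split(";") if o.strip()}

def disable_dependent_rules(rules_text, enabled_preprocs):
    """Comment out active rules that need a preprocessor that is not enabled.
    Returns (new_text, {sid: preprocessor}) for the rules it disabled."""
    blocked = {opt: pp for pp, opts in PREPROC_OPTIONS.items()
               if pp not in enabled_preprocs for opt in opts}
    out, disabled = [], {}
    for line in rules_text.splitlines():
        rule = line.lstrip()
        if rule and not rule.startswith("#"):
            hits = sorted(options_used(rule) & set(blocked))
            if hits:
                m = SID_RE.search(rule)  # key 0 is used if a rule has no sid
                disabled[int(m.group(1)) if m else 0] = blocked[hits[0]]
                line = "# " + line
        out.append(line)
    return "\n".join(out), disabled

# Constructed sample rules (not from any real rule set).
SAMPLE_RULES = "\n".join([
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"constructed SSLv2 hello"; ssl_version:sslv2; ssl_state:client_hello; sid:1000001; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed text\; ssl_state:x"; content:"ssl_version"; sid:1000002; rev:1;)',
    r'# alert tcp any any -> any 443 (msg:"constructed, already off"; ssl_state:server_hello; sid:1000003; rev:1;)',
    r'alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"constructed SIP INVITE"; sip_method:invite; sid:1000004; rev:1;)',
])

if __name__ == "__main__":
    text, off = disable_dependent_rules(SAMPLE_RULES, {"sip"})
    print(text)
    print("disabled:", off)
```

With only the SIP preprocessor enabled, rule 1000001 is commented out, while 1000002 is left alone because its `ssl_state` text sits inside a quoted string rather than being a rule option.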
                                      fragged

                                      I'm still seeing a minor oddity when updating to a new snapshot of 2.1 and snort being re-installed during the reboot. When pfSense is all up and running, snort would show as running and presumably does have some rules to use, but the updates tab shows no rules installed. I have the "Keep snort settings after deinstall" option checked.

                                      So in summary:
                                      Snort re-installs fine
                                      Snort is blocking offenders after re-install
                                      But Updates tab shows no rules installed

                                      Also the "Update log" button seems to still be broken. It's not inactive / greyed out anymore, but it doesn't do anything when clicked.

                                        bmeeks

                                        @fragged:

                                        Also the "Update log" button seems to still be broken. It's not inactive / greyed out anymore, but it doesn't do anything when clicked.

                                        This is a problem that likely can be fixed, and I will take a look at getting the button working.  One small complication here is that the Update Log is only created when the automatic update cron job runs.  The log is not created during a manual update.  Basically what happens currently is the console output of the cron job rule update is redirected to a file in the /tmp/ directory.

                                          daehnomel

                                          Help! Snort will not start from the webgui after update to pfsense 2.02, currently running snort 2.9.2.3 pkg v. 2.5.4.  GUI reports service is stopped so I attempt to restart and it just stays stopped.  Individual interfaces respond similarly.  I have tried reinstalling snort as well, no dice.  I tried suggestions on this thread as well to no avail : http://forum.pfsense.org/index.php?topic=58175.0 .  Snort seems to start by simply typing "snort" in shell but webgui doesn't respond.  Any suggestions would be appreciated. BTW, I have read the thread and it seems this problem is ongoing, is it just best to wait for version 2.5.5?  Is snort really running and just not reported in the GUI?  Thanks in advance for your help.

                                            tritron

                                            Did you look at your log? You should post the error messages you are getting in the log. Snort works fine with 2.1

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.