Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

breusshe:

> @breusshe:
>
> Just did the reinstall. I get this error:
>
> FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
>
> The funny part is I'm not even using bad-traffic.so. Not sure why it is even loading.

Uninstall and wipe of config, then reinstall seems to have fixed this. Not sure what was causing it. But snort starts up just fine now. Just waiting to see if I can catch alerts.
Fesoj:

This is just inquiring on how to do updates in an economical way.

In emergency situations one could always update from github (github.com/bsdperimeter/pfsense-packages).

The regular package updates seem to come from http://files.pfsense.com/packages/8/All/, but it takes some time after updating the repository before the regular package update has the latest version (hours?). Since not every package update is accompanied by a change of the version string, it is rather difficult to see whether the advertised updates from the forum are going to be installed or not. Currently snort-2.9.2.3-i386.pbi is still from yesterday, 2012-Jul-15 21:11:02, so a regular update (System: Packages:) doesn't really update anything. It looks to me that some of the recent messages can be explained by this setup.

It's not about making things faster, but about knowing when the update will actually be available. I wouldn't mind having a 4-digit version string for the package. Another method would be to base the update on the associated md5 hashes.

Am I off base here, or does this remark make some sense?
Cino:

> @breusshe:
>
> Just did the reinstall. I get this error:
>
> FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
>
> The funny part is I'm not even using bad-traffic.so. Not sure why it is even loading.
>
> Uninstall and wipe of config, then reinstall seems to have fixed this. Not sure what was causing it. But snort starts up just fine now. Just waiting to see if I can catch alerts.

I figured out what is causing this. ermal submitted a change based on what is left on our system when you uninstall snort: https://github.com/bsdperimeter/pfsense-packages/commit/380d7cbe464a271c47fa57d4a890e1d61019fd08. I told him about it this morning. These files are links into the pbi folders. When you do a reinstall (reinstall from the GUI), it's removing the linked files, because of how pbi's behave with the pfSense package manager… I recommend that you uninstall a package and then install it when you are doing an upgrade. I recommend this because if you select to re-install the package, for some reason or another, the pbi binary isn't re-installed.... Now this is the behavior on pfSense 2.1; on 2.0.1, I would do the same thing.
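Added example, not code from the thread or from the pfSense snort package: a check for the situation Cino describes, where the files in the dynamicrules directory are symlinks into the PBI tree and a reinstall removes the targets but leaves the links in place. The layout below is constructed in a temporary directory (the real one on a pfSense 2.1 box is /usr/local/lib/snort/dynamicrules); the script only reports links whose target no longer exists and does not inspect the symbols of any shared object, so it confirms the "links left behind" part of the diagnosis, not the cause of the freeRuleData error.

```python
import os
import tempfile


def dangling_symlinks(root):
    """Return the sorted paths of every symlink under root whose target is gone."""
    broken = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # islink() is true for any symlink; exists() follows the link and
            # is false when the target is missing, which is the dangling case.
            if os.path.islink(path) and not os.path.exists(path):
                broken.append(path)
    return sorted(broken)


def build_fixture():
    """Constructed layout (hypothetical paths): a PBI tree holding the real
    objects and a dynamicrules directory of links into it, then a 'reinstall'
    that removes one PBI file while its link survives."""
    root = tempfile.mkdtemp(prefix="snort-pbi-")
    pbi_lib = os.path.join(root, "pbi", "snort", "lib", "snort", "dynamicrules")
    link_dir = os.path.join(root, "lib", "snort", "dynamicrules")
    os.makedirs(pbi_lib)
    os.makedirs(link_dir)
    for name in ("bad-traffic.so", "web-misc.so"):
        with open(os.path.join(pbi_lib, name), "wb") as fh:
            fh.write(b"\x7fELF")  # placeholder bytes, not a real shared object
        os.symlink(os.path.join(pbi_lib, name), os.path.join(link_dir, name))
    # The target of web-misc.so disappears; the link in link_dir stays behind.
    os.remove(os.path.join(pbi_lib, "web-misc.so"))
    return root


def broken_link_names(root):
    """Basenames only, which is what you would compare against the snort.conf
    dynamicdetection lines."""
    return [os.path.basename(p) for p in dangling_symlinks(root)]


if __name__ == "__main__":
    fixture = build_fixture()
    for path in dangling_symlinks(fixture):
        print("dangling:", path)
```

On a real box, point `dangling_symlinks` at /usr/local/lib/snort/dynamicrules (or the whole /usr/local/lib/snort tree); an empty result means the reinstall at least left a consistent set of links.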
Cino:

> @Fesoj:
>
> This is just inquiring on how to do updates in an economical way.
>
> In emergency situations one could always update from github (github.com/bsdperimeter/pfsense-packages).
>
> The regular package updates seem to come from http://files.pfsense.com/packages/8/All/, but it takes some time after updating the repository before the regular package update has the latest version (hours?). Since not every package update is accompanied by a change of the version string, it is rather difficult to see whether the advertised updates from the forum are going to be installed or not. Currently snort-2.9.2.3-i386.pbi is still from yesterday, 2012-Jul-15 21:11:02, so a regular update (System: Packages:) doesn't really update anything. It looks to me that some of the recent messages can be explained by this setup.
>
> It's not about making things faster, but about knowing when the update will actually be available. I wouldn't mind having a 4-digit version string for the package. Another method would be to base the update on the associated md5 hashes.
>
> Am I off base here, or does this remark make some sense?

Whenever changes are made to github.com/bsdperimeter/pfsense-packages, you are able to get them within 5 minutes or less (I think it's real-time). Binaries are a different story… jimp has a builder that builds them based on what changes happen to github.com/bsdperimeter/pfsense-tools. Not sure if it's an automatic or manual process for them to move the files over to files.pfsense.org.

As far as seeing a package update within the package manager: that is up to the maintainer to increase the version number of the package.

pfSense team, correct me if I'm wrong on this.
dwood:

Same thing here.. had to remove 2.5.0. The WAN IP x.x.x.0 network was being blocked. The pfSense log then alerted on WAN down, and removed it from the routing group (dual WAN).

Cheers,
Dennis.
mschiek01:

Snort was running with preproc active; a rules update was processed and snort stopped with the following error.

Jul 16 20:56:27 php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules…
Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 16 20:56:26 snort[25975]: Initializing rule chains…
Jul 16 20:56:26 snort[25975]: Initializing rule chains…
Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++
joako:

Same here.

However mine seems to be caused by an invalid snort.conf. This cannot be fixed by hand because it's deleted and regenerated each time snort is run.

snort[55098]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21199_em0//usr/local/etc/snort/preproc_rules/sensitive-data.rules/": No such file or directory.

include $PREPROC_RULE_PATH/sensitive-data.rules/     (note the trailing slash)

UPDATE: Cleared it up with a package reinstall and, of course, a re-download of the rules. Working as before.
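Added example, not part of joako's post and not the pfSense package's own code: a small checker for the include lines of a generated snort.conf, which is worth running before restarting snort since the file is rewritten on every start. It expands `$VAR` references defined by `var`/`ipvar`/`portvar` lines, treats a target that does not begin with `/` as relative to the directory holding the config file (Snort's rule for includes, and the reason the error above shows the config directory prefixed to the target), and reports targets that end in a slash, reference an undefined variable, or do not exist. The config and rules directory are constructed in a temporary directory; `build_fixture` and `check_includes` are names of this example, not of anything in the package.

```python
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def expand(value, variables):
    """Replace $NAME references with their definitions; unknown names are left as-is."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def check_includes(conf_path):
    """Return (line_no, raw_target, resolved_path, problem) for every include
    that Snort would fail to open."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables = {}
    problems = []
    with open(conf_path) as fh:
        for line_no, line in enumerate(fh, 1):
            m = VAR_RE.match(line)
            if m:
                # Variables may themselves reference earlier variables.
                variables[m.group(1)] = expand(m.group(2), variables)
                continue
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            raw = m.group(1)
            resolved = expand(raw, variables)
            if not resolved.startswith("/"):
                resolved = os.path.join(conf_dir, resolved)
            if resolved.endswith("/"):
                problems.append((line_no, raw, resolved,
                                 "trailing slash: names a directory, not a rules file"))
            elif "$" in resolved:
                problems.append((line_no, raw, resolved, "undefined variable"))
            elif not os.path.isfile(resolved):
                problems.append((line_no, raw, resolved, "no such file"))
    return problems


def build_fixture():
    """Constructed config: one good include, the trailing-slash include from
    the thread, a missing file, and an undefined variable."""
    root = tempfile.mkdtemp(prefix="snort-conf-")
    os.makedirs(os.path.join(root, "preproc_rules"))
    with open(os.path.join(root, "preproc_rules", "sensitive-data.rules"), "w") as fh:
        fh.write('alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; '
                 'metadata: rule-type preproc ; classtype:sdf; )\n')
    conf_lines = [
        "var PREPROC_RULE_PATH " + os.path.join(root, "preproc_rules"),  # line 1
        "var RULE_PATH " + os.path.join(root, "rules"),                  # line 2
        "include $PREPROC_RULE_PATH/sensitive-data.rules/",              # line 3: trailing slash
        "include $PREPROC_RULE_PATH/sensitive-data.rules",               # line 4: correct
        "include $RULE_PATH/local.rules",                                # line 5: never created
        "include $NOT_DEFINED/x.rules",                                  # line 6: unknown variable
    ]
    conf_path = os.path.join(root, "snort.conf")
    with open(conf_path, "w") as fh:
        fh.write("\n".join(conf_lines) + "\n")
    return conf_path


if __name__ == "__main__":
    for line_no, raw, resolved, problem in check_includes(build_fixture()):
        print("line %d: include %s -> %s: %s" % (line_no, raw, resolved, problem))
```

Against a live box, run it on the generated file, e.g. /usr/local/etc/snort/snort_<id>_<if>/snort.conf, immediately after a rules update; any line it reports is one Snort will refuse to start on.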
eri--:

> @dwood:
>
> Same thing here.. had to remove 2.5.0. The WAN IP x.x.x.0 network was being blocked. The pfSense log then alerted on WAN down, and removed it from the routing group (dual WAN).
>
> Cheers,
> Dennis.

As I put in the other thread: there is an issue that was solved with blocking not parsing the whitelist correctly. Just re-install the binary.
digdug3:

Sometimes the alerts go wrong and give you an N/A in the blocked tab.

[screenshot: Clipboard01.jpg]
Cino:

> @mschiek01:
>
> Snort was running with preproc active; a rules update was processed and snort stopped with the following error.
>
> Jul 16 20:56:27 php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules…
> Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
> Jul 16 20:56:26 snort[25975]: FATAL ERROR: /usr/local/etc/snort/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
> Jul 16 20:56:26 snort[25975]: Initializing rule chains…
> Jul 16 20:56:26 snort[25975]: Initializing rule chains…
> Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Jul 16 20:56:26 snort[25975]: +++++++++++++++++++++++++++++++++++++++++++++++++++

Woke up to the same error this morning. I looked in the preprocessor.rules file, commented out the line, and turned off sensitive data.

A google search states it's because of sensitive data not being turned on… I have it on for testing and have 2 rules suppressed. Strange.....

alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )

EDIT: manual update (after removing the md5 files), and I don't have the above issue with sensitive data on… going to copy the rules over to my PC and compare them when/if this happens again.
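Added example, not from the thread and not Snort's or the pfSense package's code: Snort's parser raises `Unknown ClassType: <name>` when a rule's `classtype:` names a class that no `config classification:` line declares, so the check below reads a classification.config and a rules file and lists every rule whose classtype is undeclared. Both inputs are constructed here: the classification excerpt deliberately has no `sdf` entry, and the rules file starts with the SDF rule quoted above (the second rule is made up in the same shape). On a pfSense box you would feed it the classification.config and sensitive-data.rules the package wrote under /usr/local/etc/snort, which is the comparison Cino says he planned to do by hand.

```python
import re

# "config classification: name,description,priority"
CLASS_DECL_RE = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
# "classtype:name;" inside a rule body
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;\s]+)\s*;")


def declared_classtypes(classification_text):
    """Set of class names declared by config classification lines."""
    names = set()
    for line in classification_text.splitlines():
        m = CLASS_DECL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def undeclared_classtypes(rules_text, declared):
    """(line_no, classtype) for each active rule whose classtype is undeclared.
    Commented-out and blank lines are skipped, as Snort skips them."""
    missing = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASSTYPE_RE.search(line)
        if m and m.group(1) not in declared:
            missing.append((line_no, m.group(1)))
    return missing


# Constructed excerpt of a classification.config, without an sdf entry.
CLASSIFICATION_CONFIG = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# Constructed rules: line 1 is the rule quoted in the thread, line 2 is made up
# in the same shape, line 3 is commented out, line 4 uses a declared class.
SENSITIVE_DATA_RULES = """\
alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )
alert ( msg: "SDF_SAMPLE_2"; sid: 2; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )
# alert ( msg: "SDF_SAMPLE_3"; sid: 3; gid: 139; rev: 1; classtype:sdf; )
alert tcp any any -> any any ( msg:"constructed sample"; classtype:policy-violation; sid:1000001; rev:1; )
"""


def check(classification_text=CLASSIFICATION_CONFIG, rules_text=SENSITIVE_DATA_RULES):
    return undeclared_classtypes(rules_text, declared_classtypes(classification_text))


def fixed_classification():
    """The same excerpt with the declaration the preprocessor rules need."""
    return CLASSIFICATION_CONFIG + "config classification: sdf,Sensitive Data,2\n"


if __name__ == "__main__":
    for line_no, name in check():
        print("sensitive-data.rules(%d) Unknown ClassType: %s" % (line_no, name))
    print("after adding sdf:", check(fixed_classification()))
```

The output of the first loop is the same message Snort logs, one line per offending rule; an empty list from the second call is what you want to see before restarting.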
Fesoj:

I installed the latest version and snort is running fine, but there might be an issue with the perl package that affects other packages.

During the last 2 weeks I removed and installed the snort package only. After one of the latest updates the perl files were gone, but pkg_info still reported 2 perl packages as installed. I noticed the missing files by the failure of other packages (e.g. lightsquid). After forcing a reinstall (pkg_add -f) of the latest perl package everything worked again as expected.

I am not sure whether this odd behavior is due to the snort package, but if you find that some things don't work any more, check for the existence of the perl package (and the system log).
Cino:

> @Fesoj:
>
> I installed the latest version and snort is running fine, but there might be an issue with the perl package that affects other packages.
>
> During the last 2 weeks I removed and installed the snort package only. After one of the latest updates the perl files were gone, but pkg_info still reported 2 perl packages as installed. I noticed the missing files by the failure of other packages (e.g. lightsquid). After forcing a reinstall (pkg_add -f) of the latest perl package everything worked again as expected.
>
> I am not sure whether this odd behavior is due to the snort package, but if you find that some things don't work any more, check for the existence of the perl package (and the system log).

Are you running 2.0.x? If so, here is why (I think, anyway): https://github.com/bsdperimeter/pfsense-packages/commit/90a78d1150d6cf90b9fb60c2237d8c12b112c7d0. It's been removed from the package.

With 2.1 being pbi packages, it's a little different.
Fesoj:

Cino,

yes, I am running 2.0.1.

> bump version to 2.5.0 and remove perl from build requirments since it…

The extracts from snort.inc don't show what happens to those perl files, but the title seems to point to the villain.

Anyway, pkg_add -f remedies the situation.
breusshe:

> @Cino:
>
> EDIT: manual update (after removing the md5 files), and I don't have the above issue with sensitive data on… going to copy the rules over to my PC and compare them when/if this happens again.

I can confirm this solution. I deleted the MD5 files from /usr/local/etc/snort, turned on sensitive data, ran the rules update manually, and snort started right up. I'll post if this problem repeats itself in the next day or two.
marcelloc:

> @Fesoj:
>
> Anyway, pkg_add -f remedies the situation.

That's because snort uninstalled perl on the last update. As you have two other packages that require perl, if you uninstall one of them, the other will break too.

To work around the pkg_add step, just reinstall a package that requires perl.

Regards,
Marcello Coutinho

Treinamentos de Elite (Elite Training): http://sys-squad.com

Help a community developer! ;D
Fesoj:

Marcello,

> To work around the pkg_add step, just reinstall a package that requires perl.

that's what I tried first, and it didn't work. The perl files were gone, but pkg_info still reported perl as installed. Therefore reinstalling something like Lightsquid does not trigger a reinstall of perl.
Cino:

Not sure if it's because of the new binary or this change https://github.com/bsdperimeter/pfsense-packages/commit/e2618ca4b906460455f1f778718ed9e9825d7085, but after an uninstall/install around 12pm EST, snort is blocking my WAN IP address now. It's in the HOME_NET… So I'm not sure what is going on... I don't have it on my whitelist, which I'm adding now, and I'll see what happens.

EDIT: It's blocking my WAN IP with it in the whitelist also...

Any way the previous binary can be put back? ;D Well, if other users can confirm my findings.
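Added example, not the pfSense snort package's own code: the block decision in outline, to show where a wrongly parsed whitelist lets an address like the WAN IP through. `parse_address_list` reads a one-entry-per-line list of addresses or CIDRs with `#` comments (an assumption about the whitelist format) and reports lines it cannot parse instead of silently dropping them, since a dropped line is exactly how an address stops being protected; `block_candidates` then returns the alert addresses not covered by the list. The addresses are constructed from documentation ranges, and the `block_which` switch (src/dst/both) only mirrors the package's "which IP to block" option in outline.

```python
import ipaddress


def parse_address_list(text):
    """Return (networks, bad_lines). Each non-empty, non-comment line must be an
    IPv4/IPv6 address or CIDR; lines that fail to parse are returned, not ignored."""
    networks, bad = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set, e.g. 192.168.1.1/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append((line_no, raw))
    return networks, bad


def covered(networks, addr):
    """True if addr falls inside any listed network (a bare address is a /32 or /128)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def block_candidates(alert_src, alert_dst, whitelist_text, block_which="src"):
    """Addresses from an alert that would be handed to the blocker, i.e. the
    chosen side(s) minus anything the whitelist covers, plus the unparsable
    whitelist lines so the caller can see why a host was not protected."""
    networks, bad = parse_address_list(whitelist_text)
    targets = {"src": [alert_src], "dst": [alert_dst],
               "both": [alert_src, alert_dst]}[block_which]
    to_block = [a for a in targets if not covered(networks, a)]
    return to_block, bad


# Constructed whitelist: LAN subnets plus the firewall's own WAN address.
WHITELIST = """\
# local networks
192.168.1.0/24
10.0.0.0/8
203.0.113.7      # WAN address (documentation range)
2001:db8::/32
"""

# The same list with a malformed entry appended: it does not parse, so
# 198.51.100.0/24 is not protected even though an operator added it.
BROKEN_WHITELIST = WHITELIST + "198.51.100.0/24/\n"


if __name__ == "__main__":
    print(block_candidates("203.0.113.7", "192.168.1.20", WHITELIST, "both"))
    print(block_candidates("198.51.100.9", "192.168.1.20", BROKEN_WHITELIST, "src"))
```

The second call is the case to watch for: the returned `bad` list names the whitelist line that never took effect, which is the first thing to check when a whitelisted address is still being blocked.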
Fesoj:

Cino,

I do not have any problems with bogus blockings (and I tested the new version quite a lot today), but my pfSense box is not an edge router and the "WAN" side has a static address that showed up automatically in the default HOME_NET.
eri--:

Cino,

please post either the snort config or the snort package XML from config.xml.
dwood:

Ermal, I've been uninstalling Snort, running the command "find /* | grep -i snort | xargs rm -rv", then reinstalling. I have to assume that this process would always replace the binary files?

I haven't reinstalled since yesterday on the site that's best for testing (live site!), so I'm not sure if a reinstall will fix the WAN blocking…