Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.1 service fails overnight, unable to restart

    Scheduled Pinned Locked Moved pfSense Packages
    65 Posts 14 Posters 22.6k Views
      caustic386

      Since upgrading to 2.5.1, snort fails every night (I assume during rule update).  The only way to get it running again is a complete re-install of the package (including manual deletion of snort dirs left behind from uninstall).  Here's the error I'm getting:

      Jul 25 08:21:48 snort[60091]: FATAL ERROR: /usr/local/etc/snort/snort_56869_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
      Jul 25 08:21:48 snort[60091]: FATAL ERROR: /usr/local/etc/snort/snort_56869_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
      Jul 25 08:21:48 snort[60091]: Initializing rule chains…
      Jul 25 08:21:48 snort[60091]: Initializing rule chains…

      Any suggestions?  This is a production install, so a reboot is difficult.

        eri--

        This should have been fixed already on latest code!

          caustic386

          Package manager indicates I have the latest install.  Do you mean the dev package has the fix?

            kilthro

            Mine has completed two auto updates since the latest package and have not received this error. Do you have snort and emerging rules enabled?

              dwood

              Ermal, on fresh install (just now), this error comes up in the interface's preprocessors tab GUI.  It displays just under Stream 5 category, Max Queued Bytes:

              Fatal error: Call to undefined function gettet() in /usr/local/www/snort/snort_preprocessors.php on line 225

              This cuts off the preprocessors normally selected here from display.

              cheers,

                caustic386

                Correct, I have both sets installed and all categories activated, non-blocking mode.  I tried starting snort with no categories selected, but the same error occurred.

                  vbentley

                  There is a typographical error that occurs in two PHP files http://forum.pfsense.org/index.php/topic,51813.0.html

                    SectorNine50

                    Disabling the Sensitive Data Preprocessor got me up and running for the time being.  It seemed like it was fine until Snort updated its rules on the 24th, or something.

                      MediocreFred

                      Upgraded to v2.5.1 yesterday. However, this morning, snort was not running. The last snort related entry in the system log is the snort ruleset update shortly after midnight.

                      I was able to restart snort.

                      This used to be an issue with the builds a month or so back - is this a regression issue now?

                        caustic386

                        @vbentley:

                        There is a typographical error that occurs in two PHP files http://forum.pfsense.org/index.php/topic,51813.0.html

                        Unfortunately this did not fix my issue, even after editing both files.

                          caustic386

                          FYI -

                          Turning off the sensitive data preprocessor on the affected interface seems to have resolved the problem.  I can restart the service by hand, I'll report back tomorrow after an automatic rule update.

                            Fesoj

                            caustic386,

                            which rule sets did you load? If you are using the ET rules only, have a look at http://forum.pfsense.org/index.php/topic,51725.msg276658.html#msg276658 .

                            Updating with Snort.org rules should not give any problems with the latest sources.

                              caustic386

                              Update:  The service still fails overnight, but I can restart it manually with ease.

                              Fesoj, I'm using both ET and Snort.  Will your fix still apply?

                                Fesoj

                                I'm using both ET and Snort.  Will your fix still apply?

                                No, it won't. I have currently 4 machines running. 1 has only the ET rules installed, the others have Snort.org and ET rules. The patch is currently needed for the first machine. The rest is running fine. I'd guess you still have old GUI sources on your machine (older than a couple of days).

                                  caustic386

                                  I tried reinstalling the GUI components, but that broke the whole thing.  I reinstalled from scratch, but I'm guessing that put me back where I started (will fail overnight).

                                    Fesoj

                                    caustic386,

                                    more could be broken. If you have a saved configuration from your latest working setup, you could reinstall the entire environment via Diagnostics: Backup/restore.

                                      caustic386

                                      Unfortunately I'm in production, so that seems like a bad idea.  Is there a way to clean it all out by hand?

                                        Cino

                                        Failed on my box after uninstalling and reinstalling snort yesterday… had the normal sensitive data error this morning... I'll do it again and see what happens later today or tomorrow morning.

                                          dwood

                                          On AMD64, 2.0.1, Snort is working without issues so far, and updating (auto updating) providing I toggle the sensitive data preprocessor off.  This is the latest install as of Ermal's last change to fix the gettet typo.  caustic…point 3 will clean up old snort bits after you uninstall.

                                          If you are installing Snort make sure you do the following:

                                          1.  Uninstall (if you have an older version, suggest you not toggle "save settings" to on).  In other words, start fresh.
                                          2.  Create an alias in pfsense to reflect your old whitelist.  You will select this alias in the snort whitelist tab later.
                                          3.  Run this command using Diagnostics -> Command Prompt:  find /* | grep -i snort | xargs rm -rv  (removes old snort references)
                                          4.  Install latest.  Likely for this version you'll want to make sure that the sensitive data preprocessor is not selected.  I've got all others on.
                                          5.  Monitor blocking and prepare to add quite a few exclusions!  This is the set I'm using pretty much copy/pasted from the suppression tab:

                                          # HTTP Inspect Errors
                                          suppress gen_id 120, sig_id 3
                                          suppress gen_id 120, sig_id 6
                                          suppress gen_id 120, sig_id 8
                                          suppress gen_id 120, sig_id 10
                                          #
                                          suppress gen_id 1, sig_id 2014819
                                          #
                                          # This event indicates that a portable executable file has been downloaded. 
                                          suppress gen_id 1, sig_id 15306
                                          #
                                          # This event indicates that Email Addresses have been observed in traffic on the protected network.
                                          suppress gen_id 138, sig_id 5
                                          #
                                          # This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines. 
                                          suppress gen_id 1, sig_id 1390
                                          #
                                          # FILE-IDENTIFY download of executable content - x-header  -> stops windows download
                                          suppress gen_id 1, sig_id 16313
                                          #
                                          # FILE-IDENTIFY download of executable content -> stops file downloads
                                          suppress gen_id 1, sig_id 11192
                                          #
                                          #"GPL SHELLCODE x86 NOOP"
                                          suppress gen_id 1, sig_id 648
                                          
                                            caustic386
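                                          The root symptom in this thread is Snort refusing to start because line 1 of sensitive-data.rules names a classtype ("sdf") that the interface's classification.config does not declare. As an added example (not code from the thread or from the pfSense Snort package), here is a small pre-start check in Python that parses both files the way Snort's FATAL ERROR reports them, so a broken nightly rule update can be caught before the service is restarted; the embedded file contents are constructed samples, and the real files live under the per-interface directory shown in the first post (/usr/local/etc/snort/snort_<id>_<iface>/).

```python
import re
import sys

# Constructed sample of classification.config ("config classification: name,description,priority").
SAMPLE_CLASSIFICATION = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# Constructed sample of preproc_rules/sensitive-data.rules: the first two rules carry
# classtype "sdf", which the sample config above does not declare.
SAMPLE_SENSITIVE_DATA_RULES = """\
alert ( msg:"SENSITIVE-DATA Email Addresses"; sid:5; gid:138; rev:1; classtype:sdf; )
alert ( msg:"SENSITIVE-DATA U.S. Social Security Numbers"; sid:2; gid:138; rev:1; classtype:sdf; )
# alert ( msg:"commented out, not loaded"; sid:3; gid:138; classtype:sdf; )
alert tcp any any -> any any ( msg:"example"; sid:1000001; classtype:policy-violation; )
"""

CLASS_DECL_RE = re.compile(r"^\s*config\s+classification\s*:\s*([^,\s]+)")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;\s]+)\s*;")


def declared_classtypes(config_text):
    """Set of classtype names declared by 'config classification:' lines."""
    names = set()
    for line in config_text.splitlines():
        m = CLASS_DECL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def undeclared_classtypes(rules_text, declared):
    """(line_number, classtype) for each active rule whose classtype is not declared.
    Line numbers are 1-based, like the '(1)' in Snort's FATAL ERROR message."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment or commented-out rule: Snort does not load it
        for classtype in CLASSTYPE_RE.findall(line):
            if classtype not in declared:
                problems.append((lineno, classtype))
    return problems


if __name__ == "__main__":
    hits = undeclared_classtypes(SAMPLE_SENSITIVE_DATA_RULES,
                                 declared_classtypes(SAMPLE_CLASSIFICATION))
    for lineno, classtype in hits:
        print(f"sensitive-data.rules({lineno}) Unknown ClassType: {classtype}")
    sys.exit(1 if hits else 0)
```

Pointing the two functions at the real classification.config and each file under preproc_rules/ and rules/ (read with open()) turns this into a check to run after the rule update and before restarting the service.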

                                            That's exactly the process I've been using, but so far fails every time during nightly updates.  I'll try one more time and report back tomorrow.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.