Snort and Interface Enable/Disable
-
@onhel:
Enabling an interface kicks off this error but System Logs show Initialization Complete and the Interface in fact does Enable.
Warning: is_dir() expects parameter 1 to be string, array given in /usr/local/pkg/snort/snort.inc on line 924
Warning: is_file() expects parameter 1 to be string, array given in /usr/local/pkg/snort/snort.inc on line 926
Warning: is_dir() expects parameter 1 to be string, array given in /usr/local/pkg/snort/snort.inc on line 924
Warning: is_file() expects parameter 1 to be string, array given in /usr/local/pkg/snort/snort.inc on line 926
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:924) in /usr/local/www/snort/snort_interfaces.php on line 129
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:924) in /usr/local/www/snort/snort_interfaces.php on line 130
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:924) in /usr/local/www/snort/snort_interfaces.php on line 131
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:924) in /usr/local/www/snort/snort_interfaces.php on line 132
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:924) in /usr/local/www/snort/snort_interfaces.php on line 133
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:924) in /usr/local/www/snort/snort_interfaces.php on line 136
I think I have found and fixed the errors toward the bottom of your post related to "…headers already sent...". I accidentally moved a section of HTML code into the wrong place in a file. At least I think that's the cause. The file package I just sent you via e-mail will hopefully fix the "…headers already sent..." messages.
As for the Rule Update warning, I will check that one out. I made a last minute change late last night that I might not have thoroughly checked out.
-- UPDATE --
I found the problem with the warnings about strings and arrays. It's an easy fix. I'm still new to PHP coding, and I made a newbie mistake by not testing the variable type before passing it to some PHP functions.
Bill
-
@onhel:
In testing the memcap setting, the most surefire way I know to trigger the "S5: Pruned 5 sessions from cache for memcap" error was to run a speedtest and max out my bandwidth. I have a 50/5 connection so your recommendation of a 32MB Stream5 memcap was still setting off that error. I raised it to 134217728 (128MB) since I have a lot of free memory and that error is now gone. :)
There is a stream5 configuration parameter available called
prune_log_max [bytes]
Setting this to zero is supposed to suppress the logging of those "pruned session" messages. However, I could not get it to work, so I did not include it in my changes. This parameter is designed to set the threshold of logging the pruned messages.
-
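Added example, not part of any post in this thread: one way to check whether the Stream5 memcap is still being hit after a change is to count the "S5: Pruned N sessions from cache for memcap" messages per minute in the system log. The log lines below are constructed samples; the syslog prefix, host name and burst threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). Only the
# "S5: Pruned N sessions from cache for memcap" text is quoted on the page;
# timestamps, host name and PID are assumptions.
SAMPLE_LOG = """\
Jul 10 21:14:02 fw snort[4242]: S5: Pruned 5 sessions from cache for memcap
Jul 10 21:14:02 fw snort[4242]: S5: Pruned 5 sessions from cache for memcap
Jul 10 21:14:31 fw snort[4242]: S5: Pruned 5 sessions from cache for memcap
Jul 10 21:15:07 fw snort[4242]: S5: Pruned 5 sessions from cache for memcap
Jul 10 21:15:09 fw php: /snort/snort_interfaces.php: Initialization Complete
Jul 10 23:40:55 fw snort[4242]: S5: Pruned 5 sessions from cache for memcap
"""

# Capture the timestamp down to the minute and the number of pruned sessions.
PRUNE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d{2}:\d{2}):\d{2}\s+\S+\s+snort\[\d+\]:\s+"
    r"S5: Pruned (?P<count>\d+) sessions? from cache for memcap"
)

def prune_events_per_minute(log_text):
    """Return Counter {"Mon DD HH:MM": sessions pruned in that minute}."""
    per_minute = Counter()
    for line in log_text.splitlines():
        m = PRUNE_RE.match(line)
        if m:
            per_minute[m.group("minute")] += int(m.group("count"))
    return per_minute

def memcap_pressure(log_text, burst_threshold=10):
    """Summarise prune activity; minutes at or over burst_threshold suggest
    the Stream5 memcap is too small for peak traffic."""
    per_minute = prune_events_per_minute(log_text)
    bursts = sorted(m for m, n in per_minute.items() if n >= burst_threshold)
    return {
        "total_pruned": sum(per_minute.values()),
        "minutes_with_prunes": len(per_minute),
        "burst_minutes": bursts,
    }

if __name__ == "__main__":
    print(memcap_pressure(SAMPLE_LOG))
```

Running it over the log before and after raising the memcap shows whether the prune bursts that coincide with peak traffic have actually stopped.
-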
Well, it's definitely gone now that the memcap is above my bandwidth. I always assumed that the memcap should at least be able to deal with the bandwidth coming in as a buffer, so being able to set it now is a plus.
-
Ok, so far so good. No errors, no problems and running smooth. Looking at the below pic, Snort Rules Tab, Rule Changed By User, very nice.
-
@onhel:
Ok, so far so good. No errors, no problems and running smooth. Looking at the below pic, Snort Rules Tab, Rule Changed By User, very nice.
Good to hear. Running well so far for me as well on my test machines.
I added the special color-coding for the disablesid and enablesid changes made by the user because I thought at some point down the road folks might want to be able to quickly tell which rules they toggled to enabled or disabled from their default state. There are two small buttons at the top of the page on the right to let you "reset to defaults" the currently selected rule category, or "reset all" to reset all the rules in all categories to defaults. These two buttons just remove all your enablesid/disablesid changes for either the selected category, or all categories, (depending on which button you click).
SID enable/disable modifications should now persist across rule updates and Snort instance stops and starts. Maybe some of the other posters in this thread complaining about this bug will contact me via PM and I can provide them the files to test with so they can test the persistence of enablesid/disablesid changes in this new code.
-
Will do! Very busy ATM!
-
Package of snort has been updated with changes proposed.
If you would like to test, just reinstall snort.
-
YOU are the CHAMP Ermal!!
-
I get this error….
-
More errors….I uninstalled package and reinstalled to see if it fixed the unicode error reported in the previous post.
It resulted in this...
Stuck on auto-enabling flowbits and error line 375 in /usr/local/pkg/snort/snort_check_for_rule_updates.php on line 375
-
Have you gotten past this error yet, Super?
I'm still running Bill's code without any errors and now that the actual Snort package has been updated, I'm reluctant to upgrade if it's going to be a showstopper.
I think a new thread should be started with the appropriate Testing Snort 2.9.2.3 pkg v. 2.5.3 as a title.
-
I deleted the package completely and installed again.
The unicode error went away and SSL_State emerged.
I checked the SSL_State preprocessor and it runs fine! Without the checkbox checked, it crashes…
-
Updated the package to 2.5.3 via Webgui and got the unicode map file error again!!!!!!
So basically have to do a manual uninstall and install again since it apparently is not able to update the package.
Not good…. Something is wrong in the package building section of events.
Production remains on 2.5.2 until this is resolved.
-
DON'T UPGRADE THE PACKAGE TO 2.5.3!!!!!!!!!!!!!!!!!!!!
Even a fresh install triggers the rule_updates.php error!!!
So currently running the testbox WITHOUT snort….!
-
Reinstall resolved the issue
-
Have you changed it Ermal???
Both reinstall and fresh install are not working!
-
The error in the Updates tab is due to a small change made to preface all the new function names in the code with "snort_". Ermal patched these up just before release to add the prefix, and it looks like one call in the UPDATES tab code got missed. It's looking for the old function name of "build_sig_msg_map()" instead of the patched up name of "snort_build_sid_msg_map()".
It's an easy fix, and hopefully Ermal can push it out shortly.
Bill
-
Thanks Bill!!
-
Yes, I fixed it, but it takes about 30 minutes for the package code to sync.
-
Thanks all for fixing the update error, I will fix it tonight when I get home.