Snort 2.9.2.3 pkg v. 2.5.4 rules EOL



  • Hello,
    Right now on pfsense 2.0.2 package "Snort 2.9.2.3 pkg v. 2.5.4" use snort.org rules 2.9.2.3 which is EOL from 2013-02-28.
    It is not available newer snort package from pfsense, why? I found that pfsense developer pulled request to update pfSense snort to 2.9.4 http://bit.ly/WW0tnV  but then he closed request at February 06, 2013.

    When it will be available snort package from pfsense which will work with rule from snort.org version 2.9.3.1 or 2.9.4.0 ??



  • "Snort 2.9.2.3 is now EOL for rule support. This means we will no longer be releasing updates for this version of the rule engine. "

    I consider this to be rather important.  Can anybody comment on when the package will be updated to a supported version of Snort?

    Thanks



  • There was a Github Pull Request back in late December by a developer to upgrade the Snort binary package to 2.9.4.  However, I see now that request has been closed by the same developer.

    I made changes to the GUI part of the Snort package (the PHP files) back in January 2013 to add the new features for flowbit resolution and the VRT IPS Policy selections.  Several other fixes and additions were also in that set of changes.  However, I did not make any changes to the binary part of the package (the Snort executable itself) because I am not familiar with the package build process on pfSense.

    In my searching this weekend I did locate an updated "port" on FreeBSD of the Snort 2.9.4 binary.  None of the changes I made to the GUI should be impacted by a 2.9.4 update for the underlying binary.  So if someone knows how to incorporate the new Snort 2.9.4 binary port into the pfSense package, we should be good to go.

    Bill



  • I sure hope 2.9.4 will be available for soon.



  • Good news!  One of the pfSense developers (Ermal) has agreed to upgrade the Snort binary to the 2.9.4 port for FreeBSD.  So in the near future there should be an updated Snort package.

    Bill



  • Thanks a lot bmeeks. I hope that "near future" will be soon :) It will be grate to have some info from developers.



  • Waiting with fingers crossed :)



  • Is there a simple method of updating the already installed package with a newer binary ?



  • Great! Many, many thanks to all contributors!!!
    Does Ermal already have an idea how long it will approximately take?
    Thanks again and again!!!



  • @drewy:

    Is there a simple method of updating the already installed package with a newer binary ?

    Well, if you compiled the binary with the third-party Spoink patches applied and all required dependencies for FreeBSD 8.1, then "yes".  The GUI code should run fine with 2.9.4.x Snort binaries.

    Bill



  • I upgraded the port to 2.9.4.1 so that should be ok now.



  • @ermal:

    I upgraded the port to 2.9.4.1 so that should be ok now.

    I tried to install the new version and it won't upgrade.  The installation aborts.

    I just restored from a backup that I made prior to trying the new version and now my dashboard is missing a lot of info and Snort is seems like it is 1/2 installed.

    Under the package manager Snort is listed, but in the services menu it is not.

    If I try to uninstall snort this is all that happens:
    Removing snort components…
    Menu items... done.
    Services... done.
    Loading package instructions...

    And then it just sits there....

    Almost seems all the new updates are not uploaded yet in order to upgrade?

    Wish I didn't try it yet.... :-/

    -th3r3isnospoon



  • Here is what happens when I try to download the new version:

    Beginning package installation for snort...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies... 
    Checking for package installation... 
     Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.68.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.68.tbz.
    of mysql-client-5.1.68 failed!
    
    Installation aborted.Backing up libraries... 
    Removing package...
    Starting package deletion for mysql-client-5.1.68...done.
    Starting package deletion for barnyard2-1.12...done.
    Starting package deletion for libnet11-1.1.6_1,1...done.
    Skipping package deletion for libdnet-1.11_3 because it is a dependency.
    Skipping package deletion for libpcap-1.3.0 because it is a dependency.
    Starting package deletion for daq-2.0.0...done.
    Starting package deletion for snort-2.9.4.1...done.
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file snort.inc could not be found for inclusion.
    Deinstall commands... 
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.
    
    Installation halted.
    

    -th3r3isnospoon



  • I was able to install the new version, but when I try to start up snort I get:

    snort[75049]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.


  • Rebel Alliance Developer Netgate

    fixed now.

    As with previous snort binary upgrades, make sure you uninstall completely and then reinstall to ensure you have the correct set of files/packages.



  • Awesome, I got Snort installed now, thanks!

    It won't start when balanced or security is enabled for the rules under Snort settings.  This is what I get:

    Mar 21 18:16:34 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
    Mar 21 18:17:09 	check_reload_status: Syncing firewall
    Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
    Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Resolving and auto-enabling flowbit required rules for WAN...
    Mar 21 18:17:22 	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
    Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
    Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
    Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
    Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
    Mar 21 18:17:26 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
    

    Any ideas?

    Thanks,

    -th3r3isnospoon



  • @th3r3isnospoon:

    Awesome, I got Snort installed now, thanks!

    It won't start when balanced or security is enabled for the rules under Snort settings.  This is what I get:

    Mar 21 18:16:34 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
    Mar 21 18:17:09 	check_reload_status: Syncing firewall
    Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
    Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Resolving and auto-enabling flowbit required rules for WAN...
    Mar 21 18:17:22 	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
    Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
    Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
    Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
    Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
    Mar 21 18:17:26 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
    

    Any ideas?

    Thanks,

    -th3r3isnospoon

    Hello

    I had this problem in a machine that had Snort worked again, but in a new installed one today it worked at first, so i went to investigate this and got it working again this way:

    First, i removed Snort from GUI as jimp said before and reinstalled it. No luck

    Then i removed again from the GUI and ssh into the pfSense box and searched for remaining Snort related packages and found this:

    pkg_info | grep -i snort

    barnyard2-1.9_2    An output system for Snort or Suricata that parses unified2 
    daq-0.6.2          Data Acquisition abstraction library for snort 2.9+
    snort-2.9.0.5_1    Lightweight network intrusion detection system
    snort-2.9.2.3      Lightweight network intrusion detection system

    So i removed them (got a lot of errors about files/directories that don't exists, but they dissapeared from pkg_info). The daq is removed at the end because a dependencies problem if removed before snort packages.

    pkg_delete barnyard2-1.9_2
    pkg_delete snort-2.9.0.5_1
    pkg_delete snort-2.9.2.3
    pkg_delete daq-0.6.2

    Then installed again Snort from GUI and no luck again, so uninstalled again, returned to the shell and removed the files that remained in dynamic rules:

    ls -la /usr/local/lib/snort/dynamicrules
    total 2912
    drwxr-xr-x  2 root  wheel    1024 Mar 22 21:14 .
    drwxr-xr-x  3 root  wheel    512 Mar 22 21:17 ..
    -rwxr-xr-x  1 root  wheel  215070 Mar 21 06:06 bad-traffic.so
    -rwxr-xr-x  1 root  wheel  35048 Mar 21 06:06 chat.so
    -rwxr-xr-x  1 root  wheel  289620 Mar 21 06:06 dos.so
    -rwxr-xr-x  1 root  wheel  415191 Mar 21 06:06 exploit.so
    -rwxr-xr-x  1 root  wheel  35957 Mar 21 06:06 icmp.so
    -rwxr-xr-x  1 root  wheel  38334 Mar 21 06:06 imap.so
    -rwxr-xr-x  1 root  wheel  271491 Mar 21 06:06 misc.so
    -rwxr-xr-x  1 root  wheel  57845 Mar 21 06:06 multimedia.so
    -rwxr-xr-x  1 root  wheel  194032 Mar 21 06:06 netbios.so
    -rwxr-xr-x  1 root  wheel  34118 Mar 21 06:06 nntp.so
    -rwxr-xr-x  1 root  wheel  32907 Mar 21 06:06 p2p.so
    -rwxr-xr-x  1 root  wheel  120708 Mar 21 06:06 smtp.so
    -rwxr-xr-x  1 root  wheel  57449 Mar 21 06:06 snmp.so
    -rwxr-xr-x  1 root  wheel  67883 Mar 21 06:06 specific-threats.so
    -rwxr-xr-x  1 root  wheel  44049 Mar 21 06:06 web-activex.so
    -rwxr-xr-x  1 root  wheel  821935 Mar 21 06:06 web-client.so
    -rwxr-xr-x  1 root  wheel  35336 Mar 21 06:06 web-iis.so
    -rwxr-xr-x  1 root  wheel  62244 Mar 21 06:06 web-misc.so

    So,

    rm -rf /usr/local/lib/snort/dynamicrules

    Installed again from GUI, and voila! it is working.

    Hope this helps someone and helps to fix the reinstall process.

    Best,



  • Nice josemaX  ;D

    I actually got my Snort to work as well.

    I reinstalled the whole thing this past afternoon and it now its working flawlessly :)

    -th3r3isnospoon



  • Thanks, this fixed my issue too.

    Looks like over the time it can accumulate "trash" from update to update.  :'(



  • @josemaX:

    Then installed again Snort from GUI and no luck again, so uninstalled again, returned to the shell and removed the files that remained in dynamic rules:

    ls -la /usr/local/lib/snort/dynamicrules
    total 2912
    drwxr-xr-x  2 root  wheel    1024 Mar 22 21:14 .
    drwxr-xr-x  3 root  wheel     512 Mar 22 21:17 ..
    -rwxr-xr-x  1 root  wheel  215070 Mar 21 06:06 bad-traffic.so
    -rwxr-xr-x  1 root  wheel   35048 Mar 21 06:06 chat.so
    -rwxr-xr-x  1 root  wheel  289620 Mar 21 06:06 dos.so
    -rwxr-xr-x  1 root  wheel  415191 Mar 21 06:06 exploit.so
    -rwxr-xr-x  1 root  wheel   35957 Mar 21 06:06 icmp.so
    -rwxr-xr-x  1 root  wheel   38334 Mar 21 06:06 imap.so
    -rwxr-xr-x  1 root  wheel  271491 Mar 21 06:06 misc.so
    -rwxr-xr-x  1 root  wheel   57845 Mar 21 06:06 multimedia.so
    -rwxr-xr-x  1 root  wheel  194032 Mar 21 06:06 netbios.so
    -rwxr-xr-x  1 root  wheel   34118 Mar 21 06:06 nntp.so
    -rwxr-xr-x  1 root  wheel   32907 Mar 21 06:06 p2p.so
    -rwxr-xr-x  1 root  wheel  120708 Mar 21 06:06 smtp.so
    -rwxr-xr-x  1 root  wheel   57449 Mar 21 06:06 snmp.so
    -rwxr-xr-x  1 root  wheel   67883 Mar 21 06:06 specific-threats.so
    -rwxr-xr-x  1 root  wheel   44049 Mar 21 06:06 web-activex.so
    -rwxr-xr-x  1 root  wheel  821935 Mar 21 06:06 web-client.so
    -rwxr-xr-x  1 root  wheel   35336 Mar 21 06:06 web-iis.so
    -rwxr-xr-x  1 root  wheel   62244 Mar 21 06:06 web-misc.so

    So,

    rm -rf /usr/local/lib/snort/dynamicrules

    Installed again from GUI, and voila! it is working.

    Hope this helps someone and helps to fix the reinstall process.

    Best,

    Awesome josemaX !


  • Banned

    The weird part is that pfsense/Snort acts like Windows since the accumulated trash doesnt get deleted when packages are removed or reinstalled!



  • @Supermule:

    The weird part is that pfsense/Snort acts like Windows since the accumulated trash doesnt get deleted when packages are removed or reinstalled!

    Have to agree with you on that part. Wintendo.



  • The problem with is that snort is a really bad package in general.
    When you reinstall you complain that your rules were there and you want them on the other side
    you complain that the old craft is being kept there!

    I will give a look to find the compromise but for now its a bit of solution needed.



  • josemaX,

    Your fix totally worked for me. Thanks!



  • I'm glad that i could help you.  :D

    Best,


Log in to reply