Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.4 rules EOL

      kwiatekmkw

      Hello,
      Right now on pfSense 2.0.2 the package "Snort 2.9.2.3 pkg v. 2.5.4" uses snort.org rules 2.9.2.3, which are EOL since 2013-02-28.
      There is no newer Snort package available from pfSense; why? I found that a pfSense developer opened a pull request to update pfSense Snort to 2.9.4 (http://bit.ly/WW0tnV) but then closed the request on February 06, 2013.

      When will a Snort package be available from pfSense that works with rules from snort.org version 2.9.3.1 or 2.9.4.0?

        priller

        "Snort 2.9.2.3 is now EOL for rule support. This means we will no longer be releasing updates for this version of the rule engine. "

        I consider this to be rather important.  Can anybody comment on when the package will be updated to a supported version of Snort?

        Thanks

          bmeeks

          There was a Github Pull Request back in late December by a developer to upgrade the Snort binary package to 2.9.4.  However, I see now that request has been closed by the same developer.

          I made changes to the GUI part of the Snort package (the PHP files) back in January 2013 to add the new features for flowbit resolution and the VRT IPS Policy selections.  Several other fixes and additions were also in that set of changes.  However, I did not make any changes to the binary part of the package (the Snort executable itself) because I am not familiar with the package build process on pfSense.

          In my searching this weekend I did locate an updated "port" on FreeBSD of the Snort 2.9.4 binary.  None of the changes I made to the GUI should be impacted by a 2.9.4 update for the underlying binary.  So if someone knows how to incorporate the new Snort 2.9.4 binary port into the pfSense package, we should be good to go.

          Bill

            bwong3351

            I sure hope 2.9.4 will be available soon.

              bmeeks

              Good news!  One of the pfSense developers (Ermal) has agreed to upgrade the Snort binary to the 2.9.4 port for FreeBSD.  So in the near future there should be an updated Snort package.

              Bill

                kwiatekmkw

                Thanks a lot bmeeks. I hope that "near future" will be soon :) It will be great to have some info from developers.

                  drewy

                  Waiting with fingers crossed :)

                    drewy

                    Is there a simple method of updating the already installed package with a newer binary ?

                      maex

                      Great! Many, many thanks to all contributors!!!
                      Does Ermal already have an idea how long it will approximately take?
                      Thanks again and again!!!

                        bmeeks

                        @drewy:

                        Is there a simple method of updating the already installed package with a newer binary ?

                        Well, if you compiled the binary with the third-party Spoink patches applied and all required dependencies for FreeBSD 8.1, then "yes".  The GUI code should run fine with 2.9.4.x Snort binaries.

                        Bill

                          eri--

                          I upgraded the port to 2.9.4.1 so that should be ok now.

                            th3r3isnospoon

                            @ermal:

                            I upgraded the port to 2.9.4.1 so that should be ok now.

                            I tried to install the new version and it won't upgrade.  The installation aborts.

                            I just restored from a backup that I made prior to trying the new version and now my dashboard is missing a lot of info and Snort seems like it is 1/2 installed.

                            Under the package manager Snort is listed, but in the services menu it is not.

                            If I try to uninstall snort this is all that happens:
                            Removing snort components…
                            Menu items... done.
                            Services... done.
                            Loading package instructions...

                            And then it just sits there....

                            Almost seems all the new updates are not uploaded yet in order to upgrade?

                            Wish I didn't try it yet.... :-/

                            -th3r3isnospoon

                              th3r3isnospoon

                              Here is what happens when I try to download the new version:

                              Beginning package installation for snort...
                              Downloading package configuration file... done.
                              Saving updated package information... done.
                              Downloading snort and its dependencies... 
                              Checking for package installation... 
                               Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.68.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.68.tbz.
                              of mysql-client-5.1.68 failed!
                              
                              Installation aborted.Backing up libraries... 
                              Removing package...
                              Starting package deletion for mysql-client-5.1.68...done.
                              Starting package deletion for barnyard2-1.12...done.
                              Starting package deletion for libnet11-1.1.6_1,1...done.
                              Skipping package deletion for libdnet-1.11_3 because it is a dependency.
                              Skipping package deletion for libpcap-1.3.0 because it is a dependency.
                              Starting package deletion for daq-2.0.0...done.
                              Starting package deletion for snort-2.9.4.1...done.
                              Removing snort components...
                              Menu items... done.
                              Services... done.
                              Loading package instructions...
                              Include file snort.inc could not be found for inclusion.
                              Deinstall commands... 
                              Not executing custom deinstall hook because an include is missing.
                              Removing package instructions...done.
                              Auxiliary files... done.
                              Package XML... done.
                              Configuration... done.
                              Cleaning up... Failed to install package.
                              
                              Installation halted.
                              

                              -th3r3isnospoon

                                fragged

                                I was able to install the new version, but when I try to start up snort I get:

                                snort[75049]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

                                  jimp

                                  fixed now.

                                  As with previous snort binary upgrades, make sure you uninstall completely and then reinstall to ensure you have the correct set of files/packages.

                                    th3r3isnospoon

                                    Awesome, I got Snort installed now, thanks!

                                    It won't start when balanced or security is enabled for the rules under Snort settings.  This is what I get:

                                    Mar 21 18:16:34 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                                    Mar 21 18:17:09 	check_reload_status: Syncing firewall
                                    Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                                    Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Resolving and auto-enabling flowbit required rules for WAN...
                                    Mar 21 18:17:22 	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
                                    Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                                    Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                                    Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                                    Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                                    Mar 21 18:17:26 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                                    

                                    Any ideas?

                                    Thanks,

                                    -th3r3isnospoon

                                      josemaX

                                      @th3r3isnospoon:

                                      Awesome, I got Snort installed now, thanks!

                                      It won't start when balanced or security is enabled for the rules under Snort settings.  This is what I get:

                                      Mar 21 18:16:34 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                                      Mar 21 18:17:09 	check_reload_status: Syncing firewall
                                      Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                                      Mar 21 18:17:11 	php: /snort/snort_rulesets.php: Resolving and auto-enabling flowbit required rules for WAN...
                                      Mar 21 18:17:22 	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
                                      Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                                      Mar 21 18:17:23 	php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                                      Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                                      Mar 21 18:17:26 	snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                                      Mar 21 18:17:26 	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                                      

                                      Any ideas?

                                      Thanks,

                                      -th3r3isnospoon

                                      Hello

                                      I had this problem in a machine that had Snort worked again, but in a newly installed one today it worked at first, so I went to investigate this and got it working again this way:

                                      First, I removed Snort from the GUI as jimp said before and reinstalled it. No luck.

                                      Then I removed it again from the GUI, SSHed into the pfSense box, searched for remaining Snort-related packages and found this:

                                      pkg_info | grep -i snort

                                      barnyard2-1.9_2    An output system for Snort or Suricata that parses unified2 
                                      daq-0.6.2          Data Acquisition abstraction library for snort 2.9+
                                      snort-2.9.0.5_1    Lightweight network intrusion detection system
                                      snort-2.9.2.3      Lightweight network intrusion detection system

                                      So I removed them (got a lot of errors about files/directories that don't exist, but they disappeared from pkg_info). The daq is removed at the end because of a dependency problem if it is removed before the snort packages.

                                      pkg_delete barnyard2-1.9_2
                                      pkg_delete snort-2.9.0.5_1
                                      pkg_delete snort-2.9.2.3
                                      pkg_delete daq-0.6.2

                                      Then installed again Snort from GUI and no luck again, so uninstalled again, returned to the shell and removed the files that remained in dynamic rules:

                                      ls -la /usr/local/lib/snort/dynamicrules
                                      total 2912
                                      drwxr-xr-x  2 root  wheel    1024 Mar 22 21:14 .
                                      drwxr-xr-x  3 root  wheel     512 Mar 22 21:17 ..
                                      -rwxr-xr-x  1 root  wheel  215070 Mar 21 06:06 bad-traffic.so
                                      -rwxr-xr-x  1 root  wheel   35048 Mar 21 06:06 chat.so
                                      -rwxr-xr-x  1 root  wheel  289620 Mar 21 06:06 dos.so
                                      -rwxr-xr-x  1 root  wheel  415191 Mar 21 06:06 exploit.so
                                      -rwxr-xr-x  1 root  wheel   35957 Mar 21 06:06 icmp.so
                                      -rwxr-xr-x  1 root  wheel   38334 Mar 21 06:06 imap.so
                                      -rwxr-xr-x  1 root  wheel  271491 Mar 21 06:06 misc.so
                                      -rwxr-xr-x  1 root  wheel   57845 Mar 21 06:06 multimedia.so
                                      -rwxr-xr-x  1 root  wheel  194032 Mar 21 06:06 netbios.so
                                      -rwxr-xr-x  1 root  wheel   34118 Mar 21 06:06 nntp.so
                                      -rwxr-xr-x  1 root  wheel   32907 Mar 21 06:06 p2p.so
                                      -rwxr-xr-x  1 root  wheel  120708 Mar 21 06:06 smtp.so
                                      -rwxr-xr-x  1 root  wheel   57449 Mar 21 06:06 snmp.so
                                      -rwxr-xr-x  1 root  wheel   67883 Mar 21 06:06 specific-threats.so
                                      -rwxr-xr-x  1 root  wheel   44049 Mar 21 06:06 web-activex.so
                                      -rwxr-xr-x  1 root  wheel  821935 Mar 21 06:06 web-client.so
                                      -rwxr-xr-x  1 root  wheel   35336 Mar 21 06:06 web-iis.so
                                      -rwxr-xr-x  1 root  wheel   62244 Mar 21 06:06 web-misc.so

                                      So,

                                      rm -rf /usr/local/lib/snort/dynamicrules

                                      Installed again from GUI, and voila! it is working.

                                      Hope this helps someone and helps to fix the reinstall process.

                                      Best,
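
The check behind the cleanup described in the post above, as an added example that is not part of the original thread: it reads Snort's FATAL ERROR lines and reports which shared-object rule libraries were built for an older dynamic engine, and which directory therefore holds leftovers. The function names (`sample_log`, `stale_rule_libs`, `stale_rule_dirs`) are hypothetical and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report Snort shared-object rule
# libraries that were built for an older dynamic engine than the one installed.

# Constructed sample log. The web-misc.so lines mirror the error quoted in the
# thread; the exploit.so line is made up to show a second stale library.
sample_log() {
cat <<'EOF'
Mar 21 18:17:23 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
Mar 21 18:17:26 snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
Mar 21 18:17:26 snort[15764]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
Mar 21 18:19:02 snort[16011]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/exploit.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
Mar 21 18:19:02 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
EOF
}

# Read log text on stdin; print one line per distinct stale library:
#   <rule library path> <engine version it was built for> <installed engine version>
# "isn.t" matches the apostrophe without breaking the shell quoting.
stale_rule_libs() {
  sed -n 's/.*FATAL ERROR: The dynamic detection library "\([^"]*\)" version [^ ]* compiled with dynamic engine library version \([0-9]*\.[0-9]*\) isn.t compatible with the current dynamic engine library "[^"]*" version \([0-9]*\.[0-9]*\).*/\1 \2 \3/p' |
    sort -u
}

# Read log text on stdin; print each directory that holds a stale rule library.
# These are the directories left behind by the old package; nothing is deleted
# here. Assumes library paths contain no spaces.
stale_rule_dirs() {
  stale_rule_libs | while read -r lib built current; do
    dirname "$lib"
  done | sort -u
}

echo "Stale rule libraries (path, built for engine, installed engine):"
sample_log | stale_rule_libs
echo "Directories holding leftovers from the previous install:"
sample_log | stale_rule_dirs
```

On a real system, pipe the system log text into `stale_rule_libs` instead of `sample_log`.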

                                        th3r3isnospoon

                                        Nice josemaX  ;D

                                        I actually got my Snort to work as well.

                                        I reinstalled the whole thing this past afternoon and it is now working flawlessly :)

                                        -th3r3isnospoon

                                          Gradius

                                          Thanks, this fixed my issue too.

                                          Looks like over time it can accumulate "trash" from update to update.  :'(

                                            c0urier

                                            @josemaX:

                                            Then installed again Snort from GUI and no luck again, so uninstalled again, returned to the shell and removed the files that remained in dynamic rules:

                                            ls -la /usr/local/lib/snort/dynamicrules
                                            total 2912
                                            drwxr-xr-x  2 root  wheel    1024 Mar 22 21:14 .
                                            drwxr-xr-x  3 root  wheel     512 Mar 22 21:17 ..
                                            -rwxr-xr-x  1 root  wheel  215070 Mar 21 06:06 bad-traffic.so
                                            -rwxr-xr-x  1 root  wheel   35048 Mar 21 06:06 chat.so
                                            -rwxr-xr-x  1 root  wheel  289620 Mar 21 06:06 dos.so
                                            -rwxr-xr-x  1 root  wheel  415191 Mar 21 06:06 exploit.so
                                            -rwxr-xr-x  1 root  wheel   35957 Mar 21 06:06 icmp.so
                                            -rwxr-xr-x  1 root  wheel   38334 Mar 21 06:06 imap.so
                                            -rwxr-xr-x  1 root  wheel  271491 Mar 21 06:06 misc.so
                                            -rwxr-xr-x  1 root  wheel   57845 Mar 21 06:06 multimedia.so
                                            -rwxr-xr-x  1 root  wheel  194032 Mar 21 06:06 netbios.so
                                            -rwxr-xr-x  1 root  wheel   34118 Mar 21 06:06 nntp.so
                                            -rwxr-xr-x  1 root  wheel   32907 Mar 21 06:06 p2p.so
                                            -rwxr-xr-x  1 root  wheel  120708 Mar 21 06:06 smtp.so
                                            -rwxr-xr-x  1 root  wheel   57449 Mar 21 06:06 snmp.so
                                            -rwxr-xr-x  1 root  wheel   67883 Mar 21 06:06 specific-threats.so
                                            -rwxr-xr-x  1 root  wheel   44049 Mar 21 06:06 web-activex.so
                                            -rwxr-xr-x  1 root  wheel  821935 Mar 21 06:06 web-client.so
                                            -rwxr-xr-x  1 root  wheel   35336 Mar 21 06:06 web-iis.so
                                            -rwxr-xr-x  1 root  wheel   62244 Mar 21 06:06 web-misc.so

                                            So,

                                            rm -rf /usr/local/lib/snort/dynamicrules

                                            Installed again from GUI, and voila! it is working.

                                            Hope this helps someone and helps to fix the reinstall process.

                                            Best,

                                            Awesome josemaX !

                                            pfsense: 2.1.5-RELEASE, AMD64
                                            Running on: MB/CPU: ASUS P8H77-I / Core i3-2120T | MEM: 8GB DDR3 | HDD: WD Blue 120GB 2.5" SATA | WAN/LAN: Fujitsu D2735-2 – Intel® chip 82576NS | WLAN: Realtek® 8111F PCIe | Connection: 1000/1000Mbit (Bredband2.com)