Snort 2.9.4.1 Pkg 2.5.4 – Fix for SO rules version mismatch and failed startup


  • ERMAL WE NEED YOU URGENTLY!!



  • Bill, that explanation was maybe my favourite post ever here.  While I make no claims on code prowess, I really appreciate the under-hood explanation of what's going on.  I used to try the variety of work-arounds that are normally offered up after debugging a package.  It's a lot more time efficient however to watch posts like yours, and enter back into debugging/testing contribution phase once it looks like things "should" work.  Again thanks to all for their efforts.

    Cheers,
    Dennis.



  • @bmeeks:

    Until my latest bug fix is incorporated into the binary build of Snort on pfSense,…......

    Is it possible for us to apply this fix ourselves? If so I am sure we would all be very grateful if you could describe the solution for us.

    Kind regards



  • I wasn't aware this needed a manual package build, I just kicked one off on both the 8.1 (2.0.x) package builders.



  • package build finished and is uploaded. Entirely untested, please try it out and report back.



  • @cmb:

    package build finished and is uploaded. Entirely untested, please try it out and report back.

    Thanks for everyone's hard work on this.  :)

    I just tested out the latest build and it seems to have fixed the wan blocking problem.

    Thanks!

    -th3r3isnospoon



  • @cmb:

    I wasn't aware this needed a manual package build, I just kicked one off on both the 8.1 (2.0.x) package builders.

    Thanks!  When I submitted the Pull Request, I was also unaware that a manual build would be required.  Next time I will raise the flag for the manual rebuild of the binary.

    Is there a reason the Snort package is different from the other packages with regards to the manual build?

    Bill



  • Just uninstall, then install the package.
    It looks like it is working; I see the same IPs blocked, but WAN is OK so far.
    (Snort 2.9.4.1 Pkg 2.5.4, Emergingthreats rules only)
    Thanks



  • @bmeeks:

    Thanks!  When I submitted the Pull Request, I was also unaware that a manual build would be required.  Next time I will raise the flag for the manual rebuild of the binary.

    Thanks, I'd appreciate that.

    Otherwise we end up with chicken littles who somehow extrapolate the package not getting built as "the project is dying".  ::)

    @bmeeks:

    Is there a reason the Snort package is different from the other packages with regards to the manual build?

    The 2.0.x packages aren't auto-built at all (AFAIK), I believe that only happens with PBIs. JimP is more authoritative on that subject and he's on vacation at the moment.



  • Thank you so much for the fix. Snort is up and working well



  • It appears to be working for me as well, many thanks this is much appreciated.



  • Whatever I try, I cannot get it to work.

    Mar 26 09:53:26	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
    Mar 26 09:53:26	php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
    Mar 26 09:53:27	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:42	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
    Mar 26 09:53:42	kernel: em0: promiscuous mode enabled
    Mar 26 09:58:25	kernel: pid 68798 (snort), uid 0: exited on signal 11
    Mar 26 09:58:25	kernel: em0: promiscuous mode disabled
    

    I am on the latest 2.1 snapshot, removed everything related to snort and started from scratch.
    I have an alias Whitelist with some IPs in it, so I do not understand the "Non ip() parameter passed" error.
    And then the "signal 11 exit". Where should I look, because there is no logging either?
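    Added example, not code from this thread or from the pfSense Snort package: a pre-start check over a whitelist alias export that reports which entries are not an IP address or CIDR block. It assumes (the thread does not confirm this) that the "Non ip() parameter passed with white list, skipping..." line refers to entries Snort cannot parse as an address; SAMPLE_WHITELIST is a constructed sample, not a real export.

```python
import ipaddress

# Constructed sample of a whitelist alias export, one entry per line.
# The hostname, port, bad octet and range entries are the kinds of value
# that are not a plain IP/CIDR and are assumed to be what Snort skips.
SAMPLE_WHITELIST = """\
# trusted hosts (constructed sample, not a real export)
192.168.1.10
10.0.0.0/8
2001:db8::/32
fe80::1
mail.example.com
443
300.1.2.3
10.0.0.1-10.0.0.20
"""


def _is_ip_range(entry):
    """True when entry looks like 'addr-addr' with both ends parseable."""
    lo, sep, hi = entry.partition("-")
    if not sep:
        return False
    try:
        ipaddress.ip_address(lo.strip())
        ipaddress.ip_address(hi.strip())
        return True
    except ValueError:
        return False


def classify_whitelist(text):
    """Split whitelist lines into parseable networks and skipped entries.

    Returns (accepted, skipped): accepted holds normalised CIDR strings,
    skipped holds (line_number, raw_entry, reason) tuples.
    """
    accepted, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR, e.g. 10.1.2.3/8
            accepted.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            if _is_ip_range(entry):
                reason = "range syntax; expand to CIDR blocks"
            elif entry.isdigit():
                reason = "port number, not an address"
            else:
                reason = "not an IP address or CIDR block"
            skipped.append((lineno, entry, reason))
    return accepted, skipped
```

    Run it over the alias contents before starting the interface; every entry in the skipped list is one Snort will not honour as a whitelist address.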



  • @gogol:

    Whatever I try, I cannot get it to work.

    Mar 26 09:53:26	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
    Mar 26 09:53:26	php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
    Mar 26 09:53:27	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
    Mar 26 09:53:42	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
    Mar 26 09:53:42	kernel: em0: promiscuous mode enabled
    Mar 26 09:58:25	kernel: pid 68798 (snort), uid 0: exited on signal 11
    Mar 26 09:58:25	kernel: em0: promiscuous mode disabled
    

    I am on the latest 2.1 snapshot, removed everything related to snort and started from scratch.
    I have an alias Whitelist with some IPs in it, so I do not understand the "Non ip() parameter passed" error.
    And then the "signal 11 exit". Where should I look, because there is no logging either?

    Oops!  I only submitted the patch to the 2.0.x tree.  I believe the 2.1-BETA tree is a different Git repository.  I have been working solely in the 2.0.x tree so far as Snort goes.  I'm still new at this and not 100% familiar with the pfSense processes for user code submissions.  Let me see if I can get a fork of the 2.1-BETA repository and submit the same patches into that code branch for the pfSense guys to look at.

    Bill



  • That would be greatly appreciated =).

    Could you tell us what and where to edit in the mean time?



  • @c0urier:

    Could you tell us what and where to edit in the mean time?

    Unfortunately it's not an editable change in the GUI.  The actual Snort binary code itself has to be modified and recompiled to incorporate the fix.  That's not possible on the firewall.



  • @bmeeks:

    Oops!  I only submitted the patch to the 2.0.x tree.  I believe the 2.1-BETA tree is a different Git repository.  I have been working solely in the 2.0.x tree so far as Snort goes.  I'm still new at this and not 100% familiar with the pfSense processes for user code submissions.  Let me see if I can get a fork of the 2.1-BETA repository and submit the same patches into that code branch for the pfSense guys to look at.

    Ah, now I understand ;) I will review my options.



  • This should be available in the 2.1 packages now as well. Again untested so please report back.



  • @cmb:

    This should be available in the 2.1 packages now as well. Again untested so please report back.

    Thanks cmb!

    The error was mine, guys.  When I posted the binary patch, I did not bump the version in the package config file; so the automated build process did not realize it needed to rebuild the binary.  Both the 2.0.2 and 2.1-BETA trees now have the updated Snort binary that fixes the whitelist parsing bug that was generating WAN IP blocks.  Folks on 2.1-BETA can now remove and reinstall Snort to get the WAN IP blocking fix.

    Bill



  • Confirmed working after full uninstall and re-install (simple re-install on top of existing did not work) on:

    2.0.2-RELEASE (i386)
    built on Fri Dec 7 16:30:38 EST 2012
    FreeBSD 8.1-RELEASE-p13



  • I can confirm it works on:
    2.1-BETA1 (amd64)
    built on Tue Mar 26 19:03:27 EDT 2013
    FreeBSD 8.3-RELEASE-p6

    After an uninstall and re-installation, go to Snort, save the configuration, update and start snort.



  • I am still having signal 11 exits on my system as soon as I enable the "http_inspect" preprocessor. Without it I can run snort longer than 10 minutes ;)
    System:
    2.1-BETA1 (i386)
    built on Tue Mar 26 06:16:08 EDT 2013
    snort 2.9.4.1 pkg 2.5.4

    I did some testing like:
    ```
    /usr/local/bin/snort -T -c /usr/local/etc/snort/my_snort_sensor/snort.conf
    ```

    The previous package worked fine. Can I install that again and how?


  • Hi all,

    I've just installed Snort for the first time and seems like (based on my ini) the issue in post 1 is fixed. However, when I update rules I'm not sure it's actually installing them properly. I hit Update Rules, and afterwards I see:

    INSTALLED SIGNATURE RULESET
    
    SNORT.ORG >>>   N/A
    EMERGINGTHREATS.NET >>>   1d5323d8a461c52ada90fa1cd29cf540
    

    And the button to view the log is grayed out. Also, I have no Rules tab like in the Wiki, which I'm assuming is because of the N/A above.

    System log (it had been more than 15 minutes since the last attempt to update):

    Mar 27 09:29:30	php: /snort/snort_download_rules.php: The Rules update has finished...
    Mar 27 09:29:30	php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
    Mar 27 09:29:29	php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
    Mar 27 09:29:29	php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
    

    Any idea what I'm doing wrong?

    Thanks,
    Ben



  • @Fmstrat:

    Hi all,

    I've just installed Snort for the first time and seems like (based on my ini) the issue in post 1 is fixed. However, when I update rules I'm not sure it's actually installing them properly. I hit Update Rules, and afterwards I see:

    INSTALLED SIGNATURE RULESET
    
    SNORT.ORG >>>   N/A
    EMERGINGTHREATS.NET >>>   1d5323d8a461c52ada90fa1cd29cf540
    

    And the button to view the log is grayed out. Also, I have no Rules tab like in the Wiki, which I'm assuming is because of the N/A above.

    System log (it had been more than 15 minutes since the last attempt to update):

    Mar 27 09:29:30	php: /snort/snort_download_rules.php: The Rules update has finished...
    Mar 27 09:29:30	php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
    Mar 27 09:29:29	php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
    Mar 27 09:29:29	php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
    

    Any idea what I'm doing wrong?

    Thanks,
    Ben

    Same thing here!



  • You're not doing anything wrong, Snort is working as it should for the current moment.

    The reason it says N/A for the Snort.org Ruleset is because the current pfSense Snort package is at 2.9.4.1 which just came out in March but until the 30 day black out period ends for free, registered users, you won't be able to download any Snort rules for that package version.  Only current way to download rules for 2.9.4.1 is to be a paid VRT Subscriber.  April is almost here so I'm patiently waiting.

    The Update Log has always been greyed out.  A future feature that has yet to be implemented, I'm assuming.

    The Rules Tab will show if you hit the Edit Interface button while in the Snort Interfaces Tab.



  • @AhnHEL:

    You're not doing anything wrong, Snort is working as it should for the current moment.

    The reason it says N/A for the Snort.org Ruleset is because the current pfSense Snort package is at 2.9.4.1 which just came out in March but until the 30 day black out period ends for free, registered users, you won't be able to download any Snort rules for that package version.  Only current way to download rules for 2.9.4.1 is to be a paid VRT Subscriber.  April is almost here so I'm patiently waiting.

    The Update Log has always been greyed out.  A future feature that has yet to be implemented, I'm assuming.

    Thanks for the info, I did notice that the update log has always been greyed out too! Never knew why though, thanks again.



  • @AhnHEL:

    You're not doing anything wrong, Snort is working as it should for the current moment.

    The reason it says N/A for the Snort.org Ruleset is because the current pfSense Snort package is at 2.9.4.1 which just came out in March but until the 30 day black out period ends for free, registered users, you won't be able to download any Snort rules for that package version.  Only current way to download rules for 2.9.4.1 is to be a paid VRT Subscriber.  April is almost here so I'm patiently waiting.

    The Update Log has always been greyed out.  A future feature that has yet to be implemented, I'm assuming.

    The Rules Tab will show if you hit the Edit Interface button while in the Snort Interfaces Tab.

    Perfect answer, thank you.



  • All seems to be working just great now.  Updates (paid subscription) are good. Thanks again Bill :-)



  • Just uninstalled and reinstalled Snort 2.9.4.1 pkg v. 2.5.4 on pfSense 2.1-BETA1 (amd64) built on Fri Mar 29 14:58:31 EDT 2013
    I am a Sourcefire VRT Certified Premium Rules paid subscriber but the update still says N/A for the Snort.org Ruleset when I update the rules.



  • I too am a paid subscriber and am seeing the "N/A" for Snort.org rules as well.  I'm going to remove snort and all configuration files and re-add to see if it makes any difference.

    David



  • I just signed up for VRT rules and cannot get them to install after a reinstall and reconfiguration of snort. I'm currently running 2.0.2-RELEASE (amd64).

    Edit: The issue may lie with my Snort account. I was unable to manually pull 2.9.4.1 rules with my Oinkmaster URL; I got an error saying I was not a subscriber, though I can manually download the 2.9.4.1 rules. I was able to pull 2.9.4.0 via Oinkmaster URL.

    Edit 2: All problems with my account are cleared and I still cannot automatically download Snort 2.9.4.1 rules.

    Edit 3: I had to change {$oinkid} in snort_check_for_rule_updates.php with my actual Oinkid. Then it worked.



  • snortrules-snapshot-2941.tar.gz is available to registered (as opposed to pay) users now


  • Didn't that get updated via the GUI??

    @DigitalDeviant:

    I just signed up for VRT rules and cannot get them to install after a reinstall and reconfiguration of snort. I'm currently running 2.0.2-RELEASE (amd64).

    Edit: The issue may lie with my Snort account. I was unable to manually pull 2.9.4.1 rules with my Oinkmaster URL; I got an error saying I was not a subscriber, though I can manually download the 2.9.4.1 rules. I was able to pull 2.9.4.0 via Oinkmaster URL.

    Edit 2: All problems with my account are cleared and I still cannot automatically download Snort 2.9.4.1 rules.

    Edit 3: I had to change {$oinkid} in snort_check_for_rule_updates.php with my actual Oinkid. Then it worked.



  • @Supermule:

    Didn't that get updated via the GUI??

    @DigitalDeviant:

    I just signed up for VRT rules and cannot get them to install after a reinstall and reconfiguration of snort. I'm currently running 2.0.2-RELEASE (amd64).

    Edit: The issue may lie with my Snort account. I was unable to manually pull 2.9.4.1 rules with my Oinkmaster URL; I got an error saying I was not a subscriber, though I can manually download the 2.9.4.1 rules. I was able to pull 2.9.4.0 via Oinkmaster URL.

    Edit 2: All problems with my account are cleared and I still cannot automatically download Snort 2.9.4.1 rules.

    Edit 3: I had to change {$oinkid} in snort_check_for_rule_updates.php with my actual Oinkid. Then it worked.

    I haven't had time to troubleshoot any further. I have confirmed I have the right Oinkcode in the GUI. Unless I change it in both spots it won't download the MD5 or rules. I don't have the exact errors from the system logs but it seemed like the download link was wrong so I'm guessing that it's not getting the Oinkcode variable. Troubleshooting time is minimal so any ideas on how to proceed would be appreciated.

