
    Snort 2.9.4.1 Pkg 2.5.4 – Fix for SO rules version mismatch and failed startup

      Supermule

      ERMAL WE NEED YOU URGENTLY!!

        dwood

        Bill, that explanation was maybe my favourite post ever here.  While I make no claims on code prowess, I really appreciate the under-hood explanation of what's going on.  I used to try the variety of work-arounds that are normally offered up after debugging a package.  It's a lot more time efficient however to watch posts like yours, and enter back into debugging/testing contribution phase once it looks like things "should" work.  Again thanks to all for their efforts.

        Cheers,
        Dennis.

          jonesr

          @bmeeks:

          Until my latest bug fix is incorporated into the binary build of Snort on pfSense,…......

          Is it possible for us to apply this fix ourselves? If so I am sure we would all be very grateful if you could describe the solution for us.

          Kind regards

          pfSense AMD64 VGA - Assume latest version.
          Suricata, pfBlockerNG, SquidGuard, squid3.

            cmb

            I wasn't aware this needed a manual package build, I just kicked one off on both the 8.1 (2.0.x) package builders.

              cmb

              package build finished and is uploaded. Entirely untested, please try it out and report back.

                th3r3isnospoon

                @cmb:

                package build finished and is uploaded. Entirely untested, please try it out and report back.

                Thanks for everyone's hard work on this.  :)

                I just tested out the latest build and it seems to have fixed the wan blocking problem.

                Thanks!

                -th3r3isnospoon

                  bmeeks

                  @cmb:

                  I wasn't aware this needed a manual package build, I just kicked one off on both the 8.1 (2.0.x) package builders.

                  Thanks!  When I submitted the Pull Request, I was also unaware that a manual build would be required.  Next time I will raise the flag for the manual rebuild of the binary.

                  Is there a reason the Snort package is different from the other packages with regards to the manual build?

                  Bill

                    vizavi

                    Just uninstall, then install the package.
                    It looks like it is working; I see the same IPs blocked, but WAN is OK so far.
                    (Snort 2.9.4.1 Pkg 2.5.4, Emergingthreats rules only)
                    Thanks

                      cmb

                      @bmeeks:

                      Thanks!  When I submitted the Pull Request, I was also unaware that a manual build would be required.  Next time I will raise the flag for the manual rebuild of the binary.

                      Thanks, I'd appreciate that.

                      Otherwise we end up with chicken littles who somehow extrapolate the package not getting built as "the project is dying".  ::)

                      @bmeeks:

                      Is there a reason the Snort package is different from the other packages with regards to the manual build?

                      The 2.0.x packages aren't auto-built at all (AFAIK), I believe that only happens with PBIs. JimP is more authoritative on that subject and he's on vacation at the moment.

                        particleman

                        Thank you so much for the fix. Snort is up and working well

                          jonesr

                          It appears to be working for me as well, many thanks this is much appreciated.

                          pfSense AMD64 VGA - Assume latest version.
                          Suricata, pfBlockerNG, SquidGuard, squid3.

                            gogol

                            Whatever I try, I cannot get it to work.

                            Mar 26 09:53:26	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
                            Mar 26 09:53:26	php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                            Mar 26 09:53:27	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                            Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                            Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                            Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                            Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                            Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                            Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                            Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                            Mar 26 09:53:42	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                            Mar 26 09:53:42	kernel: em0: promiscuous mode enabled
                            Mar 26 09:58:25	kernel: pid 68798 (snort), uid 0: exited on signal 11
                            Mar 26 09:58:25	kernel: em0: promiscuous mode disabled
                            

                            I am on the latest 2.1 snapshot, removed everything related to snort and started from scratch.
                            I have an alias Whitelist with some IPs in it, so I do not understand the "Non ip() parameter passed" error.
                            And then the "signal 11 exit". Where should I look, because there is no logging too?

                              bmeeks

                              @gogol:

                              Whatever I try, I cannot get it to work.

                              Mar 26 09:53:26	php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...
                              Mar 26 09:53:26	php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                              Mar 26 09:53:27	php: /snort/snort_interfaces.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                              Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                              Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                              Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                              Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                              Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                              Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                              Mar 26 09:53:35	snort[68519]: Non ip() parameter passed with white list, skipping...
                              Mar 26 09:53:42	php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                              Mar 26 09:53:42	kernel: em0: promiscuous mode enabled
                              Mar 26 09:58:25	kernel: pid 68798 (snort), uid 0: exited on signal 11
                              Mar 26 09:58:25	kernel: em0: promiscuous mode disabled
                              

                              I am on the latest 2.1 snapshot, removed everything related to snort and started from scratch.
                              I have an alias Whitelist with some IPs in it, so I do not understand the "Non ip() parameter passed" error.
                              And then the "signal 11 exit". Where should I look, because there is no logging too?

                              Oops!  I only submitted the patch to the 2.0.x tree.  I believe the 2.1-BETA tree is a different Git repository.  I have been working solely in the 2.0.x tree so far as Snort goes.  I'm still new at this and not 100% familiar with the pfSense processes for user code submissions.  Let me see if I can get a fork of the 2.1-BETA repository and submit the same patches into that code branch for the pfSense guys to look at.

                              Bill

                                c0urier

                                That would be greatly appreciated =).

                                Could you tell us what and where to edit in the meantime?

                                pfsense: 2.1.5-RELEASE, AMD64
                                Running on: MB/CPU: ASUS P8H77-I / Core i3-2120T | MEM: 8GB DDR3 | HDD: WD Blue 120GB 2.5" SATA | WAN/LAN: Fujitsu D2735-2 – Intel® chip 82576NS | WLAN: Realtek® 8111F PCIe | Connection: 1000/1000Mbit (Bredband2.com)

                                  bmeeks

                                  @c0urier:

                                  Could you tell us what and where to edit in the meantime?

                                  Unfortunately it's not an editable change in the GUI.  The actual Snort binary code itself has to be modified and recompiled to incorporate the fix.  That's not possible on the firewall.

                                    gogol

                                    @bmeeks:

                                    Oops!  I only submitted the patch to the 2.0.x tree.  I believe the 2.1-BETA tree is a different Git repository.  I have been working solely in the 2.0.x tree so far as Snort goes.  I'm still new at this and not 100% familiar with the pfSense processes for user code submissions.  Let me see if I can get a fork of the 2.1-BETA repository and submit the same patches into that code branch for the pfSense guys to look at.

                                    Ah, now I understand ;) I will review my options.

                                      cmb

                                      This should be available in the 2.1 packages now as well. Again untested so please report back.

                                        bmeeks

                                        @cmb:

                                        This should be available in the 2.1 packages now as well. Again untested so please report back.

                                        Thanks cmb!

                                        The error was mine, guys.  When I posted the binary patch, I did not bump the version in the package config file, so the automated build process did not realize it needed to rebuild the binary.  Both the 2.0.2 and 2.1-BETA trees now have the updated Snort binary that fixes the whitelist parsing bug that was generating WAN IP blocks.  Folks on 2.1-BETA can now remove and reinstall Snort to get the WAN IP blocking fix.

                                        Bill

                                          DynamoHum

                                          Confirmed working after full uninstall and re-install (simple re-install on top of existing did not work) on:

                                          2.0.2-RELEASE (i386)
                                          built on Fri Dec 7 16:30:38 EST 2012
                                          FreeBSD 8.1-RELEASE-p13

                                            c0urier

                                            I can confirm it works on:
                                            2.1-BETA1 (amd64)
                                            built on Tue Mar 26 19:03:27 EDT 2013
                                            FreeBSD 8.3-RELEASE-p6

                                            After an uninstall and re-installation, go to Snort, save the configuration, update and start snort.

                                            pfsense: 2.1.5-RELEASE, AMD64
                                            Running on: MB/CPU: ASUS P8H77-I / Core i3-2120T | MEM: 8GB DDR3 | HDD: WD Blue 120GB 2.5" SATA | WAN/LAN: Fujitsu D2735-2 – Intel® chip 82576NS | WLAN: Realtek® 8111F PCIe | Connection: 1000/1000Mbit (Bredband2.com)
