Missing snort.sh



  • Hi there

    If I try to install snort the service doesn't start because of the missing snort.sh script in /usr/local/etc/rc.d/.

    Reinstalls or complete deinstall an install processes doesn't help at all.

    I found a thread in the forum with an selfmade snort.sh script. The problem is that I can't stop the service with this script.

    Can somebody send me the original snort.sh file (amd64) ?  :)

    Thanks for your help

    regards

    supermega


  • Banned

    It seems that the implementation of Snort is suffering a tthe moment and a lot of issues still remain with the integration into the GUI.



  • @supermega:

    I found a thread in the forum with an selfmade snort.sh script. The problem is that I can't stop the service with this script.

    Can somebody send me the original snort.sh file (amd64) ?  :)

    I would not do that. As most files on a pfSense box, this file is dynamically generated based on your settings and is different on each box. Did you start from scratch? Deinstall snort WITHOUT saving your settings? In the terminal after the deinstallation do the command:

    find / -name snort
    

    and most of the times you find

    
    /usr/local/www/snort
    /usr/local/pkg/snort
    /usr/local/bin/snort
    /usr/local/etc/snort
    /usr/local/lib/snort
    /var/log/snort
    

    then

    rm -rf /usr/local/www/snort
    rm -rf /usr/local/pkg/snort
    rm -rf /usr/local/bin/snort
    rm -rf /usr/local/etc/snort
    rm -rf /usr/local/lib/snort
    rm -rf /var/log/snort
    


  • Hi gogol

    I try that out without any success. The service still doesn't start (no logs available).

    Is there a possibility to start the process that generates the snort.sh from cli ?

    regards

    supermega



  • @supermega:

    Hi gogol

    I try that out without any success. The service still doesn't start (no logs available).

    Is there a possibility to start the process that generates the snort.sh from cli ?

    regards

    supermega

    If you have a 2.1-BETA platform, the Snort install is now "PBI-compliant".  It auto-detects the platform and installs accordingly.  As such, all the files for Snort are in /usr/pbi/snort-{arch} where {arch} is either i386 or amd64 depending on your chosen install image.

    All starting and stopping of Snort should be done from the GUI.  Go to the Snort Interfaces tab and click the icons there to start/stop Snort.

    It is true there is currently a known issue with Snort not restarting sometimes after an automatic rules update.  There should be a fix for that issued soon.

    The other issue that has tripped up a lot of folks using Snort is the linkage between the preprocessors and the text rules.  Many of the rules have rule options, content modifier tags or metadata tags that only have meaning when certain preprocessors are enabled.  For example, there are two rule options that must have the SSL_Preprocessor enabled in order for them to function.  If that preprocessor is not enabled, then Snort will die on startup with a FATAL ERROR in the system log when parsing any text rules with either of the two SSL options in them.  To prevent the startup error you have to either enable the preprocessor, or disable all the rules that contain either of those two SSL rule options.  There are many other such preprocessor dependencies throughout the rule sets of both VRT and ET.  The old behavior of Snort on pfSense was to go behind your back and disable any and all rules automatically that needed preprocessors you had not enabled.  That let Snort start up, but at the cost of much less security.  For example, if you disable all the preprocessors and startup with most of the rule categories enabled, that old process would disable nearly 3000 rules behind your back.  Not a good thing in my view.  So this latest version changes how that works.  Users can still consciously select the old behavior on the Preprocessors tab by checking a box.  But if the box is not checked, Snort will not auto-disable rules for you, and instead you have to enable the necessary preprocessors. From reading some prior posts here on the forum, this preprocessor and rule dependency has tripped up some folks.  That's understandable for new Snort users.

    Related to those pesky preprocessors is the fact rules can get enabled or disabled in the rule sets by the Snort VRT and Emerging Threats guys during updates.  That can suddenly cause Snort to fail on restart following the rule update because of preprocessor dependencies (a previously disabled rule suddenly got enabled again).  The best way to handle preprocessors in my view is to just enable pretty much all of them.  The only three I do not run are Sensitive-Data and the two SCADA protocol preprocessors.

    So a lot of explanation to say there are a few ways to shoot yourself in the foot with Snort in the configuration of it.  Make sure your understand how the preprocessors and text rules relate to each other.

    Bill



  • Hi guys

    I just set "HTTP server flow depth" = "0" in the preprocessors tab in the interface and snort starting without any errors  ;D ;D

    Thanks for the informations bmeeks

    regards

    supermega



  • @supermega:

    Hi guys

    I just set "HTTP server flow depth" = "0" in the preprocessors tab in the interface and snort starting without any errors  ;D ;D

    Thanks for the informations bmeeks

    regards

    supermega

    That's one way of doing it, but you should also be able to check the box in the HTTP_INSPECT options section that says "Disable HTTP_INSPECT Alerts".  That will stop alerts from HTTP_INSPECT but still let it normalize HTTP data for all the rules that need the data normalized to work correctly.

    I set the Server Flow Depth and Client Flow Depth the max recommended values and have no problems.  Those numbers are 65,535 for SERVER FLOW and 1460 for CLIENT FLOW.

    Bill



  • All I can say is: listen to Bill! ;)

    Glad you solved it.


Log in to reply