    Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes

      bmeeks

      Snort 2.9.5.5 pkg v3.0.1
      Change Log

      This Snort package update is a minor bug fix release only. No new features are added.

      Bug Fixes

      • Removed dependence on session variables in the Alias selection code associated with multi-engine configurations on the PREPROCESSORS tab. Also changed the way the referrer was transferred to the Alias selection page. This should fix issues on some browsers when returning to the original calling page with selected aliases.

      • Ensure reasonable defaults are set for the new SDF (Sensitive Data) preprocessor options introduced in version 3.0.0 of the package. Formerly, if the new values were not set and users had the SDF preprocessor enabled, Snort would error out on startup.

      • Updated the valid FTP server commands in the snort.conf file to match the latest defaults posted at http://www.snort.org/vrt/snort-conf-configurations/. Also added the MFMT command as a valid FTP command per user request.

      Bill

        fragged

        Umm.. After the 3.0.0 update I now see "snort" as installed package with no version information and "Snort" as an available package with version 3.0.1? How do I get the package manager to see that I do indeed have Snort 3.0.0 installed right now?

          bmeeks

          @fragged:

          Umm.. After the 3.0.0 update I now see "snort" as installed package with no version information and "Snort" as an available package with version 3.0.1? How do I get the package manager to see that I do indeed have Snort 3.0.0 installed right now?

          Yeah, this will be fixed in a moment I hope.  I used "Snort" in the package name instead of "snort" with lowercase.  I've posted the fix and am waiting for one of the Core Team guys to quickly merge it.

          For now I will remove the update notice and repost when the fix is posted.

          Sorry,
          Bill

            fragged

            Works now :)

              bmeeks

              @fragged:

              Works now :)

              Yep.  Thanks to jimp who saved the day for me with an emergency merge.

              Bill

                digdug3

                It also looks like my Snort interfaces now start much faster?!

                  bmeeks

                  @digdug3:

                  It also looks like my Snort interfaces now start much faster?!

                  That could be a 2.9.5.5 Snort binary benefit.  There is really nothing that changed in the GUI code that should impact that.  I noticed that my interfaces also seem to start faster.  Of course I also recently updated my hardware from an Atom to an Intel i3 3.3 GHz processor, so that may also have a lot to do with it on my end.

                  Bill

                    cappiz

                    Hi,

                    when installing this package I get this error:

                    snort[44829]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-amd64/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-amd64/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

                    I have tried to uninstall, reboot and install several times with no luck.

                      bmeeks

                      @cappiz:

                      Hi,

                      when installing this package I get this error:

                      snort[44829]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-amd64/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-amd64/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

                      I have tried to uninstall, reboot and install several times with no luck.

                      This generally indicates an old copy of the shared object rules around someplace.  I'm surprised because this shouldn't happen on 2.1 pfSense with PBI.  Tell me if this was originally a 2.0.x box upgraded to 2.1.

                      As for the fix, try these steps.

                      • Remove the Snort package by clicking the X icon beside the Snort package on the Installed Packages tab.

                      • When the package deletion completes, open a console session to the firewall and exit to the shell prompt.  Type the command rm -rf /usr/local/lib/snort

                      • Now install Snort again by going to Available Packages and choosing it.

                      If you still have trouble, then gather some troubleshooting information for me.  From a console session, issue the command:

                      snort -V
                      

                      and tell me what version it prints.

                      Bill

                        fragged

                        Snort Alerts list doesn't show entries from 1.1.2014 at the top. When clicking on the Date column to sort by date, the alerts from today show up at the top again. Bug or by design?

                          Supermule Banned

                          It does here on all firewalls. (show entries from 01/01/14)

                          Running 2.0.3 with the latest Snort.

                            AhnHEL

                            Same here "fragged" on 2.1 x64.  I'm sure within the next day all will be fine.

                            AhnHEL (Angel)

                              fragged

                              On a closer look no matter how I arrange by date, it's always backwards for 2014 vs 2013. Must be a bug in the sorting piece of code or something.

                                priller

                                … and the problem flows through to the Dashboard Widget, resulting in the most current alerts not being displayed.

                                  Supermule Banned

                                  As said….not an issue on 2.0.3 for me.

                                    bmeeks

                                    @fragged:

                                    On a closer look no matter how I arrange by date, it's always backwards for 2014 vs 2013. Must be a bug in the sorting piece of code or something.

                                    I checked on my production firewall and indeed the default sort appears to be putting the December 31, 2013 events above the January 2014 events.  However, you can click the DATE column header on the Alerts tab and sort the alerts so the January 01, 2014 events are at the top.  See the screenshot below showing the sorted list.  This is from a 2.1-RELEASE pfSense firewall.

                                    Bill

                                    Alerts_2014.jpg

                                      Supermule Banned

                                      On 2.0.3 it seems fine Bill.

                                      snort_alert_widget_sorting.jpg

                                        bmeeks

                                        @Supermule:

                                        On 2.0.3 it seems fine Bill.

                                        OK.  I just edited/replaced my original reply above with updated info.  I will check the Dashboard Widget next on 2.1.

                                        Bill

                                          bmeeks

                                          OK, found a "sort of fix" for the Snort Alerts Dashboard Widget.  It keys off the "sort setting" for the System Log.  If you have your system log entries displaying in reverse order, then the Snort Alerts Widget sorts the same way.  If you toggle System Log entries to display in "normal order", then the Snort Alerts Widget sorts correctly.

                                          The problem here is, I think, in the sorting logic of the System Log.  When toggled to display in "reverse" (that is, newest entries displayed first), it sorts the leading zero improperly in the timestamp.  The same problem is copied over into the Snort Widget code by the original author.

                                          Bill
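
Added illustration, not part of the post above and not the package's own code: a newest-first sort on the raw MM/DD/YY timestamp text ranks 12/31/13 ahead of 01/01/14, so a widget showing only the top rows misses the current alerts, while sorting on the parsed timestamp does not. The alert lines, their field layout and all function names are constructed for this example.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample alerts (not real log data). Assumed layout: the first
# CSV field is a timestamp in MM/DD/YY-HH:MM:SS.ffffff form.
SAMPLE_ALERTS = """\
12/30/13-23:10:02.000100,1,1000001,"constructed alert A",TCP,192.0.2.10,203.0.113.5
12/31/13-23:59:41.550000,1,1000002,"constructed alert B",TCP,192.0.2.11,203.0.113.5
01/01/14-00:00:07.120000,1,1000003,"constructed alert C",TCP,198.51.100.7,203.0.113.5
01/01/14-09:42:15.900000,1,1000003,"constructed alert D",UDP,198.51.100.8,203.0.113.5
"""

TS_FORMAT = "%m/%d/%y-%H:%M:%S.%f"


def load_alerts(text):
    """Return the alert lines as CSV rows, skipping blank lines."""
    return [row for row in csv.reader(StringIO(text)) if row]


def newest_first_as_text(rows):
    """Sort on the raw timestamp string: the month is compared before the year."""
    return sorted(rows, key=lambda r: r[0], reverse=True)


def newest_first_parsed(rows):
    """Sort on the parsed timestamp; unparseable rows go last instead of being dropped."""
    def key(row):
        try:
            return (1, datetime.strptime(row[0].strip(), TS_FORMAT))
        except ValueError:
            return (0, datetime.min)
    return sorted(rows, key=key, reverse=True)


def top_n_timestamps(rows, n=2):
    """Timestamps that a view limited to n rows would display."""
    return [r[0] for r in rows[:n]]


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    print("text sort  :", top_n_timestamps(newest_first_as_text(alerts)))
    print("parsed sort:", top_n_timestamps(newest_first_parsed(alerts)))
```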

                                            Supermule Banned

                                            The log in Snort on the alerts table has the problem even on 2.0.3.

                                            The widget doesn't.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.