SNORT backup solution
-
Perhaps somehow related to the recent package problem? The packages didn't restore and that part of the config got wiped? Just a SWAG.
Diagnostics - Backup/Restore - Reinstall Packages does nothing useful
https://forum.pfsense.org/index.php?topic=74170.0
packages.pfsense.org down
https://forum.pfsense.org/index.php?topic=74167.0
I just loaded pfs on the virgin drive, then restored the most recent config backup. The packages downloaded and the config for all the packages was there.
-
Hi!
I can't confirm for sure, but I think there was a recent issue with snort re-install (I had a problem). It could be because I saved config before snort was upgraded to the latest package (2.9.5.5 or earlier was installed).
When config was imported on another system, latest version (2.9.5.6) was installed, but could not even start because of corrupted config.
Unfortunately, I already wiped out and re-configured (manually) the system, which had this problem.
Also - isn't there an issue restoring x86 config to amd64 system?
-
The Snort configuration section changed significantly with the release of the v3.0.0 package late last year. So if you have a configuration from an earlier v2.x package version, there may be some issues trying to run with that. I'm talking more about the GUI package version than the binary version.
It would be a good idea to always make a configuration backup when upgrading Snort or any other packages to make sure the most current setup is saved.
Bill
-
Hi!
Those were Snort versions in my post above. Corresponding package versions were 3.0.2 -> 3.0.4.
Also - on one of the installs I remember upgrading Snort, but Package Manager was still showing me that an upgrade is available…
-
The changes in the configuration from 3.0.2 to 3.0.4 were very minor and should not have caused Snort to not start. There was a short-lived "oops" with one of the updates where a string did not get updated properly in the package file and that caused an update to not register properly, but that was fixed within a couple of days if I recall correctly.
Bill
-
Ok, that explains why it still shows as an update even after I updated it. No biggie.
As for configuration restore issue - no idea what happened exactly, but one problem I had was that interfaces were different between old and new servers - em0 was WAN on old one and em1 was WAN on new one.
I found that I had to edit backup xml file to match new machine before restore.
The other issue was that Snort completely refused to download updates.
As I said, I solved all of this by rebuilding the box and reconfiguring everything manually. Got a much cleaner system than the original one anyway.
-
Thanks for all the replies.
I've had other fish to fry at other sites so this issue was put on the back burner.
I suspect the problem may be related to trying to restore a config from the previous version of SNORT.
Whatever the case, I will test this in my lab before applying any new SNORT updates.
And I concur that all other packages I use restore just fine to a fresh install (bare metal and VM). That's one of many things I've been doing in the last 72 hours.
-
Yes, changes in interface names will confuse Snort. It uses the name to distinguish interfaces. So a change from say "em0" to "le1" would sort of blow Snort's mind since the configuration no longer matches reality.
I assume you are talking about rule updates with the updates download issue. If so, that could be because the Snort VRT folks tie rule versions to specific Snort binary versions. This is completely out of the control of the Snort package on pfSense. The VRT make it so that say the 2.9.5.5 version of Snort cannot use any rules from the VRT except 2.9.5.5 rules. You can't use 2.9.5.6, nor can you use 2.9.5.3, as examples. They also stop supporting older rule versions over time. Each version of Snort and its matching rules have finite lifetimes. You may already know all of this, and if so, ignore this post. But I mention it just in case. There have been other users that were not aware of the version number lock-ins between the binary and the rules package and wondered why their Snort install would not show the latest rule versions as posted on the Snort VRT web site.
Bill
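
[Added example, not part of any post in this thread and not code from the pfSense Snort package: a pre-restore check for the interface mismatch discussed above (em0 was WAN on the old box, em1 on the new one). It assumes the backup keeps port assignments under <interfaces>/<name>/<if>; the sample XML, the LAN values and the function names are constructed for illustration.]

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed config.xml backup taken on the OLD box.
BACKUP_XML = """<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1</if><descr>LAN</descr></lan>
  </interfaces>
</pfsense>"""

# Constructed target layout: on the NEW box WAN is em1 and LAN is em0.
TARGET = {"wan": "em1", "lan": "em0"}


def assigned_ports(root):
    """Map logical interface name (wan, lan, ...) to its physical port."""
    return {node.tag: node.findtext("if") for node in root.find("interfaces")}


def find_mismatches(root, target_ports):
    """Return {logical: (port_in_backup, port_on_target)} for each difference."""
    backup = assigned_ports(root)
    return {name: (backup.get(name), port)
            for name, port in target_ports.items()
            if backup.get(name) != port}


def remap(root, target_ports):
    """Rewrite <if> values in place so the backup matches the target box."""
    for name, port in target_ports.items():
        node = root.find(f"interfaces/{name}/if")
        if node is None:
            raise KeyError(f"backup has no interface named {name!r}")
        node.text = port
    return root


if __name__ == "__main__":
    root = ET.fromstring(BACKUP_XML)
    for name, (old, new) in find_mismatches(root, TARGET).items():
        print(f"{name}: backup has {old}, target has {new}")
    remap(root, TARGET)
    print(ET.tostring(root, encoding="unicode"))
```

Run it against a copy of the backup file, never the only copy, and restore only once find_mismatches reports nothing.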
-
> I assume you are talking about rule updates with the updates download issue. If so, that could be because the Snort VRT folks tie rule versions to specific Snort binary versions. This is completely out of the control of the Snort package on pfSense.
Yes, I am talking about rule download issue. But I wonder how this breaks during restore? It should be downloading rules for whatever version of Snort initiated said download, right? Regardless of what version the restored config was… It restored my oinkmastercode and tried to download something but then complained that checksum was wrong.
If no one else is suffering this, it might not be important to spend your time on, really. Thank you for your work on this package, Bill.
-
I will take a look at this by playing around in a virtual machine. It will be a week or two before I have some time, though. Trying to get the next Snort update out the door and also will be away on a family trip for a week.
Bill