Snort on 2.2

darkytoo

Snort is not working.  Any ideas?

pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_smtp_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_sip_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ssh_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_dce2_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_dns_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_pop_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_imap_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/preproc_rules/sensitive-data.rules: No such file or directory'
Apr 22 21:40:21 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 22 21:40:21 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 22 21:40:22 pfSense check_reload_status: Syncing firewall
Apr 22 21:40:24 pfSense check_reload_status: Syncing firewall
Apr 22 21:40:25 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(hn0)…
Apr 22 21:40:27 pfSense kernel: pid 94504 (sh), uid 0: exited on signal 11 (core dumped)
Apr 22 21:40:27 pfSense kernel: pid 94485 (.pbirun), uid 0: exited on signal 11 (core dumped)
Apr 22 21:40:27 pfSense php-fpm[70913]: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 46163 -D -q -l /var/log/snort/snort_hn046163 –pid-path /var/run --nolock-pidfile -G 46163 -c /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/snort.conf -i hn0' returned exit code '139', the output was ''

bmeeks

@darkytoo:

Snort is not working.  Any ideas?

pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_smtp_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_sip_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ssh_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_dce2_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_dns_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_pop_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_imap_preproc file. Snort might error out!
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/preproc_rules/sensitive-data.rules: No such file or directory'
Apr 22 21:40:21 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 22 21:40:21 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
Apr 22 21:40:22 pfSense check_reload_status: Syncing firewall
Apr 22 21:40:24 pfSense check_reload_status: Syncing firewall
Apr 22 21:40:25 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(hn0)…
Apr 22 21:40:27 pfSense kernel: pid 94504 (sh), uid 0: exited on signal 11 (core dumped)
Apr 22 21:40:27 pfSense kernel: pid 94485 (.pbirun), uid 0: exited on signal 11 (core dumped)
Apr 22 21:40:27 pfSense php-fpm[70913]: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 46163 -D -q -l /var/log/snort/snort_hn046163 –pid-path /var/run --nolock-pidfile -G 46163 -c /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/snort.conf -i hn0' returned exit code '139', the output was ''

The package is currently broken for 2.2 snapshots.  The installation paths for PBI installs are different in 2.2 than previous pfSense versions.  Snort is not able to "locate" its configuration files – hence the weird errors.  I have been busy with some other updates and have not had a chance to look into this in more detail.  I will bump it up on my radar.

As a point of reference for me, are any of the other PBI package installs working on 2.2?  They should all be afflicted with the same PBI-install path issues.

Bill

phil.davis

I fixed up bandwidthd for 2.2 which had "finding library issues".
Look here: https://forum.pfsense.org/index.php?topic=75762.0
and once we get an idea of what has changed generally, then maybe there will be a more generic way for the package system itself to work this out, rather than having to add code for the "2.2 and up" case to every package with a PBI.

bmeeks

@phil.davis:

I fixed up bandwidthd for 2.2 which had "finding library issues".
Look here: https://forum.pfsense.org/index.php?topic=75762.0
and once we get an idea of what has changed generally, then maybe there will be a more generic way for the package system itself to work this out, rather than having to add code for the "2.2 and up" case to every package with a PBI.

Thanks Phil!  In my poking around last night troubleshooting I stumbled upon the LD_LIBRARY_PATH issue as well.  I had previously noticed the extra "local" in the PBI paths.  I was able to get Snort running on the latest 2.2-ALPHA snapshot, but not without manually hacking some of the paths.

Like you mentioned, I am reticent to add too much extra version checking and path fixing to the GUI code until I'm sure this is the "new normal" for 2.2 and above.  I sent an e-mail to some of the Core Team guys a few weeks ago about the path issue, but have not heard anything back.  I guess they are all quite busy with the 2.2 prep.

EDIT:  found this post from jimp after I posted the reply above:  https://forum.pfsense.org/index.php?topic=75506.msg413300#msg413300  Possibly some good news here.  I will test on my VMs to see what changed.

Bill

darkytoo

I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no affect.  I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode.  I event signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?

bmeeks

@darkytoo:

I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no affect.  I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode.  I event signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?

Possible that it is.  There is also a problem (or was last night) with Snort finding its shared libraries.  The PBI configuration is definitely changed from 2.1 and earlier pfSense versions.

I have a 2.2 VM and access to the -tools repo, so I will work on Snort and see what it takes to get it working reliably on 2.2.  Give me a day or so to finish up something with Suricata and then I can concentrate on this problem.

Bill

darkytoo

@bmeeks:

@darkytoo:

I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no affect.  I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode.  I event signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?

Possible that it is.  There is also a problem (or was last night) with Snort finding its shared libraries.  The PBI configuration is definitely changed from 2.1 and earlier pfSense versions.

I have a 2.2 VM and access to the -tools repo, so I will work on Snort and see what it takes to get it working reliably on 2.2.  Give me a day or so to finish up something with Suricata and then I can concentrate on this problem.

Bill

I just tried this again since there has been 3 snapshots and a new version of snort, still no go.  What's really weird is a also get a 403 forbidden when trying to update the snort vrt rules, even with a valid oinkcode and verifying I can download the files manually.

May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_smtp_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_ssl_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_sip_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_ssh_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_dce2_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_dns_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_pop_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_imap_preproc file. Snort might error out!
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: …
May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort__/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort__/preproc_rules/sensitive-data.rules: No such file or directory'
May 1 13:16:41 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: …
May 1 13:16:41 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for …
May 1 13:17:10 kernel: pid 58227 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:10 kernel: pid 57632 (.pbirun), uid 0: exited on signal 11 (core dumped)
May 1 13:17:15 kernel: pid 59100 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:16 kernel: pid 58568 (.pbirun), uid 0: exited on signal 11 (core dumped)
May 1 13:17:22 kernel: pid 59693 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:22 kernel: pid 59231 (.pbirun), uid 0: exited on signal 11 (core dumped)
May 1 13:17:23 check_reload_status: Syncing firewall
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_smtp_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ssl_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_sip_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ssh_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_dce2_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_dns_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_pop_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_imap_preproc file. Snort might error out!
May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
May 1 13:17:23 check_reload_status: Syncing firewall
May 1 13:17:24 kernel: pid 62702 (sh), uid 0: exited on signal 11 (core dumped)
May 1 13:17:24 kernel: pid 62012 (.pbirun), uid 0: exited on signal 11 (core dumped)

bmeeks

Yes, Snort and most (if not all) packages with PBI components are broken on 2.2.  It has to do with some problems and configuration changes the team is still working on with the PBI infrastructure in 2.2.

Once the Core Team declares the PBI infrastructure for 2.2 is "done", I will examine the Snort package and make any changes necessary to get it working on 2.2.  I will post a note when that is done.  Until then, consider Snort and Suricata both "broken" on the 2.2 snapshots.

Bill

Raul Ramos

Hi

<bump>This taking time. I like to test this ;). Suricata woks but no go with pppoe</bump>

Thanks

Guest

Are there news on Snort for 2.2? Still broken?

BBcan177

Snort and Suricata both are working in 2.2.

Guest

Many, many thanx for the reply, then I have to try again to make it work with the nano  image (do I have to enter an alternative source for the package?)…

And many thanx for replying, although I'm not at GOLD member, did not send money to whoever at pfSense or elsewhere in the world, but simply asked a question on a forum for an open-source software…

Raul Ramos

Hi

Working file but Suricata still doesn't support PPPoE interfaces yet.

bmeeks

@mais_um:

Hi

Working file but Suricata still doesn't support PPPoE interfaces yet.

Correct.  PPPoE support is a limitation within the Suricata binary itself and will require a patch.  It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean).  I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.

Bill

Wolf666

@bmeeks:

@mais_um:

Hi

Working file but Suricata still doesn't support PPPoE interfaces yet.

Correct.  PPPoE support is a limitation within the Suricata binary itself and will require a patch.  It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean).  I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.

Bill

Hi Bill,

is it confirmed that the following changes make Suricata works with PPPoE?

suricata.yaml:

pcap:
  - interface: physical interface (ie. em0, igb0 etc etc)    
    checksum-checks: auto
    promisc: yes

Thanks

bmeeks

@Wolf666:

@bmeeks:

@mais_um:

Hi

Working file but Suricata still doesn't support PPPoE interfaces yet.

Correct.  PPPoE support is a limitation within the Suricata binary itself and will require a patch.  It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean).  I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.

Bill

Hi Bill,

is it confirmed that the following changes make Suricata works with PPPoE?

suricata.yaml:

pcap:
  - interface: physical interface (ie. em0, igb0 etc etc)    
    checksum-checks: auto
    promisc: yes

Thanks

No, this is not an officially sanctioned fix.  While Suricata will then not complain, it can still get confused by the PPPoE frame header that will be present.  It will work sort of, but not 100% correctly.  What this does is tell Suricata to treat the PPPoE data link as a physical Ethernet interface.  Physical Ethernet interfaces are not expected to contain PPPoE frame headers, so they can confuse Suricata.

Bill