    Snort on 2.2

    2.2 Snapshot Feedback and Problems - RETIRED
    16 Posts 7 Posters 4.9k Views
      darkytoo

      Snort is not working.  Any ideas?

      pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_smtp_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ssl_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_sip_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_ssh_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_dce2_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_dns_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_pop_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: Could not find the libsf_imap_preproc file. Snort might error out!
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      Apr 22 21:40:20 pfSense php-fpm[70913]: /snort/snort_interfaces.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/preproc_rules/sensitive-data.rules: No such file or directory'
      Apr 22 21:40:21 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Apr 22 21:40:21 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
      Apr 22 21:40:22 pfSense check_reload_status: Syncing firewall
      Apr 22 21:40:24 pfSense check_reload_status: Syncing firewall
      Apr 22 21:40:25 pfSense php-fpm[70913]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(hn0)…
      Apr 22 21:40:27 pfSense kernel: pid 94504 (sh), uid 0: exited on signal 11 (core dumped)
      Apr 22 21:40:27 pfSense kernel: pid 94485 (.pbirun), uid 0: exited on signal 11 (core dumped)
      Apr 22 21:40:27 pfSense php-fpm[70913]: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 46163 -D -q -l /var/log/snort/snort_hn046163 --pid-path /var/run --nolock-pidfile -G 46163 -c /usr/pbi/snort-amd64/etc/snort/snort_46163_hn0/snort.conf -i hn0' returned exit code '139', the output was ''

        bmeeks

        @darkytoo:

        Snort is not working.  Any ideas?

        The package is currently broken for 2.2 snapshots.  The installation paths for PBI installs are different in 2.2 than previous pfSense versions.  Snort is not able to "locate" its configuration files – hence the weird errors.  I have been busy with some other updates and have not had a chance to look into this in more detail.  I will bump it up on my radar.

        As a point of reference for me, are any of the other PBI package installs working on 2.2?  They should all be afflicted with the same PBI-install path issues.

        Bill

          phil.davis

          I fixed up bandwidthd for 2.2 which had "finding library issues".
          Look here: https://forum.pfsense.org/index.php?topic=75762.0
          and once we get an idea of what has changed generally, then maybe there will be a more generic way for the package system itself to work this out, rather than having to add code for the "2.2 and up" case to every package with a PBI.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            bmeeks

            @phil.davis:

            I fixed up bandwidthd for 2.2 which had "finding library issues".
            Look here: https://forum.pfsense.org/index.php?topic=75762.0
            and once we get an idea of what has changed generally, then maybe there will be a more generic way for the package system itself to work this out, rather than having to add code for the "2.2 and up" case to every package with a PBI.

            Thanks Phil!  In my poking around last night troubleshooting I stumbled upon the LD_LIBRARY_PATH issue as well.  I had previously noticed the extra "local" in the PBI paths.  I was able to get Snort running on the latest 2.2-ALPHA snapshot, but not without manually hacking some of the paths.

            Like you mentioned, I am reticent to add too much extra version checking and path fixing to the GUI code until I'm sure this is the "new normal" for 2.2 and above.  I sent an e-mail to some of the Core Team guys a few weeks ago about the path issue, but have not heard anything back.  I guess they are all quite busy with the 2.2 prep.

            EDIT:  found this post from jimp after I posted the reply above:  https://forum.pfsense.org/index.php?topic=75506.msg413300#msg413300  Possibly some good news here.  I will test on my VMs to see what changed.

            Bill

              darkytoo
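The "Could not find the libsf_*_preproc file" messages in the log above are the GUI failing to find the preprocessor shared objects at the directory it expects. As an added example (not code from the Snort package or from this thread), the checker below reproduces that test over a constructed file list and shows how the extra "local" path component Bill mentions changes the outcome; the directory layout under /usr/pbi/snort-amd64 and the rewrite rule are assumptions made for illustration, not the package's real 2.2 paths.

```python
from posixpath import join, normpath

# Preprocessor shared objects the GUI looks for; the names match the
# "Could not find the libsf_*_preproc file" messages in the thread's log.
REQUIRED_PREPROCS = ("ftptelnet", "smtp", "ssl", "sip", "ssh",
                     "dce2", "dns", "pop", "imap")

PBI_PREFIX = "/usr/pbi/snort-amd64"  # PBI prefix seen in the logged paths
DIRECTIVE = "dynamicpreprocessor directory "


def preproc_filename(name):
    return "libsf_%s_preproc.so" % name


def with_extra_local(path, prefix=PBI_PREFIX):
    """Rewrite <prefix>/X to <prefix>/local/X, the extra 'local' component the
    thread mentions (assumed rule). Paths outside the prefix are unchanged."""
    path = normpath(path)
    if path == prefix or not path.startswith(prefix + "/"):
        return path
    return join(prefix, "local", path[len(prefix) + 1:])


def check_preprocessors(preproc_dir, present_files, required=REQUIRED_PREPROCS):
    """Mimic the GUI check: every required libsf_*_preproc.so must exist in
    preproc_dir. present_files stands in for the filesystem so this runs
    offline; a missing file is also looked up under the 'extra local' path."""
    report = {"found": [], "missing": [], "relocated": {}}
    for name in required:
        fname = preproc_filename(name)
        if join(normpath(preproc_dir), fname) in present_files:
            report["found"].append(fname)
            continue
        report["missing"].append(fname)
        alt = join(with_extra_local(preproc_dir), fname)
        if alt in present_files:
            report["relocated"][fname] = alt
    return report


def fix_directive(conf_text, present_files):
    """Return (new_conf, report). The directive is repointed only when every
    missing file is found under the 'extra local' directory; a partially
    populated directory is left alone so the conf does not silently change."""
    lines = conf_text.splitlines()
    report = None
    for i, line in enumerate(lines):
        if not line.startswith(DIRECTIVE):
            continue
        old_dir = line[len(DIRECTIVE):].strip()
        report = check_preprocessors(old_dir, present_files)
        if report["missing"] and len(report["relocated"]) == len(report["missing"]):
            lines[i] = DIRECTIVE + with_extra_local(old_dir) + "/"
        break
    return "\n".join(lines) + "\n", report


# Constructed layout: the conf still names the pre-2.2 directory, while the
# files were installed one level deeper under 'local'.
OLD_DIR = PBI_PREFIX + "/lib/snort/dynamicpreprocessor"
NEW_DIR = PBI_PREFIX + "/local/lib/snort/dynamicpreprocessor"
SAMPLE_CONF = DIRECTIVE + OLD_DIR + "/\n"
SAMPLE_FILES = {join(NEW_DIR, preproc_filename(n)) for n in REQUIRED_PREPROCS}

if __name__ == "__main__":
    new_conf, rep = fix_directive(SAMPLE_CONF, SAMPLE_FILES)
    print("missing in old dir:", len(rep["missing"]),
          "relocated:", len(rep["relocated"]))
    print(new_conf, end="")
```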

              I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no effect.  I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode.  I even signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?

                bmeeks

                @darkytoo:

                I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no effect.  I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode.  I even signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?

                Possible that it is.  There is also a problem (or was last night) with Snort finding its shared libraries.  The PBI configuration is definitely changed from 2.1 and earlier pfSense versions.

                I have a 2.2 VM and access to the -tools repo, so I will work on Snort and see what it takes to get it working reliably on 2.2.  Give me a day or so to finish up something with Suricata and then I can concentrate on this problem.

                Bill

                  darkytoo

                  @bmeeks:

                  @darkytoo:

                  I just tried this today, updated to latest release for today (the 24th) and I get the same errors. I did also re-install snort, no effect.  I've also noticed on 2.2 that I can't download the snort VRT rules with a valid oinkcode.  I even signed up for a new account and tested manually downloading them, but I get a 403 error in the GUI, wonder if that's related to the pbi issue?

                  Possible that it is.  There is also a problem (or was last night) with Snort finding its shared libraries.  The PBI configuration is definitely changed from 2.1 and earlier pfSense versions.

                  I have a 2.2 VM and access to the -tools repo, so I will work on Snort and see what it takes to get it working reliably on 2.2.  Give me a day or so to finish up something with Suricata and then I can concentrate on this problem.

                  Bill

                  I just tried this again since there have been 3 snapshots and a new version of snort, still no go.  What's really weird is I also get a 403 forbidden when trying to update the snort vrt rules, even with a valid oinkcode and verifying I can download the files manually.

                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_smtp_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_sip_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_ssh_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_dce2_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_dns_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_pop_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: Could not find the libsf_imap_preproc file. Snort might error out!
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: …
                  May 1 13:16:39 php-fpm[37064]: /snort/snort_rulesets.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/pbi/snort-amd64/etc/snort/snort__/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/pbi/snort-amd64/etc/snort/snort__/preproc_rules/sensitive-data.rules: No such file or directory'
                  May 1 13:16:41 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: …
                  May 1 13:16:41 php-fpm[37064]: /snort/snort_rulesets.php: [Snort] Building new sig-msg.map file for …
                  May 1 13:17:10 kernel: pid 58227 (sh), uid 0: exited on signal 11 (core dumped)
                  May 1 13:17:10 kernel: pid 57632 (.pbirun), uid 0: exited on signal 11 (core dumped)
                  May 1 13:17:15 kernel: pid 59100 (sh), uid 0: exited on signal 11 (core dumped)
                  May 1 13:17:16 kernel: pid 58568 (.pbirun), uid 0: exited on signal 11 (core dumped)
                  May 1 13:17:22 kernel: pid 59693 (sh), uid 0: exited on signal 11 (core dumped)
                  May 1 13:17:22 kernel: pid 59231 (.pbirun), uid 0: exited on signal 11 (core dumped)
                  May 1 13:17:23 check_reload_status: Syncing firewall
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_smtp_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_sip_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_ssh_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_dce2_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_dns_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_pop_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: Could not find the libsf_imap_preproc file. Snort might error out!
                  May 1 13:17:23 php-fpm[51049]: /snort/snort_interfaces_edit.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
                  May 1 13:17:23 check_reload_status: Syncing firewall
                  May 1 13:17:24 kernel: pid 62702 (sh), uid 0: exited on signal 11 (core dumped)
                  May 1 13:17:24 kernel: pid 62012 (.pbirun), uid 0: exited on signal 11 (core dumped)

                    bmeeks

                    Yes, Snort and most (if not all) packages with PBI components are broken on 2.2.  It has to do with some problems and configuration changes the team is still working on with the PBI infrastructure in 2.2.

                    Once the Core Team declares the PBI infrastructure for 2.2 is "done", I will examine the Snort package and make any changes necessary to get it working on 2.2.  I will post a note when that is done.  Until then, consider Snort and Suricata both "broken" on the 2.2 snapshots.

                    Bill

                      Raul Ramos

                      Hi

                      [bump] This is taking time. I like to test this ;). Suricata works but no go with PPPoE.

                      Thanks

                      pfSense:
                      ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                      Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                      NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                        Guest

                        Is there any news on Snort for 2.2? Still broken?

                          BBcan177 Moderator

                          Snort and Suricata both are working in 2.2.

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            Guest

                            Many, many thanx for the reply, then I have to try again to make it work with the nano image (do I have to enter an alternative source for the package?)…

                            And many thanx for replying, although I'm not a GOLD member, did not send money to whoever at pfSense or elsewhere in the world, but simply asked a question on a forum for an open-source software…

                              Raul Ramos

                              Hi

                              Working fine but Suricata still doesn't support PPPoE interfaces yet.


                                bmeeks

                                @mais_um:

                                Hi

                                Working fine but Suricata still doesn't support PPPoE interfaces yet.

                                Correct.  PPPoE support is a limitation within the Suricata binary itself and will require a patch.  It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean).  I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.

                                Bill

                                  Wolf666

                                  @bmeeks:

                                  @mais_um:

                                  Hi

                                  Working fine but Suricata still doesn't support PPPoE interfaces yet.

                                  Correct.  PPPoE support is a limitation within the Suricata binary itself and will require a patch.  It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean).  I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.

                                  Bill

                                  Hi Bill,

                                  is it confirmed that the following changes make Suricata work with PPPoE?

                                  suricata.yaml:

                                  pcap:
                                    - interface: physical interface (ie. em0, igb0 etc etc)
                                      checksum-checks: auto
                                      promisc: yes

                                  Thanks

                                  Modem Draytek Vigor 130
                                  pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
                                  Switch Cisco SG350-10
                                  AP Netgear R7000 (Stock FW)
                                  HTPC Intel NUC5i3RYH
                                  NAS Synology DS1515+
                                  NAS Synology DS213+

                                    bmeeks

                                    @Wolf666:

                                    @bmeeks:

                                    @mais_um:

                                    Hi

                                    Working fine but Suricata still doesn't support PPPoE interfaces yet.

                                    Correct.  PPPoE support is a limitation within the Suricata binary itself and will require a patch.  It is actually not supported on any FreeBSD derivative at this point (by Suricata, I mean).  I plan to look into what it would take to create the required patch and then port it upstream into the Suricata source code tree.

                                    Bill

                                    Hi Bill,

                                    is it confirmed that the following changes make Suricata work with PPPoE?

                                    suricata.yaml:

                                    pcap:
                                      - interface: physical interface (ie. em0, igb0 etc etc)
                                        checksum-checks: auto
                                        promisc: yes

                                    Thanks

                                    No, this is not an officially sanctioned fix.  While Suricata will then not complain, it can still get confused by the PPPoE frame header that will be present.  It will work sort of, but not 100% correctly.  What this does is tell Suricata to treat the PPPoE data link as a physical Ethernet interface.  Physical Ethernet interfaces are not expected to contain PPPoE frame headers, so they can confuse Suricata.

                                    Bill

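Bill's point is that a PPPoE link carries an extra PPPoE session header and a PPP protocol field between the Ethernet header and the IP packet, so a decoder told the link is plain Ethernet reads the wrong bytes as the IP header. As an added example (not code from this thread or from Suricata), the script below builds a plain Ethernet/IPv4 frame and the same IPv4 packet wrapped in a PPPoE session frame, then decodes both with a decoder that assumes IPv4 follows the 14-byte Ethernet header and with one that strips the PPPoE and PPP headers first; the MAC and IP addresses are constructed.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
PPP_PROTO_IPV4 = 0x0021           # PPP protocol number for IPv4
ETH_HDR_LEN = 14
PPPOE_HDR_LEN = 6                 # ver/type, code, session id, length
PPP_PROTO_LEN = 2


def ipv4_header(src, dst, payload_len=0):
    """Minimal 20-byte IPv4 header (TCP, no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len,
                       0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ethernet_frame(ip_pkt):
    """Ethernet II frame carrying IPv4 directly (constructed MACs)."""
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip_pkt


def pppoe_session_frame(ip_pkt, session_id=0x0001):
    """Ethernet frame -> PPPoE session header -> PPP protocol -> IPv4."""
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, PPP_PROTO_LEN + len(ip_pkt))
    return (b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
            + pppoe + struct.pack("!H", PPP_PROTO_IPV4) + ip_pkt)


def parse_ipv4(buf):
    return {"ip_version": buf[0] >> 4, "ihl": buf[0] & 0x0F, "proto": buf[9],
            "src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20])}


def decode(frame, pppoe_aware):
    """Decode one frame. pppoe_aware=False models a decoder told the link is a
    plain physical Ethernet interface: it reads IPv4 straight after the 14-byte
    Ethernet header. pppoe_aware=True strips the PPPoE/PPP headers first."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"ethertype": ethertype}
    offset = ETH_HDR_LEN
    if pppoe_aware and ethertype == ETHERTYPE_PPPOE_SESSION:
        ver_type, code, _session, _length = struct.unpack(
            "!BBHH", frame[offset:offset + PPPOE_HDR_LEN])
        if ver_type != 0x11 or code != 0x00:
            result["error"] = "not a PPPoE v1 type 1 session frame"
            return result
        offset += PPPOE_HDR_LEN
        ppp_proto = struct.unpack("!H", frame[offset:offset + PPP_PROTO_LEN])[0]
        result["ppp_proto"] = ppp_proto
        offset += PPP_PROTO_LEN
        if ppp_proto != PPP_PROTO_IPV4:
            result["error"] = "PPP payload is not IPv4"
            return result
    # The naive path lands here with offset 14 even for a PPPoE frame, so the
    # PPPoE/PPP bytes are misread as the start of the IPv4 header.
    result.update(parse_ipv4(frame[offset:offset + 20]))
    return result


if __name__ == "__main__":
    ip = ipv4_header("10.0.0.1", "192.0.2.10")
    for label, frame in (("ethernet", ethernet_frame(ip)),
                         ("pppoe", pppoe_session_frame(ip))):
        print(label, "naive:", decode(frame, False))
        print(label, "aware:", decode(frame, True))
```

On the PPPoE frame the naive decoder reports IP version 1 and a source of 0.0.0.0, which is the kind of confusion Bill describes; the aware decoder recovers the real 10.0.0.1 to 192.0.2.10 packet.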
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.