Snort 2.9.6.0 pkg v3.0.8 Update – Release Notes
-
Snort Package Update – Bug Fix
An update for Snort has been posted to correct a bug introduced in the previous version. When changing the blocked host interval, Snort would create a new cron task for the updated interval instead of editing the interval of the existing cron task. This resulted in multiple cron tasks being created, all with differing intervals for clearing the blocked hosts table. This has been fixed.
For this update, there is no need to remove and reinstall Snort. Just click the XML icon to reinstall the GUI components.
The bug could impact any user who changed the interval for removing blocked hosts. If you have not changed that parameter since last updating, you should not have been impacted. To see if you may be a victim of this bug, go to Diagnostics…Edit File from the pfSense menu and browse to the file /etc/crontab. View the contents of the file (don't change anything!) and look for the following line of text in the tasks:
/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
Yours may have a different number than 3600. The number is the time, in seconds, an IP address has to have seen no traffic before being cleared.
If you have only a single line similar to the one above, you are OK. If you have more than one existence of the line above (for example, the exact same line but with differing values after the "-t" parameter), then you are a victim of the bug. Count the number of times you see that same task. You will use that count below to remove them.
To clear the extra bogus cron tasks, go back to Snort and open the Global Settings tab. Scroll down to the General Settings area and change the interval for removing blocked hosts to NEVER. Now click SAVE once for each instance of the cron task you counted above. Each click will remove one line. When finished, reset the interval to the value you desire and click SAVE once more.
Go back to Diagnostics…Edit File, open /etc/crontab, and insure only a single instance of the task is now there. Remember, you are only interested in tasks containing the phrase "snort2c". Ignore the other "expiretable" tasks.
Bill