Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Disabled snort, now settings are blown away

    Scheduled Pinned Locked Moved pfSense Packages
    11 Posts 3 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfSensible
      last edited by

      I have Snort 2.9.6.0 pkg v3.0.8 installed.  A few days ago I disabled snort so I could troubleshoot the network without the extra overhead.  When I tried to enable snort this morning all the settings are GONE.

      Everything was set back to the defaults.  I checked the config file backup and the settings are not saved there.  This cannot be right.  Is there some way to get the settings back?

      WARNING… if you try to  this it most likely will destroy your settings.  To verify the problem I enabled snort again, made some changes, saved them, disabled snort, saved and again the settings are gone.

      The NSA is a terrorist organization that must be stopped.

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        I had this happen to me once before. Unless you made a backup of the pfSense config I don't think you can get it back.

        When the interface is disabled, it seems to clear the settings even with the "Keep settings after deinstall".

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • P
          pfSensible
          last edited by

          @BBcan17:

          I had this happen to me once before. Unless you made a backup of the pfSense config I don't think you can get it back.

          When the interface is disabled, it seems to clear the settings even with the "Keep settings after deinstall".

          Actually I did make a backup of the config - the problem is I don't see any snort settings in the config, so restoring that config would most likely have no effect.

          The NSA is a terrorist organization that must be stopped.

          1 Reply Last reply Reply Quote 0
          • BBcan177B
            BBcan177 Moderator
            last edited by

            You might have to look older backups before you disabled the Snort interface.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              @pfSensible:

              I have Snort 2.9.6.0 pkg v3.0.8 installed.  A few days ago I disabled snort so I could troubleshoot the network without the extra overhead.  When I tried to enable snort this morning all the settings are GONE.

              Everything was set back to the defaults.  I checked the config file backup and the settings are not saved there.  This cannot be right.  Is there some way to get the settings back?

              WARNING… if you try to  this it most likely will destroy your settings.  To verify the problem I enabled snort again, made some changes, saved them, disabled snort, saved and again the settings are gone.

              Did you disable or delete the Snort interface?  I just tried this in a VM using the version listed.  If I disable the interface, all the rules and preprocessor settings remained.  The only things that got reset to defaults were some of the settings on the INTERFACE SETTINGS tab itself.  I will fix that in the next update, but in the meantime there should only be a few checkboxes to reset.

              Bill

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                The fix for this problem has been incorporated in the latest Snort package update Pull Request posted for review and approval by the pfSense Core Team.

                Here is the link to the request: https://github.com/pfsense/pfsense-packages/pull/661

                Bill

                1 Reply Last reply Reply Quote 0
                • BBcan177B
                  BBcan177 Moderator
                  last edited by

                  @bmeeks:

                  Did you disable or delete the Snort interface?  I just tried this in a VM using the version listed.  If I disable the interface, all the rules and preprocessor settings remained.  The only things that got reset to defaults were some of the settings on the INTERFACE SETTINGS tab itself.  I will fix that in the next update, but in the meantime there should only be a few checkboxes to reset.

                  For me, this occured a while ago (was a disable) , but I seem to remember that it also wiped the Pre-Processor settings. In particular if you added "Engine Names" and "Bind-To Address Alias" settings.

                  I don't have a VM to try this on, and don't really want to try this on one of my live machines  :)

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  1 Reply Last reply Reply Quote 0
                  • P
                    pfSensible
                    last edited by

                    The problem is that I don't know exactly which settings were reset, only that some were.  Everthing on the main settings tab seems to have been reset.

                    The problem is that since it has been months since I configured snort I cannot remember how I set it up.  As I already stated the settings are NOT SAVED in the config.xml file - of course I looked in a backup version that had snort enabled.  I need to take better notes.

                    Regardless it sounds like bmeeks has it under control - I will wait until the next release before configuring & enabling it again.

                    The NSA is a terrorist organization that must be stopped.

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      @BBcan17:

                      @bmeeks:

                      Did you disable or delete the Snort interface?  I just tried this in a VM using the version listed.  If I disable the interface, all the rules and preprocessor settings remained.  The only things that got reset to defaults were some of the settings on the INTERFACE SETTINGS tab itself.  I will fix that in the next update, but in the meantime there should only be a few checkboxes to reset.

                      For me, this occured a while ago (was a disable) , but I seem to remember that it also wiped the Pre-Processor settings. In particular if you added "Engine Names" and "Bind-To Address Alias" settings.

                      I don't have a VM to try this on, and don't really want to try this on one of my live machines  :)

                      I made some other changes a couple of revs back that should have had the side-effect of fixing this for Preproc settings.  I did a quick VM test the other night, but I can do a more thorough test with multiple engines to be sure.  The Pull Request is still open, so if I find anything else that needs fixing, I will try and get it in the open request.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • BBcan177B
                        BBcan177 Moderator
                        last edited by

                        Thanks Bill we all appreciate the work you do in Maintaining these packages so well !

                        "Experience is something you don't get until just after you need it."

                        Website: http://pfBlockerNG.com
                        Twitter: @BBcan177  #pfBlockerNG
                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          @BBcan17:

                          Thanks Bill we all appreciate the work you do in Maintaining these packages so well !

                          I just tested in a VM with multiple engines (HTTP_INSPECT for my test).  All the previous settings are now retained when Snort is disabled on an interface.  When you enable it again, the old settings are still there.

                          Note this behavior is different for a DELETE operation.  If you delete a Snort interface on the INTERFACES tab, then all Snort settings belonging to that deleted interface are permanently removed.  It does prompt for a confirmation before deleting the interface, though.

                          Bill

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.