Netgate Discussion Forum

    Snort 2.9.6.2 pkg v3.1.1 Update – Release Notes

    • bmeeks

      Snort 2.9.6.2 pkg v3.1.1 Update

      IMPORTANT WARNING: this update is only available for pfSense versions 2.1 and higher.  DO NOT attempt to install this update on 2.0.x firewalls.  The required binary package does not exist for older pfSense versions.

      This update for the Snort package fixes five bugs, adds two new features and simplifies the code around the snort.conf file generation.

      NOTICE: this version makes some changes for the better in the way the snort configuration file is created.  However, on the first install of this update it is possible that Snort may not start and you see some errors about missing options in the snort.conf file.  If this happens, simply click to edit any of the Snort interfaces, click SAVE to force regeneration of the snort.conf file, and then manually start Snort.  This may only impact some users and not others.

      Bug Fixes:  (3.1)

      • The word CANCEL is misspelled in a confirmation prompt when clearing all blocks on BLOCKED tab.

      • Snort will install but not start on pfSense 2.2 snapshots.

      • When disabling Snort on an interface, some Snort settings are cleared and lost.

      • Adapt to recent change in URL and rules updates process at snort.org web site.

      • Remove unneeded extra trailing slash on string initialized from RCFILEPREFIX constant.

      Bug Fixes (3.1.1)

      • The cron task that checks for and downloads updates to the rule sets does not execute.

      Feature Change:

      • "Save Settings on Deinstall" now defaults to 'on' for new initial installs.  Note this change only affects first-time installs of the Snort package.  Existing installs will continue to use the last saved setting when Snort is reinstalled.

      • Additional information added to system log message when the log file archiving job for Unified2 logs rotates a file to archive storage.

      • Added the "-q" switch to the command line for the Snort block table clean-up cron job to stop unwanted messages when table is empty.

      New Features:

      • The ability to create a new Snort interface instance by "duplicating" an existing instance is now available.  This feature allows an admin to duplicate the settings for an existing interface over to a new Snort instance on a different physical interface.  All settings are duplicated with the exception of: (1) the interface name, (2) the interface description, (3) the Home Net, External Net, Pass List and Suppress List values.  The Home Net, External Net, Pass List and Suppress List values for the new instance are set to "default".  The "duplicate" feature is activated by clicking the plus (+) icon next to the desired "source" instance.  NOTE – you must have an existing interface or VLAN not currently assigned to a Snort instance for the DUP icon to become active.

      • Additional configuration parameters for the POP3, IMAP and SMTP preprocessors are now available on the PREPROCESSORS tab.  These parameters were formerly defaulted to hard-coded values, but are now configurable by the user to optimize performance of these preprocessors in a specific environment.

      • Cino

        I did a basic package update on my i386 2.1.4 box without any issues. It updated the binary, downloaded some rules and started up my 3 interfaces. Still need to take it for a spin tho…

        Thanks again Bill for keeping this package alive and feature rich

        • dgcom

          As posted in other thread - updated without any issues.
          It just took approx 5 minutes, most of which was to download updated rule sets.

          BTW, once we are on the topic - could there be an option to show alerts for all interfaces on the same page?
          I have only two, but still would like to see them together… People with many more may benefit from it even more... Of course, it should indicate which interface each alert is for... More like firewall log.

          DG

          • FlashPan

            Thank you very much bmeeks for keeping the wonderful (and I think essential) package going and up to date.

            I do have a question about upgrading though.

            I seem to remember way back when that it was advised to remove snort, reboot then install the new snort package to avoid potential problems.

            Is this still the norm or can we just use the reinstall package function from the packages menu?

            Cheers

            • Guest

              …I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???

              UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services

              What can I try next? :o

              ...updating the GUI components doesn't help either...

              UPDATE 2: In the SystemLog I find

              snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.

              …every time a service for an interface is started...

              • Supermule Banned

                I get this when reinstalling Snort via WebGUI on 2.0.3

                Removing snort components…
                Menu items... done.
                Services... done.
                Loading package instructions...
                Deinstall commands... done.
                Removing package instructions...done.
                Auxiliary files... done.
                Package XML... done.
                Configuration... done.
                Beginning package installation for snort...
                Downloading package configuration file... done.
                Saving updated package information... done.
                Downloading snort and its dependencies...
                Checking for package installation...
                Downloading https://files.pfsense.org/packages/8/All/snort-2.9.6.2.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/snort-2.9.6.2.tbz.
                of snort-2.9.6.2 failed!

                Installation aborted.Backing up libraries...
                Removing package...
                Skipping package deletion for mysql55-client-5.5.35 because it is a dependency.
                Skipping package deletion for barnyard2-1.13 because it is a dependency.
                Skipping package deletion for libnet-1.1.6_1,1 because it is a dependency.
                Skipping package deletion for libdnet-1.11_3 because it is a dependency.
                Skipping package deletion for libpcap-1.5.2 because it is a dependency.
                Skipping package deletion for daq-2.0.1 because it is a dependency.
                Starting package deletion for snort-2.9.6.2...done.
                Removing snort components...
                Menu items... done.
                Services... done.
                Loading package instructions...
                Include file snort.inc could not be found for inclusion.
                Deinstall commands...
                Not executing custom deinstall hook because an include is missing.
                Removing package instructions...done.
                Auxiliary files... done.
                Package XML... done.
                Configuration... done.
                Cleaning up... Failed to install package.

                Package reinstallation failed.

                • bmeeks

                  @Supermule:

                  I get this when reinstalling Snort via WebGUI on 2.0.3

                  Removing snort components…
                  Menu items... done.
                  Services... done.
                  Loading package instructions...
                  Deinstall commands... done.
                  Removing package instructions...done.
                  Auxiliary files... done.
                  Package XML... done.
                  Configuration... done.
                  Beginning package installation for snort...
                  Downloading package configuration file... done.
                  Saving updated package information... done.
                  Downloading snort and its dependencies...
                  Checking for package installation...
                  Downloading https://files.pfsense.org/packages/8/All/snort-2.9.6.2.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/snort-2.9.6.2.tbz.
                  of snort-2.9.6.2 failed!

                  Installation aborted.Backing up libraries...
                  Removing package...
                  Skipping package deletion for mysql55-client-5.5.35 because it is a dependency.
                  Skipping package deletion for barnyard2-1.13 because it is a dependency.
                  Skipping package deletion for libnet-1.1.6_1,1 because it is a dependency.
                  Skipping package deletion for libdnet-1.11_3 because it is a dependency.
                  Skipping package deletion for libpcap-1.5.2 because it is a dependency.
                  Skipping package deletion for daq-2.0.1 because it is a dependency.
                  Starting package deletion for snort-2.9.6.2...done.
                  Removing snort components...
                  Menu items... done.
                  Services... done.
                  Loading package instructions...
                  Include file snort.inc could not be found for inclusion.
                  Deinstall commands...
                  Not executing custom deinstall hook because an include is missing.
                  Removing package instructions...done.
                  Auxiliary files... done.
                  Package XML... done.
                  Configuration... done.
                  Cleaning up... Failed to install package.

                  Package reinstallation failed.

                  Looks like the *.tbz package for 2.0.x failed to build and upload.  I will notify the pfSense guys to take a look.  I know you are loath to do so, but it's about time to consider upgrading to the 2.1.x version.

                  UPDATE: I know you probably won't like this answer, but here is what I got back from the pfSense guys:

                  Hello Bill,

                  We are not building new .tbz packages for 2.0, I believe the best thing to do in this case is to mark snort package to require pfSense 2.1 or higher.

                  Regards

                  I am going to update the Snort package so that pfSense 2.1 or higher is required.

                  Bill

                  • bmeeks

                    @FlashPan:

                    Thank you very much bmeeks for keeping the wonderful (and I think essential) package going and up to date.

                    I do have a question about upgrading though.

                    I seem to remember way back when that it was advised to remove snort, reboot then install the new snort package to avoid potential problems.

                    Is this still the norm or can we just use the reinstall package function from the packages menu?

                    Cheers

                    With the new PBI package system used on 2.1.x and later, it handles the "remove and install" itself so all you have to do is click the PKG icon to update.  The manual "remove and reinstall" still holds true for the older 2.0.x version of pfSense.

                    Bill

                    • bmeeks

                      @dgcom:

                      As posted in other thread - updated without any issues.
                      It just took approx 5 minutes, most of which was to download updated rule sets.

                      BTW, once we are on the topic - could there be an option to show alerts for all interfaces on the same page?
                      I have only two, but still would like to see them together… People with many more may benefit from it even more... Of course, it should indicate which interface each alert is for... More like firewall log.

                      Yeah, that's technically possible.  It would require quite a bit of recoding for the ALERTS tab page, though.  I will add it to my list of future features.

                      Bill

                      • bmeeks

                        @chemlud:

                        …I simply went to the package manager (2.1.4) and said "reinstall" for the snort package showing the update. Everything went fine, no errors, but after a reboot, there is no snort under "Services", although the package manager indicates that snort is installed.... puuuuuhhhhhhh..... ???

                        UPDATE: Uninstalled Snort, reboot, new install Snort, reboot -> Still no Snort under Services

                        What can I try next? :o

                        ...updating the GUI components doesn't help either...

                        UPDATE 2: In the SystemLog I find

                        snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.

                        …every time a service for an interface is started...

                        Your install is not actually completing.  The key is the missing Snort entry under SERVICES in the pfSense menu.  Are you using a full install of pfSense or one of the Compact Flash versions?  If the latter, how much free space exists on the /var partition?

                        Also just noticed that the path is all messed up:

                        /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                        

                        It should look like this instead:

                        /usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules
                        

                        There is a double backslash where there should be only one, and the complete path is doubled.

                        Bill
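
The doubled path Bill points out above can be picked out of the system log mechanically. The following is an added example, not part of the original posts or of the Snort package: a POSIX shell function (the name `check_rules_paths`, the helper `sample_log` and the second and third sample log lines are constructed for illustration) that separates doubled-path failures from ordinary missing rules files and prints the path Snort should have used.

```shell
#!/bin/sh
# Added example: classify Snort "Unable to open rules file" errors.
# Not code from the Snort package; function names are hypothetical.

# Reads syslog lines on stdin. For each Snort FATAL ERROR that names a
# rules file, prints
#   DOUBLED <bad path> -> <de-duplicated path>
# when the directory prefix is repeated after a "//", otherwise
#   MISSING <path>
check_rules_paths() {
    awk '
    /FATAL ERROR/ && /Unable to open rules file/ {
        # The offending path is the first double-quoted string on the line.
        if (match($0, /"[^"]+"/) == 0) next
        path = substr($0, RSTART + 1, RLENGTH - 2)

        # A doubled path has the form <base>//<base>/rules/x.rules :
        # the text before the "//" appears again, as an absolute path,
        # immediately after it.
        i = index(path, "//")
        if (i > 1) {
            base = substr(path, 1, i - 1)
            rest = substr(path, i + 1)      # keeps one leading "/"
            if (index(rest, base "/") == 1) {
                print "DOUBLED " path " -> " rest
                next
            }
        }
        print "MISSING " path
    }'
}

# Sample input. The first line is the error quoted in the thread; the
# second and third lines are constructed for this example.
sample_log() {
    cat <<'EOF'
snort[59701]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_59777_re1//usr/pbi/snort-i386/etc/snort/snort_59777_re1/rules/flowbit-required.rules": No such file or directory.
snort[60112]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_60112_em0/rules/custom.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_60112_em0/rules/custom.rules": No such file or directory.
php: /snort/snort_interfaces.php: constructed unrelated log line
EOF
}

sample_log | check_rules_paths
```

On a firewall, feed it the real system log instead of `sample_log`; a `DOUBLED` result means the generated snort.conf is wrong, not that the rules file is absent.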

                        • Supermule Banned

                          This is not good :(

                          Can we build this "on the side" for 2.0.x??

                          A lot of people are still running this release and I think this is a major bummer for the community.

                          2.1.x is still flawed and NOT running widescreen and with 243 VLANS I need this bad….

                          • bmeeks

                            @Supermule:

                            This is not good :(

                            Can we build this "on the side" for 2.0.x??

                            A lot of people are still running this release and I think this is a major bummer for the community.

                            2.1.x is still flawed and NOT running widescreen and with 243 VLANS I need this bad….

                            No, "on the side" would be a frowned upon option.  While widescreen is broken in 2.1, it does seem to work fine in the 2.2 snapshots.  Could you limp by using 2.1.x until 2.2 goes production?

                            Bill

                            • dgcom

                              @bmeeks:

                              @dgcom:

                              BTW, once we are on the topic - could there be an option to show alerts for all interfaces on the same page?
                              I have only two, but still would like to see them together… People with many more may benefit from it even more... Of course, it should indicate which interface each alert is for... More like firewall log.

                              Yeah, that's technically possible.  It would require quite a bit of recoding for the ALERTS tab page, though.  I will add it to my list of future features.

                              Bill

                              Thank you, Bill. No rush :)

                              DG

                              • Supermule Banned

                                Problem is that 2.1.x doesn't upgrade correctly…

                                error.jpg

                                • jasonlitka

                                  Beginning package installation for snort .
                                  Downloading package configuration file... done.
                                  Saving updated package information... done.
                                  Downloading snort and its dependencies... 
                                  Checking for package installation... 
                                   Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ...  [ repository]
                                   (extracting)
                                  Loading package configuration... done.
                                  Configuring package components...
                                  Additional files... snort_download_updates.php failed.
                                  Removing package...
                                  Starting package deletion for snort-2.9.6.2-amd64...done.
                                  Removing snort components...
                                  Menu items... done.
                                  Services... done.
                                  Loading package instructions...
                                  Deinstall commands... done.
                                  Removing package instructions...done.
                                  Auxiliary files... done.
                                  Package XML... done.
                                  Configuration... done.
                                  done.
                                  Failed to install package.
                                  
                                  Installation halted.
                                  

                                  Any thoughts on the above?

                                  EDIT: First dozen times it failed.  Lucky #13 worked.

                                  I can break anything.

                                  • bmeeks

                                    @Jason:

                                    Beginning package installation for snort .
                                    Downloading package configuration file... done.
                                    Saving updated package information... done.
                                    Downloading snort and its dependencies... 
                                    Checking for package installation... 
                                     Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ...  [ repository]
                                     (extracting)
                                    Loading package configuration... done.
                                    Configuring package components...
                                    Additional files... snort_download_updates.php failed.
                                    Removing package...
                                    Starting package deletion for snort-2.9.6.2-amd64...done.
                                    Removing snort components...
                                    Menu items... done.
                                    Services... done.
                                    Loading package instructions...
                                    Deinstall commands... done.
                                    Removing package instructions...done.
                                    Auxiliary files... done.
                                    Package XML... done.
                                    Configuration... done.
                                    done.
                                    Failed to install package.
                                    
                                    Installation halted.
                                    

                                    Any thoughts on the above?

                                    EDIT: First dozen times it failed.  Lucky #13 worked.

                                    I have no clue.  That message literally means the physical PHP file could not be found or pulled down from the packages repository.  The fact it eventually worked indicates some type of glitch and not a permanent problem.  Glad it finally worked for you.

                                    Bill

                                    • bmeeks

                                      @Supermule:

                                      Problem is that 2.1.x doesn't upgrade correctly…

                                      It's been a while since I updated to 2.1, but if I remember correctly I did it coincident with upgrading my firewall hardware.  So I just did a clean install of 2.1 and then imported my old config.  In my case I had to adjust the NIC driver names from Realtek on the old hardware to Intel on the new.  However, if you do an install on the same hardware, you should not have that problem.

                                      Bill

                                      • simby

                                        @bmeeks:

                                        @Jason:

                                        Beginning package installation for snort .
                                        Downloading package configuration file... done.
                                        Saving updated package information... done.
                                        Downloading snort and its dependencies... 
                                        Checking for package installation... 
                                         Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ...  [ repository]
                                         (extracting)
                                        Loading package configuration... done.
                                        Configuring package components...
                                        Additional files... snort_download_updates.php failed.
                                        Removing package...
                                        Starting package deletion for snort-2.9.6.2-amd64...done.
                                        Removing snort components...
                                        Menu items... done.
                                        Services... done.
                                        Loading package instructions...
                                        Deinstall commands... done.
                                        Removing package instructions...done.
                                        Auxiliary files... done.
                                        Package XML... done.
                                        Configuration... done.
                                        done.
                                        Failed to install package.
                                        
                                        Installation halted.
                                        

                                        When will this be fixed? I have on more server the same problem :((

                                        • simby

                                          How can I delete all old Snort config files?

                                          • bmeeks

                                            @simby:

                                            How can I delete all old Snort config files?

                                            To physically remove Snort from the disk, delete this folder and all sub-folders:  /usr/pbi/snort-amd64

                                            Removing Snort settings from your config.xml file is much more delicate and can lead to a non-working firewall if the file is corrupted.

                                            The error you reported is more likely a temporary issue with one of the pfSense package repository servers.  I don't know if those are mirrored.  If they are, maybe one of them is missing that particular file.

                                            Bill

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.