Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SNORT Bug?

    Scheduled Pinned Locked Moved pfSense Packages
    14 Posts 4 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      iculookn
      last edited by

      Hi

      Not sure if this is a bug in SNORT or user error, but having a UI issue when trying to create a second Pass list entry.

      I have an existing SNORT Passlist entry that points to an existing Alias. Seems to be working fine.

      I now tried to add a new/2nd entry pointing to another alias, I select the alias and click on the save button, it then takes me back to the Edit Pass list screen. All normal, however, the name and description have changed to the 1st pass list entry name and description.

      Tried reboot, delete and recreate the entry etc.
      updated to Snort 2.9.6.2, but still the same
      PFSENSE: 2.1.4-RELEASE (amd64)

      Any ideas?

      Thanks
      Eric…

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        @iculookn:

        Hi

        Not sure if this is a bug in SNORT or user error, but having a UI issue when trying to create a second Pass list entry.

        I have an existing SNORT Passlist entry that points to an existing Alias. Seems to be working fine.

        I now tried to add a new/2nd entry pointing to another alias, I select the alias and click on the save button, it then takes me back to the Edit Pass list screen. All normal, however, the name and description have changed to the 1st pass list entry name and description.

        Tried reboot, delete and recreate the entry etc.
        updated to Snort 2.9.6.2, but still the same
        PFSENSE: 2.1.4-RELEASE (amd64)

        Any ideas?

        Thanks
        Eric…

        You currently can only have one Alias per Pass List, and you can only edit that Alias on the Pass List Edit screen.  I have plans to support multiple aliases in the future.

        UPDATE:  upon taking a second look at your post, I may have misunderstood your question.  You should be able to edit/delete the existing Alias.  I will double-check that still works.  Some changes were made in the Alias Import/Select code to improve security, and it's possible there is a bug lurking.

        Bill

        1 Reply Last reply Reply Quote 0
        • I
          iculookn
          last edited by

          Hi, Thanks

          Sorry if I was not clear. I am trying to create 2 separate Pass Lists. Each with its own Assigned Alias. (see screencap attached)

          But whenever I try to assign the Alias to the second passlist, the name and description are changed.

          Thanks

          Eric…

          passlist.png
          passlist.png_thumb

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            @iculookn:

            Hi, Thanks

            Sorry if I was not clear. I am trying to create 2 separate Pass Lists. Each with its own Assigned Alias. (see screencap attached)

            But whenever I try to assign the Alias to the second passlist, the name and description are changed.

            Thanks

            Eric…

            Ah…OK.  Let me try to reproduce.  It will be a day or two before I can reply.

            UPDATE:  I was able to quickly reproduce this.  It is a bug.  I will add it to the FIX ME list.  Thanks for reporting it.

            Bill

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              As a workaround for this bug until I can get it fixed, do the following depending on what you want to accomplish:

              If adding a new Pass List–

              Click the (+) icon to add a new list.  Fill in the name and description and then click SAVE before doing anything else.  This will create the list and save it.  If you want to add an Alias, click the edit icon to edit the just added list.  DO NOT click the SELECT ALIAS button.  That's where the bug is.  The bug causes the SELECT ALIAS button to only operate on the very first Pass List in the collection, no matter how many actually are displayed.  Instead, just start typing the name of your intended Alias and a drop-down list of matching names should appear.  Choose the one you want and click SAVE.

              If changing the Alias for an existing Pass List–

              Click the edit icon to edit the list.  DO NOT click the SELECT ALIAS button.  Instead, erase the existing alias name in the red background text box and start typing the name of the new one.  A drop-down list should appear.  Choose the desired alias name and click SAVE.

              1 Reply Last reply Reply Quote 0
              • I
                iculookn
                last edited by

                ok thanks for checking and thanks for the workaround

                Eric…

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  @iculookn:

                  ok thanks for checking and thanks for the workaround

                  Eric…

                  Actually, the more I looked the more troubles I found. I am getting everything corrected and hope to post an updated Snort package in a day or two.

                  Thanks again for the bug report.

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    I posted a Pull Request today to the pfsense-packages repository that fixes this bug.  Look for version 3.1.2 to appear once the pfSense developers review and approve.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • C
                      canux
                      last edited by

                      @bmeeks:

                      I posted a Pull Request today to the pfsense-packages repository that fixes this bug.  Look for version 3.1.2 to appear once the pfSense developers review and approve.

                      Bill

                      I have snort subscription that suddenly stopped updating as well.

                      I am running 2.1.4(amd64) and just tried removing and reinstalling snort 2.9.6.2 pkg v3.1.1. It now fails to install the package altogether. What to do?

                      I've pasted the install log below.

                      Beginning package installation for snort .
                      Downloading package configuration file… done.
                      Saving updated package information... done.
                      Downloading snort and its dependencies...
                      Checking for package installation...
                      Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ...  (extracting)
                      Loading package configuration... done.
                      Configuring package components...
                      Additional files... snort_download_updates.php failed.
                      Removing package...
                      Starting package deletion for snort-2.9.6.2-amd64...done.
                      Removing snort components...
                      Menu items... done.
                      Services... done.
                      Loading package instructions...
                      Deinstall commands... done.
                      Removing package instructions...done.
                      Auxiliary files... done.
                      Package XML... done.
                      Configuration... done.
                      done.
                      Failed to install package.

                      Installation halted.

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        @canux:

                        I have snort subscription that suddenly stopped updating as well.

                        I am running 2.1.4(amd64) and just tried removing and reinstalling snort 2.9.6.2 pkg v3.1.1. It now fails to install the package altogether. What to do?

                        I've pasted the install log below.

                        Beginning package installation for snort .
                        Downloading package configuration file… done.
                        Saving updated package information... done.
                        Downloading snort and its dependencies...
                        Checking for package installation...
                        Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.2-amd64.pbi ...  (extracting)
                        Loading package configuration... done.
                        Configuring package components...
                        Additional files… snort_download_updates.php failed.
                        Removing package…
                        Starting package deletion for snort-2.9.6.2-amd64...done.
                        Removing snort components...
                        Menu items... done.
                        Services... done.
                        Loading package instructions...
                        Deinstall commands... done.
                        Removing package instructions...done.
                        Auxiliary files... done.
                        Package XML... done.
                        Configuration... done.
                        done.
                        Failed to install package.

                        Installation halted.

                        I think there is a problem with a pfSense Packages repository server.  Are you by chance located outside the U.S.A.?  Some other folks have reported issues similar to the error I highlighted in maroon above, and they were outside the U.S.  There also appears to be an unrelated issue with at least one of the Snort VRT rules servers (again, maybe one for Europe).

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • C
                          canux
                          last edited by

                          You might be onto something there, I am located in Ontario, Canada.

                          The package downloads fine, but it backs out of the installation when the update fails.

                          Is there any workaround available, i.e. can I manually pulldown the pkg&update and install them from pfsense command line?

                          Thanks.

                          1 Reply Last reply Reply Quote 0
                          • BBcan177B
                            BBcan177 Moderator
                            last edited by

                            Hi Canux,

                            I am in Ont. Canada also and didn't have any issues installing an update to an existing Snort Installation or Installing a Fresh 2.2 Box today?

                            The package needs to be installed by the Package Manager for everything to function cleanly.

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            1 Reply Last reply Reply Quote 0
                            • C
                              canux
                              last edited by

                              Thanks for the info.  Do you have a paid subscription as well?

                              1 Reply Last reply Reply Quote 0
                              • BBcan177B
                                BBcan177 Moderator
                                last edited by

                                @canux:

                                Thanks for the info.  Do you have a paid subscription as well?

                                Yes I use a Snort VRT and ET Pro subscription. Some of the other boxes I have use the Open Snort and ET Rulesets.

                                Did you upgrade Snort to the latest version? There were two releases fairly recently.

                                "Experience is something you don't get until just after you need it."

                                Website: http://pfBlockerNG.com
                                Twitter: @BBcan177  #pfBlockerNG
                                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.