Can't Remove / Re-install Snort



  • I'm having some issues with Snort on my Alix.  It started when I tried to download the latest rule set; the web GUI kept timing out and it appeared the update didn't work.

    There is an error message in the Syslog relating to the rules file list which makes me think the cause is a failed rules update…

    CPE000db91909ed-CMc4279573dbc0 snort[50696]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_22594_vr0//usr/pbi/snort-i386/etc/snort/snort_22594_vr0/rules/snort.rules(0) Unable to open rules file "/usr/pbi/snort-i386/etc/snort/snort_22594_vr0//usr/pbi/snort-i386/etc/snort/snort_22594_vr0/rules/snort.rules": No such file or directory.

    I have tried to remove and re-install a number of times, but I can no longer get the Snort link in the Services menu.  Is there a way I can clear out any left over snort related files and start again with a clean install of Snort?


  • Moderator

    There is a "//" in those errors.

    I think this is a bug that Bill Meeks is working on.

    See the following thread:

    https://forum.pfsense.org/index.php?topic=79720.msg436964#msg436964

    I remember seeing a thread about a temporary fix, but can't find it. You can look at the recent posts to see if you can find it.



  • Looks like there might not be a solution for the bug yet.

    Is there a way I can manually remove Snort from the command line?



  • What worked for me (removing snort the hard way) -> YMMV

    Delete folder snort + snort.xml here: /usr/local/pkg

    Afterwards, check from the Installed Packages page that it is gone; if not, initiate removal by pressing the "x".

    Now you should be able to do a fresh new install.



  • Thanks bennyc, that allowed me to attempt the re-install again.

    The installation got further this time, however it got stuck at 'installing sourcefire vrt rules'.  What I think happens is the interface gets reset as part of the installation and the installation interrupts itself and doesn't resume.

    Before this all started I had the option checked to not delete snort settings on un-install.  I think this might be what is trying to update the rules on a new install.

    I am going to try and delete the snort folder, and the rules folder and try again.



  • @rcampbell:

    Thanks bennyc, that allowed me to attempt the re-install again.

    The installation got further this time, however it got stuck at 'installing sourcefire vrt rules'.  What I think happens is the interface gets reset as part of the installation and the installation interrupts itself and doesn't resume.

    Before this all started I had the option checked to not delete snort settings on un-install.  I think this might be what is trying to update the rules on a new install.

    I am going to try and delete the snort folder, and the rules folder and try again.

    Is this any type of CF or Nano installation of pfSense?  If so, you need to have at least 200 MB of free space in /tmp.

    If not a Nano image installation, then first click the "X" on the System…Packages…Installed Packages tab to remove Snort.  Once Snort is verified as removed, browse to System…Packages and install it again.  Should work fine with previously saved settings.

    Bill



  • Hi Bill, yes, it's a Nano install on a CF (Alix).

    Deleting the Rules folder and the Snort folder didn't work.  Still gets stuck at the same point of 'installing sourcefire vrt rules'.



  • @rcampbell:

    Hi Bill, yes, it's a Nano install on a CF (Alix).

    Deleting the Rules folder and the Snort folder didn't work.  Still gets stuck at the same point of 'installing sourcefire vrt rules'.

    I think it is a space issue.  On the Upgrades sub-forum there is a current post from a user with a similar problem.  Down near the bottom is his solution.  I suspect it may work for you as well.

    Start reading the thread here and continue to the bottom – https://forum.pfsense.org/index.php?topic=79982.msg436412#msg436412

    Bill



  • I changed the /tmp space to 300MB, but I'm still having the same issues.  Any other suggestions?



  • @rcampbell:

    I changed the /tmp space to 300MB, but I'm still having the same issues.  Any other suggestions?

    Those rules are getting unpacked in /tmp but installed in /usr.  How much free space in /usr?

    Bill



  • I don't see /usr

    $ df -h
    Filesystem          Size    Used  Avail Capacity  Mounted on
    /dev/ufs/pfsense1    1.8G    166M    1.5G    10%    /
    devfs                1.0k    1.0k      0B  100%    /dev
    /dev/ufs/cf          49M    1.8M    43M    4%    /cf
    /dev/md0            290M    474k    266M    0%    /tmp
    /dev/md1              57M    19M    34M    36%    /var
    devfs                1.0k    1.0k      0B  100%    /var/dhcpd/dev



  • @rcampbell:

    I don't see /usr

    $ df -h
    Filesystem          Size    Used  Avail Capacity  Mounted on
    /dev/ufs/pfsense1    1.8G    166M    1.5G    10%    /
    devfs                1.0k    1.0k      0B  100%    /dev
    /dev/ufs/cf          49M    1.8M    43M    4%    /cf
    /dev/md0            290M    474k    266M    0%    /tmp
    /dev/md1              57M    19M    34M    36%    /var
    devfs                1.0k    1.0k      0B  100%    /var/dhcpd/dev

    It may just be a directory underneath the root filesystem instead of its own partition.  These Nano installations have been giving people fits trying to install packages.  There is just sometimes not enough space in the right places coupled with the mounting/remounting of the file systems in read-write and then back to read-only mode.

    Also just noticed that your /var partition seems a little tight as well.  Need at least 200 MB free on that one.

    As I stated in another thread to a different user, if possible, your life would be easier if you ditched the CF card and instead used an SSD and installed the full version of pfSense.

    Bill
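The point Bill makes above (that /usr is not its own partition, so its free space is that of /, while /tmp and /var need about 200 MB free each) can be checked mechanically. This is an added example, not code from the thread or from pfSense: it parses the `df -h` output posted above, resolves each path to the longest matching mount point, and compares the available space with the thresholds quoted in the thread; applying the same 200 MB figure to /usr is an assumption.

```python
import re
# Constructed sample input: the `df -h` output posted earlier in this thread.
DF_SAMPLE = """\
Filesystem          Size    Used  Avail Capacity  Mounted on
/dev/ufs/pfsense1    1.8G    166M    1.5G    10%    /
devfs                1.0k    1.0k      0B  100%    /dev
/dev/ufs/cf          49M    1.8M    43M    4%    /cf
/dev/md0            290M    474k    266M    0%    /tmp
/dev/md1              57M    19M    34M    36%    /var
devfs                1.0k    1.0k      0B  100%    /var/dhcpd/dev
"""

MB = 1024 ** 2
_UNITS = {"B": 1, "k": 1024, "K": 1024, "M": MB, "G": 1024 ** 3, "T": 1024 ** 4}
# Thresholds from the thread: 200 MB free in /tmp and /var; /usr reuses that figure (assumption).
REQUIRED_FREE = {"/tmp": 200 * MB, "/var": 200 * MB, "/usr": 200 * MB}

def parse_size(text):
    """Convert a BSD `df -h` figure such as '1.5G' or '474k' to bytes."""
    m = re.fullmatch(r"([0-9.]+)([BkKMGT])", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])

def parse_df(output):
    """Map each mount point in `df -h` output to its available bytes."""
    mounts = {}
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 6:
            mounts[fields[5]] = parse_size(fields[3])
    return mounts

def mount_for(path, mounts):
    """Longest mount point containing path; /usr without its own partition -> '/'."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best

def check_space(required=REQUIRED_FREE, output=DF_SAMPLE):
    """Return [(path, mount_point, avail_bytes, ok)] for every required path."""
    mounts = parse_df(output)
    results = []
    for path, need in required.items():
        mp = mount_for(path, mounts)
        results.append((path, mp, mounts[mp], mounts[mp] >= need))
    return results
```

On the posted numbers this reports /tmp and /usr (via /) as fine and /var as short, which matches Bill's reading of the output.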



  • I agree with you on the CF; currently, though, I have an Alix, so I don't have another option with the current setup.  I have another thread looking for an Alix alternative, but I won't get into that here.

    I figured out how to check the space on /usr.  It's mounted under the /dev/ufs/pfsense1 location, so it has 1.5GB free.

    
    [2.1.4-RELEASE][admin@CPE000db91909ed-CMc4279573dbc0]/root(1): df /usr
    Filesystem        1K-blocks   Used   Avail Capacity  Mounted on
    /dev/ufs/pfsense1   1890014 170738 1568075    10%    /
    
    

    Space doesn't seem to be an issue on either of the locations /tmp or /usr.

    I suspect it has something to do with enabling the option of saving Snort settings after Snort has been removed.  Assuming this is the case, where can I locate these saved settings and remove them so the next install thinks it's a fresh install with no legacy settings?



  • @rcampbell:

    I agree with you on the CF; currently, though, I have an Alix, so I don't have another option with the current setup.  I have another thread looking for an Alix alternative, but I won't get into that here.

    I figured out how to check the space on /usr.  It's mounted under the /dev/ufs/pfsense1 location, so it has 1.5GB free.

    
    [2.1.4-RELEASE][admin@CPE000db91909ed-CMc4279573dbc0]/root(1): df /usr
    Filesystem        1K-blocks   Used   Avail Capacity  Mounted on
    /dev/ufs/pfsense1   1890014 170738 1568075    10%    /
    
    

    Space doesn't seem to be an issue on either of the locations /tmp or /usr.

    I suspect it has something to do with enabling the option of saving Snort settings after Snort has been removed.  Assuming this is the case, where can I locate these saved settings and remove them so the next install thinks it's a fresh install with no legacy settings?

    First, make a backup of your configuration so you can recover if the editing goes bad.  You will find all the Snort settings in /conf/config.xml in the section <snortglobal>.  You will want to edit the file using Diagnostics…Edit File and then delete everything between the element tags <snortglobal> and </snortglobal>, including those tags themselves.  That will wipe out the Snort configuration for the box.  Just be careful and highlight those two tags and everything between them, then hit DELETE and SAVE.  The idea is to get rid of the entire <snortglobal> section within the config.xml file.

    IMPORTANT – do this after you have removed the Snort package using System…Packages menu.

    Bill
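The edit Bill describes (back up config.xml, then cut from `<snortglobal>` through `</snortglobal>` inclusive) can also be done from a script, which additionally verifies that the file is still well-formed XML afterwards. This is an added example, not pfSense code or the thread's own procedure; the sample document is constructed in the shape of /conf/config.xml (element names other than `snortglobal` are illustrative), and it assumes `snortglobal` is never nested inside another `snortglobal`.

```python
import re
import shutil
import xml.etree.ElementTree as ET

# Constructed sample shaped like /conf/config.xml; not a real configuration.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw</hostname></system>
  <installedpackages>
    <snortglobal>
      <oinkmastercode>PLACEHOLDER-OINKCODE</oinkmastercode>
      <snortdownload>on</snortdownload>
      <rule><interface>wan</interface><enable>on</enable></rule>
    </snortglobal>
    <package><name>other</name></package>
  </installedpackages>
</pfsense>
"""

# Leading whitespace is swallowed too, so no blank gap is left behind.
SECTION = re.compile(r"\s*<snortglobal>.*?</snortglobal>", re.DOTALL)

def strip_snortglobal(xml_text):
    """Return (new_text, sections_removed); raise if the result is not valid XML."""
    new_text, count = SECTION.subn("", xml_text)
    root = ET.fromstring(new_text)          # must still parse as XML
    if root.find(".//snortglobal") is not None:
        raise ValueError("a <snortglobal> element survived the edit")
    return new_text, count

def strip_file(path):
    """Back up path to path + '.bak', then rewrite it without <snortglobal>."""
    shutil.copy2(path, path + ".bak")        # the backup Bill asks for first
    with open(path) as fh:
        new_text, count = strip_snortglobal(fh.read())
    with open(path, "w") as fh:
        fh.write(new_text)
    return count

if __name__ == "__main__":
    text, n = strip_snortglobal(SAMPLE_CONFIG)
    print("removed %d section(s)" % n)
    print(text)
```

As in the thread, run this only after the Snort package itself has been removed via System…Packages.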



  • Thanks Bill, that worked.  Removing those retained settings allowed the installation to complete.

    I'm still having problems installing Snort rules though.  I have an Oink code and am installing the free VRT rules only.  The installation gets stuck on 'Installing Sourcefire VRT Rules'; a few moments later I can see the WAN interface loses connection momentarily (like an interface reset) and the web browser just twirls till it looks like the pfSense session times out.

    I log back into pfSense and check to see if the rules have been installed on the Snort - Updates tab and it says Not Downloaded.

    It's as if the install of the rules is dependent on the browser session being active, rather than a service that is started to initiate a download and install of the rules in the background.



  • @rcampbell:

    Thanks Bill, that worked.  Removing those retained settings allowed the installation to complete.

    I'm still having problems installing Snort rules though.  I have an Oink code and am installing the free VRT rules only.  The installation gets stuck on 'Installing Sourcefire VRT Rules'; a few moments later I can see the WAN interface loses connection momentarily (like an interface reset) and the web browser just twirls till it looks like the pfSense session times out.

    I log back into pfSense and check to see if the rules have been installed on the Snort - Updates tab and it says Not Downloaded.

    It's as if the install of the rules is dependent on the browser session being active, rather than a service that is started to initiate a download and install of the rules in the background.

    I suggest checking with the Snort VRT folks and verifying that your Oinkcode is still valid.  There was another user a few weeks back whose Oinkcode got messed up during the VRT web site updates in early July.  He had to contact them to straighten things out.

    There is nothing during the rules download process that should reset your WAN interface or any other interface.  It simply uses curl to download the file over https://.  Now, if for some other unrelated reason, your WAN interface bounces, then "yes" that will confuse the rules download process.

    Bill



  • I tried to re-install the rules today and it worked.  Not sure why it didn't work yesterday after the new install but works today.  The only setting I have enabled is to check for updates every 12 hours.  Maybe this cleared something??



  • Just tried adding the Emerging Threats rules as well, but now receiving this error message:

    08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]

    My Alix has 256MB RAM, so I'll remove Emerging Threats (ETOpen) and stick to VRT.



  • @rcampbell:

    Just tried adding the Emerging Threats rules as well, but now receiving this error message:

    08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]

    My Alix has 256MB RAM, so I'll remove Emerging Threats (ETOpen) and stick to VRT.

    Whoa!  256 MB of RAM is nowhere near enough to run Snort with any decent set of rules.  You need at least 1 GB and preferably 2 GB of RAM.  You have exhausted the memory available to pfSense, and that is the cause of the error you see.

    I did not ask earlier, but this low amount of RAM is probably the root of all the problems you are having.  You just don't have enough memory to run extra packages, and especially memory-hungry ones such as Snort or Suricata.

    Bill


  • Moderator

    @rcampbell:

    08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]

    This error is related to the Max Table Entry Size in pfSense.

    You can increase the size of the table in:

    System:Advanced:Firewall/NAT:  Firewall Maximum Table Entries

    Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined. Note: Leave this blank for the default.



  • @BBcan177:

    @rcampbell:

    08-14-14 14:19:01 [ There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [24]: table persist file /etc/bogonsv6]

    This error is related to the Max Table Entry Size in pfSense.

    You can increase the size of the table in:

    System:Advanced:Firewall/NAT:  Firewall Maximum Table Entries

    Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined. Note: Leave this blank for the default.

    That may fix that particular error, but with only 256 MB of RAM more troubles will likely follow if you use Snort or Suricata or other memory-intensive packages.

    Bill


  • Moderator

    @bmeeks:

    That may fix that particular error, but with only 256 MB of RAM more troubles will likely follow if you use Snort or Suricata or other memory-intensive packages.

    Yes, that is a definite issue… Need at least 3-4GB at minimum…



  • I have sorted the hardware issue for now.  I exported the config from the Alix, created a new pfSense VM and imported the config.  The difference is night and day, it is so much faster working with the GUI and adding or removing packages.

    I still seem to have one lingering problem though.  Some websites still seem to be blocked, or certain elements of the page are blocked (such as banner ads etc.) even though Snort is removed.

    My question now is: what is the config file that holds the list of IPs being blocked, and where is it located?  I want to flush this out so I can start Snort from scratch.


  • Moderator

    There is a table called "Snort2c" which you can see in Diagnostics:Tables

    If the file is there, you can open it and click the "all" icon at the bottom to clear it.

    If Snort is installed, you can clear the table by going to the Snort:Blocked Tab and hitting the "Clear" Icon.