    Snort 2.9.6.2 pkg v3.1.2 Update – Release Notes

      bmeeks

      An update for the Snort package has been posted.  Here are the release notes.

      Snort 2.9.6.2 pkg v3.1.2
      This update corrects three bugs and improves the behavior of the SELECT ALIAS button on the Pass List tab. It also reverts the rule enable/disable icons on the RULES tab back to their previous behavior. The default HOME_NET variable and default PASS LIST now include any Link-Local IPv6 addresses for the firewall interfaces.

      Bug Fixes:

      • When editing a Pass List entry, changes are only saved for the first entry in the list regardless of which entry is actually being edited.

      • Link to GLOBAL SETTINGS tab on the UPDATE RULES tab has an incorrect URL.

      • With latest changes at snort.org web site, the registration and rules subscription links on the GLOBAL SETTINGS tab are no longer correct.

      Changed Features:

      • When returning from selecting an alias using the SELECT ALIAS button on the Pass List Edit form, any previously typed data is not lost.

      • When force enabling or disabling a rule on the RULES tab for an interface, the state now simply toggles between "forced on" and "forced off" (as in the original behavior) instead of toggling between the forced state and the default state. This revert to old behavior is by popular user request. You can use the "Remove All Changes" icons on the tab to reset a single rules category or all rules categories back to their default values.

      • When you force enable or disable a rule, a message is displayed at the top of the page reminding you to APPLY the changes to the running Snort configuration before exiting the page.

      • Link-Local IPv6 addresses for the firewall interfaces are now automatically included in the HOME_NET variable and the default PASS LIST when "Local Networks" or "WAN IP" is selected.

      Bill

        adam65535

        Anyone know if this can still be installed on 2.0.3?  I noticed after uninstalling the old one the newest version does not appear to be listed in the packages to install anymore.

        Before updating the installed package showed an update.

        Available: 2.9.6.2 pkg v3.1.2
        Installed: 2.9.6.0 pkg v3.0.6

        I uninstalled 2.9.6.0 and now it doesn't appear I can install 2.9.6.2.

          BBcan177 Moderator

          Hey Adam. I think you need to upgrade. I think Bill posted in a thread about that.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            adam65535

            I should have looked at all the point releases between and not just the last version.  Snort 2.9.6.2 pkg v3.1.1 Update is what left pfsense 2.0.3 behind.  Now I need to figure out how to get the previous snort package back on the system.  This will be fun.  The secondary still has the previous package.  I don't know enough about the package system yet to do it though.

            EDIT: I am wondering if my best bet is to somehow edit the package gui code to think snort-2.9.6.0.tbz is the latest version.

            EDIT2: I assume there is not a way for the developers to mark older package versions as only available for older versions of pfsense.  That way 2.0.x would see a different list than 2.1.x.

              BBcan177 Moderator

              What is holding you to stay with version 2.0.3?

                adam65535

                I won't have maintenance time until next month (I prefer to be there during an upgrade).  My time is needed locally for other projects right now.

                I plan to reproduce the site config locally for testing.

                Another idea I have is to mirror the package directory…

                http://files.pfsense.org/packages/8/All/

                to a local site, removing the newest snort package, and finding the url in the gui code to change it to my private site.

                I am not sure if this will work though as I don't know if there is another file that gets downloaded that lists available packages (which I bet there is).  I am trying to make sense of the pkg-utils.inc code.

                  BBcan177 Moderator

                  I'm sure you can find a way to hack the installation, but I would wait for Bill to chime in and say that it won't break your box. The last thing you want if you are not local to your box.

                    bmeeks

                    @adam65535:

                    I won't have maintenance time until next month (I prefer to be there during an upgrade).  My time is needed locally for other projects right now.

                    I plan to reproduce the site config locally for testing.

                    Another idea I have is to mirror the package directory…

                    http://files.pfsense.org/packages/8/All/

                    to a local site, removing the newest snort package, and finding the url in the gui code to change it to my private site.

                    I am not sure if this will work though as I don't know if there is another file that gets downloaded that lists available packages (which I bet there is).  I am trying to make sense of the pkg-utils.inc code.

                    The latest Snort package will not run on 2.0.3 pfSense.  This is because it uses some native pfSense functions that are only available in 2.1 and higher.

                    You could stay with the older Snort version, though.  However, installing it will require lots of hacking.  In addition to manually installing the *.tbz packages, you will need to carefully hand-edit the config.xml file to simulate actual package installation.  After that you would also need to copy the older version of the PHP and INC files to the box in their proper directories.  If you have a secondary box still running the older version, you could use it as a source and template to follow.  It's all a lot of work and there are multiple points to make critical errors.  In my view this is as risky as simply doing a remote upgrade to 2.1.x and then installing the current Snort package.

                    Bill

                      gregober

                      Hi,

                      Since this update, I am facing an error:

                      php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 24394 -D -q -l /var/log/snort/snort_em024394 --pid-path /var/run --nolock-pidfile -G 24394 -c /usr/pbi/snort-i386/etc/snort/snort_24394_em0/snort.conf -i em0' returned exit code '1', the output was ''
                      snort[43498]: FATAL ERROR: Failed to load /usr/pbi/snort-i386/lib/snort/dynamicrules/file-executable.so: /usr/pbi/snort-i386/lib/snort/dynamicrules/file-executable.so: Shared object has no run-time symbol table

                      Following a post I have tried to de-install / re-install the package… But the error is persistent.

                      I would like to avoid killing my configuration since it is quite elaborate and complex.

                      Do you have any idea how to correct this bug without having to delete all created rule sets and configuration?

                        Supermule Banned

                        Save settings on deinstall in global settings and then deinstall/reinstall package.

                        Then it should work

                          gregober

                          Save settings on deinstall in global settings and then deinstall/reinstall package.

                          Then it should work

                          It has already been done… and it does not work.

                            Supermule Banned

                            Have you rebooted between installations?

                              gregober

                              Have you rebooted between installations?

                              No - no reboot… 
                              It is a firewall that's in production and rebooting is something I only do upon upgrade.

                              Isn't there any way to avoid this reboot ?

                              The libraries are linked to the kernel ?

                                Supermule Banned

                                Do you run CARP?

                                If you do then reboot is easy peasy :)

                                  gregober

                                  no - no CARP !

                                  :'(

                                    bmeeks

                                    @gregober:

                                    no - no CARP !

                                    :'(

                                    What installation type is this?  Is it a full install on a conventional hard disk, or is it a NanoBSD install on a CF card?

                                    Bill

                                      gregober

                                      What installation type is this?  Is it a full install on a conventional hard disk, or is it a NanoBSD install on a CF card?

                                      It is a nanobsd install.

                                        bmeeks

                                        @gregober:

                                        What installation type is this?  Is it a full install on a conventional hard disk, or is it a NanoBSD install on a CF card?

                                        It is a nanobsd install.

                                        Try increasing the /tmp partition to 80 MB or even 100 MB.  Another user had a similar issue with rule updates and found out his /tmp partition was running out of space.  Once the partition is enlarged, try the remove and reinstall step again.

                                        Snort and Suricata really don't play well with NanoBSD because both packages need a lot of disk space and RAM.

                                        Bill

                                          gregober

                                          Try increasing the /tmp partition to 80 MB or even 100 MB.  Another user had a similar issue with rule updates and found out his /tmp partition was running out of space.  Once the partition is enlarged, try the remove and reinstall step again.

                                          Snort and Suricata really don't play well with NanoBSD because both packages need a lot of disk space and RAM.

                                          Ok - I will wait a bit since we are planning to upgrade our pfSense to a newer appliance in the coming weeks.
                                          It'll be based on SSD disks… I guess problem should disappear…

                                          Thanks very much for your help.

                                            bmeeks

                                            @gregober:

                                            Try increasing the /tmp partition to 80 MB or even 100 MB.  Another user had a similar issue with rule updates and found out his /tmp partition was running out of space.  Once the partition is enlarged, try the remove and reinstall step again.

                                            Snort and Suricata really don't play well with NanoBSD because both packages need a lot of disk space and RAM.

                                            Ok - I will wait a bit since we are planning to upgrade our pfSense to a newer appliance in the coming weeks.
                                            It'll be based on SSD disks… I guess problem should disappear…

                                            Thanks very much for your help.

                                            You will be much more satisfied with Snort when you get the SSD setup.

                                            Bill
