Snort 2.9.6.2 pkg v3.1.2 Update – Release Notes



  • An update for the Snort package has been posted.  Here are the release notes.

    Snort 2.9.6.2 pkg v3.1.2
    This update corrects three bugs and improves the behavior of the SELECT ALIAS button on the Pass List tab. It also reverts the rule enable/disable icons on the RULES tab back to their previous behavior. The default HOME_NET variable and default PASS LIST now include any Link-Local IPv6 addresses for the firewall interfaces.

    Bug Fixes:

    • When editing a Pass List entry, changes are only saved for the first entry in the list regardless of which entry is actually being edited.

    • Link to GLOBAL SETTINGS tab on the UPDATE RULES tab has an incorrect URL.

    • With latest changes at snort.org web site, the registration and rules subscription links on the GLOBAL SETTINGS tab are no longer correct.

    Changed Features:

    • When returning from selecting an alias using the SELECT ALIAS button on the Pass List Edit form, any previously typed data is not lost.

    • When force enabling or disabling a rule on the RULES tab for an interface, the state now simply toggles between "forced on" and "forced off" (as in the original behavior) instead of toggling between the forced state and the default state. This revert to old behavior is by popular user request. You can use the "Remove All Changes" icons on the tab to reset a single rules category or all rules categories back to their default values.

    • When you force enable or disable a rule, a message is displayed at the top of the page reminding you to APPLY the changes to the running Snort configuration before exiting the page.

    • Link-Local IPv6 addresses for the firewall interfaces are now automatically included in the HOME_NET variable and the default PASS LIST when "Local Networks" or "WAN IP" is selected.

    Bill



  • Anyone know if this can still be installed on 2.0.3?  I noticed after uninstalling the old one the newest version does not appear to be listed in the packages to install anymore.

    Before updating the installed package showed an update.

    Available: 2.9.6.2 pkg v3.1.2
    Installed: 2.9.6.0 pkg v3.0.6

    I uninstalled 2.9.6.0 and now it doesn't appear I can install 2.9.6.2.


  • Moderator

    Hey Adam. I think you need to upgrade. I think Bill posted in a thread about that.



  • I should have looked at all the point releases between and not just the last version.  Snort 2.9.6.2 pkg v3.1.1 Update is what left pfsense 2.0.3 behind.  Now I need to figure out how to get the previous snort package back on the system.  This will be fun.  The secondary still has the previous package.  I don't know enough about the package system yet to do it though.

    EDIT: I am wondering if my best bet is to somehow edit the package gui code to think snort-2.9.6.0.tbz is the latest version.

    EDIT2: I assume there is not a way for the developers to mark older package versions as only available for older versions of pfsense.  That way 2.0.x would see a different list than 2.1.x.


  • Moderator

    What is holding you to stay with version 2.0.3?



  • I won't have maintenance time until next month (I prefer to be there during an upgrade).  My time is needing locally for other projects right now.

    I plan to reproduce the site config locally for testing.

    Another idea I have is to mirror the package directory…

    http://files.pfsense.org/packages/8/All/

    to a local site, removing the newest snort package, and finding the url in the gui code to change it my private site.

    I am not sure if this will work though as I don't know if there is another file that gets downloaded that lists available packages (which I bet there is).  I am trying to make sense of the pkg-utils.inc code.


  • Moderator

    I'm sure you can find a way too hack the installation, but I would wait for Bill to chime in and say that it won't break your box. The last thing you want if you are not local to your box.



  • @adam65535:

    I won't have maintenance time until next month (I prefer to be there during an upgrade).  My time is needing locally for other projects right now.

    I plan to reproduce the site config locally for testing.

    Another idea I have is to mirror the package directory…

    http://files.pfsense.org/packages/8/All/

    to a local site, removing the newest snort package, and finding the url in the gui code to change it my private site.

    I am not sure if this will work though as I don't know if there is another file that gets downloaded that lists available packages (which I bet there is).  I am trying to make sense of the pkg-utils.inc code.

    The latest Snort package will not run on 2.0.3 pfSense.  This is because it uses some native pfSense functions that are only available in 2.1 and higher.

    You could stay with the older Snort version, though.  However, installing it will require lots of hacking.  In addition to manually installing the *.tbz packages, you will need to carefully hand-edit the config.xml file to simulate actual pacakge installation.  After that you would also need to copy the older version of the PHP and INC files to the box in their proper directories.  If you have a secondary box still running the older version, you could use it as a source and template to follow.  It's all a lot of work and there are multiple points to make critical errors.  In my view this is as risky as simply doing a remote upgrade to 2.1.x and then installing the current Snort package.

    Bill



  • Hi,

    Since this update, I am facing an error :

    php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 24394 -D -q -l /var/log/snort/snort_em024394 –pid-path /var/run --nolock-pidfile -G 24394 -c /usr/pbi/snort-i386/etc/snort/snort_24394_em0/snort.conf -i em0' returned exit code '1', the output was ''
    snort[43498]: FATAL ERROR: Failed to load /usr/pbi/snort-i386/lib/snort/dynamicrules/file-executable.so: /usr/pbi/snort-i386/lib/snort/dynamicrules/file-executable.so: Shared object has no run-time symbol table

    Following a post I have tried to de-install / re-install the package… But the error is persistent.

    I would like to avoid killing my configuration since It is quite elaborated and complex.

    Do you have any idea how to correct this bug without having to delete all created rule set and configuration ?


  • Banned

    Save settings on deinstall in global settings and then deinstall/reinstall package.

    Then it should work



  • Save settings on deinstall in global settings and then deinstall/reinstall package.

    Then it should work

    It has already been done… and It does not work.


  • Banned

    Have you rebooted between installations?



  • Have you rebooted between installations?

    No - no reboot… 
    It is a firewall that's in production and rebooting is something I only do upon upgrade.

    Isn't there any way to avoid this reboot ?

    The libraries are linked to the kernel ?


  • Banned

    Do you run CARP?

    If you do then reboot is easy peasy :)



  • no - no CARP !

    :'(



  • @gregober:

    no - no CARP !

    :'(

    What installation type is this?  Is it a full install on a conventional hard disk, or is it a NanoBSD install on a CF card?

    Bill



  • What installation type is this?  Is it a full install on a conventional hard disk, or is it a NanoBSD install on a CF card?

    It is a nanobsd install.



  • @gregober:

    What installation type is this?  Is it a full install on a conventional hard disk, or is it a NanoBSD install on a CF card?

    It is a nanobsd install.

    Try increasing the /tmp partition to 80 MB or even 100 MB.  Another user had a similar issue with rule updates and found out his /tmp partition was running out of space.  Once the partition is enlarged, try the remove and reinstall step again.

    Snort and Suricata really don't play well with NanoBSD because both packages need a lot of disk space and RAM.

    Bill



  • Try increasing the /tmp partition to 80 MB or even 100 MB.  Another user had a similar issue with rule updates and found out his /tmp partition was running out of space.  Once the partition is enlarged, try the remove and reinstall step again.

    Snort and Suricata really don't play well with NanoBSD because both packages need a lot of disk space and RAM.

    Ok - I will wait a bis since we are planning to upgrade our pfSense to a newer appliance in the coming weeks.
    It'll be based on SSD disks… I guess problem should disappear…

    Thanks very much for your help.



  • @gregober:

    Try increasing the /tmp partition to 80 MB or even 100 MB.  Another user had a similar issue with rule updates and found out his /tmp partition was running out of space.  Once the partition is enlarged, try the remove and reinstall step again.

    Snort and Suricata really don't play well with NanoBSD because both packages need a lot of disk space and RAM.

    Ok - I will wait a bis since we are planning to upgrade our pfSense to a newer appliance in the coming weeks.
    It'll be based on SSD disks… I guess problem should disappear…

    Thanks very much for your help.

    You will be much more satisfied with Snort when you get the SSD setup.

    Bill



  • As an update… thanks for the replies guys.  I finished the HA cluster upgrade from 2.0.3 to 2.1.5 this morning (everything went perfectly).  I definitely didn't want to customize the installation by trying to get snort to work on 2.0.3.


Log in to reply