    Snort 2.9.6.2 pkg v3.1.4 – Bug Fix Update Release Notes

    • bmeeks

      Snort 2.9.6.2 pkg v3.1.4 Update

      This update corrects a bug in the code for periodically checking for posted updates to Snort rules.  This is a minor update for the GUI package only.  The underlying binary remains at version 2.9.6.2.

      Bug Fix:

      1.  When an update to any of the configured Snort rule sets is detected and downloaded (VRT or Emerging Threats), Snort is sent a start command instead of a restart command for all interfaces. This leaves the Snort binary process still using the older rules until a manual restart is performed or the firewall is rebooted.

      • lonevipr

        Updated & now I no longer have snort under services. It doesn't appear to start for me. Was not having any problems before.  :(

        With package reinstall it says

        Starting Snort using rebuilt configuration…

        Please wait while Snort is started...

        Then it just stays in a loading state. I have no snort under services like I did previously. Any help?

        System logs indicate that snort is running in the background & memory usage seems to indicate this as well, but I have no snort tab to configure anything. It looks like it pulled info from the previous install for what to run.

        Running pfSense 2.2-RELEASE (amd64)

        • Wolf666

          After updating, the Snort service is not listed in the running services. I then restarted Snort, but only the instance on LAN is shown while the one on WAN is not.

          I am on 2.2Beta 04NOV

          Modem Draytek Vigor 130
          pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
          Switch Cisco SG350-10
          AP Netgear R7000 (Stock FW)
          HTPC Intel NUC5i3RYH
          NAS Synology DS1515+
          NAS Synology DS213+

          • plumbum

            I have the same problem since last update. (3.1.3)

            No Snort tab in menu.
            Snort service is not listed in service status.

            But snort is working correctly and I still have the Snort Alerts dashboard.
            I can also access the Snort tab via the address  …pfsense/snort/snort_interfaces.php
            I was thinking that it is related to the 64bit version and that it will be corrected in the next version.
            Unfortunately the problem persists in 3.1.4

            pfSense 2.1.5-RELEASE (amd64)
            Snort 2.9.6.2 pkg v3.1.4

            Thanks for any suggestion.

            • FlashPan

              Sorry to say I have no suggestion but on my 2.1.5 32bit I uninstalled, and reinstalled (box ticked to keep Snort settings) the whole package without issue.

              • bmeeks

                @plumbum:

                I have the same problem since last update. (3.1.3)

                No Snort tab in menu.
                Snort service is not listed in service status.

                But snort is working correctly and I still have the Snort Alerts dashboard.
                I can also access the Snort tab via the address  …pfsense/snort/snort_interfaces.php
                I was thinking that it is related to the 64bit version and that it will be corrected in the next version.
                Unfortunately the problem persists in 3.1.4

                pfSense 2.1.5-RELEASE (amd64)
                Snort 2.9.6.2 pkg v3.1.4

                Thanks for any suggestion.

                What type of install are you running:  full install to a disk, or a NanoBSD install to a CF card?

                Bill

                • bmeeks

                  @Wolf666:

                  After updating, the Snort service is not listed in the running services. I then restarted Snort, but only the instance on LAN is shown while the one on WAN is not.

                  I am on 2.2Beta 04NOV

                  Did you look in the system log for any relevant messages?  My first suspicion is Snort encountered a problem starting on the WAN.  Many times this is due to one or more disabled preprocessors.  If this is the case, there will be a message in the system log containing the keywords "fatal error".

                  Bill

                  • bmeeks

                    @lonevipr:

                    Updated & now I no longer have snort under services. It doesn't appear to start for me. Was not having any problems before.  :(

                    With package reinstall it says

                    Starting Snort using rebuilt configuration…

                    Please wait while Snort is started...

                    Then it just stays in a loading state. I have no snort under services like I did previously. Any help?

                    System logs indicate that snort is running in the background & memory usage seems to indicate this as well, but I have no snort tab to configure anything. It looks like it pulled info from the previous install for what to run.

                    To be sure an older PHP include file is not being cached, completely remove the Snort package by clicking the "X" icon on the Installed Packages tab.  Then reinstall it.  Post back if you continue to have issues.

                    Bill

                    • Wolf666

                      @bmeeks:

                      @Wolf666:

                      After updating, the Snort service is not listed in the running services. I then restarted Snort, but only the instance on LAN is shown while the one on WAN is not.

                      I am on 2.2Beta 04NOV

                      Did you look in the system log for any relevant messages?  My first suspicion is Snort encountered a problem starting on the WAN.  Many times this is due to one or more disabled preprocessors.  If this is the case, there will be a message in the system log containing the keywords "fatal error".

                      Bill

                      No messages with Fatal Errors. I also checked the preprocessors; they are ticked, and the alert system shows both LAN and WAN activities. I will check later on today and I will report back.

                      UPDATE

                      With version

                      2.2-BETA (amd64)
                      built on Tue Nov 04 14:39:06 CST 2014
                      FreeBSD 10.1-RC4

                      Everything is running as it is supposed to be.

                      161 processes: 5 running, 116 sleeping, 40 waiting

                      Mem: 170M Active, 882M Inact, 767M Wired, 18M Cache, 825M Buf, 6045M Free
                      Swap: 500M Total, 500M Free

                      PID USERNAME PRI NICE  SIZE    RES STATE  C  TIME    WCPU COMMAND
                        11 root    155 ki31    0K    64K CPU3    3  16.8H 100.00% [idle{idle: cpu3}]
                        11 root    155 ki31    0K    64K RUN    2  16.8H 100.00% [idle{idle: cpu2}]
                        11 root    155 ki31    0K    64K CPU1    1  16.7H 100.00% [idle{idle: cpu1}]
                        11 root    155 ki31    0K    64K CPU0    0 995:44 100.00% [idle{idle: cpu0}]
                      62872 root      22    0  217M 33152K piperd  0  0:00  0.68% php-fpm: pool lighty (php-fpm)
                      4078 root      20    0  279M  130M nanslp  1  7:24  0.49% /usr/local/bin/ntopng -s -e -i igb1 -i igb
                        12 root    -60    -    0K  640K WAIT    2  5:32  0.00% [intr{swi4: clock}]
                      6445 root      20    0 14664K  2280K select  2  0:54  0.00% /usr/sbin/syslogd -s -c -c -l /var/dhcpd/v
                      73186 root      40  20  665M  281M bpf    0  0:53  0.00% /usr/local/bin/snort -R 32316 -D -q -l /va
                      23809 root      20    0 12460K  2140K select  3  0:39  0.00% /usr/local/sbin/apinger -c /var/etc/apinge
                          0 root    -16    0    0K  416K swapin  0  0:37  0.00% [kernel{swapper}]
                      73397 root      40  20  665M  278M bpf    0  0:34  0.00% /usr/local/bin/snort -R 48968 -D -q -l /va
                      4078 root      20    0  279M  130M nanslp  0  0:32  0.00% /usr/local/bin/ntopng -s -e -i igb1 -i igb
                          5 root    -16    -    0K    16K pftm    0  0:31  0.00% [pf purge]
                      1406 root      20    0 24068K  4484K kqread  3  0:29  0.00% redis-server: /usr/pbi/ntopng-amd64/local/
                      4078 root      20    0  279M  130M nanslp  2  0:28  0.00% /usr/local/bin/ntopng -s -e -i igb1 -i igb
                        12 root    -92    -    0K  640K WAIT    0  0:25  0.00% [intr{irq257: igb0:que}]
                        15 root    -16    -    0K    16K -      0  0:25  0.00% [rand_harvestq]

                      • plumbum

                        Hi bmeeks,

                        To your question: I have a full install to a disk on an old server HW.
                        It is actually overkill with 10GB RAM and it is not doing much but I left it as it was.
                        I haven't found any errors in log and snort is clearly running and blocking alerts as it should.
                        I also reinstalled it a few times without effect.

                        Because the snort alert dashboard tab is still there I can easily access the Snort service site by the link on the title
                        and can manage snort, which also works properly.

                        • bmeeks

                          @plumbum:

                          Hi bmeeks,

                          To your question: I have a full install to a disk on an old server HW.
                          It is actually overkill with 10GB RAM and it is not doing much but I left it as it was.
                          I haven't found any errors in log and snort is clearly running and blocking alerts as it should.
                          I also reinstalled it a few times without effect.

                          Because the snort alert dashboard tab is still there I can easily access the Snort service site by the link on the title
                          and can manage snort, which also works properly.

                          I'm not sure what could have happened.  The presence of the "snort" link under SERVICES is handled by the pfSense package installer code.  That is one of the last things it does as it saves the final new configuration for the package.  The Snort package itself has no control over that.

                          Perhaps there is some subtle corruption in the <packages> section of your config.xml file.  pfSense reads that section to determine what menu entries to display under the SERVICES item.  So just to be sure I understand your problem, under SERVICES on the pfSense menu you do not have a choice for "Snort".  Is that correct?

                          Bill

                          • plumbum

                            Yes, no link in Services menu and snort is also not listed in Status->Services

                            • Mr. Jingles

                              Same problem here on my Hardware1 (see sig), I had to reinstall I think four or five times before Snort was there again in the menu. Yet another serious problem popped up:

                              1. The reinstalling was done 3 times yesterday, then I went to bed and tried it again today. It seemed to have worked.
                              2. I had to shut all hardware down this afternoon. When booting again, I found WAN and WAN2 were offline.
                              3. It turned out, after this reboot, Snort had blocked the WAN/WAN2 external IP's because of 122:3, ping sweep (so: not before the reboot, then it found everything ok after the install finally worked. Only after rebooting with this new Snort package suddenly it started blocking WAN/WAN2).
                              4. I disabled Snort on WAN/WAN2, cleared the block lists and WAN/WAN2 were online again. I noticed CPU load 100% in the dashboard (normally around 8%).
                              5. 'top' in the CLI showed me 'fetch' consuming 100% of CPU (no clue what 'fetch' is fetching, it seems you can not see this, at least: man fetch doesn't tell me).
                              6. I uninstalled Snort altogether, in the dashboard CPU now is 52%, yet in the CLI 'top' still shows 100% usage for 'fetch'.

                              Being the eternal noob that I am I have no clue whatsoever ???

                              6 and a half billion people know that they are stupid, aggressive, lower life forms.

                              • bmeeks

                                @plumbum:

                                Yes, no link in Services menu and snort is also not listed in Status->Services

                                Those two depend on the information being in the same place in config.xml in order to display, so if one is missing the other will be as well.

                                Do you have any customized partition sizes?  In particular, how much free space is showing for the /tmp and /var areas?  There were some similar issues a while back caused by users running out of free space in those directories.  Of course those were NanoBSD installs.  I am assuming since you said your installation was on an "old server" that you have conventional disk storage and not CF.

                                If you want me to troubleshoot further, I will need your config.xml file.  If you want to proceed, send me a PM with your e-mail address.  I will reply and you can send me the config.xml file for analysis.

                                Bill

                                • bmeeks

                                  @Hollander:

                                  Same problem here on my Hardware1 (see sig), I had to reinstall I think four or five times before Snort was there again in the menu. Yet another serious problem popped up:

                                  1. The reinstalling was done 3 times yesterday, then I went to bed and tried it again today. It seemed to have worked.
                                  2. I had to shut all hardware down this afternoon. When booting again, I found WAN and WAN2 were offline.
                                  3. It turned out, after this reboot, Snort had blocked the WAN/WAN2 external IP's because of 122:3, ping sweep (so: not before the reboot, then it found everything ok after the install finally worked. Only after rebooting with this new Snort package suddenly it started blocking WAN/WAN2).
                                  4. I disabled Snort on WAN/WAN2, cleared the block lists and WAN/WAN2 were online again. I noticed CPU load 100% in the dashboard (normally around 8%).
                                  5. 'top' in the CLI showed me 'fetch' consuming 100% of CPU (no clue what 'fetch' is fetching, it seems you can not see this, at least: man fetch doesn't tell me).
                                  6. I uninstalled Snort altogether, in the dashboard CPU now is 52%, yet in the CLI 'top' still shows 100% usage for 'fetch'.

                                  Being the eternal noob that I am I have no clue whatsoever ???

                                  Did you have any suspicious messages in your system log?  Could you post the contents of the log from the time of one of the failed install attempts?

                                  Fetch is not a process that Snort would be using directly.  The Snort package uses a pfSense system call to download rule updates.  If you have two WAN connections, I would start looking for something strange with CARP.  Still having high CPU with Snort gone means Snort is not the problem.

                                  I think, judging by your other posts, that you might also be a pfBlocker user.  Perhaps it is stuck attempting to fetch some updates ??  I am not a fan of using those two together on the firewall.  pfBlocker can be very resource intensive (to wit you have to increase the state table entries to an astronomical number in order for it to work).

                                  Bill

                                  • Mr. Jingles

                                    Hi Bill  ;D

                                    The system log in the GUI shows so much information in 2000 lines yet nothing back to the install. Could you perhaps hint this noob as to what to grep from what log in the CLI, so I can get you the information you would want to see?

                                    As to your other remarks:
                                    • I have two WANs with failover, but no CARP. It is too scary for me  :P ( ;D )
                                    • I also don't have pfBlocker (used it once, but it gave too many problems).
                                    • I do have BB's lists, to which if I am correct JFL also contributed. They never gave problems in the past.

                                    I did find out that the usual suspect was the problem: the reboot. I've concluded that many times when you run into a less obvious problem a reboot solves all problems. I just did, and CPU in the GUI is 6% now, around where it always was.

                                    So what remains is Snort, after yesterday's update blocking my WAN-IP's due to the sweep (122:3), causing off line for both my internet connections.

                                    If you would be so kind as to hint me on what I need to grep in the CLI, I will post back the logs you want to see.

                                    Did I say already that you are one of the ultimate heroes?

                                    ;D :-*

                                    • Supermule

                                      No problems on 46 firewalls running both 2.1.4 and 2.1.5 64bit

                                      • bmeeks

                                        @Hollander:

                                        Hi Bill  ;D

                                        The system log in the GUI shows so much information in 2000 lines yet nothing back to the install. Could you perhaps hint this noob as to what to grep from what log in the CLI, so I can get you the information you would want to see?

                                        As to your other remarks:
                                        • I have two WANs with failover, but no CARP. It is too scary for me  :P ( ;D )
                                        • I also don't have pfBlocker (used it once, but it gave too many problems).
                                        • I do have BB's lists, to which if I am correct JFL also contributed. They never gave problems in the past.

                                        I did find out that the usual suspect was the problem: the reboot. I've concluded that many times when you run into a less obvious problem a reboot solves all problems. I just did, and CPU in the GUI is 6% now, around where it always was.

                                        So what remains is Snort, after yesterday's update blocking my WAN-IP's due to the sweep (122:3), causing off line for both my internet connections.

                                        If you would be so kind as to hint me on what I need to grep in the CLI, I will post back the logs you want to see.

                                        Did I say already that you are one of the ultimate heroes?

                                        ;D :-*

                                        Well, the best fix for the port sweep rule is to disable it.  It has a reputation for being both overly sensitive and not sensitive enough if that is confusing enough…  ;D.  What I mean is that there are many types of scans it will not detect, and there is a lot of innocent stuff that it thinks is a scan.  All in all it's not a very useful preprocessor in my opinion.  I have mine set to low sensitivity and I created an Alias with all my networks and external DNS forwarders in it.  I then assigned that alias to the Ignore Scanners option in the preprocessor.  Even then it occasionally fires false positives.  I may soon disable it on my own box.

                                        By the way, if yours is blocking your actual WAN IPs, then you must not have those in your Pass List.  They should not get blocked.  Since you have two, you might have to create a special Alias with all of your protected networks in it and then assign that alias to the pass list.

                                        Bill
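
An added example, not part of the original thread and not code from the Snort package: one way to confirm from alert data that sfPortscan (generator ID 122, the 122:3 alert discussed above) is firing on the firewall's own addresses, which is the condition the Pass List and Ignore Scanners settings are meant to prevent. The CSV column order, the sample lines and the addresses (documentation ranges) are constructed assumptions; adjust the field numbers to match your alert file.

```shell
#!/bin/sh
# Constructed sample alerts. Assumed CSV column order (not taken from the thread):
#   timestamp,gid,sid,rev,msg,proto,src,srcport,dst,dstport
# 198.51.100.10 and 203.0.113.20 stand in for the firewall's WAN and WAN2 addresses.
sample_alerts() {
cat <<'EOF'
11/05/14-14:02:11.120034,122,3,1,"(portscan) TCP Portsweep",,198.51.100.10,,192.0.2.80,
11/05/14-14:02:45.554410,122,3,1,"(portscan) TCP Portsweep",,198.51.100.10,,192.0.2.81,
11/05/14-14:03:02.009871,122,3,1,"(portscan) TCP Portsweep",,203.0.113.20,,192.0.2.80,
11/05/14-14:05:19.731200,122,1,1,"(portscan) TCP Portscan",,192.0.2.55,,198.51.100.10,
11/05/14-14:06:40.100001,1,2100498,7,"constructed non-portscan alert",TCP,198.51.100.10,51514,192.0.2.80,80
EOF
}

# own_addr_portscan_hits "<space-separated own IPs>"
# Reads alert CSV on stdin and prints one line per (gid:sid, source) pair,
# with a count, for every generator-122 alert whose SOURCE is one of the
# firewall's own addresses. Any output means the portscan preprocessor is
# treating the firewall itself as a scanner, so those addresses are missing
# from the Pass List (and are candidates for Ignore Scanners).
# Caveat: the plain comma split assumes the msg field contains no commas.
own_addr_portscan_hits() {
    awk -F',' -v own="$1" '
        BEGIN {
            n = split(own, a, " ")
            for (i = 1; i <= n; i++) mine[a[i]] = 1
        }
        $2 == 122 && ($7 in mine) { hits[$2 ":" $3 " " $7]++ }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Stand-alone run over the constructed sample.
sample_alerts | own_addr_portscan_hits "198.51.100.10 203.0.113.20"
```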

                                        • priller

                                          To share my experience with Snort disappearing from the Services menu.

                                          To upgrade I just selected "Reinstall Snort's GUI Components", since the binary was not changing.

                                          Upon doing so Snort disappeared from the Services menu.

                                          I then did a "Reinstall Snort Package" and everything came back as expected.

                                          I've done just the GUI Components before, with no ill effect.

                                          2.1.5-RELEASE (amd64)

                                          • bmeeks

                                            @priller:

                                            To share my experience with Snort disappearing from the Services menu.

                                            To upgrade I just selected "Reinstall Snort's GUI Components", since the binary was not changing.

                                            Upon doing so Snort disappeared from the Services menu.

                                            I then did a "Reinstall Snort Package" and everything came back as expected.

                                            I've done just the GUI Components before, with no ill effect.

                                            2.1.5-RELEASE (amd64)

                                            Thanks for the information and hint.  I will test this in my lab a bit more thoroughly to see if something shows up.  I have just started clicking the PKG icon to reinstall the package instead of clicking the XML icon to just reinstall GUI components.

                                            Bill
