Stopping /usr/local/etc/rc.d/snort.sh…done. - but snort is not installed....



  • 2.2-RC (amd64)
    built on Sat Jan 10 03:54:06 CST 2015
    FreeBSD 10.1-RELEASE-p3

    When I reboot the system (Diagnostics, Reboot, Yes), I see this message
    Stopping /usr/local/etc/rc.d/snort.sh…done.

    but snort is not installed, no packages are installed.



  • Was it installed at one time? You can remove the script from the command line:

    rm /usr/local/etc/rc.d/snort.sh
    
    


  • It looks like snort does not remove that snort.sh on deinstall: https://github.com/pfsense/pfsense-packages/pull/784



  • Yeah, it was a bug leftover from some earlier experimenting when I was trying (unsuccessfully) to get each configured Snort interface to show up as a separate service under the SERVICES menu.  Looks like that piece of experimental code got sucked into the production branch due to an error on my part.

    Phil has submitted a Pull Request to fix the problem (thanks …  :)).  And as Cino noted, you can just manually delete the file and the message will go away.

    Bill



  • Ok, so the problem was/is easily rectified and hopefully doesn't amount to much, but one question I do wonder about is what sort of oversight there is for code getting pulled?



  • Just noticed, as I've just installed snort (15:22 local time): firstly it wasn't showing in the packages, but having installed it, the below text is visible on the snort updates page.

    Snort VRT Rules Not Enabled Not Enabled
    Snort GPLv2 Community Rules e9cef31b25866760230a34cca074e854 Saturday, 10-Jan-15 13:01:08 GMT
    Emerging Threats Open Rules 1fe055c19fea21900ea4442022559ff5 Saturday, 10-Jan-15 13:01:09 GMT
    Snort OpenAppID Detectors Not Enabled Not Enabled

    Would this also be connected to the snort.sh script?

    Edit.

    Just to be clear, this was a fresh memstick install this morning; I restored a backup but later decided to abort it, so I chose to use option 4 on the console, reset to factory defaults.

    Is it possible the Reset to factory defaults is not resetting everything, i.e. there are still traces of apps & settings from packages left over?

    I could not see anything in the xml backup related to snort apart from "snort_alerts-" found in the <widgets><sequence> section, having done the factory reset.

    fwiw.

    Edit 2
    https://192.168.10.1/snort/snort_rulesets.php
    Snort, Wan, Wan Categories tab.
    Resolve Flowbits   If checked, Snort will auto-enable rules required for checked flowbits. The Default is Checked.

    It's not checked.

    Edit 3
    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.

    It's checked by default, but all other comments in this section of https://192.168.10.1/snort/snort_preprocessors.php?id=0

    have "Default is Checked." after the comment.

    E.g.

    General Preprocessors
    Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
    Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
    Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
    Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.
    Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
    Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

    should be

    General Preprocessors
    Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
    Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
    Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
    Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts. Default is Checked.
    Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
    Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

    Only cosmetic.  :)



  • @firewalluser:

    Ok, so the problem was/is easily rectified and hopefully doesn't amount to much, but one question I do wonder about is what sort of oversight there is for code getting pulled?

    The devs with commit access look at it before committing it - Renato seems to have been doing most of that lately, and I know he makes quite a few comments on people's pull requests.
    I scan stuff for obvious dumb typos… but when it is a big pull request I don't think through every line of logic in detail. And there have been a few others who have caught and given code review comments also.
    Obviously the more competent people who review this stuff, the fewer errors get through - so feel free to browse pull requests and commits regularly and comment on them.
    But from a configuration/security point of view, I think the devs are doing good review now. There won't be any back-doors or other "bonus code" introduced by contributors - that will be caught before commit.



  • @firewalluser:

    Just noticed, as I've just installed snort (15:22 local time): firstly it wasn't showing in the packages, but having installed it, the below text is visible on the snort updates page.

    Snort VRT Rules Not Enabled Not Enabled
    Snort GPLv2 Community Rules e9cef31b25866760230a34cca074e854 Saturday, 10-Jan-15 13:01:08 GMT
    Emerging Threats Open Rules 1fe055c19fea21900ea4442022559ff5 Saturday, 10-Jan-15 13:01:09 GMT
    Snort OpenAppID Detectors Not Enabled Not Enabled

    Would this also be connected to the snort.sh script?

    No, this is simply showing that upon the reinstall, Snort detected an existing configuration in the config.xml file and acted upon those settings.  Snort's settings are stored in the _<installed_packages>_ section.

    @firewalluser:

    Edit.

    Just to be clear, this was a fresh memstick install this morning; I restored a backup but later decided to abort it, so I chose to use option 4 on the console, reset to factory defaults.

    Is it possible the Reset to factory defaults is not resetting everything, i.e. there are still traces of apps & settings from packages left over?

    I could not see anything in the xml backup related to snort apart from "snort_alerts-" found in the <widgets><sequence> section, having done the factory reset.

    fwiw.

    I have not tested this, but it very well could be that the reset to factory defaults only resets the pfSense firewall settings and leaves any existing package information in the aforementioned _<installed_packages>_ section of config.xml alone.

    @firewalluser:

    Edit 2
    https://192.168.10.1/snort/snort_rulesets.php
    Snort, Wan, Wan Categories tab.
    Resolve Flowbits   If checked, Snort will auto-enable rules required for checked flowbits. The Default is Checked.

    It's not checked.

    Edit 3
    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.

    It's checked by default, but all other comments in this section of https://192.168.10.1/snort/snort_preprocessors.php?id=0

    have "Default is Checked." after the comment.

    E.g.

    General Preprocessors
    Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
    Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
    Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
    Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts.
    Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
    Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

    should be

    General Preprocessors
    Enable RPC Decode and Back Orifice detector Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is Checked.
    Enable DCE/RPC2 Detection The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is Checked.
    Enable SIP Detection The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is Checked.
    Enable GTP Detection The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts.
    Enable SSH Detection The SSH preprocessor detects various Secure Shell exploit attempts. Default is Checked.
    Enable DNS Detection The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is Checked.
    Enable SSL Data SSL data searches for irregularities during SSL protocol exchange. Default is Checked.

    Only cosmetic.  :)

    Thanks for reporting these inconsistencies.  I will look into them and fix them as necessary.  There have been at least three different sets of "hands" modifying the Snort package over the years, and there is some inconsistency here and there in all the PHP code.  For example, in some cases Boolean parameters in the config are stored as "yes" or "no", while in other places it may be "on" or "off".  I have been trying to clean those up.

    Bill
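    Bill's point above that package settings live under <installed_packages> and may survive a reset to factory defaults suggests a quick audit of a config.xml backup before trusting it as clean. The script below is an added example, not pfSense project code or anything posted in this thread: the sample config is constructed, the widget entry format ("name-container:colN:state") is an assumption based on 2.2-era configs, and the set of installed package names is something you supply (for instance from `pkg info` on the firewall).

```python
import xml.etree.ElementTree as ET

# Constructed sample: a config.xml that looks "factory reset" but still carries
# Snort settings under <installed_packages> and the snort_alerts dashboard widget.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <widgets>
    <sequence>system_information-container:col1:show,snort_alerts-container:col2:show</sequence>
  </widgets>
  <installed_packages>
    <package>
      <name>snort</name>
    </package>
    <snortglobal>
      <emergingthreats>on</emergingthreats>
    </snortglobal>
  </installed_packages>
</pfsense>
"""


def audit_package_leftovers(xml_text, actually_installed):
    """Report package state in config.xml that has no matching installed package.

    actually_installed: names of packages really present on the box (assumed input,
    e.g. from `pkg info`); empty when "no packages are installed".
    """
    root = ET.fromstring(xml_text)
    declared, setting_blocks = set(), []
    ip = root.find("installed_packages")
    for child in (ip if ip is not None else []):
        if child.tag == "package":
            name = child.findtext("name")
            if name:
                declared.add(name)
        else:
            setting_blocks.append(child.tag)   # e.g. snortglobal
    stale_pkgs = sorted(declared - set(actually_installed))
    # A settings block is stale unless an installed package name prefixes its tag.
    stale_settings = sorted(t for t in setting_blocks
                            if not any(t.startswith(p) for p in actually_installed))
    # Widget entries are assumed to be "name-container:colN:state"; flag those
    # whose name is owned by a stale package (snort_alerts -> snort).
    seq = root.findtext("widgets/sequence") or ""
    widget_names = [e.split("-container", 1)[0] for e in seq.split(",") if e]
    stale_widgets = sorted(w for w in widget_names
                           if any(w.startswith(p) for p in stale_pkgs))
    return {"stale_packages": stale_pkgs, "stale_settings": stale_settings,
            "stale_widgets": stale_widgets}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(audit_package_leftovers(text, set(sys.argv[2:])))
```

    Run it against a real backup as `python3 audit.py config.xml snort` (listing the packages that are genuinely installed); anything reported is configuration a reinstall will silently act on, exactly as Bill describes.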

