Netgate Discussion Forum

    Snort 2.9.7.2 pkg v3.2.4 – Release Notes

    • bmeeks

      Snort 2.9.7.2 pkg v3.2.4

      Snort 2.9.7.2 pkg 3.2.4 has been posted.  This updates the Snort package to binary version 2.9.7.2 and the GUI package to version 3.2.4. Release notes for Snort 2.9.7.2 can be found here: http://blog.snort.org/2015/03/snort-2972-has-been-released.html. There are three minor bug fixes in the v3.2.4 GUI package update.

      Bug Fixes

      • If you're on the CATEGORIES tab and have enabled "GPLv2 Community Rules (VRT certified)", the hyperlink assigned to it to take you to the ruleset details is incorrect.

      • Redmine bug #4912 – Typo in snort_rulesets.php. Effect: Number of snort SO (shared object) rules always incorrectly counts as 1. There will be cases where not all snort SO rules are displayed, as $i is set by the other two rulesets.

      • Trailing backslash on OpenAppID detectors path needs to be removed in snort.conf file.

      Update Note: Remember, it can take Snort a while to start up after the update.  DO NOT leave the package install screen until you see a message in the big status box that says the package installation is complete!  If you navigate away from the package installation screen too early (while Snort is still being started), the final package install steps will be skipped and Snort may not appear in the SERVICES menu.

      Bill

      • 2chemlud Banned

        Hi Bill!

        Remaining in the package install screen didn't help, snort again is not in the GUI, although the process has been finished, according to the system log.

        The update window simply hung up after starting to build LAN config, although in the syslog I see it started building OPT1 config afterwards…

        As usual: 386 nano serial...

        Kind regards and thanks for the work with the update! :-)

        PS: Next try, only update the GUI, as the snort update apparently worked with the initial try. Syslog says:

        php-fpm[36784]: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…

        ...but the package update GUI page gets stuck again at some stage and no Snort under Services in the GUI...

        snortupdate2.JPG
        snortupdate.JPG

        • 2chemlud Banned

          Next try on reinstalling GUI:

          Package update hangs on

          "Please wait while Snort is started…"

          ...while system log shows errors after starting snort (see below), no snort in GUI. Tired for today, next try tomorrow....

          snort3.JPG

          • bmeeks

            With NanoBSD, you are likely running out of space on the RAM disk.  I have given up officially supporting Snort or Suricata on Nano installs.  They are just too limited in terms of free disk space.  The PBI packages can unzip to be quite large, and along with lots of rules, they can eat up the available free disk space on /var and /tmp during the installation.

            If the packages sub-system on pfSense supported install prerequisites, I would make detection of a Nano-based system "no-go" for Snort and Suricata.  People have been having trouble with those installs for quite a while, but regular installs with conventional disks or SSD work fine.

            I know I sound overly negative, and I don't really intend to be, but I am out of options with regards to Nano installs.  There are a few other posters that have been successful with manually increasing RAM disk partition sizes and trying the install again.  If you search the Packages sub-forum those posts should pop up.

            Bill

            • 2chemlud Banned

              Hi!

              No, I had an eye on the RAM on the Dashboard, nothing went out of control. And the problem is apparently at the end of the procedure (snort is there and running, only not included in the GUI), while reinstalling the rules sets for the interfaces.

              It worked fine during the update from 2.1.5 to 2.2 and from 2.2 to 2.2.1 on all three boxes. But this time…

              Kind regards

              • bmeeks

                @2chemlud:

                Hi!

                No, I had an eye on the RAM on the Dashboard, nothing went out of control. And the problem is apparently at the end of the procedure (snort is there and running, only not included in the GUI), while reinstalling the rules sets for the interfaces.

                It worked fine during the update from 2.1.5 to 2.2 and from 2.2 to 2.2.1 on all three boxes. But this time…

                Kind regards

                I don't mean necessarily RAM as in free system memory, but rather free space on the RAM disks used for the various system partitions.  These can be filled during the package download and unpacking process.  You would really have no way of seeing them run out unless you were monitoring them in a shell session while the package installation happened in the GUI.  After Snort starts up during the installation process, it returns control to pfSense where the package manager code of pfSense completes the installation.  This last step, done by pfSense itself and not the Snort package, is where the menu entry is created under SERVICES.  That step frequently dies for some reason on Nano installs.  I think it is because of RAM disk exhaustion.  Some other users have been able to get successful installs by manually increasing their RAM disk partition sizes.  For example, increasing /tmp to 300 MB (or at least 100 MB) in size.  That is the directory partition where the package downloading, unpacking, and other temp file creation happens.  By default it is somewhat small on Nano installs.

                Bill
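
The shell-session monitoring described in the last post, as an added example that is not part of the thread or of the Snort package: it samples `df` for `/tmp` and `/var` and keeps the lowest free space seen per mount. The function names, script name, state-file path, interval and threshold are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): record the low-water mark of free space
# on the RAM-disk mounts while a package install runs in the GUI.
# /tmp and /var come from the thread; every name and default below is assumed.

# stdin: `df -kP` output. stdout: "mount avail_kb" per filesystem.
parse_df() {
    awk 'NR > 1 { print $6, $4 }'
}

# stdin: "mount avail_kb" sample. $1: state file holding the minimum seen so
# far per mount. Old minimums and the new sample are merged by taking the min.
update_low_water() {
    state=$1
    [ -f "$state" ] || : > "$state"
    cat "$state" - |
        awk '{ v = $2 + 0 }
             !($1 in min) || v < min[$1] { min[$1] = v }
             END { for (m in min) print m, min[m] }' |
        sort > "$state.new"
    mv "$state.new" "$state"
}

# $1: state file, $2: threshold in KB. Prints mounts that dipped below it.
below_threshold() {
    awk -v t="$2" '$2 + 0 < t + 0 { print $1 }' "$1"
}

# Sample every $2 seconds until interrupted (Ctrl-C), then inspect the file.
monitor() {
    while :; do
        df -kP /tmp /var | parse_df | update_low_water "$1"
        sleep "$2"
    done
}

# Usage: sh ramdisk_watch.sh monitor [state_file] [interval_seconds]
if [ "${1:-}" = "monitor" ]; then
    monitor "${2:-/var/run/ramdisk.low}" "${3:-2}"
fi
```

Start it from a console or SSH shell just before launching the install in the GUI; afterwards `below_threshold <state_file> 10240` lists any mount that dropped under 10 MB free at some point during the run.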
