Backup/Restore - SNORT settings missing?



  • First post.  :)

    Got corruption from a power failure last week and just did a reinstall and restore.  Everything looks okay so far except for SNORT.  It isn't enabled and missing everything - settings, suppress, ip list, etc.

    Any way to get this back?  I don't see a specific restore option for SNORT.

    Is it a bug?  Sorry if this should be in Packages/IDS/SNORT.  Figured it would get more eyes here.

    Thanks!



  • Have you reinstalled the Snort package?  You also did not state what version of pfSense you are using.  Snort is no longer available for versions older than 2.2.x.

    Bill



  • Yes, reinstalled.  The version was a release since pfsense 2.2.4.  (wrote a long post with versions, then realized I wasn't logged in when I tried to post!).

    I attempted restore without package(s) first, but got "can't find installed pbi (snort…)."  Then tried again after installing the current pkg in pfsense 2.2.5.  Openvpn and everything else restored just fine as far as I can tell.

    Biggest pain will be turning off SID rules one by one, as they occur, again.  [I'd really like to have FULL/FAST restores and do SMB level deployments.  This issue would be a problem; also, the original crash.]  I can see what was turned off in my backup XML.  I do not have "Enable Automatic SID State Management" checked.  If I check that, it looks like I can use/create custom SID mgmt files, so cool.

    I'd still like to know if there's a way to do full (& faster or automatic?) restores and any other regular maintenance issues/concerns to consider.  I think it was a power loss that caused my crash - BTX Halt error - but I'm not 100% certain.  I do believe in and use backups fortunately, so I saved some time.  :)



  • Unless your backup config.xml was somehow corrupted, all of the Snort settings are in there and should be recognized when you reinstall the package.  So when you restored the backup, even if the package did not automatically reinstall on its own, the old settings would still be found and used if you manually reinstall the package.  Are you saying no Snort settings came back?  If so, then my first suspicion would be that the backup you had was older than when you first installed Snort.

    Bill



  • That's correct - no settings were there after the restore.  Is it possible I didn't do something right?  For example, this was NOT checked: "Global Settings: Settings will not be removed during package deinstallation."  I never uninstalled it before the crash/corruption, just reinstalled/restored.  I can see the settings in my backup config.xml.  The version was 3.2.8.2.  Current is 3.2.9.1.  Like I said, Openvpn/etc restored flawlessly, best I can tell.

    EDIT: version 2.9.7.5 was the previous, now 2.9.7.6.  I guess the # above is a package version?

    I've only run pfsense & snort for a few months on this setup.  I can try to reproduce it on a VM when I get a chance.  Snort was stopped for no apparent reason today that I can tell (NM… actually forgot to enable start/stop logging).  It was doing that consistently before with AppID enabled, but that's no longer the case.  Should I maybe look at another IDS/IPS option with pfsense?  [Looking at comparing with Suricata now…]



  • @alottapuddin:

    That's correct - no settings were there after the restore.  Is it possible I didn't do something right?  For example, this was NOT checked: "Global Settings: Settings will not be removed during package deinstallation."  I never uninstalled it before the crash/corruption, just reinstalled/restored.  I can see the settings in my backup config.xml.  The version was 3.2.8.2.  Current is 3.2.9.1.  Like I said, Openvpn/etc restored flawlessly, best I can tell.

    EDIT: version 2.9.7.5 was the previous, now 2.9.7.6.  I guess the # above is a package version?

    I've only run pfsense & snort for a few months on this setup.  I can try to reproduce it on a VM when I get a chance.  Snort was stopped for no apparent reason today that I can tell (NM… actually forgot to enable start/stop logging).  It was doing that consistently before with AppID enabled, but that's no longer the case.  Should I maybe look at another IDS/IPS option with pfsense?  [Looking at comparing with Suricata now…]

    If that box on the GLOBAL SETTINGS page was not checked, then that's why your settings are gone.  You will have to set up Snort again from the beginning and then make sure that box is checked so that in the future settings will be restored when the package is re-installed.

    Bill
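    Added here as an example (not code from the thread or from the pfSense/Snort package): a pre-restore check that parses a backup config.xml and reports whether the Snort section is present, whether the keep-settings flag is set, and which interfaces it defines. The element names under installedpackages (snortglobal, forcekeepsettings, rule/interface) are assumed from the Snort package layout, and the embedded config is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense backup config.xml, trimmed to the package section.
# Element names under <installedpackages> are an assumption about the Snort package layout.
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <package><name>snort</name><version>3.2.9.1</version></package>
    <snortglobal>
      <forcekeepsettings></forcekeepsettings>
      <rule>
        <interface>wan</interface>
        <enable>on</enable>
        <descr>WAN</descr>
      </rule>
    </snortglobal>
  </installedpackages>
</pfsense>
"""


def check_snort_settings(config_xml: str) -> dict:
    """Report what a backup config.xml carries for Snort before you rely on a restore."""
    root = ET.fromstring(config_xml)
    report = {"has_snort_section": False, "keep_settings": False, "interfaces": []}
    pkgs = root.find("installedpackages")
    snort = pkgs.find("snortglobal") if pkgs is not None else None
    if snort is None:
        return report  # no Snort settings at all: the backup predates the package install
    report["has_snort_section"] = True
    # The GUI checkbox "Settings will not be removed during package deinstallation"
    # is assumed to be stored as forcekeepsettings = "on"; an empty element means unchecked.
    report["keep_settings"] = snort.findtext("forcekeepsettings", default="").strip().lower() == "on"
    report["interfaces"] = [r.findtext("interface", default="?") for r in snort.findall("rule")]
    return report


def restore_warnings(report: dict) -> list:
    """Turn the report into the things you would want to know before reinstalling."""
    warnings = []
    if not report["has_snort_section"]:
        warnings.append("backup has no Snort section; settings must be recreated")
    elif not report["keep_settings"]:
        warnings.append("keep-settings flag is off; settings may be dropped on package reinstall")
    return warnings


if __name__ == "__main__":
    rep = check_snort_settings(SAMPLE_CONFIG_XML)
    print(rep)
    for w in restore_warnings(rep):
        print("WARNING:", w)
```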



  • Okay, thanks.  I'll do more testing and report back if that does not work.  I need more experience with snort and pfsense anyway.  ;)

    For anyone who arrives here via hit on snort vs suricata - from what I read - Snort has more support, more documentation, a longer history.  Suricata uses or can use(?) Snort rules (as of Nov 2014?), but is not always compatible with them.  Suricata's key advantage is multi-threading, possibly making it more suitable for large, high traffic implementations.



  • Restore worked this time, so it was the above setting and/or something else that prevented a proper restore last time.  All good!

    Also, the original crash may have been due to a failed/failing USB stick; CAM error today.  :(  Went with hdd this time.  Hopefully no problems for a while.

