
Author Topic: Problem SNORT 2.9.1 pkg v. 2.1  (Read 11538 times)


Offline dwood

Problem SNORT 2.9.1 pkg v. 2.1
« on: January 25, 2012, 06:09:16 pm »
I reinstalled SNORT to upgrade to version 2.9.1 v 2.1 which looks to be new as of today.

I also subsequently removed (reset all settings) and reinstalled to try and resolve the error below.

In all cases, I am getting this error:

snort[709]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter

I also noted that two new options were added in the IF settings tab:

Kill states (on or off)
Which ip to block (SRC, DESTINATION, BOTH)

After removal/reinstallation, the options for "Which IP to block" have disappeared.


Version    2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:16:13 EST 2011
FreeBSD 8.1-RELEASE-p6

You are on the latest version.
Platform    pfSense
CPU Type    Intel(R) Atom(TM) CPU 330 @ 1.60GHz
Current: 999 MHz, Max: 1599 MHz
« Last Edit: January 25, 2012, 06:11:56 pm by dwood »

Offline Cino

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #1 on: January 25, 2012, 07:50:53 pm »
I checked GitHub and it looks like there is going to be a binary update for the package. Since the changes were made today, we have to wait at least till tomorrow for the binaries to be compiled. Checking file.pfsense.org, the timestamp hasn't changed.

@emarl I didn't notice this before, but the package states the ver is 2.9.1 but the binaries in the package are 2.9.0.5. Checking files.pfsense.org, I don't see a package for 2.9.1, only PBIs... there is a 2.9.2 package though... not that it really makes a difference, but I want to let you know.
« Last Edit: January 25, 2012, 08:01:41 pm by Cino »

Offline dwood

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #2 on: January 25, 2012, 08:03:57 pm »
Thanks for the reply Cino :-)

I did observe that unchecking "block offenders" allows SNORT to start. However, no point in spending any more time digging if a binary update is pending.

Cheers,
Dennis.

Offline th3r3isnospoon

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #3 on: January 25, 2012, 10:42:48 pm »
I am also having this issue.

I unchecked block offenders, however, I still had to add 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' in order to get Snort to start.

As said above, the package says it's '2.9.1 pkg v. 2.1', but when you install it and open it, it says it's version '2.9.1 pkg v. 2.0.2'.

Looks like there are a few new features though.

Also, WOW, it uses A LOT more memory now.  Just throwing that out there.


Guess we'll have to wait until tomorrow.



-th3r3isnospoon
« Last Edit: January 25, 2012, 10:44:32 pm by th3r3isnospoon »

Offline darklogic

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #4 on: January 26, 2012, 10:39:30 am »
Updated to Snort 2.9.1 pkg v. 2.0.2

Surprise, surprise,

Same issue with this stable version of SNORT. When block offenders is checked, the SNORT service will not start.

Offline trvsecurity

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #5 on: January 26, 2012, 11:02:37 am »
We have EXACTLY the same issues - as soon as we try to "block hosts", Snort fails to start.  There must be many many others around the world where their IDS security protection has just failed!!

Does anyone have a precise date / time when the corrected version will be released and available to install on PFSENSE?

Thanks!

Offline catfish99

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #6 on: January 26, 2012, 11:05:09 am »
In the meantime, does anyone know how to modify the snort2c table so that the updated snort can be made to work?

Offline trvsecurity

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #7 on: January 26, 2012, 11:40:30 am »
I have never been able to get the automatic rule update to function with any version.  I have always had to update the rules with a manual update.

To be honest, Snort on PFSENSE worries me from a testing point of view.  We have used it for 2 years now and it's nice when it works.  However, even the most basic testing would have found the current errors (especially that the product fails completely when it is set to "block hosts").

I hope they get this sorted soon!!

Offline dhatz

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #8 on: January 26, 2012, 01:33:40 pm »
To be honest, Snort on PFSENSE worries me from a testing point of view. However, even the most basic testing would have found the current errors (especially that the product fails completely when it is set to "block hosts").

Indeed the pfsense Snort package has been having problems for several months.

But keep in mind that most packages are not maintained by the pfsense core developers, so the quality control isn't necessarily the same as the base system.

I guess priorities are a matter of funding.

Offline antilog

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #9 on: January 26, 2012, 01:51:41 pm »
Offender blocking still offline as of 2:53 PM EST.

Offline ccb056

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #10 on: January 26, 2012, 02:07:24 pm »
Having the same problem...

FATAL ERROR: pf.conf => Table snort2c,src,kill don't exists in packet filter

Looks like the file pf.conf should be in /etc/pf.conf but I can't seem to find it there on my pfsense box.

http://www.freebsd.org/doc/handbook/firewalls-pf.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

If the file isn't where it's supposed to be, no wonder snort can't find the table...
« Last Edit: January 26, 2012, 02:34:30 pm by ccb056 »
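
Added example, not part of the thread and not the package's own code: a small triage script for the failure reported above, which pulls the FATAL ERROR lines out of log text, splits the "Table" argument into its comma-separated fields, and checks a pf table listing for snort2c so that a stopped IDS is noticed. The function names are hypothetical, the log timestamps, hostname and second PID are constructed, and reading the comma fields as the "Which IP to block" and "Kill states" options is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): triage the Snort startup failure above.
# Log timestamps, hostname and the second PID are constructed; the message
# text is the one quoted in the posts.
SAMPLE_LOG="Jan 25 18:05:01 fw snort[709]: FATAL ERROR: pf.conf => Table snort2c,,kill don't exists in packet filter
Jan 26 14:01:12 fw snort[1432]: FATAL ERROR: pf.conf => Table snort2c,src,kill don't exists in packet filter
Jan 26 14:02:00 fw check_reload_status: Reloading filter"

# parse_fatal: read log lines on stdin and print "pid|table|which_ip|kill"
# for every pf-table FATAL ERROR. Splitting the table argument on commas is
# an assumption about how the package encodes the two new GUI options.
parse_fatal() {
    awk '
    /FATAL ERROR: pf\.conf => Table / {
        pid = "-"                                  # line may lack a snort[pid] tag
        if (match($0, /snort\[[0-9]+\]/))
            pid = substr($0, RSTART + 6, RLENGTH - 7)
        sub(/^.*=> Table /, "")                    # $1 is now the table argument
        n = split($1, f, ",")
        which = (n >= 2 && f[2] != "") ? f[2] : "unset"
        kill  = (n >= 3 && f[3] != "") ? f[3] : "unset"
        printf "%s|%s|%s|%s\n", pid, f[1], which, kill
    }'
}

# table_listed NAME: succeed if NAME is an exact line of the table listing on
# stdin (pipe `pfctl -s Tables` into it on the firewall).
table_listed() { grep -qxF -- "$1"; }

# blocking_status LOGTEXT TABLELIST: one-word verdict for monitoring.
blocking_status() {
    fatals=$(printf '%s\n' "$1" | parse_fatal | wc -l | tr -d ' ')
    if [ "$fatals" -gt 0 ]; then
        echo "snort-failed-to-start"
    elif printf '%s\n' "$2" | table_listed snort2c; then
        echo "ok"
    else
        echo "table-missing"
    fi
}

printf '%s\n' "$SAMPLE_LOG" | parse_fatal
blocking_status "$SAMPLE_LOG" "snort2c"
```

On the firewall, pass recent system log text as the first argument and the output of `pfctl -s Tables` as the second.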

Offline Cino

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #11 on: January 26, 2012, 02:54:07 pm »
The binaries didn't build last night. I heard that they are being built now. We just have to wait until they are built.

When it comes to snort, if you see a new version and don't understand pfsense and freebsd that well, wait till there is an announcement or experienced users confirming that it works before re-installing.

Other than barnyard, snort has been very stable for the last month. Once in a while it has to be restarted on my box but only when I'm doing heavy heavy bit-torrent downloading.

Offline dwood

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #12 on: January 26, 2012, 03:06:23 pm »
I'm wondering if it's possible to make the package "publishing" via the GUI the last step?  In other words, remove the installation option entirely until the binaries and code etc. have been pushed to the update server?

I check the packages regularly via the PF GUI, and if an update is there, tend to install it.  The downside is that in cases like this, you can't go back and install the previous package.  That said, I remain very impressed with PF in general since pulling the pin on the previous routers.  Kudos to all in the chain.

Cino, can you describe (with a link or two if possible :-) ) the process you used to check github?
« Last Edit: January 26, 2012, 03:24:19 pm by dwood »

Offline ccb056

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #13 on: January 26, 2012, 03:08:34 pm »
Or add automatic checksum comparison to the package manager; this would prevent this problem and any man-in-the-middle attacks.

Offline Cino

Re: Problem SNORT 2.9.1 pkg v. 2.1
« Reply #14 on: January 26, 2012, 03:24:41 pm »
Check out the GitHub site for pfsense. There you can see the old changes and new ones.