Author Topic: Snort Stable 2.9.2.3 pkg v. 2.2 Failed  (Read 13932 times)

Offline mschiek01

  • Full Member
  • ***
  • Posts: 153
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #30 on: June 13, 2012, 12:06:55 pm »
Delete anything in this directory:
/usr/local/lib/snort/dynamicrules
Also uncheck any .so rules on your interfaces.

Try to start snort

Offline sekular

  • Jr. Member
  • **
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #31 on: June 13, 2012, 02:11:35 pm »
That has resolved the problem. Thanks.

Online fragged

  • Full Member
  • ***
  • Posts: 223
  • Karma: +1/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #32 on: June 13, 2012, 04:21:45 pm »
You are not showing your system log there.
There will be the cause of that.

I can expect missing pre processor.

Status -> Services -> Hit start on Snort, Status -> System log -> Jun 14 00:23:18    SnortStartup[18693]: Snort HARD START For 37895_em0... -is the only line generated.

If I try to run Snort from Services -> Snort -> Snort interfaces, I get two lines:

Jun 14 00:32:11 SnortStartup[35943]: Interface Rule START for 0_37895_em0...
Jun 14 00:32:11 SnortStartup[30175]: Toggle for 37895_em0...
« Last Edit: June 13, 2012, 04:29:12 pm by fragged »

Offline mschiek01

  • Full Member
  • ***
  • Posts: 153
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #33 on: June 13, 2012, 04:51:01 pm »
services/snort
Click to edit the interface in question.
Select the Categories tab.
Select the rules you want to use.

Do not select any of the .so "shared objects rules"; they will cause snort to crash.

From your description it sounds like you don't have any rules selected.

Online fragged

  • Full Member
  • ***
  • Posts: 223
  • Karma: +1/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #34 on: June 13, 2012, 04:59:06 pm »
I have tried with and without rules enabled. Currently I have only EM rules installed and 2 of them selected. Still I don't get anything useful on the system log.

Offline mschiek01

  • Full Member
  • ***
  • Posts: 153
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #35 on: June 13, 2012, 06:29:41 pm »
On the Interface tab
general you have enabled the interface correct?

on the same tab under
Choose the types of logs snort should create.
you selected "Send alerts to main System logs"

On the preprocessors tab you have enabled "performance statics for this interface"


If all else fails, you could try running this command from the console command line, although I do not think this is the problem:

pkg_add -f http://files.pfsense.org/packages/8/All/snort-2.9.2.3.tbz

Then update your rules and try to start snort.

Offline johnnybe

  • Hero Member
  • *****
  • Posts: 1395
  • Karma: +0/-0
  • I've got... a head with wings
    • View Profile
    • nextsense blog
It's fixed, so just reinstall.

It's running here 2.0.1-RELEASE (amd64) and kept all previous settings. All that I did, after reinstall, was to update ET rules.
you would not believe the view up here

Offline pfnewbe

  • Jr. Member
  • **
  • Posts: 45
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #37 on: June 14, 2012, 03:16:48 am »
To get this to work, I had to uninstall, then run the following:

pkg_delete -f snort\*
find / -name snort

and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET. 
This worked for me!
Tnx
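
A dry-run sketch of the cleanup described in this post and in Reply #30, as an added example that is not part of the thread: it lists what `find / -name snort` would hand to `rm -rf`, lists the files in the dynamicrules directory, and archives the leftovers first so settings can be restored. The function names and the ROOT and ARCHIVE parameters are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inventory and back up Snort leftovers
# before removing them. ROOT and ARCHIVE are hypothetical parameters, so the
# functions can be tried on a scratch tree instead of the live firewall.

# Print the top-level paths named "snort" under ROOT, relative to ROOT.
# -prune stops find descending into a match, so each line is one rm -rf target.
list_snort_leftovers() {
    root="${1:-/}"
    ( cd "$root" && find . -xdev -name snort -prune -print 2>/dev/null | sort )
}

# Print the shared-object rule files in ROOT's dynamicrules directory
# (the directory named in Reply #30).
list_dynamic_rules() {
    dyn="${1:-/}/usr/local/lib/snort/dynamicrules"
    if [ -d "$dyn" ]; then
        find "$dyn" -type f | sort
    fi
}

# Archive every leftover into ARCHIVE (absolute path) before anything is removed.
backup_snort_leftovers() {
    root="${1:-/}"
    archive="$2"
    [ -n "$archive" ] || { echo "usage: backup_snort_leftovers ROOT ARCHIVE" >&2; return 2; }
    ( cd "$root" && find . -xdev -name snort -prune -print 2>/dev/null \
        | tar -czf "$archive" -T - )
}

# Stand-alone use: sh snort_leftovers.sh ROOT [ARCHIVE]
if [ "$#" -gt 0 ]; then
    list_snort_leftovers "$1"
    list_dynamic_rules "$1"
    if [ -n "$2" ]; then backup_snort_leftovers "$1" "$2"; fi
fi
```

Review the printed list and keep the archive until the reinstalled package is running with the settings you expect.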

Offline miles267

  • Full Member
  • ***
  • Posts: 240
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #38 on: June 14, 2012, 09:37:11 am »
Has anyone else noticed on their Snort > Blocked (tab) that the ALERT DESCRIPTION next to each IP now says "N/A" instead of displaying a full description as it has in the past?

I've confirmed under Snort > Global Settings, my Alert file description type = FULL.

Is there any way to restore this functionality so that full alert description is listed?

Offline mschiek01

  • Full Member
  • ***
  • Posts: 153
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #39 on: June 14, 2012, 09:42:23 am »
I think it is now being shown under the Alerts/Interface tab.

Have you noticed if the blocked ip's are being removed in the time you have specified?

Offline miles267

  • Full Member
  • ***
  • Posts: 240
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #40 on: June 14, 2012, 10:12:19 am »
The alert info has always been displayed within the Snort > Alerts tab.  But requires excessive searching to find the info that corresponds with a blocked IP.  Whereas, on the BLOCKED tab, it used to specifically show the ALERT DESCRIPTION that corresponds with each blocked IP.  More straightforward.

No - I've not yet confirmed that the blocked IPs are expiring within the interval I've configured.  I've been having to clear and reset snort blocks constantly to keep snort running so it's been somewhat of a moving target.

Wish the latest snort was more stable.  Though I'm sure most of my issues are already being addressed for a subsequent release.

Offline digdug3

  • Full Member
  • ***
  • Posts: 119
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #41 on: June 14, 2012, 10:27:13 am »
To get this to work, I had to uninstall, then run the following:

pkg_delete -f snort\*
find / -name snort

and rm -rf anything that turned up.  Reinstalling with new package fixed it from there, running snort rules and ET. 
This worked for me!
Tnx

Got snort working again (AMD64). EM and Snort rules.
Indeed, just remove the package first and then reinstall it.

Offline ermal

  • Administrator
  • Hero Member
  • *****
  • Posts: 3365
  • Karma: +3/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #42 on: June 14, 2012, 10:36:49 am »

Wish the latest snort was more stable.  Though I'm sure most of my issues are already being addressed for a subsequent release.

Stable in what sense? And how do you know it will be addressed in the future? :)

snadsnad

  • Guest
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #43 on: June 14, 2012, 10:39:11 am »
This is infuriating.  How come every time a snort update is released pfSense is totally incapable of doing an upgrade that doesn't completely break it and require people to wipe their snort config and reinstall?  I keep getting so close to pitching this for our enterprise but then crap like this happens perpetually.  What kind of QA, if any, is being done?  One virtual machine or box and then it gets signed off?  That's what it feels like.  If a simple package update can't be properly scripted and automated why would someone buy commercial support?

Offline Cino

  • Hero Member
  • *****
  • Posts: 1051
  • Karma: +0/-0
    • View Profile
Re: Snort Stable 2.9.2.3 pkg v. 2.2 Failed
« Reply #44 on: June 14, 2012, 11:40:01 am »
I think it is now being shown under the Alerts/Interface tab.

Have you noticed if the blocked ip's are being removed in the time you have specified?

It does for me... make sure you save the global page.. this creates the cron job for it
« Last Edit: June 14, 2012, 11:43:00 am by Cino »