Topic: Snort Updated to 2.7

AhnHEL (Sr. Member, 572 posts)
Snort Updated to 2.7
« on: December 03, 2007, 01:52:08 pm »
Just a heads up, Snort has been updated to version 2.7.0.1_1 in Packages. I can't perform the update now myself, I'm off to work, but I'm interested in the experiences others have with the update.
AhnHEL (Angel)
NYC

3 pfSense sites: 2.1 RELEASE (amd64)
Dell 745 SFF E4400 @ 2.0Ghz, 2GB RAM, 20/5 Mbps
Dell 755 SFF E6550 @ 2.3Ghz, 2GB RAM, 20/5 Mbps
White Box i5 3570k @ 4.4Ghz, 16GB RAM, 114/6 Mbps, SSD
OpenVPN (Site to Site, Road Warrior), IPSec Mobile, UPnP Gaming, Traffic Shaping, Snort, Suricata

trendchiller (Sr. Member, 347 posts)
Re: Snort Updated to 2.7
« Reply #1 on: December 03, 2007, 04:52:17 pm »
Until now it seems to run on 2 machines without issues after Scott patched the interface problem  ;D

cp8 (Newbie, 1 post)
Re: Snort Updated to 2.7
« Reply #2 on: December 03, 2007, 11:21:45 pm »
I have 2.7.0.1_1 installed... and I get this error:

# /usr/local/etc/rc.d/snort.sh start
/libexec/ld-elf.so.1: snort: Undefined symbol "__sbtoupper"
Sleeping before final memory sampling...

FreeBSD pfsense.local 6.2-RELEASE-p8 FreeBSD 6.2-RELEASE-p8 #0: Wed Nov  7 18:38:17 EST 2007     sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6  i386

Any ideas?

try (Newbie, 13 posts)
Re: Snort Updated to 2.7
« Reply #3 on: December 04, 2007, 12:15:55 am »
I tried several times to update today.
The uninstall of the previous version ran smoothly, but I cannot install the new version (2.7).
The process always stops at downloading snort.

Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...


Anyone know what happened? Any help appreciated.

Regards,

AhnHEL (Sr. Member, 572 posts)
Re: Snort Updated to 2.7
« Reply #4 on: December 04, 2007, 12:49:32 am »
The /usr/local/www/snort_rules.php file hasn't been updated either to fix the browser problem with Snort Rules editing.


http://forum.pfsense.org/index.php/topic,6809.msg38729.html#msg38729

try (Newbie, 13 posts)
Re: Snort Updated to 2.7
« Reply #5 on: December 04, 2007, 01:37:42 am »
Quote from AhnHEL:
The /usr/local/www/snort_rules.php file hasn't been updated either to fix the browser problem with Snort Rules editing.
http://forum.pfsense.org/index.php/topic,6809.msg38729.html#msg38729

Onhel,
Yes, I am aware of this and performed the suggested fix along with the snort udp incompatibility fix (sorry, I forget the details; it's about an incompatibility in snort v2.6 with snort rules for v2.7) when I used snort 2.6.
Still I am having problems when trying to install snort 2.7.
It seems that the installation process always stops there (as I mentioned before).

When I look at the /tmp directory, I got apkg_snort-2.7.0.1_1.tbz with size 1,618,193, but the install process just sits there, doing nothing.

I already tried the installation process using Firefox and IE; both come out with the same result.

Any help?


shaddow501 (Jr. Member, 47 posts)
Re: Snort Updated to 2.7
« Reply #6 on: December 04, 2007, 01:56:40 am »
Hello All

I am using the last release of pfSense (RC3), and I didn't have any problems with installing this last version of snort.
The installation process worked fine and snort was installed and updated successfully.

But, and here is the big but, I do see the snort loading in the system logs:
Dec 4 03:53:15 SnortStartup[20888]: Ram free BEFORE starting Snort: 60M -- Ram free AFTER starting Snort: 60M -- Mode lowmem -- Snort memory usage:
Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709
Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709
Dec 4 03:52:56 snort2c[20376]: SIGTERM received - exiting
Dec 4 03:52:56 snort2c[20376]: SIGTERM received - exiting

But I do not see it "work": it doesn't show any alerts and doesn't block anything.

I did try to "play" with the categories and change them, each time selecting only one category, but still there aren't any alerts. With the older version, the minute it was installed it started to give me alerts and blocked IPs. Anyone know what the problem is?

AhnHEL (Sr. Member, 572 posts)
Re: Snort Updated to 2.7
« Reply #7 on: December 04, 2007, 02:16:21 am »
Shaddow501:

That's exactly what I'm getting so you're not alone. Install and update worked flawlessly but I don't get the "Snort Initiated Successfully" in my Syslog and it's not blocking anything. So in other words, it's running but not exactly working. Trendchiller has got it running and he's mentioning a patch for an interface problem that probably hasn't made it into the package manager yet. One of the perks of being a Hero Member?

In response to you "Try":

I'm not getting your problem at all. You could try backing up your config, without backing up your package information, and try to format and reinstall pfSense and see if that clears up your problem. With this new version of Snort you shouldn't have to update the /usr/local/www/snort_download_rules.php file to fix the "flow:to_client" incompatibility.
« Last Edit: December 04, 2007, 02:28:50 am by onhel »

morbus (Full Member, 116 posts)
Re: Snort Updated to 2.7
« Reply #8 on: December 04, 2007, 03:12:52 am »
I am seeing the same as onhel and Shaddow501: snort tries to start but fails, so I went to the shell to check what was up and did

# snort -V
/libexec/ld-elf.so.1: snort: Undefined symbol "__sbtoupper"


So it looks like ld-elf.so.1 is missing some bits, and it looks like the snapshots won't help as no one has recently committed anything to fix this.
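A small sh health check for the two symptoms reported above, added here as an example (it is not from the thread or the pfSense snort package): it classifies `snort -V` output for the dynamic-linker error, and reads the SnortStartup/snort2c syslog lines to tell "snort2c running but snort never started" from a healthy start. The sample inputs are constructed from the lines quoted in the thread; the shape of a healthy `snort -V` banner and of a healthy startup line (non-empty memory usage) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense snort package): a health
# check for the two failure signatures reported here. (1) `snort -V` dies in
# the dynamic linker with 'Undefined symbol "__sbtoupper"', a binary built for
# a newer libc than the host has. (2) snort2c logs that it is running while the
# SnortStartup syslog line has an empty "Snort memory usage:" field, so no
# alerts and no blocking.

# Constructed samples, modelled on the lines quoted in the thread.
SAMPLE_LD_ERROR='/libexec/ld-elf.so.1: snort: Undefined symbol "__sbtoupper"'
SAMPLE_OK_BANNER='  -*> Snort! <*-
  Version 2.7.0.1 (Build 22)'        # assumed shape of a healthy banner
SAMPLE_LOG_BROKEN='Dec 4 03:53:15 SnortStartup[20888]: Ram free BEFORE starting Snort: 60M -- Ram free AFTER starting Snort: 60M -- Mode lowmem -- Snort memory usage:
Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709
Dec 4 03:52:56 snort2c[20376]: SIGTERM received - exiting'
SAMPLE_LOG_OK='Dec 4 03:53:15 SnortStartup[20888]: Ram free BEFORE starting Snort: 60M -- Ram free AFTER starting Snort: 38M -- Mode lowmem -- Snort memory usage: 22M
Dec 4 03:52:58 snort2c[20709]: snort2c running in daemon mode pid: 20709'

# Classify the combined stdout/stderr of `snort -V`, passed in as a string.
classify_snort_version_output() {
    case "$1" in
        *"Undefined symbol"*) echo "libc-mismatch" ;;   # wrong build for this OS
        *"Version 2."*)       echo "ok" ;;
        *)                    echo "unknown" ;;
    esac
}

# Read syslog text, passed in as a string, and report whether Snort really started.
snort_startup_verdict() {
    printf '%s\n' "$1" | awk '
        /SnortStartup\[[0-9]+\]:.*Snort memory usage:/ {
            seen = 1
            split($0, p, "Snort memory usage:")
            usage = p[2]
            gsub(/^[ \t]+|[ \t]+$/, "", usage)
            if (usage != "") ok = 1      # empty when snort did not stay up
        }
        /snort2c\[[0-9]+\]: snort2c running in daemon mode/ { s2c = 1 }
        END {
            if (!seen)     print "no-startup-record"
            else if (ok)   print "ok"
            else if (s2c)  print "snort2c-up-snort-down"   # the symptom in this thread
            else           print "snort-down"
        }'
}

# Stand-alone run over the samples; on a real box feed it `snort -V 2>&1`
# and the system log instead.
echo "snort -V : $(classify_snort_version_output "$SAMPLE_LD_ERROR")"
echo "syslog   : $(snort_startup_verdict "$SAMPLE_LOG_BROKEN")"
```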

AhnHEL (Sr. Member, 572 posts)
Re: Snort Updated to 2.7
« Reply #9 on: December 04, 2007, 03:37:50 am »
While we're waiting for this to get resolved, anyone have any insight as to why Snort wasn't updated straight to 2.8, since that seems to be the most current stable version? Not complaining, just curious.

n1ko (Jr. Member, 75 posts)
Re: Snort Updated to 2.7
« Reply #10 on: December 04, 2007, 03:42:19 am »
Is ac-bnfa in the webgui also now? It seems to be the best option at the moment with not-so-high-end machines, and it has been stable with 2.6.

AhnHEL (Sr. Member, 572 posts)
Re: Snort Updated to 2.7
« Reply #11 on: December 04, 2007, 04:03:55 am »
No, it's not, unfortunately.

morbus (Full Member, 116 posts)
Re: Snort Updated to 2.7
« Reply #12 on: December 04, 2007, 05:57:20 am »
It is pretty easy to add if you want it.

Just edit /usr/local/pkg/snort.xml
and in the performance fields add an extra option for this mode.

I haven't tested it on mine yet as snort is broken, but I can't see why it won't work (the value of that field is just put into the config detection: search-method bit of the conf).

Code:
#Use lower memory models
config detection: search-method {$snort_performance}
« Last Edit: December 04, 2007, 06:07:33 am by morbus »

try (Newbie, 13 posts)
Re: Snort Updated to 2.7
« Reply #13 on: December 05, 2007, 09:39:08 pm »
Quote from AhnHEL:
In response to you "Try":
I'm not getting your problem at all. You could try backing up your config, without backing up your package information, and try to format and reinstall pfSense and see if that clears up your problem. With this new version of Snort you shouldn't have to update the /usr/local/www/snort_download_rules.php file to fix the "flow:to_client" incompatibility.

I tried your suggestion today.
Fresh install of pfSense (RC3); after basic settings (LAN, WAN) I go to packages and install snort 2.7.
But still the installation process stops at the:
Downloading snort and its dependencies...

The same apkg_snort*.tbz is downloaded to the /tmp dir, but it just sits there like in my earlier post.

I am confused?!?

AhnHEL (Sr. Member, 572 posts)
Re: Snort Updated to 2.7
« Reply #14 on: December 06, 2007, 12:06:50 pm »
I'm at a loss, "Try".

Hopefully a Hero member will chime in and be able to help you out. Even if you did get a successful install, Snort isn't working for any of us anyway, so maybe when the issue does get resolved, it will fix your install problem as well.