0003248: Snort don't start after update to EFW Community 2.4.1 - MantisBT
MantisBT - Endian Firewall
View Issue Details
0003248 | Endian Firewall | Intrusion Prevention | public | 2010-11-04 09:35 | 2010-11-09 10:10
EDV-Team 
lorenzo-endian 
normal | major | always
closed | fixed
2.4 
2.4.1 
0003248: Snort don't start after update to EFW Community 2.4.1
After updating our Endian Firewall to version 2.4.1, Snort doesn't start anymore.

/var/log/messages says:

Nov 4 00:12:55 Endian-Firewall snort[9334]: FATAL ERROR: /etc/snort/processed.rules(17) Invalid tag arguments: session

After disabling the automatic Snort rules update feature in the Endian web interface, the snort service starts successfully and "/etc/init.d/snort status" tells me that "snort (pid 3958) is running..."
No tags attached.
related to 0003177 | closed | christian-endian | emergingthreats changed URL
Issue History
2010-11-04 09:35 | EDV-Team | New Issue
2010-11-04 10:31 | ra-endian | Assigned To | => lorenzo-endian
2010-11-04 17:48 | lorenzo-endian | Note Added: 0005008
2010-11-04 17:48 | lorenzo-endian | Status | new => feedback
2010-11-04 22:57 | ytech | Note Added: 0005010
2010-11-05 06:11 | vlongjvc | Note Added: 0005011
2010-11-05 07:49 | ra-endian | Severity | minor => major
2010-11-05 07:49 | ra-endian | Relationship added | related to 0003177
2010-11-05 07:56 | lorenzo-endian | Note Added: 0005012
2010-11-05 07:56 | lorenzo-endian | Status | feedback => confirmed
2010-11-05 08:44 | EDV-Team | Note Added: 0005013
2010-11-05 08:46 | EDV-Team | Note Edited: 0005013
2010-11-05 16:24 | cmateski | Note Added: 0005021
2010-11-05 17:43 | ra-endian | Note Added: 0005022
2010-11-05 17:43 | ra-endian | Status | confirmed => resolved
2010-11-05 17:43 | ra-endian | Resolution | open => fixed
2010-11-05 20:09 | ra-endian | Status | resolved => closed
2010-11-05 20:09 | ra-endian | Fixed in Version | => 2.4.1
2010-11-07 06:38 | Anonymous | Note Added: 0005031
2010-11-07 06:38 | Anonymous | Status | closed => feedback
2010-11-07 06:38 | Anonymous | Resolution | fixed => reopened
2010-11-08 01:53 | pwizard | Note Added: 0005034
2010-11-09 10:10 | lorenzo-endian | Note Added: 0005053
2010-11-09 10:10 | lorenzo-endian | Status | feedback => closed
2010-11-09 10:10 | lorenzo-endian | Resolution | reopened => fixed

Notes
(0005008)
lorenzo-endian   
2010-11-04 17:48   
I am not able to reproduce this bug.
In any case, I have seen that in some cases snort takes some time to start, or it is running but the dashboard shows snort as "OFF".

Could you please try to re-enable "Automatically fetch SNORT rules", reboot the fw and check if it is started both from the shell and from the dashboard?

Moreover, I did not find the same entry in /var/log/messages as happens for you.

Thanks in advance
(0005010)
ytech   
2010-11-04 22:57   
I'm also having the same problem. I tried all that is listed above but nothing happens. Appears to be a bug. I've seen others in other forums having the same problem.
(0005011)
vlongjvc   
2010-11-05 06:11   
Dear ytech,

Please check the version of Snort that you are using. Emerging Threats has changed the URL used for updating IDS/IPS signatures.

I am using EFW 2.4 (Snort version 2.8.5) so I changed /var/efw/snort/default/settings to
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz
If I change to SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
I get the same phenomenon as above (FATAL ERROR: /etc/snort/processed.rules(17) Invalid tag arguments: session)
(0005012)
lorenzo-endian   
2010-11-05 07:56   
OK, this morning I can reproduce the bug, but for me this bug happens with

SNORT_RULES_URL=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

or

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz

or

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
(0005013)
EDV-Team   
2010-11-05 08:44   
(edited on: 2010-11-05 08:46)
I changed the following line in /var/efw/snort/default/settings from

SNORT_RULES_URL=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

to

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz

and removed the "settings" and "settings.old" files from /var/efw/snort/

After that I enabled IPS in the web interface again and all seems to work now.

The default URL "http://www.emergingthreats.net/rules/emerging.rules.tar.gz" is unavailable.

(0005021)
cmateski   
2010-11-05 16:24   
I was experiencing the same problem. I followed the rules provided by the EDV-Team and it appears to be fixed. On the status page, IDS shows "running".

A new issue appears to have surfaced. When I push the "Update Rules Now" button, I get back a spinning dial with the following message, "Intrusion Prevention Systemis restarted. Please hold...". It stays up for a very long time and does not appear to finish. If I leave the page and come back it will report the rules updated.

+++++++++++++++++++++++++++++++++++
(0005013)
EDV-Team (reporter)
2010-11-05 09:44
edited on: 2010-11-05 09:46

I changed the following line in /var/efw/snort/default/settings from

SNORT_RULES_URL=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

to

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz

and removed the "settings" and "settings.old" files from /var/efw/snort/

After that I enabled IPS in the web interface again and all seems to work now.

The default URL "http://www.emergingthreats.net/rules/emerging.rules.tar.gz" is unavailable.
(0005022)
ra-endian   
2010-11-05 17:43   
With the latest deployed version everything should work now.
(0005031)
Anonymous   
2010-11-07 06:38   
It is still not fixed.

While running the efw-upgrade to get the fix, the screen shows some sort of error
(crul *: cannot open the spesified website...)

Then I reboot the system. Turn off Snort and turn it back on. <-- no problem here

but when I click the "Update Rules Now" the screen will keep on going with "Starting Snort" forever..
(0005034)
pwizard   
2010-11-08 01:53   
After running smart update & smart upgrade
when click the "Update Rules Now" the screen will keep on going with "Starting Snort" forever..

Confirmed.
(0005053)
lorenzo-endian   
2010-11-09 10:10   
Hi pwizard,

this problem is not related directly to snort but to the communication between the web interface and the processes running in background.

We are working to solve that problem, but the problem related directly to snort is solved for us, so I close this ticket now.

Thanks a lot

Lo
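
Added example, not part of the ticket or of Endian's code: a shell helper that parses the `FATAL ERROR: <file>(<line>)` message quoted in the report, prints the rule Snort stopped on, and writes a copy of the rules file with that rule commented out for diagnosis. The rules file contents and the `.fixed` output name are constructed for the demo; the fix reported in the thread remains the rules URL that matches the installed Snort version.

```shell
#!/bin/sh
# Added example: triage a Snort "FATAL ERROR: <file>(<line>)" startup failure.

# Print "<file> <line>" for a Snort fatal-error log line; non-zero if no match.
parse_fatal() {
    printf '%s\n' "$1" |
        sed -n 's|.*FATAL ERROR: \(/[^ (]*\)(\([0-9][0-9]*\)).*|\1 \2|p' |
        grep .
}

# Print the rule found at line $2 of rules file $1.
show_rule() {
    sed -n "${2}p" "$1"
}

# Write a copy of $1 to $3 with line $2 commented out; $1 is left untouched.
disable_rule() {
    awk -v n="$2" '
        NR == n { print "# disabled (snort parse error): " $0; next }
        { print }' "$1" > "$3"
}

demo() {
    # Log line as quoted in the ticket.
    log='Nov 4 00:12:55 Endian-Firewall snort[9334]: FATAL ERROR: /etc/snort/processed.rules(17) Invalid tag arguments: session'
    dir=$(mktemp -d) || return 1
    rules="$dir/processed.rules"   # constructed stand-in, not the real file
    i=1
    while [ "$i" -le 16 ]; do
        echo "alert tcp any any -> any any (msg:\"constructed rule $i\"; sid:$((1000000 + i)); rev:1;)"
        i=$((i + 1))
    done > "$rules"
    # Constructed rule that carries a tag option, placed on line 17.
    echo 'alert tcp any any -> any any (msg:"constructed tagged rule"; tag:session; sid:1000017; rev:1;)' >> "$rules"

    set -- $(parse_fatal "$log")   # $1 = path named in the log, $2 = line number
    echo "Snort stopped at line $2 of $1:"
    show_rule "$rules" "$2"
    disable_rule "$rules" "$2" "$rules.fixed"
    echo "Same line in the diagnostic copy:"
    show_rule "$rules.fixed" "$2"
    rm -rf "$dir"
}

demo
```

Snort's `-T` test mode can be used to check a rules file before the service is restarted with it.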