Bug#677810: marked as done (Package fails to configure)

[Debian Bug Tracking System]

Your message dated Wed, 08 Aug 2012 01:47:51 +0000
with message-id <e1syvnh-0005mt...@franck.debian.org>
and subject line Bug#677810: fixed in snort 2.9.2.2-3
has caused the Debian Bug report #677810,
regarding Package fails to configure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
677810: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: snort
Version: 2.9.2.2-2
Severity: important

First of all, I don't really know much about snort, but installing it seemed like a good idea at the time. This may be incredibly stupid of me, and I just don't realize it. That said, the latest package fails to configure for me, and I can't figure out what to do about it. Attempting to rule out bad configuration, I purged the old packages so that I would get a clean install. This is what happens when the package is configured:

# dpkg --configure --pending
Setting up snort (2.9.2.2-2) ...

[warn] Stopping Network Intrusion Detection System : snort[....] - No running snort instance found ... (warning). [FAIL] Starting Network Intrusion Detection System : snort (eth0 using /etc/snort/snort.conf ...ERROR: failed (check /var/log/daemon.log, /var/log/syslog and /var/log/snort/)) failed!

invoke-rc.d: initscript snort, action "start" failed.
dpkg: error processing snort (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 snort

There is nothing to see in /var/log/snort other than an empty "alerts" file. There are plenty of messages in daemon.log and syslog (they appear to be the same messages), but none of them look like obvious errors to me. The last few were:

Jun 16 22:35:07 localhost snort[23531]: rpc_decode arguments:

Jun 16 22:35:07 localhost snort[23531]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779

Jun 16 22:35:07 localhost snort[23531]:     alert_fragments: INACTIVE
Jun 16 22:35:07 localhost snort[23531]:     alert_large_fragments: INACTIVE
Jun 16 22:35:07 localhost snort[23531]:     alert_incomplete: INACTIVE

Jun 16 22:35:07 localhost snort[23531]: alert_multiple_requests: INACTIVE

Jun 16 22:35:07 localhost snort[23531]: FTPTelnet Config:
Jun 16 22:35:07 localhost snort[23531]:     GLOBAL CONFIG
Jun 16 22:35:07 localhost snort[23531]:       Inspection Type: stateful

Jun 16 22:35:07 localhost snort[23531]: Check for Encrypted Traffic: YES alert: NO Jun 16 22:35:07 localhost snort[23531]: Continue to check encrypted data: NO Jun 16 22:35:07 localhost rsyslogd-2177: imuxsock begins to drop messages from pid 23531 due to rate-limiting

If I start snort in self-test mode I get a lot of output, with the last couple of lines being:

DNP3 config:
    Memcap: 262144
    Check Link-Layer CRCs: ENABLED
    Ports:
        20000
Reputation config:

ERROR: /etc/snort/snort.conf(512) => Unable to open address file /etc/snort/../rules/white_list.rules, Error:

Fatal Error, Quitting..

But I don't know if that error is what's preventing configuration, or if the error happens because the package isn't configured. I can't find any package that provides the file, so I figured that perhaps it's automatically generated or something like that.

Please let me know if there's any information I should provide to help diagnosing the problem.

Regards,

Torbjörn Andersson


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages snort depends on:
ii  adduser                      3.113+nmu3
ii  debconf [debconf-2.0]        1.5.43
ii  libc6                        2.13-33
ii  libdaq0                      0.6.2-2
ii  libdumbnet1                  1.12-3.1
ii  libgcrypt11                  1.5.0-3
ii  libgnutls26                  2.12.20-1
ii  libpcap0.8                   1.3.0-1
ii  libpcre3                     1:8.30-5
ii  libprelude2                  1.0.0-9
ii  libuuid1                     2.20.1-5
ii  logrotate                    3.8.1-4
ii  net-tools                    1.60-24.1
ii  rsyslog [system-log-daemon]  5.8.11-1+b1
ii  snort-common                 2.9.2.2-2
ii  snort-common-libraries       2.9.2.2-2
ii  snort-rules-default          2.9.2.2-2
ii  zlib1g                       1:1.2.7.dfsg-11

Versions of packages snort recommends:
ii  iproute  20120521-2

Versions of packages snort suggests:
pn  snort-doc  <none>

-- debconf information:
* snort/startup: boot
  snort/please_restart_manually:
* snort/stats_treshold: 1
* snort/address_range: 192.168.0.0/16
  snort/options:
  snort/invalid_interface:
* snort/interface: eth0
* snort/stats_rcpt: d91tan
* snort/send_stats: true
  snort/config_parameters:
  snort/disable_promiscuous: false

--- End Message ---

--- Begin Message ---

Source: snort
Source-Version: 2.9.2.2-3

We believe that the bug you reported is fixed in the latest version of
snort, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 677...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernández-Sanguino Peña <j...@debian.org> (supplier of updated snort 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 07 Aug 2012 23:53:24 +0200
Source: snort
Binary: snort snort-common snort-doc snort-mysql snort-pgsql 
snort-rules-default snort-common-libraries
Architecture: source i386 all
Version: 2.9.2.2-3
Distribution: unstable
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <j...@debian.org>
Changed-By: Javier Fernández-Sanguino Peña <j...@debian.org>
Description: 
 snort      - flexible Network Intrusion Detection System
 snort-common - flexible Network Intrusion Detection System [common files]
 snort-common-libraries - flexible Network Intrusion Detection System ruleset
 snort-doc  - Documentation for the Snort IDS [documentation]
 snort-mysql - flexible Network Intrusion Detection System [MySQL]
 snort-pgsql - flexible Network Intrusion Detection System [PostgreSQL]
 snort-rules-default - flexible Network Intrusion Detection System ruleset
Closes: 626596 677810 680303
Changes: 
 snort (2.9.2.2-3) unstable; urgency=medium
 .
   [ Upload target towards Wheezy fixing some important bugs
     and substantially improving the information provided on the
     packages to clarify user expectations ]
   * Acknowledge previous NMU
   * debian/patches/config: Update the patch to:
      - use absolute paths instead of relative paths to point to
        the white list and black list used by the reputation
        pre-processor.
      - disable the reputation as we do not ship any white/black lists
        by default (which causes it to fail at startup) and also
        because this preprocessor is experimental.
 .
        Both changes fix the bug that prevented the package from being
        configured due to errors when starting up Snort with the
        default configuration (Closes: #677810)
 .
       - Add a comment to /etc/snort/snort.conf documenting for users
         reading the file that preinstalled rules are surely out of date.
 .
   * debian/patches/config_disabled_rules: Comment out shellcode rules as these
     have a huge impact in performance unless properly tuned.
   * debian/patches/rules: Fix the definition of many SIP rules (defined
     as 'alert ip any any'. These were generating a lot of false positives
     in environment were enabled. Regardless of the change comment out SIP
     rules since they are outdate can generate many false alarms unless
     properly defined.  (Closes: #626596, #680303).
   * debian/control: Adjust description of snort-rules-default to indicate
     users that the ruleset provided should not be considered up-to-date.
     Encourage users to obtain additional/upgraded rules elsewhere.
   * debian/snort-rules-default.README.Debian: Include more information to
     potential users on the issues related to the default ruleset provided
     (and why it is out of date) as well as pointers as to where obtain
     additional rulesets. Some of this information is also in the NEWS file
     but is easy to miss to new users.
Checksums-Sha1: 
 bf040db7eb892231242742dfb65f862661303174 1775 snort_2.9.2.2-3.dsc
 77178e80091fa45d33146d06601ae5cedb5186c9 1591288 snort_2.9.2.2-3.debian.tar.gz
 6b4f7dfdf2643f1014b112a35055e2f6fb57382c 860640 snort_2.9.2.2-3_i386.deb
 9eaa68595155572a65b60ed89c91761b5a3a6870 873774 snort-mysql_2.9.2.2-3_i386.deb
 b61176d0ded524aa096706b11fec08680d88cd15 873410 snort-pgsql_2.9.2.2-3_i386.deb
 d5badc5e7414013f05052abe6892cb5a774877c9 532786 
snort-common-libraries_2.9.2.2-3_i386.deb
 fe88bcbd7bc70cd07ea1dc383e93a7c6b1f04cd7 210010 snort-common_2.9.2.2-3_all.deb
 6de0b296a6b2b0271f78e058e838b22aa146ab6d 2655846 snort-doc_2.9.2.2-3_all.deb
 0cbf675ba7dd2c799de8c1fab59a1445a10f81fb 343536 
snort-rules-default_2.9.2.2-3_all.deb
Checksums-Sha256: 
 9464c4d13a925a71825ffe617135b9a196e279e2f131f973569348252bd3b040 1775 
snort_2.9.2.2-3.dsc
 e7e6b44659d09379f7e68b7f965b3eb1d22b75c3da9330f6af510dd8b60b262b 1591288 
snort_2.9.2.2-3.debian.tar.gz
 f51f7eeda41f2e4769f9fcff47e90c61e1e02eb1b8e629a57e7423b4b6c06cbd 860640 
snort_2.9.2.2-3_i386.deb
 08e4cfa2a2f37a184b9318d092751e082939e81ac3839f58bb5a6be1f868752b 873774 
snort-mysql_2.9.2.2-3_i386.deb
 f1cfc842e78edd21c2fdd7b3b94851a710ad8d52b28ce70f842847e4208efad9 873410 
snort-pgsql_2.9.2.2-3_i386.deb
 f12016c282d18bb379c587019d6358f6bdf5b0c28dafb01868648d95e52fd7f1 532786 
snort-common-libraries_2.9.2.2-3_i386.deb
 b0d5b598a6369dc385721a2775a6ffcf41f655fe9bcf23d1446347670cbc48ae 210010 
snort-common_2.9.2.2-3_all.deb
 d45d6f459cc78ef7d1b74deb8612693b9a3329403163d2493b58def556dc2656 2655846 
snort-doc_2.9.2.2-3_all.deb
 565f8435501648a9bf49bbc5101e0be336d355dc7ff0aab9ca0165cb60e18379 343536 
snort-rules-default_2.9.2.2-3_all.deb
Files: 
 97034dd983dbdb4273410678dde3c4e7 1775 net optional snort_2.9.2.2-3.dsc
 80de9a751c67aed5a22183a717838a39 1591288 net optional 
snort_2.9.2.2-3.debian.tar.gz
 981ae3cbee2ddc712063c4d8dd6a9a48 860640 net optional snort_2.9.2.2-3_i386.deb
 056eee237750bd30842c4ffa5893c62e 873774 net extra 
snort-mysql_2.9.2.2-3_i386.deb
 40353e56f50e0d4f5082a0807755b5d6 873410 net optional 
snort-pgsql_2.9.2.2-3_i386.deb
 b916d1cea461a1c4187040c5ed285198 532786 net optional 
snort-common-libraries_2.9.2.2-3_i386.deb
 85e958914b86054887eaa8aa6b94e325 210010 net optional 
snort-common_2.9.2.2-3_all.deb
 42a87352168af79ebc38fb733b6ca5eb 2655846 doc optional 
snort-doc_2.9.2.2-3_all.deb
 d3bbb5b45e9f9039c35ebbcb1138a055 343536 net optional 
snort-rules-default_2.9.2.2-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFQIb4GsandgtyBSwkRAllDAJ9c+WRZ+wtGCKWfBCyl1IFYncFJ+gCfeOn6
s+CiDALAJDPc1yQ/ndJumYY=
=+ncz
-----END PGP SIGNATURE-----

--- End Message ---