Netgate Discussion Forum

    Snort fails to install.

    pfSense Packages
    • BlueCoffeeB
      BlueCoffee
      last edited by

      I can't seem to install snort. This is the error I am getting.

      >>> Installing pfSense-pkg-snort... 
      Updating pfSense-core repository catalogue...
      pfSense-core repository is up to date.
      Updating pfSense repository catalogue...
      pfSense repository is up to date.
      All repositories are up to date.
      Checking integrity... done (0 conflicting)
      The following 3 package(s) will be affected (of 0 checked):
      
      New packages to be INSTALLED:
      	daq: 2.2.2_3 [pfSense]
      	pfSense-pkg-snort: 4.1.6_8 [pfSense]
      	snort: 2.9.20_3 [pfSense]
      
      Number of packages to be installed: 3
      
      The process will require 9 MiB more space.
      [1/3] Installing daq-2.2.2_3...
      [1/3] Extracting daq-2.2.2_3: .......... done
      [2/3] Installing snort-2.9.20_3...
      [2/3] Extracting snort-2.9.20_3: .......... done
      [3/3] Installing pfSense-pkg-snort-4.1.6_8...
      [3/3] Extracting pfSense-pkg-snort-4.1.6_8: 
      pkg-static: Fail to set time on /snort.inc:No such file or directory
      [3/3] Extracting pfSense-pkg-snort-4.1.6_8... done
      Failed
      
      • BlueCoffeeB
        BlueCoffee
        last edited by BlueCoffee

        PiHole was blocking the install; all sorted now.

        edit =

        I can't seem to get Snort to start. Where are the logs, please, to see what's up?

        • bmeeksB
          bmeeks @BlueCoffee
          last edited by bmeeks

          @BlueCoffee said in Snort fails to install.:

          PiHole was blocking the install; all sorted now.

          edit =

          I can't seem to get Snort to start. Where are the logs, please, to see what's up?

          Snort logs all startup information to the pfSense system log under STATUS > SYSTEM LOGS in the pfSense menu.

          If PiHole was blocking the installation of the Snort package, then you apparently have highly restrictive settings there. I would not be surprised if you experience other difficulties with the Snort package during updates.

          • BlueCoffeeB
            BlueCoffee @bmeeks
            last edited by

            @bmeeks I've changed PiHole; for some reason it had a HUGE list.

            I can't see any logs at all about Snort. There is nothing in general; the last log was 4 hours ago.

            • bmeeksB
              bmeeks @BlueCoffee
              last edited by bmeeks

              @BlueCoffee said in Snort fails to install.:

              last log was 4 hours ago

              I don't understand. What was "4 hours ago"? The last log message about Snort, or the last log message of any kind in the system log?

              If Snort is not logging anything, then that means it is failing to even bootstrap itself. That would mean one or more of the required dependent libraries failed to install.

              To see if that is the case, you can run this command from a shell prompt on the firewall:

              /usr/local/bin/snort -V
              

              It should print the version number and exit. If you see any errors reported, post those back here.

              If you have not already, I would delete the Snort package and then install it again now that you have PiHole loosened up.

              • BlueCoffeeB
                BlueCoffee @bmeeks
                last edited by BlueCoffee

                @bmeeks Sorry, I mean any type of log.

                The time now is 13:42.

                2023-08-24 13_42_08-pfSense.home.arpa - Status_ System Logs_ System_ General - Brave.png 2023-08-24 13_41_27-10.0.0.1 - PuTTY.png

                Showing installed but will not start, and I can't see any logs about why.

                • bmeeksB
                  bmeeks
                  last edited by bmeeks

                  I see Service Watchdog being installed. Be sure that you do NOT configure it to monitor Snort. Those two packages are not compatible with each other!

                  The very last entry in the log screenshot you posted is troublesome. It indicates you have some disk problems. Notice the entry from the kernel at Aug 24 09:45:11 is showing a mangled directory entry in the filesystem tables. You may want to run a fsck on that disk a few times to make sure it is repaired.

                  As for Snort not starting, let's make sure something is not running by executing this command from a shell prompt:

                  ps -ax | grep snort
                  

                  Does that show any running Snort processes?

                  I assume you are trying to start Snort from its GUI page using the icons on the package's INTERFACES tab?

                  Have you configured Snort on an interface and set the appropriate options? I don't know your skill level here, so I have to guess a bit when offering troubleshooting tips.

                  1. How are you determining Snort is not running?
                  2. Are you looking at its GUI screens under SERVICES > SNORT, or are you simply looking at the Services widget in pfSense?
                  • BlueCoffeeB
                    BlueCoffee @bmeeks
                    last edited by BlueCoffee

                    @bmeeks Only got this system today; it's brand new.
                    fsck came up with this. Sorry, I have no idea what all this means.

                    fsck
                    ** /dev/ufsid/64e6b03123ba9871 (NO WRITE)
                    ** SU+J Recovering /dev/ufsid/64e6b03123ba9871
                    
                    USE JOURNAL? no
                    
                    ** Skipping journal, falling through to full fsck
                    
                    ** Last Mounted on /
                    ** Root file system
                    ** Phase 1 - Check Blocks and Sizes
                    UFS2 cylinder group 484 failed: cgp->cg_ckhash ("1628775478") != calchash ("3446595380")
                    CYLINDER GROUP 484: INTEGRITY CHECK FAILED
                    UNEXPECTED SOFT UPDATE INCONSISTENCY
                    
                    REBUILD CYLINDER GROUP? no
                    
                    YOU WILL NEED TO RERUN FSCK.
                    INCORRECT BLOCK COUNT I=40224272 (640 should be 632)
                    CORRECT? no
                    
                    UFS2 cylinder group 654 failed: cgp->cg_ckhash ("4294967295") != calchash ("2945136171")
                    UFS2 cylinder group 654 failed: cg_chkmagic(cgp) ("0") == 0 ("0")
                    UFS2 cylinder group 654 failed: cgp->cg_cgx ("4294967295") != cg ("654")
                    UFS2 cylinder group 654 failed: cgp->cg_ndblk ("4294967295") > sblock.fs_fpg ("160056")
                    UFS2 cylinder group 654 failed: cgp->cg_niblk ("4294967295") != sblock.fs_ipg ("80128")
                    UFS2 cylinder group 654 failed: cgp->cg_initediblk ("4294967295") > sblock.fs_ipg ("80128")
                    UFS2 cylinder group 654 failed: cgp->cg_ndblk ("4294967295") != sblock.fs_fpg ("160056")
                    UFS2 cylinder group 654 failed: cgp->cg_iusedoff ("4294967295") != start ("168")
                    UFS2 cylinder group 654 failed: cgp->cg_freeoff ("4294967295") != cgp->cg_iusedoff + howmany(sblock.fs_ipg, CHAR_BIT) ("4294977311")
                    UFS2 cylinder group 654 failed: cgp->cg_nclusterblks ("4294967295") != cgp->cg_ndblk / sblock.fs_frag ("536870911")
                    UFS2 cylinder group 654 failed: cgp->cg_clustersumoff ("4294967295") != roundup(cgp->cg_freeoff + howmany(sblock.fs_fpg, CHAR_BIT), sizeof(u_int32_t)) - sizeof(u_int32_t) ("20004")
                    UFS2 cylinder group 654 failed: cgp->cg_clusteroff ("4294967295") != cgp->cg_clustersumoff + (sblock.fs_contigsumsize + 1) * sizeof(u_int32_t) ("4294967363")
                    UFS2 cylinder group 654 failed: cgp->cg_nextfreeoff ("4294967295") != cgp->cg_clusteroff + howmany(fragstoblks(&sblock, sblock.fs_fpg), CHAR_BIT) ("4294969796")
                    CYLINDER GROUP 654: INTEGRITY CHECK FAILED
                    UNEXPECTED SOFT UPDATE INCONSISTENCY
                    
                    REBUILD CYLINDER GROUP? no
                    
                    YOU WILL NEED TO RERUN FSCK.
                    Too many initialized inodes (4294967295 > 80128) in cylinder group 654
                    Reset to 80128
                    
                    UNEXPECTED SOFT UPDATE INCONSISTENCY
                    ** Phase 2 - Check Pathnames
                    ** Phase 3 - Check Connectivity
                    ** Phase 4 - Check Reference Counts
                    UNREF FILE I=50480645  OWNER=root MODE=100666
                    SIZE=0 MTIME=Aug 24 10:05 2023
                    
                    CLEAR? no
                    
                    ** Phase 5 - Check Cyl groups
                    CG 484: BAD CHECK-HASH 0x61152436 vs 0xcd6edf34
                    SETTING DIRTY FLAG IN READ_ONLY MODE
                    
                    UNEXPECTED SOFT UPDATE INCONSISTENCY
                    FREE BLK COUNT(S) WRONG IN SUPERBLK
                    SALVAGE? no
                    
                    SUMMARY INFORMATION BAD
                    SALVAGE? no
                    
                    BLK(S) MISSING IN BIT MAPS
                    SALVAGE? no
                    
                    CG 654: BAD MAGIC NUMBER
                    
                    UNEXPECTED SOFT UPDATE INCONSISTENCY
                    CG 654: BAD CHECK-HASH 0xffffffff vs 0xaf8b362b
                    SETTING DIRTY FLAG IN READ_ONLY MODE
                    
                    UNEXPECTED SOFT UPDATE INCONSISTENCY
                    LOST 3 DIRECTORIES
                    
                    UNEXPECTED SOFT UPDATE INCONSISTENCY
                    fsck: /dev/ufsid/64e6b03123ba9871: Segmentation fault
                    
                    

                    I think I have it set up. I've done it like this for years.

                    2023-08-24 13_59_27-pfSense.home.arpa - Services_ Snort_ WAN - Interface Settings - Brave.png 2023-08-24 13_59_16-pfSense.home.arpa - Services_ Snort_ Interfaces - Brave.png

                    I bought this for pfSense:

                    https://www.amazon.co.uk/dp/B0C5BM397H?psc=1&ref=ppx_yo2ov_dt_b_product_details

                    • bmeeksB
                      bmeeks @BlueCoffee
                      last edited by

                      @BlueCoffee said in Snort fails to install.:

                      I think I have it set up. I've done it like this for years.

                      2023-08-24 13_59_27-pfSense.home.arpa - Services_ Snort_ WAN - Interface Settings - Brave.png 2023-08-24 13_59_16-pfSense.home.arpa - Services_ Snort_ Interfaces - Brave.png

                      And when you click the "start icon" (the black triangle in blue circle with your color scheme), what happens?

                      Immediately after clicking that icon, look in the pfSense system log. Something should be logged there for Snort.

                      • BlueCoffeeB
                        BlueCoffee @bmeeks
                        last edited by

                        @bmeeks It starts to log, then fails to start.

                        Am I in the correct place? Because it's not showing anything.

                        2023-08-24 14_03_07-pfSense.home.arpa - Status_ System Logs_ System_ General - Brave.png

                        • bmeeksB
                          bmeeks
                          last edited by

                          Those fsck errors look sort of ugly. If you just bought this box from Amazon, I would strongly recommend taking advantage of their easy exchange service. That disk looks defective.
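
For readers who, like the original poster, are unsure what the fsck output in this thread means: the following is an added example, not part of the thread and not Netgate or FreeBSD code. It condenses fsck_ffs output into per-cylinder-group findings. `SAMPLE` is a shortened excerpt of the output posted above, and the function names are this example's own.

```python
import re
from collections import defaultdict

ALL_ONES = 0xFFFFFFFF  # 4294967295, the value most fields of group 654 report

# Shortened excerpt of the fsck output posted in this thread (no new data).
SAMPLE = """\
** /dev/ufsid/64e6b03123ba9871 (NO WRITE)
** Phase 1 - Check Blocks and Sizes
UFS2 cylinder group 484 failed: cgp->cg_ckhash ("1628775478") != calchash ("3446595380")
CYLINDER GROUP 484: INTEGRITY CHECK FAILED
REBUILD CYLINDER GROUP? no
UFS2 cylinder group 654 failed: cgp->cg_ckhash ("4294967295") != calchash ("2945136171")
UFS2 cylinder group 654 failed: cg_chkmagic(cgp) ("0") == 0 ("0")
UFS2 cylinder group 654 failed: cgp->cg_cgx ("4294967295") != cg ("654")
UFS2 cylinder group 654 failed: cgp->cg_niblk ("4294967295") != sblock.fs_ipg ("80128")
CYLINDER GROUP 654: INTEGRITY CHECK FAILED
CG 654: BAD MAGIC NUMBER
LOST 3 DIRECTORIES
fsck: /dev/ufsid/64e6b03123ba9871: Segmentation fault
"""

FAILED = re.compile(r'^UFS2 cylinder group (\d+) failed: (.*)$')
FIRST_VALUE = re.compile(r'\("(\d+)"\)')      # first quoted number = on-disk value
BAD_MAGIC = re.compile(r'^CG (\d+): BAD MAGIC NUMBER$')
DECLINED = re.compile(r'^[A-Z][A-Z ]*\? no$')  # repair prompt answered "no"
LOST = re.compile(r'^LOST (\d+) DIRECTORIES$')


def summarize(text):
    """Condense fsck_ffs output into the facts that matter for a repair decision."""
    groups = defaultdict(lambda: {"failed_checks": 0, "all_ones": 0, "bad_magic": False})
    out = {"read_only": False, "declined_repairs": 0,
           "lost_directories": 0, "crashed": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("**") and line.endswith("(NO WRITE)"):
            out["read_only"] = True            # fsck could not write to the device
        elif (m := FAILED.match(line)):
            group = groups[int(m.group(1))]
            group["failed_checks"] += 1
            value = FIRST_VALUE.search(m.group(2))
            if value and int(value.group(1)) == ALL_ONES:
                group["all_ones"] += 1         # header field is all one-bits
        elif (m := BAD_MAGIC.match(line)):
            groups[int(m.group(1))]["bad_magic"] = True
        elif DECLINED.match(line):
            out["declined_repairs"] += 1
        elif (m := LOST.match(line)):
            out["lost_directories"] += int(m.group(1))
        elif line.startswith("fsck:") and line.endswith("Segmentation fault"):
            out["crashed"] = True
    out["groups"] = dict(groups)
    return out


def findings(summary):
    """Turn the summary into short, ordered statements for a human reader."""
    notes = []
    if summary["read_only"]:
        notes.append("read-only pass: %d repair prompt(s) answered 'no', nothing was fixed"
                     % summary["declined_repairs"])
    for cg, g in sorted(summary["groups"].items()):
        if g["bad_magic"] or g["all_ones"]:
            notes.append("cylinder group %d: header is not valid (%d field(s) read 0xffffffff)"
                         % (cg, g["all_ones"]))
        else:
            notes.append("cylinder group %d: %d consistency check(s) failed"
                         % (cg, g["failed_checks"]))
    if summary["lost_directories"]:
        notes.append("%d directories lost" % summary["lost_directories"])
    if summary["crashed"]:
        notes.append("fsck itself crashed before finishing")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(SAMPLE)):
        print(note)
```

A run marked `(NO WRITE)` changes nothing on disk, so its output describes damage without repairing any of it.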

                          • BlueCoffeeB
                            BlueCoffee @bmeeks
                            last edited by

                            @bmeeks Wonderful... Could it be a bad install? Or is the disk buggered?

                            And my god, this error on this forum is so annoying:

                            As a new user, you can only post once every 120 second(s) until you have earned 3 reputation - please wait before posting again
                            
                            • bmeeksB
                              bmeeks @BlueCoffee
                              last edited by

                              @BlueCoffee said in Snort fails to install.:

                              It starts to log, then fails to start.

                              Am I in the correct place? Because it's not showing anything.

                              You are showing the log entries for the package's installation. That is not related to starting it up. Unless you had a pre-existing Snort configuration on the box, then the package will not be configured and thus it will not auto-start. Manual user configuration steps are required first.

                              1. After installation on a new machine, proceed to SERVICES > SNORT under the pfSense menu and configure the rules you want to download and use by visiting the GLOBAL SETTINGS tab.

                              2. Download the initial rules packages by visiting the UPDATES tab.

                              3. Finally, configure Snort on an interface. I strongly suggest LAN and not WAN. Save the changes you make, then return to the INTERFACES tab in Snort and click the "start" icon. You should see a spinning gear icon for a bit and then either Snort starts or it does not. At that point, immediately open up and view the system log in pfSense. You should see Snort log entries there.

                              Snort is not to protect your firewall. It's to protect hosts behind the firewall who all talk out using their LAN interface to the firewall. Putting Snort on the LAN has many advantages, and chief among them is that local hosts will have their local IP registered in alerts instead of the WAN's public IP which is what happens when you put Snort on the WAN.

                              @BlueCoffee said in Snort fails to install.:

                              could it be a bad install? or is the disk buggered?

                              Bad install I doubt. Bad disk much more likely. I would exchange it. Those errors do not bode well for longevity.

                              • BlueCoffeeB
                                BlueCoffee @bmeeks
                                last edited by

                                @bmeeks said in Snort fails to install.:

                                t is not to protect your firewall. It's to protect hosts behind the firewall who all talk out using their LAN interface to the firewall. Putting Snort on the LAN has many advantages, and chief among them is that local hosts will have their local IP registered in alerts instead of the WAN's public IP which is what happens when you p

                                I have done what you said other than the LAN part. I've changed it to LAN and still the same; it will not start.

                                • bmeeksB
                                  bmeeks @BlueCoffee
                                  last edited by

                                  @BlueCoffee said in Snort fails to install.:

                                  and my god this error on this forum is so annoying

                                  As a new user, you can only post once every 120 second(s) until you have earned 3 reputation - please wait before posting again

                                  I've given you 3 "up votes" to boost your reputation to 3. That should prevent the error in the future.

                                  • BlueCoffeeB
                                    BlueCoffee @bmeeks
                                    last edited by

                                    @bmeeks Thanks for that.

                                    • bmeeksB
                                      bmeeks @BlueCoffee
                                      last edited by bmeeks

                                      @BlueCoffee:
                                      But immediately after it failing to start, show me what your pfSense system log says.

                                      There has to be something there if the process is actually attempting to start. The only time it will fail to log something is if there is a shared library issue. But we proved that is not the case because it starts up enough to show the Snort version at the command line.

                                      Have you configured and used the Snort package on pfSense before?

                                      • BlueCoffeeB
                                        BlueCoffee @bmeeks
                                        last edited by BlueCoffee

                                        @bmeeks said in Snort fails to install.:

                                        @BlueCoffee:
                                        But immediately after it failing to start, show me what your pfSense system log says.

                                        There has to be something there if the process is actually attempting to start. The only time it will fail to log something is if there is a shared library issue. But we proved that is not the case because it starts up enough to show the Snort version at the command line.

                                        Have you used the Snort package on pfSense before?

                                        I have on my last system, not on this new system (though I had it on WAN for years).

                                        Can fsck try and repair? Should I start the whole install of pfSense again?

                                        • bmeeksB
                                          bmeeks @BlueCoffee
                                          last edited by bmeeks

                                          @BlueCoffee said in Snort fails to install.:

                                          Can fsck try and repair? Should I start the whole install of pfSense again?

                                          Yes, the utility can attempt a repair. That usually requires several runs while in single-user mode. Here is the official FreeBSD documentation for fsck: https://man.freebsd.org/cgi/man.cgi?fsck.

                                          And here is the official Netgate documentation on disk repairs: https://docs.netgate.com/pfsense/en/latest/troubleshooting/filesystem-check.html#filesystem-check-manual.

                                          You can try this, but I would be very hesitant to keep this hardware. Having these issues right out of the box is not normal unless at some point you simply removed power abruptly without letting the operating system perform a normal shutdown. pfSense is a computer operating system and needs to be shut down gracefully. Simply pulling the plug or turning off a power switch will corrupt the file system.

                                          • bmeeksB
                                            bmeeks
                                            last edited by

                                            And if you decide to perform a fresh install of pfSense, and you did not choose the ZFS option the first time, I recommend installing using the ZFS option when choosing the filesystem. That filesystem is much more resilient in case of sudden power loss. ZFS will be an option in the installer window.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.