Snort fails to install.
-
@BlueCoffee said in Snort fails to install.:
and my god this error on this forum is so annoying
As a new user, you can only post once every 120 second(s) until you have earned 3 reputation - please wait before posting again
I've given you 3 "up votes" to boost your reputation to 3. That should prevent the error in the future.
-
@bmeeks Thanks for that.
-
@BlueCoffee:
But immediately after it failing to start, show me what your pfSense system log says.There has to be something there if the process is actually attempting to start. The only time it will fail to log something is if there is a shared library issue. But we proved that is not the case because it starts up enough to show the Snort version at the command line.
Have you configured and used the Snort package on pfSense before?
-
@bmeeks said in Snort fails to install.:
@BlueCoffee:
But immediately after it failing to start, show me what your pfSense system log says.There has to be something there if the process is actually attempting to start. The only time it will fail to log something is if there is a shared library issue. But we proved that is not the case because it starts up enough to show the Snort version at the command line.
Have you used the Snort package on pfSense before?
I have on my last system. not on this new system. (tho I had it on wan for years.)
can fsck try and repair? should I start the whole install of Pfsense again?
-
@BlueCoffee said in Snort fails to install.:
can fsck try and repair? should I start the whole install of Pfsense again?
Yes, the utility can attempt a repair. That usually requires several runs while in single-user mode. Here is the official FreeBSD documentation for
fsck: https://man.freebsd.org/cgi/man.cgi?fsck.And here is the official Netgate documentation on disk repairs: https://docs.netgate.com/pfsense/en/latest/troubleshooting/filesystem-check.html#filesystem-check-manual.
You can try this, but I would be very hesitant to keep this hardware. Having these issues right out of the box is not normal unless at some point you simply removed power abruptly without letting the operating system perform a normal shutdown. pfSense is a computer operating system and needs to be shutdown gracefully. Simply pulling the plug or turning off a power switch will corrupt the file system.
-
And if you decide to perform a fresh install of pfSense, and you did not choose the ZFS option the first time, I recommend installing using the ZFS option when choosing the filesystem. That filesystem is much more resilient in case of sudden power loss. ZFS will be an option in the installer window.
-
@bmeeks ZFS asks me to do raid all the time.
-
@BlueCoffee said in Snort fails to install.:
@bmeeks ZFS asks me to do raid all the time.
No, you do not have to choose RAID. It will let you install to a single disk. Look through the options carefully. RAID is typically used with ZFS, but it is not a requirement that blocks installation otherwise.
Have a look here: https://docs.netgate.com/pfsense/en/latest/install/install-zfs.html.
-
ive installed again (before I had seen your ZFS post and I ran the command again
[2.7.0-RELEASE][admin@pfSense.home.arpa]/root: fsck ** /dev/ufsid/64e75ea55ebb8f0b (NO WRITE) ** SU+J Recovering /dev/ufsid/64e75ea55ebb8f0b USE JOURNAL? no ** Skipping journal, falling through to full fsck ** Last Mounted on / ** Root file system ** Phase 1 - Check Blocks and Sizes INCORRECT BLOCK COUNT I=25721102 (8 should be 0) CORRECT? no INCORRECT BLOCK COUNT I=40224271 (712 should be 704) CORRECT? no ** Phase 2 - Check Pathnames ** Phase 3 - Check Connectivity ** Phase 4 - Check Reference Counts UNREF FILE I=23317317 OWNER=root MODE=100644 SIZE=12462 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=23317318 OWNER=root MODE=100644 SIZE=12589 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=24999963 OWNER=root MODE=100600 SIZE=3389 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=24999964 OWNER=root MODE=100644 SIZE=748 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=24999965 OWNER=root MODE=100600 SIZE=419 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=24999966 OWNER=root MODE=100644 SIZE=104 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=27163420 OWNER=root MODE=100644 SIZE=2228 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=40224291 OWNER=root MODE=100644 SIZE=0 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=40624914 OWNER=root MODE=100644 SIZE=0 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=41666593 OWNER=root MODE=100644 SIZE=6 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=46554389 OWNER=root MODE=100644 SIZE=553 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no UNREF FILE I=50480645 OWNER=root MODE=100666 SIZE=0 MTIME=Aug 24 14:45 2023 CLEAR? no UNREF FILE I=50480649 OWNER=root MODE=100644 SIZE=522 MTIME=Aug 24 14:51 2023 RECONNECT? no CLEAR? no ** Phase 5 - Check Cyl groups FREE BLK COUNT(S) WRONG IN SUPERBLK SALVAGE? no SUMMARY INFORMATION BAD SALVAGE? no BLK(S) MISSING IN BIT MAPS SALVAGE? no 26286 files, 459947 used, 119573829 free (3669 frags, 14946270 blocks, 0.0% fragmentation) ** /dev/nvd0p1 (NO WRITE) ** Phase 1 - Read FAT and checking connectivity ** Phase 2 - Checking Directories ** Phase 3 - Checking for Lost Files 6 files, 259 MiB free (16549 clusters) MARK FILE SYSTEM CLEAN? no ***** FILE SYSTEM IS LEFT MARKED AS DIRTY ***** [2.7.0-RELEASE][admin@pfSense.home.arpa]/root:Odd right
-
@BlueCoffee:
Follow the instructions very carefully in the documentation links I've provided from Netgate. Both of them for repairing the disk and installing using ZFS single-disk mode (also called Stripe 0). -
@bmeeks said in Snort fails to install.:
@BlueCoffee:
Follow the instructions very carefully in the documentation links I've provided from Netgate. Both of them for repairing the disk and installing using ZFS single-disk mode (also called Stripe 0).im sending it back mega crash than a flashing screen thanks for the help bmeeks.
-
Yeah, that hardware seems to have some gremlins inside. Exchange is a good idea.
-
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
-
@BlueCoffee said in Snort fails to install.:
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
The hardware you provided a link to appears fine for the job. Looks like maybe you just got unlucky and received a unit that should have failed the factory testing before it was stocked and shipped to a customer.
I am partial to Netgate hardware as purchasing that directly funds the continued development of pfSense CE.
But pretty much any Intel 64-bit CPU should work. If you want to use Snort, then you want the fastest CPU clock speed you can get. Snort is single-threaded, so that means no matter how many cores a CPU may have, Snort will only use one of them. In that scenario, faster clocks speeds trump more cores (at least for Snort).
The IDS/IPS packages want either a SSD or an actual spinning disk for logging. They can log so much stuff that a smaller eMMC can wear out quickly. In terms of RAM, anything over 4 GB is suffiicient. 8 GB would be more than enough for home use.
If you want to consider changing, Suricata is multithreaded and can can efficiently use all the cores in the CPU.
-
@bmeeks said in Snort fails to install.:
@BlueCoffee said in Snort fails to install.:
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
The hardware you provided a link to appears fine for the job. Looks like maybe you just got unlucky and received a unit that should have failed the factory testing before it was stocked and shipped to a customer.
I am partial to Netgate hardware as purchasing that directly funds the continued development of pfSense CE.
But pretty much any Intel 64-bit CPU should work. If you want to use Snort, then you want the fastest CPU clock speed you can get. Snort is single-threaded, so that means no matter how many cores a CPU may have, Snort will only use one of them. In that scenario, faster clocks speeds trump more cores (at least for Snort).
The IDS/IPS packages want either a SSD or an actual spinning disk for logging. They can log so much stuff that a smaller eMMC can wear out quickly. In terms of RAM, anything over 4 GB is suffiicient. 8 GB would be more than enough for home use.
If you want to consider changing, Suricata is multithreaded and can can efficiently use all the cores in the CPU.
Ive gone with the same one getting it tomorrow hopefully all's well with this one.
Are you the guy who made snort? I remember reading some stuff many years ago with that avatar you have.
Also can't believe I've been ruining it wrong all these years.
-
@BlueCoffee said in Snort fails to install.:
Are you the guy who made snort? I remember reading some stuff many years ago with that avatar you have.
Also can't believe I've been ruining it wrong all these years.
I did not create the original pfSense package, but I did eventually take over maintenance of it many years ago. I have been responsible for the updates to it for many years. I did create the Suricata package on pfSense.
And no, you have not been "ruining Snort" by running it on the WAN. It's just that the LAN turns out to be better. Don't despair, the very first time I installed the package many, many years ago I chose the WAN as well. But later, as I learned more about how the internal plumbing of FreeBSD and pfSense worked, I realized that putting it on the WAN makes it busy scanning Internet "noise" that the default firewall rules on the WAN are going to drop anyway. Snort (or Suricata) when running on the WAN sees inbound traffic before the firewall does. So, the firewall rules have not yet acted to clean-up and filter out the noise. But when running on the LAN, the WAN firewall rules have already eliminated the noise. And of course there is the annoyance of all the local IP addresses being masked behind the NAT operation of the firewall engine. That means all local hosts show up in any alerts as having your public WAN IP. That makes it hard to track a problem to an indvidual local host on your LAN. Running on an internal interface eliminates these disadvantages and does not impact security. All the WAN traffic still must come and go through the Snort instance on the LAN interface in order to reach any of the hosts on the LAN.
-
@bmeeks I was meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata is it similar to snort?
-
@BlueCoffee said in Snort fails to install.:
@bmeeks I was meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata is it similar to snort?
Suricata is also an IDS/IPS like Snort. It is much newer and was created by a consortium originally sponsored by Emerging Threats. Emerging Threats was purchased and absorbed into Proofpoint a few years ago.
Here is the Suricata official website: https://suricata.io/.
Snort on pfSense is currently running the older 2.9.x branch which is single-threaded. There is a new Snort3 branch that is multithreaded, but there is currently no plan to port that to pfSense. I tried twice, and there were just too many changes required and porting over an existing install was almost impossible. So, I gave up on a Snort3 package. Someone else in the future may decide to create one, but I'm not interested. I had rather continue support for Suricata. At some point in the future, the upstream Snort/Cisco folks will discontinue the Snort 2.9.x branch. At that point, unless someone has created a Snort3 package for pfSense, then Suricata will be the only IDS/IPS option on pfSense. However, a case can certainly be made that without MITM (man-in-the-middle) breaking of the encryption prevalent in all of modern network traffic, IDS/IPS software on any host but an endpoint is becoming almost useless. At least that's true in terms of payload inspection. Sure the IDS can examine headers for now, but even there moves are afoot to encrypt them as well.
Suricata offers many advantages to Snort. Chief among them is more detailed logging. You can find discussions of both Snort and Suricata in the IDS/IPS forum here on the Netgate forums site. At the moment the only shortcoming of Suricata is that it lacks an equivalent of OpenAppID.
-
@bmeeks said in Snort fails to install.:
@BlueCoffee said in Snort fails to install.:
@bmeeks I was meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata is it similar to snort?
Suricata is also an IDS/IPS like Snort. It is much newer and was created by a consortium originally sponsored by Emerging Threats. Emerging Threats was purchased and absorbed into Proofpoint a few years ago.
Here is the Suricata official website: https://suricata.io/.
Snort on pfSense is currently running the older 2.9.x branch which is single-threaded. There is a new Snort3 branch that is multithreaded, but there is currently no plan to port that to pfSense. I tried twice, and there were just too many changes required and porting over an existing install was almost impossible. So, I gave up on a Snort3 package. Someone else in the future may decide to create one, but I'm not interested. I had rather continue support for Suricata. At some point in the future, the upstream Snort/Cisco folks will discontinue the Snort 2.9.x branch. At that point, unless someone has created a Snort3 package for pfSense, then Suricata will be the only IDS/IPS option on pfSense. However, a case can certainly be made that without MITM (man-in-the-middle) breaking of the encryption prevalent in all of modern network traffic, IDS/IPS software on any host but an endpoint is becoming almost useless. At least that's true in terms of payload inspection. Sure the IDS can examine headers for now, but even there moves are afoot to encrypt them as well.
Suricata offers many advantages to Snort. Chief among them is more detailed logging. You can find discussions of both Snort and Suricata in the IDS/IPS forum here on the Netgate forums site. At the moment the only shortcoming of Suricata is that it lacks an equivalent of OpenAppID.
Thanks again mbeeks for the information ill have a read on the site
I do have one quick question is it safe to use. no spying from the owners etc,,, -
@BlueCoffee said in Snort fails to install.:
I do have one quick question is it safe to use. no spying from the owners etc,,,
Of course! It is fully open source software, and it is used by many corporations and individuals around the world.
