Unable to install Snort

kevin.goffart

Hello all !

I'm new to PfSense.

Thank you for your indulgence :-)

Most of the packets I want to install result in an error.

For example, for snort, I get the following error:

Installing pfSense-pkg-snort...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
daq: 2.2.2_3 [pfSense]
libdnet: 1.13_3 [pfSense]
libpcap: 1.10.4 [pfSense]
pfSense-pkg-snort: 4.1.6_9 [pfSense]
snort: 2.9.20_3 [pfSense]

Number of packages to be installed: 5

The process will require 10 MiB more space.
2 MiB to be downloaded.
[1/4] Fetching libdnet-1.13_3.pkg: .......... done
[2/4] Fetching snort-2.9.20_3.pkg: .......... done
[3/4] Fetching daq-2.2.2_3.pkg: .......... done
[4/4] Fetching pfSense-pkg-snort-4.1.6_9.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/5] Installing libdnet-1.13_3...
[1/5] Extracting libdnet-1.13_3: .......... done
[2/5] Installing libpcap-1.10.4...
[2/5] Extracting libpcap-1.10.4: .......... done
pkg-static: Fail to rename /usr/local/man/man3/.pkgtemp.pcap_tstamp_type_name_to_val.3.gz.WKXdWoBcYp6D -> /usr/local/man/man3/pcap_tstamp_type_name_to_val.3.gz:No such file or directory
Failed

For ntopng, I get a different error:

Installing pfSense-pkg-ntopng...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 25 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
fontconfig: 2.14.2,1 [pfSense]
gdbm: 1.23 [pfSense]
graphite2: 1.3.14 [pfSense]
graphviz: 7.1.0_6 [pfSense]
groff: 1.22.4_4 [pfSense]
harfbuzz: 7.3.0 [pfSense]
hidapi: 0.13.1 [pfSense]
hiredis: 1.0.2 [pfSense]
libfido2: 1.13.0 [pfSense]
libfontenc: 1.1.4 [pfSense]
libgd: 2.3.3_5,1 [pfSense]
libmaxminddb: 1.7.1 [pfSense]
libunwind: 20211201_2 [pfSense]
libzmq4: 4.3.4 [pfSense]
lua54: 5.4.4 [pfSense]
mkfontscale: 1.2.1 [pfSense]
mysql80-client: 8.0.32_2 [pfSense]
ndpi: 4.6.d20230201,1 [pfSense]
norm: 1.5r6_3 [pfSense]
ntopng: 5.6.d20230216,1 [pfSense]
openpgm: 5.2.122_6 [pfSense]
pfSense-pkg-ntopng: 0.8.13_10 [pfSense]
redis: 7.0.11 [pfSense]
webfonts: 0.30_14 [pfSense]
webp: 1.3.0 [pfSense]

Number of packages to be installed: 25

The process will require 191 MiB more space.
[1/25] Installing groff-1.22.4_4...
[1/25] Extracting groff-1.22.4_4:
pkg-static: Fail to set time on /gpinyin/subs.pl:No such file or directory
[1/25] Extracting groff-1.22.4_4... done
Failed

On first installation, pfsense completely crashed and rebooted.

The only packet I can install is openvpn-client-export.

In short, I'm a bit disarmed.

Do you have an opinion?

This is the configuration on which I run PfSense :

Intel(R) N100
4 CPUs: 1 package(s) x 4 core(s)
16GB RAM
Disk : 512GB (SSD)

Thank you !

Kevin.

bmeeks

Something is definitely not correct with your basic pfSense installation. If this is a new install, I would wipe out what you have and start over with a fresh install. Let the installer wipe the disk during the reinstall.

The fact your initial install try resulted in a crash and reboot is a strong indication something is amiss. My first suspicion would be something hardware related. Are your 100% sure that SSD is good? Those errors you posted hint at a possible disk issue when attempting to read or write.

Are you perhaps trying to use a RAM Disk? If so, that setup is not compatible with some packages, especially Snort, Suricata, and pfBlockerNG. You can easily run out of disk space during certain operations, and that would trip up a package installation. But I still come back to the crash and reboot after the initial install. That is not normal and it's possible the install of pfSense did not fully complete.

kevin.goffart

@bmeeks Thank you for your reply.
I've already reinstalled several times but the problem recurs with each installation.

In terms of hardware, I let myself be tempted by a box I found on AliExpress, the important thing for me being to have 4 network interfaces and a more powerful processor or the equivalent of a SOPHOS XG116. Perhaps the disk in this machine is indeed worthless. Thanks for your help!

Capture d’écran 2023-09-27 à 16.26.34.png

slu

@kevin-goffart said in Unable to install Snort:

I've already reinstalled several times but the problem recurs with each installation.

From the same source?

kevin.goffart

@slu Hello, I've edited my answer, which wasn't complete. See above. Thank you very much!

bmeeks

If you are having crashes and reboots immediately upon installation, I would wonder about the hardware compatibility or reliability.

Your error messages with the package installation attempts strongly hint at disk problems encountered by the pkg utility while attempting to unpack and rename the various files that are part of a package bundle.

When you experience the crash and reboot, have you examined the system log at the next loging to see if anything is showing?

Are you using the straight out-of-the-box defaults when installing?

Are you attempting to implement any "security customizations" during the install or changing user or filesystem permissions?

kevin.goffart

@bmeeks No, it's not directly after installation, but after the packets have been installed. If I don't try to install packets, then I don't get any crashes.

bmeeks

@kevin-goffart said in Unable to install Snort:

@bmeeks No, it's not directly after installation, but after the packets have been installed. If I don't try to install packets, then I don't get any crashes.

Does the firewall itself crash and reboot on its own? Or by "crash" do you mean the package installation is failing?

A crash and automatic reboot indicates a likely hardware failure or a severe driver incompabibility somewhere. In your posted errors, you did not even reach the install point for Snort itself. The pkg utility was still unpacking support libraries for Snort and failing to rename a file because that file did not exist. A non-existent file can happen either because of a disk read or write failure, or because of a file permissions issue. That latter problem could only result from the user making some change to default permissions.

kevin.goffart

Hello everyone,

I have just reinstalled PFSENSE again.

All the times I installed PFSENSE I used the UFS mode, I just redid an installation with the ZFS mode and I no longer have the problem ...

I'll keep my fingers crossed and continue my tests.

Thank you all for your participation.

I'll check out the difference between these 2 partitioning modes later.