Snort doesn't want to start after latest upgrade to Snort 4.1.6_12
-
Okay, it's a bug I fixed but didn't really fix. I must have somehow managed to leave the "fixed" file out of the Pull Request I sent to Netgate. I will get that fixed, but in the meantime do the following edit on your system to fix it --
Go to DIAGNOSTICS > EDIT FILE and then navigate to this file:
/usr/local/pkg/snort/snort_generate_conf.php
Find lines 41 and 42 in that file that look like this:
else { $external_net = "!$HOME_NET"; }
Edit line 42 to add a backslash character immediately before the dollar sign ($) character like this:
else { $external_net = "!\$HOME_NET"; }
Save the change to the file, then return to SERVICES > SNORT in the pfSense menu and choose any of your configured Snort interfaces to edit. Don't change anything, but simply scroll down and click the Save button. This will regenerate all the snort.conf files for the interfaces and fix the problem.
-
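Why the backslash matters, as an added example that is not part of the original post or of the Snort package's code: in a double-quoted PHP string, $HOME_NET is expanded as a PHP variable, so the value written for EXTERNAL_NET loses the Snort variable name. The function names, the "ipvar EXTERNAL_NET" line format and the sample address range are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the Snort package. Function names and the
// "ipvar EXTERNAL_NET" line format are assumptions made for this example.

// The line as it stood before the edit: inside double quotes PHP treats
// $HOME_NET as a PHP variable. None is defined in this scope, so it expands
// to an empty string and the result is a bare "!".
function external_net_buggy(): string {
    return @"!$HOME_NET";   // @ only hides the undefined-variable warning
}

// The edit from the post: the backslash keeps the dollar sign literal, so the
// text "!$HOME_NET" reaches snort.conf for Snort itself to resolve.
function external_net_fixed(): string {
    return "!\$HOME_NET";
}

// Single quotes never interpolate, so this yields the same string.
function external_net_single_quoted(): string {
    return '!$HOME_NET';
}

// Report EXTERNAL_NET definitions whose value is empty or a lone "!",
// which is what the swallowed variable name leaves behind.
function find_broken_external_net(string $conf): array {
    $bad = [];
    foreach (preg_split('/\R/', $conf) as $n => $line) {
        if (preg_match('/^\s*(?:ip)?var\s+EXTERNAL_NET\s*(\S*)\s*$/', $line, $m)
            && ($m[1] === '' || $m[1] === '!')) {
            $bad[] = sprintf('line %d: %s', $n + 1, trim($line));
        }
    }
    return $bad;
}

// Constructed sample config rendered once per variant.
$template = "ipvar HOME_NET [192.0.2.0/24]\nipvar EXTERNAL_NET %s\n";
foreach (['buggy', 'fixed', 'single_quoted'] as $variant) {
    $fn   = "external_net_$variant";
    $conf = sprintf($template, $fn());
    $bad  = find_broken_external_net($conf);
    printf("%-14s %s\n", $variant, $bad ? 'BROKEN ' . implode('; ', $bad) : 'ok');
}
```

The same check can be pointed at a generated snort.conf by passing its contents to find_broken_external_net() after the interface has been re-saved.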
It didn't show up in my test virtual machine initially because I had the "fixed" file installed there. I had to package the Pull Requests for the update as two distinct requests based separately on the 2.7.0 CE branch and the 2.8 CE DEVEL branch. When I created the version of the 2.7.0 CE branch I somehow managed to use the wrong file in that one and thus the bug I thought I had fixed propagated over to the 2.7.0 CE branch.
I will submit a fix and ask the Netgate team to merge ASAP. Still will be at least tomorrow before it shows up, though. In the meantime, the fix I posted above will work.
-
The fix worked
Thank you for the quick fix. -
@Gerard64 said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
The fix worked
Thank you for the quick fix.
Sorry for the problem. I was juggling two different source file versions and managed to somehow link the wrong one to the Pull Request for the package update. Will get that fixed.
-
Oh don't be.
We all make mistakes sometimes.
I am grateful for all the work you do for this nice package, thank you for that. -
I've posted a new Pull Request for the Netgate developer team to review and merge that contains a permanent fix. It will likely be tomorrow, though, before that merge is completed and a new package built. The new package will be 4.1.6_13.
-
Same issue. I was able to resolve the problem with your posted fix. Thanks for the quick response.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
/usr/local/pkg/snort/snort_generate_conf.php
Thanks for the quick fix.
It worked for me too! -
-
I had the same issue yesterday after the upgrade from 4.6.11 to 4.6.12: my snort just won't launch, and I got a fatal ERROR trying to launch the snort daemon.
I've tried everything; reconfiguring snort or reinstalling the package won't help.
The last thing I did was try to upgrade my pfsense to the latest 2.7.1-RC, and it prompted to downgrade Snort back to version 4.6.11, which resolved the issue.
I don't dare to update snort again, even now that it prompts that upgrade version 4.6.12 was detected. -
@feins said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
I had the same issue yesterday after the upgrade from 4.6.11 to 4.6.12: my snort just won't launch, and I got a fatal ERROR trying to launch the snort daemon.
I've tried everything; reconfiguring snort or reinstalling the package won't help.
The last thing I did was try to upgrade my pfsense to the latest 2.7.1-RC, and it prompted to downgrade Snort back to version 4.6.11, which resolved the issue.
I don't dare to update snort again, even now that it prompts that upgrade version 4.6.12 was detected.
There is a fix for that FATAL ERROR bug. The 4.1.6_13 package contains the fix. That package should build overnight for the 2.7.1-RC branch. If you see that package version available, upgrading will be fine. Only 4.1.6_12 had the bug. The workaround fix for the bug is in one of my posts a bit farther up this same thread.
Packages are getting built at different times for the various pfSense versions out there now. Some are built immediately after the updated source code is posted, but others only build overnight on scheduled jobs. And some pfSense versions only rebuild packages every few days (this seems to be true for BETA and RC snapshots in particular).
-
@bmeeks Updated to 4.1.6_13 all is good. Thanks again for the quick fix.
-
This problem I think has re-appeared for 4.1.6_14.
Nov 25 08:05:05 php 74892 /tmp/snort_em0_startcmd.php: The command '/usr/local/bin/snort -R _29104 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_em029104 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 29104 -c /usr/local/etc/snort/snort_29104_em0/snort.conf -i em0' returned exit code '1', the output was 'ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
Snort has been running 100% until this update for me.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
This problem I think has re-appeared for 4.1.6_14.
Nov 25 08:05:05 php 74892 /tmp/snort_em0_startcmd.php: The command '/usr/local/bin/snort -R _29104 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_em029104 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 29104 -c /usr/local/etc/snort/snort_29104_em0/snort.conf -i em0' returned exit code '1', the output was 'ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
Snort has been running 100% until this update for me.
No, this has absolutely nothing to do with the original Signal 11 crash from the Kill States portion of the Legacy Blocking Mode nor with the $EXTERNAL_NET variable creation in snort.conf.
Look at the error message logged:
ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
You have a shared library version problem. Have you updated any other package from an incorrect repo? That's one way that could happen.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
You have a shared library version problem. Have you updated any other package from an incorrect repo? That's one way that could happen.
I've only upgraded through the UI/package manager within PFSense. I've tried re-installing with no luck. I was successfully on 4.1.6_13 before updating.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
You have a shared library version problem. Have you updated any other package from an incorrect repo? That's one way that could happen.
I've only upgraded through the UI/package manager within PFSense
What is your pfSense version? That error means you have a mixture of shared library versions on your system.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
What is your pfSense version? That error means you have a mixture of shared library versions on your system.
Going to try and bump the pfsense version to see if that resolves.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
What is your pfSense version? That error means you have a mixture of shared library versions on your system.
Going to try and bump the pfsense version to see if that resolves.
Oh my goodness!!!
That is exactly your problem. It has been posted on these forum pages over and over and over -- never ever never upgrade a package when a pfSense update is available and you have not yet installed the pfSense update. New packages are always compiled with the new versions of shared libraries for the current pfSense release. Today, that is 2.7.1 and not 2.7.0.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
Oh my goodness!!!
That is exactly your problem. It has been posted on these forum pages over and over and over -- never ever never upgrade a package when a pfSense update is available and you have not yet installed the pfSense update. New packages are always compiled with the new versions of shared libraries for the current pfSense release. Today, that is 2.7.1 and not 2.7.0.
Yep - that is my fault. I didn't notice there was a pfsense update before I went to latest snort. Updating to 2.7.1 has fixed the issue for me and likely got lucky for not cratering my system. :)
Thanks again for the quick response!
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
I didn't notice there was a pfsense update before I went to latest snort.
Get in the habit of always going to the pfSense Dashboard first, let the "update check complete", and if a pfSense update is available, do not update your packages before first updating pfSense, unless you specifically go and choose "Previous stable version" in the UPDATE menu. But usually if you do that, the new package version you are after will not show, as new packages generally appear only for the newest pfSense release.