Snort doesn't want to start after latest upgrade to Snort 4.1.6_12
-
I had the same issue yesterday after upgrade to 4.6.11 to 4.6.12 and my snort just wont launch and got a fatal ERROR trying to launch snort deamon.
i've tried everything from reconfigure snort or reinstall the package wont help.
the last think i did is try to upgrade my pfsense to the latest 2.7.1-RC and it prompt to downgrade Snort back to version 4.6.11 where it resolves the issue.
I don't dare to update snort again even now it prompt upgrade version 4.6.12 detected. -
@feins said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
I had the same issue yesterday after upgrade to 4.6.11 to 4.6.12 and my snort just wont launch and got a fatal ERROR trying to launch snort deamon.
i've tried everything from reconfigure snort or reinstall the package wont help.
the last think i did is try to upgrade my pfsense to the latest 2.7.1-RC and it prompt to downgrade Snort back to version 4.6.11 where it resolves the issue.
I don't dare to update snort again even now it prompt upgrade version 4.6.12 detected.There is a fix for that FATAL ERROR bug. The 4.1.6_13 package contains the fix. That package should build overnight for the 2.7.1-RC branch. If you see that package version available, upgrading will be fine. Only 4.1.6_12 had the bug. The workaround fix for the bug is in one of my posts a bit farther up this same thread.
Packages are getting built at diffferent times for the various pfSense versions out there now. Some are built immediately after the updated source code is posted, but others only build overnight on scheduled jobs. And some pfSense versions only rebuild packages every few days (this seems to be true for BETA and RC snapshots in particular).
-
@bmeeks Updated to 4.1.6_13 all is good. Thanks again for the quick fix.
-
This problem I think has re-appeared for 4.1.6_14.
Nov 25 08:05:05 php 74892 /tmp/snort_em0_startcmd.php: The command '/usr/local/bin/snort -R _29104 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_em029104 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 29104 -c /usr/local/etc/snort/snort_29104_em0/snort.conf -i em0' returned exit code '1', the output was 'ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
Snort has been running 100% until this update for me.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
This problem I think has re-appeared for 4.1.6_14.
Nov 25 08:05:05 php 74892 /tmp/snort_em0_startcmd.php: The command '/usr/local/bin/snort -R _29104 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_em029104 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 29104 -c /usr/local/etc/snort/snort_29104_em0/snort.conf -i em0' returned exit code '1', the output was 'ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
Snort has been running 100% until this update for me.
No, this has absolutely nothing to do with the original Signal 11 crash from the Kill States portion of the Legacy Blocking Mode nor with the $EXTERNAL_NET variable creation in
snort.conf.Look at the error message logged:
ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'You have a shared library version problem. Have you updated any other package from an incorrect repo. That's one way that could happen.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
You have a shared library version problem. Have you updated any other package from an incorrect repo. That's one way that could happen.I've only upgraded through the UI/package manager within PFSense. I've tried re-installing with no luck. I was successfully on 4.1.6_13 before updating.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
You have a shared library version problem. Have you updated any other package from an incorrect repo. That's one way that could happen.I've only upgraded through the UI/package manager within PFSense
What is your pfSense version? That error means you have a mixture of shared library versions on your system.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
What is your pfSense version? That error means you have a mixture of shared library versions on your system.
Going to try and bump the pfsense version to see if that resolves.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
What is your pfSense version? That error means you have a mixture of shared library versions on your system.
Going to try and bump the pfsense version to see if that resolves.
Oh my goodness!!!
That is exactly your problem. It has been posted on these forum pages over and over and over -- never ever never upgrade a package when a pfSense update is available and you have not yet installed the pfSense update. New packages are always compiled with the new versions of shared libraries for the current pfSense release. Today, that is 2.7.1 and not 2.7.0.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
Oh my goodness!!!
That is exactly your problem. It has been posted on these forum pages over and over and over -- never ever never upgrade a package when a pfSense update is available and you have not yet installed the pfSense update. New packages are always compiled with the new versions of shared libraries for the current pfSense release. Today, that is 2.7.1 and not 2.7.0.
Yep - that is my fault. I didn't notice there was a pfsense update before I went to latest snort. Updating to 2.7.1 has fixed the issue for me and likely got lucky for not cratering my system. :)
thanks again for the quick response!
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
I didn't notice there was a pfsense update before I went to latest snort.
Get in the habit of always going to the pfSense Dashboard first, let the "update check complete", and if a pfSense update is avaiable, do not update your packages before first updating pfSense- unless you specifically go and choose "Previous stable version" in the UPDATE menu. But usually if you do that, the new package version you are after will not show as new packages generally appear only for the newest pfSense release.
