Snort initialization failure
-
Don't forget to save the snort settings after each upgrade/downgrade!
-
Don't forget to save the snort settings after each upgrade/downgrade!
Yep. I did that. Still getting unable to open alert file with the 11-30 snapshot, and continuous bootup cycle with the 12-4 snapshot.
-
I upgraded to 12-05 snapshot, and when I install snort I get stuck at Executing custom_php_install_command()…
-
Well I updated to 1.0.1-SNAPSHOT-12-05-2006 and everything seems fine. CPU and memory usage are normal. I guess the upgrade didn't take well the first time. I'll see how this goes.
sdale, my alert file problem was resolved by reinstalling pfsense and snort, and I haven't been getting the "can't open alert file" error since the 11-25 SNAPSHOT. I just restored my config without the packages. It took all of 15 minutes.
-
Well, I'm not sure what's going on, but I can't get mine to work. I tried all your suggestions and still nothing. Just keeps exiting :(.
-
Ok, after reformatting like 30 times, I've determined that one or more of the rulesets is causing snort to abort. I'll get back when I determine which one it is.
Update:
OK so I finally got some time to sit down and troubleshoot the crap out of this.
I reformatted to 1.0.1, installed snort, checked ALL rulesets; snort would not boot up. It keeps failing, with no error code given. Using the same install, I finally determined that by un-checking the p2p.rules and web-misc.rules rule sets I can get snort to boot up. ???
Now, before you say it's a RAM issue, it's not. With snort up and running, it only consumes 55-60% RAM.
To confirm, I tried enabling just those two rules, and snort would not boot up.
I am not sure what in those files is preventing snort from booting up, but something is. Can anyone confirm my evaluation?
-
When I upgrade to the 12-05 snapshot, reinstall snort, and save settings, I get this error:
Dec 7 21:13:50 snort[4264]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_sis0.pid" for PID "4264"
Dec 7 21:13:50 snort[4264]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_sis0.pid" for PID "4264"
Dec 7 21:13:50 snort[4264]: PID path stat checked out ok, PID path set to /var/run/
Dec 7 21:13:50 snort[4264]: PID path stat checked out ok, PID path set to /var/run/
Dec 7 21:13:50 snort[4264]: Var 'sis0_ADDRESS' redefined
Dec 7 21:13:50 snort[4264]: Var 'sis0_ADDRESS' redefined
Dec 7 21:13:50 snort[4247]: Initializing daemon mode
Also, if I have backdoor.rules enabled, snort aborts. Says:
Dec 7 21:18:14 snort2c[5648]: snort2c running in daemon mode pid: 5648
Dec 7 21:18:14 snort2c[5648]: snort2c running in daemon mode pid: 5648
Dec 7 21:18:14 snort[5645]: FATAL ERROR: /usr/local/etc/snort/rules/backdoor.rules(643) => Unknown rule type: )
Dec 7 21:18:14 snort[5645]: FATAL ERROR: /usr/local/etc/snort/rules/backdoor.rules(643) => Unknown rule type: )
Dec 7 21:18:14 snort[5645]: Ports to decode telnet on: 21 23 25 119
Dec 7 21:18:14 snort[5645]: Ports to decode telnet on: 21 23 25 119
Also getting
Dec 7 21:19:17 snort[5970]: FATAL ERROR: ParseRuleFile : Line 642 too long, 'alert tcp $EXTERNAL_NET $HTTP_…'
Dec 7 21:19:17 snort[5970]: FATAL ERROR: ParseRuleFile : Line 642 too long, 'alert tcp $EXTERNAL_NET $HTTP_…'
-
@sdale:
When I upgrade to the 12-05 snapshot, reinstall snort, and save settings, I get this error:
Dec 7 21:13:50 snort[4264]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_sis0.pid" for PID "4264"
Dec 7 21:13:50 snort[4264]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_sis0.pid" for PID "4264"
Dec 7 21:13:50 snort[4264]: PID path stat checked out ok, PID path set to /var/run/
Dec 7 21:13:50 snort[4264]: PID path stat checked out ok, PID path set to /var/run/
Dec 7 21:13:50 snort[4264]: Var 'sis0_ADDRESS' redefined
Dec 7 21:13:50 snort[4264]: Var 'sis0_ADDRESS' redefined
Dec 7 21:13:50 snort[4247]: Initializing daemon mode
Also, if I have backdoor.rules enabled, snort aborts. Says:
Dec 7 21:18:14 snort2c[5648]: snort2c running in daemon mode pid: 5648
Dec 7 21:18:14 snort2c[5648]: snort2c running in daemon mode pid: 5648
Dec 7 21:18:14 snort[5645]: FATAL ERROR: /usr/local/etc/snort/rules/backdoor.rules(643) => Unknown rule type: )
Dec 7 21:18:14 snort[5645]: FATAL ERROR: /usr/local/etc/snort/rules/backdoor.rules(643) => Unknown rule type: )
Dec 7 21:18:14 snort[5645]: Ports to decode telnet on: 21 23 25 119
Dec 7 21:18:14 snort[5645]: Ports to decode telnet on: 21 23 25 119
Also getting
Dec 7 21:19:17 snort[5970]: FATAL ERROR: ParseRuleFile : Line 642 too long, 'alert tcp $EXTERNAL_NET $HTTP_…'
Dec 7 21:19:17 snort[5970]: FATAL ERROR: ParseRuleFile : Line 642 too long, 'alert tcp $EXTERNAL_NET $HTTP_…'
These are rule-related problems. I have no idea how to fix these; you are somewhat on your own here.
-
These are rule-related problems. I have no idea how to fix these; you are somewhat on your own here.
Yea, I'm taking a look into it.
-
@sdale:
These are rule-related problems. I have no idea how to fix these; you are somewhat on your own here.
Yea, I'm taking a look into it.
I found the problem. It lies within my edited rule file. I will send the diff as soon as I get it completed.
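The three FATAL ERROR lines quoted earlier (a stray ")" parsed as a rule type, a rule line over the parser's length limit) and the "Var redefined" warning are all things a hand-edited rules file can be screened for before snort is restarted. The following is an added example, not code from the thread or from the pfSense snort package; the 8192-character line limit and the list of accepted rule types are assumptions, since both depend on the Snort 2.x build.

```python
# Added example, not code from the thread or the pfSense Snort package: a lint
# for a hand-edited Snort 2.x rules file that flags the parse failures quoted
# above (stray ")" read as a rule type, overlong line, redefined var) plus
# unbalanced parentheses. The 8192 line limit is an assumption; it varies by build.
RULE_TYPES = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
DIRECTIVES = {"var", "portvar", "ipvar", "include", "config", "preprocessor",
              "output", "dynamicpreprocessor", "dynamicengine", "dynamicdetection"}

def logical_lines(text):
    # Yield (first_line_no, line) with trailing-backslash continuations joined.
    buf, start = [], None
    for n, line in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        yield start, "".join(buf) + line
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, "".join(buf)

def lint_rules(text, max_line_len=8192):
    """Return [(line_no, message), ...] in file order; empty when clean."""
    problems, seen = [], set()
    for n, line in logical_lines(text):
        if len(line) > max_line_len:
            problems.append((n, "Line too long"))
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        if parts[0] in DIRECTIVES:
            if parts[0] in ("var", "portvar", "ipvar") and len(parts) > 1:
                if parts[1] in seen:
                    problems.append((n, f"Var '{parts[1]}' redefined"))
                seen.add(parts[1])
        elif parts[0] not in RULE_TYPES:
            problems.append((n, f"Unknown rule type: {parts[0]}"))
        elif s.count("(") != s.count(")"):
            problems.append((n, "Unbalanced parentheses (rule split across lines?)"))
    return problems

# Constructed sample reproducing the thread's defects; not a real rules file.
SAMPLE_RULES = "\n".join([
    "var HOME_NET 192.168.1.0/24",
    "var HOME_NET 10.0.0.0/8",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ok"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cut"; sid:1000002;',
    ")",
    'alert tcp any any -> any any (msg:"long"; content:"' + "A" * 9000 + '"; sid:1000003;)',
])
```

Running `lint_rules(SAMPLE_RULES)` reports the redefined var on line 2, the unbalanced rule on line 4, the lone ")" on line 5 and the overlong line 6; a rules file that is clean under this lint can still fail for option-level errors the lint does not model.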