Netgate Discussion Forum
    Snort not starting on version 2.0 freebsd 8.0 11/10/09 (clean install)

      jamesdean

      grandrivers

      Post this command up.

      cat /usr/local/etc/rc.d/snort.sh

      James

        grandrivers

        hope this helps shed some light on it

        cat /usr/local/etc/rc.d/snort.sh

        #!/bin/sh

        # This file was automatically generated
        # by the  service handler.

        rc_start() {

        # Refuse to start when the rules directory is empty
        if [ "`ls -A /usr/local/etc/snort/rules`" ] ; then
                echo "rules exist"
                else
                echo "rules DONT exist"
                exit 2
                fi

        # Remove a stale lock file when no snort process is running
        if [ "`pgrep -x snort`" = "" ] ; then
                /bin/rm /tmp/snort.sh.pid
                fi

        # Snort is already up: reload the dynamic IP list and stop here
        if [ "`pgrep -x snort`" != "" ] ; then
                logger -p daemon.info -i -t SnortStartup "Snort already running..."
                /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
                exit 1
                fi

        # Another instance of this script holds the lock file
        if ls /tmp/snort.sh.pid > /dev/null
        then
            echo "snort.sh is running"
            exit 0
        else
            echo "snort.sh is not running"
        fi

        echo "snort.sh run" > /tmp/snort.sh.pid

        echo "snort.sh run" >> /tmp/snort.sh_startup.log

        rm -f /var/run/snort_*
        BEFORE_MEM=`top | grep Wired | awk '{print $12}'`
        /bin/mkdir -p /var/log/snort
        /usr/bin/killall barnyard2
        sleep 4
        # One snort instance per monitored interface
        snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em0 -q
        sleep 4
        snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em2 -q

        echo "Sleeping before final memory sampling..."
        WAITSECURE=60
        # Poll the system log until snort reports a successful start or the counter runs out
        while [ "$MYSNORTLOG" = "" -a $WAITSECURE -gt 0 ] ; do
                sleep 2
                MYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`
                WAITSECURE=`expr $WAITSECURE - 1`
        done

        AFTER_MEM=`top | grep Wired | awk '{print $12}'`
                TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print $6 }'`
                echo "Ram free BEFORE starting Snort: $BEFORE_MEM -- Ram free AFTER starting Snort: $AFTER_MEM -- Mode ac-bnfa -- Snort memory usage: $TOTAL_USAGE" | logger -p daemon.info -i -t SnortStartup

        }

        rc_stop() {
                /usr/bin/killall snort; killall barnyard2
        }

        case $1 in
                start)
                        rc_start
                        ;;
                stop)
                        rc_stop
                        ;;
                restart)
                        rc_stop
                        rc_start
                        ;;
        esac


        pfsense plus 25.03 super micro A1SRM-2558F
        C2558 32gig ECC  60gig SSD

          grandrivers

          when I try to start snort this is all that shows in the system log

          Oct 31 04:48:27 SnortStartup[18444]: Ram free BEFORE starting Snort: 1785M – Ram free AFTER starting Snort: 1785M -- Mode ac-bnfa -- Snort memory usage:

            grandrivers

            this is what I get when trying to start snort from console; looks like it's a missing lib problem

            /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort

              grandrivers

              anyone have any ideas to help

                grandrivers

                anyone?

                  jamesdean

                  grandrivers

                  Are you using the latest package?

                  Did you try updating the pfSense version?

                  James

                    grandrivers

                    I am using latest snapshot and the latest snort package and still looks like a missing lib

                    snort

                    /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"

                      jamesdean

                      @grandrivers:

                      I am using latest snapshot and the latest snort package and still looks like a missing lib

                      snort

                      /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"

                      Sorry about your questions, but I have been really busy at work.

                      That error may be because snort needs to be compiled for FreeBSD 8.0.

                      Please post these commands.

                      pkg_info

                      and

                      find / | grep libpcap.so

                      James

                        grandrivers

                        pkg_info

                        libdnet-1.11_3      A simple interface to low level networking routines
                        mysql-client-5.1.34 Multithreaded SQL database (client)
                        pcre-7.9            Perl Compatible Regular Expressions library
                        perl-5.8.9_3        Practical Extraction and Report Language
                        snort-2.8.4.1_1    Lightweight network intrusion detection system

                        find / | grep libpcap.so

                        /lib/libpcap.so.7
                        /usr/local/lib/libpcap.so.3
                        /usr/local/lib/libpcap.so
                        /usr/lib/libpcap.so

                          jamesdean

                          grand

                          It seems 8.0 has updated the libpcap libs. So snort binary will have to be built for 8.0.

                          A quick fix is to soft link so.7 with so.5.

                          ln /lib/libpcap.so.7 /lib/libpcap.so.5

                          James

                            grandrivers

                            thank you very much I had reversed the order of the libs in the command

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
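
The diagnosis reached in this thread (snort linked against libpcap.so.5 while only other major versions are installed), worked through as an added shell example that is not part of any post. The function names are hypothetical; the sample inputs are the linker error and the `find` output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# the sample inputs are the error line and `find` output quoted in the posts.

# Pull the missing soname out of an ld-elf.so.1 (run-time linker) error line.
missing_soname() {
    printf '%s\n' "$1" |
        sed -n 's/.*Shared object "\([^"]*\)" not found.*/\1/p'
}

# stdin: list of paths. $1: wanted soname, e.g. libpcap.so.5.
# Prints the installed major versions of that library as "3,7".
installed_majors() {
    base=${1%.*}                                  # libpcap.so.5 -> libpcap.so
    grep -F "/$base." |
        sed 's/.*\.so\.\([0-9]*\).*/\1/' |
        sort -nu | tr '\n' ',' | sed 's/,$//'
}

# $1: linker error text, $2: path listing. Prints a single verdict line.
diagnose() {
    so=$(missing_soname "$1")
    [ -n "$so" ] || { echo "no-linker-error"; return 0; }
    want=${so##*.}                                # major the binary was linked against
    have=$(printf '%s\n' "$2" | installed_majors "$so")
    case ",$have," in
        *",$want,"*) echo "present-but-not-on-search-path $so" ;;
        ",,")        echo "absent $so" ;;
        # Other majors only: a link named .so.$want would load a different
        # ABI under the old name; the binary needs rebuilding for this OS.
        *)           echo "abi-mismatch $so wanted=$want installed=$have" ;;
    esac
}

ERR='/libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"'
LISTING='/lib/libpcap.so.7
/usr/local/lib/libpcap.so.3
/usr/local/lib/libpcap.so
/usr/lib/libpcap.so'

diagnose "$ERR" "$LISTING"
```

On a live system the two inputs are the stderr of starting the binary from the console and the output of the `find / | grep libpcap.so` command from the thread; running `ldd` on the snort binary lists every shared object it requires, not only the first one that fails.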