Netgate Discussion Forum

    Snort immediately dies

    pfSense Packages
      mentalhemroids

      I'm noticing problems with 1.2.2 and 1.2.3 with snort loading dns.rules; it says there is an error and shuts down the service.  Without it on I'm slowly adding rule sets and it seems to be working fine.  We'll see though.

        tester_02

        Turn on the pre-processors.  That is what was killing my netbios rules from starting.

          mentalhemroids

          @tester_02:

          Turn on the pre-processors.  That is what was killing my netbios rules from starting.

          tester_02, we are not using the RC or beta versions.  This is the older one:
          2.8.4.1_5 pkg v.1.7
          I'm also finding it's not just dns.rules, having issues with smtp.rules and sql.rules too; does anyone else run darkstat with snort?  Also, I don't have any of the .so rules selected or the following -

          chat, icmp, experimental, local, and netbios
          I'm going to try reloading without darkstat installed and see how it does.

            jan.gestre

            @jamesdean:

            @madapaka, are you on nanobsd?

            Can you give me the size of these dirs.

            /usr/local/etc/snort

            /var/log/snort

            James

            Hi James,

            I'm not on nanobsd, this is a regular PC with 40GB HDD

            madapaka

              mentalhemroids

              James, I did a clean load on my 1 GHz with 512 MB RAM running 1.2.2, and as soon as I have dns.rules enabled in the list snort shuts down.  If I move to the next rule it's fine, but still those same rules are giving problems.

              Install snort on a clean system without any packages and start snort.

              Then install another package you are using and start snort.

              Do that until you see the error again.

              Oh, make sure you do

              rm /var/log/snort/*

              James

                tester_02

                The reason I switched from 1.7 to the snort dev was because I was having issues like yourself.  It seems like snort released new rules that the old snort release does not handle.  My setup was running great until I did an update and then it failed to start. I narrowed down the list of rules via the pfSense logs, and started removing rules until it started back up.  The only way to get those rules running seems to be to switch to the new package, and all the rules work.
                I hate to suggest dev/beta builds also, but to me it's dev vs less rules.
                Besides, the new release that Jamesdean has released is working perfectly for me.

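The narrowing-down described in the post above can be done without restarting the service each time, by running Snort's configuration self-test (`-T`) against one rule file at a time. The script below is an added example, not code from any poster or from the pfSense Snort package; the `SNORT_BIN` variable, the `find_bad_rules` function and the location of `snort.conf` are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example (not from the thread): test each enabled rule file on its own
# with Snort's config self-test (-T) to find the ones that stop it loading.
# Assumption: SNORT_BIN points at a snort binary that accepts -T and -c.
SNORT_BIN="${SNORT_BIN:-snort}"
RULE_INCLUDE='^[[:space:]]*include[[:space:]].*\.rules[[:space:]]*$'

# find_bad_rules CONF
# Prints "OK   <file>" or "FAIL <file>: <first error line>" per rule include.
find_bad_rules() {
    conf="$1"
    work="$(mktemp -d)" || return 2
    # The trial config must sit beside snort.conf so relative includes resolve.
    trial="$(mktemp "$(dirname "$conf")/ruletest.XXXXXX")" || return 2
    # Base = variables, preprocessors and outputs, with every rule include
    # stripped, so each rule file is tested with the same preprocessor setup.
    grep -Ev "$RULE_INCLUDE" "$conf" > "$work/base.conf" || :
    grep -E "$RULE_INCLUDE" "$conf" | while read -r kw path; do
        cat "$work/base.conf" > "$trial"
        printf 'include %s\n' "$path" >> "$trial"
        name="${path##*/}"
        if "$SNORT_BIN" -T -c "$trial" > "$work/out.log" 2>&1; then
            echo "OK   $name"
        else
            echo "FAIL $name: $(grep -i 'error' "$work/out.log" | head -n 1)"
        fi
    done
    rm -rf "$work" "$trial"
}

# Run against a real config only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    find_bad_rules "$1"
fi
```

Commented-out includes stay in the base config and are not tested, so only the categories currently enabled are checked. The quoted error line shows whether a failure comes from the rule file itself or from a preprocessor it depends on.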
                  jan.gestre

                  Is it caused by two versions of perl? ntop uses 5.8 while snort uses 5.10

                    mentalhemroids

                    I did a reinstall with 1.2.3 and then installed the newest snort package and it worked well, but now I'm dealing with an uninstall problem with snort.  Just don't restart after installing snort. ;)

                      jamesdean

                      @madapaka:

                      Hi,

                      I've just installed snort 2.8.4.1_5 pkg v.1.7 on my pfSense 1.2.3 box, followed everything in the documentation and started the service; however, snort only runs for less than 5 minutes then dies. I've even restarted the machine and still have the same result.

                      The only significant error displayed on the pfSense console is this:

                      swap_pager: out of swap space
                      swap_pager_getswapspace(16): failed

                      I found the error odd because when I looked at the system page, the disk is not full and swap space is only consuming 14%.

                      BTW this is a 512MB RAM with AMD CPU box.

                      TIA.

                      Remove your old logs.

                      rm /var/log/snort/*

                        jamesdean

                        @mentalhemroids:

                        I did a reinstall with 1.2.3 and then installed the newest snort package and it worked well, but now I'm dealing with an uninstall problem with snort.  Just don't restart after installing snort. ;)

                        @mentalhemroids

                        Tracked the problem to the old-snort.

                        Seems old-snort is not uninstalling completely and is conflicting with the new install.

                        Do a fresh install, sorry I didn't see this coming.

                        James

                          mentalhemroids

                          Thanks JamesDean!  You rock!  We can only get better, because nothing's perfect.
