Netgate Discussion Forum

    Snort immediately dies

    pfSense Packages
      tester_02

      Turn on the pre-processors.  That is what was killing my netbios rules from starting.

        mentalhemroids

        @tester_02:

        Turn on the pre-processors.  That is what was killing my netbios rules from starting.

        tester_02 we are not using the rc or beta versions.  This is the older one
        2.8.4.1_5 pkg v.1.7
        I'm also finding it's not just dns.rules, having issues with smtp.rules and sql.rules too; does anyone else run darkstat with snort?  Also, I don't have any of the .so rules selected or the following -

        chat, icmp, experimental, local, and netbios
        I'm going to try reloading without darkstat installed and see how it does.

          jan.gestre

          @jamesdean:

          @madapaka  are you on nano bsd ?

          Can you give me the size of these dirs.

          /usr/local/etc/snort

          /var/log/snort

          James

          Hi James,

          I'm not on nanobsd, this is a regular PC with 40GB HDD

          madapaka

            mentalhemroids

            James, I did a clean load on my 1ghz with 512mb ram running 1.2.2, and as soon as I have dns.rules enabled in the list snort shuts down.  If I move to the next rule it's fine, but still those same rules are giving problems.

            Install snort on a clean system without any packages and start snort.

            Then install another package you are using and start snort.

            Do that until you see the error again.

            oh make sure you do

            rm /var/log/snort/*

            James

              tester_02

              The reason I switched from 1.7 to the snort dev was because I was having issues like yourself.  It seems like snort released new rules that the old snort release does not handle.  My setup was running great until I did an update and then it failed to start. I narrowed down the list of rules via the pfsense logs, and started removing rules until it started back up.  The only way to get those rules running seems to be to switch to the new package, and all the rules work.
              I hate to suggest dev/beta builds also, but to me it's dev vs less rules.
              Besides, the new release that Jamesdean has released is working perfectly for me.
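
Added example (not part of the thread or of the pfSense Snort package): one way to automate the "remove rules until it starts" narrowing described above, by loading each rule category on its own in Snort's test mode (`snort -T`). The base config path, rules directory and the `CHECK_CMD` override are assumptions; the base config is assumed to be a snort.conf with its rule `include` lines removed.

```shell
#!/bin/sh
# Added example: report which *.rules files stop Snort from loading.
# Assumptions (not from the thread):
#   $1 = snort.conf with all rule "include" lines stripped out
#   $2 = directory holding the *.rules category files
# CHECK_CMD takes a config path and exits non-zero when the load fails.
CHECK_CMD=${CHECK_CMD:-"snort -T -q -c"}

# Print the file name of every rule category that fails to load alone.
failing_rules() {
    base_conf=$1
    rules_dir=$2
    tmp_conf=$(mktemp "${TMPDIR:-/tmp}/snortchk.XXXXXX") || return 1
    for rules in "$rules_dir"/*.rules; do
        [ -f "$rules" ] || continue
        # Base config plus exactly one rule category.
        cat "$base_conf" > "$tmp_conf"
        printf 'include %s\n' "$rules" >> "$tmp_conf"
        if ! $CHECK_CMD "$tmp_conf" >/dev/null 2>&1; then
            basename "$rules"
        fi
    done
    rm -f "$tmp_conf"
}

# Run directly as: sh script.sh <base_conf> <rules_dir>
if [ "$#" -eq 2 ]; then
    failing_rules "$1" "$2"
fi
```

A category that loads alone can still fail when combined with others on a low-memory box, so re-test the full enabled set after removing the files this reports.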

                jan.gestre

                Is it caused by two versions of perl? ntop uses 5.8 while snort uses 5.10

                  mentalhemroids

                  I did a reinstall with 1.2.3 and then installed the newest snort package and it worked well, but now I'm dealing with an uninstall problem with snort.  Just don't restart after installing snort. ;)

                    jamesdean

                    @madapaka:

                    Hi,

                    I've just installed snort 2.8.4.1_5 pkg v.1.7 on my pfSense 1.2.3 box, followed everything on the documentation and started the service however snort only runs for less than 5 minutes then dies, I've even restarted the machine and still have the same result.

                    The only significant error displayed on the pfSense console is this:

                    swap_pager: out of swap space
                    swap_pager_getswapspace(16): failed

                    I found the error odd because when I looked at the system page, the disk is not full and swap space is only consuming 14%.

                    BTW this is a 512MB RAM with AMD CPU box.

                    TIA.

                    Remove your old logs.

                    rm /var/log/snort/*

                      jamesdean

                      @mentalhemroids:

                      I did a reinstall with 1.2.3 and then installed the newest snort package and it worked well, but now I'm dealing with an uninstall problem with snort.  Just don't restart after installing snort. ;)

                      @mentalhemroids

                      Tracked the problem to the old-snort.

                      Seems old-snort is not uninstalling completely and is conflicting with the new install.

                      Do a fresh install, sorry I didn't see this coming.

                      James

                        mentalhemroids

                        Thanks JamesDean!  You rock!  We can only get better, because nothing's perfect.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.