Snort
-
Snort fails to start with pfSense now after the last update, 1.26.
-
works here
-
~~Same here,
Does not start for me after 1.26 update (from 1.25)
Log Error:
snort[11812]: FATAL ERROR: parser.c(5161) Could not stat dynamic module path "/usr/local/lib/snort/dynamicrules/": No such file or directory.
OP: just a friendly suggestion… I would change your title of the thread to something like
"Snort: won't start after 1.26 upgrade"
Also, what do you have in your logs?
You might want to list your PF version also to help JamesDean and others.
My Box:
PF 1.2.3 Full~~
CDX304: Update your rule and try to start Snort.
I forgot to do this after the install… After rule update... all is good.
:)
-
It does not matter; I did the update twice and it still does not start with reboot.
-
@cdx304:
It does not matter; I did the update twice and it still does not start with reboot.
Did you try to re-save your interface settings? That will rebuild your missing files.
James
-
Yes sir, I did re-save the settings.
-
What is in the system log?
Any errors?
-
May 27 12:11:59 snort[35715]: [ Number of null byte prefixed patterns trimmed: 19648 ]
May 27 12:11:59 snort[35715]: [ Number of null byte prefixed patterns trimmed: 19648 ]
May 27 12:11:59 snort[35715]:
May 27 12:11:59 snort[35715]:
May 27 12:11:59 snort[35715]: --== Initialization Complete ==--
May 27 12:11:59 snort[35715]: --== Initialization Complete ==--
May 27 12:11:59 snort[35715]: Snort initialization completed successfully (pid=35715)
May 27 12:11:59 snort[35715]: Snort initialization completed successfully (pid=35715)
May 27 12:11:59 snort[35715]: Not Using PCAP_FRAMES
May 27 12:11:59 snort[35715]: Not Using PCAP_FRAMES
May 27 12:11:59 snort[35715]:
May 27 12:11:59 snort[35715]:
May 27 12:11:59 snort[35715]: --== Reloading Snort ==--
May 27 12:11:59 snort[35715]: --== Reloading Snort ==--
May 27 12:11:59 snort[35715]:
May 27 12:11:59 snort[35715]:
May 27 12:11:59 snort[35715]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_9698_fxp0/snort.conf": No such file or directory.
May 27 12:11:59 snort[35715]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_9698_fxp0/snort.conf": No such file or directory.
May 27 12:11:59 kernel: fxp0: promiscuous mode disabled
May 27 12:12:15 dnsmasq[33264]: reading /etc/resolv.conf
May 27 12:12:15 dnsmasq[33264]: using nameserver 208.67.222.222#53
May 27 12:12:15 dnsmasq[33264]: using nameserver 208.67.220.220#53
-
Latest log after reboot:
May 29 17:49:44 check_reload_status: reloading filter
May 29 17:49:55 check_reload_status: updating dyndns
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]: [ Port Based Pattern Matching Memory ]
May 29 17:49:55 snort[32531]: [ Port Based Pattern Matching Memory ]
May 29 17:49:55 snort[32531]: +-[AC-BNFA Search Info Summary]------------------------------
May 29 17:49:55 snort[32531]: +-[AC-BNFA Search Info Summary]------------------------------
May 29 17:49:55 snort[32531]: | Instances : 729
May 29 17:49:55 snort[32531]: | Instances : 729
May 29 17:49:55 snort[32531]: | Patterns : 199662
May 29 17:49:55 snort[32531]: | Patterns : 199662
May 29 17:49:55 snort[32531]: | Pattern Chars : 2233499
May 29 17:49:55 snort[32531]: | Pattern Chars : 2233499
May 29 17:49:55 snort[32531]: | Num States : 1586585
May 29 17:49:55 snort[32531]: | Num States : 1586585
May 29 17:49:55 snort[32531]: | Num Match States : 333501
May 29 17:49:55 snort[32531]: | Num Match States : 333501
May 29 17:49:55 snort[32531]: | Memory : 40.93Mbytes
May 29 17:49:55 snort[32531]: | Memory : 40.93Mbytes
May 29 17:49:55 snort[32531]: | Patterns : 6.70M
May 29 17:49:55 snort[32531]: | Patterns : 6.70M
May 29 17:49:55 snort[32531]: | Match Lists : 15.34M
May 29 17:49:55 snort[32531]: | Match Lists : 15.34M
May 29 17:49:55 snort[32531]: | Transitions : 18.72M
May 29 17:49:55 snort[32531]: | Transitions : 18.72M
May 29 17:49:55 snort[32531]: +-------------------------------------------------
May 29 17:49:55 snort[32531]: +-------------------------------------------------
May 29 17:49:55 snort[32531]: [ Number of null byte prefixed patterns trimmed: 8347 ]
May 29 17:49:55 snort[32531]: [ Number of null byte prefixed patterns trimmed: 8347 ]
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]: --== Initialization Complete ==--
May 29 17:49:55 snort[32531]: --== Initialization Complete ==--
May 29 17:49:55 snort[32531]: Snort initialization completed successfully (pid=32531)
May 29 17:49:55 snort[32531]: Snort initialization completed successfully (pid=32531)
May 29 17:49:55 snort[32531]: Not Using PCAP_FRAMES
May 29 17:49:55 snort[32531]: Not Using PCAP_FRAMES
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]: --== Reloading Snort ==--
May 29 17:49:55 snort[32531]: --== Reloading Snort ==--
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]:
May 29 17:49:55 snort[32531]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39431_xl0/snort.conf": No such file or directory.
May 29 17:49:55 snort[32531]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39431_xl0/snort.conf": No such file or directory.
May 29 17:49:56 kernel: xl0: promiscuous mode disabled
May 29 17:50:55 dnsmasq[32812]: reading /etc/resolv.conf
May 29 17:50:55 dnsmasq[32812]: using nameserver 208.67.222.222#53
May 29 17:50:55 dnsmasq[32812]: using nameserver 208.67.220.220#53
-
If I restart pfSense… I have to manually start Snort; it will not start otherwise.
-
This may or may not be in the same related problem-field but I've found that with mine I have to disable any 'Emerging' categories and then save. I'll get the same or similar error (no pattern really) of conf not found.
Then enable the emerging threats one at a time until I find one that causes an error so I just leave that one out.
It has happened a few times now, but by the next rule update that particular category (changes which one each time) is fixed - though another might have a problem.
Might try that if you have the problem again and other solutions don't work. IF you use those categories :)
-
I tried that and it does not work.
-
This may or may not be in the same related problem-field but I've found that with mine I have to disable any 'Emerging' categories and then save. I'll get the same or similar error (no pattern really) of conf not found.
Then enable the emerging threats one at a time until I find one that causes an error so I just leave that one out.
It has happened a few times now, but by the next rule update that particular category (changes which one each time) is fixed - though another might have a problem.
Might try that if you have the problem again and other solutions don't work. IF you use those categories :)
Version 1.25 worked fine but the updates would not work.
-
Have you even seen if the file or directory truly exists? If the directory exists but not the file, have you tried "touch /usr/local/etc/snort/snort_9698_fxp0/snort.conf" in the shell?
-
Have you even seen if the file or directory truly exists? If the directory exists but not the file, have you tried "touch /usr/local/etc/snort/snort_9698_fxp0/snort.conf" in the shell?
g4m3c4ck has a good idea.
I have a few hours this morning to work on this issue.
I'm going to add code to create missing files when a save is executed.
James
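
The check suggested above (does the file, or only its directory, exist?) can be run over the log in one pass. This is an added example, not part of the thread or of the pfSense Snort package; the function names are hypothetical and the sample log is constructed from the lines quoted in the posts.

```shell
#!/bin/sh
# Added example: triage Snort "No such file or directory" fatal errors.

# Constructed sample, modelled on the log lines quoted in this thread.
sample_log() {
cat <<'EOF'
May 27 12:11:59 snort[35715]: Snort initialization completed successfully (pid=35715)
May 27 12:11:59 snort[35715]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_9698_fxp0/snort.conf": No such file or directory.
May 27 12:11:59 snort[35715]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_9698_fxp0/snort.conf": No such file or directory.
May 27 12:11:59 kernel: fxp0: promiscuous mode disabled
May 27 12:12:01 snort[11812]: FATAL ERROR: parser.c(5161) Could not stat dynamic module path "/usr/local/lib/snort/dynamicrules/": No such file or directory.
EOF
}

# Read syslog text on stdin; print each distinct path that a Snort
# FATAL ERROR line reports as missing (duplicate log lines collapse).
missing_paths() {
    sed -n 's/.*snort\[[0-9]*]: FATAL ERROR: .*"\([^"]*\)": No such file or directory.*/\1/p' |
        sort -u
}

# Classify one path:
#   present                  - path exists now (error is stale)
#   missing-in-existing-dir  - parent directory exists, entry does not
#   parent-dir-missing       - the per-interface directory itself is gone
classify_path() {
    p=$1
    if [ -e "$p" ]; then
        echo "present"
    elif [ -d "$(dirname "$p")" ]; then
        echo "missing-in-existing-dir"
    else
        echo "parent-dir-missing"
    fi
}

# Read syslog text on stdin; print "<status><TAB><path>" per missing path.
triage() {
    missing_paths | while IFS= read -r path; do
        printf '%s\t%s\n' "$(classify_path "$path")" "$path"
    done
}

# Demo on the constructed sample; on a real box, pipe the system log text in.
sample_log | triage
```

A `parent-dir-missing` result means `touch` on the file would fail as well, so the per-interface directory has to be rebuilt first.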