Snort Won't Start After Upgrade
-
any success?
I am now back on the June 1st snapshot but haven't installed snort yet.
-
I recently deployed 6 PFS 2.0RC2 boxes. The first two were deployed a week or so ago and I installed snort via the package manager; the other ones were installed a few days after. I have noticed on the more recently built servers I am having the same issue with snort failing to start.
As others have noticed, it appears to be an issue with the dynamic link to libpcap. The WORKING snort I had installed was exactly the same version (2.8.6.1 pkg v. 1.34) as the "broken" snort installs, except the difference is the working snort installation has the following:
$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f9000)
libpcap.so.7 => /lib/libpcap.so.7 (0x800835000)
libm.so.5 => /lib/libm.so.5 (0x800966000)
libc.so.7 => /lib/libc.so.7 (0x800a85000)
The non working version has the following:
$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
libpcap.so.1 => not found (0x0)
libm.so.5 => /lib/libm.so.5 (0x800830000)
libc.so.7 => /lib/libc.so.7 (0x80094f000)
My resolution was this:
ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
the result is:
$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
libpcap.so.1 => /lib/libpcap.so.1 (0x800830000)
libm.so.5 => /lib/libm.so.5 (0x800961000)
libc.so.7 => /lib/libc.so.7 (0x800a80000)
I won't say that this is an "official" fix but it does appear to work without issues and allow snort to function until this is resolved…
Hope this helps someone!
-
Ok, so I tried the above fix. Didn't work for me. Here's what it says:
[2.0-RC2][admin@pfsense.localdomain]/root(1): ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
[2.0-RC2][admin@pfsense.localdomain]/root(2): snort
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
Fatal Error, Quitting..
[2.0-RC2][admin@pfsense.localdomain]/root(3):
Getting closer anyways :)
-th3r3isnospoon
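The two diagnostics used in the posts above (reading ldd output for unresolved libraries, and checking the dynamic module directory that snort.conf points at), as an added shell example that is not part of any post or of the pfSense Snort package. The function names are hypothetical, and the sample ldd output is the failing one quoted in the thread.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two start-up failures in this thread.
# Function names are hypothetical; nothing here is shipped by pfSense or Snort.

# Print the soname of every library that ldd reports as unresolved.
# Reads ldd output on stdin so it also works on saved output.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Print every directory named on a "dynamicpreprocessor directory" or
# "dynamicdetection directory" line of the given snort.conf that does not
# exist on disk. Commented-out lines are ignored because their first field
# is not the bare keyword.
missing_module_dirs() {
    conf=$1
    awk '($1 == "dynamicpreprocessor" || $1 == "dynamicdetection") &&
         $2 == "directory" { print $3 }' "$conf" |
    while IFS= read -r dir; do
        [ -d "$dir" ] || printf '%s\n' "$dir"
    done
}

# Constructed sample: the failing ldd output quoted earlier in the thread.
SAMPLE_LDD='/usr/local/bin/snort:
    libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
    libpcap.so.1 => not found (0x0)
    libm.so.5 => /lib/libm.so.5 (0x800830000)
    libc.so.7 => /lib/libc.so.7 (0x80094f000)'

# On a live box (paths as they appear in the thread):
#   ldd /usr/local/bin/snort | missing_libs
#   missing_module_dirs /usr/local/etc/snort/snort.conf
printf '%s\n' "$SAMPLE_LDD" | missing_libs   # prints libpcap.so.1
```

An unresolved soname means the binary was linked against a different libpcap version than the one installed; a symlink satisfies the loader but does not guarantee the two versions are ABI-compatible.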
-
At the bottom of this website, they talk about the same issues: http://michaelok.tumblr.com/
I'll read through it and possibly try some fixes and post back :)
-th3r3isnospoon
-
Hello all–
I have the same error after upgrading to the 7-June and 8-June pfsense2-RC2 amd64 full.
After I ln -s /lib/libpcap.so.7 to /usr/local/lib/libpcap.so.1
and try running snort from the web-configurator, I got an unsupported output plugin: "alert_pf" error in my syslog...
@th3r3isnospoon:
ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
This is a dynamic lib path error. The path in pfsense is "/usr/local/lib/snort/dynamicpreprocessor/"
-
FWIW, I submitted a bug report.
http://redmine.pfsense.org/issues/1590
-th3r3isnospoon
-
Hi all,
I have the exact same console output. The interesting thing is syslog.
In the latest release of pfsense 2.0-RC2 I can't get Snort to start. The syslog reveals the following:
Jun 9 07:12:19 SnortStartup[63658]: Snort HARD Reload For 34679_sis0…
Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"
Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"
Line 207 of the above file is:
output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c
Andrew
-
no go.
Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?
-
no go.
Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?
Mine had some clean installs and I did have the issue; which I resolved with my ln fix. I'm not sure why it's not working for others. :(
-
In the latest few snapshots even dynamic DNS is failing and the IP shows in red as 0.0.0.0
Looks like both a snapshot and Snort package issue.
-
I looked into snort.inc; it looks like snort is supposed to fetch perl-threaded-5.12.1_1.tbz as a dependency… but I couldn't find it anywhere... the link to the file seems broken... I don't know if this is the cause of the alert_pf error... hope this will be fixed soon. :)
-
Can anyone fix the Snort install package?
-
It's possible the maintainer is on vacation. I sent him a pm a while back and have not yet received a response.
-
Any updates on the Snort package fix?
-
I haven't heard or seen anything yet :-\
Hopefully soon….
-th3r3isnospoon
-
Over a week since the package is in broken state >:(
Has no one installed snort since last 7 days?
-
Over a week since the package is in broken state >:(
Has no one installed snort since last 7 days?
Apparently not…. Hope this is fixed soon...
-th3r3isnospoon
-
Down with Snort since past 10 days !! >:(
-
I am having the same problem and it appears this person might have the same issue as well.
http://forum.pfsense.org/index.php/topic,37952.0.html
I feel so naked without my Snort. ;D
pfSense 2.0 RC2 build date June 15th
Snort 2.8.6.1 pkg 1.34
Also one more thing to add. According to the pfSense_Snort Twitter account it looks like he is planning a release pretty soon of Snort 2.9.0.4 pkg 1.37. Hopefully that has a fix for the issue we are seeing.
-
I too am having the same issue. Based on the number of reads I'm thinking we're not alone.