Snort Won't Start After Upgrade

oztiks

I recently deployed 6 PFS 2.0RC2 boxes. The first two were deployed a week or so ago and I installed snort via the package manager; the other ones were installed a few days after. I have noticed on the more recently built servers I am having the same issue with snort failing to start.

As others have noticed, it appears to be an issue with the dynamic link to libpcap. The WORKING snort I had installed was exactly the same version (2.8.6.1 pkg v. 1.34) as the "broken" snort installs, except the difference is the working snort installation has the following:

$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f9000)
libpcap.so.7 => /lib/libpcap.so.7 (0x800835000)
libm.so.5 => /lib/libm.so.5 (0x800966000)
libc.so.7 => /lib/libc.so.7 (0x800a85000)

The non working version has the following:

$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
libpcap.so.1 => not found (0x0)
libm.so.5 => /lib/libm.so.5 (0x800830000)
libc.so.7 => /lib/libc.so.7 (0x80094f000)

My resolution was this:

ln -s /lib/libpcap.so.7 /lib/libpcap.so.1

the result is:

$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
libpcap.so.1 => /lib/libpcap.so.1 (0x800830000)
libm.so.5 => /lib/libm.so.5 (0x800961000)
libc.so.7 => /lib/libc.so.7 (0x800a80000)

I won't say that this is an "official" fix but it does appear to work without issues and allow snort to function until this is resolved…
Hope this helps someone!

th3r3isnospoon

Ok, so I tried the above fix.  Didn't work for me. Here's what it says:

[2.0-RC2][admin@pfsense.localdomain]/root(1): ln -s /lib/libpcap.so.7 /lib/libpc                                                                                                                                                            ap.so.1
[2.0-RC2][admin@pfsense.localdomain]/root(2): snort
Running in IDS mode

–== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 28                                                                                                                                                            09 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 82                                                                                                                                                            43 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
Detection:
  Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_d                                                                                                                                                            ynamicpreprocessor/": No such file or directory.
Fatal Error, Quitting..
[2.0-RC2][admin@pfsense.localdomain]/root(3):

Getting closer anyways :)

-th3r3isnospoon

th3r3isnospoon

At the bottom of this website, they talk about the same issues: http://michaelok.tumblr.com/

I'll read through it and possibly try some fixes and post back :)

-th3r3isnospoon

rudfinch

Hello all–

I have same error after upgrade to 7-june and 8-june pfsense2-RC2 amd64 full.

after I ln -s /lib/libpcap.so.7 to /usr/local/lib/libpcap.so.1
and try running snort on the web-configurator I got unsupported output plugin: "alert_pf" error on my syslog...

@th3r3isnospoon:
ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
is dynamic lib path error.. the path in pfsense is "/usr/local/lib/snort/dynamicpreprocessor/"

th3r3isnospoon

FWIW, I submitted a bug report.

http://redmine.pfsense.org/issues/1590

-th3r3isnospoon

akm22562

Hi all,

I have the exact same console output.  The interesting thing is syslog.

In the latest release of pfsense 2.0-RC2 I can't get Snort to start.  The syslog reveals the following:

Jun 9 07:12:19 SnortStartup[63658]: Snort HARD Reload For 34679_sis0…
Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"
Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"

Line 207 of the above file is:

output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c

Andrew

asterix

no go.

Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?

oztiks

@asterix:

no go.

Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?

Mine had some clean installs and I did have the issue; which I resolved with my ln fix. I'm not sure why it's not working for others. :(

asterix

Latest few snapshots even dynamic DNS is failing and IP shows in red as 0.0.0.0

Looks like both a snapshot and Snort package issue.

rudfinch

I looked into snort.inc, looks like snort supposed to fetch perl-threaded-5.12.1_1.tbz as dependency… but couldn't find anywhere... the link to the file seems broken... I don't know if this is the cause of alert_pf error... hope this will be fixed soon. :)

asterix

Can anyone fix the Snort install package?

dzeanah

It's possible the maintainer is on vacation.  I sent him a pm a while back and have not yet received a response.

asterix

Any updates on the Snort package fix?

th3r3isnospoon

I haven't heard or seen anything yet  :-\

Hopefully soon….

-th3r3isnospoon

asterix

Over a week since the package is in broken state  >:(

Has no one installed snort since last 7 days?

th3r3isnospoon

@asterix:

Over a week since the package is in broken state  >:(

Has no one installed snort since last 7 days?

Apparently not….Hope this is fixed soon...

-th3r3isnospoon

asterix

Down with Snort since past 10 days !!  >:(

CyCyb3rradberRad

I am having the same problem and it appears this person might have the same issue as well.
http://forum.pfsense.org/index.php/topic,37952.0.html

I feel so naked without my Snort.  ;D

pfSense 2.0 RC2 build date June 15th
Snort 2.8.6.1 pkg 1.34

Also one more thing to add.  According to the pfSense_Snort Twitter account it looks like he is planning a release pretty soon of Snort 2.9.0.4 pkg 1.37.  Hopefully that has a fix for the issue we are seeing.

berglundma

I too am having the same issue. Based on the number of reads I'm thinking we're not alone.

dwood

Same thing here on a new install:

Version:
2.0-RC3 (amd64)
built on Tue Jun 21 23:37:22 EDT 2011

Intel(R) Atom(TM) CPU 330 @ 1.60GHz
Current: 799 MHz, Max: 1599 MHz

When starting Snort:
snort[26473]: FATAL ERROR: /usr/local/etc/snort/snort_31943_re1/snort.conf(351) Unknown output plugin: "alert_pf"

Cheers,
D.