Netgate Discussion Forum

    Snort Won't Start After Upgrade

      tester_02

      Personally I think snort should be part of the main package.  To me pfsense is the main release + squid + squidguard + snort.  I just believe that part of the main development should be those packages integrated into the release.
      Beyond that, if this package is so critical to so many, why has nobody put up a bounty like others suggested?  I am also sure that the amount contributed to the snort developer is probably peanuts compared to the time he's put into this package.  I am sure more of an incentive to keep it going would not hurt.
      As just a home user I've donated my $50 in the past (and probably should do more when the next release comes out), as well as offered money for bounties when I can.  For people complaining that their company needs it, I think the amount should be much more.  Your business is operating on free software, contribute to it, or it will stop being developed.  Complain when you have to spend thousands on proprietary software with yearly fees, instead of living off free software.  It's not really free, as the developers spend their time working on it for nothing.  Donate a few dollars per year, it's worth the rewards when you get software like pfsense (watch the other distros with no support fall off over the years or move strictly into pay systems and you will know how good this really is).

      That's all I have to say on the topic….

        jamesdean

        Update….

        I am pretty much done with everything, GUI wise. New snort binaries are building right now, that is a relief.

        Only 2 things left to do...

        1. create snortsam GUI.

        2. create snortsam/snort/barnyard2 startup scripts.

        I have been stuck on creating a way to manage the snortsam block sid rule sets and saving user changes to said blocked sids.
        You guys/girls have to realize there are 30,000 snort/emerging rule block sids and I have to make sure your saved settings are saved and displayed correctly as fast as possible.

        Side note: I am always happy when you guys care enough to complain. Makes me feel my work on the GUI and the forums is useful to you.
        I understand you guys are bothered, but snort is working on pfsense 1.2.3 and the removal of the old snort version from 2.0 could not be helped.
        Moreover, I understand the urgency and I am working as fast as possible with the limited amount of time I have. (personal life, work, paid projects etc...)

        I am not giving you a date on release to beta, just know I am close.

        follow my progress
        https://github.com/robiscool

        Thanks
        Robert

          cyber7

          Hi Robert.
          Actually, it is very true what you say.  The reason people (including myself!) are complaining is because your work is so very important in the entire release of pfSense that without your contribution, the firewall is reasoned lacking.  (In other words, without Snort, pfSense just won't do!)

          I thank you for your update.  I believe most people (if not all) have been put to rest seeing that you are putting so much effort into Snort.

          Kind regards
          Aubrey Kloppers
          Cape Town
          South Africa

          When you pause to think, do you start again?

          2.2.4-RELEASE (amd64)
          built on Sat Jul 25 19:57:37 CDT 2015
          FreeBSD 10.1-RELEASE-p15
          and
          pfSense 2.3.2-RELEASE-p1 (amd64 full-install) on pfSense

            Cino

            Robert,

            Keep up the good work man! From what I've seen, the new package looks really awesome! Looking forward to beta testing when that time comes..

              Darkk

              Awesome!! Looking forward to it.

              Darkk

                NightHawk007

                I am glad my standby UTM software still works on my hardware. I hope you guys tell us when the beta is ready to go.

                  seattle-it

                  Segfaults for me on an AMD64 box when started from a shell .. looks as if progress is being made though, keep @ it Jamesdean ;)

                  My tech blog - seattleit.net/blog

                    cmb

                    We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has led to this massive clean up today, with more work to be done on it tomorrow.
                    https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a

                    That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.

                    If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.

                      Cino

                      @cmb:

                      We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has led to this massive clean up today, with more work to be done on it tomorrow.
                      https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a

                      That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.

                      If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.

                      Funny, I just checked github to see what updates are out there and Ermal has been busy!! I see the old snort package is enabled… Who is going to be the brave soul and try it? Well I gave it a shot and it installed on my system but it couldn't download the rules from snort.org

                      Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 859 
                      

                      I guess I should wait until the devs say it's good to go.

                      going to see if i can manually download them

                        jamesdean

                        @cmb is right, snort should be maintained by the core paid developers. My work on snort package will stop immediately and will move my code to a package called Orion.
                        I have really enjoyed giving my free time and code to the pfSense snort community. I hope people continue to enjoy my GUI I have built and code I have donated.
                        Those of you that expect the Old snort gui to return don't worry, 90% of my snort 1.2.3 code will not change for 2.0.

                        My snort 2.0 package I was working on will become Orion IDS package and will likely become private for paid supporters. This will help me give my full attention to this package.
                        I think I have a base now that can support me to work on this package on a limited part time.

                        Moreover, this should give me the freedom to add features as fast as possible.

                        Robert

                          eri--

                          I just made some other changes that should make it behave better in regards to rule downloading.

                          I couldn't test with snort.org since it was slow and did not have an account to test with.

                            Cino

                            This makes sense if I'm reading these last couple of posts correctly.  Snort being maintained by the core dev team.. If users want more than a basic Snort package… They have the option to pay for the Orion IDS.

                            @Ermal I'll give it a shot but you are right! Snort.org is really slow today... My manual updating from the cmd failed due to timeouts

                              Cino

                              Snort's site is timing out so I can't test. emergingnet rules downloaded with no problems.

                              When I tried to start snort on my WAN interface, this is the error I received:

                              Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 92
                              Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: Is a directory in /usr/local/pkg/snort/snort.inc on line 1184
                              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 192
                              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 193
                              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 194
                              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 195
                              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 196
                              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 197
                              

                              This is in my system log:

                              
                              Aug 2 13:20:31 	php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
                              Aug 2 13:20:31 	php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
                              
                              

                              I don't know if this is related to adding snort or my morning's gitsync but when I look at my system log I get the below errors. I'm able to see the system log tho but this is at the header of the page. Also, none of the other tabs are showing this error (firewall, dhcp, openvpn)

                              
                              Warning: Unknown: GC cache entry '/usr/local/www/guiconfig.inc' (dev=109 ino=801962) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/usr/local/www/csrf/csrf-magic.php' (dev=109 ino=801951) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/xmlparse.inc' (dev=109 ino=7301225) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/util.inc' (dev=109 ino=7301219) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/priv.defs.inc' (dev=109 ino=7301206) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/priv.inc' (dev=109 ino=7301205) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/priv/user.priv.inc' (dev=109 ino=7301204) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/notices.inc' (dev=109 ino=7301195) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/led.inc' (dev=109 ino=7301192) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/IPv6.inc' (dev=109 ino=7301190) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/globals.inc' (dev=109 ino=7301185) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/crypt.inc' (dev=109 ino=7301178) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/config.lib.inc' (dev=109 ino=7301176) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/config.gui.inc' (dev=109 ino=7301175) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/authgui.inc' (dev=109 ino=7301168) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: Unknown: GC cache entry '/etc/inc/auth.inc' (dev=109 ino=7301167) was on gc-list for 3659 seconds in Unknown on line 0
                              Warning: session_start(): Cannot send session cache limiter - headers already sent in /etc/inc/auth.inc on line 1260
                              Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 47
                              Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 48
                              Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 49
                              Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 50
                              Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 51
                              
                              

                              Now I'm asking for too much, could it be possible to add an index.php in the root of the snort www directory with the below code? So when I click on the pfSense image in the upper left corner, it brings me back to the main dashboard page instead of page not found.

                              EDIT: The permissions are wrong on the /usr/local/etc/rc.d/snort.sh file I believe. It's currently 644, should be 755. I tried to manually start snort using the snort.sh but I think there is a syntax error with the interface

                              
                              [2.1-DEVELOPMENT][root@]/root/custom(7): /usr/local/etc/rc.d/snort.sh start
                              ls: /tmp/snort.sh.pid: No such file or directory
                              ls: /tmp/snort.sh.pid: No such file or directory
                              rm: /var/run/snort_7758_em3.pid: No such file or directory
                              rm: /var/run/snort_7758_em3.pid.lck: No such file or directory
                              [2.1-DEVELOPMENT][root@]/root/custom(8): usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file target_file
                                     cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file ... target_directory
                              
                              
                                valshare

                                Hello,

                                I am running the latest pfsense 2.0 rc3 from today and have installed the snort 2.0 package as a virtual machine on kvm. If I want to edit the network interface in the snort settings, I get an "error: no uuid". How can I fix this problem?

                                Regards, valle

                                  eri--

                                  @Cino,

                                  should be fixed, just reinstall.

                                  @valshare,

                                  please give me the right error message since that does not mean anything!

                                    NightHawk007

                                    The thing on this forum that just does not make sense: people do not read the forum. Snort has been broken for a long time now. There were a couple of posts on the forum saying it will be a while before it gets fixed.
                                    Will someone tell us how far it has come and is the beta out yet for us to test out?
                                    I am using my standby UTM software with snort in their operating system and it works perfectly.

                                      Cino

                                      @ermal:

                                      @Cino,

                                      should be fixed, just reinstall.

                                      Almost there… it seems to forget the interface.. I noticed that you made some changes to how it puts the interface, wondering if something is missing there.

                                      I deleted all my snort configs... Added an interface... told me I had no rules... updated the rules again.... checked some rules.... tried to start it, didn't start. Went back to the categories and was told I don't have rules... it's picking the wrong directory or something.

                                      Aug 2 17:10:29 	SnortStartup[35682]: Interface Rule START for 0_39737_...
                                      Aug 2 17:10:29 	snort[34151]:
                                      Aug 2 17:10:29 	snort[34151]:
                                      Aug 2 17:10:29 	snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
                                      Aug 2 17:10:29 	snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
                                      

                                        eri--

                                        Can you show me the generated snort conf?

                                          Cino

                                          @ermal:

                                          Can you show me the generated snort conf?

                                          Here you go:

                                          #!/bin/sh
                                          ########
                                          # This file was automatically generated
                                          # by the pfSense service handler.
                                          # Code added to protect from double starts on pfSense bootup
                                          ######## Begining of Main snort.sh
                                          
                                          rc_start() {
                                          
                                          	#### Check for double starts, Pfsense has problems with that
                                          	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
                                          
                                          		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
                                          		exit 0
                                          
                                          	fi
                                          
                                          	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
                                          
                                          	#### Remake the configs on boot Important!
                                          	/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &
                                          	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..."
                                          
                                          ###### For Each Iface
                                          
                                          #### Fake start only used on bootup and Pfsense IP changes
                                          #### Only try to restart if snort is running on Iface
                                          if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" != "" ]; then
                                          
                                          	snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`"
                                          	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
                                          
                                          	#### Restart Iface
                                          	/bin/kill -HUP ${snort_pid}
                                          	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For 39737_..."
                                          
                                          fi
                                          
                                          	/bin/rm /tmp/snort.sh.pid
                                          
                                          	#### If on Fake start snort is NOT running DO a real start.
                                          	if [ "`/bin/ps -auwx | grep -v grep | grep "R 39737" | awk '{print $2;}'`" = "" ]; then
                                          
                                          		rc_start_real
                                          
                                          	fi
                                          }
                                          
                                          rc_start_real() {
                                          
                                          	#### Check for double starts, Pfsense has problems with that
                                          	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
                                          		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
                                          		exit 0
                                          	fi
                                          
                                          	###### For Each Iface
                                          
                                          # If Snort proc is NOT running
                                          if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" = "" ]; then
                                          
                                          	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
                                          
                                          	# Start snort and barnyard2
                                          	/bin/rm /var/run/snort_39737_.pid
                                          	/bin/rm /var/run/snort_39737_.pid.lck
                                          
                                          	/usr/local/bin/snort -u snort -g snort -R 39737 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 39737 -c /usr/local/etc/snort/snort_39737_/snort.conf -i 
                                          
                                          	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For 39737_..."
                                          
                                          fi
                                          
                                          	/bin/rm /tmp/snort.sh.pid
                                          
                                          }
                                          
                                          rc_stop() {
                                          
                                          	#### Check for double starts, Pfsense has problems with that
                                          	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
                                          		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
                                          		exit 0
                                          	fi
                                          
                                          pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`
                                          sleep 3
                                          pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_39737_.u2" | /usr/bin/awk '{print $2;}'`
                                          
                                          if [ ${pid_s} ] ; then
                                          
                                          	/bin/echo "snort.sh run" > /tmp/snort.sh.pid
                                          	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For 39737_..."
                                          
                                          	/bin/kill ${pid_s}
                                          	sleep 3
                                          	/bin/kill ${pid_b}
                                          
                                          	/bin/rm /var/run/snort_39737_.pid.lck
                                          	/bin/rm /var/run/snort_39737_.pid
                                          
                                          fi
                                          
                                          	/bin/rm /tmp/snort.sh.pid
                                          	/bin/rm /var/run/snort*
                                          
                                          }
                                          
                                          case $1 in
                                          	start)
                                          		rc_start
                                          		;;
                                          	start_real)
                                          		rc_start_real
                                          		;;
                                          	stop)
                                          		rc_stop
                                          		;;
                                          	restart)
                                          		rc_stop
                                          		rc_start_real
                                          		;;
                                          esac
                                          
                                          
                                          1 Reply Last reply Reply Quote 0
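
A pre-start lint for the three symptoms reported in this thread: snort.sh left at mode 644, a snort command line whose `-i` has no interface, and `snort_<id>_` paths with the interface name missing. This is an added example, not part of any forum post or of the pfSense Snort package; the function names are hypothetical and both sample files are constructed (the first from two lines of the script posted above).

```shell
#!/bin/sh
# Added example: lint a generated snort.sh before using it to start the sensor.
# Not code from the thread or from the pfSense Snort package.

# scan TAG REGEX FILE: print "TAG:<line number>" for every matching line.
scan() {
    grep -nE "$2" "$3" | while IFS=: read -r n rest; do
        echo "$1:$n"
    done
}

# check_snort_rc FILE: print findings, return 0 only when there are none.
check_snort_rc() {
    rc_file=$1
    out=$(
        # rc.d scripts need the owner execute bit (thread: 644 instead of 755).
        mode=$(ls -ld "$rc_file" | cut -c1-10)
        case $mode in
            ???x*) ;;
            *) echo "MODE:$mode" ;;
        esac
        # snort started with -i as the last token: no interface was filled in.
        scan IFACE '/snort[[:space:]].*[[:space:]]-i[[:space:]]*$' "$rc_file"
        # Paths of the form snort_<id>_<iface> where <iface> is empty.
        scan PATH 'snort_[0-9]+_[./]' "$rc_file"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: two lines taken from the snort.sh posted in the thread.
make_bad_sample() {
    cat > "$1" <<'EOF'
/bin/rm /var/run/snort_39737_.pid
/usr/local/bin/snort -u snort -g snort -R 39737 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 39737 -c /usr/local/etc/snort/snort_39737_/snort.conf -i
EOF
    chmod 644 "$1"
}

# Constructed sample of a healthy script; id 7758 and em3 are illustrative.
make_good_sample() {
    cat > "$1" <<'EOF'
/bin/rm /var/run/snort_7758_em3.pid
/usr/local/bin/snort -u snort -g snort -R 7758 -D -q -c /usr/local/etc/snort/snort_7758_em3/snort.conf -i em3
EOF
    chmod 755 "$1"
}

# Demo: run the lint over the bad sample and refuse to start on any finding.
demo_dir=$(mktemp -d)
make_bad_sample "$demo_dir/snort.sh"
check_snort_rc "$demo_dir/snort.sh" || echo "snort.sh failed the check; not starting snort"
rm -rf "$demo_dir"
```
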
                                            eri--

                                            Try the new update i just made.

                                            That is the startup script and not the config. But for now all should be fixed.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.