Snort Won't Start After Upgrade
-
Update….
I am pretty much done with everything, GUI-wise. New snort binaries are building right now, that is a relief.
Only 2 things left to do...
1. create snortsam GUI.
2. create snortsam/snort/barnyard2 startup scripts.
I've been stuck on creating a way to manage the snortsam block sid rule sets and saving user changes to said blocked sids.
You guys/girls have to realize there are 30,000 snort/emerging rule block sids and I have to make sure your saved settings are saved and displayed correctly as fast as possible.
Side note: I am always happy when you guys care enough to complain. Makes me feel my work on the GUI and the forums is useful to you.
I understand you guys are bothered, but snort is working on pfsense 1.2.3 and the removal of the old snort version from 2.0 could not be helped.
Moreover, I understand the urgency and I am working as fast as possible with the limited amount of time I have (personal life, work, paid projects etc...). I am not giving you a date on release to beta, just know I am close.
follow my progress
https://github.com/robiscool
Thanks
Robert
-
Hi Robert.
Actually, it is very true what you say. The reason people (including myself!) are complaining is because your work is so very important in the entire release of pfSense that without your contribution, the firewall is reasoned lacking. (In other words, without Snort, pfSense just won't do!)
I thank you for your update. I believe most people (if not all) have been put to rest seeing that you are putting so much effort into Snort.
Kind regards
Aubrey Kloppers
Cape Town
South Africa
-
Robert,
Keep up the good work man! From what I've seen, the new package looks really awesome! Looking forward to beta testing when that time comes..
-
Awesome!! Looking forward to it.
Darkk
-
I am glad my standby UTM software still works on my hardware. I hope you guys tell us when the beta is ready to go..
-
Segfaults for me on an AMD64 box when started from a shell .. looks as if progress is being made though, keep @ it Jamesdean ;)
-
We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has led to this massive clean up today, with more work to be done on it tomorrow.
https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a
That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.
If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.
-
@cmb:
We need to be able to dedicate more of our core developer resources to clean this up and keep it working, as is it's largely just Rob's volunteer efforts, where the base system is largely done by people on our payroll (who, no offense to Rob, are far more experienced developers). What gets done by our core developers is largely what people are willing to pay for, and it's been years since we've had anyone interested in paying for Snort work. I've dedicated 10 hours of Ermal's time (with no funding, as a favor to a partner) to cleaning up bugs and bad code in the Snort package this week, which has led to this massive clean up today, with more work to be done on it tomorrow.
https://github.com/bsdperimeter/pfsense-packages/commit/c8b7c369d1b391fc687e4ad09ee156dbec37043a
That's not going to leave things in perfect shape (there are other improvements I'd like to see), but it will at least be much better. That's limited to the main snort package, not snort-dev, which Rob can continue to do whatever he wants with, but nothing will be merged back into the main snort package from now on without review and merge approval to keep things sane.
If anyone can dedicate some money to furthering our efforts here, please contact me (cmb at pfsense dot org). I'd love to get more of our resources on it, but we also have to make payroll so we're limited in what we can do because we want to do it.
Funny, I just checked github to see what updates are out there and Ermal has been busy!! I see the old snort package is enabled… Who is going to be the brave soul and try it? Well, I gave it a shot and it installed on my system, but it couldn't download the rules from snort.org:
Warning: curl_exec(): Could not call the CURLOPT_WRITEFUNCTION in /usr/local/www/snort/snort_download_rules.php on line 859
I guess I should wait until the devs say it's good to go.
Going to see if I can manually download them.
-
@cmb is right snort should be maintained by the core paid developers. My work on snort package will stop immediately and will move my code to a package called Orion.
I have really enjoyed giving my free time and code to the pfSense snort community. I hope people continue to enjoy my GUI I have built and code I have donated.
Those of you that expect the old snort GUI to return, don't worry, 90% of my snort 1.2.3 code will not change for 2.0.
My snort 2.0 package I was working on will become the Orion IDS package and will likely become private for paid supporters. This will help me give my full attention to this package.
I think I have a base now that can support me to work on this package on a limited part-time basis.
Moreover, this should give me the freedom to add features as fast as possible.
Robert
-
I just made some other changes that should make it behave better in regards to rule downloading.
I couldn't test with snort.org since it was slow and did not have an account to test with.
-
This makes sense if I'm reading the last couple of posts correctly. Snort being maintained by the core dev team.. If users want more than a basic Snort package… they have the option to pay for the Orion IDS.
@Ermal I'll give it a shot but you are right! Snort.org is really slow today... My manual updating from the cmd failed due to timeouts
-
Snort's site is timing out so I can't test. Emerging Threats rules downloaded with no problems.
When I tried to start snort on my WAN interface, this is the error I received:
Warning: Invalid argument supplied for foreach() in /usr/local/pkg/snort/snort.inc on line 92
Warning: fopen(/usr/local/etc/snort/suppress/): failed to open stream: Is a directory in /usr/local/pkg/snort/snort.inc on line 1184
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 192
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 193
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 194
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 195
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 196
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:92) in /usr/local/www/snort/snort_interfaces.php on line 197
This is in my system log:
Aug 2 13:20:31 php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
Aug 2 13:20:31 php: /snort/snort_interfaces.php: Could not open /usr/local/etc/snort/suppress/ for writing.
I don't know if this is related to adding snort or my morning's gitsync, but when I look at my system log I get the below errors. I'm able to see the system log tho, but this is at the header of the page. Also, none of the other tabs are showing this error (firewall, dhcp, openvpn).
Warning: Unknown: GC cache entry '/usr/local/www/guiconfig.inc' (dev=109 ino=801962) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/usr/local/www/csrf/csrf-magic.php' (dev=109 ino=801951) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/xmlparse.inc' (dev=109 ino=7301225) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/util.inc' (dev=109 ino=7301219) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv.defs.inc' (dev=109 ino=7301206) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv.inc' (dev=109 ino=7301205) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/priv/user.priv.inc' (dev=109 ino=7301204) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/notices.inc' (dev=109 ino=7301195) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/led.inc' (dev=109 ino=7301192) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/IPv6.inc' (dev=109 ino=7301190) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/globals.inc' (dev=109 ino=7301185) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/crypt.inc' (dev=109 ino=7301178) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/config.lib.inc' (dev=109 ino=7301176) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/config.gui.inc' (dev=109 ino=7301175) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/authgui.inc' (dev=109 ino=7301168) was on gc-list for 3659 seconds in Unknown on line 0
Warning: Unknown: GC cache entry '/etc/inc/auth.inc' (dev=109 ino=7301167) was on gc-list for 3659 seconds in Unknown on line 0
Warning: session_start(): Cannot send session cache limiter - headers already sent in /etc/inc/auth.inc on line 1260
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 47
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 48
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 49
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 50
Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 51
Now I'm asking for too much, but could it be possible to add an index.php in the root of the snort www directory with the below code? So when I click on the pfSense image in the upper left corner, it brings me back to the main dashboard page instead of "page not found".
EDIT: The permissions are wrong on the /usr/local/etc/rc.d/snort.sh file, I believe. It's currently 644; it should be 755. I tried to manually start snort using snort.sh, but I think there is a syntax error with the interface:
[2.1-DEVELOPMENT][root@]/root/custom(7): /usr/local/etc/rc.d/snort.sh start
ls: /tmp/snort.sh.pid: No such file or directory
ls: /tmp/snort.sh.pid: No such file or directory
rm: /var/run/snort_7758_em3.pid: No such file or directory
rm: /var/run/snort_7758_em3.pid.lck: No such file or directory
[2.1-DEVELOPMENT][root@]/root/custom(8):
usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file target_file
       cp [-R [-H | -L | -P]] [-f | -i | -n] [-alpvx] source_file ... target_directory
-
Hello,
I am running the latest pfsense 2.0 rc3 from today and have installed the snort 2.0 package as a virtual machine on kvm. If I want to edit the network interface in the snort settings, I get an "error: no uuid". How can I fix this problem?
Regards, valle
-
The thing on this forum that just does not make sense: people do not read the forum. Snort has been broken for a long time now. There were a couple of posts on the forum saying it will be a while before it gets fixed.
Will someone tell us how far it has come, and is the beta out yet for us to test?
I am using my standby UTM software with snort in their operating system and it works perfectly.
-
@ermal:
should be fixed, just reinstall.
Almost there… it seems to forget the interface.. I noticed that you made some changes to how it puts the interface, wondering if something is missing there.
I deleted all my snort configs... Added an interface... told me I had no rules... updated the rules again.... checked some rules.... tried to start it, didn't start. Went back to the categories and was told I don't have rules... it's picking the wrong directory or something.
Aug 2 17:10:29 SnortStartup[35682]: Interface Rule START for 0_39737_...
Aug 2 17:10:29 snort[34151]:
Aug 2 17:10:29 snort[34151]:
Aug 2 17:10:29 snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
Aug 2 17:10:29 snort[34151]: \___/ Using Snort.org dynamic plugins and Orion IPS source.
-
Can you show me the generated snort conf?
-
@ermal:
Can you show me the generated snort conf?
Here you go:
#!/bin/sh
########
# This file was automatically generated
# by the pfSense service handler.
# Code added to protect from double starts on pfSense bootup
######## Begining of Main snort.sh

rc_start() {
	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0
	fi
	/bin/echo "snort.sh run" > /tmp/snort.sh.pid

	#### Remake the configs on boot Important!
	/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &
	/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..."

	###### For Each Iface
	#### Fake start only used on bootup and Pfsense IP changes
	#### Only try to restart if snort is running on Iface
	if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" != "" ]; then
		snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`"
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
		#### Restart Iface
		/bin/kill -HUP ${snort_pid}
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For 39737_..."
	fi
	/bin/rm /tmp/snort.sh.pid

	#### If on Fake start snort is NOT running DO a real start.
	if [ "`/bin/ps -auwx | grep -v grep | grep "R 39737" | awk '{print $2;}'`" = "" ]; then
		rc_start_real
	fi
}

rc_start_real() {
	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0
	fi

	###### For Each Iface
	# If Snort proc is NOT running
	if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`" = "" ]; then
		/bin/echo "snort.sh run" > /tmp/snort.sh.pid
		# Start snort and barnyard2
		/bin/rm /var/run/snort_39737_.pid
		/bin/rm /var/run/snort_39737_.pid.lck
		# Note the empty value after -i: the interface name was lost when this
		# script was generated (compare the "39737_" suffix with no interface),
		# so snort is started without an interface to listen on.
		/usr/local/bin/snort -u snort -g snort -R 39737 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 39737 -c /usr/local/etc/snort/snort_39737_/snort.conf -i
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For 39737_..."
	fi
	/bin/rm /tmp/snort.sh.pid
}

rc_stop() {
	#### Check for double starts, Pfsense has problems with that
	if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
		exit 0
	fi
	pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R 39737" | /usr/bin/awk '{print $2;}'`
	sleep 3
	pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_39737_.u2" | /usr/bin/awk '{print $2;}'`
	if [ ${pid_s} ] ; then
		/bin/echo "snort.sh run" > /tmp/snort.sh.pid
		/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For 39737_..."
		/bin/kill ${pid_s}
		sleep 3
		/bin/kill ${pid_b}
		/bin/rm /var/run/snort_39737_.pid.lck
		/bin/rm /var/run/snort_39737_.pid
	fi
	/bin/rm /tmp/snort.sh.pid
	/bin/rm /var/run/snort*
}

case $1 in
start)
	rc_start
	;;
start_real)
	rc_start_real
	;;
stop)
	rc_stop
	;;
restart)
	rc_stop
	rc_start_real
	;;
esac
-
Try the new update i just made.
That is the startup script and not the config. But for now all should be fixed.
-
@ermal:
That is the startup script and not the config. But for now all should be fixed.
Sorry about that… Just tried the new updates and I'm seeing a different error... the snort engine is trying to start tho. When I'm in 'Snort: Interface Edit:', the server, preprocessors and barnyard2 tabs show the interface as '0em3' instead of '39737 em3', but the other tabs are showing the interface correctly.
Aug 2 20:39:43 SnortStartup[22178]: Interface Rule START for 0_39737_em3...
Aug 2 20:39:43 snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option.
Aug 2 20:39:43 snort[21986]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(292) => Invalid ip_list to 'ignore_scanners' option.
Aug 2 20:39:43 snort[21986]: alert_multiple_requests: ACTIVE
Aug 2 20:39:43 snort[21986]: alert_multiple_requests: ACTIVE
Aug 2 20:39:43 snort[21986]: alert_incomplete: ACTIVE
Aug 2 20:39:43 snort[21986]: alert_incomplete: ACTIVE
Aug 2 20:39:43 snort[21986]: alert_large_fragments: ACTIVE
Aug 2 20:39:43 snort[21986]: alert_large_fragments: ACTIVE
Aug 2 20:39:43 snort[21986]: alert_fragments: INACTIVE
Aug 2 20:39:43 snort[21986]: alert_fragments: INACTIVE
Aug 2 20:39:43 snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Aug 2 20:39:43 snort[21986]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Aug 2 20:39:43 snort[21986]: rpc_decode arguments:
Aug 2 20:39:43 snort[21986]: rpc_decode arguments:
here is my conf
# snort configuration file
# generated by the pfSense
# package manager system
# see /usr/local/pkg/snort.inc
# for more information

# snort.conf
# Snort can be found at http://www.snort.org/
#
# Copyright (C) 2009-2010 Robert Zelaya
# part of pfSense
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

#########################
#
# Define Local Network
#
#########################
var HOME_NET [68.xxx.xxx.xxx/22,192.168.0.1/24,192.168.200.1/32,192.168.201.1/32,/,192.168.5.1/24,68.xxx.xxx.x,2001:xxx:xx::2,8.8.8.8,8.8.4.4,127.0.0.1]
var EXTERNAL_NET !$HOME_NET

###################
#
# Define Servers
#
###################
var DNS_SERVERS [$HOME_NET]
var SMTP_SERVERS [$HOME_NET]
var HTTP_SERVERS [$HOME_NET]
var SQL_SERVERS [$HOME_NET]
var TELNET_SERVERS [$HOME_NET]
var SNMP_SERVERS [$HOME_NET]
var FTP_SERVERS [$HOME_NET]
var SSH_SERVERS [$HOME_NET]
var POP_SERVERS [$HOME_NET]
var IMAP_SERVERS [$HOME_NET]
var RPC_SERVERS $HOME_NET
var WWW_SERVERS [$HOME_NET]
var SIP_PROXY_IP [$HOME_NET]
var AIM_SERVERS \
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

########################
#
# Define Server Ports
#
########################
portvar HTTP_PORTS [80]
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS [1521]
portvar AUTH_PORTS [113]
portvar DNS_PORTS [53]
portvar FINGER_PORTS [79]
portvar FTP_PORTS [21]
portvar IMAP_PORTS [143]
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
portvar MSSQL_PORTS [1433]
portvar NNTP_PORTS [119]
portvar POP2_PORTS [109]
portvar POP3_PORTS [110]
portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
portvar RLOGIN_PORTS [513]
portvar RSH_PORTS [514]
portvar SMB_PORTS [139,445]
portvar SMTP_PORTS [25]
portvar SNMP_PORTS [161]
portvar SSH_PORTS [222]
portvar TELNET_PORTS [23]
portvar MAIL_PORTS [25,143,465,691]
portvar SSL_PORTS [443,465,563,636,989,990,992,993,994,995]
portvar SIP_PROXY_PORTS [5060:5090,16384:32768]
# DCERPC NCACN-IP-TCP
portvar DCERPC_NCACN_IP_TCP [139,445]
portvar DCERPC_NCADG_IP_UDP [138,1024:]
portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
portvar DCERPC_NCACN_UDP_LONG [135,1024:]
portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
portvar DCERPC_NCACN_TCP [2103,2105,2107]
portvar DCERPC_BRIGHTSTORE [6503,6504]

#####################
#
# Define Rule Paths
#
#####################
var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules
# var PREPROC_RULE_PATH ./preproc_rules

################################
#
# Configure the snort decoder
#
################################
config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops

###################################
#
# Configure the detection engine
#
# Use lower memory models
#
###################################
config detection: search-method ac-bnfa max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length

#Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort/dynamicrules

###################
#
# Flow and stream
#
###################
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy bsd detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp yes, track_icmp yes
preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes
preprocessor stream5_udp:
preprocessor stream5_icmp:

##########################
#
# NEW
#
# Performance Statistics
#
##########################
preprocessor perfmonitor: time 300 file /var/log/snort/snort_39737_em3.stats pktcnt 10000

#################
#
# HTTP Inspect
#
#################
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
ports { 80 8080 } \
non_strict \
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
flow_depth 0 \
apache_whitespace no \
directory no \
iis_backslash no \
u_encode yes \
ascii no \
chunk_length 500000 \
bare_byte yes \
double_decode yes \
iis_unicode no \
iis_delimiter no \
multi_slash no

##################
#
# Other preprocs
#
##################
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
preprocessor bo

#####################
#
# ftp preprocessor
#
#####################
preprocessor ftp_telnet: global \
inspection_type stateless
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: \
ftp server default \
def_max_param_len 100 \
ports { 21 } \
ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
ftp_cmds { FEAT CEL CMD MACB } \
ftp_cmds { MDTM REST SIZE MLST MLSD } \
ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
alt_max_param_len 256 { RNTO CWD } \
alt_max_param_len 400 { PORT } \
alt_max_param_len 512 { SIZE } \
chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
chk_str_fmt { FEAT CEL CMD } \
chk_str_fmt { MDTM REST SIZE MLST MLSD } \
chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
cmd_validity MODE < char ASBCZ > \
cmd_validity STRU < char FRP > \
cmd_validity ALLO < int [ char R int ] > \
cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
cmd_validity PORT < host_port >
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes

#####################
#
# SMTP preprocessor
#
#####################
preprocessor SMTP: \
ports { 25 465 691 } \
inspection_type stateful \
normalize cmds \
valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
max_header_line_len 1000 \
max_response_line_len 512 \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
xlink2state { enable }

################
#
# sf Portscan
#
################
preprocessor sfportscan: scan_type { all } \
proto { all } \
memcap { 10000000 } \
sense_level { medium } \
ignore_scanners { $HOME_NET }

############################
#
# OLD
#
# preprocessor dcerpc: \
#
# autodetect \
#
# max_frag_size 3000 \
#
# memcap 100000
#
############################

###############
#
# NEW
#
# DCE/RPC 2
#
###############
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
smb_max_chain 3

####################
#
# DNS preprocessor
#
####################
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow

##############################
#
# NEW
#
# Ignore SSL and Encryption
#
##############################
preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted

#####################
#
# Snort Output Logs
#
#####################
output unified: filename snort_39737_em3.log, limit 128
output alert_full: alert

#################
#
# Misc Includes
#
#################
include /usr/local/etc/snort/snort_39737_em3/reference.config
include /usr/local/etc/snort/snort_39737_em3/classification.config

# Snort user pass through configuration

###################
#
# Rules Selection
#
###################
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-ciarmy.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules
EDIT: I found the issue in the conf file under var HOME_NET 01.1/32,/,192.168.5.1/24
was able to manually start snort after editing the conf file :-)
It doesn't create the folder/file for the suppress list:
Aug 2 21:59:38 snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
Aug 2 21:59:38 snort[13300]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList": No such file or directory.
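Both failures in this post can be caught before Snort is started: the stray "/" entry inside HOME_NET (which is what Snort rejects once ignore_scanners expands $HOME_NET) and the suppress-list include whose absolute path was glued onto the per-interface directory, giving the "//" path in the last error. The linter below is an added example, not code from the pfSense snort package; the conf text it checks is constructed to match the shape of the posted conf, with documentation addresses in place of the poster's redacted ones.

```python
"""Pre-flight checks for a pfSense-generated snort.conf (added example)."""
import ipaddress
import re

# Constructed sample in the shape of the conf posted in this thread: the stray
# "/" inside HOME_NET and the doubled include path are reproduced; addresses
# are documentation ranges, not the poster's redacted ones.
SAMPLE_CONF = """\
var HOME_NET [192.0.2.0/22,192.168.0.1/24,192.168.200.1/32,/,192.168.5.1/24,2001:db8::2,8.8.8.8,127.0.0.1]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [$HOME_NET]
var AIM_SERVERS \\
[64.12.24.0/23,64.12.28.0/23]
var RULE_PATH /usr/local/etc/snort/snort_39737_em3/rules
preprocessor sfportscan: scan_type { all } \\
ignore_scanners { $HOME_NET }
include $RULE_PATH/emerging-dos.rules
include /usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/suppress/MainSuppressList
"""

# Only variables that hold ip_lists are checked; path variables such as
# RULE_PATH are skipped by name.
IP_LIST_VAR = re.compile(r"_(NET|SERVERS|IP)$")
VAR_RE = re.compile(r"^[ \t]*var[ \t]+(\w+)[ \t]+(.+?)[ \t]*$", re.MULTILINE)
INCLUDE_RE = re.compile(r"^[ \t]*include[ \t]+(\S+)", re.MULTILINE)


def parse_ip_list(value):
    """Split a Snort ip_list ('[a,b,c]' or a bare single entry) into entries."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [e.strip() for e in value.split(",")]


def entry_is_valid(entry):
    """True if Snort would accept the entry: optional '!' negation, then 'any',
    a $variable reference, or an IPv4/IPv6 address or CIDR. Host bits set in a
    CIDR (192.168.0.1/24) are accepted, as Snort tolerates them."""
    body = entry[1:] if entry.startswith("!") else entry
    if body == "any" or body.startswith("$"):
        return True
    try:
        ipaddress.ip_network(body, strict=False)
        return True
    except ValueError:  # empty entry, lone "/", or otherwise unparsable
        return False


def lint_conf(conf_text):
    """Return {'bad_ip_entries': {var: [entries]}, 'bad_includes': [paths]}."""
    joined = conf_text.replace("\\\n", " ")  # fold backslash continuations
    bad_vars = {}
    for name, value in VAR_RE.findall(joined):
        if not IP_LIST_VAR.search(name):
            continue
        bad = [e for e in parse_ip_list(value) if not entry_is_valid(e)]
        if bad:
            bad_vars[name] = bad
    # A "//" in an include path is the signature of an absolute path appended
    # to a directory prefix; Snort does not normalise it and the open fails.
    bad_includes = [p for p in INCLUDE_RE.findall(joined) if "//" in p]
    return {"bad_ip_entries": bad_vars, "bad_includes": bad_includes}


if __name__ == "__main__":
    report = lint_conf(SAMPLE_CONF)
    for var, entries in report["bad_ip_entries"].items():
        print(f"{var}: invalid ip_list entries {entries}")
    for path in report["bad_includes"]:
        print(f"include path built from two absolute paths: {path}")
```

Run it against the real generated file with `lint_conf(open(path).read())` before starting snort; an empty report means neither of these two generator defects is present.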