Netgate Discussion Forum

Snort Won't Start After Upgrade

pfSense Packages
    eri--
    last edited by Aug 3, 2011, 7:56 PM Aug 3, 2011, 7:51 PM

    Hmm just remove and reinstall the binaries again not just the snort files.
    Those are files that come with the package, difficult to lose those without something wrong :)

    EDIT:

    I put another fix to prevent the errors you are seeing.

      Cino
      last edited by Aug 3, 2011, 8:00 PM Aug 3, 2011, 7:57 PM

      @ermal:

      Hmm just remove and reinstall the binaries again not just the snort files.
      Those are files that come with the package, difficult to lose those without something wrong :)

      All my re-installs have been 'Reinstall this Package'

      btw, thank you very much for the quick responses on fixing the snort package as I've been finding issues… I've been kind of hoping other users would be reporting on issues other than myself since there was an outcry for snort a week ago...

        mdovey
        last edited by Aug 3, 2011, 8:05 PM

        I've already done two reinstalls of PfSense 2RC3 in the last week due to things going awry during a snapshot update (which may or may not have been related to having snort or snort-dev installed), and my first attempt to install the new snort didn't go too well (Snort was missing from the menu and services list after installation but someone else reported this before I could, with more insight as to the circumstances under which it occurred than I had).

        So I'm afraid, I'm sitting on the fence at the moment, waiting for an all-clear!

        Matthew

          mschiek01
          last edited by Aug 3, 2011, 8:08 PM

          @ermal:

          Hmm just remove and reinstall the binaries again not just the snort files.
          Those are files that come with the package, difficult to lose those without something wrong :)

          EDIT:

          I put another fix to prevent the errors you are seeing.

          Just did a reinstall same error:
          Aug 3 15:06:12 snort[18906]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
          Aug 3 15:06:12 snort[18906]: FATAL ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.

          Snort was this morning this only started occurring after the reinstall.

            Cino
            last edited by Aug 3, 2011, 8:37 PM Aug 3, 2011, 8:26 PM

            @ermal  I'm able to start snort again :-) had some issues starting it but I forgot that in my main home net list, I have to uncheck 'Add WAN DNS servers to the list.' since I have an IPv6 in my WAN DNS entries. Snort doesn't like IPv6 yet.

            looking at the conf file, my net list is there.. Going to test the IDS then enable blocking and see if whitelist works again.

            EDIT:  Issue with the suppress file again. The file looks good

            the file:

            
            # This file is auto generated by the snort package. Please do not edit this file by hand.
            
            suppress gen_id 119, sig_id 2, track by_src, ip 68.x.x.x
            

            system log

            
            Aug 3 16:28:32 	SnortStartup[57067]: Interface Rule START for 0_39737_em3...
            Aug 3 16:28:32 	snort[56934]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid configuration line: Ú^Y^O
            Aug 3 16:28:32 	snort[56934]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid configuration line: Ú^Y^O
            
            

            Whitelist isn't working. It is creating the file but there is a space in the name "MainWhiteList 10285". Also, when I check 'Block offenders' and select 'MainWhiteList' from the drop down, it goes back to 'default' when I click on 'Save'.

              eri--
              last edited by Aug 3, 2011, 8:31 PM

              mschiek01: Remove the package and install it again.
              Do not use the reinstall features but really delete and install the package.

              That will fix your issue and it should not happen again after that.

                eri--
                last edited by Aug 3, 2011, 9:04 PM

                @Cino

                The issues with whitelist selection and suppress should be fixed.

                  Cino
                  last edited by Aug 3, 2011, 9:14 PM

                  Thanks again Ermal!! I can't test right now but later tonight I will remove everything snort related, do a firmware update (maybe a fresh install) and after my packages update I'll install snort.

                  Not sure how this happened but I started up some bit-torrent downloads and it killed snort I think, but it could just be my box..

                  
                  Aug 3 17:01:11 	snort[26553]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS
                  Aug 3 17:01:11 	snort[26553]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS
                  
                  

                  When I started it back I got this:

                  
                  Aug 3 17:03:41 	SnortStartup[59006]: Interface Rule START for 0_39737_em3...
                  Aug 3 17:03:41 	snort[58868]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter
                  Aug 3 17:03:41 	snort[58868]: FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter
                  
                  

                  But I'm having issues with countryblock now so I need to do a reset before I can test again

                    eri--
                    last edited by Aug 3, 2011, 9:21 PM

                    That is IDS integration which might need some people to help out in funding to make properly usable.

                      hmishra
                      last edited by Aug 3, 2011, 10:33 PM Aug 3, 2011, 10:23 PM

                      I am having the same issue now of not seeing Snort menu entry under Services, even after successful install. I have uninstalled and installed the Snort package a couple times already as per the earlier suggestion.

                      I see the following error messages on system log which I thought were relevant:

                      Aug 3 17:28:50 SnortStartup[36465]: Snort HARD Reload For 21540_em0_vlan10…
                      Aug 3 17:28:50 snort[36189]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21540_em0_vlan10//usr/local/etc/snort/snort_21540_em0_vlan10/rules/emerging-botcc.rules": No such file or directory.
                      Aug 3 17:28:50 snort[36189]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21540_em0_vlan10//usr/local/etc/snort/snort_21540_em0_vlan10/rules/emerging-botcc.rules": No such file or directory.

                      Now even if there were some issues with the category 'emerging-botcc.rules', I cannot uncheck those now since I cannot bring up Snort setting to uncheck those.

                        mschiek01
                        last edited by Aug 3, 2011, 11:37 PM

                        @ermal:

                        mschiek01: Remove the package and install it again.
                        Do not use the reinstall features but really delete and install the package.

                        That will fix your issue and it should not happen again after that.

                        That fixed the issue.

                        Thanks again for addressing this quickly.

                          hmishra
                          last edited by Aug 3, 2011, 11:49 PM

                          Ok, Snort is running now. I had to export the config xml and edit out the rule categories which were generating exceptions on system log as stated before. Once I restored it, Snort is now running although I still feel that Snort should not die if choosing what it considers as an invalid category.

                          Anyway, now I have a different issue which I am not sure if it is Snort install related since I also updated to the latest snapshot. Now, I can install Squid or Squidguard or Cron individually, but if I install more than one, the other gets bumped off of the services list. Even the menu entry for the previous package is lost. In other words, only one service can be active at a time from among installable packages. This is just a rough observation since I haven't tried all different combinations of packages.

                          1 Reply Last reply Reply Quote 0
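
Added example, not part of the original thread or of the pfSense Snort package: a pre-start check for the startup failures logged in the posts above, where snort.conf points at a rules file or dynamicpreprocessor directory that does not exist, or at an include path that ends in `suppress/` with no file name. The function names, the sample config and the rule that relative paths resolve against the config file's directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense Snort package).
# Reports every path in a snort.conf that does not resolve:
# "include" must name a regular file, and
# "dynamicpreprocessor directory" must name a directory.
snort_conf_check() {
    conf=$1
    confdir=$(dirname "$conf")
    # awk: remember "var NAME value", expand $NAME, emit "<kind> <path>".
    awk '
        $1 == "var" { vars[$2] = $3; next }
        $1 == "include" { kind = "file"; p = $2 }
        $1 == "dynamicpreprocessor" && $2 == "directory" { kind = "dir"; p = $3 }
        p != "" {
            for (n in vars) gsub("\\$" n, vars[n], p)
            print kind, p
            p = ""
        }
    ' "$conf" | while read -r kind path; do
        # Assumption: relative paths resolve against the config directory.
        case $path in
            /*) ;;
            *) path="$confdir/$path" ;;
        esac
        if [ "$kind" = "file" ] && [ ! -f "$path" ]; then
            echo "include-not-a-file $path"
        elif [ "$kind" = "dir" ] && [ ! -d "$path" ]; then
            echo "missing-directory $path"
        fi
    done
}

# Constructed sample config in a temp dir; prints the three bad references.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/rules" "$d/suppress"
    : > "$d/rules/local.rules"
    cat > "$d/snort.conf" <<EOF
# constructed sample, not a real pfSense-generated file
var RULE_PATH $d/rules
dynamicpreprocessor directory $d/dynamicpreprocessor
include \$RULE_PATH/local.rules
include \$RULE_PATH/emerging-botcc.rules
include $d/suppress/
EOF
    snort_conf_check "$d/snort.conf"
    rm -rf "$d"
}
demo
```

Snort's own `-T` option also tests a configuration, but it exits at the first fatal error; this check lists every unresolved path in one pass.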
                            Cino
                            last edited by Aug 4, 2011, 1:04 AM Aug 4, 2011, 1:01 AM

                            @ermal:

                            That is IDS integration which might need some people to help out in funding to make properly usable.

                            What IDS integration are you talking about?

                            So far so good! Whitelist looks to be working. I notice the format of the file has changed. Suppress file seems to load without errors, have not tested yet. Thank you again!

                              Cino
                              last edited by Aug 4, 2011, 1:03 AM

                              @hmishra:

                              Ok, Snort is running now. I had to export the config xml and edit out the rule categories which were generating exceptions on system log as stated before. Once I restored it, Snort is now running although I still feel that Snort should not die if choosing what it considers as an invalid category.

                              Anyway, now I have a different issue which I am not sure if it is Snort install related since I also updated to the latest snapshot. Now, I can install Squid or Squidguard or Cron individually, but if I install more than one, the other gets bumped off of the services list. Even the menu entry for the previous package is lost. In other words, only one service can be active at a time from among installable packages. This is just a rough observation since I haven't tried all different combinations of packages.

                              How long since you updated? Try it again since it seems to be fixed for me

                                hmishra
                                last edited by Aug 4, 2011, 1:21 AM

                                Just tried it, still no joy. Having installed Snort first, I tried to install Cron and that bumped off the Snort menu entry under Services.

                                  eri--
                                  last edited by Aug 4, 2011, 5:48 AM

                                  You need to update to latest snapshot to fix the issues with the menu.

                                  @Cino,

                                  IDS integration is the Block offenders option

                                    Cino
                                    last edited by Aug 4, 2011, 1:32 PM Aug 4, 2011, 12:15 PM

                                    @Ermal The suppress list is working. Snort stayed up last night. Need to do some more testing but blocked IPs didn't clear after the set time I selected. My time is set to block for 1 hour, I had IPs in there that were blocked 8 hours ago.

                                    Edit: I did some more testing and it's not removing IPs from the Block list. I looked to see if there was a cron job but there wasn't. For some reason I'm thinking there was a cron job that was based on the 'Remove blocked hosts every' field

                                      mdovey
                                      last edited by Aug 4, 2011, 3:58 PM

                                      The "add another entry" button under the "Add your own custom ips" for Whitelists doesn't appear to be working. So I can only add 1 ip to a whitelist!

                                      I've tried under Opera 11.50 and IE9

                                      Matthew

                                        Cino
                                        last edited by Aug 4, 2011, 4:29 PM

                                        @mdovey:

                                        The "add another entry" button under the "Add your own custom ips" for Whitelists doesn't appear to be working. So I can only add 1 ip to a whitelist!

                                        I've tried under Opera 11.50 and IE9

                                        Matthew

                                        This is new, I can confirm that it's doing the same thing for me using FF 5… Strange it wasn't doing this last night... I did notice last night that any IPs I did add wouldn't show up under 'Values' in the 'Services:Snort:Whitelist' tab

                                        When I try to add an IP, this is the link the button is pointing to: https://192.168.0.1:445/snort/snort_interfaces_whitelist_edit.php?id=1#

                                          eri--
                                          last edited by Aug 4, 2011, 6:44 PM

                                          Fixed even the row helper.

                                          The expire of the hosts from the table should be done by a cron job.
                                          Please try with the latest package and give a save under Global Settings for that.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.