Netgate Discussion Forum

    Snort Won't Start After Upgrade

      hansmuff

      I have pfsense 2.0 RC3 64-bit installed. I un-installed Snort when it broke and just re-installed from the packages menu. Does that give me the latest release, because I have the same problem I've been having when Snort initially stopped working.

      My Snort version is 2.8.6.1 pkg v. 2.0

      The error in the syslog is "Aug 4 17:27:07 SnortStartup[17989]: Snort HARD Reload For 25369_fxp0…
      Aug 4 17:27:07 snort[17310]: FATAL ERROR: /usr/local/etc/snort/snort_25369_fxp0/snort.conf(316) Unknown output plugin: "alert_pf""

      My apologies if I'm doing this wrong.

        asterix

        Latest amd64 snapshot. Clean install.

        Snort not starting.

        Aug 4 18:43:49 SnortStartup[10250]: Snort HARD Reload For 35360_em0…
        Aug 4 18:43:49 SnortStartup[6313]: Snort Startup files Sync…
        Aug 4 18:43:22 SnortStartup[47731]: Snort HARD Reload For 35360_em0…
        Aug 4 18:43:21 SnortStartup[43782]: Snort Startup files Sync…

        Did an uninstall/install of Snort (not re-install) thrice... no-go

        Aug 4 18:53:13 SnortStartup[2775]: Snort HARD Reload For 33845_em0…
        Aug 4 18:53:13 SnortStartup[62907]: Snort Startup files Sync…
        Aug 4 18:52:54 SnortStartup[33560]: Interface Rule START for 0_33845_em0…
        Aug 4 18:52:53 SnortStartup[21740]: Toggle for 33845_em0…
        Aug 4 18:52:47 check_reload_status: Syncing firewall
        Aug 4 18:52:32 check_reload_status: Syncing firewall
        Aug 4 18:52:10 SnortStartup[23637]: Snort HARD Reload For 35360_em0…
        Aug 4 18:52:10 SnortStartup[20060]: Snort Startup files Sync…
        Aug 4 18:51:29 check_reload_status: Syncing firewall
        Aug 4 18:50:47 check_reload_status: Syncing firewall
        Aug 4 18:50:47 check_reload_status: Reloading filter
        Aug 4 18:50:46 check_reload_status: Syncing firewall
        Aug 4 18:50:09 check_reload_status: Syncing firewall
        Aug 4 18:50:08 php: /pkg_mgr_install.php: Beginning package installation for snort.

          Cino

          @hansmuff and asterix I don't run amd64 on my box; all my testing has been on the i386 platform.

          @ermal logged into my console and I noticed some startup errors.
          This is right after starting package snort…

          chown: /tmp/snort*: No such file or directory
          chmod: /var/run/snort*: No such file or directory
          chmod: /tmp/snort*: No such file or directory

            grandrivers

            I did a clean install and am having trouble with the Emerging Threats rules; I can't get them to show up.


              Burnie

              @Emarl: great work. snort seems to be working great now. (i386/2.0RC1)

              I found two things that didn't seem right:

              1. filenames of md5 files in /usr/local/www/snort/snort_download_updates.php seem wrong:

              
              --- /usr/local/www/snort/snort_download_updates.php.orig	2011-08-04 22:03:35.000000000 +0200
              +++ /usr/local/www/snort/snort_download_updates.php	2011-08-04 22:04:35.000000000 +0200
              @@ -47,5 +47,5 @@
               /* quick md5s chk */
              -if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2860.tar.gz.md5'))
              +if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5'))
               {
              -	$snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2860.tar.gz.md5');
              +	$snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5');
               }else{
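              Review bot: The snapshot file name is still a hard-coded literal, repeated in both the `file_exists()` test and the `exec()` call, so this check goes stale again at the next rules-snapshot bump, just as it did between 2860 and 2861. Hold the path in one variable built from the package's Snort version and use it in both places. The `exec('/bin/cat …')` call only reads a small file; `file_get_contents()` does the same without spawning a process. Since the comment calls this a quick md5 check, it is worth saying there that the value only signals that the rules tarball changed and is not an authenticity check.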
              @@ -54,5 +54,5 @@
              
              -if(file_exists('/usr/local/etc/snort/version.txt'))
              +if(file_exists('/usr/local/etc/snort/emerging.rules.tar.gz.md5'))
               {
              -	$emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/version.txt');
              +	$emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/emerging.rules.tar.gz.md5');
               }else{
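              Review bot: The local side of the Emerging Threats check now reads `emerging.rules.tar.gz.md5` instead of `version.txt`, but nothing in this hunk shows that the download step writes that file to `/usr/local/etc/snort/` or that the remote value it is compared against is also the tarball's md5. If either side still uses `version.txt`, the comparison never matches and the rules are reported as out of date on every run; please confirm both sides and change them together. As in the first hunk, the path appears twice and would be better held in one variable.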
              
              

              2. Trying to enable barnyard2, when I clicked save, it said it couldn't write to
                 /usr/local/etc/snort/snort__re1/barnyard2.conf
                 and then all config of snort were gone…
                 I guess somewhere it lost $iface_uuid, as I suspect it meant to write to
                 /usr/local/etc/snort/snort_6162_re1/barnyard2.conf

              (I haven't had time to dig into the last one just yet)

                eri--

                I have not touched barnyard at all, :(.

                I know there are some other issues in the code but general functionality is ok.
                I will check what i can do to progress on this but support is most definitely a welcome addition :)

                BTW: my name is Ermal and not Emarl

                EDIT:
                @Burnie
                imported your fix in the package, thx.

                @Cino,

                fixed the warnings you mentioned.

                  asterix

                  Ermal, any amd64 support?

                    eri--

                    The amd64 support is there but look at redmine.pfsense.org under snort category of issues on pfSense-packages project.
                    I am trying to put there all known issues though solving those is not only based on my or pfSense good will :), some help is needed as well.

                      hmishra

                      Ermal,

                      I know folks here have reported that the blocked hosts being cleared after the set time is working now, but I have not had success with that working yet. I have attached my screen shot of Cron entries on my system and don't think the job to remove the blocked hosts exists for Snort. I uninstalled and installed Snort just a few minutes back, so I am positive that I am running the latest iteration of your changes.

                      Thanks,
                      Hiranmoy

                      ![New Picture.gif](/public/imported_attachments/1/New Picture.gif)

                        hmishra

                        Never mind…..My mistake. Turns out I did not hit 'Save' after having installed the latest Snort package. The Cron entries appeared after that.

                        Thanks!

                          Ibor Daru

                          @ermal and others

                          Today I updated my AMD64 PFSense system (Intel Atom CPU D510 @ 1.66GHz) to the latest available snapshot (2.0-RC3 (amd64) built on Tue Aug 2 22:54:59 EDT 2011).

                          Snort completely deinstalled before updating to latest snapshot. Reinstalled Snort, but Snort cannot be found in any menu whatsoever. Furthermore, Snort service is not available either. Tried again: completely deinstalled Snort, restarted PFSense and reinstalled Snort again with no results.

                          Any suggestions on how to solve the menu and service issues?

                            eri--

                            You need to do a gitsync or wait for a new snapshot to come out.

                              Ibor Daru

                              @ermal:

                              You need to do a gitsync or wait for a new snapshot to come out.

                              Thanks ermal! It worked out by following the guide @ http://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots. Menu and service are back again.

                              However (don't shoot the messenger), Snort service still won't start … as before. Just like:

                              @asterix:

                              Latest amd64 snapshot. Clean install.

                              Snort not starting.

                              Aug 4 18:43:49 SnortStartup[10250]: Snort HARD Reload For 35360_em0…
                              Aug 4 18:43:49 SnortStartup[6313]: Snort Startup files Sync…
                              Aug 4 18:43:22 SnortStartup[47731]: Snort HARD Reload For 35360_em0…
                              Aug 4 18:43:21 SnortStartup[43782]: Snort Startup files Sync…
                              ...

                                eri--

                                That says the service is started.
                                Any other logs to claim that snort is not starting Ibor?

                                  Cino

                                  @ermal  startup is quiet… thanks again!

                                    eri--

                                    Thank you for helping in testing Cino.

                                      seattle-it

                                      What happened to Barnyard??

                                      Seems to be totally missing >:(


                                        Cino

                                        @seattle-it:

                                        What happened to Barnyard??

                                        Seems to be totally missing >:(

                                        need users to test it and report back with detailed errors… this will help the dev fix issues

                                          Cino

                                          @ermal:

                                          Thank you for helping in testing Cino.

                                          Anytime! I may just re-install my system this weekend or next week and try amd64

                                            Ibor Daru

                                            @ermal

                                            @ermal:

                                            That says the service is started.
                                            Any other logs to claim that snort is not starting Ibor?

                                            Mainly based on the following (see attached images):

                                            • (dashboard widget system information) memory usage before and after are the same

                                            • (dashboard widget services status) service status still indicates "stopped"

                                            • (main snort menu) icon remains as "green play icon", not turned to "red cross button"

                                            BTW if you require additional log file(s), feel free to ask. Please note: I'm not that familiar with what log file(s) Snort use(s) exactly within PFSense. Guidance is then appreciated. If wanted I'm available for testing/debugging.

                                            ![Dashboard overview after starting snort.JPG](/public/imported_attachments/1/Dashboard overview after starting snort.JPG)
                                            ![Snort started.JPG](/public/imported_attachments/1/Snort started.JPG)
                                            ![green icon after snort has been started.JPG](/public/imported_attachments/1/green icon after snort has been started.JPG)

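The two outcomes reported in this thread, a "HARD Reload" line followed by a snort FATAL ERROR and a "HARD Reload" line with nothing from the snort daemon after it, can be told apart mechanically from the system log. The following is an added example, not code from the thread or from the pfSense Snort package; the sample lines are taken from the posts above, and the function name `triage` and the verdict labels are assumptions.

```python
import re

# Constructed sample: syslog lines as quoted in the posts in this thread.
SAMPLE_LOG = """\
Aug 4 17:27:07 SnortStartup[17989]: Snort HARD Reload For 25369_fxp0…
Aug 4 17:27:07 snort[17310]: FATAL ERROR: /usr/local/etc/snort/snort_25369_fxp0/snort.conf(316) Unknown output plugin: "alert_pf"
Aug 4 18:43:21 SnortStartup[43782]: Snort Startup files Sync…
Aug 4 18:43:22 SnortStartup[47731]: Snort HARD Reload For 35360_em0…
"""

# Startup wrapper line: names the instance (<uuid>_<interface>) being reloaded.
RELOAD = re.compile(r"SnortStartup\[\d+\]: Snort HARD Reload For (\w+)")
# Daemon line: names the per-instance config file, the line number and the reason.
FATAL = re.compile(
    r"snort\[\d+\]: FATAL ERROR: (\S*/snort_(\w+)/snort\.conf)\((\d+)\) (.*)$"
)


def triage(log_text):
    """Map each Snort instance seen in the log to a verdict.

    "fatal"       - the daemon aborted while parsing its config.
    "reload-only" - a reload was logged but the daemon itself logged nothing,
                    so the log alone does not show whether it is running.
    Works for oldest-first and newest-first log order.
    """
    verdicts = {}
    for line in log_text.splitlines():
        m = RELOAD.search(line)
        if m:
            # Never downgrade an instance already marked fatal.
            verdicts.setdefault(m.group(1), {"status": "reload-only"})
            continue
        m = FATAL.search(line)
        if m:
            conf, instance, lineno, message = m.groups()
            verdicts[instance] = {
                "status": "fatal",
                "conf": conf,
                "line": int(lineno),
                "message": message.strip(),
            }
    return verdicts


if __name__ == "__main__":
    for instance, verdict in triage(SAMPLE_LOG).items():
        print(instance, verdict)
```

A "reload-only" verdict is the case discussed between eri-- and Ibor Daru: the log shows the start attempt, so the next check is whether a snort process for that instance actually exists.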