Netgate Discussion Forum
Snort Won't Start After Upgrade

pfSense Packages
  • B
    Burnie
    last edited by Aug 5, 2011, 5:32 AM

    @Emarl: great work. snort seems to be working great now. (i386/2.0RC1)

    I found two things that didn't seem right:

    1. filenames of md5 files in /usr/local/www/snort/snort_download_updates.php seem wrong:

    
    --- /usr/local/www/snort/snort_download_updates.php.orig	2011-08-04 22:03:35.000000000 +0200
    +++ /usr/local/www/snort/snort_download_updates.php	2011-08-04 22:04:35.000000000 +0200
    @@ -47,5 +47,5 @@
     /* quick md5s chk */
    -if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2860.tar.gz.md5'))
    +if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5'))
     {
    -	$snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2860.tar.gz.md5');
    +	$snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5');
     }else{
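    Review bot: the rules snapshot number is still hard-coded in both the `file_exists` path and the `exec` path, so changing 2860 to 2861 fixes today's mismatch and will be wrong again on the next rules release, at which point the check silently takes the `else` branch. Suggest building the name once from a version variable, e.g. `$snapshot_md5 = "/usr/local/etc/snort/snortrules-snapshot-{$rules_version}.tar.gz.md5";`, and reading it with `trim(file_get_contents($snapshot_md5))` rather than `exec('/bin/cat ...')`, which spawns a shell for a one-line file read and returns only the last line of output.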
    @@ -54,5 +54,5 @@
    
    -if(file_exists('/usr/local/etc/snort/version.txt'))
    +if(file_exists('/usr/local/etc/snort/emerging.rules.tar.gz.md5'))
     {
    -	$emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/version.txt');
    +	$emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/emerging.rules.tar.gz.md5');
     }else{
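    Review bot: the variable name `$emergingt_net_sig_chk_local` (with the stray `t` in `emergingt`) is carried over unchanged on the added line; if the consumer of this value is spelled `$emerging_net_sig_chk_local`, the comparison always sees an unset value, so check the name matches where it is compared. Also, now that the local side reads the `.md5` sidecar instead of `version.txt`, the value should be trimmed (`trim(file_get_contents(...))`) so a digest compared against the remote one does not fail on a trailing newline.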
    
    

    2. Trying to enable barnyard2, when I clicked save, it said it couldn't write to
       /usr/local/etc/snort/snort__re1/barnyard2.conf
       and then all of Snort's config was gone…
       I guess somewhere it lost $iface_uuid, as I suspect it meant to write to
       /usr/local/etc/snort/snort_6162_re1/barnyard2.conf

    (I haven't had time to dig into the last one just yet)

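An added example, not code from the pfSense Snort package or from Burnie's patch: the same local-digest check the PHP above performs, written as POSIX shell, with the snapshot version passed in instead of hard-coded so the sidecar name cannot drift from the tarball name. The directory and version are parameters, the two sidecar layouts it accepts (`hex  filename` and `MD5 (filename) = hex`) are assumptions, and the files in the usage are constructed.

```shell
#!/bin/sh
# Added example (not the pfSense Snort package's own code): verify a downloaded
# Snort rules snapshot against the .md5 sidecar the package's check reads.
# Assumptions: the sidecar holds the digest as a 32-hex-char token, either in
# "hex  filename" (md5sum) or "MD5 (filename) = hex" (BSD md5) form; the
# directory and the snapshot version are parameters, not hard-coded paths.

# Print the MD5 hex digest of a file, portable across GNU md5sum and BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Extract the digest from a sidecar: take the last 32-hex-char token so both
# layouts work; CR and the trailing newline are dropped, case is normalised.
sidecar_digest() {
    tr -d '\r' < "$1" | grep -oE '[0-9a-fA-F]{32}' | tail -n 1 | tr 'A-F' 'a-f'
}

# verify_snapshot DIR VERSION
# Derives the tarball and sidecar names from VERSION (e.g. 2861) so that a
# rules release bump cannot leave the check looking at a file that no longer
# exists. Returns 0 on match, 1 on missing file or mismatch, 2 on bad arguments.
verify_snapshot() {
    dir=$1; ver=$2
    [ -n "$dir" ] && [ -n "$ver" ] || { echo "usage: verify_snapshot DIR VERSION" >&2; return 2; }
    tarball="$dir/snortrules-snapshot-$ver.tar.gz"
    sidecar="$tarball.md5"
    [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
    [ -f "$sidecar" ] || { echo "missing $sidecar" >&2; return 1; }
    want=$(sidecar_digest "$sidecar")
    [ -n "$want" ] || { echo "no digest found in $sidecar" >&2; return 1; }
    have=$(md5_of "$tarball")
    if [ "$have" = "$want" ]; then
        echo "ok: $tarball matches $sidecar"
        return 0
    fi
    echo "MISMATCH: $tarball has $have, sidecar says $want" >&2
    return 1
}
```

Usage: `verify_snapshot /usr/local/etc/snort 2861`. This is an integrity check only: it catches a truncated or corrupted download, but a sidecar fetched from the same place as the tarball authenticates nothing, so a mismatch means "re-download", not "tampered".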
    • E
      eri--
      last edited by Aug 5, 2011, 8:01 AM Aug 5, 2011, 7:17 AM

      I have not touched barnyard at all, :(.

      I know there are some other issues in the code but general functionality is ok.
      I will check what i can do to progress on this but support is most definitely a welcome addition :)

      BTW: my name is Ermal and not Emarl

      EDIT:
      @Burnie
      imported your fix in the package, thx.

      @Cino,

      fixed the warnings you mentioned.

      • A
        asterix
        last edited by Aug 5, 2011, 8:37 AM

        Ermal, any amd64 support?

        • E
          eri--
          last edited by Aug 5, 2011, 9:02 AM

          The amd64 support is there but look at redmine.pfsense.org under snort category of issues on pfSense-packages project.
          I am trying to put there all known issues though solving those is not only based on my or pfSense good will :), some help is needed as well.

          • H
            hmishra
            last edited by Aug 5, 2011, 10:21 AM

            Ermal,

            I know folks here have reported that the blocked hosts being cleared after the set time is working now, but I have not had success with that working yet. I have attached my screen shot of Cron entries on my system and don't think the job to remove the blocked hosts exists for Snort. I uninstalled and installed Snort just a few minutes back, so I am positive that I am running the latest iteration of your changes.

            Thanks,
            Hiranmoy

             ![New Picture.gif](/public/imported_attachments/1/New Picture.gif)

            • H
              hmishra
              last edited by Aug 5, 2011, 10:28 AM

               Never mind… My mistake. Turns out I did not hit 'Save' after having installed the latest Snort package. The Cron entries appeared after that.

              Thanks!

              • I
                Ibor Daru
                last edited by Aug 5, 2011, 1:00 PM Aug 5, 2011, 12:58 PM

                @ermal and others

                Today I updated my AMD64 PFSense system (Intel Atom CPU D510 @ 1.66GHz) to the latest available snapshot (2.0-RC3 (amd64) built on Tue Aug 2 22:54:59 EDT 2011).

                 I completely deinstalled Snort before updating to the latest snapshot. I reinstalled Snort, but Snort cannot be found in any menu whatsoever. Furthermore, the Snort service is not available either. Tried again: completely deinstalled Snort, restarted PFSense and reinstalled Snort again, with no results.

                Any suggestions on how to solve the menu and service issues?

                • E
                  eri--
                  last edited by Aug 5, 2011, 1:04 PM

                  You need to do a gitsync or wait for a new snapshot to come out.

                  • I
                    Ibor Daru
                    last edited by Aug 5, 2011, 1:24 PM

                    @ermal:

                    You need to do a gitsync or wait for a new snapshot to come out.

                    Thanks ermal! It worked out by following the guide @ http://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots. Menu and service are back again.

                    However (don't shoot the messenger), Snort service still won't start … as before. Just like:

                    @asterix:

                    Latest amd64 snapshot. Clean install.

                    Snort not starting.

                    Aug 4 18:43:49 SnortStartup[10250]: Snort HARD Reload For 35360_em0…
                    Aug 4 18:43:49 SnortStartup[6313]: Snort Startup files Sync…
                    Aug 4 18:43:22 SnortStartup[47731]: Snort HARD Reload For 35360_em0…
                    Aug 4 18:43:21 SnortStartup[43782]: Snort Startup files Sync…
                    ...

                    • E
                      eri--
                      last edited by Aug 5, 2011, 3:07 PM

                      That says the service is started.
                      Any other logs to claim that snort is not starting Ibor?

                      • C
                        Cino
                        last edited by Aug 5, 2011, 3:33 PM

                        @ermal  startup is quiet… thanks again!

                        • E
                          eri--
                          last edited by Aug 5, 2011, 5:23 PM

                          Thank you for helping in testing Cino.

                          • S
                            seattle-it
                            last edited by Aug 5, 2011, 7:18 PM Aug 5, 2011, 7:16 PM

                            What happened to Barnyard??

                            Seems to be totally missing >:(

                            My tech blog - seattleit.net/blog

                            • C
                              Cino
                              last edited by Aug 5, 2011, 7:36 PM

                              @seattle-it:

                              What happened to Barnyard??

                              Seems to be totally missing >:(

                              need users to test it and report back with detailed errors… this will help the dev fix issues

                              • C
                                Cino
                                last edited by Aug 5, 2011, 7:37 PM

                                @ermal:

                                Thank you for helping in testing Cino.

                                Anytime! I may just re-install my system this weekend or next week and try amd64

                                • I
                                  Ibor Daru
                                  last edited by Aug 5, 2011, 9:59 PM Aug 5, 2011, 9:49 PM

                                  @ermal

                                  @ermal:

                                  That says the service is started.
                                  Any other logs to claim that snort is not starting Ibor?

                                  Mainly based on the following (see attached images):

                                  • (dashboard widget system information) memory usage before and after are the same

                                  • (dashboard widget services status) service status still indicates "stopped"

                                  • (main snort menu) icon remains as "green play icon", not turned to "red cross button"

                                  BTW if you require additional log file(s), feel free to ask. Please note: I'm not that familiar with what log file(s) Snort use(s) exactly within PFSense. Guidance is then appreciated. If wanted I'm available for testing/debugging.

                                  ![Dashboard overview after starting snort.JPG](/public/imported_attachments/1/Dashboard overview after starting snort.JPG)
                                  ![Snort started.JPG](/public/imported_attachments/1/Snort started.JPG)
                                  ![green icon after snort has been started.JPG](/public/imported_attachments/1/green icon after snort has been started.JPG)

                                  • S
                                    seattle-it
                                    last edited by Aug 5, 2011, 10:01 PM

                                    @Cino:

                                    @seattle-it:

                                    What happened to Barnyard??

                                    Seems to be totally missing >:(

                                    need users to test it and report back with detailed errors… this will help the dev fix issues

                                    Test what? the barnyard2 binary is missing

                                    My tech blog - seattleit.net/blog

                                    • C
                                      Cino
                                      last edited by Aug 6, 2011, 1:00 AM

                                      @seattle-it:

                                      @Cino:

                                      @seattle-it:

                                      What happened to Barnyard??

                                      Seems to be totally missing >:(

                                      need users to test it and report back with detailed errors… this will help the dev fix issues

                                      Test what? the barnyard2 binary is missing

                                      You just did, by saying the binary is missing.

                                      • S
                                        seattle-it
                                        last edited by Aug 6, 2011, 1:42 AM

                                        You just did but saying the binary is missing.

                                        You make zero sense .. anyways, back to reality:

                                        I've been able to get Snort + Barnyard to a working state with the current Snort package. For others that may be running into similar issues, the quick fixes I had to apply were:

                                        1. pkg_add -r barnyard2
                                        2. ln -s /usr/local/etc/snort/snort_<digits>_<interface> /usr/local/etc/snort/snort_<interface>

                                        I've had other front-end issues with my config not being saved properly. Something triggers it to blank out interface and other snort settings, which is a pita. Things seem to work from the UI now, but I'm sticking with using the terminal to control things (and will probably roll out my own 2.9.0.X binary eventually).

                                        My tech blog - seattleit.net/blog

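An added example, not the package's code or seattle-it's own commands: the symlink step from the post as a guarded shell function. It resolves the per-interface snort_<uuid>_<iface> directory and creates snort_<iface> pointing at it, but refuses to guess when the interface has no such directory or more than one, and it ignores the empty-uuid shape (snort__re1) that Burnie's earlier post shows the UI producing. The config root and interface name are parameters, and the directories in the usage are constructed.

```shell
#!/bin/sh
# Added example (not the pfSense Snort package's own code): create the
# snort_<iface> -> snort_<uuid>_<iface> symlink from the post, with guards
# for the ways it goes wrong. Assumptions: the config root and interface
# are parameters; uuid directories are named snort_<digits>_<iface> as in
# the thread's log lines (e.g. snort_39737_em3).

# find_iface_dir ROOT IFACE
# Print the single snort_<uuid>_<iface> directory for IFACE.
# Returns 1 if none exists, 2 if more than one does (no guessing).
find_iface_dir() {
    root=$1; iface=$2
    n=0; found=""
    for d in "$root"/snort_*_"$iface"; do
        [ -d "$d" ] || continue
        uuid=${d#"$root"/snort_}; uuid=${uuid%_"$iface"}
        # skip the "lost uuid" shape (snort__re1): nothing or non-digits between the underscores
        case $uuid in ''|*[!0-9]*) continue ;; esac
        n=$((n + 1)); found=$d
    done
    if [ "$n" -eq 0 ]; then
        echo "no snort_<uuid>_$iface directory under $root" >&2; return 1
    fi
    if [ "$n" -gt 1 ]; then
        echo "$n candidate directories for $iface under $root, refusing to guess" >&2; return 2
    fi
    printf '%s\n' "$found"
}

# link_iface_dir ROOT IFACE
# Create ROOT/snort_<iface> as a symlink to the uuid directory. Idempotent when
# the link already points there; returns 3 rather than clobbering anything else.
link_iface_dir() {
    root=$1; iface=$2
    target=$(find_iface_dir "$root" "$iface") || return $?
    link="$root/snort_$iface"
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ] && return 0
        echo "$link already points elsewhere: $(readlink "$link")" >&2
        return 3
    fi
    if [ -e "$link" ]; then
        echo "$link exists and is not a symlink" >&2
        return 3
    fi
    ln -s "$target" "$link"
}
```

Usage: `link_iface_dir /usr/local/etc/snort re1`. A non-zero return means the layout is ambiguous or already occupied, which is exactly the situation in which a blind `ln -s` would silently mask the config loss described in the post.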
                                        • C
                                          Cino
                                          last edited by Aug 6, 2011, 4:07 PM Aug 6, 2011, 2:26 AM

                                          @Ermal  I'm testing the amd64 platform. Snort starts and seems to work, but when I check Block Offenders, I get this error

                                          
                                          Aug 5 23:49:30 	SnortStartup[62468]: Interface Rule START for 0_39737_em3...
                                          Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
                                          Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
                                          Aug 5 23:49:30 	snort[62343]: Log directory = /var/log/snort
                                          
                                          

                                          line 351 from my conf

                                          
                                          output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c
                                          
                                          

                                          snort2c table is defined under tables, whitelist files look to be the same format as i386

                                          I retested i386 and it doesn't have this problem, it's able to block offenders… would this have to do with the amd64 snort binaries?

                                          I also noticed that if I try to clear the alerts, it goes to a blank page without clearing the alerts (does this on i386 and amd64)

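An added example, not code from the pfSense package or from Snort: a preflight for the failure the FATAL ERROR above reports, where snort.conf names an output plugin (alert_pf) that the installed binary was not built with. It lists the output plugins a snort.conf asks for and flags any not in a caller-supplied list. The supported list and the sample conf are constructed for illustration; which plugins a given build really has is only settled by running that binary in test mode, `snort -T -c snort.conf`, which this does not do.

```shell
#!/bin/sh
# Added example (not the pfSense Snort package's or Snort's own code): list the
# output plugins a snort.conf requests and report those missing from a
# caller-supplied supported list, anticipating the
#   FATAL ERROR: snort.conf(N) Unknown output plugin: "..."
# start-up failure quoted in the thread. Assumption: the supported list comes
# from the caller; the real authority is `snort -T -c snort.conf` on the
# target binary, which this script only anticipates.

# conf_output_plugins CONF
# Print the plugin names from lines like "output alert_pf: /path,snort2c",
# one per line, deduplicated. Comments and leading whitespace are ignored.
conf_output_plugins() {
    sed -n -E 's/^[[:space:]]*output[[:space:]]+([A-Za-z0-9_]+)[[:space:]]*:?.*$/\1/p' "$1" | sort -u
}

# unknown_output_plugins CONF "plugin1 plugin2 ..."
# Print plugins requested by CONF that are not in the supported list.
# Returns 0 if all are supported, 1 if at least one is unknown (snort would
# refuse to start on the first such line).
unknown_output_plugins() {
    conf=$1; supported=$2; rc=0
    for p in $(conf_output_plugins "$conf"); do
        found=0
        for s in $supported; do
            if [ "$p" = "$s" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$p"
            rc=1
        fi
    done
    return $rc
}
```

Usage: `unknown_output_plugins /usr/local/etc/snort/snort_39737_em3/snort.conf "unified2 alert_fast alert_syslog log_tcpdump"`; a printed `alert_pf` with return code 1 is the amd64 symptom from the post, and a matching i386 conf with `alert_pf` added to the list returns 0. Because the pf blocking in the post depends entirely on `alert_pf`, a build without it starts but never populates the snort2c table, so a clean start is not evidence that Block Offenders works.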
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.