Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort Won't Start After Upgrade

    Scheduled Pinned Locked Moved pfSense Packages
    301 Posts 64 Posters 219.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      Cino
      last edited by

      @seattle-it:

      What happened to Barnyard??

      Seems to be totally missing >:(

      need users to test it and report back with detailed errors… this will help the dev fix issues

      1 Reply Last reply Reply Quote 0
      • C
        Cino
        last edited by

        @ermal:

        Thank you for helping in testing Cino.

        Anytime! I may just re-install my system this weekend or next week and try amd64

        1 Reply Last reply Reply Quote 0
        • I
          Ibor Daru
          last edited by

          @ermal

          @ermal:

          That says the service is started.
          Any other logs to claim that snort is not starting Ibor?

          Mainly based on the following (see attached images):

          • (dashboard widget system information) memory usage before and after are the same

          • (dashboard widget services status) service status still indicates "stopped"

          • (main snort menu) icon remains as "green play icon", not turned to "red cross button"

          BTW if you require additional log file(s), feel free to ask. Please note: I'm not that familiar what log file(s) Snort use(s) exactly within PFSense. Guidance is then appreciated. If wanted I'm available for testing/debugging.

          ![Dashboard overview after starting snort.JPG](/public/imported_attachments/1/Dashboard overview after starting snort.JPG)
          ![Dashboard overview after starting snort.JPG_thumb](/public/imported_attachments/1/Dashboard overview after starting snort.JPG_thumb)
          ![Snort started.JPG](/public/imported_attachments/1/Snort started.JPG)
          ![Snort started.JPG_thumb](/public/imported_attachments/1/Snort started.JPG_thumb)
          ![green icon after snort has been started.JPG](/public/imported_attachments/1/green icon after snort has been started.JPG)
          ![green icon after snort has been started.JPG_thumb](/public/imported_attachments/1/green icon after snort has been started.JPG_thumb)

          1 Reply Last reply Reply Quote 0
          • S
            seattle-it
            last edited by

            @Cino:

            @seattle-it:

            What happened to Barnyard??

            Seems to be totally missing >:(

            need users to test it and report back with detailed errors… this will help the dev fix issues

            Test what? the barnyard2 binary is missing

            My tech blog - seattleit.net/blog

            1 Reply Last reply Reply Quote 0
            • C
              Cino
              last edited by

              @seattle-it:

              @Cino:

              @seattle-it:

              What happened to Barnyard??

              Seems to be totally missing >:(

              need users to test it and report back with detailed errors… this will help the dev fix issues

              Test what? the barnyard2 binary is missing

              You just did but saying the binary is missing.

              1 Reply Last reply Reply Quote 0
              • S
                seattle-it
                last edited by

                You just did but saying the binary is missing.

                You make zero sense .. anyways, back to reality:

                I've been able to get Snort + Barnyard to a working state with the current Snort package. For others that may be running into similar issues, the quick fixes i had to apply were:

                1. pkg_add -r barnyard2
                2. ln -s /usr/local/etc/snort/snort_<digits>interface  /usr/local/etc/snort/snort_ <interface>I've had other front-end issues with my config not being saved properly. Something triggers it to blank out interface and other snort settings, which is a pita. Things seem to work from the UI now, but I'm sticking with using the terminal to control things (and will probably roll out my own 2.9.0.X binary eventually).</interface></digits>

                My tech blog - seattleit.net/blog

                1 Reply Last reply Reply Quote 0
                • C
                  Cino
                  last edited by

                  @Ermal  I'm testing the amd64 platform. Snort starts and seems to be work but when I check Block Offenders, I get this error

                  
                  Aug 5 23:49:30 	SnortStartup[62468]: Interface Rule START for 0_39737_em3...
                  Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
                  Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
                  Aug 5 23:49:30 	snort[62343]: Log directory = /var/log/snort
                  
                  

                  line 351 from my conf

                  
                  output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c
                  
                  

                  snort2c table is defined under tables, whitelist files look to be the same format as i386

                  I retested i386 and it doesn't have this problem, its able to block offenders… would this happen to do with the amd64 snort binaries?

                  also noticed if i try to clear the alerts, it goes to a blank page without clearing the alerts (Does this on i386 and amd64)

                  1 Reply Last reply Reply Quote 0
                  • D
                    digdug3
                    last edited by

                    I can confirm Snort and suppress working again with RC3-build 05-08 i386.
                    Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
                    Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

                    Second problem i have is this when I enable the snort_netbios.rules:

                    snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

                    1 Reply Last reply Reply Quote 0
                    • C
                      Cino
                      last edited by

                      @digdug3:

                      I can confirm Snort and suppress working again with RC3-build 05-08 i386.
                      Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
                      Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

                      Second problem i have is this when I enable the snort_netbios.rules:

                      snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

                      I noticed that too when I install the amd64 ver, that barnyard wasn't installing. it did try to change some of the files but came back with files not found.

                      uncheck netbios and it should start… you may get some more errors that are rules related... uncheck the rules until snort starts. These kind of errors I believe are not because of the snort package but because of the rules themselves. Sometimes its a duplication because of the .so rules and/or when you are using 2 different rulesets(emerging and snort together).

                      1 Reply Last reply Reply Quote 0
                      • G
                        grandrivers
                        last edited by

                        emerging threats seems to be okay after deleting and installing again .  I have not been able to clear the alerts log after hitting clear then ok just endup on blank page.

                        note: now seems to quit adding to log

                        pfsense plus 25.03 super micro A1SRM-2558F
                        C2558 32gig ECC  60gig SSD

                        1 Reply Last reply Reply Quote 0
                        • D
                          digdug3
                          last edited by

                          @Cino:

                          @digdug3:

                          I can confirm Snort and suppress working again with RC3-build 05-08 i386.
                          Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
                          Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

                          Second problem i have is this when I enable the snort_netbios.rules:

                          snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

                          I noticed that too when I install the amd64 ver, that barnyard wasn't installing. it did try to change some of the files but came back with files not found.

                          uncheck netbios and it should start… you may get some more errors that are rules related... uncheck the rules until snort starts. These kind of errors I believe are not because of the snort package but because of the rules themselves. Sometimes its a duplication because of the .so rules and/or when you are using 2 different rulesets(emerging and snort together).

                          Yes, that's exactly what I did. I disabled the snort_netbios.rules
                          Strange thing is with my pfSense v1.2.3-i386 box it works(?). Same rules, same settings…

                          1 Reply Last reply Reply Quote 0
                          • H
                            hmishra
                            last edited by

                            Hmmm….The blocked list is not reset after being set once. I know it was working just couple days back since I have verified the cron job to auto update the snort signatures as well as resetting the blocked list was there before. Now it is no longer present.

                            1 Reply Last reply Reply Quote 0
                            • D
                              darklogic
                              last edited by

                              Something I noticed on the SNORT categories tab and rules tab. If you click categories and then click on a ruleset from the category tab it will take you to that rule set under the rules tab and show every rule that you may have enabled or disabled. But, if you click the rules tab and then select the ruleset from the drop down list, it will show the same rules and show things enabled and disabled in a different manner than from clicking the ruleset from the category list?

                              Anyone else have this or know what this is about?

                              Thanks,

                              1 Reply Last reply Reply Quote 0
                              • C
                                Cino
                                last edited by

                                @darklogic:

                                Something I noticed on the SNORT categories tab and rules tab. If you click categories and then click on a ruleset from the category tab it will take you to that rule set under the rules tab and show every rule that you may have enabled or disabled. But, if you click the rules tab and then select the ruleset from the drop down list, it will show the same rules and show things enabled and disabled in a different manner than from clicking the ruleset from the category list?

                                Anyone else have this or know what this is about?

                                Thanks,

                                I noticed that Ermal put in a bunch of tickets for Snort, http://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=1 I think 2 of them maybe related to what your reporting

                                1 Reply Last reply Reply Quote 0
                                • C
                                  Cino
                                  last edited by

                                  I created a ticket for the alerts page not clearing. It did work sometime last week so I'm hoping its a quick fix.

                                  http://redmine.pfsense.org/issues/1765

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    dwood
                                    last edited by

                                    On a fresh AMD64 install  as below, SNORT service will not start.  Log output as below.

                                    There are no alerts, no blocks and the Snort interface tab shows both WAN1 and WAN2 interfaces with a green "go" icon, but no "x" icon.  Snort rules are updated via a subscription OINK code, and various blocking rules were selected for both interfaces.

                                    Version 2.0-RC3 (amd64)
                                    built on Mon Aug 8 18:38:15 EDT 2011
                                    CPU Type Intel(R) Atom(TM) CPU 330 @ 1.60GHz
                                    Current: 599 MHz, Max: 1599 MHz

                                    Aug 9 12:52:38 SnortStartup[15371]: Toggle for 64301_re1…
                                    Aug 9 12:52:39 SnortStartup[26325]: Interface Rule START for 0_64301_re1…
                                    Aug 9 12:52:44 SnortStartup[39021]: Toggle for 64301_re1…
                                    Aug 9 12:52:44 SnortStartup[51124]: Interface Rule START for 0_64301_re1…
                                    Aug 9 12:53:18 SnortStartup[17090]: Snort Startup files Sync…
                                    Aug 9 12:53:18 SnortStartup[21542]: Snort HARD Reload For 64301_re1…

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      darklogic
                                      last edited by

                                      Thanks for the info.

                                      I also notice that I get a bunch of false positives when I enable the port scan and SMTP preprocessor. There are so many false positives that I have to turn those preprocessors off.

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        eri--
                                        last edited by

                                        I do not think that as today the preprocessors part works correctly.

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          Cino
                                          last edited by

                                          @ermal:

                                          I do not think that as today the preprocessors part works correctly.

                                          for amd64? or both, am64 and i386?

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            eri--
                                            last edited by

                                            Both.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.