Netgate Discussion Forum

Snort Won't Start After Upgrade

pfSense Packages
301 Posts 64 Posters 220.1k Views
  • C
    Cino
    last edited by Aug 5, 2011, 7:36 PM

    @seattle-it:

    What happened to Barnyard??

    Seems to be totally missing >:(

    need users to test it and report back with detailed errors… this will help the dev fix issues

    • C
      Cino
      last edited by Aug 5, 2011, 7:37 PM

      @ermal:

      Thank you for helping in testing Cino.

      Anytime! I may just re-install my system this weekend or next week and try amd64

      • I
        Ibor Daru
        last edited by Aug 5, 2011, 9:59 PM Aug 5, 2011, 9:49 PM

        @ermal

        @ermal:

        That says the service is started.
        Any other logs to claim that snort is not starting Ibor?

        Mainly based on the following (see attached images):

        • (dashboard widget system information) memory usage before and after are the same

        • (dashboard widget services status) service status still indicates "stopped"

        • (main snort menu) icon remains as "green play icon", not turned to "red cross button"

        BTW if you require additional log file(s), feel free to ask. Please note: I'm not that familiar what log file(s) Snort use(s) exactly within PFSense. Guidance is then appreciated. If wanted I'm available for testing/debugging.

        ![Dashboard overview after starting snort.JPG](/public/imported_attachments/1/Dashboard overview after starting snort.JPG)
        ![Snort started.JPG](/public/imported_attachments/1/Snort started.JPG)
        ![green icon after snort has been started.JPG](/public/imported_attachments/1/green icon after snort has been started.JPG)

        • S
          seattle-it
          last edited by Aug 5, 2011, 10:01 PM

          @Cino:

          @seattle-it:

          What happened to Barnyard??

          Seems to be totally missing >:(

          need users to test it and report back with detailed errors… this will help the dev fix issues

          Test what? The barnyard2 binary is missing.

          My tech blog - seattleit.net/blog

          • C
            Cino
            last edited by Aug 6, 2011, 1:00 AM

            @seattle-it:

            @Cino:

            @seattle-it:

            What happened to Barnyard??

            Seems to be totally missing >:(

            need users to test it and report back with detailed errors… this will help the dev fix issues

            Test what? The barnyard2 binary is missing.

            You just did but saying the binary is missing.

            • S
              seattle-it
              last edited by Aug 6, 2011, 1:42 AM

              You just did but saying the binary is missing.

              You make zero sense... anyways, back to reality:

              I've been able to get Snort + Barnyard to a working state with the current Snort package. For others that may be running into similar issues, the quick fixes I had to apply were:

              1. pkg_add -r barnyard2
              2. ln -s /usr/local/etc/snort/snort_<digits>_<interface> /usr/local/etc/snort/snort_<interface>

              I've had other front-end issues with my config not being saved properly. Something triggers it to blank out the interface and other snort settings, which is a pita. Things seem to work from the UI now, but I'm sticking with using the terminal to control things (and will probably roll out my own 2.9.0.X binary eventually).

              My tech blog - seattleit.net/blog

              • C
                Cino
                last edited by Aug 6, 2011, 4:07 PM Aug 6, 2011, 2:26 AM

                @Ermal I'm testing the amd64 platform. Snort starts and seems to work, but when I check Block Offenders, I get this error:

                Aug 5 23:49:30 	SnortStartup[62468]: Interface Rule START for 0_39737_em3...
                Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
                Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
                Aug 5 23:49:30 	snort[62343]: Log directory = /var/log/snort


                Line 351 from my conf:

                output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c


                The snort2c table is defined under tables, and the whitelist files look to be the same format as i386.

                I retested i386 and it doesn't have this problem; it's able to block offenders… would this happen to do with the amd64 snort binaries?

                Also noticed if I try to clear the alerts, it goes to a blank page without clearing the alerts (does this on i386 and amd64).

                • D
                  digdug3
                  last edited by Aug 6, 2011, 3:40 PM

                  I can confirm Snort and suppress working again with RC3-build 05-08 i386.
                  Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
                  Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

                  Second problem I have is this when I enable the snort_netbios.rules:

                  snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

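The "GID 1 SID 3239 in rule duplicates previous rule, with different protocol" message above is Snort refusing to load two enabled rules that share a generator/signature id. The checker below is an added example written for this thread, not code from the pfSense Snort package: it walks a set of rules files in load order, indexes every enabled rule by (gid, sid), and reports collisions, marking the ones where the protocol differs (the case that aborts startup here) separately from same-protocol repeats. The rule text is constructed sample data, not real VRT or Emerging Threats rules, and the file names are assumptions; point it at a real snort_<id>_<if>/rules directory to check before restarting.

```python
import re
import sys

# Snort rule header: action proto src sport dir dst dport ( options )
# A leading "#" means the rule was disabled (the pfSense GUI comments rules out).
RULE_RE = re.compile(
    r'^\s*(?P<disabled>#\s*)?'
    r'(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+'
    r'(?P<proto>\w+)\s+.*?\((?P<opts>.*)\)\s*$'
)
# sid/gid options are matched only at an option boundary (start or after ";").
# A "sid:" inside a quoted msg string could still fool this; good enough for triage.
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'(?:^|;)\s*gid\s*:\s*(\d+)\s*;')


def logical_lines(text):
    """Join backslash-continued lines; yield (lineno of first physical line, text)."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        if raw.rstrip().endswith('\\'):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, ''.join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, ''.join(buf)


def parse_rules(text, filename):
    """Yield (gid, sid, proto, filename, lineno) for every *enabled* rule."""
    for lineno, line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m or m.group('disabled'):
            continue  # blank line, comment, or rule commented out
        opts = m.group('opts')
        sid = SID_RE.search(opts)
        if not sid:
            continue  # malformed rule without a sid; Snort would complain separately
        gid = GID_RE.search(opts)
        gid_val = int(gid.group(1)) if gid else 1  # Snort's default generator id
        yield gid_val, int(sid.group(1)), m.group('proto').lower(), filename, lineno


def find_duplicates(files):
    """files: list of (filename, content) in load order. Returns conflict dicts."""
    seen = {}       # (gid, sid) -> (proto, filename, lineno) of first enabled rule
    conflicts = []
    for fname, text in files:
        for gid, sid, proto, f, ln in parse_rules(text, fname):
            key = (gid, sid)
            if key in seen:
                first_proto, first_file, first_line = seen[key]
                conflicts.append({
                    'gid': gid, 'sid': sid,
                    'first': (first_file, first_line, first_proto),
                    'dup': (f, ln, proto),
                    'protocol_differs': first_proto != proto,
                })
            else:
                seen[key] = (proto, f, ln)
    return conflicts


def format_report(conflicts):
    """One human-readable line per collision."""
    out = []
    for c in conflicts:
        f1, l1, p1 = c['first']
        f2, l2, p2 = c['dup']
        kind = 'different protocol (fatal at startup)' if c['protocol_differs'] else 'same protocol'
        out.append(f"GID {c['gid']} SID {c['sid']}: {f2}:{l2} ({p2}) duplicates {f1}:{l1} ({p1}) - {kind}")
    return out


# Constructed sample rules (not real VRT / Emerging Threats content).
NETBIOS = r"""# constructed sample, not real VRT rule text
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample A"; flow:to_server; sid:3239; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS disabled"; sid:3240; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS sample B"; \
    sid:3241; rev:2;)
"""
ET = r"""# constructed sample, not real Emerging Threats rule text
alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"ET sample"; sid:3239; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET other"; gid:1; sid:2010000; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET same sid again"; sid:2010000; rev:4;)
"""
SAMPLE_FILES = [('snort_netbios.rules', NETBIOS), ('emerging-netbios.rules', ET)]  # assumed names


if __name__ == '__main__':
    if len(sys.argv) > 1:  # real rules files, in the order snort.conf includes them
        files = []
        for path in sys.argv[1:]:
            with open(path, encoding='utf-8', errors='replace') as fh:
                files.append((path, fh.read()))
    else:
        files = SAMPLE_FILES
    for line in format_report(find_duplicates(files)):
        print(line)
```

Run it with the rules files as arguments in the same order snort.conf includes them; a different-protocol hit tells you which category (or which of two overlapping rulesets, as Cino notes below) to disable or deduplicate before starting the service.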
                  • C
                    Cino
                    last edited by Aug 6, 2011, 3:48 PM

                    @digdug3:

                    I can confirm Snort and suppress working again with RC3-build 05-08 i386.
                    Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
                    Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

                    Second problem I have is this when I enable the snort_netbios.rules:

                    snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

                    I noticed that too when I installed the amd64 version, that barnyard wasn't installing. It did try to change some of the files but came back with files not found.

                    Uncheck netbios and it should start… you may get some more errors that are rules related... uncheck the rules until snort starts. These kinds of errors I believe are not because of the snort package but because of the rules themselves. Sometimes it's a duplication because of the .so rules and/or when you are using 2 different rulesets (emerging and snort together).

                    • G
                      grandrivers
                      last edited by Aug 7, 2011, 12:57 PM Aug 7, 2011, 3:38 AM

                      Emerging threats seems to be okay after deleting and installing again. I have not been able to clear the alerts log; after hitting clear then ok I just end up on a blank page.

                      Note: now it seems to quit adding to the log.

                      pfsense plus 25.03 super micro A1SRM-2558F
                      C2558 32gig ECC  60gig SSD

                      • D
                        digdug3
                        last edited by Aug 7, 2011, 6:24 AM

                        @Cino:

                        @digdug3:

                        I can confirm Snort and suppress working again with RC3-build 05-08 i386.
                        Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
                        Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

                        Second problem I have is this when I enable the snort_netbios.rules:

                        snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

                        I noticed that too when I installed the amd64 version, that barnyard wasn't installing. It did try to change some of the files but came back with files not found.

                        Uncheck netbios and it should start… you may get some more errors that are rules related... uncheck the rules until snort starts. These kinds of errors I believe are not because of the snort package but because of the rules themselves. Sometimes it's a duplication because of the .so rules and/or when you are using 2 different rulesets (emerging and snort together).

                        Yes, that's exactly what I did. I disabled the snort_netbios.rules.
                        Strange thing is, with my pfSense v1.2.3-i386 box it works(?). Same rules, same settings…

                        • H
                          hmishra
                          last edited by Aug 8, 2011, 3:42 AM

                          Hmmm… The blocked list is not reset after being set once. I know it was working just a couple of days back, since I have verified the cron job to auto-update the snort signatures as well as reset the blocked list was there before. Now it is no longer present.

                          • D
                            darklogic
                            last edited by Aug 9, 2011, 3:39 AM

                            Something I noticed on the SNORT categories tab and rules tab. If you click categories and then click on a ruleset from the category tab it will take you to that rule set under the rules tab and show every rule that you may have enabled or disabled. But, if you click the rules tab and then select the ruleset from the drop down list, it will show the same rules and show things enabled and disabled in a different manner than from clicking the ruleset from the category list?

                            Anyone else have this or know what this is about?

                            Thanks,

                            • C
                              Cino
                              last edited by Aug 9, 2011, 1:18 PM

                              @darklogic:

                              Something I noticed on the SNORT categories tab and rules tab. If you click categories and then click on a ruleset from the category tab it will take you to that rule set under the rules tab and show every rule that you may have enabled or disabled. But, if you click the rules tab and then select the ruleset from the drop down list, it will show the same rules and show things enabled and disabled in a different manner than from clicking the ruleset from the category list?

                              Anyone else have this or know what this is about?

                              Thanks,

                              I noticed that Ermal put in a bunch of tickets for Snort, http://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=1 I think 2 of them may be related to what you're reporting.

                              • C
                                Cino
                                last edited by Aug 9, 2011, 4:55 PM

                                I created a ticket for the alerts page not clearing. It did work sometime last week, so I'm hoping it's a quick fix.

                                http://redmine.pfsense.org/issues/1765

                                • D
                                  dwood
                                  last edited by Aug 9, 2011, 5:00 PM

                                  On a fresh AMD64 install as below, the SNORT service will not start. Log output as below.

                                  There are no alerts, no blocks, and the Snort interface tab shows both WAN1 and WAN2 interfaces with a green "go" icon, but no "x" icon. Snort rules are updated via a subscription OINK code, and various blocking rules were selected for both interfaces.

                                  Version 2.0-RC3 (amd64)
                                  built on Mon Aug 8 18:38:15 EDT 2011
                                  CPU Type Intel(R) Atom(TM) CPU 330 @ 1.60GHz
                                  Current: 599 MHz, Max: 1599 MHz

                                  Aug 9 12:52:38 SnortStartup[15371]: Toggle for 64301_re1…
                                  Aug 9 12:52:39 SnortStartup[26325]: Interface Rule START for 0_64301_re1…
                                  Aug 9 12:52:44 SnortStartup[39021]: Toggle for 64301_re1…
                                  Aug 9 12:52:44 SnortStartup[51124]: Interface Rule START for 0_64301_re1…
                                  Aug 9 12:53:18 SnortStartup[17090]: Snort Startup files Sync…
                                  Aug 9 12:53:18 SnortStartup[21542]: Snort HARD Reload For 64301_re1…

                                  • D
                                    darklogic
                                    last edited by Aug 9, 2011, 5:26 PM

                                    Thanks for the info.

                                    I also notice that I get a bunch of false positives when I enable the port scan and SMTP preprocessor. There are so many false positives that I have to turn those preprocessors off.

                                    • E
                                      eri--
                                      last edited by Aug 9, 2011, 5:52 PM

                                      I do not think that, as of today, the preprocessors part works correctly.

                                      • C
                                        Cino
                                        last edited by Aug 9, 2011, 6:05 PM

                                        @ermal:

                                        I do not think that, as of today, the preprocessors part works correctly.

                                        For amd64? Or both, amd64 and i386?

                                        • E
                                          eri--
                                          last edited by Aug 9, 2011, 6:18 PM

                                          Both.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.