Snort Won't Start After Upgrade

Cino

@seattle-it:

What happened to Barnyard??

Seems to be totally missing >:(

need users to test it and report back with detailed errors… this will help the dev fix issues

Cino

@ermal:

Thank you for helping in testing Cino.

Anytime! I may just re-install my system this weekend or next week and try amd64

Ibor Daru

@ermal

@ermal:

That says the service is started.
Any other logs to claim that snort is not starting Ibor?

Mainly based on the following (see attached images):

(dashboard widget system information) memory usage before and after are the same
(dashboard widget services status) service status still indicates "stopped"
(main snort menu) icon remains as "green play icon", not turned to "red cross button"

BTW if you require additional log file(s), feel free to ask. Please note: I'm not that familiar what log file(s) Snort use(s) exactly within PFSense. Guidance is then appreciated. If wanted I'm available for testing/debugging.

![Dashboard overview after starting snort.JPG](/public/imported_attachments/1/Dashboard overview after starting snort.JPG)
![Dashboard overview after starting snort.JPG_thumb](/public/imported_attachments/1/Dashboard overview after starting snort.JPG_thumb)
![Snort started.JPG](/public/imported_attachments/1/Snort started.JPG)
![Snort started.JPG_thumb](/public/imported_attachments/1/Snort started.JPG_thumb)
![green icon after snort has been started.JPG](/public/imported_attachments/1/green icon after snort has been started.JPG)
![green icon after snort has been started.JPG_thumb](/public/imported_attachments/1/green icon after snort has been started.JPG_thumb)

seattle-it

@Cino:

@seattle-it:

What happened to Barnyard??

Seems to be totally missing >:(

need users to test it and report back with detailed errors… this will help the dev fix issues

Test what? the barnyard2 binary is missing

Cino

@seattle-it:

@Cino:

@seattle-it:

What happened to Barnyard??

Seems to be totally missing >:(

need users to test it and report back with detailed errors… this will help the dev fix issues

Test what? the barnyard2 binary is missing

You just did but saying the binary is missing.

seattle-it

You just did but saying the binary is missing.

You make zero sense .. anyways, back to reality:

I've been able to get Snort + Barnyard to a working state with the current Snort package. For others that may be running into similar issues, the quick fixes i had to apply were:

pkg_add -r barnyard2
ln -s /usr/local/etc/snort/snort_<digits>interface /usr/local/etc/snort/snort_ <interface>I've had other front-end issues with my config not being saved properly. Something triggers it to blank out interface and other snort settings, which is a pita. Things seem to work from the UI now, but I'm sticking with using the terminal to control things (and will probably roll out my own 2.9.0.X binary eventually).</interface></digits>

Cino

@Ermal I'm testing the amd64 platform. Snort starts and seems to be work but when I check Block Offenders, I get this error


Aug 5 23:49:30 	SnortStartup[62468]: Interface Rule START for 0_39737_em3...
Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
Aug 5 23:49:30 	snort[62343]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(351) Unknown output plugin: "alert_pf"
Aug 5 23:49:30 	snort[62343]: Log directory = /var/log/snort

line 351 from my conf


output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c

snort2c table is defined under tables, whitelist files look to be the same format as i386

I retested i386 and it doesn't have this problem, its able to block offenders… would this happen to do with the amd64 snort binaries?

also noticed if i try to clear the alerts, it goes to a blank page without clearing the alerts (Does this on i386 and amd64)

digdug3

I can confirm Snort and suppress working again with RC3-build 05-08 i386.
Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

Second problem i have is this when I enable the snort_netbios.rules:

snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

Cino

@digdug3:

I can confirm Snort and suppress working again with RC3-build 05-08 i386.
Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

Second problem i have is this when I enable the snort_netbios.rules:

snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

I noticed that too when I install the amd64 ver, that barnyard wasn't installing. it did try to change some of the files but came back with files not found.

uncheck netbios and it should start… you may get some more errors that are rules related... uncheck the rules until snort starts. These kind of errors I believe are not because of the snort package but because of the rules themselves. Sometimes its a duplication because of the .so rules and/or when you are using 2 different rulesets(emerging and snort together).

grandrivers

emerging threats seems to be okay after deleting and installing again . I have not been able to clear the alerts log after hitting clear then ok just endup on blank page.

note: now seems to quit adding to log

digdug3

@Cino:

@digdug3:

I can confirm Snort and suppress working again with RC3-build 05-08 i386.
Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
Reinstalling the package will not bring Barnyard alive also. I think this is the reason for the GUI to break as well.

Second problem i have is this when I enable the snort_netbios.rules:

snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

I noticed that too when I install the amd64 ver, that barnyard wasn't installing. it did try to change some of the files but came back with files not found.

uncheck netbios and it should start… you may get some more errors that are rules related... uncheck the rules until snort starts. These kind of errors I believe are not because of the snort package but because of the rules themselves. Sometimes its a duplication because of the .so rules and/or when you are using 2 different rulesets(emerging and snort together).

Yes, that's exactly what I did. I disabled the snort_netbios.rules
Strange thing is with my pfSense v1.2.3-i386 box it works(?). Same rules, same settings…

hmishra

Hmmm….The blocked list is not reset after being set once. I know it was working just couple days back since I have verified the cron job to auto update the snort signatures as well as resetting the blocked list was there before. Now it is no longer present.

darklogic

Something I noticed on the SNORT categories tab and rules tab. If you click categories and then click on a ruleset from the category tab it will take you to that rule set under the rules tab and show every rule that you may have enabled or disabled. But, if you click the rules tab and then select the ruleset from the drop down list, it will show the same rules and show things enabled and disabled in a different manner than from clicking the ruleset from the category list?

Anyone else have this or know what this is about?

Thanks,

Cino

@darklogic:

Something I noticed on the SNORT categories tab and rules tab. If you click categories and then click on a ruleset from the category tab it will take you to that rule set under the rules tab and show every rule that you may have enabled or disabled. But, if you click the rules tab and then select the ruleset from the drop down list, it will show the same rules and show things enabled and disabled in a different manner than from clicking the ruleset from the category list?

Anyone else have this or know what this is about?

Thanks,

I noticed that Ermal put in a bunch of tickets for Snort, http://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=1 I think 2 of them maybe related to what your reporting

Cino

I created a ticket for the alerts page not clearing. It did work sometime last week so I'm hoping its a quick fix.

http://redmine.pfsense.org/issues/1765

dwood

On a fresh AMD64 install as below, SNORT service will not start. Log output as below.

There are no alerts, no blocks and the Snort interface tab shows both WAN1 and WAN2 interfaces with a green "go" icon, but no "x" icon. Snort rules are updated via a subscription OINK code, and various blocking rules were selected for both interfaces.

Version 2.0-RC3 (amd64)
built on Mon Aug 8 18:38:15 EDT 2011
CPU Type Intel(R) Atom(TM) CPU 330 @ 1.60GHz
Current: 599 MHz, Max: 1599 MHz

Aug 9 12:52:38 SnortStartup[15371]: Toggle for 64301_re1…
Aug 9 12:52:39 SnortStartup[26325]: Interface Rule START for 0_64301_re1…
Aug 9 12:52:44 SnortStartup[39021]: Toggle for 64301_re1…
Aug 9 12:52:44 SnortStartup[51124]: Interface Rule START for 0_64301_re1…
Aug 9 12:53:18 SnortStartup[17090]: Snort Startup files Sync…
Aug 9 12:53:18 SnortStartup[21542]: Snort HARD Reload For 64301_re1…

darklogic

Thanks for the info.

I also notice that I get a bunch of false positives when I enable the port scan and SMTP preprocessor. There are so many false positives that I have to turn those preprocessors off.

eri--

I do not think that as today the preprocessors part works correctly.

Cino

@ermal:

I do not think that as today the preprocessors part works correctly.

for amd64? or both, am64 and i386?

eri--

Both.