Netgate Discussion Forum

    Snort Won't Start After Upgrade

301 Posts 64 Posters 217.6k Views

Cino

      @digdug3:

      I can confirm Snort and suppress working again with RC3-build 05-08 i386.
      Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
Reinstalling the package will not bring Barnyard alive either. I think this is the reason for the GUI to break as well.

Second problem I have is this when I enable the snort_netbios.rules:

      snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

I noticed that too when I installed the amd64 version: barnyard wasn't installing. It did try to change some of the files but came back with "files not found".

Uncheck netbios and it should start… You may get some more errors that are rules related... Uncheck the rules until snort starts. These kinds of errors, I believe, are not because of the snort package but because of the rules themselves. Sometimes it's a duplication because of the .so rules and/or when you are using 2 different rulesets (emerging and snort together).

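The duplicate-SID error quoted above comes from the same GID:SID being defined by two rules (here with different protocols); rather than disabling categories until Snort starts, the check below lists every colliding SID together with the file and protocol of each definition, so the offending file can be disabled directly. This is an added example written for this page, not code from the thread or from the pfSense Snort package; the rules directory path is the one that appears in the thread, and the rule files used in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): report GID:SID values that are defined
# by more than one active rule in a Snort rules directory, with the protocol
# and file of each definition. Commented-out rules are ignored.

# find_dup_sids DIR
#   Scans DIR/*.rules and prints one line per collision:
#   "<gid>:<sid> <proto1> <file1> <proto2> <file2>"
find_dup_sids() {
    awk '
        # Only active rule headers: an action keyword, then the protocol.
        /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]+/ {
            proto = $2
            gid = "1"                 # Snort default when no gid option is set
            if (match($0, /gid:[ \t]*[0-9]+/)) {
                gid = substr($0, RSTART + 4, RLENGTH - 4)
                gsub(/[ \t]/, "", gid)
            }
            if (!match($0, /sid:[ \t]*[0-9]+/)) next   # no sid: not a rule we can key
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/[ \t]/, "", sid)
            key = gid ":" sid
            if (key in proto_of)
                print key, proto_of[key], file_of[key], proto, FILENAME
            else {
                proto_of[key] = proto
                file_of[key]  = FILENAME
            }
        }
    ' "$1"/*.rules
}

# Usage on the firewall (path from the thread; the per-interface directory name
# differs per box): sh find_dup_sids.sh /usr/local/etc/snort/snort_61390_em1/rules
if [ $# -gt 0 ]; then
    find_dup_sids "$1"
fi
```

An empty result means no SID is defined twice across the active rules; each printed line names the two files involved, and disabling or editing only those avoids turning off whole categories.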
grandrivers

Emerging Threats seems to be okay after deleting and installing again. I have not been able to clear the alerts log; after hitting Clear then OK I just end up on a blank page.

Note: now it seems to have quit adding to the log.

        pfsense plus 25.03 super micro A1SRM-2558F
        C2558 32gig ECC  60gig SSD

digdug3

          @Cino:

          @digdug3:

          I can confirm Snort and suppress working again with RC3-build 05-08 i386.
          Barnyard is NOT working because it is not installed during the update process, that's why barnyard.conf does not exist.
Reinstalling the package will not bring Barnyard alive either. I think this is the reason for the GUI to break as well.

Second problem I have is this when I enable the snort_netbios.rules:

          snort[26631]: FATAL ERROR: /usr/local/etc/snort/snort_61390_em1/rules/snort_netbios.rules(152) GID 1 SID 3239 in rule duplicates previous rule, with different protocol.

I noticed that too when I installed the amd64 version: barnyard wasn't installing. It did try to change some of the files but came back with "files not found".

Uncheck netbios and it should start… You may get some more errors that are rules related... Uncheck the rules until snort starts. These kinds of errors, I believe, are not because of the snort package but because of the rules themselves. Sometimes it's a duplication because of the .so rules and/or when you are using 2 different rulesets (emerging and snort together).

Yes, that's exactly what I did. I disabled the snort_netbios.rules.
Strange thing is, with my pfSense v1.2.3-i386 box it works(?). Same rules, same settings…

hmishra

Hmmm…. The blocked list is not reset after being set once. I know it was working just a couple of days back, since I had verified that the cron job to auto-update the snort signatures as well as reset the blocked list was there before. Now it is no longer present.

darklogic

Something I noticed on the SNORT Categories tab and Rules tab. If you click Categories and then click on a ruleset from the Categories tab, it will take you to that ruleset under the Rules tab and show every rule that you may have enabled or disabled. But, if you click the Rules tab and then select the ruleset from the drop-down list, it will show the same rules but show things enabled and disabled in a different manner than when clicking the ruleset from the category list.

              Anyone else have this or know what this is about?

              Thanks,

Cino

                @darklogic:

Something I noticed on the SNORT Categories tab and Rules tab. If you click Categories and then click on a ruleset from the Categories tab, it will take you to that ruleset under the Rules tab and show every rule that you may have enabled or disabled. But, if you click the Rules tab and then select the ruleset from the drop-down list, it will show the same rules but show things enabled and disabled in a different manner than when clicking the ruleset from the category list.

                Anyone else have this or know what this is about?

                Thanks,

I noticed that Ermal put in a bunch of tickets for Snort: http://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=1 I think 2 of them may be related to what you're reporting.

Cino

I created a ticket for the alerts page not clearing. It did work sometime last week, so I'm hoping it's a quick fix.

                  http://redmine.pfsense.org/issues/1765

dwood

On a fresh AMD64 install as below, the SNORT service will not start. Log output as below.

There are no alerts, no blocks, and the Snort interface tab shows both WAN1 and WAN2 interfaces with a green "go" icon, but no "x" icon. Snort rules are updated via a subscription OINK code, and various blocking rules were selected for both interfaces.

                    Version 2.0-RC3 (amd64)
                    built on Mon Aug 8 18:38:15 EDT 2011
                    CPU Type Intel(R) Atom(TM) CPU 330 @ 1.60GHz
                    Current: 599 MHz, Max: 1599 MHz

                    Aug 9 12:52:38 SnortStartup[15371]: Toggle for 64301_re1…
                    Aug 9 12:52:39 SnortStartup[26325]: Interface Rule START for 0_64301_re1…
                    Aug 9 12:52:44 SnortStartup[39021]: Toggle for 64301_re1…
                    Aug 9 12:52:44 SnortStartup[51124]: Interface Rule START for 0_64301_re1…
                    Aug 9 12:53:18 SnortStartup[17090]: Snort Startup files Sync…
                    Aug 9 12:53:18 SnortStartup[21542]: Snort HARD Reload For 64301_re1…

darklogic

                      Thanks for the info.

                      I also notice that I get a bunch of false positives when I enable the port scan and SMTP preprocessor. There are so many false positives that I have to turn those preprocessors off.

eri--

I do not think that, as of today, the preprocessors part works correctly.

Cino

                          @ermal:

I do not think that, as of today, the preprocessors part works correctly.

For amd64? Or both, amd64 and i386?

eri--

                            Both.

Cino

                              I have alerts from it:

                              (http_inspect) NON-RFC DEFINED CHAR 119:14:1
                              (portscan) TCP Filtered Portscan 122:5:0

Those kinds of alerts are from the preprocessors, I believe, but I could be wrong…
This is on i386.

darklogic

                                Yep those look just like the errors I am getting.

Ibor Daru

Snort is finally running fine now. The following solution worked out for me on 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011! Maybe it will work for others on amd64.

ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1

                                  Reference
                                  http://forum.pfsense.org/index.php/topic,39677.msg205142.html#msg205142

Copy and paste (from the other referenced post)
                                  @seattle-it:

                                  @VeGeTa-X:

I ran your command "/usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0" and I received the error message below

                                  /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

Make sure /usr/lib/libpcap.so is there, then run:

ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1

                                  And try again

Cino

Not really sure why some are having issues with AMD64 and Snort. I did a fresh install over the weekend and snort worked. Blocking offenders doesn't work, but it did at least create alerts. Until that part is fixed, it doesn't make sense to run snort, IMHO.

Only thing I can think of: I'm running 2.1 Dev and not the mainstream 2.0RC3 snapshots…

                                    @Ermal Could my above statement make any sense on why AMD64 runs for me and not others?

Highroller

                                      @Cino:

Not really sure why some are having issues with AMD64 and Snort. I did a fresh install over the weekend and snort worked. Blocking offenders doesn't work, but it did at least create alerts. Until that part is fixed, it doesn't make sense to run snort, IMHO.

Only thing I can think of: I'm running 2.1 Dev and not the mainstream 2.0RC3 snapshots…

                                      @Ermal Could my above statement make any sense on why AMD64 runs for me and not others?

Have the issues with Snort and pfSense 2.0 RC3 been corrected?

breusshe

                                        ln -s /lib/libpcap.so.7 /lib/libpcap.so.1

                                        I used the above command, which fixed that issue.  However, when I tried to start after that, I got messages about a missing folder, "/usr/local/lib/snort/snort_dynamicpreprocessor/".

                                        To fix that issue, I wound up making three more symlinks:

                                        ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
                                        ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
                                        ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules

I then had an issue with snort unable to find "local.rules". To fix this (and I have no idea why this works) I had to manually update the rules (again, since they were already up to date) and then wait about five minutes. I discovered this by updating the rules by chance (read: desperation), then, when it failed to start, looking online for a few minutes before, out of desperation, trying to start Snort again only to see it work. Once all of the above was completed, Snort started. I do not know if the rules update helped or not, but I know that when I made a change to my "Performance" setting by changing AC-SPARSEBANDS to AC-STD, when I restarted Snort it would not work. After running the rules update again and waiting a few minutes, it started right up.

                                        Hope this helps folks.

Highroller

                                          @breusshe:

                                          ln -s /lib/libpcap.so.7 /lib/libpcap.so.1

                                          I used the above command, which fixed that issue.  However, when I tried to start after that, I got messages about a missing folder, "/usr/local/lib/snort/snort_dynamicpreprocessor/".

                                          To fix that issue, I wound up making three more symlinks:

                                          ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
                                          ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
                                          ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules

I then had an issue with snort unable to find "local.rules". To fix this (and I have no idea why this works) I had to manually update the rules (again, since they were already up to date) and then wait about five minutes. I discovered this by updating the rules by chance (read: desperation), then, when it failed to start, looking online for a few minutes before, out of desperation, trying to start Snort again only to see it work. Once all of the above was completed, Snort started. I do not know if the rules update helped or not, but I know that when I made a change to my "Performance" setting by changing AC-SPARSEBANDS to AC-STD, when I restarted Snort it would not work. After running the rules update again and waiting a few minutes, it started right up.

                                          Hope this helps folks.

"DANG" What a pain! Thanks for the info. The way I look at it, if you have to go through all this, there's no telling if it is even doing its job or not. I greatly appreciate the info!

breusshe

Another update. Just tried rebooting the server; no updates were done or any changes to configuration or addition/deletion of any packages. When the server came back up, Snort would not start. When I started Snort manually from the command line, it gave that same FATAL ERROR about not being able to locate /usr/local/etc/snort/../rules/local.rules. I let the box sit for about 10 minutes and tried to start Snort again, thinking something just needed to catch up. No dice. So, I re-ran the rules updater. It didn't update any of the rules, though the operation was successful (which makes sense, the rules were up to date already). Still no dice. I ran the updater a second time and Snort was able to start up immediately. I can reproduce this anytime just by rebooting the server.

                                            To fix this, I had to create the file using the following command:

                                            touch /usr/local/etc/snort/rules/local.rules

I know that the Snort error message uses the path "/usr/local/etc/snort/../rules/local.rules", but you need to remove the "../" in order for the touch command to work (since the /usr/local/etc/rules/ folder does not exist). Once the local.rules file exists, you can reboot the pfSense server all day long and Snort will start up at boot time automatically.

Okay, I think that concludes all of the odd little tweaks one has to do to get Snort to run under pfSense v2.0-RC3. I hope... The only snag that I think might cause an issue is a future rules update, since that flushes the rules folder. If local.rules is deleted, then it will have to be recreated. I would like to add the touch command to the bootup init scripts, someplace before the Snort service starts. But I'm not as familiar with FreeBSD, so I'm not entirely sure where that would be. As it stands, I might have to re-run this touch command after rules are updated, though it will work otherwise.

                                            At any rate, as a recap of all I've done to get Snort to work, I'm listing all of the commands here:

                                            1.)  ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
                                            2.)  ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
                                            3.)  ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
                                            4.)  ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules
                                            5.)  manually update the Snort rules.
                                            6.)  touch /usr/local/etc/snort/rules/local.rules

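The six-step recap above lends itself to a script that applies each workaround only when it is actually needed, so it can be re-run after every rules update (which, as noted, flushes the rules directory and with it local.rules) without creating duplicate or dangling symlinks. This is an added example written for this page, not the poster's commands or part of the pfSense Snort package. The ROOT prefix is an assumption added so the logic can be exercised against a scratch directory tree; on the firewall it is left empty, which yields exactly the paths listed in the recap. Step 5 (the manual rules update from the GUI) is not automated.

```sh
#!/bin/sh
# Added example (not from the thread): idempotent version of the Snort
# start-up workarounds collected in this thread. Safe to re-run after a rules
# update or at boot: each link is created only if its target exists and the
# link does not, and local.rules is only touched when it is missing.

# link_if_missing TARGET LINK
#   Create LINK -> TARGET only when TARGET exists and LINK is absent.
link_if_missing() {
    t=$1
    l=$2
    if [ -e "$l" ] || [ -L "$l" ]; then
        echo "skip: $l already present"
    elif [ -e "$t" ]; then
        ln -s "$t" "$l" && echo "link: $l -> $t"
    else
        echo "skip: $t not found, nothing to link"
    fi
}

# snort_fixups [ROOT]
#   ROOT is a hypothetical prefix for testing against a scratch tree; empty on
#   the real firewall.
snort_fixups() {
    root=${1:-}

    # 1. libpcap.so.1: both variants reported in the thread are tried in order;
    #    the first target that exists on this box is linked.
    for pair in "/lib/libpcap.so.7:/lib/libpcap.so.1" \
                "/usr/lib/libpcap.so:/usr/lib/libpcap.so.1"; do
        target="$root${pair%%:*}"
        link="$root${pair#*:}"
        if [ -e "$target" ]; then
            link_if_missing "$target" "$link"
            break
        fi
    done

    # 2-4. snort_dynamic* directories that snort expects one level above
    #      where the package installed them.
    for d in dynamicpreprocessor dynamicengine dynamicrules; do
        link_if_missing "$root/usr/local/lib/snort/$d" \
                        "$root/usr/local/lib/snort_$d"
    done

    # 6. local.rules must exist (an empty file is fine) or snort refuses to start.
    mkdir -p "$root/usr/local/etc/snort/rules"
    if [ ! -e "$root/usr/local/etc/snort/rules/local.rules" ]; then
        touch "$root/usr/local/etc/snort/rules/local.rules"
        echo "created: $root/usr/local/etc/snort/rules/local.rules"
    fi
}

# Only act when explicitly asked, so sourcing the file for its functions or
# running it by accident changes nothing:  sh snort_fixups.sh --apply
if [ "${1:-}" = "--apply" ]; then
    snort_fixups "${2:-}"
fi
```

Because every step checks before it acts, the script prints "skip" lines on a second run instead of failing on existing links, which is what makes it suitable to run again after each rules update.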
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.