Netgate Discussion Forum

    Snort package on 64 doesn't work

      Cino

      It's working for me on i386..

      Make sure you save the global page, then go to the interface page and save there… can't hurt: change the setting, save, then change it to the setting you want... but here are my cron settings

      */5  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c

        hmishra

        Thanks Cino! I really appreciate it. I will try the saving of the setting again once I get back home.

        In the meantime, in case the cron job does not get added with the steps above, could you also post the cron entry for Snort auto update? That is missing as well since it was part of the same cron entry, just another command.

        Thanks!

          Cino

          @hmishra:

          Thanks Cino! I really appreciate it. I will try the saving of the setting again once I get back home.

          In the meantime, in case the cron job does not get added with the steps above, could you also post the cron entry for Snort auto update? That is missing as well since it was part of the same cron entry, just another command.

          Thanks!

          Anytime :-)

          3  */12  *  *  *  root  /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log

            hmishra

            Cino,

            Your suggestion worked! Unchecking block offender, Save, rechecking and Save introduced the missing cron jobs for even the auto update of Snort rules.

            Thanks!

              Cino

              Good to hear!!! I try to re-save all my settings when I update the package to make sure it takes all the settings.

                VeGeTa-X

                I am not able to get snort to start either. I also unchecked my block offender and re-checked it and it did not work. Also, I deleted the interface in snort and recreated it, and that also did not work. I am running the AMD64 version also; does anyone else have any more tips to fix this?

                  seattle-it

                  @VeGeTa-X:

                  I am not able to get snort to start also I also unchecked my block offender and re-checked it and it did not work.  Also I deleted the interface in snort and recreated and also did not work. I am running AMD64 version also; does anyone else have anymore tips to fix this?

                  SSH into pfsense and run:

                  
                  /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_<number>_<interface>/snort.conf -i <interface>
                  

                  The error(s) should appear

                  My tech blog - seattleit.net/blog

                    VeGeTa-X

                    I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

                    /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

                      seattle-it

                      @VeGeTa-X:

                      I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

                      /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

                      make sure /usr/lib/libpcap.so is there then run..

                      
                      ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
                      
                      

                      And try again

                      My tech blog - seattleit.net/blog
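
A guarded version of the workaround in the post above, as an added example that is not part of the original thread: it lists the libraries the loader cannot resolve and creates the link only when the source library exists and the target name is free. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): guarded libpcap symlink workaround.

# Read ldd-style output on stdin and print each soname reported as missing.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# link_soname SRC DST: create DST -> SRC only when it is safe to do so.
# Returns 0 if the link was created, 1 if SRC is missing,
# 2 if DST already exists (including a dangling symlink).
link_soname() {
    src=$1
    dst=$2
    if [ ! -e "$src" ]; then
        echo "source $src not found; nothing linked" >&2
        return 1
    fi
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "$dst already exists; leaving it alone" >&2
        return 2
    fi
    ln -s "$src" "$dst"
}

# Constructed sample of ldd output showing the symptom from the thread.
SAMPLE_LDD='/usr/local/bin/snort:
	libpcap.so.1 => not found (0x0)
	libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# Demo on the constructed sample; on a real box, pipe in the output of
# "ldd /usr/local/bin/snort" and then call, for example:
#   link_soname /usr/lib/libpcap.so /usr/lib/libpcap.so.1
printf '%s\n' "$SAMPLE_LDD" | missing_libs
```

A symlink only satisfies the loader's lookup by name; it does not guarantee that the library is ABI-compatible with the one snort was linked against.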

                        VeGeTa-X

                        Thx, linking both files worked. I just had to turn off block offender and restart and it worked. Thx again for your help.

                          VeGeTa-X

                          I have one more question: when I enable block offenders, snort does not work, and when I disable it, snort works. I found the link below saying that the snort package is missing some kind of spoink code?

                          http://redmine.pfsense.org/issues/1753

                            Ibor Daru

                            @seattle-it:

                            @VeGeTa-X:

                            I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

                            /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

                            make sure /usr/lib/libpcap.so is there then run..

                            
                            ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
                            
                            

                            And try again

                            Can't thank you enough! Snort is working again after so long, such an easy fix!

                              VeGeTa-X

                              It seems a bit weird: snort is running but I am not receiving any alerts.

                                Cino

                                Are your preprocessors turned on? Go to https://www.grc.com/x/ne.dll?bh0bkyd2 to test snort… you should get a scan alert.

                                  VeGeTa-X

                                  Yes, all options are turned on for preprocessors, and I did an all-port scan on the site below and got no alerts.

                                    Cino

                                    I have no idea ??? It worked for me last weekend… Are you running 2.0RC3 or 2.1-Dev?

                                      VeGeTa-X

                                      I am running 2.0rc3 64bit

                                        Gloom

                                        @VeGeTa-X:

                                        I have one more question when I enable block offenders snort does not work and when I disable it snort works.  I found the link below saying that snort package is missing some kind of spoink code?

                                        http://redmine.pfsense.org/issues/1753

                                        Spoink is an OpenBSD output plugin that adds the offending host to the block list in snort. I was always under the impression that pfsense used snort2c to do that job. Seems I was wrong.

                                        Never underestimate the power of human stupidity

                                          Cino

                                          @VeGeTa-X:

                                          I am running 2.0rc3 64bit

                                          I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me.

                                            Ibor Daru

                                            @Cino:

                                            @VeGeTa-X:

                                            I am running 2.0rc3 64bit

                                            i'll have to start a vm for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me

                                            Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.