Netgate Discussion Forum

    Snort package on 64 doesn't work

    • S
      seattle-it

      @VeGeTa-X:

      I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

      /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

      make sure /usr/lib/libpcap.so is there then run..

      
      ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
      
      

      And try again

      My tech blog - seattleit.net/blog
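
The check-then-link step from the post above, as an added example that is not part of the original thread: it parses the loader error, confirms the unversioned library exists, and refuses to overwrite an existing file. The function names and the optional library-directory argument are assumptions, and the demo runs in a scratch directory.

```sh
#!/bin/sh
# Added example: function names and the LIBDIR argument are assumptions,
# not part of pfSense or the Snort package.

# Pull the library name out of an rtld error line.
missing_lib() {
    printf '%s\n' "$1" |
        sed -n 's/.*Shared object "\([^"]*\)" not found.*/\1/p'
}

# libpcap.so.1 -> libpcap.so (strip the trailing version suffix).
unversioned_name() {
    printf '%s\n' "$1" | sed 's/\(\.so\)\.[0-9.]*$/\1/'
}

# link_missing_lib ERROR_LINE [LIBDIR]
# Returns: 0 link created, 1 line not recognised,
#          2 unversioned library absent, 3 link name already exists.
link_missing_lib() {
    libdir=${2:-/usr/lib}
    lib=$(missing_lib "$1")
    [ -n "$lib" ] || return 1
    target="$libdir/$(unversioned_name "$lib")"
    link="$libdir/$lib"
    # "make sure /usr/lib/libpcap.so is there" from the post.
    [ -e "$target" ] || return 2
    # Never replace an existing file or link with the workaround.
    if [ -e "$link" ] || [ -L "$link" ]; then
        return 3
    fi
    # Assumption: the unversioned library is ABI-compatible with the
    # version the binary asks for; the link only satisfies the name lookup.
    ln -s "$target" "$link"
}

# Constructed demo in a scratch directory; /usr/lib is not touched.
demo_dir=$(mktemp -d)
: > "$demo_dir/libpcap.so"
sample='/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"'
link_missing_lib "$sample" "$demo_dir" && ls -l "$demo_dir"
rm -rf "$demo_dir"
```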

      • V
        VeGeTa-X

        Thx, linking both files worked. I just had to turn off block offender and restart, and it worked. Thx again for your help.

        • V
          VeGeTa-X

          I have one more question: when I enable block offenders, snort does not work, and when I disable it, snort works. I found the link below saying that the snort package is missing some kind of spoink code?

          http://redmine.pfsense.org/issues/1753

          • I
            Ibor Daru

            @seattle-it:

            @VeGeTa-X:

            I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

            /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

            make sure /usr/lib/libpcap.so is there then run..

            
            ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
            
            

            And try again

            Can't thank you enough! Snort is working again after so long, such an easy fix!

            • V
              VeGeTa-X

              It seems a bit weird: snort is running but I am not receiving any alerts.

              • C
                Cino

                Are your preprocessors turned on? Go to https://www.grc.com/x/ne.dll?bh0bkyd2 to test snort… you should get a scan alert.

                • V
                  VeGeTa-X

                  Yes, all options are turned on for preprocessors, and I did an all-port scan on the site below and got no alerts.

                  • C
                    Cino

                    I have no idea ??? It worked for me last weekend… Are you running 2.0RC3 or 2.1-Dev?

                    • V
                      VeGeTa-X

                      I am running 2.0rc3 64bit

                      • G
                        Gloom

                        @VeGeTa-X:

                        I have one more question: when I enable block offenders, snort does not work, and when I disable it, snort works. I found the link below saying that the snort package is missing some kind of spoink code?

                        http://redmine.pfsense.org/issues/1753

                        spoink is an OpenBSD output plugin that adds the offending host to the block list in snort. I was always under the impression that pfsense used snort2c to do that job. Seems I was wrong.

                        Never underestimate the power of human stupidity

                        • C
                          Cino

                          @VeGeTa-X:

                          I am running 2.0rc3 64bit

                          I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me.

                          • I
                            Ibor Daru

                            @Cino:

                            @VeGeTa-X:

                            I am running 2.0rc3 64bit

                            I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me.

                            Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

                            • C
                              Cino

                              @Ibor:

                              @Cino:

                              @VeGeTa-X:

                              I am running 2.0rc3 64bit

                              I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me.

                              Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

                              So it is working on 2.0RC3. Good to know.

                              • A
                                asterix

                                Can a couple more folks confirm Snort works on the latest amd64 2.0 RC3 snapshots? I tried it earlier this week and it was not working. I had done clean installs a few times but was never successful in getting Snort running. Now on 32-bit 2.0 RC3, as Snort is kinda broken even on 1.2.3 with Snort.org rules not updating. Not a happy camper!!

                                • C
                                  Cino

                                  @asterix:

                                  Can a couple more folks confirm Snort works on the latest amd64 2.0 RC3 snapshots? I tried it earlier this week and it was not working. I had done clean installs a few times but was never successful in getting Snort running. Now on 32-bit 2.0 RC3, as Snort is kinda broken even on 1.2.3 with Snort.org rules not updating. Not a happy camper!!

                                  It works on 2.0RC3 i386… 2 bugs that I know of: Barnyard2, and you can't clear the alerts but you can clear the block list... There are posts for a workaround on barnyard2.

                                  • A
                                    asterix

                                    amd64?

                                    • I
                                      Ibor Daru

                                      @Cino:

                                      @Ibor:

                                      @Cino:

                                      @VeGeTa-X:

                                      I am running 2.0rc3 64bit

                                      I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me.

                                      Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

                                      So it is working on 2.0RC3. Good to know.

                                      BUT only after entering/executing the following code!! Without it, Snort will not work!

                                      
                                      ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
                                      
                                      
                                      • C
                                        Cino

                                        @Ibor:

                                        @Cino:

                                        @Ibor:

                                        @Cino:

                                        @VeGeTa-X:

                                        I am running 2.0rc3 64bit

                                        I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me.

                                        Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

                                        So it is working on 2.0RC3. Good to know.

                                        BUT only after entering/executing the following code!! Without it, Snort will not work!

                                        
                                        ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
                                        
                                        

                                        I wonder if it's because of all the packages I have installed; maybe one of them ran that command for me…

                                        • A
                                          asterix

                                          So basically snort on amd64 is still broken.

                                          • C
                                            Cino

                                            @asterix:

                                            So basically snort on amd64 is still broken.

                                            Well, if it runs after running a command or two, it wouldn't be broken then! And why not just run i386? Unless you're pumping heavy traffic through the box and need a lot of memory, I see no benefit running AMD64.

                                            I hate to say this, but if you're so bent out of shape for snort, then go install another fw distro and deal with their bloatware instead of whining on every snort thread that it's not working. There are tickets opened on the issue and the devs will get to them when they can. You can always donate money to help push it along if you like.
