Snort Won't Start After Upgrade
-
Thanks for the info.
I also notice that I get a bunch of false positives when I enable the port scan and SMTP preprocessor. There are so many false positives that I have to turn those preprocessors off.
-
I do not think that as today the preprocessors part works correctly.
-
@ermal:
I do not think that as today the preprocessors part works correctly.
for amd64? or both, am64 and i386?
-
Both.
-
I have alerts from it:
(http_inspect) NON-RFC DEFINED CHAR 119:14:1
(portscan) TCP Filtered Portscan 122:5:0those kind of alerts are from the preprocessors I believe, but I could be wrong…
this is on i386 -
Yep those look just like the errors I am getting.
-
Snort is finally running fine now. Following solution worked out for me on 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011 ! Maybe it will work for others on amd64.
ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
Reference
http://forum.pfsense.org/index.php/topic,39677.msg205142.html#msg205142Copy and paste (from other reference post)
@seattle-it:I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort –pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"
make sure /usr/lib/libpcap.so is there then run..
ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
And try again
-
Not really sure why some are having issues with AMD64 and Snort.. I did a fresh install over the weekend and snort worked. blocking offenders doesn't work but it did at least create alerts.. Until that part is fix, doesn't make sure to run snort. IMHO.
Only thing i can think of, i'm running 2.1 Dev and not the mainstream 2.0RC3 snapshots…
@Ermal Could my above statement make any sense on why AMD64 runs for me and not others?
-
Not really sure why some are having issues with AMD64 and Snort.. I did a fresh install over the weekend and snort worked. blocking offenders doesn't work but it did at least create alerts.. Until that part is fix, doesn't make sure to run snort. IMHO.
Only thing i can think of, i'm running 2.1 Dev and not the mainstream 2.0RC3 snapshots…
@Ermal Could my above statement make any sense on why AMD64 runs for me and not others?
Have the issues with Snort and PfSense 2.0 RC3 been corrected?
-
ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
I used the above command, which fixed that issue. However, when I tried to start after that, I got messages about a missing folder, "/usr/local/lib/snort/snort_dynamicpreprocessor/".
To fix that issue, I wound up making three more symlinks:
ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrulesI then had an issue with snort unable to find "local.rules". To fix this (and I have no idea why this works) I had to manully update the rules (again, since they were already up to date) and then wait about five minutes. I discovered this by updating the rules by chance (read: desparation), then, when it failed to start, looking online for a few minutes before, out of desparation, trying to start Snort again only to see it work. Once all of the above was completed, Snort started. I do not know if the rules update helped or not, but I know that when I made a change to my "Performance" by changing AC-SPARSEBANDS to AC-STD, when I restarted Snort it would not work. After running the rules update again and waiting a few minutes, it started right up.
Hope this helps folks.
-
ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
I used the above command, which fixed that issue. However, when I tried to start after that, I got messages about a missing folder, "/usr/local/lib/snort/snort_dynamicpreprocessor/".
To fix that issue, I wound up making three more symlinks:
ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrulesI then had an issue with snort unable to find "local.rules". To fix this (and I have no idea why this works) I had to manully update the rules (again, since they were already up to date) and then wait about five minutes. I discovered this by updating the rules by chance (read: desparation), then, when it failed to start, looking online for a few minutes before, out of desparation, trying to start Snort again only to see it work. Once all of the above was completed, Snort started. I do not know if the rules update helped or not, but I know that when I made a change to my "Performance" by changing AC-SPARSEBANDS to AC-STD, when I restarted Snort it would not work. After running the rules update again and waiting a few minutes, it started right up.
Hope this helps folks.
"DANG" What a Pain! Thanks for the info, the way I look at it, if you have to go through all this, no telling if it is even doing it's job or not. I greatly appreciate the info!
-
Another update. Just tried rebooting the server – no updates were done or any changes to configuration or addition/deletion of any packages. When the server came back up, Snort would not start. When I started Snort manually from the command line, it gave that same FATAL ERROR about not being able to locate /usr/local/etc/snort/../rules/local.rules. I let the box sit for about 10 minutes and tried to start Snort again thinking something just needed to catch up. No dice. So, I re-ran the rules updater. It didn't update any of the rules, though the operation was successful (which makes since, the rules were up to date already). Still no dice. I ran the updater a second time and Snort was able to start up immediately. I can reproduce this anytime just by rebooting the server.
To fix this, I had to create the file using the following command:
touch /usr/local/etc/snort/rules/local.rules
I know that the Snort error message use the path "/usr/local/etc/snort/../rules/local.rules", but you need to remove the "../" in order for the touch command to work (since the /usr/local/etc/rules/ folder does not exist). Once the local.rules file exists, you can reboot the pfSense server all day long and Snort will start up at boot time automatically.
Okay, I think that concludes all of the odd little tweaks one has to do to get Snort to run under pfSense v2.0-RC3. I hope... the only snag that I think might cause an issue is a future rules update since that flushes the rules folder. if local.rules is deleted, then it will have to be recreated. I would like to add the touch command to the bootup init scripts, someplace before the Snort service starts. But, I'm not as familiar with FreeBSD, so I'm not entirely sure where that would be. As it stands, I might have to re-run this touch command after rules are updated, though it will work otherwise.
At any rate, as a recap of all I've done to get Snort to work, I'm listing all of the commands here:
1.) ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
2.) ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
3.) ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
4.) ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules
5.) manually update the Snort rules.
6.) touch /usr/local/etc/snort/rules/local.rules -
Still the function "Block offenders" is not working. Kinda beats the purpose of having Snort as it shows you the alerts but is not able to to take the right action when needed.
I have upgraded to 8GB today and 50/8 bandwidth. Haven't installed the snort package as it doesn't make a difference as it's yet not fully functional on amd64.
-
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from starting -
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from startingJust curious…
Do you have a separate box for the mySQL server that Barnyard uses? As for the Netbios rules, I believe performing the steps I listed just a couple of posts ago should fix that problem.
-
Kind of bummed.
Just got the Internet installed at the new place and upgrade to the latest snap / uninstalled and reinstalled SNORT and it still doesn't work.
I am now getting a different error: snort[110]: FATAL ERROR: /usr/local/etc/snort/snort_36327_em0/snort.conf(351) Unknown output plugin: "alert_pf"
Any ideas?
Thanks,
-th3r3isnospoon
-
Kind of bummed.
Just got the Internet installed at the new place and upgrade to the latest snap / uninstalled and reinstalled SNORT and it still doesn't work.
I am now getting a different error: snort[110]: FATAL ERROR: /usr/local/etc/snort/snort_36327_em0/snort.conf(351) Unknown output plugin: "alert_pf"
Any ideas?
Thanks,
-th3r3isnospoon
I'd try running the rules updater again. Maybe something went wrong during the update. If that doesn't help, try reinstalling the package and then do another rules update (again).
-
Kind of bummed.
Just got the Internet installed at the new place and upgrade to the latest snap / uninstalled and reinstalled SNORT and it still doesn't work.
I am now getting a different error: snort[110]: FATAL ERROR: /usr/local/etc/snort/snort_36327_em0/snort.conf(351) Unknown output plugin: "alert_pf"
Any ideas?
Thanks,
-th3r3isnospoon
I'd try running the rules updater again. Maybe something went wrong during the update. If that doesn't help, try reinstalling the package and then do another rules update (again).
Tried that, still doesn't work.
I just updated to the Aug 30th snap and am now getting this error: snort[12676]: FATAL ERROR: /usr/local/etc/snort/snort_50067_em0/snort.conf(351) Unknown output plugin: "alert_pf"
-th3r3isnospoon
-
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from startingSame here. Without trying to use Barnyard everything works fine. When I tried to enable Barnyard I get the following error while saving the settings for it:
Warning: fopen(/usr/local/etc/snort/snort__rl2/barnyard2.conf): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 1439
The right path for the snort configuration is:
[2.0-RC3][root@kainak]/usr/local/etc/snort(3): ls -l | grep rl2 drwxrwx--- 3 snort snort 512 Aug 30 20:36 snort_46454_rl2 [2.0-RC3][root@kainak]/usr/local/etc/snort(4):
And the problematic line 1439 from /usr/local/pkg/snort/snort.inc is:
$bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
Looks like it's missing $snort_uuid for some reason. :-\
-
Here's the issue on redmine: http://redmine.pfsense.org/issues/1753
If you un-check 'block offenders', SNORT will start. Guess for now on the AMD64 builds, you can have SNORT running, you will just have to watch the logs and block attacks via firewall rules.
-th3r3isnospoon