Netgate Discussion Forum

Snort Won't Start After Upgrade

pfSense Packages
  • S
    strasharo
    last edited by Aug 30, 2011, 5:53 PM

    @digdug3:

    Just updated to 2.0RC3 28-08 i386

    Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
    Barnyard not working (when setting up it will corrupt the Snort settings)
    netbios rules block Snort from starting

    Same here. Without trying to use Barnyard everything works fine. When I tried to enable Barnyard I get the following error while saving the settings for it:

    Warning: fopen(/usr/local/etc/snort/snort__rl2/barnyard2.conf): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 1439
    

    The right path for the snort configuration is:

    [2.0-RC3][root@kainak]/usr/local/etc/snort(3): ls -l | grep rl2
    drwxrwx---  3 snort  snort      512 Aug 30 20:36 snort_46454_rl2
    [2.0-RC3][root@kainak]/usr/local/etc/snort(4):
    
    

    And the problematic line 1439 from /usr/local/pkg/snort/snort.inc is:

            $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
    
    

    Looks like it's missing $snort_uuid for some reason. :-\

    • T
      th3r3isnospoon
      last edited by Aug 30, 2011, 5:57 PM

      Here's the issue on redmine: http://redmine.pfsense.org/issues/1753

      If you un-check 'block offenders', SNORT will start.  Guess for now on the AMD64 builds, you can have SNORT running, you will just have to watch the logs and block attacks via firewall rules.

      -th3r3isnospoon

      • H
        Highroller
        last edited by Aug 30, 2011, 6:29 PM

        @th3r3isnospoon:

        Here's the issue on redmine: http://redmine.pfsense.org/issues/1753

        If you un-check 'block offenders', SNORT will start.  Guess for now on the AMD64 builds, you can have SNORT running, you will just have to watch the logs and block attacks via firewall rules.

        -th3r3isnospoon

        So why use snort at all.

        • D
          digdug3
          last edited by Sep 1, 2011, 3:19 PM

          @breusshe:

          @digdug3:

          Just updated to 2.0RC3 28-08 i386

          Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
          Barnyard not working (when setting up it will corrupt the Snort settings)
          netbios rules block Snort from starting

          Just curious…

          Do you have a separate box for the mySQL server that Barnyard uses?  As for the Netbios rules, I believe performing the steps I listed just a couple of posts ago should fix that problem.

          Yes, I have a separate MySQL server. The Netbios rules are duplicate with EM ones, looks like pfSense has to deduplicate rules before snort tries to load them. All other rules load up just fine.

          @strasharo:

          @digdug3:

          Just updated to 2.0RC3 28-08 i386

          Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
          Barnyard not working (when setting up it will corrupt the Snort settings)
          netbios rules block Snort from starting

          Same here. Without trying to use Barnyard everything works fine. When I tried to enable Barnyard I get the following error while saving the settings for it:

          Warning: fopen(/usr/local/etc/snort/snort__rl2/barnyard2.conf): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 1439
          

          The right path for the snort configuration is:

          [2.0-RC3][root@kainak]/usr/local/etc/snort(3): ls -l | grep rl2
          drwxrwx---  3 snort  snort      512 Aug 30 20:36 snort_46454_rl2
          [2.0-RC3][root@kainak]/usr/local/etc/snort(4):
          
          

          And the problematic line 1439 from /usr/local/pkg/snort/snort.inc is:

                  $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
          
          

          Looks like it's missing $snort_uuid for some reason. :-\

          Correct. Besides that it looks like barnyard.conf is not created and Barnyard is not installed at all…
          If I try to find Barnyard it is not even there (even after removing/reinstalling snort package).

          • E
            eri--
            last edited by Sep 1, 2011, 4:38 PM

            Can you please try with a new version of the package posted?
            For now i386 port should be stable on most things.

            The amd64 is pending a rebuild of the port. Will be done in an hour or so.

            This includes even fixes for those "alert_pf" error messages you were getting.

            • D
              darklogic
              last edited by Sep 1, 2011, 5:35 PM Sep 1, 2011, 5:33 PM

              I was having issues with it starting after I updated as well. I was able to get things going again after I unchecked block offenders and then selected start. I then went back and checked block offenders, saved, and then stopped and started the interface. This seemed to work for me.

              I hope it does the same for others. Note: I am not running barnyard.

              Also, could someone tell me what this update addresses?

              Thanks

              • S
                strasharo
                last edited by Sep 1, 2011, 5:50 PM

                With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

                [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
                [2.0-RC3][root@kainak]/usr/local/bin(7):
                
                
                • C
                  Cino
                  last edited by Sep 1, 2011, 6:06 PM

                  @ermal receiving this error on the new i386 ver:

                  Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                  Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

                  • W
                    Wolfsokin
                    last edited by Sep 1, 2011, 7:48 PM

                    @Cino:

                    @ermal receiving this error on the new i386 ver:

                    Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                    Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

                    Getting this same error.

                    • E
                      eri--
                      last edited by Sep 2, 2011, 8:57 AM

                      Is this amd64 or i386?

                      • A
                        asterix
                        last edited by Sep 2, 2011, 1:39 PM Sep 2, 2011, 1:32 PM

                        @strasharo:

                        With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

                        [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
                        [2.0-RC3][root@kainak]/usr/local/bin(7):
                        
                        

                        Where do you see 2.9 pkg v. 2.0?

                        The version i see still is 2.8.6.1 pkg v. 2.0 platform: 2.0

                        Edit: Never mind.. Just noticed it just for i386 version.

                        • C
                          Cino
                          last edited by Sep 2, 2011, 2:25 PM

                          @ermal:

                          Is this amd64 or i386?

                          i386

                          • E
                            eri--
                            last edited by Sep 2, 2011, 3:19 PM

                            You are sure there is no old library on that folder that is not compatible with newest snort?
                            I cannot replicate this.

                            Do this to test.
                            Uninstall snort
                            Remove the snort/lib folder
                            Reinstall snort

                            See if it happens again.

                            • C
                              Cino
                              last edited by Sep 2, 2011, 4:16 PM

                              That did the trick! I had to remove /usr/local/lib/snort/*

                              I'll do more testing later today and over the weekend and report back with my findings.

                              P.S. Still can't clear alerts but I don't know if you worked on that or not… using FF6

                              • C
                                Cino
                                last edited by Sep 2, 2011, 4:20 PM

                                Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. It was working on the previous ver.

                                • S
                                  Spock75
                                  last edited by Sep 2, 2011, 4:49 PM

                                  @Cino:

                                  That did the trick! I had to remove /usr/local/lib/snort/*

                                  I'll do more testing later today and over the weekend and report back with my findings.

                                  P.S. Still can't clear alerts but I don't know if you worked on that or not… using FF6

                                  Thanks Cino  :)

                                  • S
                                    strasharo
                                    last edited by Sep 2, 2011, 9:52 PM

                                    @Cino:

                                    Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. It was working on the previous ver.

                                    Yup, same here, the only alert that pops is for VNC Scan on 5900.

                                    • J
                                      johnnybe
                                      last edited by Sep 2, 2011, 11:14 PM

                                      @ermal:

                                      You are sure there is no old library on that folder that is not compatible with newest snort?
                                      I cannot replicate this.

                                      Do this to test.
                                      Uninstall snort
                                      Remove the snort/lib folder
                                      Reinstall snort

                                      See if it happens again.

                                      Yep, that works for 2.0-RC3 (i386) built on Thu Aug 4 12:47:50 EDT 2011.

                                      But… take a look on that screenshot below. It just happens in Snort Interfaces, Global Settings and Updates tab.
                                      Browser Firefox 6.0.1
                                      I know… it's out of the subject. Just reporting. Sorry if it's the wrong place for that.

                                      snort_2.9.0.5_pfs.jpg

                                      you would not believe the view up here

                                      • J
                                        Jare
                                        last edited by Sep 3, 2011, 4:41 AM

                                        @strasharo:

                                        With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

                                        [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
                                        [2.0-RC3][root@kainak]/usr/local/bin(7):
                                        
                                        

                                        I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:

                                        amd64

                                        /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                                        

                                        i386

                                        /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                                        

                                        At least for me it seems to be working and logging now just like it should…  ;)

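The manual install in the post above fetches an executable over plain HTTP and marks it runnable on the firewall with no integrity check. As an added example (not part of the original post or of the pfSense package), the script below downloads to a temporary file and installs it only when its SHA-256 matches a digest obtained from a trusted source. The function names are hypothetical and `EXPECTED_SHA256` is a placeholder, since the thread publishes no checksum.

```shell
#!/bin/sh
# Added example: verify a downloaded binary before installing it.
# EXPECTED_SHA256 is a placeholder; the thread publishes no checksum.

# Print the SHA-256 of a file (FreeBSD sha256, else GNU sha256sum).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# install_verified SRC DEST EXPECTED_SHA256
# Copies SRC to DEST with mode 0755 only if the digest matches.
install_verified() {
    src=$1; dest=$2; expected=$3
    [ -s "$src" ] || { echo "refusing: $src missing or empty" >&2; return 2; }
    actual=$(file_sha256 "$src") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing: sha256 mismatch for $src" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    install -m 0755 "$src" "$dest"
}

# fetch_and_install URL DEST EXPECTED_SHA256
# Downloads to a temp file so DEST is never replaced by unverified bytes.
fetch_and_install() {
    tmp=$(mktemp /tmp/barnyard2.XXXXXX) || return 2
    if /usr/bin/fetch -o "$tmp" "$1" && install_verified "$tmp" "$2" "$3"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage on the firewall (digest obtained out of band, lowercase hex):
# fetch_and_install http://files.pfsense.org/packages/8/All/barnyard2 \
#     /usr/local/bin/barnyard2 "$EXPECTED_SHA256"
```

A mismatch leaves any existing `/usr/local/bin/barnyard2` untouched and prints both digests to stderr for comparison.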
                                        • H
                                          hmishra
                                          last edited by Sep 3, 2011, 12:14 PM

                                          After several weeks of working Snort package on i386 platform, the last update broke it. Here is what I get on my system logs.

                                          Sep 3 06:49:16 SnortStartup[4087]: Snort HARD Reload For 21540_em0_vlan10…
                                          Sep 3 06:49:16 SnortStartup[850]: Snort Startup files Sync…

                                          I didn't just rely on status of running services (i.e. Snort not running) either but kicked off a port scan from grc.com which used to automatically add that ip to blocked list and now nothing. None of the suggestions mentioned on this thread have worked for me.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.