Netgate Discussion Forum

    Snort Won't Start After Upgrade

      strasharo

      With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

      [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
      [2.0-RC3][root@kainak]/usr/local/bin(7):
      
      
        Cino

        @ermal receiving this error on the new i386 ver:

        Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
        Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

          Wolfsokin

          @Cino:

          @ermal receiving this error on the new i386 ver:

          Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
          Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

          Getting this same error.

            eri--

            Is this amd64 or i386?

              asterix

              @strasharo:

              With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

              [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
              [2.0-RC3][root@kainak]/usr/local/bin(7):
              
              

              Where do you see 2.9 pkg v. 2.0?

              The version I see is still 2.8.6.1 pkg v. 2.0 platform: 2.0

              Edit: Never mind.. Just noticed it's just for the i386 version.

                Cino

                @ermal:

                Is this amd64 or i386?

                i386

                  eri--

                  Are you sure there is no old library in that folder that is not compatible with the newest snort?
                  I cannot replicate this.

                  Do this to test.
                  Uninstall snort
                  Remove the snort/lib folder
                  Reinstall snort

                  See if it happens again.

                    Cino

                    That did the trick! I had to remove /usr/local/lib/snort/*

                    I'll do more testing later today and over the weekend and report back with my findings.

                    P.S. Still can't clear alerts but I don't know if you worked on that or not… using FF6

                      Cino

                      Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. I was working on the previous ver.

                        Spock75

                        @Cino:

                        That did the trick! I had to remove /usr/local/lib/snort/*

                        I'll do more testing later today and over the weekend and report back with my findings.

                        P.S. Still can't clear alerts but I don't know if you worked on that or not… using FF6

                        Thanks Cino  :)

                          strasharo

                          @Cino:

                          Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. I was working on the previous ver.

                          Yup, same here, the only alert that pops is for VNC Scan on 5900.

                            johnnybe

                            @ermal:

                            Are you sure there is no old library in that folder that is not compatible with the newest snort?
                            I cannot replicate this.

                            Do this to test.
                            Uninstall snort
                            Remove the snort/lib folder
                            Reinstall snort

                            See if it happens again.

                            Yep, that works for 2.0-RC3 (i386) built on Thu Aug 4 12:47:50 EDT 2011.

                            But… take a look at that screenshot below. It just happens in Snort Interfaces, Global Settings and Updates tab.
                            Browser Firefox 6.0.1
                            I know… it's out of the subject. Just reporting. Sorry if it's the wrong place for that.

                            snort_2.9.0.5_pfs.jpg

                            you would not believe the view up here

                              Jare

                              @strasharo:

                              With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

                              [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
                              [2.0-RC3][root@kainak]/usr/local/bin(7):
                              
                              

                              I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:

                              amd64

                              /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                              

                              i386

                              /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                              

                              At least for me it seems to be working and logging now just like it should…  ;)

                                hmishra

                                After several weeks of working Snort package on i386 platform, the last update broke it. Here is what I get on my system logs.

                                Sep 3 06:49:16 SnortStartup[4087]: Snort HARD Reload For 21540_em0_vlan10…
                                Sep 3 06:49:16 SnortStartup[850]: Snort Startup files Sync…

                                I didn't just rely on status of running services (i.e. Snort not running) either but kicked off a port scan from grc.com which used to automatically add that ip to blocked list and now nothing. None of the suggestions mentioned on this thread have worked for me.

                                  eri--

                                  Can you try out this?

                                  
                                  diff --git a/config/snort/snort.inc b/config/snort/snort.inc
                                  index 0b30a8c..09b8835 100644
                                  --- a/config/snort/snort.inc
                                  +++ b/config/snort/snort.inc
                                  @@ -2123,7 +2123,7 @@ preprocessor sfportscan: scan_type { all } \
                                                            proto  { all } \
                                                            memcap { 10000000 } \
                                                            sense_level { medium } \
                                  -                         ignore_scanners { \$HOME_NET }
                                  +                         # ignore_scanners { \$HOME_NET }
                                  
                                   EOD;
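
                                  Review bot: in the sfportscan hunk, the context line `sense_level { medium } \` keeps its trailing line-continuation backslash, so the directive now continues into the `# ignore_scanners { \$HOME_NET }` comment instead of ending on an option. Delete the `ignore_scanners` line rather than commenting it out, and drop the backslash after `sense_level { medium }`, so the generated block ends cleanly before the blank line and `EOD;`. A short note on why scanners inside `$HOME_NET` should no longer be ignored would also help whoever reads this block later.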
                                  
                                  
                                    hmishra

                                    I guess I don't understand what needs to be done as per your suggestion. Do I just reinstall the package?

                                      Cino

                                      I should look up how to use diff, but I manually edited the file instead:

                                      Sep 3 13:56:25 snort[44707]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(302) => Invalid option 'preprocessor' to portscan preprocessor.
                                      Sep 3 13:56:25 snort[44707]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(302) => Invalid option 'preprocessor' to portscan preprocessor.

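The error in the post above names `preprocessor` as an invalid sfportscan option, which is consistent with a line-continuation backslash carrying the sfportscan block past its last option. The Python check below is an added example, not part of the thread; that a dangling backslash caused this particular error is an assumption, and the `frag3_global` line is a constructed stand-in for whatever directive follows in the real file.

```python
# Constructed snort.conf fragments. The sfportscan lines follow the patch in
# the thread; the frag3_global line is an assumed "next directive".
PATCHED = r"""preprocessor sfportscan: scan_type { all } \
                         proto  { all } \
                         memcap { 10000000 } \
                         sense_level { medium } \
                         # ignore_scanners { $HOME_NET }
preprocessor frag3_global: max_frags 8192
"""
# Same block with the ignore_scanners line deleted and the backslash dropped.
CLEAN = r"""preprocessor sfportscan: scan_type { all } \
                         proto  { all } \
                         memcap { 10000000 } \
                         sense_level { medium }
preprocessor frag3_global: max_frags 8192
"""

DIRECTIVES = {"preprocessor", "config", "var", "ipvar", "portvar", "include",
              "output", "dynamicpreprocessor", "dynamicengine"}


def dangling_continuations(conf_text):
    """Return [(lineno, reason)] for backslash-continued lines whose next
    line is blank, a comment, or the start of another directive."""
    lines = conf_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not line.rstrip().endswith("\\"):
            continue
        nxt = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
        if not nxt:
            reason = "blank line or end of file"
        elif nxt.startswith("#"):
            reason = "comment"
        elif nxt.split()[0] in DIRECTIVES:
            reason = "new directive"
        else:
            continue  # ordinary continuation into more options
        findings.append((idx + 1, reason))
    return findings


if __name__ == "__main__":
    print(dangling_continuations(PATCHED), dangling_continuations(CLEAN))
```

Run it against the generated per-interface snort.conf after any manual edit; an empty list means every backslash continues into another option line.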
                                        digdug3

                                        Great! pfsense 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 - Snort 2.9.0.5 pkg v. 2.0
                                        Barnyard now configures correctly and doesn't corrupt previous settings (but is not installed and started like Jare stated correctly).

                                        The snort_netbios.rules fatal error still exists:

                                        snort[33208]: FATAL ERROR: /usr/local/etc/snort/snort_54739_em1/rules/snort_netbios.rules(72) GID 1 SID 2511 in rule duplicates previous rule, with different protocol.

                                        When the rule duplicates a previous rule, then the protocol should be the same(?) Otherwise it's not duplicate…

                                        I use the same rulesets (snort.org/emergingthreats.net/pfsense.org) with pfsense 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009 - Snort 2.8.6.1 pkg v. 1.34 and the error does not come up... (?)

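Snort aborts at startup on the "duplicates previous rule, with different protocol" condition quoted above, so it helps to find every such pair before a restart. The Python checker below is an added example, not part of the thread or of the pfSense package; the rule text is constructed, rules are assumed to be one per line, and only SID 2511 and the file name come from the log line.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from any real ruleset); only SID 2511 and
# the file name are taken from the error message in the thread.
SAMPLE = {
    "snort_netbios.rules": "\n".join([
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"sample A"; sid:2511; rev:1;)',
        '# alert tcp any any -> any 445 (msg:"disabled"; sid:2511; rev:1;)',
        'alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"sample B"; sid:2511; rev:2;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"sample C (x)"; sid:2512; rev:1;)',
    ]),
}

# action, protocol, header up to the first "(", then the option body.
RULE_RE = re.compile(
    r"^\s*(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+(\S+)\s+"
    r"[^(]*\((.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Yield (gid, sid, protocol, lineno) for each enabled single-line rule."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment or disabled rule
        rule = RULE_RE.match(line)
        sid = SID_RE.search(rule.group(2)) if rule else None
        if not sid:
            continue
        gid = GID_RE.search(rule.group(2))
        # A rule without an explicit gid belongs to generator 1.
        yield ((int(gid.group(1)) if gid else 1), int(sid.group(1)),
               rule.group(1).lower(), lineno)


def protocol_conflicts(files):
    """Map (gid, sid) -> [(protocol, file, line)] where protocols disagree."""
    seen = defaultdict(list)
    for name, text in files.items():
        for gid, sid, proto, lineno in parse_rules(text):
            seen[(gid, sid)].append((proto, name, lineno))
    return {key: hits for key, hits in seen.items()
            if len({proto for proto, _, _ in hits}) > 1}


if __name__ == "__main__":
    print(protocol_conflicts(SAMPLE))
```

To check a real installation, pass a dict of file name to file contents for every enabled rules file, since the conflicting pair can sit in two different rulesets.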
                                          hmishra

                                          I just upgraded to 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 and continue to get the following error which is different from before but the result is same i.e. Snort not starting. No change in ruleset.

                                          Sep 4 06:59:48 SnortStartup[24402]: Interface Rule START for 0_21540_em0_vlan10…

                                          Reinstalling the Snort package results in the previous error message.

                                          Sep 4 07:04:33 SnortStartup[43419]: Snort HARD Reload For 21540_em0_vlan10…

                                            eri--

                                            Try reinstalling the package.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.