    Snort Won't Start After Upgrade

    • C
      Cino
      last edited by

      @ermal receiving this error on the new i386 ver:

      Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
      Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

      1 Reply Last reply Reply Quote 0
      • W
        Wolfsokin
        last edited by

        @Cino:

        @ermal receiving this error on the new i386 ver:

        Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
        Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

        Getting this same error.

        1 Reply Last reply Reply Quote 0
        • E
          eri--
          last edited by

          Is this amd64 or i386?

          1 Reply Last reply Reply Quote 0
          • A
            asterix
            last edited by

            @strasharo:

            With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

            [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
            [2.0-RC3][root@kainak]/usr/local/bin(7):
            
            

            Where do you see 2.9 pkg v. 2.0?

            The version I see still is 2.8.6.1 pkg v. 2.0 platform: 2.0

            Edit: Never mind.. Just noticed it just for i386 version.

            1 Reply Last reply Reply Quote 0
            • C
              Cino
              last edited by

              @ermal:

              Is this amd64 or i386?

              i386

              1 Reply Last reply Reply Quote 0
              • E
                eri--
                last edited by

                Are you sure there is no old library in that folder that is not compatible with the newest snort?
                I cannot replicate this.

                Do this to test.
                Uninstall snort
                Remove the snort/lib folder
                Reinstall snort

                See if it happens again.

                1 Reply Last reply Reply Quote 0
                • C
                  Cino
                  last edited by

                  That did the trick! I had to remove /usr/local/lib/snort/*

                  I'll do more testing later today and over the weekend and report back with my findings.

                  P.S. Still can't clear alerts but I don't know if you worked on that or not… using FF6

                  1 Reply Last reply Reply Quote 0
                  • C
                    Cino
                    last edited by

                    Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. I was working on the previous ver.

                    1 Reply Last reply Reply Quote 0
                    • S
                      Spock75
                      last edited by

                      @Cino:

                      That did the trick! I had to remove /usr/local/lib/snort/*

                      I'll do more testing later today and over the weekend and report back with my findings.

                      P.S. Still can't clear alerts but I don't know if you worked on that or not… using FF6

                      Thanks Cino  :)

                      1 Reply Last reply Reply Quote 0
                      • S
                        strasharo
                        last edited by

                        @Cino:

                        Ran a quick port scan, snort is running but the "Portscan Detection Preprocessor" isn't detecting my port scan now. I was working on the previous ver.

                        Yup, same here, the only alert that pops is for VNC Scan on 5900.

                        1 Reply Last reply Reply Quote 0
                        • J
                          johnnybe
                          last edited by

                          @ermal:

                          Are you sure there is no old library in that folder that is not compatible with the newest snort?
                          I cannot replicate this.

                          Do this to test.
                          Uninstall snort
                          Remove the snort/lib folder
                          Reinstall snort

                          See if it happens again.

                          Yep, that works for 2.0-RC3 (i386) built on Thu Aug 4 12:47:50 EDT 2011.

                          But… take a look at the screenshot below. It only happens in the Snort Interfaces, Global Settings and Updates tabs.
                          Browser Firefox 6.0.1
                          I know… it's out of the subject. Just reporting. Sorry if it's the wrong place for that.

                          [Screenshot: snort_2.9.0.5_pfs.jpg]

                          you would not believe the view up here

                          1 Reply Last reply Reply Quote 0
                          • J
                            Jare
                            last edited by

                            @strasharo:

                            With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

                            [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
                            [2.0-RC3][root@kainak]/usr/local/bin(7):
                            
                            

                            I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:

                            amd64

                            /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                            

                            i386

                            /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                            

                            At least for me it seems to be working and logging now just like it should…  ;)

                            1 Reply Last reply Reply Quote 0
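The commands in the post above fetch an executable over plain HTTP straight into /usr/local/bin. As an added example (not part of the original post and not pfSense project code), one way to gate that install on a SHA-256 digest obtained out of band; the function names and the `EXPECTED` value are assumptions, and the page gives no digest for barnyard2.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if its SHA-256 matches a
# digest obtained out of band. Function names here are hypothetical.

# Print the SHA-256 of a file using whichever tool the system has.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                        # FreeBSD / pfSense
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1        # Linux
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# verified_install SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST with mode 0755 only when the digest matches.
# Returns non-zero (and leaves DEST untouched) on any mismatch.
verified_install() {
    src=$1; want=$(printf '%s' "$2" | tr 'A-F' 'a-f'); dest=$3
    [ -s "$src" ] || { echo "refusing: $src missing or empty" >&2; return 1; }
    got=$(sha256_of "$src") || return 1
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $src: got $got" >&2
        return 1
    fi
    install -m 0755 "$src" "$dest"
}

# Usage on the firewall (URL as given in the post; EXPECTED is a placeholder
# for a digest you obtained from a trusted source, not a real value):
#   tmp=$(mktemp /tmp/barnyard2.XXXXXX)
#   /usr/bin/fetch -o "$tmp" http://files.pfsense.org/packages/8/All/barnyard2 &&
#       verified_install "$tmp" "$EXPECTED" /usr/local/bin/barnyard2
#   rm -f "$tmp"
```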
                            • H
                              hmishra
                              last edited by

                              After several weeks of working Snort package on i386 platform, the last update broke it. Here is what I get on my system logs.

                              Sep 3 06:49:16 SnortStartup[4087]: Snort HARD Reload For 21540_em0_vlan10…
                              Sep 3 06:49:16 SnortStartup[850]: Snort Startup files Sync…

                              I didn't just rely on status of running services (i.e. Snort not running) either but kicked off a port scan from grc.com which used to automatically add that ip to blocked list and now nothing. None of the suggestions mentioned on this thread have worked for me.

                              1 Reply Last reply Reply Quote 0
                              • E
                                eri--
                                last edited by

                                Can you try out this?

                                
                                diff --git a/config/snort/snort.inc b/config/snort/snort.inc
                                index 0b30a8c..09b8835 100644
                                --- a/config/snort/snort.inc
                                +++ b/config/snort/snort.inc
                                @@ -2123,7 +2123,7 @@ preprocessor sfportscan: scan_type { all } \
                                                          proto  { all } \
                                                          memcap { 10000000 } \
                                                          sense_level { medium } \
                                -                         ignore_scanners { \$HOME_NET }
                                +                         # ignore_scanners { \$HOME_NET }
                                
                                 EOD;
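                                Review bot: the replacement line `# ignore_scanners { \$HOME_NET }` still follows `sense_level { medium } \`, whose trailing backslash continues the sfportscan directive onto it, so nothing in this hunk guarantees the parser sees the `#` text as a standalone comment rather than as part of the preprocessor line. Deleting the `ignore_scanners` line outright and dropping the trailing `\` from the `sense_level` line would end the directive cleanly before `EOD;`. A short note in snort.inc on why `$HOME_NET` is no longer excluded from portscan detection would also help, since this changes which hosts can be reported as scanners.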
                                
                                
                                1 Reply Last reply Reply Quote 0
                                • H
                                  hmishra
                                  last edited by

                                  I guess I don't understand what needs to be done as per your suggestion. Do I just reinstall the package?

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    Cino
                                    last edited by

                                    I should look up how to use diff, but I manually edited the file instead:

                                    Sep 3 13:56:25 snort[44707]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(302) => Invalid option 'preprocessor' to portscan preprocessor.
                                    Sep 3 13:56:25 snort[44707]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(302) => Invalid option 'preprocessor' to portscan preprocessor.

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      digdug3
                                      last edited by

                                      Great! pfsense 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 - Snort 2.9.0.5 pkg v. 2.0
                                      Barnyard now configures correctly and doesn't corrupt previous settings (but is not installed and started like Jare stated correctly).

                                      The snort_netbios.rules fatal error still exists:

                                      snort[33208]: FATAL ERROR: /usr/local/etc/snort/snort_54739_em1/rules/snort_netbios.rules(72) GID 1 SID 2511 in rule duplicates previous rule, with different protocol.

                                      When the rule duplicates a previous rule, then the protocol should be the same(?) Otherwise it's not duplicate…

                                      I use the same rulesets (snort.org/emergingthreats.net/pfsense.org) with pfsense 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009 - Snort 2.8.6.1 pkg v. 1.34 and the error does not come up... (?)

                                      1 Reply Last reply Reply Quote 0
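The FATAL ERROR in the post above is raised when the same GID/SID pair appears in two rules with different protocols. As an added example (not from the original post and not part of the Snort package), a pre-flight check that finds such pairs across rule files before Snort is started; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: report gid:sid pairs that appear with different protocols
# across Snort rule files. Function names are hypothetical.

# find_sid_proto_conflicts FILE...
# Output, one line per conflict: "gid:sid proto(file:line) vs proto(file:line)"
find_sid_proto_conflicts() {
    awk '
    # Return the numeric value of rule option NAME, or "" if absent.
    function opt(s, name) {
        if (!match(s, "[(;][ \t]*" name ":[ \t]*[0-9]+")) return ""
        s = substr(s, RSTART, RLENGTH)
        sub(/^.*:[ \t]*/, "", s)
        return s
    }
    {
        line = buf $0
        # Join backslash-continued lines into one logical rule.
        if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); buf = line; next }
        buf = ""
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next       # skip blanks and disabled rules
        split(line, f, /[ \t]+/)                   # f[1]=action, f[2]=protocol
        sid = opt(line, "sid"); if (sid == "") next
        gid = opt(line, "gid"); if (gid == "") gid = 1   # gid defaults to 1
        key = gid ":" sid; p = tolower(f[2]); here = FILENAME ":" FNR
        if (!(key in proto)) { proto[key] = p; where[key] = here }
        else if (proto[key] != p)
            printf "%s %s(%s) vs %s(%s)\n", key, proto[key], where[key], p, here
    }' "$@"
}

# Constructed sample rules (not taken from any real ruleset).
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"constructed A"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"constructed B"; \
    sid:1000001; rev:2;)
# alert udp any any -> any any (msg:"disabled"; sid:1000002;)
alert tcp any any -> any 445 (msg:"constructed C"; sid:1000002; rev:1;)
EOF
}

tmp=$(mktemp); write_sample_rules "$tmp"
find_sid_proto_conflicts "$tmp"; rm -f "$tmp"
```

On a firewall it would be pointed at the interface's rules directory, for example the `rules/*.rules` files under the path shown in the error message. For a rule split across continued lines, the reported line number is that of its last physical line.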
                                      • H
                                        hmishra
                                        last edited by

                                        I just upgraded to 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 and continue to get the following error which is different from before but the result is same i.e. Snort not starting. No change in ruleset.

                                        Sep 4 06:59:48 SnortStartup[24402]: Interface Rule START for 0_21540_em0_vlan10…

                                        Reinstalling the Snort package results in the previous error message.

                                        Sep 4 07:04:33 SnortStartup[43419]: Snort HARD Reload For 21540_em0_vlan10…

                                        1 Reply Last reply Reply Quote 0
                                        • E
                                          eri--
                                          last edited by

                                          Try reinstalling the package.

                                          1 Reply Last reply Reply Quote 0
                                          • H
                                            hmishra
                                            last edited by

                                            Not sure if it is an improvement, but after I uninstalled and installed Snort, I get the following after clicking the 'Update Rules' button:

                                            Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481

                                            1 Reply Last reply Reply Quote 0