Netgate Discussion Forum

Snort Won't Start After Upgrade

pfSense Packages
    NightHawk007
    last edited by Sep 4, 2011, 5:14 PM

    I try to update now and I get this error:
    Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481
    Is there a way to fix it?

      knaj
      last edited by Sep 4, 2011, 5:48 PM

      Hi. In case you didn't find the solution for the line 481 error, all you need to do is remove the } on line 481. Then the update will work again.

        Cino
        last edited by Sep 4, 2011, 5:48 PM

        @knaj:

        Hi. In case you didn't find the solution for the line 481 error, all you need to do is remove the } on line 481. Then the update will work again.

        was able to write that

          Cino
          last edited by Sep 4, 2011, 6:02 PM

          My findings so far:

          The package doesn't remove correctly. It still shows up on my Services page. Uninstalling the package twice seems to fix this issue.
          Once rules are updated, I have to re-save my Categories then start the interface.
          Snort rules seem to be detecting attacks and auto-blocking is working :-)
          Can't clear the alerts page, already reported and ticket.
          Portscan Detection Preprocessor is not working, this was already reported 2 days ago. (This is a biggie for me since I'm always being scanned for open ports)

            hmishra
            last edited by Sep 4, 2011, 6:23 PM

            Manually editing the snort_download_rules.php file to remove the extra '}' allows the rules to update again. However, I am no closer to having Snort start. I get the same message as before:

            Sep 4 13:21:54 SnortStartup[49255]: Snort HARD Reload For 21540_em0_vlan10…
            Sep 4 13:21:54 SnortStartup[46000]: Snort Startup files Sync…

              eri--
              last edited by Sep 4, 2011, 6:42 PM

              Fixed the syntax error.

              hmishra - I am not sure what you mean by not being able to start snort!

              Cino, I am not sure what changed to have snort not detect autoblocking.
              Maybe a new directive is needed?! But the config is right afaik.

                eri--
                last edited by Sep 4, 2011, 7:00 PM

                Cino,

                Can you try a full reinstall of the package? I recompiled the port with some options removed that might impact this.

                  DynamoHum
                  last edited by Sep 4, 2011, 7:27 PM Sep 4, 2011, 7:17 PM

                  Ok, I just tried, the update glitch is gone.
                  But I still get the:
                  FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                  error when I start snort. I've tried disabling all preprocessors, and same error. It is still downloading the 2.8 rules instead of the 2.9. Can this be caused by the "keep settings through reinstall" feature? Or maybe the ET rules … hmm, I'll check that asap.

                  running :   2.0-RC3 (i386) built on Fri Sep 2 14:17:09 EDT 2011

                  Thanks for your time & efforts

                    bmeeks
                    last edited by Sep 4, 2011, 7:25 PM

                    My problem now is  more like "selective Snort starting".  What I mean is that selecting certain rule categories will not let Snort start successfully.  Not selecting them will allow Snort to start.

                    These are the rule categories that do not work for me on 2.0-RC3 using the i386 build –

                    • snort_spyware-put.rules

                    • snort_web-activex.rules

                    • snort_web-client.rules

                    Also, for some of the rule categories that do work, if I select any of the matching Shared Objects rule categories then Snort will not start successfully.  One example of this behavior is as follows.

                    • snort_bad-traffic.rules

                    • snort_bad-traffic.so.rules

                    If I select just snort_bad-traffic.rules, then Snort starts.  If I try to add snort_bad-traffic.so.rules, then Snort will not start.

                      hmishra
                      last edited by Sep 4, 2011, 7:31 PM Sep 4, 2011, 7:29 PM

                      ermal,

                      I mean, nowhere I have evidence that Snort is even running on my system!

                      Previously, I always found Snort on my list of running services as well as in System Activity.

                      ![Service status.png](/public/imported_attachments/1/Service status.png)
                      ![System Activity.png](/public/imported_attachments/1/System Activity.png)

                        eri--
                        last edited by Sep 4, 2011, 7:32 PM

                        Yeah, I know about the status->services problem.
                        A ps -ax | grep snort should tell you.

                        @DynamoHum,

                        Check earlier in this thread.

                          DynamoHum
                          last edited by Sep 4, 2011, 7:49 PM

                          duh! :-\ 1st I had skipped over yer post and 2nd, find / -name "snort" works better than find / -name "snrot" :-X

                          Thanks again for your great work and devotion to this project.

                            hmishra
                            last edited by Sep 4, 2011, 9:58 PM

                            Thanks ermal. I think 'ps -ax | grep snort' reveals that snort is not running…..

                            43792  0  S+    0:00.02 grep snort

                            Doesn't the above mean grep ran and a running instance of snort was not found?

                            1 Reply Last reply Reply Quote 0
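
The check discussed in the post above, as an added example that is not part of the thread: `ps -ax | grep snort` always lists the `grep` process itself, so a single `grep snort` line means no Snort process exists. The helper names `snort_instances` and `snort_is_running` are hypothetical, and the running-Snort sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find Snort processes in `ps -ax`
# output without counting the `grep snort` process itself.

# The grep line is the ps output quoted in the thread; the running
# Snort line in SAMPLE_UP is constructed for illustration.
SAMPLE_DOWN='  PID  TT  STAT      TIME COMMAND
43792   0  S+     0:00.02 grep snort'
SAMPLE_UP='  PID  TT  STAT      TIME COMMAND
51234  ??  Ss     0:12.40 /usr/local/bin/snort -D -q -i em0
43792   0  S+     0:00.02 grep snort'

# Reads `ps -ax` output on stdin; prints "PID INTERFACE" per Snort process.
# A line counts only if the executable's basename is exactly "snort", so
# "grep snort" and helper scripts such as SnortStartup are ignored.
snort_instances() {
    awk '$1 ~ /^[0-9]+$/ {
        n = split($5, path, "/")
        if (path[n] != "snort") next
        iface = "?"
        for (i = 6; i < NF; i++) if ($i == "-i") iface = $(i + 1)
        print $1, iface
    }'
}

# Exit status 0 if at least one Snort process is present, 1 otherwise.
snort_is_running() {
    [ -n "$(snort_instances)" ]
}

printf '%s\n' "$SAMPLE_UP" | snort_instances      # 51234 em0
if printf '%s\n' "$SAMPLE_DOWN" | snort_is_running; then
    echo "snort is running"
else
    echo "snort is NOT running (only the grep process matched)"
fi
```

On the firewall itself the live check is `ps -ax | snort_instances`.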
                              Cino
                              last edited by Sep 5, 2011, 2:54 AM

                              @ermal:

                              Cino, i am not sure what changed to have snort not detect autoblocking.
                              Maybe a new directive is needed?! But the config is right afaik.

                              I stated that auto-blocking is working when a rule is triggered.. port scanning wasn't being detected….

                              I'm about to do a firmware update. I'll fully uninstall snort and re-install after my firmware is updated and see how snort is working.

                                NightHawk007
                                last edited by Sep 5, 2011, 4:52 AM

                                @Cino:

                                @ermal:

                                Cino, i am not sure what changed to have snort not detect autoblocking.
                                Maybe a new directive is needed?! But the config is right afaik.

                                I stated that auto-blocking is working when a rule is triggered.. port scanning wasn't being detected….

                                I'm about to do a firmware update. I'll fully uninstall snort and re-install after my firmware is updated and see how snort is working.

                                I am having the same problem: snort is not detecting a port scan at all. I know it did about 3 firmware updates ago.

                                  Cino
                                  last edited by Sep 5, 2011, 5:11 AM

                                  @NightHawk007 I did a firmware update for other reasons, nothing to do with snort… probably shouldn't have mentioned it.. The Snort package has had its binary updated to a more recent version from Snort. A side effect, it seems, is that port scanning detection isn't working. From my current testing, any attack that matches a rule is being detected.

                                    strasharo
                                    last edited by Sep 5, 2011, 8:34 AM

                                    @Jare:

                                    @strasharo:

                                    With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:

                                    [2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn
                                    [2.0-RC3][root@kainak]/usr/local/bin(7):
                                    
                                    

                                    I didn't have time to examine the real cause why barnyard2 binary fails to install. Since it's just a single binary file you can download and "install" it manually by executing one of these commands:

                                    amd64

                                    /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                                    

                                    i386

                                    /usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
                                    

                                    At least for me it seems to be working and logging now just like it should…  ;)

                                    Thanks a lot for the tip, Jare! ;D At last I got it running with Snorby.  ::)

                                    P.S. Portscan detection still isn't working. I launched a portscan from GRC.com + a remote full portscan with nmap and the only alerts that I got from that are those that match specific rules from the signature (for example ET SCAN Potential VNC Scan 5900-5920).  :-[

                                    1 Reply Last reply Reply Quote 0
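
The commands quoted in the post above fetch the binary over plain HTTP and mark it executable without checking it. As an added example that is not part of the thread, this wrapper installs a downloaded file only when its SHA-256 matches a digest obtained separately; `sha256_of` and `install_verified` are hypothetical helper names, and the expected digest is a placeholder because the thread does not give one.

```shell
#!/bin/sh
# Added example (not from the thread): install a downloaded binary only
# after its SHA-256 digest matches a value obtained from a trusted source.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'      # GNU coreutils
    else
        sha256 -q "$1"                         # FreeBSD base system
    fi
}

# install_verified FILE EXPECTED_SHA256 DEST
# Returns 0 and installs FILE at DEST (mode 0755) on a match; returns 1
# and leaves DEST untouched on a mismatch.
install_verified() {
    src=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3
    actual=$(sha256_of "$src") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src (got $actual)" >&2
        return 1
    fi
    install -m 0755 "$src" "$dest"
}

# Usage on the firewall, with the i386 URL from the post above and a
# placeholder for the digest (the thread does not publish one):
#   tmp=$(mktemp /tmp/barnyard2.XXXXXX)
#   /usr/bin/fetch -o "$tmp" http://files.pfsense.org/packages/8/All/barnyard2 \
#     && install_verified "$tmp" "<EXPECTED_SHA256>" /usr/local/bin/barnyard2
#   rm -f "$tmp"
```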
                                      valshare
                                      last edited by Sep 5, 2011, 10:25 AM

                                      Hi,

                                      If I want to edit a rule, I get this error:

                                      
                                      Fatal error: Call to undefined function get_middle() in /usr/local/www/snort/snort_rules_edit.php on line 99
                                      
                                      

                                      Regards, Valle

                                        eri--
                                        last edited by Sep 5, 2011, 11:47 AM

                                        Reinstall, already fixed.

                                          Cino
                                          last edited by Sep 5, 2011, 1:44 PM

                                          Not really a bug, but I noticed when I try to shut down snort from the main snort page, I have to refresh the page for the status to update. Before the recent changes were made, I would click on the little icon to disable snort, and the page would refresh after snort was shut down for that interface.
