Netgate Discussion Forum

    Snort stops working after snort update (newest 2.0 RELEASE)

      eri--

      Reinstall the package; at least the reloading should be correct now, and snort should not exit anymore as reported here.

        dhatz

        It seems that compiling snort with --enable-reload will allow snort to reload on receiving a SIGHUP without requiring it to be running as root.

        http://groups.google.com/group/pulledpork-users/browse_thread/thread/00acf6e138df1a07

        I run my snort instances as -u snorty.. sending a HUP from root works fine
        for me and has, it is much cleaner now though that the --enable-reload
        option has been added (and I configured with that) into snort.

        On Tue, Jan 26, 2010 at 5:00 PM, William wil...@gmail.com wrote:

        It doesn't seem to matter if I am root or not when I send the HUP.
        What seems to make a difference is whether or not snort itself is
        running as root or as another user (eg. started as snort -u
        someotheruser).  If it is NOT running as root, then snort will respond
        with the "Reload via Signal HUP..." message and not re-read its
        config.
        I posted a similar question to the Snort users list and someone from
        Sourcefire explained the reasoning (snort needs to open pcap again,
        which requires root privileges)

          eri--

          Well, I fixed the FreeBSD package used on pfSense to compile snort with the proper flags to restart on reload error rather than exit, since the present binary will just plain exit on reload errors.

          I honestly do not think that it will really work properly reloading not as root user, so I am not reverting that change.

          Tomorrow the binary should be updated and the fixes done today should fix the report.

            Cino

            @ermal:

            Well, I fixed the FreeBSD package used on pfSense to compile snort with the proper flags to restart on reload error rather than exit, since the present binary will just plain exit on reload errors.

            I honestly do not think that it will really work properly reloading not as root user, so I am not reverting that change.

            Tomorrow the binary should be updated and the fixes done today should fix the report.

            @ermal

            I believe the snort_interfaces.php needs to be updated to correctly display snort status. With the changes you just made, snort started but the snort_interfaces.php page states that it's not started. The services page does show that snort is running, and I see the process running in the background.

            Also, snort isn't auto-starting anymore upon reboot. Nothing in my log or on the console.

            Unless the new binary is needed for the changes you made to resolve the 2 issues I noticed.

            As a side note… With the changes made to the 2.1 code to use pbi, I notice that my box didn't download snort binaries this afternoon. Example: I uninstalled snort, noticed that snort-2.8.6.1 and snort-2.9.0.5 were still listed under pkg_info. I manually deleted them using pkg_delete. Rebooted the box, installed snort and did a rule update. Looked at my log and only had 4 snort entries. I looked to see if the binaries were under /usr/local/bin... Nothing, so I added the snort package via pkg_add -r http://files.pfsense.org/packages/8/All/snort-2.9.0.5.tbz and then was able to get snort to start...

            Just wondering if I should do the same tomorrow to get the new binaries.

            As always, thanks for all your support on the snort package.

            Edit:

            When I run /usr/local/etc/rc.d/snort.sh restart
            I'm seeing these errors:

            
            ls: /tmp/snort.sh.pid: No such file or directory
            rm: /tmp/snort.sh.pid: No such file or directory
            rm: /var/run/snort*: No such file or directory
            ls: /tmp/snort.sh.pid: No such file or directory
            rm: /var/run/snort_39737_em3.pid: No such file or directory
            
            

            When I run /usr/local/etc/rc.d/snort.sh start
            just:

            
            ls: /tmp/snort.sh.pid: No such file or directory
            
            

            I thought the pid and such were stored at '/var/log/snort/run'?

              eri--

              Those errors are harmless.
              That code is not very trustworthy, but there is no time to make it properly use pidfiles.

              The changes I made have nothing to do with what you report on snort_interfaces.php.

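The pidfile handling discussed in the two posts above, as an added example that is not part of the thread or of the pfSense snort package: a start/stop script can classify each pidfile as running, stale or absent before touching it, which avoids the `No such file or directory` noise and never removes the pidfile of a live process. The helper names `pid_status` and `clean_stale` are hypothetical.

```shell
#!/bin/sh
# Added example; pid_status and clean_stale are hypothetical helper names,
# not functions from the pfSense snort package.

# pid_status FILE -> prints "running", "stale" or "absent"
pid_status() {
    pidfile=$1
    # No pidfile: the service was never started or was stopped cleanly.
    [ -f "$pidfile" ] || { echo absent; return 0; }
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    # Accept only a plain positive integer; "0" would address the caller's
    # own process group, so it is rejected along with empty or garbage data.
    case $pid in
        ''|0*|*[!0-9]*) echo stale; return 0 ;;
    esac
    # kill -0 delivers no signal; it only tests that the PID exists and
    # can be signalled by the current user (rc scripts run as root).
    if kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# clean_stale FILE... -> removes only pidfiles whose process is gone and
# prints how many were removed. An unmatched glob passed through literally
# is classified as "absent" and skipped silently.
clean_stale() {
    removed=0
    for f in "$@"; do
        if [ "$(pid_status "$f")" = stale ]; then
            rm -f -- "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}
```

`kill -0` only proves that some process holds the PID; comparing the process name as well guards against PID reuse after a reboot.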
                Cino

                I'll have to do some more testing and look over the code because I can't seem to get snort_interfaces.php to show that snort is running..

                Like I said, I can't get snort to run when I type "/usr/local/etc/rc.d/snort.sh start", but I am able to get it to start by running "/usr/local/etc/rc.d/snort.sh start_real".
                Would this be the reason why it won't auto-start on reboot?

                  eri--

                  Try reinstalling again.

                  Seems the code generated for the snort.sh was as always full of surprises :)

                    RonpfS

                    Removed snort, installed snort
                    this vanished

                    <minute>3</minute>
                    <hour>0</hour>
                    <mday>*/1</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log</command>
                    <minute>*/15</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 10800 snort2c</command>
                    

                    I saved in the Global settings and it showed up again like this:

                    <minute>*/15</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 10800 snort2c</command>
                    <minute>3</minute>
                    <hour>0</hour>
                    <mday>*/1</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log</command>
                    

                    I ran Update and snort started, triggers Alerts and Blocks IP ;o)  ;D
                    Maybe if I had run Update first, the crontab entry might have reappeared.

                    However, the Snort Interface shows a GREEN arrow, RED Wan,
                    the If settings show a start button.
                    But snort is running as root in System Activity.
                    Snort is shown running under Services. Stopping snort under Services requires a refresh to update the status to not running.
                    You also have to refresh Dashboard to see the updated snort status. Starting snort in Dashboard failed.

                    I started Snort under Services: Snort works OK.

                    During all that time, the Snort Interface ALWAYS shows a GREEN arrow, RED Wan.

                    The midnight update went fine and snort reloaded without problem.  ::)

                    2.4.5-RELEASE-p1 (amd64)
                    Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                    Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                      Cino

                      That seemed to do it! Thanks again.

                      I'm trying to figure out why I'm not seeing it up. You didn't make any changes to the page (and snort_interfaces_edit.php) but they are not reporting status correctly.

                      I'm wondering, because root is running snort, is it failing the few checks I see or not, idk.

                        Cino

                        @RonpfS  Every time you reinstall snort, save the global settings page for it to re-create the cron job.. This has been normal practice since snort was fixed a few months back.

                        I'm having the same issue with the snort_interface.php showing the status of snort.

                          serialdie

                          Anybody seen that snort is using more mem than before?

                          Using ac-std with just 3 categories enabled… my mem goes to 58% where before it was only like 28%. Any ideas?

                            bdwyer

                            I too now have the issue with Snort not being seen as running, although it is.

                            CCNP, MCITP

                            Intel Atom N550 - 2gb DDR3
                            Jetway NC9C-550-LF
                            Antec ISK 300-150
                            HP ProCurve 1810-24
                            Cisco 1841 & 2821, Cisco 3550 x3

                              RonpfS

                              I just changed the WAN ip and snort failed with

                              2011-11-10 22:50:24	Daemon.Error	x.x.x.x	snort[41456]: FATAL ERROR: /usr/local/etc/snort/snort_18203_pppoe0/snort.conf(356) Invalid configuration line: s
                              2011-11-10 22:50:24	Daemon.Info	x.x.x.x	SnortStartup[6772]: Snort HARD START For 18203_pppoe0...
                              

                              Manual start is OK …

                              2.4.5-RELEASE-p1 (amd64)
                              Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                              Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                eri--

                                Fixed the display on the GUI and snort reload on ip change.

                                Now who will send me beer?!

                                Of course you need to reinstall.

                                  Cino

                                  Nice work! Me and another user have found an issue with the interface.php page: http://forum.pfsense.org/index.php/topic,42955.msg221944.html#msg221944

                                  When I try to start from the interface page, I get the below error; the file location is doubled:

                                  snort[4101]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules": No such file or directory.

                                  If I reboot the box or do a manual rule update, snort starts fine.

                                  Also, did the new binaries compile overnight? I looked under http://files.pfsense.org/packages/8/All/ and the date stamp didn't change. As I said in a previous post, my box isn't downloading binaries anymore and I think it has to do with the future pbi that is coming when 2.1 is on FreeBSD 9.

                                  P.S. You like pale ales?

                                    eri--

                                    Post your snort.conf, since nothing has changed there!
                                    Apart from that, PBI installs, IIRC, snort 2.9.1.

                                      Cino

                                      @ermal:

                                      Post your snort.conf, since nothing has changed there!
                                      Apart from that, PBI installs, IIRC, snort 2.9.1.

                                      Don't know if this helps: When I stop snort via the interface page, it deletes the /usr/local/etc/snort/snort_39737_em3 folder. When I try to start it, it doesn't create it. So that's why snort won't start. BUT if I do a manual update of the rules, it creates the folder and snort is able to start again.

                                        eri--

                                        Fixed.
                                        Try after 15 minutes.

                                          Cino

                                          @ermal:

                                          Fixed.
                                          Try after 15 minutes.

                                          Looking good, man! I'll do some more testing later today. Also, since I never tested this for you before: barnyard2 is reporting data to my Windows MySQL server. I did have to manually copy the barnyard2 file from file.pfsense.org to get it on my box, but I don't know if that's because it's not in the package install or because of the issue I'm having with my box not pulling down binaries.

                                          I don't think the new snort binary has been compiled yet… I don't see them on files.pfsense.org... Also, for the pbi, they look to be 2.9.1, but I'll have to wait for a FreeBSD 9 snapshot before I can test.

                                            RonpfS

                                            Removed and installed Services: Snort 2.9.1 pkg v. 2.0

                                            I did see 2.9.0.5.tar during the install ??

                                            Now the status is ok in the GUI.
                                            I changed the WAN IP and snort restarted fine  ::)

                                            Thank you

                                            2.4.5-RELEASE-p1 (amd64)
                                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5
