    Snort stops working after snort update (newest 2.0 RELEASE)

    • RonpfS

      Removed snort, installed snort
      this vanished

      <minute>3</minute>
      <hour>0</hour>
      <mday>*/1</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log</command>

      <minute>*/15</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 10800 snort2c</command>
      

      I saved in the Global settings and it showed up again like this:

      <minute>*/15</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 10800 snort2c</command>

      <minute>3</minute>
      <hour>0</hour>
      <mday>*/1</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log</command>
      

      I ran Update and snort started; it triggers Alerts and blocks IPs ;o)  ;D
      Maybe if I ran Update first, the crontab entry might have reappeared.

      However, the Snort Interface shows a GREEN arrow, RED Wan,
      the If settings show a start button.
      But snort is running as root in System Activity.
      Snort is shown running under Services. Stopping snort under Services requires a refresh to update the status to not running.
      You also have to refresh Dashboard to see the updated snort status. Starting snort in Dashboard failed.

      I started Snort under Services: Snort works ok.

      During all that time, the Snort Interface ALWAYS shows a GREEN arrow, RED Wan

      The midnight update went fine and snort reloaded without problem.  ::)

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • Cino

        That seems to do it! Thanks again.

        I'm trying to figure out why I'm not seeing it up. You didn't make any changes to the page (and snort_interfaces_edit.php) but they are not reporting status correctly.

        I'm wondering, because root is running snort, is it failing the few checks I see or not, idk.

        • Cino

          @RonpfS  Every time you reinstall snort, save the global settings page for it to re-create the cron job.. This has been normal practice since snort was fixed a few months back.

          I'm having the same issue with the snort_interface.php showing the status of snort.

          • serialdie

            Anybody seen that snort is using more mem than before?

            Using ac-std with just 3 categories enabled... my mem goes to 58% where before it was only like 28%. Any ideas?

            • bdwyer

              I too now have the issue with Snort not being seen as running, although it is.

              CCNP, MCITP

              Intel Atom N550 - 2gb DDR3
              Jetway NC9C-550-LF
              Antec ISK 300-150
              HP ProCurve 1810-24
              Cisco 1841 & 2821, Cisco 3550 x3

              • RonpfS

                I just changed the WAN ip and snort failed with

                2011-11-10 22:50:24	Daemon.Error	x.x.x.x	snort[41456]: FATAL ERROR: /usr/local/etc/snort/snort_18203_pppoe0/snort.conf(356) Invalid configuration line: s
                2011-11-10 22:50:24	Daemon.Info	x.x.x.x	SnortStartup[6772]: Snort HARD START For 18203_pppoe0...
                

                Start manual is ok …

                • eri--

                  Fixed the display on the GUI and snort reload on ip change.

                  Now who will send me beer?!

                  Of course you need to reinstall.

                  • Cino

                    Nice work! Me and another user have found an issue with the interface.php page http://forum.pfsense.org/index.php/topic,42955.msg221944.html#msg221944

                    When I try to start from the interface page, I get the below error; the file location is doubled:

                    snort[4101]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules": No such file or directory.

                    If I reboot the box or do a manual rule update, snort starts fine.

                    Also, did the new binaries compile overnight? I looked under http://files.pfsense.org/packages/8/All/ and the date stamp didn't change. As I said in a previous post, my box isn't downloading binaries anymore and I think it has to do with the future pbi that is coming when 2.1 is on freebsd 9.

                    p.s. you like pale ales

                    • eri--

                      Post your snort.conf since nothing has changed there!
                      Apart that PBI installs iirc snort 2.9.1

                      • Cino

                        @ermal:

                        Post your snort.conf since nothing has changed there!
                        Apart that PBI installs iirc snort 2.9.1

                        Don't know if this helps: When I stop snort via the interface page, it deletes the /usr/local/etc/snort/snort_39737_em3 folder. When I try to start it, it doesn't create it. So that's why snort won't start. BUT if I do a manual update of the rules, it creates the folder and snort is able to start again.

                        • eri--

                          Fixed.
                          Try after 15 minutes.

                          • Cino

                            @ermal:

                            Fixed.
                            Try after 15 minutes.

                            Looking good man! I'll do some more testing later today. Also, since I never tested this for you before: barnyard2 is reporting data to my windows mysql server. I did have to manually copy the barnyard2 file from file.pfsense.org to get it on my box but I don't know if that's because it's not in the package install or the issue I'm having with my box not pulling down binaries.

                            I don't think the new snort binary has been compiled yet… I don't see them on files.pfsense.org... Also for the pbi, they look to be 2.9.1 but I'll have to wait for a freebsd9 snapshot before I can test.

                            • RonpfS

                              Removed and installed Services: Snort 2.9.1 pkg v. 2.0

                              I did see 2.9.0.5.tar during the install ??

                              Now the status is ok in the GUI.
                              I changed the WAN IP and snort restarted fine  ::)

                              Thank you

                              • eri--

                                I will need some beer together with pfSense.org guys to continue improving this more :)

                                Hope people put some effort into donation as they do in the reporting of issues ;)

                                • dhatz

                                  Ermal, you are right of course.

                                  Considering that, according to a recent blog post, pfsense has recently surpassed 100k active installs, there should be a better way to fund projects than posting in the Bounty forum and waiting a couple of weeks for others to join in, since apparently a very small fraction of pfsense users reads these forums regularly.

                                  I'm thinking of a funding platform like http://www.indiegogo.com/ (just the concept) coupled with a way for people to vote up/down on features (e.g. feature.astaro.com)

                                  • Cino

                                    @RonpfS 2.9.0.5 is the correct file for install for 2.0 installs. I have 2.1 development code installed on my box for testing…

                                    @Ermal  I sent some money this morning... Bug Scott for a case or 2 :-)

                                    • eri--

                                      Thanks Cino, much appreciated.

                                      • RonpfS

                                        I forgot to do a save after the last install   :-[ No entry was expiring !!!

                                        @Cino:
                                        @RonpfS  Every time you reinstall snort, save the global settings page for it to re-create the cron job.. This has been normal practice since snort was fixed a few months back.

                                        This could be emphasized with a BIG MESSAGE
                                        in the System: Package Manager Installer or Services: Snort: Updates window.

                                        Why not 'automatic global settings save' when you click the Update Rules Button??

                                        • serialdie

                                          Anybody having issues with memory when snort is running?

                                          • robheid

                                            I updated today to version 2.9.1 pkg v. 2.0 and after a rules update snort isn't starting and I get the following message: snort[3689]: FATAL ERROR: /usr/local/etc/snort/snort_15641_em0/snort.conf(320) Unknown output plugin: "alert_pf"

                                            What can I do to fix this?
