Netgate Discussion Forum

    Snort stops working after snort update (newest 2.0 RELEASE)

      eri--

      Fixed the display on the GUI and snort reload on ip change.

      Now who will send me beer?!

      Of course you need to reinstall.

        Cino

        Nice work! Me and another user have found an issue with the interface.php page: http://forum.pfsense.org/index.php/topic,42955.msg221944.html#msg221944

        When I try to start from the interface page, I get the error below; the file location is doubled:

        snort[4101]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules": No such file or directory.

        If I reboot the box or do a manual rule update, snort starts fine.

        Also, did the new binaries compile overnight? I look under http://files.pfsense.org/packages/8/All/ and the date stamp didn't change. As I said in a previous post, my box isn't downloading binaries anymore and I think it has to do with the future PBI that is coming when 2.1 is on FreeBSD 9.

        P.S. you like pale ales

          eri--

          Post your snort.conf since nothing has changed there!
          Apart from that, PBI installs iirc snort 2.9.1

            Cino

            @ermal:

            Post your snort.conf since nothing has changed there!
            Apart from that, PBI installs iirc snort 2.9.1

            Don't know if this helps: when I stop snort via the interface page, it deletes the /usr/local/etc/snort/snort_39737_em3 folder. When I try to start it, it doesn't create it. So that's why snort won't start. BUT if I do a manual update of the rules, it creates the folder and snort is able to start again.

              eri--

              Fixed.
              Try after 15 minutes.

                Cino

                @ermal:

                Fixed.
                Try after 15 minutes.

                Looking good, man! I'll do some more testing later today. Also, since I never tested this for you before: barnyard2 is reporting data to my Windows MySQL server. I did have to manually copy the barnyard2 file from file.pfsense.org to get it on my box, but I don't know if that's because it's not in the package install or because of the issue I'm having with my box not pulling down binaries.

                I don't think the new snort binary has been compiled yet… I don't see them on files.pfsense.org... Also, for the PBI, they look to be 2.9.1, but I'll have to wait for a FreeBSD 9 snapshot before I can test.

                  RonpfS

                  Removed and installed Services: Snort 2.9.1 pkg v. 2.0

                  I did see 2.9.0.5.tar during the install ??

                  Now the status is ok in the GUI.
                  I changed the WAN IP and snort restarted fine  ::)

                  Thank you

                  2.4.5-RELEASE-p1 (amd64)
                  Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                  Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                    eri--

                    I will need some beer together with the pfSense.org guys to continue improving this more :)

                    Hope people put some effort into donation as they do in the reporting of issues ;)

                      dhatz

                      Ermal, you are right of course.

                      Considering that, according to a recent blog post, pfsense has recently surpassed 100k active installs, there should be a better way to fund projects than posting in the Bounty forum and waiting a couple of weeks for others to join in, since apparently a very small fraction of pfsense users read these forums regularly.

                      I'm thinking of a funding platform like http://www.indiegogo.com/ (just the concept) coupled with a way for people to vote up/down on features (e.g. feature.astaro.com)

                        Cino

                        @RonpfS 2.9.0.5 is the correct file for install for 2.0 installs. I have 2.1 development code installed on my box for testing…

                        @Ermal  I sent some money this morning... Bug Scott for a case or 2 :-)

                          eri--

                          Thanks Cino, much appreciated.

                            RonpfS

                            I forgot to do a save after the last install   :-[ No entry was expiring !!!

                            @Cino:
                            @RonpfS  Every time you reinstall snort, save the global settings page for it to re-create the cron job.. This has been normal practice since snort was fixed a few months back.

                            This could be emphasized with a BIG MESSAGE
                            in the System: Package Manager Installer or Services: Snort: Updates window.

                            Why not 'automatic global settings save' when you click the Update Rules Button??

                              serialdie

                              Anybody having issues with memory when snort is running?

                                robheid

                                I updated today to version 2.9.1 pkg v. 2.0 and after a rules update snort isn't starting and I get the following message: snort[3689]: FATAL ERROR: /usr/local/etc/snort/snort_15641_em0/snort.conf(320) Unknown output plugin: "alert_pf"

                                What can I do to fix this?

                                  RonpfS

                                  Try to remove, then Install

                                    robheid

                                    I have done that and keep getting the same error.

                                      RonpfS

                                      If you look at the file /usr/local/etc/snort/snort_15641_em0/snort.conf

                                      you should find something like this:

                                      output alert_pf: /usr/local/etc/snort/whitelist/Blablabla,snort2c
                                      
                                      

                                      So maybe your whitelist is incorrect or snort2c is corrupted; try to look at them in Diagnostics: Tables.
                                      Try to clear the Alert and Blocked.
                                      You could also start from scratch:
                                      Uncheck Keep snort settings after deinstall, Save, Reset, Save, remove snort, install snort.

                                        robheid

                                        snort2c is empty. Is that the problem?

                                          RonpfS

                                          No, it will be empty when you clear the Blocked.

                                            cyber7

                                            <hehehe> I just found the problem on my side:
                                            1. Log in to your console (press 8 :))
                                            2. Do a "clog -f /var/log/system.log"
                                            3. Start snort and see the error…

                                            I found that after re-installing, the rules were missing.

                                            Hope this helps
                                            Kind regards
                                            Aubrey Kloppers
                                            Cape Town

                                            When you pause to think, do you start again?

                                            2.2.4-RELEASE (amd64)
                                            built on Sat Jul 25 19:57:37 CDT 2015
                                            FreeBSD 10.1-RELEASE-p15
                                            and
                                            pfSense 2.3.2-RELEASE-p1 (amd64 full-install) on pfSense
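
Added example, not part of the original thread or the Snort package: the console procedure in the post above surfaces snort's FATAL ERROR line in the system log, and this shell function classifies the two failure messages quoted in this thread (doubled rules path, unknown output plugin). The function names, output labels and the filler log line are assumptions for illustration; the two snort lines are the ones quoted by the posters.

```shell
#!/bin/sh
# Added example: triage snort FATAL ERROR lines from decoded system log text.
# Function names and output labels are illustrative, not part of pfSense or Snort.

# Sample input: the two error lines quoted in this thread, plus one constructed
# non-snort line to show that unrelated entries are skipped.
sample_log() {
cat <<'EOF'
kernel: constructed non-snort filler line (sample only)
snort[4101]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_39737_em3//usr/local/etc/snort/snort_39737_em3/rules/emerging-attack_response.rules": No such file or directory.
snort[3689]: FATAL ERROR: /usr/local/etc/snort/snort_15641_em0/snort.conf(320) Unknown output plugin: "alert_pf"
EOF
}

# Reads log text on stdin and prints one diagnosis per snort FATAL ERROR line.
# On the firewall, feed it the decoded log (the clog output from the post above).
classify_snort_fatal() {
  awk '
    !/snort\[[0-9]+\]: FATAL ERROR:/ { next }
    {
      split($0, q, "\"")                 # q[2] = first double-quoted token
      if ($0 ~ /Unable to open rules file/) {
        path = q[2]
        i = index(path, "//")            # join point of a doubled prefix
        pre = substr(path, 1, i - 1)     # directory before the join
        rest = substr(path, i + 1)       # absolute path after the join
        if (i > 1 && index(rest, pre) == 1) {
          print "DOUBLED_RULES_PATH deduped=" rest
        } else {
          print "MISSING_RULES_FILE path=" path
        }
      } else if ($0 ~ /Unknown output plugin/ && match($0, /\/[^ ]+\.conf\([0-9]+\)/)) {
        loc = substr($0, RSTART, RLENGTH - 1)   # conf path + "(" + line number
        split(loc, p, "[(]")
        print "UNKNOWN_OUTPUT_PLUGIN plugin=" q[2] " conf=" p[1] " line=" p[2]
      } else {
        print "OTHER_FATAL " $0
      }
    }'
}

sample_log | classify_snort_fatal
```

A DOUBLED_RULES_PATH result points at the per-interface directory being prefixed twice when the config was generated, while MISSING_RULES_FILE matches the case where the rules or the instance folder were deleted and not recreated.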
