Snort won't start (2.0.1 RELEASE amd64)
-
Hi guys,
I apologize if this has been resolved, but I keep searching the web and forums and can't seem to find a resolution for this problem. Long story short, it seems that no matter what I do, I cannot get the Snort service to start. I have tried deleting and then reinstalling Snort and starting the configuration over, but I still get the same result. I saw bits and pieces of threads and bug reports mention that during RC3 snort was having issues with amd64 machines. Is this still the case?
Again, I apologize if this is obvious to many, but I consider myself a pfSense newbie and feel like I'm way over my head. I don't know if this helps anyone, but here's what I see in the system logs when Snort tries to start up:
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/multimedia.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/multimedia.so...
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/netbios.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/netbios.so...
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/nntp.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/nntp.so...
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/p2p.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/p2p.so...
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/smtp.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/smtp.so...
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/snmp.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/snmp.so...
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/specific-threats.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/specific-threats.so...
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: done
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/sql.so...
Mar 23 12:03:28 snort[28005]: Loading dynamic detection library /usr/local/lib/snort/dynamicrules/sql.so...
Mar 23 12:03:28 snort[28005]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/sql.so: /usr/local/lib/snort/dynamicrules/sql.so: unsupported file layout
Mar 23 12:03:28 snort[28005]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/sql.so: /usr/local/lib/snort/dynamicrules/sql.so: unsupported file layout
Mar 23 12:03:28 SnortStartup[28324]: Snort HARD START For 39025_re0...
I also see mention of a package I no longer have installed (IP-Blocklist) that seems to trigger on boot-up. Not sure if this is related or not, but here's what shows up in the log for that:
Mar 23 13:10:30 root: IP-Blocklist was found not running
Mar 23 13:10:30 php: : The command '/usr/local/pkg/pf/IP-Blocklist.sh start' returned exit code '2', the output was 'not running root: IP-Blocklist was found not running 0 table deleted. 0 table deleted. rm: /tmp/rules.debug.tmp: No such file or directory /usr/local/pkg/pf/IP-Blocklist.sh: cannot create /usr/local/www/packages/ipblocklist/errorOUT.txt: No such file or directory rm: /tmp/rules.debug.tmp: No such file or directory 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 cat: /usr/local/www/packages/ipblocklist/interfaces.txt: No such file or directory 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 rm: /u
Mar 23 13:10:32 check_reload_status: Reloading filter
Mar 23 13:10:38 root: IP-Blocklist was found not running
Mar 23 13:10:38 php: : The command '/usr/local/pkg/pf/IP-Blocklist.sh start' returned exit code '2', the output was 'not running root: IP-Blocklist was found not running 0 table deleted. 0 table deleted. rm: /tmp/rules.debug.tmp: No such file or directory /usr/local/pkg/pf/IP-Blocklist.sh: cannot create /usr/local/www/packages/ipblocklist/errorOUT.txt: No such file or directory rm: /tmp/rules.debug.tmp: No such file or directory 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 cat: /usr/local/www/packages/ipblocklist/interfaces.txt: No such file or directory 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 rm: /u
Those entries seem to show up after Snort, though.
Thanks guys! I appreciate the help!
-Justin -
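The "unsupported file layout" error in the first post is what the dynamic loader reports when it is handed an ELF object whose class or target CPU does not match the running host (for example a 32-bit i386 .so on an amd64 system). The following is an added example, not code from the thread or from the pfSense/Snort projects: a small Python checker that reads the ELF header of a shared object and compares its class and machine against the host. The sample headers are constructed inline; the host strings in HOST_LAYOUT are what platform.machine() returns on FreeBSD and Linux x86 systems and are an assumption for other platforms.

```python
import platform
import struct

# ELF identification constants (from the ELF spec) used to tell the object's
# word size and target CPU apart.
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
EM_386, EM_X86_64 = 3, 62

# Host machine strings as reported by platform.machine() on FreeBSD/pfSense
# and Linux x86 hosts (assumption for other platforms), mapped to the ELF
# class/machine a native .so must have to be loadable there.
HOST_LAYOUT = {
    "amd64": (ELFCLASS64, EM_X86_64),
    "x86_64": (ELFCLASS64, EM_X86_64),
    "i386": (ELFCLASS32, EM_386),
    "i686": (ELFCLASS32, EM_386),
}


def elf_layout(header: bytes) -> dict:
    """Parse the first 20 bytes of an ELF file into class, machine and type."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    ei_class, ei_data = header[4], header[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type and e_machine are two 16-bit fields right after the 16-byte
    # e_ident, at the same offsets for ELF32 and ELF64.
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return {"class": ei_class, "machine": e_machine, "type": e_type}


def matches_host(header: bytes, host_machine: str) -> bool:
    """True when the object's class and machine are what this host can dlopen()."""
    if host_machine not in HOST_LAYOUT:
        raise ValueError("unknown host machine: %s" % host_machine)
    lay = elf_layout(header)
    return (lay["class"], lay["machine"]) == HOST_LAYOUT[host_machine]


def check_shared_object(path: str, host_machine: str = None) -> bool:
    """Read the header of a real file (e.g. a snort dynamicrules .so) and check it."""
    with open(path, "rb") as f:
        header = f.read(64)
    return matches_host(header, host_machine or platform.machine())


def _sample_header(ei_class: int, e_machine: int) -> bytes:
    """Build a constructed, minimal little-endian ELF header (e_type ET_DYN = 3)."""
    e_ident = b"\x7fELF" + bytes([ei_class, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HH", 3, e_machine)


# Constructed sample headers: a 32-bit i386 object and a 64-bit x86-64 one.
SAMPLE_I386_SO = _sample_header(ELFCLASS32, EM_386)
SAMPLE_AMD64_SO = _sample_header(ELFCLASS64, EM_X86_64)

if __name__ == "__main__":
    for name, hdr in (("i386 object", SAMPLE_I386_SO), ("amd64 object", SAMPLE_AMD64_SO)):
        print(name, "loadable on amd64:", matches_host(hdr, "amd64"))
```

On a live box, running check_shared_object() over every file under /usr/local/lib/snort/dynamicrules/ identifies a mismatched object before snort's FATAL ERROR does; a False result for a file means that object was built for a different architecture than the host and needs to be replaced by a package built for the running platform.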
Update!
I decided to uninstall and then ssh into the firewall and delete the snort folder. After a reinstall, I'm getting a different set of errors.
I'm going through and unchecking the rules that cause this error (so far it's snort_netbios, pfsense-voip, and snort_policy), but the errors seem to be along the lines of this:
Mar 23 14:38:15 snort[34037]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_netbios.rules(59) Unknown rule option: 'dce_iface'.
Mar 23 14:38:15 snort[34037]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_netbios.rules(59) Unknown rule option: 'dce_iface'.
-
Alrighty, Update #2:
I managed to find the offending rules. Not sure if this is due to an update to the packages they put out, but here are the offenders and their error messages:
@snort_netbios:
Mar 23 14:38:15 snort[34037]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_netbios.rules(59) Unknown rule option: 'dce_iface'.
Mar 23 14:38:15 snort[34037]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_netbios.rules(59) Unknown rule option: 'dce_iface'.
@snort_specific-threats:
Mar 23 14:44:07 snort[935]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_specific-threats.rules(39) Unknown rule option: 'dce_iface'.
Mar 23 14:44:07 snort[935]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_specific-threats.rules(39) Unknown rule option: 'dce_iface'.
@snort_exploit:
Mar 23 14:51:21 snort[28112]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_exploit.rules(380) Unknown rule option: 'dce_iface'.
Mar 23 14:51:21 snort[28112]: FATAL ERROR: /usr/local/etc/snort/snort_60799_re0/rules/snort_exploit.rules(380) Unknown rule option: 'dce_iface'.
This one didn't keep the interface from starting, but figured I might as well post it:
@pfsense-voip:
Mar 23 14:38:15 snort[34037]: WARNING /usr/local/etc/snort/snort_60799_re0/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Mar 23 14:38:15 snort[34037]: WARNING /usr/local/etc/snort/snort_60799_re0/rules/pfsense-voip.rules(1) threshold (in rule) is deprecated; use detection_filter instead.
Based on the title of those, they seem like rule sets that I'd like to use. If anyone has any information on how to make them work, it'd be very appreciated! :)
-
Doh.
I opened and closed my own case… Sorry for taking up the forum space! Hopefully it helps another newbie out though.
I realized that I needed to enable the DCE/RPC2 preprocessor to make those work.
Sometimes I wonder where my brain goes... :-[
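The fix in the last post (enable the DCE/RPC2 preprocessor so that dce_iface parses) generalises: in Snort 2.x several rule options exist only when a matching preprocessor is loaded, and a rule set that uses them fails with "Unknown rule option" when that preprocessor is commented out, while a deprecated option such as threshold only produces a warning. The following is an added example, not code from the thread or from the Snort project: a Python pre-flight checker that walks a rules file, maps each option keyword to the preprocessor it needs, compares that with the preprocessor lines in snort.conf, and reports missing preprocessors and deprecated options with the rule's line number. The dce_* to dcerpc2 mapping is the case from this thread; the ssl_* and sip_method entries are further examples of the same pattern. The sample rules and config fragments are constructed for the example and are not real VRT or pfSense rules.

```python
import re

# Rule options that only parse when the matching Snort 2.x preprocessor is
# loaded. dce_* -> dcerpc2 is the case from this thread; the others are
# further examples of the same pattern.
OPTION_PREPROCESSOR = {
    "dce_iface": "dcerpc2",
    "dce_opnum": "dcerpc2",
    "dce_stub_data": "dcerpc2",
    "ssl_version": "ssl",
    "ssl_state": "ssl",
    "sip_method": "sip",
}
# Options snort still accepts but warns about, with the replacement it suggests.
DEPRECATED_OPTIONS = {"threshold": "detection_filter"}


def split_options(body: str) -> list:
    """Split a rule body on ';' while ignoring ';' inside quotes or after a backslash."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def rule_option_keywords(rule: str) -> list:
    """Return the option keywords (the part before ':') of one rule, in order."""
    m = re.search(r"\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        return []
    return [opt.split(":", 1)[0].strip() for opt in split_options(m.group(1))]


def logical_rules(rules_text: str):
    """Yield (first_line_number, rule_text), joining backslash-continued lines."""
    buf, start = [], None
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if start is None:
            start = lineno
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None


def enabled_preprocessors(conf_text: str) -> set:
    """Names from uncommented 'preprocessor <name>' lines in a snort.conf."""
    enabled = set()
    for line in conf_text.splitlines():
        m = re.match(r"\s*preprocessor\s+([A-Za-z0-9_]+)", line)
        if m:
            enabled.add(m.group(1))
    return enabled


def check_rules(rules_text: str, conf_text: str) -> list:
    """Report rules needing a preprocessor the config does not load, plus deprecated options."""
    enabled = enabled_preprocessors(conf_text)
    findings = []
    for lineno, rule in logical_rules(rules_text):
        stripped = rule.strip()
        if not stripped or stripped.startswith("#"):
            continue
        missing = set()
        for kw in rule_option_keywords(stripped):
            needed = OPTION_PREPROCESSOR.get(kw)
            if needed and needed not in enabled:
                missing.add(needed)
            if kw in DEPRECATED_OPTIONS:
                findings.append({"line": lineno, "kind": "deprecated",
                                 "option": kw, "use": DEPRECATED_OPTIONS[kw]})
        for needed in sorted(missing):
            findings.append({"line": lineno, "kind": "missing_preprocessor",
                             "preprocessor": needed})
    return findings


# Constructed sample rules (not a real VRT/ET rule set); the content with an
# embedded ';' checks that quoted text is not split.
SAMPLE_RULES = "\n".join([
    "# constructed sample rules",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE dce rule"; flow:to_server,established; '
    'content:"a;b"; dce_iface:00000000-0000-0000-0000-000000000001; dce_opnum:0; sid:1000001; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"SAMPLE voip rule"; content:"INVITE"; '
    'threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"SAMPLE plain rule"; content:"GET"; sid:1000003; rev:1;)',
])
# Constructed snort.conf fragments: dcerpc2 commented out vs. enabled.
SAMPLE_CONF_DISABLED = "preprocessor frag3_global\npreprocessor stream5_global: max_tcp 8192\n# preprocessor dcerpc2: memcap 102400\n"
SAMPLE_CONF_ENABLED = "preprocessor dcerpc2: memcap 102400\npreprocessor dcerpc2_server: default\n"

if __name__ == "__main__":
    for f in check_rules(SAMPLE_RULES, SAMPLE_CONF_DISABLED):
        print(f)
```

Run against the real files (the rules directory and snort.conf that the pfSense package generates for the interface), the "missing_preprocessor" findings name exactly the preprocessor to enable in the interface's preprocessor settings, which is what resolved this thread; the "deprecated" findings are the warnings that do not stop snort but show which rules should migrate to detection_filter.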