Snort 2.9.1 pkg v. 2.1.1 Error.
-
having the same #3 error "FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined." having all rules unchecked
I had the same error and had to delete the contents of /usr/local/lib/snort/dynamicrules. After that everything seemed fine and all my rules seem to work.
This works provided you're only using EMERGING rule set. Is there a fix that enables you to also use SNORT rules?
-
having the same #3 error "FATAL ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined." having all rules unchecked
Solved this by disabling all rules in snort_web-misc.so.rules category - EVEN THOUGH THIS CATEGORY WAS UNCHECKED IN CATEGORIES SCREEN. I thought that only rules from checked categories were enabled. Am I missing something, besides an illogical brain?
Update: Error reappeared after 12+ hours. No solution yet!
-
It was running fine, until I updated today to last snapshot.
Now it won't start anymore, please check it out.
-
Here is the problem:
Jun 12 13:20:43 snort[26817]: FATAL ERROR: parser.c(5245) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Jun 12 13:20:43 snort[26817]: FATAL ERROR: parser.c(5245) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory. -
I uninstalled, re-installed, tried:
1.) ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
2.) ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
3.) ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
4.) ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules
5.) manually update the Snort rules.
6.) touch /usr/local/etc/snort/rules/local.rulesDisabled everything on "Preprocessors" tab, nothing!
It refuses to run, this problem just "popped" today from last snapshot update. :(
-
This is all on it:
[2.1-BETA0][root@*****]/usr/local/lib/snort(8): ls -laR total 8 drwxr-xr-x 3 root wheel 512 Jun 12 13:38 . drwxr-xr-x 14 root wheel 3584 Jun 12 13:38 .. drwxr-xr-x 2 root wheel 512 Jun 12 13:38 dynamicrules ./dynamicrules: total 4 drwxr-xr-x 2 root wheel 512 Jun 12 13:38 . drwxr-xr-x 3 root wheel 512 Jun 12 13:38 .. -
Man.. after update… the alert page (snort_alerts.php) apear blank when I try see the alerts generated.
-
It only happened today, at update:
2.1-BETA0 (i386)
built on Tue Jun 12 05:15:27 EDT 2012
FreeBSD 8.3-RELEASE-p2Snort package: 2.9.2.3 pkg v.2.1.1
-
Same issue here..
Jun 12 14:44:53 snort[54702]: FATAL ERROR: parser.c(5302) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory.
Jun 12 14:44:53 snort[54702]: FATAL ERROR: parser.c(5302) Could not stat dynamic module path "/usr/local/lib/snort/dynamicpreprocessor": No such file or directory. -
Checking snort.conf I found:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrulesHowever, there is nothing on /usr/local/lib/snort_dynamicpreprocessor (as I listed above).
There is NO libsf_engine.so file at all on system!
Only /usr/local/lib/snort_dynamicrules exists (as directory only, but there is nothing inside on it too).
-
uninstall snort
drop down to shell
run 'find /* | grep snort'
delete every reference
install snort
update rules
Click save on every page, Global page for sure, so the cron job is added
make sure every preprocessor is ONthat should do it, at least for i386… can't help with amd64 builds... and in the past, amd64 always had problems with snort for some reason
-
I'm getting this now:
Jun 12 16:42:17 php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was 'rm: /tmp/snort.sh.pid: No such file or directory rm: /var/run/snort*: No such file or directory'I even rebooted, no joy.
-
uninstall snort
drop down to shell
run 'find /* | grep snort'In case the Snort devs do not know this. Or maybe it is just me?
Code:
Installation of snort FAILED!
delete every reference
install snort
update rules
Click save on every page, Global page for sure, so the cron job is added
make sure every preprocessor is ONthat should do it, at least for i386… can't help with amd64 builds... and in the past, amd64 always had problems with snort for some reason
The above worked for me using a amd64 install. Needed to do this, since the snort rules would not get updated.
Used the following instead of, [find /* | grep snort]:
find /* | grep -i snort | xargs rm -rvEDIT: Thanks Cino for the info :)
When I finished setting up snort, noticed there was a new version:
Stable 2.9.2.3 pkg v. 2.2 platform: 2.0But the new version fails to install:
Installation of snort FAILED! Beginning package installation for snort... Downloading package configuration file... done. Saving updated package information... done. Downloading snort and its dependencies... Checking for package installation... Downloading http://files.pfsense.org/packages/amd64/8/All/barnyard2-1.9_2.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/barnyard2-1.9_2.tbz. of barnyard2-1.9_2 failed! Installation aborted.Backing up libraries... Removing package... Starting package deletion for mysql-client-5.1.53...done. Starting package deletion for barnyard2-1.9_2...done. Starting package deletion for snort-2.9.2.3...done. Starting package deletion for perl-threaded-5.12.4_4...done. Removing snort components... Menu items... done. Services... done. Loading package instructions... Include file snort.inc could not be found for inclusion. Deinstall commands... Not executing custom deinstall hook because an include is missing. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Cleaning up... Failed to install package. Installation halted. -
noticed that too. barnyard2-1.9_2.tbz isnt built yet.. once its built, you should be good to go
-
noticed that too. barnyard2-1.9_2.tbz isnt built yet.. once its built, you should be good to go
Yes, just wanted to report my findings and thanks for conformation. Will try again later and report back :)
-
noticed that too. barnyard2-1.9_2.tbz isnt built yet.. once its built, you should be good to go
Yes, just wanted to report my findings and thanks for conformation. Will try again later and report back :)
it will be located here: http://files.pfsense.org/packages/8/All/ when its built
-
it will be located here: http://files.pfsense.org/packages/8/All/ when its built
Thanks for all the info :)
-
Try again after reinstalling snort.
-
@ermal:
Try again after reinstalling snort.
@ermal ah, life is good again.. Thank you sir! I uninstalled, ran 'find /* | grep -i snort | xargs rm -rv' just to be sure then a installed.. Saved the Global page(cron job creation) updated the rules and snort and barnyard started right up!! No more manually install barnyard2….. thank you again sir!
P.S thank you for breaking out the alert file by interface! Big plus there, nice to see alerts by interface. Doing this does break the snort widget on the dashboard tho :-( I changed log file its looking for but that didn't work for me... With the changes made to the alerts page, this widget would need some work to get working again... I can live without for now.. the new alert page is the better trade off IMHO
-
Well, I did everything again just now and I'm still getting:
Jun 13 11:37:34 php: /pkg_mgr_install.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was 'rm: /tmp/snort.sh.pid: No such file or directory rm: /var/run/snort*: No such file or directory'