Snort Stable 2.9.2.3 pkg v. 2.2 Failed
-
I tried starting snort from console:
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(5): /usr/local/bin/snort
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"
From GUI I get:
SnortStartup[36515]: Snort HARD START For 28453_em0…
So it seems like I'm having problems with libcap not installing correctly even when I remove and reinstall snort.
-
I tried starting snort from console:
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(5): /usr/local/bin/snort
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"
From GUI I get:
SnortStartup[36515]: Snort HARD START For 28453_em0…
So it seems like I'm having problems with libcap not installing correctly even when I remove and reinstall snort.
I believe this is a different issue that was addressed in another part of the forums. Search for the error you are getting (the libpcap.so.1 not found part) and you should find it. Essentially, you need to make a couple of symlinks to fix this.
-
It seems impossible to stop snort. When I try to stop snort from gui it claims to stop but never does. From ssl I get this error
Initializing Output Plugins!
Snort BPF option: stop
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "sk0".
ERROR: Can't set DAQ BPF filter to 'stop' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting
Snort never stops; I have to issue killall -9 snort to get it to stop.
-
tritron, which version of snort are you using?
Latest one is not at all running!
-
I am running 2.9.2.3 pkg v. 2.2.1; it runs too well, blocks web also.
-
I installed the upgrade from the packages page.
After installing the rules, I got
snort[46689]: FATAL ERROR: /usr/local/etc/snort/snort_15989_bge0/snort.conf(190) Unknown preprocessor: "ssl".
:-(
Still not working
-
Been running Snort 2.9.2.3 pkg v. 2.2 (AMD64) for more than 2 full days. Everything appears to be working properly, with the exception of the dashboard widget, which I noted in an earlier post. However, it now appears that Snort is shutting down and not restarting twice-a-day. I suspect this coincides with my 12 hour update schedule, but I can't confirm since update attempts are not logged. The shutdowns leave no log entries either.
I am able to restart Snort manually after these incidents.
Can anyone confirm this behavior on another system?
I had this problem. It appears to have been a problem with the cron job that deletes blocked IPs after a set time. I fixed it by going into the general tab and selecting never, then saved, then reselected the amount of time I wanted and clicked save again. This deleted and recreated the cron job. When this was happening there was nothing in the logs either.
This seems to have worked. Snort has gone thru an automated rules update without stopping after following these steps. BTW, Snort updates are logged to /tmp/snort_update.log, although previous entries record that Snort restarted. I don't think that's accurate. It just indicates that a restart was executed, not necessarily successfully. However, the log does report the date/time of the activity which, if no Snort alerts are received after a scheduled update, may lend evidence that there's a cron job failure.
mschiek - thanks for the help.
Update: Fix one problem - find another. An hour after successfully updating, logged error:
kernel: pid 25427 (snort), uid 0: exited on signal 10
The shutdown was preceded with this entry at the same recorded time:
snort[25427]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 109.169.37.117:5065 -> [my address]:5060
Any ideas as to what's going on?
I have had that error as well and I have not figured out as of yet what is causing it. After this error the snort process on the interface starts normally and it has not stopped again which is even more confusing.
BTW - What do you have your mem performance settings set at? Also, how many WAN interfaces do you have? I am just trying to figure out a common thread to this.
My mem performance settings are set to defaults. I'm running w/4 GB RAM, which is relevant. I have 1 WAN interface, 1 LAN and 1 optional designated for WIFI.
Still working on snort stopping on the interface.
I have 4 GB of memory with 5 interfaces; snort is running on two of them.
Snort mem setting is ac-std.
What I have noticed is the swap file keeps growing until it is at 100%, then I see an error that the snort process has stopped because of a lack of swap space. I only see this error by using a syslog server and recording all events. If I reboot the box the swap file goes back to normal but starts to grow the longer the box is on.
-
Delete anything in this directory
/usr/local/lib/snort/dynamicrules
also uncheck any .so rules on your interfaces. Try to start snort
mschiek01, I'm glad you posted this. I upgraded snort and it didn't start afterwards. Your post helped me fix it. Next time I'll check the forum before upgrading any of my packages.
Thanks!!
-
I finally got snort running after removing libpcap-1.1.1_1 and snort-2.9.2.3 manually with pkg_delete <package name>; both commands gave missing file errors. It seems like even if the remove/re-install package command from gui does seemingly remove the package, it doesn't do it properly.
Before I was getting
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(5): /usr/local/bin/snort
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"
From GUI I get:
SnortStartup[36515]: Snort HARD START For 28453_em0...
Thanks to whoever suggested removing the two packages from console :)
Edit: Did anyone find a fix for snort not closing when stopping/restarting from GUI and just spawning a new process?
-
I have the exact same error. In our case the re-install removed the existing rules, so that's probably not the cause.
-
I've read through the various recent Snort posts, and just want to add a problem - I can't get it to start, and the System log doesn't indicate any problem. Running 2.9.2.3 v2.2.1. Previous version ran well. I tried reinstalling, changing memory parameters, using minimal rules, reboot, updating pfsense to 2.0.1.
-
I just did a clean install of pfsense 2.0.1 (x86 version)
and all my packages Squid, HAVP, Sarg are working but SNORT is failing with
snort.conf(533) => Failed to parse: No end brace found
Any ideas or suggestions?
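
The failure messages reported across this thread can be told apart by signature, and a signal exit can be tied back to the last alert the same pid logged. The script below is an added example, not part of any post above or of the pfSense Snort package; the function names, category labels and sample lines are constructed here (addresses are documentation ranges).

```sh
#!/bin/sh
# Added example, not from the thread: triage the Snort failure messages quoted
# above. Function names and category labels are this example's own.

# Map one log line to a failure category.
classify_snort_line() {
    case "$1" in
        *'Shared object "'*'" not found'*) echo missing-shared-lib ;;
        *'Unknown preprocessor'*)          echo unknown-preprocessor ;;
        *"Can't set DAQ BPF filter"*)      echo bad-bpf-filter ;;
        *'No end brace found'*)            echo conf-parse-error ;;
        *'(snort)'*'exited on signal'*)    echo killed-by-signal ;;
        *)                                 echo other ;;
    esac
}

# Print the category of every recognised line read from stdin.
triage() {
    while IFS= read -r line; do
        kind=$(classify_snort_line "$line")
        [ "$kind" = other ] || echo "$kind"
    done
}

# For each kernel "exited on signal" line print: pid, signal number, and the
# gid:sid:rev of the last alert that pid logged (signal 10 is SIGBUS on FreeBSD).
last_alert_before_exit() {
    awk '
    match($0, /snort\[[0-9]+\]: \[[0-9]+:[0-9]+:[0-9]+\]/) {
        pid = sid = substr($0, RSTART, RLENGTH)
        sub(/^snort\[/, "", pid); sub(/\].*$/, "", pid)
        sub(/^.*: \[/, "", sid);  sub(/\]$/, "", sid)
        last[pid] = sid
    }
    match($0, /pid [0-9]+ \(snort\), uid [0-9]+: exited on signal [0-9]+/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        print f[2], f[9], ((f[2] in last) ? last[f[2]] : "none")
    }'
}

# Constructed sample, modelled on the messages quoted in the thread.
sample_log() {
    cat <<'EOF'
snort[25427]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:5065 -> 198.51.100.1:5060
kernel: pid 25427 (snort), uid 0: exited on signal 10
snort[46689]: FATAL ERROR: /usr/local/etc/snort/snort_15989_bge0/snort.conf(190) Unknown preprocessor: "ssl".
EOF
}

sample_log | triage
sample_log | last_alert_before_exit
```

Feeding the real system log through `triage` and `last_alert_before_exit` instead of `sample_log` shows whether repeated signal exits follow the same rule or unrelated ones.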