    2.0.1 - Snort won't start - New Install

    pfSense Packages
    24 Posts 7 Posters 11.5k Views
      mschiek01

      from the console shell go to:

      /usr/local/lib/snort/dynamicrules

      Delete anything in this directory

      Start snort from the Gui.

        NetworkNubbin

        @mschiek01:

        from the console shell go to:

        /usr/local/lib/snort/dynamicrules

        Delete anything in this directory

        Start snort from the Gui.

        Saw that on another post but…there's nothing there:

         pwd && ls
        /usr/local/lib/snort/dynamicrules
        
        

        :(

          mschiek01

          I am sure you did but I have to ask, you did click on the update rules in the gui after the install and also select an interface for snort to run on and finally selected rules to apply to the interface correct?

            NetworkNubbin

            @mschiek01:

            I am sure you did but I have to ask, you did click on the update rules in the gui after the install and also select an interface for snort to run on and finally selected rules to apply to the interface correct?

            lol…sadly yes :(

            What's next?

              _igor_

              same issue here:

              starting snort from gui doesn't work. logs show this (end of log):

              Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
              Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
              Jul 6 12:58:02	snort[37407]: Detection:
              Jul 6 12:58:02	snort[37407]: Detection:
              Jul 6 12:58:02	snort[37407]:
              Jul 6 12:58:02	snort[37407]:
              Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
              Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
              Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :
              Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :
              

              /usr/local/lib/snort/dynamicrules is empty -> have installed rules before!

                mschiek01

                On the interface IF settings tab at the bottom is there anything in the advanced configuration box?

                Also, is this an i386 or an amd64 build?

                  _igor_

                  @mschiek01: Nop, nothing in there. Redownloaded the rules, but same as before: pidfile empty:

                  /usr/local/etc/rc.d/snort.sh start
                  pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty

                    mschiek01

                    You didn't say if this is a 64 or 386 build.  If it is a 64 build, make sure you did not select any .so "shared object rules" on the categories tab of the interface.

                      _igor_

                      Oh, sorry. It's amd64 and I have no .so rules activated. Looked twice to be sure.

                        mschiek01

                        You can try this:
                        Edit this file
                        /usr/local/etc/snort/snort.conf

                        and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

                        then see if it starts.

                          _igor_

                          Did that, but same message appears:

                          /usr/local/etc/rc.d/snort.sh start
                          pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty

                          :(((

                            mschiek01

                            can you try to start snort from the gui and then post your system log?

                              eri--

                              The pidfile empty message is a normal error; just put the system log here to know what is happening to your setup.

                                _igor_

                                Found it!

                                The system log had additional entries which were not shown in the GUI:

                                Jul  6 20:53:13 pf snort[53576]: Initializing rule chains…
                                Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
                                Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
                                Jul  6 20:53:14 pf SnortStartup[53705]: Interface Rule START for 0_16197_pppoe0…
                                tory.

                                Enabling the http-inspection resolved the problem. Thanks for your help!
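
The point of this post, that the fatal errors were in the system log and not in the GUI view, as an added example that is not part of the original thread: a shell function that reads syslog text on stdin, keeps Snort's FATAL ERROR lines, collapses repeats, and names the rule file and line or the preprocessor involved. The function names and the tab-separated output format are assumptions of this example; the sample lines are taken from the posts in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Snort FATAL ERROR lines.
# Reads syslog text on stdin; prints count<TAB>kind<TAB>where<TAB>message.

snort_fatal_summary() {
    awk '
    /snort\[[0-9]+\]: FATAL ERROR: / {
        msg = $0
        sub(/^.*FATAL ERROR: /, "", msg)        # drop timestamp, host, pid
        if (!(msg in seen)) order[++n] = msg    # remember first-seen order
        seen[msg]++                             # collapse repeated lines
    }
    END {
        for (i = 1; i <= n; i++) {
            msg = order[i]; kind = "other"; where = "-"
            if (match(msg, /^[^ ]+\.rules\([0-9]+\)/)) {
                # "<file>.rules(<line>) ...": a rule Snort refused to load
                kind = "rule"
                where = substr(msg, RSTART, RLENGTH)
                sub(/\(/, ":", where); sub(/\)$/, "", where)
            } else if (match(msg, /dynamic preprocessor: [A-Za-z0-9_]+/)) {
                # "Failed to initialize dynamic preprocessor: <NAME> ..."
                kind = "preprocessor"
                where = substr(msg, RSTART + 22, RLENGTH - 22)
            }
            printf "%d\t%s\t%s\t%s\n", seen[msg], kind, where, msg
        }
    }'
}

# Sample input: log lines taken from the posts in this thread.
sample_log() {
    cat <<'EOF'
Jul  6 20:53:13 pf snort[53576]: Initializing rule chains...
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
EOF
}

sample_log | snort_fatal_summary
```

On a live firewall, pipe the system log text into `snort_fatal_summary` in place of `sample_log`.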

                                  NetworkNubbin

                                  @mschiek01:

                                  You can try this:
                                  Edit this file
                                  /usr/local/etc/snort/snort.conf

                                  and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

                                  then see if it starts.

                                  Didn't seem to work:

                                  
                                   249 # path to base preprocessor engine
                                   250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
                                  
                                  

                                  Still getting the same old
                                  Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                                  Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

                                  And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

                                    eri--

                                    Please provide system log to see what is wrong.

                                      mschiek01

                                      @NetworkNubbin:

                                      @mschiek01:

                                      You can try this:
                                      Edit this file
                                      /usr/local/etc/snort/snort.conf

                                      and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

                                      then see if it starts.

                                      Didn't seem to work:

                                         
                                       249 # path to base preprocessor engine
                                       250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
                                      
                                      

                                      Still getting the same old
                                      Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                                      Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

                                      And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

                                      Uninstall snort

                                      Delete /usr/local/lib/snort/*

                                      Reinstall snort

                                      Start snort and post the system log if it does not start.

                                        dwood

                                        With a clean AMD64 install (did not save settings, uninstalled, executed "find /* | grep -i snort | xargs rm -rv" command, rebooted) and valid oinkcode, a rules update is attempted.  The Updates TAB indicates that no emergingthreats.net or pfsense.org signatures are installed.  The "Install Emergingthreats rules" option is however toggled on under the Global Settings Tab.  During an update, the status message is that Emerging Threats rules are up to date..although they are not present in the interface Category Tab.

                                        Unlike the previous attempt (clean install, but had "save settings" toggled on from 2.2.2), this time Snort 2.2.3 does start successfully with all rules (except emergingthreats which as described above are not there) enabled.

                                        The issue of Alert Description displaying "N/A" remains..not sure if it's on a fix matrix or not..

                                        Cheers,
                                        Dennis.

                                          NetworkNubbin

                                          @mschiek01:

                                          @NetworkNubbin:

                                          @mschiek01:

                                          You can try this:
                                          Edit this file
                                          /usr/local/etc/snort/snort.conf

                                          and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

                                          then see if it starts.

                                          Didn't seem to work:

                                             
                                           249 # path to base preprocessor engine
                                           250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
                                          
                                          

                                          Still getting the same old
                                          Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                                          Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

                                          And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

                                          Uninstall snort

                                          Delete /usr/local/lib/snort/*

                                          Reinstall snort

                                          Start snort and post the system log if it does not start.

                                          Looks like that did it - I suppose we'll never know what was really wrong. Thanks!

                                            bman212121

                                            Bumping this thread.

                                            I updated to 2.1-dev from 2.0.1 a couple of days ago. Using AMD64 build with the latest packages. Snort won't start with the configuration I had set up from before. Error message is the FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DNS (IPV6) version 1.1.4 (-2) which definitely means it's having an issue with the IPv6 part of "Enable DNS Detection" preprocessor. Only catch is that if you disable the preprocessor, it's not actually disabling it.

                                            Steps to reproduce:

                                            Create a new snort interface (Defaults are fine)
                                            Enable snort. Everything works fine.
                                            Disable snort.
                                            Edit the interface, go to the preprocessors tab, check the box for "Enable DNS Detection" and save the changes
                                            Try enabling snort again, and it crashes with the error message.
                                            Edit the interface, go to the preprocessors tab, uncheck the box for "Enable DNS Detection" and save the changes
                                            Try to start snort again, and the error message still appears.

                                            You can keep creating new rules and they will keep working as long as you don't enable that preprocessor. I was able to enable the HTTP inspect one, need to test the others yet.
