Fatal error in Snort version 2.9.2.3 pkg v. 2.5.1
-
Hi, I have just upgraded to Snort 2.9.2.3 pkg v. 2.5.1 and Snort fails to start with the following error:
snort[32558]: FATAL ERROR: Failed to load /usr/local/etc/snort/snort_48765_em0/dynamicrules/exploit.so: /usr/local/etc/snort/snort_48765_em0/dynamicrules/exploit.so: Undefined symbol "byteTest"
The strange thing is that the exploit.so is not even being used. Any way to correct this urgently as I cannot start Snort?
Thanks!
-
What happens if you disable all rules except the preprocessors?
-
Just tried - same error :-(
-
I have started completely removing and then re-installing the Snort package of late. That makes sure a new binary is also downloaded. I believe a simple update or re-install from the GUI just updates the PHP code stuff and does not update the underlying Snort binary.
I have my Snort configured to save settings across removal and re-install, so I just remove the package and then re-install it from the GUI. With the latest update to 2.5.1, I was also affected by the new SSL preprocessor breakout, but checking that preprocessor and restarting fixed it for me.
P.S. – I have the exploit.so rule enabled and it works fine for me. I have Snort on 32-bit 2.0.1 pfSense.
-
When I reinstalled, Snort did start with no rules. However, when I add a category, it will no longer start with the same error. Now, even if I remove all the rules again, it still will not start! Very strange!! :-)
-
trvsecurity,
what type of processor are you using? I have 2 virtual machines running, where I do not observe your problem, but so far I haven't downloaded and activated the Snort.org rules. I could take a snapshot, install the rules and see what happens.
-
Hi again
I fully reinstalled Snort and now I can't download Snort rules (Update failed). Snort will start when no Snort rules are present so it does seem related to that.
We have an Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz processor.
-
trvsecurity, I was aiming at 32 or 64-bit, because different binaries are involved.
-
32 bit
Now I keep getting:
php: /snort/snort_download_rules.php: Snort rules file downloaded failed…
-
I don't have any problem downloading the Snort.org and ET rules and installing them.
Maybe, you should remove the snort package. Find residual files and dirs with find / -name 'snort*', delete them, maybe reboot the machine, and finally install snort again.
-
32 bit
Now I keep getting:
php: /snort/snort_download_rules.php: Snort rules file downloaded failed…
You have to wait 15 minutes and then try again.
-
I uninstalled and rebooted and all the ETC files had gone. I cannot delete all Snort files as I need the back up config to come back after reinstall. Still cannot download Snort rules.
Can you tell me what directories I should delete after uninstall while maintaining the config back up?
-
You can safely remove all snort files. The config is saved in XML.
-
Done. When I uninstall, all the files in /usr/local/etc/snort/ go away. Then I reinstall and I still can't download the Snort rules.
I have never had this issue before.
In the logs, I see:
php: /snort/snort_download_rules.php: There is a new set of Snort.org rules posted. Downloading…
Then 3 seconds later:
php: /snort/snort_download_rules.php: Snort rules file downloaded failed...
-
trvsecurity,
I am just guessing. Is your oinkcode ok?
-
yes - definitely not the cause. Just put it in again, and the problem continues.
-
Next idea: do you have a virtual machine to play with? Setting this up using VirtualBox takes less than an hour.
-
yes - definitely not the cause. Just put it in again, and the problem continues.
Maybe they put you on blacklist.
It gets cleared in 1/2 hours. Though reinstall the package, I put code to remove the dynamic rules in case they are not enabled in categories tab.
-
I think you are right! I left it for a while and now everything is working fine! Thanks to ALL! Case closed!