Snort 2.9.2.3 pkg v. 2.5.1 - does not start. Please help!
-
Hello,
I just upgraded to Snort 2.9.2.3 pkg v. 2.5.1 from Snort 2.9.2.3 pkg v. 2.3.2 yesterday. PfSense 2.0.1. The upgrade succeeded. Was able to download new rules, select categories and verified that all the settings are in tact. Tried starting Snort. It never completes starting.
The last entry in the syslog is "snort[12234]: Initializing rule chains…". I searched through other threads and those that have encountered startup issues all have a "FATAL ERROR" entry. I used to with earlier builds, but, this time, there are no "ERROR" entries in the syslog. Am not using Barnyard. Never was.
Did a "ps aux" to ensure that there are no other snort sessions running.
Did a complete uninstall and a fresh install of snort. Still the same symptoms and snort does not start.
What else can I try and where do I go to look for errors?
Thanks,
MediocreFred. -
Try deselecting all of the rule categories that are enabled and switch off all of the preprocessors. Restart your box and check for errors in the log. If it doesn't get this far then you have a fault unrelated to the ruleset.
Switch on the preprocessors that you need/want and retest before enabling any categories. Enable categories one at a time in order of importance especially if your machine is low on RAM.
-
Thanks for the troubleshooting tips.
I narrowed it down to 2 categories - snort_botnet-cnc.rules and snort_exploit.rules. Enabling either of them causes snort to hang right after "Initializing rule chains". Any obvious reasons why I am unable to enable these 2 categories? Can it be due to a clash/collision with any other enabled categories - I have the similarly named emerging-botcc.rules and emerging-exploit.rules categories enabled.
Thanks,
MediocreFred. -
I had to enable the SSL data preproc for those rules to work. Give it a try!
-
Awesome! That did it! Thanks very much!