    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    • K Offline
      kilthro
      last edited by

      @ermal:

      I just pushed a patch to silence the damn snort with its thousands of log entries during startup and left just the error/fatal messages.
      When it gets recompiled it would be easier to even read syslog and the errors of the package.

      Thanks so much for this! It was annoying to have the sys log fill every restart.

      1 Reply Last reply Reply Quote 0
      • swinnS Offline
        swinn
        last edited by

        Snort will no longer start: (I changed the IPs below with the asterisks)
        Looks like there is no subnet set for the IPv6 address.

        Jan 27 00:23:21 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)... 
        Jan 27 00:23:21 snort[43598]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,192.168.0.0/16,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24]. 
        Jan 27 00:23:19 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)... 
        Jan 27 00:22:13 check_reload_status: Syncing firewall 
        Jan 27 00:20:54 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)... 
        Jan 27 00:20:54 snort[95541]: FATAL ERROR: /usr/local/etc/snort/snort_51073_em0/snort.conf(6) Failed to parse the IP address: [127.0.0.1,75.131.*.*,2602:100:*:*::,75.131.*.*/20,2602:100:*:*::/,75.131.112.1,24.159.64.23,4.2.2.4,2607:f428:1::5353:1,2607:f428:2::5353:1,192.168.2.0/24]. 
        Jan 27 00:20:51 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)... 
        
        
        1 Reply Last reply Reply Quote 0
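The log lines swinn posted show Snort rejecting a whole address list, and the entry swinn points at is an IPv6 address followed by "/" with no prefix length. As an added example (not part of the thread and not the pfSense package's code), this Python sketch pulls the list out of such a FATAL ERROR line and reports which entries cannot be parsed. The sample line is constructed with documentation addresses, the function names are hypothetical, and the sketch assumes a flat list with CIDR prefix lengths only.

```python
import ipaddress
import re

# Bracketed list as printed in Snort's "Failed to parse the IP address" message.
# Assumption: a flat list (no nested brackets), as in the log lines on this page.
LIST_RE = re.compile(r"Failed to parse the IP address: \[([^\]]*)\]")

# Constructed sample: same shape as the line in the thread, but using
# documentation ranges (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32).
SAMPLE_LINE = (
    "Jan 27 00:23:21 snort[43598]: FATAL ERROR: "
    "/usr/local/etc/snort/snort_51073_em0/snort.conf(6) "
    "Failed to parse the IP address: "
    "[127.0.0.1,192.168.0.0/16,203.0.113.7,2001:db8:1:2::,203.0.113.0/20,"
    "2001:db8:1:2::/,198.51.100.1,2001:db8:2::5353:1,192.168.2.0/24]."
)


def extract_list(log_line):
    """Return the comma-separated entries of the rejected list, or []."""
    match = LIST_RE.search(log_line)
    if not match:
        return []
    return [entry.strip() for entry in match.group(1).split(",")]


def check_entry(entry):
    """Return None if the entry is a usable address or CIDR block,
    otherwise a short reason string."""
    if not entry:
        return "empty entry"
    addr, slash, prefix = entry.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid address"
    if not slash:
        return None  # bare host address
    if prefix == "":
        return "missing prefix length after '/'"
    if not (prefix.isascii() and prefix.isdigit()):
        return "non-numeric prefix length"
    if int(prefix) > ip.max_prefixlen:
        return "prefix length %s exceeds %d" % (prefix, ip.max_prefixlen)
    return None  # host bits may be set (e.g. x.x.x.x/20); not treated as an error


def find_bad_entries(log_line):
    """Return [(entry, reason), ...] for every entry that fails the check."""
    bad = []
    for entry in extract_list(log_line):
        reason = check_entry(entry)
        if reason is not None:
            bad.append((entry, reason))
    return bad


if __name__ == "__main__":
    for entry, reason in find_bad_entries(SAMPLE_LINE):
        print("%-20s %s" % (entry, reason))
```

Running the same check over the generated address list before starting Snort would catch an empty prefix without a failed start.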
        • T Offline
          tester_02
          last edited by

          Updated snort today, now it does not start.  Error is…

          snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

          I disabled the bad traffic rules (so and non so) and it still fails to start. Reinstalled package again, and no go. Was working for quite a while. Had not updated for a month, but thought from the thread here that it was stable.

          1 Reply Last reply Reply Quote 0
          • RonpfSR Offline
            RonpfS
            last edited by

            Just went for a re-install of Snort 2.9.2.3 pkg v. 2.5.4  ::)

            
            2013-01-27 02:16:43	Auth.Emerg	172.24.42.254	php: /status_rrd_graph.php: Successful webConfigurator login for user 'admin' from 172.24.48.84
            2013-01-27 02:16:45	Local0.Info	172.24.42.254	pf: 00:00:02.978226 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 9, id 34704, offset 0, flags [none], proto UDP (17), length 52)
            2013-01-27 02:16:45	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33526: UDP, length 24
            2013-01-27 02:16:47	Local0.Info	172.24.42.254	pf: 00:00:01.870908 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 52039, offset 0, flags [DF], proto TCP (6), length 83)
            2013-01-27 02:16:47	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x6769 (correct), seq 3683470708:3683470739, ack 2243077203, win 44064, options [nop,nop,TS val 1236008655 ecr 155036732], length 31
            2013-01-27 02:16:48	Local0.Info	172.24.42.254	pf: 00:00:01.152559 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 9, id 34705, offset 0, flags [none], proto UDP (17), length 52)
            2013-01-27 02:16:48	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33527: UDP, length 24
            2013-01-27 02:16:51	Local0.Info	172.24.42.254	pf: 00:00:03.027552 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 10, id 34706, offset 0, flags [none], proto UDP (17), length 52)
            2013-01-27 02:16:51	Local0.Info	172.24.42.254	pf:     68.209.243.115.34612 > 50.21.133.210.33528: UDP, length 24
            2013-01-27 02:17:00	Daemon.Notice	172.24.42.254	snort[41717]: S5: Session exceeded configured max bytes to queue 1048576 using 1049922 bytes (client queue). 135.19.140.229 52457 --> 172.24.48.32 18447 (0) : LWstate 0xf LWFlags 0x406007
            2013-01-27 02:17:03	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:17:07	Daemon.Notice	172.24.42.254	snort[41717]: S5: Session exceeded configured max bytes to queue 1048576 using 1049226 bytes (server queue). 121.157.96.186 52598 --> 172.24.48.32 18447 (0) : LWstate 0xf LWFlags 0x406007
            2013-01-27 02:17:13	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:17:15	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
            2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
            2013-01-27 02:17:25	Daemon.Error	172.24.42.254	snort[41717]: *** Caught Term-Signal
            2013-01-27 02:17:25	Daemon.Error	172.24.42.254	snort[10973]: *** Caught Term-Signal
            2013-01-27 02:17:25	Kernel.Info	172.24.42.254	kernel: bridge0: promiscuous mode disabled
            2013-01-27 02:17:25	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:17:25	Kernel.Info	172.24.42.254	kernel: pppoe1: promiscuous mode disabled
            2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: ===============================================================================
            2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: Run time for packet processing was 91065.975548 seconds
            2013-01-27 02:17:26	Daemon.Notice	172.24.42.254	snort[41717]: Snort processed 13503818 packets.
            
            2013-01-27 02:17:27	Daemon.Notice	172.24.42.254	snort[10973]: | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=51
            2013-01-27 02:17:35	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Beginning package installation for snort.
            2013-01-27 02:17:36	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
            2013-01-27 02:17:40	Local0.Info	172.24.42.254	pf: 00:00:48.508720 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 105, id 19829, offset 0, flags [none], proto UDP (17), length 95)
            2013-01-27 02:17:40	Local0.Info	172.24.42.254	pf:     71.45.120.110.6112 > 50.21.133.210.3912: UDP, length 67
            2013-01-27 02:17:41	Local0.Info	172.24.42.254	pf: 00:00:01.004974 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 26462, offset 0, flags [DF], proto TCP (6), length 360)
            2013-01-27 02:17:41	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855935432 ecr 155013193], length 308
            2013-01-27 02:17:51	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:17:52	Local0.Info	172.24.42.254	pf: 00:00:11.146024 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 357, offset 0, flags [DF], proto TCP (6), length 83)
            2013-01-27 02:17:52	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x6d33 (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236072708 ecr 155036732], length 31
            2013-01-27 02:18:00	Cron.Info	172.24.42.254	/usr/sbin/cron[20360]: (*system*) RELOAD (/etc/crontab)
            2013-01-27 02:18:01	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
            2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
            2013-01-27 02:18:06	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
            2013-01-27 02:18:07	User.Warning	172.24.42.254	php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
            2013-01-27 02:18:07	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
            2013-01-27 02:18:07	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:18:08	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
            2013-01-27 02:18:15	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:18:25	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:18:45	Local0.Info	172.24.42.254	pf: 00:00:53.416103 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 10930, offset 0, flags [DF], proto TCP (6), length 360)
            2013-01-27 02:18:45	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855936072 ecr 155013193], length 308
            2013-01-27 02:18:47	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:18:49	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_smtp_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ssl_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dce2_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dns_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_pop_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_imap_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_smtp_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dce2_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Could not find the libsf_dns_preproc file. Snort might error out!
            2013-01-27 02:18:49	User.Warning	172.24.42.254	php: /snort/snort_interfaces_global.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
            2013-01-27 02:18:57	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:18:57	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:18:58	Local0.Info	172.24.42.254	pf: 00:00:12.500097 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 7989, offset 0, flags [DF], proto TCP (6), length 83)
            2013-01-27 02:18:58	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x72fa (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236136764 ecr 155036732], length 31
            2013-01-27 02:19:00	Cron.Info	172.24.42.254	/usr/sbin/cron[20360]: (*system*) RELOAD (/etc/crontab)
            2013-01-27 02:19:06	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Snort MD5 Attempts: 1
            2013-01-27 02:19:06	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: There is a new set of Snort.org rules posted. Downloading...
            2013-01-27 02:19:07	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:19:23	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:19:31	User.Error	172.24.42.254	apinger: alarm canceled: WAN(10.249.0.4)  *** delay ***
            2013-01-27 02:19:33	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:19:41	User.Notice	172.24.42.254	check_reload_status: Reloading filter
            2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:46.492618 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34037, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 3864903423, win 131, length 58
            2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:00.000044 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34038, offset 0, flags [DF], proto TCP (6), length 67)
            2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [FP.], cksum 0x0993 (correct), seq 58:85, ack 1, win 131, length 27
            2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf: 00:00:00.510370 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34039, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:19:44	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
            2013-01-27 02:19:45	Local0.Info	172.24.42.254	pf: 00:00:01.019304 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34040, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:19:45	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
            2013-01-27 02:19:48	Local0.Info	172.24.42.254	pf: 00:00:02.051460 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34041, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:19:48	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
            2013-01-27 02:19:49	Local0.Info	172.24.42.254	pf: 00:00:01.904027 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 42928, offset 0, flags [DF], proto TCP (6), length 360)
            2013-01-27 02:19:49	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [FP.], seq 0:308, ack 1, win 8460, options [nop,nop,TS val 855936712 ecr 155013193], length 308
            2013-01-27 02:19:52	Local0.Info	172.24.42.254	pf: 00:00:02.148327 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34042, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:19:52	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
            2013-01-27 02:19:59	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Snort Rules Attempts: 1
            2013-01-27 02:19:59	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: There is a new set of Emergingthreats rules posted. Downloading...
            2013-01-27 02:20:00	Local0.Info	172.24.42.254	pf: 00:00:08.102416 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34043, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:20:00	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
            2013-01-27 02:20:00	Cron.Info	172.24.42.254	/usr/sbin/cron[24641]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
            2013-01-27 02:20:02	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Emergingthreats rules file update downloaded succsesfully
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: 00:00:03.031497 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 41, id 0, offset 0, flags [DF], proto UDP (17), length 441)
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf:     112.64.146.77.5101 > 50.21.133.210.5060: SIP, length: 413
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>OPTIONS sip:100@50.21.133.210 SIP/2.0
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>Via: SIP/2.0/UDP 112.64.146.77:5101;branch=z9hG4bK-89865205;rport
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>Content-Length: 0
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: <009>From: "sipvicious"<sip:100@1.1.1.1>; ta#\0xd5\0x04Q\0xca3\0x04\0x00\0x93\0x00\0x00\0x00\0x93\0x00\0x00\0x00\0x14\0x00\0x00\0x00=\0x02\0x01\0x00bridge0\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x02\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00\0x8aQ\0x00\0x00\0x02\0x00\0x00\0x00E\0x00\0x00S!\0xbb@\0x000\0x06\0xe49L@\0x1c8\0xac\0x180 \0xeb$H\0x0f\0xdb\0x8dMt\0x85\0xb2\0xa4S\0x80\0x19\0xac x\0xd5\0x00\0x00\0x01\0x01\0x08\0x0aI\0xae\0xed`\0x09=\0xac<\0x0b\0x19T\0x1fr\0x0c*I\0xba\0x9ec\0xff\0xc0\0xbc\0xfa\0x14\0xe75\0xf9q\0xc8\0x0a\0xa4\0x96\0xddFT\0x178\0x84\0x0e^ \0xee\0xff\0xd3\0xe6]\0xbe\0xffP\0x18\0x00\0x83bY\0x00\0x00\0x17\0x03\0x01\0x005MT\0xe1H/\0xd7\0x9aN\0xaf\0xf3\0x11\0xd4pA\0x10is\0xa8\0x09;\0x8c\0xa8\0xe8\0xcf\0x81qJw\0xeb^B\0xbc\0x17f\0x07B\0x1b\0x11\0x98v\0xb2+z\0x17F{FV\0xc2\0xc6\0xf0w\0x80\0x00\0x00\0x00\0x00\0x00\0x00\0x00
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf: 00:00:00.230625 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 48, id 8635, offset 0, flags [DF], proto TCP (6), length 83)
            2013-01-27 02:20:03	Local0.Info	172.24.42.254	pf:     76.64.28.56.60196 > 172.24.48.32.18447: Flags [FP.], cksum 0x78d5 (correct), seq 0:31, ack 1, win 44064, options [nop,nop,TS val 1236200800 ecr 155036732], length 31
            2013-01-27 02:20:16	Local0.Info	172.24.42.254	pf: 00:00:13.026235 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34044, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:20:16	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
            2013-01-27 02:20:25	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Updating rules configuration for: WAN ...
            2013-01-27 02:20:29	User.Warning	172.24.42.254	php: /snort/snort_download_rules.php: Updating rules configuration for: LAN ...
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Found pid path directive (/var/run)
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Running in IDS mode
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:         --== Initializing Snort ==--
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Output Plugins!
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Preprocessors!
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Initializing Plug-ins!
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Parsing Rules file "/usr/local/etc/snort/snort_18203_pppoe1/snort.conf"
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: PortVar 'DNS_PORTS' defined :
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:  [ 53 ]
            
            ...
            
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: PortVar 'MODBUS_PORTS' defined :
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:  [ 502 ]
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Detection:
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:    Search-Method = AC-BNFA-Q
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:     Search-Method-Optimizations = enabled
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:     Maximum pattern length = 20
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Found pid path directive (/var/run)
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Tagged Packet Limit: 256
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
            2013-01-27 02:20:32	Daemon.Notice	172.24.42.254	snort[29577]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
            2013-01-27 02:20:32	Daemon.Error	172.24.42.254	snort[29577]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
            2013-01-27 02:20:32	Daemon.Info	172.24.42.254	SnortStartup[29590]: Snort START For Wan Snort(18203_pppoe1)...
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Found pid path directive (/var/run)
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Running in IDS mode
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:         --== Initializing Snort ==--
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Output Plugins!
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Preprocessors!
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Initializing Plug-ins!
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]: PortVar 'DNS_PORTS' defined :
            2013-01-27 02:20:34	Daemon.Notice	172.24.42.254	snort[30298]:  [ 53 ]
            
            ...
            
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Detection:
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:    Search-Method = AC-BNFA-Q
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:     Search-Method-Optimizations = enabled
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:     Maximum pattern length = 20
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Found pid path directive (/var/run)
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Tagged Packet Limit: 256
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
            2013-01-27 02:20:35	Daemon.Notice	172.24.42.254	snort[30298]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
            2013-01-27 02:20:35	Daemon.Error	172.24.42.254	snort[30298]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
            2013-01-27 02:20:35	Daemon.Info	172.24.42.254	SnortStartup[30417]: Snort START For Lan(53096_bridge0)...
            2013-01-27 02:20:49	Local0.Info	172.24.42.254	pf: 00:00:32.574901 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 46, id 34045, offset 0, flags [DF], proto TCP (6), length 98)
            2013-01-27 02:20:49	Local0.Info	172.24.42.254	pf:     98.139.218.251.993 > 50.21.133.210.10078: Flags [P.], cksum 0x6259 (correct), ack 1, win 131, length 58
            2013-01-27 02:20:55	Local0.Info	172.24.42.254	pf: 00:00:05.274322 rule 2/0(match): block out on bridge0: (tos 0x0, ttl 40, id 61566, offset 0, flags [DF], proto TCP (6), length 40)
            2013-01-27 02:20:55	Local0.Info	172.24.42.254	pf:     124.122.251.67.50603 > 172.24.48.32.18447: Flags [R.], cksum 0x605b (correct), seq 309, ack 1, win 8460, length 0
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Found pid path directive (/var/run)
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Running in IDS mode
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:         --== Initializing Snort ==--
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Output Plugins!
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Preprocessors!
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Initializing Plug-ins!
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Parsing Rules file "/usr/local/etc/snort/snort_18203_pppoe1/snort.conf"
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: PortVar 'DNS_PORTS' defined :
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:  [ 53 ]
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
            
            ...
            
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]: Detection:
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:    Search-Method = AC-BNFA-Q
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:     Search-Method-Optimizations = enabled
            2013-01-27 02:20:57	Daemon.Notice	172.24.42.254	snort[34948]:     Maximum pattern length = 20
            2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Found pid path directive (/var/run)
            2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Tagged Packet Limit: 256
            2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine...
            2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
            2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]:   Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
            2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules...
            2013-01-27 02:20:58	Daemon.Notice	172.24.42.254	snort[34948]:   Loading dynamic detection library /usr/local/lib/snort/dynamicrules/bad-traffic.so...
            2013-01-27 02:20:58	Daemon.Error	172.24.42.254	snort[34948]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
            2013-01-27 02:20:58	Daemon.Info	172.24.42.254	SnortStartup[35000]: Snort START For Wan Snort(18203_pppoe1)...
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Found pid path directive (/var/run)
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Running in IDS mode
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:         --== Initializing Snort ==--
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Output Plugins!
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Preprocessors!
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Initializing Plug-ins!
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]: PortVar 'DNS_PORTS' defined :
            2013-01-27 02:21:00	Daemon.Notice	172.24.42.254	snort[36232]:  [ 53 ]
            

            No luck

            Remove, install, update rules and it started ok

            Is there a 'requirement' to have a re-install button?  ???
            I could live without it  ;D

            2.4.5-RELEASE-p1 (amd64)
            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

            1 Reply Last reply Reply Quote 0
            • S Offline
              Supermule Banned
              last edited by

              Why doesn't the package reinstall work, but the package delete-reinstall does?

              1 Reply Last reply Reply Quote 0
              • E Offline
                eri--
                last edited by

                It should work after updating to 2.5.4; previously it was removing some files that were not being restored after an update.
                There is some resolution missing for enabled/disabled preprocessors.

                After you get it running it will run ok.
                I will have to find some time to get back to solve these last bits and make it less error prone to this install/reinstall and using rules when the preprocessor is not active, but for now you just have to find the preprocessors needed and activate them.

                1 Reply Last reply Reply Quote 0
                • K Offline
                  kilthro
                  last edited by

                  So far I haven't had any issues with the updated version. I am guessing the auto update worked fine as snort was still running this morning. I don't see any snort reload items in the system log (to be expected with the verbose items being turned off). Not sure if there is a way to find a good compromise of leaving all the other stuff off but still showing when the update runs and if it's successful.

                  Thanks again for the quick fixes on the problems yesterday.

                  1 Reply Last reply Reply Quote 0
                  • K Offline
                    kilthro
                    last edited by

                    @tester_02:

                    Updated snort today, now it does not start.  Error is…

                    snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

                    I disabled the bad traffic rules (so and non so) and it still fails to start.   reinstalled package again, and no go..   Was working for quite a while.  Had not updated for a month, but thought from the thread here that it was stable.

                    I got this too. I had to delete snort, do a find all for snort and remove everything until nothing was returned. Then I reinstalled snort and configured. So far so good!

                    1 Reply Last reply Reply Quote 0
                    • E Offline
                      eri--
                      last edited by

                      Normally you should have the logs from the update process itself.
                      Something like "Starting with your new set of rules…."

                      1 Reply Last reply Reply Quote 0
                      • K Offline
                        kilthro
                        last edited by

                        I don't see this in the system log. When I go to the updates tab in snort, the view updates log button doesn't do anything when clicked. I did a manual update and did see this in the sys log:
                        Jan 27 11:49:12 php: /snort/snort_download_rules.php: The Rules update has finished…
                        Jan 27 11:49:12 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
                        Jan 27 11:49:12 php: /snort/snort_download_rules.php: Snort rules are up to date...
                        So I am guessing if the auto update ran I should see something similar? I do not see anything like this around midnight when the update generally runs.

                        1 Reply Last reply Reply Quote 0
                        • A Offline
                          asterix
                          last edited by

                          Having issues with the latest snort package as well. Initial update killed the package. Uninstalled, did a reboot and reinstalled to make it work. But now the problem is that with every reboot snort fails again. As long as it's up after reinstall it works. Upon a reboot snort fails and the only way to make it work is to uninstall, reboot and reinstall… till the next reboot.

                          1 Reply Last reply Reply Quote 0
                          • S Offline
                            Supermule Banned
                            last edited by

                            Don't get that error on reboot, but still a shit load of Snort related load messages in the system logs….

                            1 Reply Last reply Reply Quote 0
                            • E Offline
                              eri--
                              last edited by

                              You need to reinstall, supermule, or you have issues.
                              It will only print fatal/errors as I said now. Those things need some attention.

                              asterix,
                              I need more info rather than not just starting!

                              1 Reply Last reply Reply Quote 0
                              • S Offline
                                Supermule Banned
                                last edited by

                                It's running fine here, Ermal, and survives the reboot.

                                Won't reinstall if it makes snort crash…

                                1 Reply Last reply Reply Quote 0
                                • A Offline
                                  asterix
                                  last edited by

                                  Get this on startup. Service re-start fails.

                                  Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                                  Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                                  Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                                  Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                                  Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                                  On manual start it fails with these messages in the system logs

                                  Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                                  Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                                  Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                                  1 Reply Last reply Reply Quote 0
                                  • E Offline
                                    eri--
                                    last edited by

                                    There is no failure there.
                                    The error messages there are just too much noise.

                                    1 Reply Last reply Reply Quote 0
                                    • A Offline
                                      asterix
                                      last edited by

                                      Well, I don't see any other logs in there. It just fails to start. I am on a VM but that shouldn't be an issue. Been using a VM for many months with no such issues.

                                      1 Reply Last reply Reply Quote 0
                                      • M Offline
                                        monodactylus
                                        last edited by

                                        Assuming this is the proper way to start snort from the prompt, you would see the following error:

                                        /usr/local/etc/rc.d/snort.sh start
                                        pgrep: Pidfile `/var/run/snort_vr152213.pid' is empty
                                        /libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"

                                        @asterix:

                                        Get this on startup. Service re-start fails.

                                        Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                                        Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                                        Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                                        Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                                        Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                                        On manual start it fails with these messages in the system logs

                                        Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                                        Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                                        Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                                        1 Reply Last reply Reply Quote 0
                                        • A Offline
                                          asterix
                                          last edited by

                                          Snort needs to be started automatically when pfSense boots. Even so the GUI service start should throw some errors.

                                          The latest package definitely needs a fix.

                                          1 Reply Last reply Reply Quote 0
                                          • E Offline
                                            eri--
                                            last edited by

                                            Hrm that is a problem with the building of the package.
                                            barnyard2 requires mysql but snort does not require it.

                                            Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
                                            i386

                                            
                                            pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
                                            
                                            

                                            AMD64

                                            
                                            http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
                                            
                                            

                                            For 2.1 PBI should include that

                                            1 Reply Last reply Reply Quote 0
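
The missing-library failure reported above (`Shared object "libmysqlclient.so.18" not found, required by "snort"`) can be confirmed before the service is restarted. The following is an added example, not part of any post in the thread or of the pfSense package: it extracts unresolved dependencies from `ldd` output and from rtld error lines. The function names, the sample `ldd` text and the `/usr/local/bin/snort` path are assumptions.

```shell
#!/bin/sh
# Added example: find shared objects that the runtime linker cannot resolve.

# Constructed sample of FreeBSD-style `ldd` output (path and addresses assumed).
SAMPLE_LDD='/usr/local/bin/snort:
    libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x800a4b000)
    libmysqlclient.so.18 => not found (0)
    libc.so.7 => /lib/libc.so.7 (0x801b2c000)'

# The rtld error line as posted in the thread.
SAMPLE_RTLD='/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"'

# Read `ldd` output on stdin; print one unresolved library name per line.
missing_from_ldd() {
    awk '/=> not found/ { print $1 }'
}

# Read console or log text on stdin; print "library binary" per rtld failure.
missing_from_rtld() {
    sed -n 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\1 \2/p'
}

# Check a real binary; return 1 and report on stderr if anything is unresolved.
check_binary() {
    missing=$(ldd "$1" 2>/dev/null | missing_from_ldd)
    if [ -n "$missing" ]; then
        printf 'unresolved for %s: %s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# Example use on the firewall (binary path is an assumption):
#   check_binary /usr/local/bin/snort || echo "fix dependencies before starting"
```

Running `check_binary` after every package upgrade catches this class of startup failure even when the package's own log output has been silenced.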