Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    pfSense Packages
    331 Posts 38 Posters 263.8k Views
      kilthro

      So far I haven't had any issues with the updated version. I am guessing the auto update worked fine, as snort was still running this morning. I don't see any snort reload items in the system log (to be expected with the verbose items being turned off). Not sure if there is a way to find a good compromise of leaving all the other stuff off but still showing when the update runs and if it's successful.

      Thanks again for the quick fixes on the problems yesterday.

        kilthro

        @tester_02:

        Updated snort today, now it does not start.  Error is…

        snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

        I disabled the bad traffic rules (so and non so) and it still fails to start. Reinstalled package again, and no go. Was working for quite a while. Had not updated for a month, but thought from the thread here that it was stable.

        I got this too. I had to delete snort, do a find all for snort and remove everything until nothing was returned. Then I reinstalled snort and configured. So far so good!

          eri--

          Normally you should have the logs from the update process itself.
          Something like "Starting with your new set of rules…."

            kilthro

            I don't see this in the system log. When I go to the updated tab in snort, the view updates log button doesn't do anything when clicked. I did a manual update and did see this in the sys log:
            Jan 27 11:49:12 php: /snort/snort_download_rules.php: The Rules update has finished…
            Jan 27 11:49:12 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
            Jan 27 11:49:12 php: /snort/snort_download_rules.php: Snort rules are up to date...
            So I am guessing if the auto update ran I should see something similar? I do not see anything like this around midnight when the update generally runs.

              asterix

              Having issues with the latest snort package as well. Initial update killed the package. Uninstalled, did a reboot and reinstalled to make it work. But now the problem is that with every reboot snort fails again. As long as it's up after reinstall it works. Upon a reboot snort fails and the only way to make it work is to uninstall, reboot and reinstall… till the next reboot.

                Supermule Banned

                Don't get that error on reboot, but still a shit load of Snort related load messages in the system logs….

                  eri--

                  You need to reinstall, Supermule, or you have issues.
                  It will only print fatal/errors as I said now. Those things need some attention.

                  asterix,
                  I need more info rather than not just starting!

                    Supermule Banned

                    It's running fine here, Ermal, and survives the reboot.

                    Won't reinstall if it makes snort crash…

                      asterix

                      Get this on startup. Service re-start fails.

                      Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                      Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                      Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                      Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                      Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                      On manual start it fails with these messages in the system logs

                      Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                      Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                      Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                        eri--

                        There is no failure there.
                        The error messages there are just too much noise.

                          asterix

                          Well, I don't see any other logs in there. It just fails to start. I am on a VM but that shouldn't be an issue. Been using a VM for many months with no such issues.

                            monodactylus

                            Assuming this is the proper way to start snort from the prompt, you would see the following error:

                            /usr/local/etc/rc.d/snort.sh start
                            pgrep: Pidfile `/var/run/snort_vr152213.pid' is empty
                            /libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"

                            @asterix:

                            Get this on startup. Service re-start fails.

                            Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                            Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                            Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                            Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                            Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                            On manual start it fails with these messages in the system logs

                            Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                            Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                            Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                              asterix

                              Snort needs to be started automatically when pfSense boots. Even so the GUI service start should throw some errors.

                              The latest package definitely needs a fix.

                                eri--

                                Hrm that is a problem with the building of the package.
                                barnyard2 requires mysql but snort does not require it.

                                Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
                                i386

                                
                                pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
                                
                                

                                AMD64

                                
                                http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
                                
                                

                                For 2.1 PBI should include that

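The failure messages quoted in the posts above (an undefined symbol in a dynamic rule library, an empty pidfile, a missing shared object) and the "Rules update has finished" log line can be picked out of mixed log and terminal text with a small filter. This is an added example, not part of the thread or of the pfSense Snort package; the function names and the output labels are made up for illustration, and the sample input reuses lines posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads log or terminal text on stdin and
# prints one tab-separated finding per distinct failure signature.
classify_snort_failures() {
    awk '
    # Runtime linker could not find a library the binary was linked against.
    /Shared object "[^"]+" not found, required by "[^"]+"/ {
        split($0, q, "\"")
        emit("MISSING_LIB\t" q[2] "\trequired by " q[4]); next
    }
    # A dynamic rule .so references a symbol the running snort does not provide.
    /Failed to load .*Undefined symbol "[^"]+"/ {
        match($0, /Failed to load [^:]+/)
        so = substr($0, RSTART + 15, RLENGTH - 15)   # skip "Failed to load "
        split($0, q, "\"")
        emit("UNDEFINED_SYMBOL\t" q[2] "\t" so); next
    }
    # The rc script found a pidfile with no PID in it.
    /Pidfile .* is empty/ {
        match($0, /\/[^ ]*\.pid/)
        emit("EMPTY_PIDFILE\t" substr($0, RSTART, RLENGTH)); next
    }
    # Evidence that a rules update completed, with its syslog timestamp.
    /snort_download_rules\.php: The Rules update has finished/ {
        emit("UPDATE_FINISHED\t" $1 " " $2 " " $3); next
    }
    # Report each distinct finding once, in input order.
    function emit(s) { if (!(s in seen)) { seen[s] = 1; print s } }
    '
}

# Sample input: lines as posted in this thread (ellipsis written as "...").
sample_log() {
    cat <<'EOF'
Jan 27 11:49:12 php: /snort/snort_download_rules.php: The Rules update has finished...
snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
pgrep: Pidfile `/var/run/snort_vr152213.pid' is empty
/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"
Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
EOF
}

sample_log | classify_snort_failures
```

Running `/usr/local/etc/rc.d/snort.sh start 2>&1 | classify_snort_failures` applies the same filter to the start command shown earlier in the thread.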
                                  Supermule Banned

                                  I run mine in a VM too…. So it shouldn't be a problem.

                                    LiamH

                                    Hi,

                                    The uninstall/install after reboot happens on my machine as well, with the same errors…

                                    Another thing - I don't think HOME_NET is being populated correctly on my machine. On my LAN interface, instead of including my network it only includes the pfSense IP (and my external IPs, DNS, etc.). I've ended up editing snort.inc and manually adding my network address, but I guess this will hold only until the next reboot and reinstall. Older posts mentioned the possibility of using the firewall aliases, but I can only choose "default" in the "Home net" dropdown list.

                                      eri--

                                      You have to create a whitelist to override.
                                      If you run snort on the LAN interface then there is no reason to trust your hosts, no?

                                        fragged

                                        Is this a bug or an intentional feature / behavior that Snort doesn't download new rules after an uninstall / install (pfSense snapshot update)? I need to go and download the rules, which will then start Snort when finished. Shouldn't this happen during the first start?

                                        I'm fairly sure it ran just fine after a snapshot update before the latest changes. Today I updated from 24th January snapshot to:

                                        2.1-BETA1 (amd64)
                                        built on Sun Jan 27 20:37:59 EST 2013

                                          eri--

                                          I put a fix on the new package to reapply the update during reinstall if the keep settings is on.
                                          Normally your rules should be preserved during a reinstall but….

                                            RonpfS

                                            Is there a limit on the number of downloads of the snort rules per hour?

                                            2.4.5-RELEASE-p1 (amd64)
                                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.