Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

    331 Posts 38 Posters 263.5k Views
      eri--

      Normally you should have the logs from the update process itself.
      Something like "Starting with your new set of rules…."

        kilthro

        I don't see this in the system log. When I go to the updated tab in Snort, the view updates log button doesn't do anything when clicked. I did a manual update and did see this in the sys log:
        Jan 27 11:49:12 php: /snort/snort_download_rules.php: The Rules update has finished…
        Jan 27 11:49:12 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
        Jan 27 11:49:12 php: /snort/snort_download_rules.php: Snort rules are up to date...
        So I am guessing if the auto update ran I should see something similar? I do not see anything like this around midnight when the update generally runs.

          asterix

          Having issues with the latest Snort package as well. Initial update killed the package. Uninstalled, did a reboot and reinstalled to make it work. But now the problem is that with every reboot Snort fails again. As long as it's up after reinstall it works. Upon a reboot Snort fails and the only way to make it work is to uninstall, reboot and reinstall… till the next reboot.

            Supermule Banned

            Don't get that error on reboot, but still a shit load of Snort related load messages in the system logs….

              eri--

              You need to reinstall supermule or you have issues.
              It will only print fatal/errors as I said now. Those things need some attention.

              asterix
              I need more info rather than not just starting!

                Supermule Banned

                It's running fine here, Ermal, and survives the reboot.

                Won't reinstall if it makes Snort crash…

                  asterix

                  Get this on startup. Service re-start fails.

                  Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                  Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                  Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                  Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                  Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                  On manual start it fails with these messages in the system logs

                  Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                  Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                  Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                    eri--

                    There is no failure there.
                    The error messages there are just too much noise.

                      asterix

                      Well, I don't see any other logs in there. It just fails to start. I am on a VM but that shouldn't be an issue. Been using a VM for many months with no such issues.

                        monodactylus

                        Assuming this is the proper way to start snort from the prompt, you would see the following error:

                        /usr/local/etc/rc.d/snort.sh start
                        pgrep: Pidfile `/var/run/snort_vr152213.pid' is empty
                        /libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"

                        @asterix:

                        Get this on startup. Service re-start fails.

                        Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                        Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                        Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                        Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                        Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                        On manual start it fails with these messages in the system logs

                        Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                        Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                        Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                          asterix

                          Snort needs to be started automatically when pfSense boots. Even so the GUI service start should throw some errors.

                          The latest package definitely needs a fix.

                            eri--

                            Hrm that is a problem with the building of the package.
                            barnyard2 requires mysql but snort does not require it.

                            Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz

                            i386

                            ```
                            pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
                            ```

                            AMD64

                            ```
                            http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
                            ```

                            For 2.1 PBI should include that

                            1 Reply Last reply Reply Quote 0
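
An added example, not part of the original thread or of the pfSense Snort package: two shell filters that confirm the missing-library diagnosis above, one over `ldd` output and one over the start-up output that monodactylus posted. The function names, the sample `ldd` listing and the `/usr/local/bin/snort` path in it are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample data are constructed.

# missing_libs: filter `ldd <binary>` output (stdin) down to the shared
# objects the runtime linker cannot resolve, one name per line.
missing_libs() {
    awk '/not found/ { print $1 }' | sort -u
}

# loader_errors: filter captured start-up output (stdin) for ld-elf.so.1
# failures and print "<library> <binary>" for each one.
loader_errors() {
    sed -n 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\1 \2/p'
}

# check_binary: run ldd on a real binary; returns 1 if anything is unresolved.
check_binary() {
    missing=$(ldd "$1" | missing_libs)
    [ -z "$missing" ] && return 0
    printf '%s needs: %s\n' "$1" "$missing"
    return 1
}

# Constructed ldd listing in FreeBSD's output format.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/snort:
	libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a3c000)
	libmysqlclient.so.18 => not found (0)
	libc.so.7 => /lib/libc.so.7 (0x801a1e000)
EOF
}

# The rc.d start-up output quoted earlier in the thread.
sample_start_output() {
    cat <<'EOF'
pgrep: Pidfile `/var/run/snort_vr152213.pid' is empty
/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"
EOF
}
```

Running `check_binary` against the installed snort binary after a package update shows whether the loader can resolve every dependency before the service is restarted, which the GUI start in this thread did not report.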
                              Supermule Banned

                              I run mine in a VM too…. So it shouldn't be a problem.

                                LiamH

                                Hi,

                                The uninstall/install after reboot happens on my machine as well, with the same errors…

                                Another thing - I don't think HOME_NET is being populated correctly on my machine. On my LAN interface, instead of including my network it only includes the pfSense IP (and my external IPs, DNS, etc.). I've ended up editing snort.inc and manually adding my network address, but I guess this will hold only until the next reboot and reinstall. Older posts mentioned the possibility of using the firewall aliases, but I can only choose "default" in the "Home net" dropdown list.

                                  eri--

                                  You have to create a whitelist to override.
                                  If you run snort on the LAN interface then there is no reason to trust your hosts, no?

                                    fragged

                                    Is this a bug or an intentional feature / behavior that Snort doesn't download new rules after an uninstall / install (pfSense snapshot update)? I need to go and download the rules, which will then start Snort when finished. Shouldn't this happen during the first start?

                                    I'm fairly sure it ran just fine after a snapshot update before the latest changes. Today I updated from 24th January snapshot to:

                                    2.1-BETA1 (amd64)
                                    built on Sun Jan 27 20:37:59 EST 2013

                                      eri--

                                      I put a fix in the new package to reapply the update during reinstall if the keep settings option is on.
                                      Normally your rules should be preserved during a reinstall but….

                                        RonpfS

                                        Is there a limit on the number of downloads of the Snort rules per hour?

                                        2.4.5-RELEASE-p1 (amd64)
                                        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                          Supermule Banned

                                          Yes :)

                                            spi

                                            Hej ermal

                                            Thanks for all your valuable knowledge and help here on snort.

                                            Since libmysqlclient.so.18 file is missing after a reboot and not libmysqlclient.so.16

                                            may I ask why it would not be more appropriate to apply

                                            ```
                                            pkg_add -v http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.5.29.tbz
                                            ```

                                            this will give version 18 and not 16 as version 5.1.53 would do… or does it not matter?
                                            
                                            @ermal:
                                            
                                            > Hrm that is a problem with the building of the package.
                                            > barnyard2 requires mysql but snort does not require it.
                                            > 
                                            > Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
                                            > i386
                                            > ```
                                            > 
                                            > pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz
                                            > 
                                            > ```
                                            > 
                                            > AMD64
                                            > ```
                                            > 
                                            > http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz
                                            > 
                                            > ```
                                            > 
                                            > For 2.1 PBI should include that