Snort won't start
-
I've reinstalled again, same result
Whose problem are these missing libsf files, pfsense's or snort's? And how serious are they?
-
I just ssh'd over to the firewall box to see whether I could start snort by hand.
The executable is meant to be in /bin, but there's nothing there.
There is something in /usr/local/bin, but it appears to be a log generator…or at least it appears to be generating log entries.
There's no job named snort in the proc list.
I really need some help here.
-
MMacD:
Just so I am clear. When you say "…I reinstalled again..."; do you mean you clicked the "X" icon to totally remove the package, and then went back to the Available Packages tab and installed like a clean install? The reinstall icon (titled PKG) on the Installed Packages tab does not always work properly.
If you did not do a complete remove with the "X" and then fresh install, try that.
If you already did a complete remove, then try it again but reboot after removing but before installing again. I had to do that in one of my 2.1-BETA snapshot virtual machines I test with. Don't know exactly what's wrong at this point, but from your description and the missing file error message, it sounds like Snort is only partially installed on your system at this point.
-
Yes, I just clicked the "pkg" to reinstall, I didn't try stripping it down first.
I'll try stripping next, tho I'll be surprised if I get a different result since I'll be executing the same code (I'm running the 2.0.1 release, not any beta code)
Is there some documentation available that details what changes have been made to the stock way freebsd does things? I've already tripped over some of the custom changes, and since I didn't understand the rationale for them, I can't predict where or what kind of other changes I should expect.
-
Okay, I stripped it out, rebooted, and reinstalled.
Jan 31 07:16:32 php: : Restarting/Starting all packages.
Jan 31 07:16:33 kernel: ugen2.2: <logitech> at usbus2 (disconnected)
Jan 31 07:16:33 kernel: ukbd0: at uhub2, port 1, addr 2 (disconnected)
Jan 31 07:16:33 kernel: ums0: at uhub2, port 1, addr 2 (disconnected)
Jan 31 07:16:33 kernel: uhid0: at uhub2, port 1, addr 2 (disconnected)
Jan 31 07:16:33 kernel: ugen2.3: <logitech> at usbus2 (disconnected)
Jan 31 07:16:33 kernel: ukbd1: at uhub2, port 2, addr 3 (disconnected)
Jan 31 07:16:33 kernel: uhid1: at uhub2, port 2, addr 3 (disconnected)
Jan 31 07:17:21 apinger: Error while feeding rrdtool: Broken pipe
Jan 31 07:18:04 check_reload_status: Syncing firewall
Jan 31 07:18:05 php: /pkg_mgr_install.php: Beginning package installation for snort.
Jan 31 07:18:05 check_reload_status: Syncing firewall
Jan 31 07:18:13 apinger: ALARM: WAN(10.9.53.1) *** delay ***
Jan 31 07:18:21 apinger: /usr/local/bin/rrdtool respawning too fast, waiting 300s.
Jan 31 07:18:23 check_reload_status: Reloading filter
Jan 31 07:19:03 apinger: alarm canceled: WAN(10.9.53.1) *** delay ***
Jan 31 07:19:13 check_reload_status: Reloading filter
Jan 31 07:20:40 php: /pkg_mgr_install.php: Snort MD5 Attempts: 5
Jan 31 07:20:40 php: /pkg_mgr_install.php: Please wait… You may only check for New Rules every 15 minutes...
Jan 31 07:20:41 php: /pkg_mgr_install.php: There is a new set of Emergingthreats rules posted. Downloading...
Jan 31 07:20:41 php: /pkg_mgr_install.php: Emergingthreats rules file update downloaded succsesfully
Jan 31 07:20:41 php: /pkg_mgr_install.php: Updating rules configuration for: WAN ...
Jan 31 07:21:06 php: /pkg_mgr_install.php: Snort has restarted with your new set of rules...
Jan 31 07:21:06 php: /pkg_mgr_install.php: The Rules update has finished...
Jan 31 07:21:20 check_reload_status: Syncing firewall
Jan 31 07:21:20 check_reload_status: Reloading filter
Jan 31 07:21:21 check_reload_status: Syncing firewall
Jan 31 07:22:42 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Inet)...
It looks to me as though it thinks it's running, but unless it's hidden from top and ps, or is running under another name, it's not running. I ssh'd over and called both top and ps -auxww and there's no job whose command has the substring 'snort' or any reasonable variation.
-
From the menu in the GUI, select Snort to open the Snort tab view, and then look at the icon for the interface. If it is the red X, then Snort is running. If it's the green arrow, Snort is stopped. If green, click the icon to attempt a start. Things should grind along for about 20 seconds, and then the icon should change to the red X to indicate Snort is running.
-
That's how I discovered I had a problem: it stays green (as it just now did when I tried again). I get a "waiting for firewall" message and then after 10 seconds or so it goes away.
-
After I uninstall I can no longer re-install.
It should be fixed so that an update always functions and never requires a remove first.
Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.53.tbz.
of mysql-client-5.1.53 failed!
Installation aborted.
Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for barnyard2-1.9_2...done.
Starting package deletion for libnet11-1.1.2.1_3,1...done.
Starting package deletion for libdnet-1.11_3...done.
Starting package deletion for libpcap-1.1.1_1...done.
Starting package deletion for daq-0.6.2...done.
Starting package deletion for snort-2.9.2.3...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.
Installation halted.
-
I can start snort by hand, so it's not completely broken. But to trace the problem I need better documentation. Normally my first place in tracing no-starts would be /etc/rc.conf and /local/etc/rc.conf. But they don't exist, and there's no documentation that I can find that explains the pfsense custom setup.
So I'm stuck.
-
I'm not a BSD guru, and I did not write these functions, but if you look in the file /usr/local/pkg/snort/snort.inc you will find the various shared functions used by the Snort package. In there are several that start and stop Snort by calling the snort.sh script that another function in that include file creates. Maybe looking at those will give you some clues about where to look on your filesystem.
-
Have you looked under Status > System log? All the snort messages should be logged there.
Turns out the issue I had posted about previously was just a temporary downtime of files.pfsense.org. After about an hour I was able to install again.
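The thread's central symptom is a system log that says Snort restarted or is starting while ps shows no such process, which means the sensor is silently down. The script below is an added example, not part of any post and not pfSense or Snort package code; it cross-checks the two sources. The function names and the sample data are hypothetical, and the sample lines are constructed from the log entries quoted above.

```shell
#!/bin/sh
# Added example: does the process table back up what the system log
# says about Snort? All function names here are hypothetical.

# Read log lines on stdin; print the last state the log claims:
# started, starting or none.
last_snort_claim() {
    awk '/Snort has restarted/      { c = "started" }
         /Toggle\(snort starting\)/ { c = "starting" }
         END { print (c == "" ? "none" : c) }'
}

# Read `ps -axww -o pid,command` output on stdin; print PIDs whose
# executable is snort. Comparing the basename of the first command word
# avoids false hits on "grep snort" or snort_interfaces.php.
snort_pids() {
    awk 'NR > 1 { n = split($2, p, "/"); if (p[n] == "snort") print $1 }'
}

# snort_verdict LOGFILE PSFILE -> prints running | mismatch | stopped
# "mismatch" is the case in this thread: a start was logged, no process.
snort_verdict() {
    claim=$(last_snort_claim < "$1")
    pids=$(snort_pids < "$2")
    if [ -n "$pids" ]; then echo running
    elif [ "$claim" != none ]; then echo mismatch
    else echo stopped
    fi
}

# Constructed sample input, modelled on the log lines quoted in the thread.
sample_log() {
    cat <<'EOF'
Jan 31 07:21:06 php: /pkg_mgr_install.php: Snort has restarted with your new set of rules...
Jan 31 07:22:42 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Inet)...
EOF
}
# Constructed process listing with no snort process in it.
sample_ps() {
    cat <<'EOF'
  PID COMMAND
  312 /usr/local/sbin/check_reload_status
 4410 /usr/local/bin/php /usr/local/www/snort/snort_interfaces.php
 4522 grep snort
EOF
}
```

On the firewall, save the output of `ps -axww -o pid,command` and a text copy of the system log to files and pass both to `snort_verdict`; a `mismatch` result means the GUI and log cannot be trusted as evidence that inspection is active.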