Netgate Discussion Forum
    Snort fails to start after pfSense upgrade

IDS/IPS
17 Posts, 3 Posters, 3.9k Views

JustinTime:

      I upgraded pfSense from 2.2.5 to 2.3.1 and Snort wouldn't start afterwards.  I was using the latest version of the Snort package before the pfSense upgrade.  I uninstalled Snort before the upgrade and reinstalled after the upgrade.  Then I upgraded to pfSense 2.3.1-5 hoping that would help, but it didn't.  Snort seems to fail silently with these being the only log entries:

      php-fpm[87902]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      php-fpm[87902]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      php-fpm[87902]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
      php-fpm[87902]: /snort/snort_interfaces.php: Starting Snort on WAN(fxp0) per user request…
      php-fpm[87902]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(fxp0)…

      The GUI shows Snort is not running and there is no Snort process.

      Any help getting Snort running again would be greatly appreciated!

      -Justin

JustinTime:

        I thought this would be an easy problem for someone to resolve, but perhaps I was wrong.  Is there at least a way to increase Snort logging to debug level so I can get some more information?

        -Justin

bmeeks:

          On the GLOBAL SETTINGS tab is an option to enable verbose logging during startup.  Turn that on, save the change, and then try starting Snort.  It will write a bunch (and I mean a bunch!) of messages to the system log in pfSense.

          Bill

JustinTime:

            Yes, that setting gave about 1600 log entries during startup.  Unfortunately, the highest level error was only Warning.  No Fatal errors at all.  The last entry before it finished trying to start was this:

            snort[90622]: 198 out of 1024 flowbits in use.

            Is there anything else I can look for in that detailed log that would help debug this problem?

            -Justin

Soonie:

              Hi

Check your Snort status on the command line.

It's possible you have two Snort instances running.  Go to a shell prompt and run this command: ps -ax | grep snort

You should see only a single running instance of Snort, assuming you have it running on only one interface.  If you see more Snort instances running than you have configured Snort interfaces, kill them all and then restart Snort.  You can run /usr/local/etc/rc.d/snort.sh stop to stop Snort.  Then kill any Snort process that remains.  After that, run /usr/local/etc/rc.d/snort.sh start to restart your Snort interfaces.

              pfSense Community edition  APU1D4 AMD G-T40E Processor 2 / 4 GB DDR3-1066 DRAM 16GB m-SATA SSD / IDS Snort

JustinTime:

                Thanks for the suggestion.  There are no snort processes running:

/root: ps -ax | grep snort | grep -v grep
74243  -  Ss      13:47.58 /usr/local/bin/barnyard2 -r 17275 -f snort_17275_fxp0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_17275_fxp0/barnyard2.conf -d /var/log/s

                The response gets truncated instead of wrapping in the terminal window for some reason, but as you can see, that is the barnyard process.

                I am open to any other troubleshooting suggestions.

                -Justin

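An added example, not code from this thread or from the pfSense Snort package, that mechanises the process check Soonie suggests (count Snort daemons, compare with the number of configured Snort interfaces, then stop / kill / start) and avoids the false match Justin ran into: a bare `grep snort` also hits barnyard2, because its arguments contain `snort_17275_fxp0`, and the `snort.sh` rc script itself. It is POSIX sh, as typed into the pfSense shell. The `ps -ax` sample is constructed from the lines posted in this thread (with `--pid-path` restored and barnyard2's truncated `-d` argument left truncated); the second interface (`em1`, uuid 44120) and the duplicate daemon on it are assumed values added to show the stale-instance case. Only `restart_snort_clean` touches a live system, and it is not invoked.

```sh
#!/bin/sh
# Added example, not from the thread or the pfSense Snort package.
# Counts real Snort daemons in `ps -ax` output and compares the count with
# the number of Snort interfaces configured in the GUI, which is the check
# suggested in the thread before stopping/killing/restarting Snort.

# Constructed `ps -ax` sample, modelled on the lines posted in the thread.
# Lines 1-3 are the posted ones; the em1/44120 lines and the duplicate
# daemon on that interface are assumed, to exercise the stale case.
SAMPLE_PS='74243  -  Ss      13:47.58 /usr/local/bin/barnyard2 -r 17275 -f snort_17275_fxp0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_17275_fxp0/barnyard2.conf -d /var/log/s
29454  -  IW      0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
30668  -  DL      0:43.98 /usr/local/bin/snort -R 17275 -D -l /var/log/snort/snort_fxp017275 --pid-path /var/run --nolock-pidfile -G 17275 -c /usr/local/etc/snort/snort_17275_fxp0/snort.conf
30901  -  Ss      0:01.10 /usr/local/bin/snort -R 44120 -D -l /var/log/snort/snort_em144120 --pid-path /var/run --nolock-pidfile -G 44120 -c /usr/local/etc/snort/snort_44120_em1/snort.conf
31022  -  Ss      0:00.30 /usr/local/bin/snort -R 44120 -D -l /var/log/snort/snort_em144120 --pid-path /var/run --nolock-pidfile -G 44120 -c /usr/local/etc/snort/snort_44120_em1/snort.conf'

# Print "pid uuid" for each real Snort daemon. Matching the binary path in
# the COMMAND column ($5 of `ps -ax`: PID TT STAT TIME COMMAND) excludes
# barnyard2 and the snort.sh rc script, which a bare `grep snort` also hits.
# $1 is ps output; when empty, a live `ps -ax` is used.
snort_daemons() {
    ps_out=${1:-$(ps -ax)}
    printf '%s\n' "$ps_out" | awk '
        $5 == "/usr/local/bin/snort" {
            uuid = "?"
            for (i = 6; i <= NF; i++) if ($i == "-G") uuid = $(i + 1)
            print $1, uuid
        }'
}

# Number of real Snort daemons.
count_snort_daemons() {
    snort_daemons "$1" | wc -l | tr -d ' '
}

# Interface uuids (the -G value) that have more than one daemon attached.
duplicate_snort_uuids() {
    snort_daemons "$1" | awk '{ print $2 }' | sort | uniq -d
}

# $1: ps output, $2: number of Snort interfaces configured in the GUI.
# Returns 1 when there are more daemons than interfaces (stale instances).
check_snort_instances() {
    n=$(count_snort_daemons "$1")
    if [ "$n" -gt "$2" ]; then
        echo "stale: $n snort daemons for $2 configured interfaces"
        return 1
    fi
    echo "ok: $n snort daemons for $2 configured interfaces"
    return 0
}

# Live remediation from the thread: stop via the rc script, kill any Snort
# daemon that survived, then start again. Needs root on pfSense; not run here.
restart_snort_clean() {
    /usr/local/etc/rc.d/snort.sh stop
    sleep 2
    for pid in $(snort_daemons | awk '{ print $1 }'); do
        kill "$pid"
    done
    /usr/local/etc/rc.d/snort.sh start
}

# Demo on the constructed sample: one interface configured (WAN) versus
# three daemons present, so the check reports stale and names uuid 44120.
check_snort_instances "$SAMPLE_PS" 1 || true
duplicate_snort_uuids "$SAMPLE_PS"
```

On a live box, `check_snort_instances "$(ps -ax)" N` with N set to the number of interfaces on the Snort Interfaces tab gives the yes/no answer; `duplicate_snort_uuids` then tells you which interface has the extra daemon before you run `restart_snort_clean`.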
Soonie:

Can you try starting Snort from the command line? Run /usr/local/etc/rc.d/snort.sh start

Or stop barnyard, delete the package and reinstall it again.  :o

Maybe it works; I am trying to think along with you.  8)

                  Rob

JustinTime:

                    Same results trying to start from the command line.  I followed your suggestion to stop barnyard, delete the package and reinstall again.  It was interesting that after the installation completed, there was a brief moment when a snort process was actually running, but then it stopped again:

[2.3.1-RELEASE]/root: ps -ax | grep snort | grep -v grep
29454  -  IW      0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
30668  -  DL      0:43.98 /usr/local/bin/snort -R 17275 -D -l /var/log/snort/snort_fxp017275 --pid-path /var/run --nolock-pidfile -G 17275 -c /usr/local/etc/snort/snort_17275_fxp0/snort.conf
[2.3.1-RELEASE]/root: ps -ax | grep snort | grep -v grep
87433  -  Ss      0:00.05 /usr/local/bin/barnyard2 -r 17275 -f snort_17275_fxp0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_17275_fxp0/barnyard2.conf -d /var/log/s
[2.3.1-RELEASE]/root:

                    Do you have any further suggestions?

                    -Justin

Soonie:

Did your pfSense updates go well? I installed it two times via the console.

Check whether your system is on the latest version.

System / Update / System Update: check that it shows 2.3.1_5 and the status is up to date.

JustinTime:

                        Yes, the two recent updates went perfectly.  The  status shows up to date, 2.3.1_5.

                        -Justin

Soonie:

                          What is the Snort version ?

Check [Status / Services]: do you see [Snort IDS/IPS Daemon] as running, not running, or not at all?

You have reinstalled Snort; did you set your rules on? (For example, see the attachment.)

                          What rulesets are you using ? VRT rules / GPLv2 Community Rules / Emerging Threats Open Rules

[Attachment: SnortInterfacesEdit.png]

JustinTime:

                            The Installed Packages page shows Snort version 3.2.9.1_13.

                            The status/services page shows snort stopped.

                            I have Snort set up to save the configuration upon uninstall, so all my previous rules are set on.  I use the VRT and ET rulesets.

                            That's interesting, I just noticed no VRT rules have been downloaded.  I forced an update and the VRT rules failed to download.  The log has these entries:

                            Jul  2 18:48:51 Jul  2 18:48:51 php-cgi: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed…
                            Jul  2 18:48:51 Jul  2 18:48:51 php-cgi: snort_check_for_rule_updates.php: [Snort] Server returned error code 422…

                            Will Snort start if VRT rules have been enabled but the VRT file hasn't been downloaded?

                            -Justin

Soonie:

Snort version 3.2.9.1_13 is OK. Look under Package Dependencies for the right Snort version: [2.9.8.0-1], I guess?

There is a problem with the VRT rules; see my post at the link below:
https://forum.pfsense.org/index.php?topic=114519.msg636493#msg636493

What you can try: go to Services / Snort / Global Settings, [Enable Snort GPLv2], [Save]; then go to Updates, [Update Rules].

Go to Snort Interfaces, click on [Edit], check the WAN categories and enable all the GPLv2 rules.

Go to WAN Rules and check the rules: [Category Selection] GPLv2_community.rules (check whether the rules are enabled).

Restart your device and check whether Snort will start.

For the VRT rules we have to be patient and wait for a pfSense fix.

JustinTime:

                                The Package Dependencies state Snort 2.9.8.0_1.

                                I enabled the GPLv2 rules per your instructions and rebooted the firewall.  Snort still does not start.

                                I really appreciate all your suggestions, Soonie.  Do you have anything else I should try?

                                -Justin

JustinTime:

                                  Interestingly, Suricata starts just fine  :o

                                  I've been using Snort on pfSense for years.  Is Suricata the only solution I have now if I want an IDS/IPS on pfSense?  Feeling a tug from the dark side…

                                  -Justin
                                  Temporarily changing "snort" to "suricata" in my Splunk search  :-\

bmeeks:

                                    @JustinTime:

                                    Interestingly, Suricata starts just fine  :o

                                    I've been using Snort on pfSense for years.  Is Suricata the only solution I have now if I want an IDS/IPS on pfSense?  Feeling a tug from the dark side…

                                    -Justin
                                    Temporarily changing "snort" to "suricata" in my Splunk search  :-\

                                    Snort will be back up soon.  I was very late getting the 2.9.8.3 update posted for review and merge, and the developer who normally reviews and merges Snort is out on vacation right now.  So give me the blame for being late submitting the update.  I let the EOL of the 2.9.8.0 Snort VRT rules sneak up on me.

                                    Bill

JustinTime:

                                      My problems began about June 17th after my pfSense upgrade, which I believe is before any Snort EOL took place, correct?

                                      Thank you for keeping Snort up to date and providing support, Bill.  I'm not about to blame you for anything.  I just wish I could find a smoking gun in the logs to point me to a solution.  I'll try the next version of Snort when it comes out but I don't think it's a rules issue at this point.  I would be happy to be proven wrong, though.

                                      -Justin

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.