Netgate Discussion Forum

    Snort 4.0_7 Not starting

    • ? Offline
      A Former User
      last edited by

      I did an update to the latest version of Snort 4.0_7, and it is not starting on reboot of pfSense
      2.5.0-DEVELOPMENT latest snapshot!

      • kiokomanK Offline
        kiokoman LAYER 8
        last edited by

        Any log about it?

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • ? Offline
          A Former User
          last edited by

          Nothing in the log about snort at all

          • bmeeksB Offline
            bmeeks @Guest
            last edited by bmeeks

            @cdx304 said in Snort 4.0_7 Not starting:

            Nothing in the log about snort at all

            There is nothing at all in the pfSense system log? There should be an entry there indicating the cause of the failure to start. In the rare instance where this has happened in the past, you might find a library dependency is wrong. You can check that by doing this:

            1. Open a CLI (command line interface) session with the firewall either directly via the console or over the network via SSH.
            2. Attempt to start Snort and have it print version information with this command -
            /usr/local/bin/snort -V
            

            Post back if any errors print. Otherwise, if Snort prints the version information to the screen and exits, then the basic install is good. Post back either way and we can continue troubleshooting from there.

            See this later updated post for an update on the reported issue.

            You should also find an entry similar to this one in the pfSense system log --

            Oct 3 10:13:35	snort	4335	FATAL ERROR: /usr/local/etc/snort/snort_48750_/snort.conf(0) Unable to open rules file "/usr/local/etc/snort/snort_48750_/snort.conf": No such file or directory.
            

            The exact values will of course be unique to your firewall, but you should find a "FATAL ERROR:" line that looks much like the one above.

            • bmeeksB Offline
              bmeeks
              last edited by bmeeks

              Follow-up to my earlier post --

              I did some checking and found that the new code is creating an incorrect /usr/local/etc/rc.d/snort.sh shell script. That script is used to start Snort initially after package installation and after a firewall reboot. The shell script is created with an incorrect path entry.

              I will get a fix out shortly. In the meantime, you should be able to start Snort manually on each interface using the icons on the INTERFACES tab. At least that works for me in a test virtual machine. However, if you reboot the firewall, then the Snort instances will need to be manually restarted until I get the fix posted.

              If you want to "quick fix it" for yourself while waiting on the update, make the following change in the file /usr/local/pkg/snort/snort.inc at line 3252 --

              	if (($value['enable'] <> 'on') || ($if_real = ""))
              

              Change that line to read instead as --

              	if (($value['enable'] <> 'on') || ($if_real == ""))
              

              Notice the single equals sign ("=") should be a double-equals sign instead ("==").

              Make that change, save the file, then go to the INTERFACE SETTINGS tab for a Snort interface and click Save to regenerate the snort.sh shell script.

              I will get this fix posted soon.

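The effect of the one-character bug described in the post above, as an added example that is not part of the thread and not code from snort.inc. The function name, the sample interface list and the path layout (`snort_<uuid>_<interface>`) are assumptions modelled on the FATAL ERROR line quoted earlier; only the two `if` conditions are taken from the post.

```php
<?php
// Added illustration; NOT the package's code. build_conf_paths(), the sample
// data and the path layout are hypothetical. Only the two conditions below
// are copied from the forum post.

function build_conf_paths(array $interfaces, bool $buggy): array
{
    $paths = [];
    foreach ($interfaces as $value) {
        $if_real = $value['if_real'];   // real interface name; "" if lookup failed

        if ($buggy) {
            // Line as posted for 4.0_7: "=" ASSIGNS "" to $if_real. The
            // assignment expression evaluates to "" (falsy), so an enabled
            // interface is never skipped and $if_real is now empty.
            if (($value['enable'] <> 'on') || ($if_real = "")) {
                continue;
            }
        } else {
            // Corrected line: "==" compares and leaves $if_real untouched.
            if (($value['enable'] <> 'on') || ($if_real == "")) {
                continue;
            }
        }

        // Assumed layout: snort_<uuid>_<real interface name>/snort.conf
        $paths[] = "/usr/local/etc/snort/snort_{$value['uuid']}_{$if_real}/snort.conf";
    }
    return $paths;
}

// Constructed sample configuration (interface names are made up).
$interfaces = [
    ['enable' => 'on',  'uuid' => '48750', 'if_real' => 'em0'],
    ['enable' => 'off', 'uuid' => '51234', 'if_real' => 'em1'],
    ['enable' => 'on',  'uuid' => '60001', 'if_real' => ''],
];

echo "buggy:\n";
print_r(build_conf_paths($interfaces, true));
echo "fixed:\n";
print_r(build_conf_paths($interfaces, false));
```

With the buggy condition, every enabled interface produces a path whose directory ends in a bare underscore, the same shape as `snort_48750_` in the log line above, and the interface with no real name is no longer skipped. PHP's syntax check accepts both forms, so this class of bug has to be caught by review or a linter rule that flags assignment inside a condition.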
              • bmeeksB Offline
                bmeeks
                last edited by

                The fix for the issue identified in this thread is now available in the Snort-4.0_8 package version. The update is available for install for users of pfSense-2.5 snapshots only.
