Snort not starting on WAN Interface
-
I am running pfSense+ on a Netgate SG-3100 appliance, Version 21.05.1-release (arm). I installed Snort from the pfSense package list; Version 4.1.4_1 was the only option available. After install and configuration, I am unable to start the Snort Status successfully. It starts then immediately stops. It is on the WAN (mvneta2) interface.
-
There is a known issue with Snort and armv7 processors, like those used in the SG-3100. The issue has been identified and fixed in the latest development snapshots for pfSense+ (which is the pfSense branch you must run on Netgate appliances like the SG-3100). That fix is not in the RELEASE code yet, but should be in the next pfSense+ update.
The fix requires changes in the way Snort is compiled for pfSense+ on ARM hardware, so it requires an updated core OS to work. That means it's not as easy as simply reinstalling Snort.
So unless you want to switch to the pfSense+ 21.09 snapshots (which, remember, are not in RELEASE yet), you will need to remove Snort for now, or go to the INTERFACES tab, edit each Snort interface, and uncheck the Enable checkbox. That will prevent Snort from attempting to start.
Once you update to the 21.09 pfSense+ branch, you can go back and enable Snort again.
-
@bmeeks Thank you for the quick feedback. I will await the stable release to proceed.
-
Good news on this front. The Netgate team was able to migrate the Snort fix for SG-3100 appliances over to pfSense+ 21.05.1: https://redmine.pfsense.org/issues/12157#change-55832. So we didn't have to wait for 21.09 to be released.
So look for an updated Snort package on the SG-3100 soon (if you are running the current 21.05.1 release of pfSense+).
-
@bmeeks This is excellent news!!!