Snort fails to start after pfSense upgrade
-
I thought this would be an easy problem for someone to resolve, but perhaps I was wrong. Is there at least a way to increase Snort logging to debug level so I can get some more information?
-Justin
-
On the GLOBAL SETTINGS tab is an option to enable verbose logging during startup. Turn that on, save the change, and then try starting Snort. It will write a bunch (and I mean a bunch!) of messages to the system log in pfSense.
Bill
-
Yes, that setting gave about 1600 log entries during startup. Unfortunately, the highest level error was only Warning. No Fatal errors at all. The last entry before it finished trying to start was this:
snort[90622]: 198 out of 1024 flowbits in use.
Is there anything else I can look for in that detailed log that would help debug this problem?
-Justin
-
Hi
Check youre snort status , in de command line .
It's possible you have two Snort instances running. Go to a shell prompt and run this command: ps -ax |grep snort
You should see only a single running instance of Snort assuming you have it running on only one interface. If you see more Snort instances running than you have configured Snort interfaces, kill them all and then restart snort. You can run /usr/local/etc/rc.d/snort.sh stop to stop Snort. Then kill any Snort process that remains. After that, run /usr/local/etc/rc.d/snort.sh start to restart your Snort interfaces.
-
Thanks for the suggestion. There are no snort processes running:
/root: ps -ax | grep snort | grep -v grep
74243 - Ss 13:47.58 /usr/local/bin/barnyard2 -r 17275 -f snort_17275_fxp0.u2 –pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_17275_fxp0/barnyard2.conf -d /var/log/sThe response gets truncated instead of wrapping in the terminal window for some reason, but as you can see, that is the barnyard process.
I am open to any other troubleshooting suggestions.
-Justin
-
Can you try start snort in the command line ? run /usr/local/etc/rc.d/snort.sh start
or stop the barnyard delete the package en reinstall again :o
maybe it work i try to think with you 8)
Rob
-
Same results trying to start from the command line. I followed your suggestion to stop barnyard, delete the package and reinstall again. It was interesting that after the installation completed, there was a brief moment when a snort process was actually running, but then it stopped again:
[2.3.1-RELEASE]/root: ps -ax | grep snort | grep -v grep
29454 - IW 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
30668 - DL 0:43.98 /usr/local/bin/snort -R 17275 -D -l /var/log/snort/snort_fxp017275 –pid-path /var/run --nolock-pidfile -G 17275 -c /usr/local/etc/snort/snort_17275_fxp0/snort.conf
[2.3.1-RELEASE]/root: ps -ax | grep snort | grep -v grep
87433 - Ss 0:00.05 /usr/local/bin/barnyard2 -r 17275 -f snort_17275_fxp0.u2 –pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_17275_fxp0/barnyard2.conf -d /var/log/s
[2.3.1-RELEASE]/root:Do you have any further suggestions?
-Justin
-
Did your pfsene updates have gone well ? I installed it two times via the console.
Check of youre system is on the latest version.
System/Update/SystemUpdate check if its 2.3.1_5 status up to date
-
Yes, the two recent updates went perfectly. The status shows up to date, 2.3.1_5.
-Justin
-
What is the Snort version ?
Check the [status/services] can you see [Snort IDS/IPS Daemon] running / not running / nothing to see ?
You have reinstall snort did you set youre rules on ? (for example see the attachment)
What rulesets are you using ? VRT rules / GPLv2 Community Rules / Emerging Threats Open Rules
-
The Installed Packages page shows Snort version 3.2.9.1_13.
The status/services page shows snort stopped.
I have Snort set up to save the configuration upon uninstall, so all my previous rules are set on. I use the VRT and ET rulesets.
That's interesting, I just noticed no VRT rules have been downloaded. I forced an update and the VRT rules failed to download. The log has these entries:
Jul 2 18:48:51 Jul 2 18:48:51 php-cgi: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed…
Jul 2 18:48:51 Jul 2 18:48:51 php-cgi: snort_check_for_rule_updates.php: [Snort] Server returned error code 422…Will Snort start if VRT rules have been enabled but the VRT file hasn't been downloaded?
-Justin
-
Snort version 3.2.9.1_13 is ok ,look by Package Dependencies there is the right Snort version . [2.9.8.0.-1] i guess ?
There is a problem with the VRT rules zie my post below the link;
https://forum.pfsense.org/index.php?topic=114519.msg636493#msg636493What you can try ; goto services/snort/globelsettings/ [Enable Snort GPLv2] [save] goto updates [Update Rules]
goto snort interfaces klik on [edit] check the WAN catagories and enable all the GPLv2 rules.
goto WAN rules and check the rules [Category Selection] GPLv2_community.rules (check of the rules are enabled)
Restart youre device and check of the Snort wil start .
For the VRT rules we have to be patience and wait for a pfSense cure .
-
The Package Dependencies state Snort 2.9.8.0_1.
I enabled the GPLv2 rules per your instructions and rebooted the firewall. Snort still does not start.
I really appreciate all your suggestions, Soonie. Do you have anything else I should try?
-Justin
-
Interestingly, Suricata starts just fine :o
I've been using Snort on pfSense for years. Is Suricata the only solution I have now if I want an IDS/IPS on pfSense? Feeling a tug from the dark side…
-Justin
Temporarily changing "snort" to "suricata" in my Splunk search :-\ -
Interestingly, Suricata starts just fine :o
I've been using Snort on pfSense for years. Is Suricata the only solution I have now if I want an IDS/IPS on pfSense? Feeling a tug from the dark side…
-Justin
Temporarily changing "snort" to "suricata" in my Splunk search :-\Snort will be back up soon. I was very late getting the 2.9.8.3 update posted for review and merge, and the developer who normally reviews and merges Snort is out on vacation right now. So give me the blame for being late submitting the update. I let the EOL of the 2.9.8.0 Snort VRT rules sneak up on me.
Bill
-
My problems began about June 17th after my pfSense upgrade, which I believe is before any Snort EOL took place, correct?
Thank you for keeping Snort up to date and providing support, Bill. I'm not about to blame you for anything. I just wish I could find a smoking gun in the logs to point me to a solution. I'll try the next version of Snort when it comes out but I don't think it's a rules issue at this point. I would be happy to be proven wrong, though.
-Justin