Snort fails to start after pfSense upgrade
-
Same results trying to start from the command line. I followed your suggestion to stop barnyard, delete the package and reinstall again. It was interesting that after the installation completed, there was a brief moment when a snort process was actually running, but then it stopped again:
[2.3.1-RELEASE]/root: ps -ax | grep snort | grep -v grep
29454 - IW 0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh start
30668 - DL 0:43.98 /usr/local/bin/snort -R 17275 -D -l /var/log/snort/snort_fxp017275 --pid-path /var/run --nolock-pidfile -G 17275 -c /usr/local/etc/snort/snort_17275_fxp0/snort.conf
[2.3.1-RELEASE]/root: ps -ax | grep snort | grep -v grep
87433 - Ss 0:00.05 /usr/local/bin/barnyard2 -r 17275 -f snort_17275_fxp0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_17275_fxp0/barnyard2.conf -d /var/log/s
[2.3.1-RELEASE]/root:
Do you have any further suggestions?
-Justin
-
Did your pfSense updates go well? I installed it two times via the console.
Check if your system is on the latest version.
System/Update/System Update: check if it's 2.3.1_5 and the status is up to date.
-
Yes, the two recent updates went perfectly. The status shows up to date, 2.3.1_5.
-Justin
-
What is the Snort version?
Check [Status/Services]: can you see [Snort IDS/IPS Daemon] running / not running / nothing to see?
You have reinstalled Snort; did you set your rules on? (For example, see the attachment.)
What rulesets are you using? VRT rules / GPLv2 Community Rules / Emerging Threats Open Rules
-
The Installed Packages page shows Snort version 3.2.9.1_13.
The status/services page shows snort stopped.
I have Snort set up to save the configuration upon uninstall, so all my previous rules are set on. I use the VRT and ET rulesets.
That's interesting, I just noticed no VRT rules have been downloaded. I forced an update and the VRT rules failed to download. The log has these entries:
Jul 2 18:48:51 Jul 2 18:48:51 php-cgi: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed…
Jul 2 18:48:51 Jul 2 18:48:51 php-cgi: snort_check_for_rule_updates.php: [Snort] Server returned error code 422…
Will Snort start if VRT rules have been enabled but the VRT file hasn't been downloaded?
-Justin
-
Snort version 3.2.9.1_13 is OK; look under Package Dependencies, there should be the right Snort version, [2.9.8.0-1] I guess?
There is a problem with the VRT rules; see my post below the link:
https://forum.pfsense.org/index.php?topic=114519.msg636493#msg636493
What you can try: go to Services/Snort/Global Settings, [Enable Snort GPLv2], [Save], go to Updates, [Update Rules].
Go to Snort Interfaces, click on [Edit], check the WAN categories and enable all the GPLv2 rules.
Go to WAN Rules and check the rules under [Category Selection] GPLv2_community.rules (check that the rules are enabled).
Restart your device and check if Snort will start.
For the VRT rules we have to be patient and wait for a pfSense cure.
-
The Package Dependencies state Snort 2.9.8.0_1.
I enabled the GPLv2 rules per your instructions and rebooted the firewall. Snort still does not start.
I really appreciate all your suggestions, Soonie. Do you have anything else I should try?
-Justin
-
Interestingly, Suricata starts just fine :o
I've been using Snort on pfSense for years. Is Suricata the only solution I have now if I want an IDS/IPS on pfSense? Feeling a tug from the dark side…
-Justin
Temporarily changing "snort" to "suricata" in my Splunk search :-\
-
Snort will be back up soon. I was very late getting the 2.9.8.3 update posted for review and merge, and the developer who normally reviews and merges Snort is out on vacation right now. So give me the blame for being late submitting the update. I let the EOL of the 2.9.8.0 Snort VRT rules sneak up on me.
Bill
-
My problems began about June 17th after my pfSense upgrade, which I believe is before any Snort EOL took place, correct?
Thank you for keeping Snort up to date and providing support, Bill. I'm not about to blame you for anything. I just wish I could find a smoking gun in the logs to point me to a solution. I'll try the next version of Snort when it comes out but I don't think it's a rules issue at this point. I would be happy to be proven wrong, though.
-Justin