Latest Snort Upgrade error in library engine



  • Hi All,

    I did the latest snort upgrade and I am getting this error:

    FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.

    Snort does not start.

    Is anyone having the same issue, or does anyone know how to fix it?

    I have looked in the forum and did not see any discussion about this. If I have missed something, sorry.

    Thanks.



  • Try completely removing the Snort package and then install it again.  If you have "save settings" checked on the GLOBAL SETTINGS tab, you won't lose any configuration.  Sounds like during the update your dynamic pre-compiled rules did not get updated.  That is usually the cause of these kinds of errors.

    Another thing you can try first is to force a rules update using the Force Update button on the UPDATES tab.  That should bring down the new version of the rules.

    Bill



  • Hi Bmeeks,

    Thanks for the response.

    I had already tried that but I did it again like you suggested. Rebooted the system, removed snort, rebooted again and installed snort again and I am still getting the same error.

    Can you give another suggestion? Something that I may be missing or not doing.

    Thank you.



  • As I mentioned in another post, it installed correctly for me.  This is my system:

    2.3.1-RELEASE-p5 (i386)
    built on Thu Jun 16 12:53:31 CDT 2016
    FreeBSD 10.3-RELEASE-p3

    Services
    Service Description Status Actions
    dhcpd DHCP Service Running    
    dpinger Gateway Monitoring Daemon Running    
    ntpd NTP clock sync Running    
    snort Snort IDS/IPS Daemon Running
    sshd Secure Shell Daemon Running
    unbound DNS Resolver Running

    Installed Packages
    Name Category Version
    Cron sysutils 0.3.6_2
    snort security 3.2.9.1_14
          Dependencies: barnyard2-1.13  snort-2.9.8.3
    System_Patches sysutils 1.1.4_1



  • @phantonuser:

    Hi Bmeeks,

    Thanks for the response.

    I had already tried that but I did it again like you suggested. Rebooted the system, removed snort, rebooted again and installed snort again and I am still getting the same error.

    Can you give another suggestion? Something that I may be missing or not doing.

    Thank you.

    Is server-webapp the only shared object rules you have enabled, or are there others enabled?  Might be a problem with just that rule set (but I sort of doubt that).  I don't have any public facing web servers in my network, so I don't have that rule set enabled.

    Bill



  • Hi Everyone,

    I have tried removing everything and doing a fresh install of Snort and I am still getting the same error and some different ones now.

    I will try doing a fresh install of pfSense later. For now I will continue using it without snort. Everything else seems to be working fine.

    Thanks for all your help.



  • I just tested enabling that shared object rule set in a virtual machine and had no issues.  Are you by chance running a NanoBSD version of pfSense?

    Bill



  • Hi,
      I have also just upgraded and have exactly the same error - however i dug a bit further and noticed this in the logs for a forced update in the update tab which fails to download the Snort VRT rules:-

    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Expected File MD5:
    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: fcf6bf610e0f417ae97bb9efd30e73c2
    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed. Bad MD5 checksum…
    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully

    It appears to not be downloading the MD5 for the ruleset correctly and matching on a blank MD5 - any suggestions?



  • same issue…subscribing



  • Same issue here



  • same issue.



  • @ProxyMoron:

    Hi,
      I have also just upgraded and have exactly the same error - however i dug a bit further and noticed this in the logs for a forced update in the update tab which fails to download the Snort VRT rules:-

    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Expected File MD5:
    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: fcf6bf610e0f417ae97bb9efd30e73c2
    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed. Bad MD5 checksum…
    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully

    It appears to not be downloading the MD5 for the ruleset correctly and matching on a blank MD5 - any suggestions?

    This is not a Snort package problem.  The Snort VRT rules checksum file posted is not formatted correctly.  The VRT guys should get it sorted out soon.

    Bill



  • Just forced an update and it seems to be working now.



  • @morreale:

    same issue…subscribing

    just to clarify…i am having the same issue as the OP not the VRT issue.  I have actually disabled all rulesets.

    Jul 12 11:41:26	snort	80512	FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
    


  • @morreale:

    @morreale:

    same issue…subscribing

    just to clarify…i am having the same issue as the OP not the VRT issue.  I have actually disabled all rulesets.

    Jul 12 11:41:26	snort	80512	FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
    

    Hi,
      Just so you know I had exactly that issue as well after I updated to the latest version of Snort. However, after I searched the forum I saw people suggest that I force update the ruleset to resolve that issue. This I did but then noticed the issue above.

    However, now, forcing the update has resolved both issues so you may want to try that.



  • thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.



  • @morreale:

    thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

    If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and then reinstall Snort from scratch.

    Bill



  • @bmeeks:

    @morreale:

    thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

    If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and then reinstall Snort from scratch.

    Bill

    i have done a force update 5 times.  i will do a delete and reinstall.



  • @bmeeks:

    @morreale:

    thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

    If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and then reinstall Snort from scratch.

    Bill

    still will not start

    FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
    

    same error.

    do i need to restart server after uninstall before reinstall?



  • @morreale:

    @bmeeks:

    @morreale:

    thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

    If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and then reinstall Snort from scratch.

    Bill

    still will not start

    FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
    

    same error.

    do i need to restart server after uninstall before reinstall?

    Try this brute force approach.  Manually delete the /usr/local/lib/snort_dynamicengine directory and all files in it, then force a rules update.  Or for an even more radical approach, remove the Snort package again, open a shell command line session and delete all the snort directories you see in /usr/local/lib, then reinstall Snort.

    I may have asked you already, and if so forgive me for asking again, but are you by chance running this on NanoBSD?  For some reason your old Snort version shared object rules are not getting removed and overwritten with the new version during updates from the new Snort 2.9.8.3 package.  Shared object rules are pre-compiled and tagged with specific version numbers that tie them to the Snort binary.  Each time the binary updates, the shared object rules get a new version number.  The error message is telling us that you have a version mismatch between the Snort binary and the installed shared object pre-compiled rules.

    Bill
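
Added example, not part of the original posts: a shell helper that pulls the version-mismatch errors discussed above out of a system log and lists each rejected shared object rule library with the engine version it was built for and the one installed. The function names are assumptions; the sample log lines are constructed from the messages quoted in this thread.

```shell
#!/bin/sh
# Added example; function names are assumptions.

# Constructed sample log, built from the messages quoted in this thread.
sample_log() {
    cat <<'EOF'
Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Jul 12 11:41:26 snort 80512 FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
Aug 9 20:37:15 snort 26537 FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
EOF
}

# Read a log on stdin; print one line per distinct rejected rule library:
#   <library path> built_for=<engine version it was compiled against> engine=<installed>
find_stale_so_rules() {
    pat='.*FATAL ERROR: The dynamic detection library "\([^"]*\)" version [^ ]* '
    pat="$pat"'compiled with dynamic engine library version \([0-9]*\.[0-9]*\) '
    pat="$pat"'isn.t compatible with the current dynamic engine library "[^"]*" '
    pat="$pat"'version \([0-9]*\.[0-9]*\).*'
    sed -n "s/$pat/\1 built_for=\2 engine=\3/p" | sort -u
}

# Read find_stale_so_rules output; print the distinct directories that hold
# the rejected libraries, i.e. where leftover files should be looked for.
stale_rule_dirs() {
    while read -r path _rest; do
        dirname "$path"
    done | sort -u
}

# Demo on the constructed log (repeated errors collapse to one line).
sample_log | find_stale_so_rules
sample_log | find_stale_so_rules | stale_rule_dirs
```

On a live system the log would be piped in place of `sample_log`; the script only reports and leaves removal of the stale files to the operator.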



  • not running the nanobsd version.

    i will remove all remnants and try again.

    thanks for the help



  • @bmeeks:

    Or for an even more radical approach, remove the Snort package again, open a shell command line session and delete all the snort directories you see in /usr/local/lib, then reinstall Snort.

    Bill

    did this.  i like clean :)

    now working again.  thanks Bill



  • @morreale:

    @bmeeks:

    Or for an even more radical approach, remove the Snort package again, open a shell command line session and delete all the snort directories you see in /usr/local/lib, then reinstall Snort.

    Bill

    did this.  i like clean :)

    now working again.  thanks Bill

    Great!  Thanks for the feedback.  Not sure why those directories did not get cleaned on the remove and reinstall, though.  That is supposed to happen.

    Bill



    Thanks to this thread I was able to get snort working again, but I still can't get VRT rules or community rules to update at all or even openAppID rules for that matter, only ET rules.

    here is a pastebin of the log..  http://pastebin.com/uG6akM28

    Disable SSL Peer is checked… I've also regenerated a new Oinkmaster Code with no good results.

    snort ver. 3.2.9.1_14  snort-2.9.8.3 and barnyard2-1.13 installed

    Any help appreciated!



  • omg.. never mind.. it was the dnsbl in pfBlocker that was causing my issue…  now i feel stupid.. pffft!



  • Aug 9 20:37:15 php-fpm 23902 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 11181 -D -l /var/log/snort/snort_em011181 --pid-path /var/run --nolock-pidfile -G 11181 -c /usr/local/etc/snort/snort_11181_em0/snort.conf -i em0' returned exit code '1', the output was ''
    Aug 9 20:37:15 snort 26537 FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.

    2.3.2-RELEASE (amd64)
    built on Tue Jul 19 12:44:43 CDT 2016
    FreeBSD 10.3-RELEASE-p5



  • i have solved problem.

    remove interface and add wan interface after.



  • @bmeeks:

    Try completely removing the Snort package and then install it again.  If you have "save settings" checked on the GLOBAL SETTINGS tab, you won't lose any configuration.

    Bill

    Just upgraded to pfSense 2.3.2 with snort-2.9.8.3 and experienced this issue… worked like a charm, thanks much.



  • I am still having this issue. I have tried ALL tips from the Interwebs. No luck.
    Any more tips?



  • It helped me:

    ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1

