Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Latest Snort Upgrade error in library engine

    Scheduled Pinned Locked Moved IDS/IPS
    30 Posts 12 Posters 10.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      phantonuser
      last edited by

      Hi All,

      I did the latest snort upgrade and I am getting this error:

      FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.

      Snort does not start.

      Does anyone having the same issue or know how to fix it?

      I have looked in the forum and did not see any discussion about this. If I have missed something sorry.

      Thanks.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Try completely removing the Snort package and then install it again.  If you have "save settings" checked on the GLOBAL SETTINGS tab, you won't lose any configuration.  Sounds like during the update your dynamic pre-compiled rules did not get updated.  That is usually the cause of these kinds of errors.

        Another thing you can try first is to force a rules update using the Force Update button on the UPDATES tab.  That should bring down the new version of the rules.

        Bill

        1 Reply Last reply Reply Quote 0
        • P
          phantonuser
          last edited by

          Hi Bmeeks,

          Thanks for the response.

          I had already tried that but i did it again like you suggested. Rebooted the system, removed snort, rebooted again and installed snort again and I am still getting the same error.

          Can you give another suggestion? Something that I may be missing or not doing.

          Thank you.

          1 Reply Last reply Reply Quote 0
          • B
            battles
            last edited by

            As I mentioned in another post, it installed correctly for me.  This is my system:

            2.3.1-RELEASE-p5 (i386)
            built on Thu Jun 16 12:53:31 CDT 2016
            FreeBSD 10.3-RELEASE-p3

            Services
            Service Description Status Actions
            dhcpd DHCP Service Running    
            dpinger Gateway Monitoring Daemon Running    
            ntpd NTP clock sync Running    
            snort Snort IDS/IPS Daemon Running
            sshd Secure Shell Daemon Running
            unbound DNS Resolver Running

            Installed Packages
            Name Category Version
            Cron sysutils 0.3.6_2
            snort security 3.2.9.1_14
                  Dependencies: barnyard2-1.13  snort-2.9.8.3
            System_Patches sysutils 1.1.4_1

            pfSense 2.3.4-RELEASE-p1 (i386)
            FreeBSD 10.3-RELEASE-p19
            pfBlockerNG 2.1.2_1
            Snort Security 3.2.9.5_3
            Intel(R) Atom(TM) CPU N270 @ 1.60GHz

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              @phantonuser:

              Hi Bmeeks,

              Thanks for the response.

              I had already tried that but i did it again like you suggested. Rebooted the system, removed snort, rebooted again and installed snort again and I am still getting the same error.

              Can you give another suggestion? Something that I may be missing or not doing.

              Thank you.

              Is server-webapp the only shared object rules you have enabled, or are there others enabled?  Might be a problem with just that rule set (but I sort of doubt that).  I don't have any public facing web servers in my network, so I don't have that rule set enabled.

              Bill

              1 Reply Last reply Reply Quote 0
              • P
                phantonuser
                last edited by

                Hi Everyone,

                I have tried removing everything and doing a fresh install of Snort and I am still getting the same error and some different ones now.

                I will try doing a fresh install of Pfsense later. For now I will continue using it without snort. Everything else seems to be working fine.

                Thanks for all your help.

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  I just tested enabling that shared object rule set in a virtual machine and had no issues.  Are you by chance running a NanoBSD version of pfSense?

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • P
                    ProxyMoron
                    last edited by

                    Hi,
                      I have also just upgraded and have exactly the same error - however i dug a bit further and noticed this in the logs for a forced update in the update tab which fails to download the Snort VRT rules:-

                    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Expected File MD5:
                    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: fcf6bf610e0f417ae97bb9efd30e73c2
                    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed. Bad MD5 checksum…
                    Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully

                    It appears to not be downloading the MD5 for the ruleset correctly and matching on a blank MD5 - any suggestions?

                    1 Reply Last reply Reply Quote 0
                    • morrealeM
                      morreale
                      last edited by

                      same issue…subscribing

                      Release: pfSense 2.3.4 p1(amd64)
                      M/B: Supermicro A1SRi-2758F-O
                      SSD: 128GB
                      RAM: 2x8Gb Kingston 1600MHz DDR3L PC3-12800 ECC
                      AP: Cisco

                      1 Reply Last reply Reply Quote 0
                      • L
                        lutel
                        last edited by

                        Same issue here

                        1 Reply Last reply Reply Quote 0
                        • P
                          Paint
                          last edited by

                          same issue.

                          pfSense i5-4590
                          940/880 mbit Fiber Internet from FiOS
                          BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
                          Netgear R8000 AP (DD-WRT)

                          1 Reply Last reply Reply Quote 0
                          • bmeeksB
                            bmeeks
                            last edited by

                            @ProxyMoron:

                            Hi,
                              I have also just upgraded and have exactly the same error - however i dug a bit further and noticed this in the logs for a forced update in the update tab which fails to download the Snort VRT rules:-

                            Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Expected File MD5:
                            Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: fcf6bf610e0f417ae97bb9efd30e73c2
                            Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed. Bad MD5 checksum…
                            Jul 11 22:17:56 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully

                            It appears to not be downloading the MD5 for the ruleset correctly and matching on a blank MD5 - any suggestions?

                            This is not a Snort package problem.  The Snort VRT rules checksum file posted is not formatted correctly.  The VRT guys should get it sorted out soon.

                            Bill

                            1 Reply Last reply Reply Quote 0
                            • P
                              ProxyMoron
                              last edited by

                              Just forced an update and it seems to be working now.

                              1 Reply Last reply Reply Quote 0
                              • morrealeM
                                morreale
                                last edited by

                                @morreale:

                                same issue…subscribing

                                just to clarify…i am having the same issue as the OP not the VRT issue.  I have actually disabled all rulesets.

                                Jul 12 11:41:26	snort	80512	FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
                                

                                Release: pfSense 2.3.4 p1(amd64)
                                M/B: Supermicro A1SRi-2758F-O
                                SSD: 128GB
                                RAM: 2x8Gb Kingston 1600MHz DDR3L PC3-12800 ECC
                                AP: Cisco

                                1 Reply Last reply Reply Quote 0
                                • P
                                  ProxyMoron
                                  last edited by

                                  @morreale:

                                  @morreale:

                                  same issue…subscribing

                                  just to clarify…i am having the same issue as the OP not the VRT issue.  I have actually disabled all rulesets.

                                  Jul 12 11:41:26	snort	80512	FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
                                  

                                  Hi,
                                    Just so you know i had exactly that issue as well after i updated to the latest version of Snort. However, after i searched the forum i saw people suggest that i force update the ruleset to resolve that issue,. This I did but then noticed the issue above.

                                  However, now, forcing the update has resolved both issues so you may want to try that.

                                  1 Reply Last reply Reply Quote 0
                                  • morrealeM
                                    morreale
                                    last edited by

                                    thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

                                    Release: pfSense 2.3.4 p1(amd64)
                                    M/B: Supermicro A1SRi-2758F-O
                                    SSD: 128GB
                                    RAM: 2x8Gb Kingston 1600MHz DDR3L PC3-12800 ECC
                                    AP: Cisco

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks
                                      last edited by

                                      @morreale:

                                      thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

                                      If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and the reinstall Snort from scratch.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • morrealeM
                                        morreale
                                        last edited by

                                        @bmeeks:

                                        @morreale:

                                        thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

                                        If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and the reinstall Snort from scratch.

                                        Bill

                                        i have done a force update 5 times.  i will do a delete and reinstall.

                                        Release: pfSense 2.3.4 p1(amd64)
                                        M/B: Supermicro A1SRi-2758F-O
                                        SSD: 128GB
                                        RAM: 2x8Gb Kingston 1600MHz DDR3L PC3-12800 ECC
                                        AP: Cisco

                                        1 Reply Last reply Reply Quote 0
                                        • morrealeM
                                          morreale
                                          last edited by

                                          @bmeeks:

                                          @morreale:

                                          thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

                                          If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and the reinstall Snort from scratch.

                                          Bill

                                          still will not start

                                          FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
                                          

                                          same error.

                                          do i need to restart server after uninstall before reinstall?

                                          Release: pfSense 2.3.4 p1(amd64)
                                          M/B: Supermicro A1SRi-2758F-O
                                          SSD: 128GB
                                          RAM: 2x8Gb Kingston 1600MHz DDR3L PC3-12800 ECC
                                          AP: Cisco

                                          1 Reply Last reply Reply Quote 0
                                          • bmeeksB
                                            bmeeks
                                            last edited by

                                            @morreale:

                                            @bmeeks:

                                            @morreale:

                                            thanks for the suggestions but the error still exists and snort does not start.  if no one is having this issue i will reinstall / reconfigure but it was working before.

                                            If you have the "mismatched library version" error, that means your disk structure still contains files from the 2.9.8.0 rule set.  It should get cleared out and fixed if you force a rule download on the UPDATES tab.  If not, you can remove the Snort package using the DELETE icon on the Package Manager page and the reinstall Snort from scratch.

                                            Bill

                                            still will not start

                                            FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
                                            

                                            same error.

                                            do i need to restart server after uninstall before reinstall?

                                            Try this brute force approach.  Manually delete the /usr/local/lib/snort_dynamicengine directory and all files in it, then force a rules update.  Or for an even more radical approach, remove the Snort package again, open a shell command line session and delete all the snort directories you see in /usr/local/lib, then reinstall Snort.

                                            I may have asked you already, and if so forgive me for asking again, but are you by chance running this on NanoBSD?  For some reason your old Snort version shared object rules are not getting removed and overwritten with the new version during updates from the new Snort 2.9.8.3 package.  Shared object rules are pre-compiled and tagged with specific version numbers that tie them to the Snort binary.  Each time the binary updates, the shared object rules get a new version number.  The error message is telling us that you have a version mismatch between the Snort binary and the installed shared object pre-compiled rules.

                                            Bill

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.