[Solved] Snort doesn't start after upgrade 3.2.9.6_1 -> 3.2.9.7_2

palomar72

pfSense 2.4.2-RELEASE
After snort package upgrade I got:

The command '/usr/local/bin/snort -R 27439 -D -q --suppress-config-log -l /var/log/snort/snort_bge127439 --pid-path /var/run --nolock-pidfil
e -G 27439 -c /usr/local/etc/snort/snort_27439_bge1/snort.conf -i bge1' returned exit code '1', the output was 'Shared object "libdl.so.1" not found, required by "snort"'
code

Here is the ouput of the upgrade:

>>> Upgrading pfSense-pkg-snort... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	pfSense-pkg-snort: 3.2.9.6_1 -> 3.2.9.7_2 [pfSense]
	snort: 2.9.11.1_1 -> 2.9.11.1_2 [pfSense]

Number of packages to be upgraded: 2

1 MiB to be downloaded.
[1/2] Fetching pfSense-pkg-snort-3.2.9.7_2.txz: .......... done
[2/2] Fetching snort-2.9.11.1_2.txz: .......... done
Checking integrity... done (0 conflicting)
[1/2] Upgrading snort from 2.9.11.1_1 to 2.9.11.1_2...
[1/2] Extracting snort-2.9.11.1_2: .......... done
You may need to manually remove /usr/local/etc/snort/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/gen-msg.map if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/preproc_rules/decoder.rules if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/preproc_rules/preprocessor.rules if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/preproc_rules/sensitive-data.rules if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/snort.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/threshold.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/unicode.map if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/file_magic.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/snort/attribute_table.dtd if it is no longer needed.
[2/2] Upgrading pfSense-pkg-snort from 3.2.9.6_1 to 3.2.9.7_2...
[2/2] Extracting pfSense-pkg-snort-3.2.9.7_2: .......... done
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Saved settings detected.
Migrating settings to new configuration... done.
Downloading Snort Subscriber rules md5 file... done.
Checking Snort Subscriber rules md5 file... done.
There is a new set of Snort Subscriber rules posted.
Downloading snortrules-snapshot-29111.tar.gz... done.
Downloading Emerging Threats Open rules md5 file... done.
Checking Emerging Threats Open rules md5 file... done.
There is a new set of Emerging Threats Open rules posted.
Downloading emerging.rules.tar.gz... done.
Installing Snort Subscriber ruleset...Copying md5 signature to snort directory... done.
Installing Emerging Threats Open rules...Copying md5 signature to snort directory... done.
Updating rules configuration for: WAN ... done.
Cleaning up temp dirs and files... done.
The Rules update has finished.
Generating snort.conf configuration file from saved settings.
Generating configuration for WAN...
 done.
Generating snort.sh script in /usr/local/etc/rc.d/... done.
Finished rebuilding Snort configuration files.
done.
Executing custom_php_resync_config_command()...
done.
Menu items... done.
Services... done.
Writing configuration... done.
Please visit Services - Snort - Interfaces tab first and select your desired rules. Afterwards visit the Updates tab to download your configured rulesets.Message from snort-2.9.11.1_2:

=========================================================================
Snort uses rcNG startup script and must be enabled via /etc/rc.conf
Please see /usr/local/etc/rc.d/snort
for list of available variables and their description.
Configuration files are located in /usr/local/etc/snort directory.

Please note that, by default, snort will truncate packets larger than the
default snaplen of 15158 bytes.  Additionally, LRO may cause issues with
Stream5 target-based reassembly.  It is recommended to disable LRO, if
your card supports it.

This can be done by appending '-lro' to your ifconfig_ line in rc.conf.
=========================================================================
Message from pfSense-pkg-snort-3.2.9.7_2:

Please visit Services - Snort - Interfaces tab first to add an interface, then select your desired rules packages at the Services - Snort - Global tab. Afterwards visit the Updates tab to download your configured rulesets.
>>> Cleaning up cache... done.
Success

code

Any help?
Thanks

jimp

You need to upgrade to pfSense 2.4.4. Do not try to load new packages on a release that out of date.

https://redmine.pfsense.org/issues/8938

palomar72

@jimp Thank you.
I am going to upgrade pfSense.

palomar72

Solved upgrading to pfSense 2.4.4

Thank you