[Solved] Snort doesn't start after upgrade 3.2.9.6_1 -> 3.2.9.7_2



  • pfSense 2.4.2-RELEASE
    After snort package upgrade I got:

    The command '/usr/local/bin/snort -R 27439 -D -q --suppress-config-log -l /var/log/snort/snort_bge127439 --pid-path /var/run --nolock-pidfil
    e -G 27439 -c /usr/local/etc/snort/snort_27439_bge1/snort.conf -i bge1' returned exit code '1', the output was 'Shared object "libdl.so.1" not found, required by "snort"'
    code
    

    Here is the ouput of the upgrade:

    >>> Upgrading pfSense-pkg-snort... 
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    The following 2 package(s) will be affected (of 0 checked):
    
    Installed packages to be UPGRADED:
    	pfSense-pkg-snort: 3.2.9.6_1 -> 3.2.9.7_2 [pfSense]
    	snort: 2.9.11.1_1 -> 2.9.11.1_2 [pfSense]
    
    Number of packages to be upgraded: 2
    
    1 MiB to be downloaded.
    [1/2] Fetching pfSense-pkg-snort-3.2.9.7_2.txz: .......... done
    [2/2] Fetching snort-2.9.11.1_2.txz: .......... done
    Checking integrity... done (0 conflicting)
    [1/2] Upgrading snort from 2.9.11.1_1 to 2.9.11.1_2...
    [1/2] Extracting snort-2.9.11.1_2: .......... done
    You may need to manually remove /usr/local/etc/snort/classification.config if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/gen-msg.map if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/preproc_rules/decoder.rules if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/preproc_rules/preprocessor.rules if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/preproc_rules/sensitive-data.rules if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/reference.config if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/snort.conf if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/threshold.conf if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/unicode.map if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/file_magic.conf if it is no longer needed.
    You may need to manually remove /usr/local/etc/snort/attribute_table.dtd if it is no longer needed.
    [2/2] Upgrading pfSense-pkg-snort from 3.2.9.6_1 to 3.2.9.7_2...
    [2/2] Extracting pfSense-pkg-snort-3.2.9.7_2: .......... done
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Saving updated package information...
    overwrite!
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...Saved settings detected.
    Migrating settings to new configuration... done.
    Downloading Snort Subscriber rules md5 file... done.
    Checking Snort Subscriber rules md5 file... done.
    There is a new set of Snort Subscriber rules posted.
    Downloading snortrules-snapshot-29111.tar.gz... done.
    Downloading Emerging Threats Open rules md5 file... done.
    Checking Emerging Threats Open rules md5 file... done.
    There is a new set of Emerging Threats Open rules posted.
    Downloading emerging.rules.tar.gz... done.
    Installing Snort Subscriber ruleset...Copying md5 signature to snort directory... done.
    Installing Emerging Threats Open rules...Copying md5 signature to snort directory... done.
    Updating rules configuration for: WAN ... done.
    Cleaning up temp dirs and files... done.
    The Rules update has finished.
    Generating snort.conf configuration file from saved settings.
    Generating configuration for WAN...
     done.
    Generating snort.sh script in /usr/local/etc/rc.d/... done.
    Finished rebuilding Snort configuration files.
    done.
    Executing custom_php_resync_config_command()...
    done.
    Menu items... done.
    Services... done.
    Writing configuration... done.
    Please visit Services - Snort - Interfaces tab first and select your desired rules. Afterwards visit the Updates tab to download your configured rulesets.Message from snort-2.9.11.1_2:
    
    =========================================================================
    Snort uses rcNG startup script and must be enabled via /etc/rc.conf
    Please see /usr/local/etc/rc.d/snort
    for list of available variables and their description.
    Configuration files are located in /usr/local/etc/snort directory.
    
    Please note that, by default, snort will truncate packets larger than the
    default snaplen of 15158 bytes.  Additionally, LRO may cause issues with
    Stream5 target-based reassembly.  It is recommended to disable LRO, if
    your card supports it.
    
    This can be done by appending '-lro' to your ifconfig_ line in rc.conf.
    =========================================================================
    Message from pfSense-pkg-snort-3.2.9.7_2:
    
    Please visit Services - Snort - Interfaces tab first to add an interface, then select your desired rules packages at the Services - Snort - Global tab. Afterwards visit the Updates tab to download your configured rulesets.
    >>> Cleaning up cache... done.
    Success
    
    code
    

    Any help?
    Thanks


  • Rebel Alliance Developer Netgate

    You need to upgrade to pfSense 2.4.4. Do not try to load new packages on a release that out of date.

    https://redmine.pfsense.org/issues/8938



  • @jimp Thank you.
    I am going to upgrade pfSense.



  • Solved upgrading to pfSense 2.4.4

    Thank you