Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort 4.0_7 Not starting

    Scheduled Pinned Locked Moved
    Development
    3
    6
    472
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      I did a update to the latest version of Snort 4.0_7 not starting on reboot of Pfsense
      2.5.0-DEVELOPMENT latest snapshot !

      1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8
        last edited by

        any log about it?

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          Nothing in the log about snort at all

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @A Former User
            last edited by bmeeks

            @cdx304 said in Snort 4.0_7 Not starting:

            Nothing in the log about snort at all

            There is nothing at all in the pfSense system log? There should be an entry there indicating the cause of the failure to start. In the rare instance where this has happened in the past, you might find a library dependency is wrong. You can check that by doing this:

            1. Open a CLI (command line interface) session with the firewall either directly via the console or over the network via SSH.
            2. Attempt to start Snort and have it print version information with this command -
            /usr/local/bin/snort -V

            Post back if any errors print. Otherwise, if Snort prints the version information to the screen and exits, then the basic install is good. Post back either way and we can continue troubleshooting from there.

            See this later updated post for an update on the reported issue.

            You should also find an entry similar to this one in the pfSense system log --

            Oct 3 10:13:35	snort	4335	FATAL ERROR: /usr/local/etc/snort/snort_48750_/snort.conf(0) Unable to open rules file "/usr/local/etc/snort/snort_48750_/snort.conf": No such file or directory.

            The exact values will of course be unique to your firewall, but you should find a "FATAL ERROR:" line that looks much like the one above.

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by bmeeks

              Follow-up to my earlier post --

              I did some checking and found that the new code is creating an incorrect /usr/local/etc/rc.d/snort.sh shell script. That script is used to start Snort initially after package installation and after a firewall reboot. The shell script is created with an incorrect path entry.

              I will get a fix out shortly. In the meantime, you should be able to start Snort manually on each interface using the icons on the INTERFACES tab. At least that works for me in a test virtual machine. However, if you reboot the firewall, then the Snort instances will need to be manually restarted until I get the fix posted.

              If you want to "quick fix it" for yourself while waiting on the update, make the following change in the file /usr/local/pkg/snort/snort.inc at line 3252 --

              	if (($value['enable'] <> 'on') || ($if_real = ""))

              Change that line to read instead as --

              	if (($value['enable'] <> 'on') || ($if_real == ""))

              Notice the single equals sign ("=") should be a double-equals sign instead ("==").

              Make that change, save the file, then go to the INTERFACE SETTINGS tab for a Snort interface and click Save to regenerate the snort.sh shell script.

              I will get this fix posted soon.

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                The fix for the issue identified in this thread is now available in the Snort-4.0_8 package version. The update is available for install for users of pfSense-2.5 snapshots only.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post