[SOLVED] Snort will not start

mike8888

Hi there,

I have a problem with snort will not start when press the start button, the gear spinning for a while, and the status is stopped

Snort version= pfsense-pkg-snort-3.2.9.11
In global settings, I only check Snort VRT (and filled Oinkmaster Code with free registered user account), and Sourcefire OpenAppID Detectors, and both successfully updated.

I was installing snort as part of Netgate Pfsense package
My Pfsense was built on VMware virtualization server (ESXi 6.7u2)
Pfsense 2.4.4-RELEASE-p3 (amd64)
have 2 interfaces (WAN and LAN)
WAN running on PPPoE
I don't have (or can't acquire) snort.conf file
In Snort Interfaces, I use WAN for monitoring, and checked both Resolve Flowbits and Use IPS Policy (Connectivity)

I setup/configure snort using setup from netgate documentationhttps://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html

There a message from pfsense system log after failed attempt to start snort:

/tmp/snort_pppoe02848_startcmd.php: The command '/usr/local/bin/snort -R 2848 -D -q --suppress-config-log -l /var/log/snort/snort_pppoe02848 --pid-path /var/run --nolock-pidfile -G 2848 -c /usr/local/etc/snort/snort_2848_pppoe0/snort.conf -i pppoe0' returned exit code '1', the output was 'Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"'

(I put full log since snort installed at below)

I don't know if it was a bug, or maybe I have wrong environment / pfsense error, so if someone here can please help me identify with my problem.

ps: I also put this in snort mailing list

regards,
michael

May 28 17:20:59 pkg-static snort-2.9.16 installed
May 28 17:20:59 php /etc/rc.packages: Beginning package installation for snort .
May 28 03:20:59 check_reload_status Syncing firewall
May 28 03:20:59 check_reload_status Syncing firewall
May 28 17:20:59 php /etc/rc.packages: [Snort] Package post-installation tasks completed...
May 28 17:20:59 php /etc/rc.packages: Successfully installed package: snort.
May 28 17:20:59 pkg-static pfSense-pkg-snort-3.2.9.11 installed
May 28 03:21:00 check_reload_status Reloading filter
May 28 03:21:00 check_reload_status Starting packages
May 28 03:21:01 php-fpm 35954 /rc.start_packages: Restarting/Starting all packages.
May 28 03:21:02 php-fpm 35954 /rc.start_packages: [squid] - squid_resync function call pr:1 bp: rpc:no
May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Adding cronjobs ...
May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Adding freshclam cronjob.
May 28 03:21:03 check_reload_status Syncing firewall
May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Creating 'clamd.sh' rc script.
May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Reloading ClamAV...
May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Reloading C-ICAP...
May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Stopping any running proxy monitors
May 28 03:21:04 php-fpm 35954 /rc.start_packages: [squid] Reloading for configuration sync...
May 28 03:21:04 php-fpm 35954 /rc.start_packages: [squid] Starting a proxy monitor script
May 28 03:21:05 check_reload_status Reloading filter
May 28 03:21:05 php-fpm 35954 [pfBlockerNG] Starting cron process.
May 28 03:21:05 kernel em0: promiscuous mode disabled
May 28 03:21:05 kernel pppoe0: promiscuous mode disabled
May 28 03:21:05 kernel em0: promiscuous mode enabled
May 28 03:21:05 kernel pppoe0: promiscuous mode enabled
May 28 03:26:30 check_reload_status Syncing firewall
May 28 17:27:46 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29160.tar.gz...
May 28 17:28:50 php-cgi snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules file update downloaded successfully
May 28 17:29:01 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID detectors posted. Downloading snort-openappid.tar.gz...
May 28 17:29:28 php-cgi snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors file update downloaded successfully
May 28 17:29:39 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID RULES detectors posted. Downloading appid_rules.tar.gz...
May 28 17:29:50 php-cgi snort_check_for_rule_updates.php: [Snort] Snort OpenAppID RULES detectors file update downloaded successfully
May 28 17:30:02 php-cgi snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 28 03:31:22 check_reload_status Syncing firewall
May 28 03:31:22 check_reload_status Syncing firewall
May 28 03:32:04 check_reload_status Syncing firewall
May 28 03:32:04 php-fpm 63133 /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ...
May 28 03:32:04 php-fpm 63133 /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN...
May 28 03:32:04 php-fpm 63133 /snort/snort_rulesets.php: [Snort] Building new sid-msg.map file for WAN...
May 28 03:32:32 check_reload_status Syncing firewall
May 28 03:32:32 php-fpm 68479 /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN ...
May 28 03:32:32 php-fpm 68479 /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN...
May 28 03:32:32 php-fpm 68479 /snort/snort_preprocessors.php: [Snort] Building new sid-msg.map file for WAN...
May 28 03:32:48 php-fpm 35954 /snort/snort_interfaces.php: Starting Snort on WAN(pppoe0) per user request...
May 28 17:32:48 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Updating rules configuration for: WAN ...
May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Enabling any flowbit-required rules for: WAN...
May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Building new sid-msg.map file for WAN...
May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Snort START for WAN(pppoe0)...
May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: The command '/usr/local/bin/snort -R 2848 -D -q --suppress-config-log -l /var/log/snort/snort_pppoe02848 --pid-path /var/run --nolock-pidfile -G 2848 -c /usr/local/etc/snort/snort_2848_pppoe0/snort.conf -i pppoe0' returned exit code '1', the output was 'Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"'

kiokoman

@mike8888 said in Snort will not star:

Pfsense 2.4.4-RELEASE-p3 (amd64)

you need to upgrade to 2.4.5 or downgrade snort

mike8888

noted that, will try upgrade to 2.4.5

thanks for the insight

mike8888

successfully upgrade to 2.4.5 and snort start straight away

thanks kiokoman

kiokoman

nice

bmeeks

@mike8888:
Never attempt to upgrade any installed package when there is a pfSense update showing on the Dashboard as "available" for your box. When new pfSense versions are released, all of the packages are recompiled to take advantage of the new pfSense version. That means in some cases shared library dependencies get changed with the new pfSense version update. That's what happened with the 2.4.5 release. Several of the dependent libraries used by the Snort binary changed in pfSense 2.4.5, and thus the Snort package was recompiled to accomodate those changes.

That means the updated Snort package will no longer run on the older pfSense version because Snort got recompiled with the changes when the new pfSense release was compiled. Therefore the rule, NEVER upgrade packages until your pfSense is current. Always check the firewall Dashboard to see if your pfSense version is current. If not, DO NOT install or attempt to update any already installed packages until AFTER you have updated pfSense itself!

mike8888

@bmeeks ok, got it