Netgate Discussion Forum

    [SOLVED] Snort will not start

    • M
      mike8888
      last edited by mike8888

      Hi there,

      I have a problem: Snort will not start. When I press the start button, the gear spins for a while, and the status is stopped.

      Snort version= pfsense-pkg-snort-3.2.9.11
      In global settings, I only check Snort VRT (and filled Oinkmaster Code with free registered user account), and Sourcefire OpenAppID Detectors, and both successfully updated.

      I was installing snort as part of Netgate Pfsense package
      My Pfsense was built on VMware virtualization server (ESXi 6.7u2)
      Pfsense 2.4.4-RELEASE-p3 (amd64)
      have 2 interfaces (WAN and LAN)
      WAN running on PPPoE
      I don't have (or can't acquire) snort.conf file
      In Snort Interfaces, I use WAN for monitoring, and checked both Resolve Flowbits and Use IPS Policy (Connectivity)

      I set up/configured Snort using the setup from the Netgate documentation: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html

      There is a message from the pfSense system log after the failed attempt to start Snort:

      /tmp/snort_pppoe02848_startcmd.php: The command '/usr/local/bin/snort -R 2848 -D -q --suppress-config-log -l /var/log/snort/snort_pppoe02848 --pid-path /var/run --nolock-pidfile -G 2848 -c /usr/local/etc/snort/snort_2848_pppoe0/snort.conf -i pppoe0' returned exit code '1', the output was 'Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"'

      (I put the full log since Snort was installed below)

      I don't know if it is a bug, or maybe I have the wrong environment / a pfSense error, so could someone here please help me identify my problem?

      PS: I also put this on the Snort mailing list

      regards,
      michael

      May 28 17:20:59 pkg-static snort-2.9.16 installed
      May 28 17:20:59 php /etc/rc.packages: Beginning package installation for snort .
      May 28 03:20:59 check_reload_status Syncing firewall
      May 28 03:20:59 check_reload_status Syncing firewall
      May 28 17:20:59 php /etc/rc.packages: [Snort] Package post-installation tasks completed...
      May 28 17:20:59 php /etc/rc.packages: Successfully installed package: snort.
      May 28 17:20:59 pkg-static pfSense-pkg-snort-3.2.9.11 installed
      May 28 03:21:00 check_reload_status Reloading filter
      May 28 03:21:00 check_reload_status Starting packages
      May 28 03:21:01 php-fpm 35954 /rc.start_packages: Restarting/Starting all packages.
      May 28 03:21:02 php-fpm 35954 /rc.start_packages: [squid] - squid_resync function call pr:1 bp: rpc:no
      May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Adding cronjobs ...
      May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Adding freshclam cronjob.
      May 28 03:21:03 check_reload_status Syncing firewall
      May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Creating 'clamd.sh' rc script.
      May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Reloading ClamAV...
      May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Reloading C-ICAP...
      May 28 03:21:03 php-fpm 35954 /rc.start_packages: [squid] Stopping any running proxy monitors
      May 28 03:21:04 php-fpm 35954 /rc.start_packages: [squid] Reloading for configuration sync...
      May 28 03:21:04 php-fpm 35954 /rc.start_packages: [squid] Starting a proxy monitor script
      May 28 03:21:05 check_reload_status Reloading filter
      May 28 03:21:05 php-fpm 35954 [pfBlockerNG] Starting cron process.
      May 28 03:21:05 kernel em0: promiscuous mode disabled
      May 28 03:21:05 kernel pppoe0: promiscuous mode disabled
      May 28 03:21:05 kernel em0: promiscuous mode enabled
      May 28 03:21:05 kernel pppoe0: promiscuous mode enabled
      May 28 03:26:30 check_reload_status Syncing firewall
      May 28 17:27:46 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29160.tar.gz...
      May 28 17:28:50 php-cgi snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules file update downloaded successfully
      May 28 17:29:01 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID detectors posted. Downloading snort-openappid.tar.gz...
      May 28 17:29:28 php-cgi snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors file update downloaded successfully
      May 28 17:29:39 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID RULES detectors posted. Downloading appid_rules.tar.gz...
      May 28 17:29:50 php-cgi snort_check_for_rule_updates.php: [Snort] Snort OpenAppID RULES detectors file update downloaded successfully
      May 28 17:30:02 php-cgi snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      May 28 03:31:22 check_reload_status Syncing firewall
      May 28 03:31:22 check_reload_status Syncing firewall
      May 28 03:32:04 check_reload_status Syncing firewall
      May 28 03:32:04 php-fpm 63133 /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN ...
      May 28 03:32:04 php-fpm 63133 /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN...
      May 28 03:32:04 php-fpm 63133 /snort/snort_rulesets.php: [Snort] Building new sid-msg.map file for WAN...
      May 28 03:32:32 check_reload_status Syncing firewall
      May 28 03:32:32 php-fpm 68479 /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN ...
      May 28 03:32:32 php-fpm 68479 /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN...
      May 28 03:32:32 php-fpm 68479 /snort/snort_preprocessors.php: [Snort] Building new sid-msg.map file for WAN...
      May 28 03:32:48 php-fpm 35954 /snort/snort_interfaces.php: Starting Snort on WAN(pppoe0) per user request...
      May 28 17:32:48 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Updating rules configuration for: WAN ...
      May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Enabling any flowbit-required rules for: WAN...
      May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Building new sid-msg.map file for WAN...
      May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Snort START for WAN(pppoe0)...
      May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: The command '/usr/local/bin/snort -R 2848 -D -q --suppress-config-log -l /var/log/snort/snort_pppoe02848 --pid-path /var/run --nolock-pidfile -G 2848 -c /usr/local/etc/snort/snort_2848_pppoe0/snort.conf -i pppoe0' returned exit code '1', the output was 'Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"'

      • kiokomanK
        kiokoman LAYER 8
        last edited by

        @mike8888 said in Snort will not start:

        Pfsense 2.4.4-RELEASE-p3 (amd64)

        you need to upgrade to 2.4.5 or downgrade snort

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • M
          mike8888
          last edited by

          Noted, will try upgrading to 2.4.5

          thanks for the insight

          • M
            mike8888
            last edited by

            Successfully upgraded to 2.4.5 and Snort started straight away

            thanks kiokoman

            • kiokomanK
              kiokoman LAYER 8
              last edited by

              nice 👍

              • bmeeksB
                bmeeks
                last edited by bmeeks

                @mike8888:
                Never attempt to upgrade any installed package when there is a pfSense update showing on the Dashboard as "available" for your box. When new pfSense versions are released, all of the packages are recompiled to take advantage of the new pfSense version. That means in some cases shared library dependencies get changed with the new pfSense version update. That's what happened with the 2.4.5 release. Several of the dependent libraries used by the Snort binary changed in pfSense 2.4.5, and thus the Snort package was recompiled to accommodate those changes.

                That means the updated Snort package will no longer run on the older pfSense version because Snort got recompiled with the changes when the new pfSense release was compiled. Therefore the rule, NEVER upgrade packages until your pfSense is current. Always check the firewall Dashboard to see if your pfSense version is current. If not, DO NOT install or attempt to update any already installed packages until AFTER you have updated pfSense itself!

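A check for the failure discussed in this thread, as an added example that is not part of the original posts or of the Snort package: it pulls the runtime linker's "Shared object ... not found" errors out of log text and lists unresolved libraries in `ldd` output. The log line is the one quoted in the first post; the `ldd` sample, its paths and the `preflight` helper are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or the Snort package).

# Read log text on stdin; print "<missing lib> <required by> <count>" for
# each distinct runtime-linker "Shared object ... not found" error.
missing_shared_objects() {
    sed -n 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\1 \2/p' |
        sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Read `ldd` output on stdin; print each library the linker cannot resolve.
# Matches "lib => not found" with or without a trailing "(0)".
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Hypothetical helper: return 1 if the given binary has unresolved libraries,
# e.g. run it against a daemon's binary before trying to start the service.
preflight() {
    unresolved=$(ldd "$1" 2>/dev/null | ldd_missing)
    if [ -n "$unresolved" ]; then
        echo "$1: unresolved shared objects: $unresolved" >&2
        return 1
    fi
}

# Sample log: the second line is the error quoted in the first post.
sample_log() {
cat <<'EOF'
May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: [Snort] Snort START for WAN(pppoe0)...
May 28 17:32:49 php /tmp/snort_pppoe02848_startcmd.php: The command '/usr/local/bin/snort -R 2848 -D -q --suppress-config-log -l /var/log/snort/snort_pppoe02848 --pid-path /var/run --nolock-pidfile -G 2848 -c /usr/local/etc/snort/snort_2848_pppoe0/snort.conf -i pppoe0' returned exit code '1', the output was 'Shared object "libibverbs.so.1" not found, required by "libpcap.so.1"'
EOF
}

# Constructed ldd output (library paths and addresses are illustrative).
sample_ldd() {
cat <<'EOF'
/usr/local/bin/snort:
    libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x800a00000)
    libibverbs.so.1 => not found (0)
    libc.so.7 => /lib/libc.so.7 (0x800c00000)
EOF
}

sample_log | missing_shared_objects
sample_ldd | ldd_missing
```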
                • M
                  mike8888
                  last edited by

                  @bmeeks ok, got it

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.