Snort and pfblockerNG-devel


  • Hi Bill,

    Yesterday pfblockerNG-devel got an update (2.2.5_33 -> 2.2.5_34), and this morning I saw that after the periodic WAN reconnection (which occurs each night at 01:10 by executing this script: /var/etc/pppoe_restart_pppoe0) Snort isn't running anymore. Started by hand, it runs flawlessly. Then I ran a test, executing the above script from the CLI, and Snort did not start again.
    Then I reinstalled Snort and ... everything is running after a reconnect as expected.
    Maybe you can tell me (only for my mind's sake) what could have happened when pfblocker was updated that interfered with Snort?

    Thanks again,
    fireodo


  • Well, without some kind of error message indicating why Snort did not restart, I can't really help you. When you have a situation like that, if Snort will not restart from the GUI, then exit to a shell prompt and run this command:

    /usr/local/bin/snort -V
    

    That should result in Snort starting, quickly showing the version and then exiting. Otherwise, some potentially useful error messages will appear.

    Posting the output of that plus anything you find relevant in the system log can help me diagnose the potential problem. Just telling me Snort would not restart gives me nothing to work with.

    My first guess, and this is purely a guess since there are no error messages to confirm my suspicion, is that the pfBlockerNG-devel package update swapped out some shared library that Snort uses. That could have caused a library version conflict. Reinstalling Snort would have brought back the correct library setup. But this is just a pure guess without any supporting evidence since I don't know what error message was being printed.
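
The diagnostic described in the reply above, as an added example that is not part of the original posts or of the Snort package: it runs `snort -V` and then uses `ldd` to list any shared library the binary can no longer resolve, which would confirm or rule out the library-conflict guess. The `ldd` step, the function names and the sample `ldd` output (including `libexample.so.1`) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: checks that the Snort binary starts
# and that every shared library it links against still resolves.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"  # path quoted in the thread

# Read ldd output on stdin; print each library the runtime linker could
# not resolve (lines of the form "libX.so.N => not found ...").
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Constructed sample ldd output; libexample.so.1 is a hypothetical name.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/snort:
    libc.so.7 => /lib/libc.so.7 (0x800e00000)
    libexample.so.1 => not found (0)
    libm.so.5 => /lib/libm.so.5 (0x800a00000)
EOF
}

# Run both checks against a binary; return 0 if healthy, 1 otherwise.
diagnose() {
    bin="$1"
    status=0
    # 1. Version check: a healthy binary prints its version and exits 0.
    if out=$("$bin" -V 2>&1); then
        echo "OK: $bin -V exited 0"
    else
        echo "FAIL: $bin -V did not exit cleanly; output follows:"
        echo "$out"
        status=1
    fi
    # 2. Library check: any unresolved name points at a library conflict.
    missing=$(ldd "$bin" 2>/dev/null | missing_libs)
    if [ -n "$missing" ]; then
        echo "FAIL: unresolved shared libraries:"
        echo "$missing" | sed 's/^/  /'
        status=1
    else
        echo "OK: all shared libraries resolve"
    fi
    return "$status"
}

# Only run on a host where the binary exists (e.g. the firewall itself).
if [ -x "$SNORT_BIN" ]; then
    diagnose "$SNORT_BIN"
fi
```

Running it right after a package update, before reinstalling anything, captures the evidence that a reinstall would erase.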


  • @bmeeks said in Snort and pfblockerNG-devel:

    > Well, without some kind of error message indicating why Snort did not restart, I can't really help you. When you have a situation like that, if Snort will not restart from the GUI, then exit to a shell prompt and run this command:

    There was no error - it simply was not starting automatically as expected! Starting manually was without errors.

    > My first guess, and this is purely a guess since there are no error messages to confirm my suspicion, is that the pfBlockerNG-devel package update swapped out some shared library that Snort uses. That could have caused a library version conflict. Reinstalling Snort would have brought back the correct library setup. But this is just a pure guess without any supporting evidence since I don't know what error message was being printed.

    This is something I thought too - thanks for confirming my thoughts!

    Have a fine weekend,
    fireodo