Snort fails to start
-
Hello!
I'm trying to use Snort in the pfSense but after I made the initial setup, it is not starting. I checked the system logs and notice the following but not really sure what this means:
/tmp/snort_ix0.2_startcmd.php: The command '/usr/local/bin/snort -R _21459 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_ix0.221459 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 21459 -c /usr/local/etc/snort/snort_21459_ix0.2/snort.conf -i ix0.2' returned exit code '1', the output was ''
FATAL ERROR: /usr/local/etc/snort/snort_21459_ix0.2/snort.conf(130) Bad overlap_limit in frag3 config. Positive integer parameter required.
The ix0.2 interface is my WAN interface. The config for the frag3 is the default one for the Snort. I haven't changed it
Has anyone else had this issue?
Thanks
-
Obviously there is an improper value in the field. The default value is "0" (zero).
Post back with the content of the
/usr/local/etc/snort/snort_21459_ix0.2/snort.conffile. Specifically the value on line 130 in that file. Let's see what is actually there.Also post a screenshot of the Frag3 settings in the GUI. Somehow an illegal value seems to be getting sent to Snort.
-
@bmeeks Thanks for the reply
Attached is the file. It is quite bigAnd this is the screenshot with the Frag3 settings
-
@jcascante said in Snort fails to start:
@bmeeks Thanks for the reply
Attached is the file. It is quite bigAnd this is the screenshot with the Frag3 settings
I see the error in your
snort.conffile. The "overlap-limit" parameter is empty, and that is not allowed.To see why, I need to see the Frag3 Engine configuration page. So on the page where you captured the screenshot above, click the pencil icon to the right of the "default" Server Configuration. That will open a second web page where the individual Frag3 settings for the default server will be shown. Let's see what the Overlap-Limit parameter is set for there. The default should be zero. Make sure an actual value is showing there and the field is not empty.
-
@bmeeks
Yes, I see that too. There is no value in the snort.conf fileOn the other side, in the Frag3 settings, the parameter is zero
Can I edit the snort.conf file and set zero in the "overlap-limit"?
-
@jcascante said in Snort fails to start:
@bmeeks
Yes, I see that too. There is no value in the snort.conf fileCan I edit the snort.conf file and set zero in the "overlap-limit"?
That file is overwritten each time you save changes and/or stop/restart Snort from the GUI. So any manual edit you make won't last.
Not sure why the zero is not getting written there properly. On the Engine Settings page (the one you last posted the screenshot of), try inputting a large number like 1024 or something. See if that takes and then lets Snort start up.
-
@bmeeks
Understood!
I will try to do that and let you know if it works -
@jcascante said in Snort fails to start:
@bmeeks
Understood!
I will try to do that and let you know if it worksIf that works, then try typing the zero back in there and saving the change. Then see if Snort starts. Really strange why it is not working unless there is actually a blank in the
config.xmlfile for that parameter. That section of code has not been changed in a quite a long time. -
@bmeeks
Hello, just to let you know the workaround works
I put a higher value in the "overlap-limit", then save the configuration, returned the value to zero, check the snort.conf file and this time it saved the value. Finally, I started the service and now it's workingThanks for your help
-
@jcascante said in Snort fails to start:
@bmeeks
Hello, just to let you know the workaround works
I put a higher value in the "overlap-limit", then save the configuration, returned the value to zero, check the snort.conf file and this time it saved the value. Finally, I started the service and now it's workingThanks for your help
Glad you got it working. That was an unusual issue. Sounds like something weird got saved in the
config.xmlfile for that particular parameter.
