Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort fails to start

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 524 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TinEXteR
      last edited by

      Hi:

      I am using a new install with FreeBSD pfSense.localdomain 14.0-CURRENT FreeBSD 14.0-CURRENT #0 devel-main-n255825-17d2b04a49e: Wed Jan 25 16:38:12 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-master-main/obj/amd64/4wxSDEIl/var/jenkins/workspace/pfSense-CE-snapshots-master-main/sources/FreeBSD-src-devel-main/amd64.amd64/sys/pfSense amd64 1400073, snapshot development version.

      I installed it with the most current saved config file, and it is working however I am unable to get Snort to start. I get the following in the log when it tries to start:

      Jan 25 21:22:25 snort 87347 FATAL ERROR: /usr/local/etc/snort/snort_61590_em0/snort.conf(199) Perfmonitor: Invalid argument to "max_file_size". The value must be an integer between 4096 and 2147483647.

      Please let me know if there is any more info needed to help debug this. Any help fixing this issue would be appreciated.

      Thanks in advance.

      1 Reply Last reply Reply Quote 0
      • T
        TinEXteR
        last edited by

        Adding a resolution to the issue for me.

        The error was on line 199 in the config file:
        FATAL ERROR: /usr/local/etc/snort/snort_61590_em0/snort.conf(199)

        198 # Performance Statistics #
        199 preprocessor perfmonitor: time 300 file /var/log/snort/snort_em061590/em0.stats pktcnt 10000 max_file_size 8192

        Previously there was a "0" (zero) at the end of the line. I opened the file in vi, changed the 0 to 8192, saved the file and restarted Snort. Snort is now running normally. Hope this helps.

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          I see the problem. It is a typo in the PHP code. There is a period '.' where there should instead be a comma ','. That happened during the modifications required for PHP 8.1 compatibility.

          I will submit a fix to the Netgate team, but it may take a day or two for them to merge it.

          In the meantime, here is a workaround fix:

          1. Edit the file usr/local/pkg/snort/snort_generate_conf.php and locate line #253 in the file.

          2. It reads as follows:

          if (config_get_path('installedpackages/snortglobal/stats_log_limit_size'. '0') != '0')
          1. Change the period to a comma as shown below:
          if (config_get_path('installedpackages/snortglobal/stats_log_limit_size', '0') != '0')
          1. Save the file edit.

          Failure to make this PHP code edit will result in an invalid snort.conf being created each time Snort is started because the snort.conf is recreated each time Snort starts.

          1 Reply Last reply Reply Quote 2
          • bmeeksB
            bmeeks
            last edited by

            I have created and submitted a pull request for the Netgate developer team to review and merge. The request is posted here: https://github.com/pfsense/FreeBSD-ports/pull/1221.

            Once this is merged into the pfSense snapshot branches, a new Snort GUI package version will appear (version 4.1.6_5). It may take a bit to get merged and built because the team is quite busy prepping the upcoming new pfSense releases.

            1 Reply Last reply Reply Quote 1
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.