Snort doesn't want to start after latest upgrade to Snort 4.1.6_12
-
I am using the Snort package for years without a problem. Tonight after upgrade to the latest version Snort doesn't want to start anymore.
This is what is in the system log:
-
I'm looking into this. Likely the issue is the $EXTERNAL_NET variable definition in the snort.conf file for the interface.
-
Thank you.
Do I have to do something?
Change some setting maybe? It always worked for years till now after the latest upgrade.
In snort.conf
-
@Gerard64 said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
Do I have to do something?
Change some setting maybe?
No, the problem is likely in the PHP code. I'm working now to verify on my test virtual machine. If it's what I think, I can give you a quick workaround in a few minutes that will suffice until I can update the package code.
-
Okay, it's a bug I fixed but didn't really fix. I must have somehow managed to leave the "fixed" file out of the Pull Request I sent to Netgate. I will get that fixed, but in the meantime do the following edit on your system to fix it --
Go to DIAGNOSTICS > EDIT FILE and then navigate to this file:
/usr/local/pkg/snort/snort_generate_conf.php
Find lines 41 and 42 in that file that look like this:
else { $external_net = "!$HOME_NET"; }
Edit line 42 to add a backslash character immediately before the dollar sign ($) character like this:
else { $external_net = "!\$HOME_NET"; }
Save the change to the file, then return to SERVICES > SNORT in the pfSense menu and choose any of your configured Snort interfaces to edit. Don't change anything, but simply scroll down and click the Save button. This will regenerate all the snort.conf files for the interfaces and fix the problem.
-
-
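Why the backslash in the workaround above matters, as an added example that is not part of the original posts and is not the package's own code. The function names are hypothetical, the sample config is constructed, and it assumes no PHP variable named $HOME_NET is in scope where the string is built.

```php
<?php
// Added illustration, not code from the pfSense Snort package.
// build_external_net() is a hypothetical stand-in for the generator branch.

function build_external_net(bool $escaped): string {
    if ($escaped) {
        // Backslash stops PHP interpolation: Snort receives the literal
        // text !$HOME_NET and resolves it against its own ipvar HOME_NET.
        return "!\$HOME_NET";
    }
    // Unescaped: PHP looks for its own variable $HOME_NET. Assumed undefined
    // here, so it expands to "" (PHP 8 also raises an "Undefined variable"
    // warning, silenced with @ to keep the demo output clean).
    return @"!$HOME_NET";
}

// Flag EXTERNAL_NET definitions that carry no address expression:
// an empty value or a bare negation.
function find_bad_external_net(string $conf): array {
    $bad = [];
    foreach (explode("\n", $conf) as $i => $line) {
        if (preg_match('/^\s*ipvar\s+EXTERNAL_NET\b\s*(.*)$/', $line, $m)
            && in_array(trim($m[1]), ['', '!', '![]'], true)) {
            $bad[] = sprintf('line %d: %s', $i + 1, trim($line));
        }
    }
    return $bad;
}

// Constructed sample configs, one per variant of the generator line.
foreach ([false, true] as $escaped) {
    $conf = "ipvar HOME_NET [192.0.2.0/24]\n"
          . 'ipvar EXTERNAL_NET ' . build_external_net($escaped) . "\n";
    $bad = find_bad_external_net($conf);
    printf("%s: %s\n", $escaped ? 'escaped' : 'unescaped',
           $bad ? implode('; ', $bad) : 'EXTERNAL_NET ok');
}
```

The same pattern check can be pointed at a regenerated snort.conf after saving the interface to confirm the EXTERNAL_NET line again references $HOME_NET.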
It didn't show up in my test virtual machine initially because I had the "fixed" file installed there. I had to package the Pull Requests for the update as two distinct requests based separately on the 2.7.0 CE branch and the 2.8 CE DEVEL branch. When I created the version of the 2.7.0 CE branch I somehow managed to use the wrong file in that one and thus the bug I thought I had fixed propagated over to the 2.7.0 CE branch.
I will submit a fix and ask the Netgate team to merge ASAP. Still will be at least tomorrow before it shows up, though. In the meantime, the fix I posted above will work.
-
The fix worked
Thank you for the quick fix.
-
@Gerard64 said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
The fix worked
Thank you for the quick fix.
Sorry for the problem. I was juggling two different source file versions and managed to somehow link the wrong one to the Pull Request for the package update. Will get that fixed.
-
Oh don't be.
We all make mistakes sometimes.
I am grateful for all the work you do for this nice package, thank you for that.
-
I've posted a new Pull Request for the Netgate developer team to review and merge that contains a permanent fix. It will likely be tomorrow, though, before that merge is completed and a new package built. The new package will be 4.1.6_13.
-
Same issue. I was able to resolve the problem with your posted fix. Thanks for the quick response.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
/usr/local/pkg/snort/snort_generate_conf.php
Thanks for the quick fix.
It worked for me too!
-
-
I had the same issue yesterday after upgrade to 4.6.11 to 4.6.12 and my snort just won't launch and got a fatal ERROR trying to launch snort daemon.
I've tried everything from reconfigure snort or reinstall the package won't help.
The last thing I did is try to upgrade my pfsense to the latest 2.7.1-RC and it prompted to downgrade Snort back to version 4.6.11 where it resolves the issue.
I don't dare to update snort again even now it prompts upgrade version 4.6.12 detected.
-
@feins said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
I had the same issue yesterday after upgrade to 4.6.11 to 4.6.12 and my snort just won't launch and got a fatal ERROR trying to launch snort daemon.
I've tried everything from reconfigure snort or reinstall the package won't help.
The last thing I did is try to upgrade my pfsense to the latest 2.7.1-RC and it prompted to downgrade Snort back to version 4.6.11 where it resolves the issue.
I don't dare to update snort again even now it prompts upgrade version 4.6.12 detected.
There is a fix for that FATAL ERROR bug. The 4.1.6_13 package contains the fix. That package should build overnight for the 2.7.1-RC branch. If you see that package version available, upgrading will be fine. Only 4.1.6_12 had the bug. The workaround fix for the bug is in one of my posts a bit farther up this same thread.
Packages are getting built at different times for the various pfSense versions out there now. Some are built immediately after the updated source code is posted, but others only build overnight on scheduled jobs. And some pfSense versions only rebuild packages every few days (this seems to be true for BETA and RC snapshots in particular).
-
@bmeeks Updated to 4.1.6_13 all is good. Thanks again for the quick fix.
-
This problem I think has re-appeared for 4.1.6_14.
Nov 25 08:05:05 php 74892 /tmp/snort_em0_startcmd.php: The command '/usr/local/bin/snort -R _29104 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_em029104 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 29104 -c /usr/local/etc/snort/snort_29104_em0/snort.conf -i em0' returned exit code '1', the output was 'ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
Snort has been running 100% until this update for me.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
This problem I think has re-appeared for 4.1.6_14.
Nov 25 08:05:05 php 74892 /tmp/snort_em0_startcmd.php: The command '/usr/local/bin/snort -R _29104 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l /var/log/snort/snort_em029104 --pid-path /var/run --nolock-pidfile --no-interface-pidfile -G 29104 -c /usr/local/etc/snort/snort_29104_em0/snort.conf -i em0' returned exit code '1', the output was 'ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
Snort has been running 100% until this update for me.
No, this has absolutely nothing to do with the original Signal 11 crash from the Kill States portion of the Legacy Blocking Mode nor with the $EXTERNAL_NET variable creation in snort.conf.
Look at the error message logged:
ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "snort"'
You have a shared library version problem. Have you updated any other package from an incorrect repo? That's one way that could happen.
-
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
You have a shared library version problem. Have you updated any other package from an incorrect repo? That's one way that could happen.
I've only upgraded through the UI/package manager within PFSense. I've tried re-installing with no luck. I was successfully on 4.1.6_13 before updating.
-
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@bmeeks said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:
You have a shared library version problem. Have you updated any other package from an incorrect repo? That's one way that could happen.
I've only upgraded through the UI/package manager within PFSense
What is your pfSense version? That error means you have a mixture of shared library versions on your system.