Netgate Discussion Forum

    Snort not starting on version 2.0 freebsd 8.0 11/10/09 (clean install)

    • grandrivers

      Snort doesn't start on the 8.0 builds, not even showing an error in the system log. Any troubleshooting help would be greatly appreciated.

      pfsense plus 25.03 super micro A1SRM-2558F
      C2558 32gig ECC  60gig SSD

      • jamesdean

        grandrivers

        Post this command up.

        cat /usr/local/etc/rc.d/snort.sh

        James

        • grandrivers

          hope this helps shed some light on it

          cat /usr/local/etc/rc.d/snort.sh

          #!/bin/sh
          # This file was automatically generated
          # by the  service handler.

          rc_start() {

          if [ "`ls -A /usr/local/etc/snort/rules`" ] ; then
                  echo "rules exist"
                  else
                  echo "rules DONT exist"
                  exit 2
                  fi

          if [ "`pgrep -x snort`" = "" ] ; then
                  /bin/rm /tmp/snort.sh.pid
                  fi

          if [ "`pgrep -x snort`" != "" ] ; then
                  logger -p daemon.info -i -t SnortStartup "Snort already running..."
                  /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
                  exit 1
                  fi

          if ls /tmp/snort.sh.pid > /dev/null
          then
              echo "snort.sh is running"
              exit 0
          else
              echo "snort.sh is not running"
          fi

          echo "snort.sh run" > /tmp/snort.sh.pid

          echo "snort.sh run" >> /tmp/snort.sh_startup.log

          rm -f /var/run/snort_*
          BEFORE_MEM=`top | grep Wired | awk '{print $12}'`
          /bin/mkdir -p /var/log/snort
          /usr/bin/killall barnyard2
          sleep 4
          snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em0 -q
          sleep 4
          snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em2 -q

          echo "Sleeping before final memory sampling..."
          WAITSECURE=60
          while [ "$MYSNORTLOG" = "" -a $WAITSECURE -gt 0 ] ; do
                  sleep 2
                  MYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`
                  WAITSECURE=`expr $WAITSECURE - 1`
          done

          AFTER_MEM=`top | grep Wired | awk '{print $12}'`
                  TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print $6 }'`
                  echo "Ram free BEFORE starting Snort: $BEFORE_MEM -- Ram free AFTER starting Snort: $AFTER_MEM -- Mode ac-bnfa -- Snort memory usage: $TOTAL_USAGE" | logger -p daemon.info -i -t SnortStartup

          }

          rc_stop() {
                  /usr/bin/killall snort; killall barnyard2
          }

          case $1 in
                  start)
                          rc_start
                          ;;
                  stop)
                          rc_stop
                          ;;
                  restart)
                          rc_stop
                          rc_start
                          ;;
          esac

          • grandrivers

            When I try to start snort, this is all that shows in the system log:

            Oct 31 04:48:27 SnortStartup[18444]: Ram free BEFORE starting Snort: 1785M – Ram free AFTER starting Snort: 1785M -- Mode ac-bnfa -- Snort memory usage:

            • grandrivers

              This is what I get when trying to start snort from the console; looks like it's a missing lib problem:

              /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort

              • grandrivers

                anyone have any ideas to help

                • grandrivers

                  anyone?

                  • jamesdean

                    grandrivers

                    Are you using the latest package?

                    Did you try updating the pfSense version?

                    James

                    • grandrivers

                      I am using the latest snapshot and the latest snort package, and it still looks like a missing lib:

                      snort

                      /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"

                      • jamesdean

                        @grandrivers:

                        I am using latest snapshot and the latest snort package and still looks like a missing lib

                        snort

                        /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"

                        Sorry about your questions, but I've been really busy at work.

                        That error may be because snort needs to be compiled for FreeBSD 8.0.

                        Please post these commands.

                        pkg_info

                        and

                        find / | grep libpcap.so

                        James

                        • grandrivers

                          pkg_info

                          libdnet-1.11_3      A simple interface to low level networking routines
                          mysql-client-5.1.34 Multithreaded SQL database (client)
                          pcre-7.9            Perl Compatible Regular Expressions library
                          perl-5.8.9_3        Practical Extraction and Report Language
                          snort-2.8.4.1_1    Lightweight network intrusion detection system

                          find / | grep libpcap.so

                          /lib/libpcap.so.7
                          /usr/local/lib/libpcap.so.3
                          /usr/local/lib/libpcap.so
                          /usr/lib/libpcap.so

                          • jamesdean

                            grand

                            It seems 8.0 has updated the libpcap libs. So snort binary will have to be built for 8.0.

                            A quick fix is to soft link so.7 with so.5.

                            ln /lib/libpcap.so.7 /lib/libpcap.so.5

                            James

                            • grandrivers

                              Thank you very much, I had reversed the order of the libs in the command.


                              1 Reply Last reply Reply Quote 0
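
Added example, not part of the thread or of the pfSense package: the rc script posted above starts snort with `-D -q` and logged nothing when the runtime linker failed, so the sensor was down with no alert. This sketch parses `ldd` output before startup and reports each unresolved soname next to the versions actually installed; a different major number (`so.7` vs `so.5`) signals a changed ABI, which is why rebuilding the binary is the lasting fix. The `ldd` sample and the snort path are constructed, the library paths are the ones posted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report shared objects the runtime linker cannot resolve
# before a daemon is started. Function names are hypothetical.

# Read `ldd` output on stdin; print each unresolved soname, one per line.
missing_libs() {
    awk '/=> *not found/ { print $1 }'
}

# $1 = daemon name, $2 = newline-separated list of installed library paths.
# Reads `ldd` output on stdin. Prints one line per missing soname together
# with the installed files of the same library; returns 1 if any is missing.
preflight_report() {
    rc=0
    for so in $(missing_libs); do
        base="${so%.so*}.so"                 # libpcap.so.5 -> libpcap.so
        found=$(printf '%s\n' "$2" | grep -F "/$base" | paste -sd ' ' -)
        echo "$1: $so not found; installed: ${found:-none}"
        rc=1
    done
    return $rc
}

# Constructed ldd output (binary path and load addresses are invented).
SAMPLE_LDD='/usr/local/bin/snort:
    libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x2815f000)
    libpcap.so.5 => not found (0x0)
    libc.so.7 => /lib/libc.so.7 (0x28191000)'

# Library paths as posted in the thread (find / | grep libpcap.so).
SAMPLE_FILES='/lib/libpcap.so.7
/usr/local/lib/libpcap.so.3
/usr/local/lib/libpcap.so
/usr/lib/libpcap.so'

# Demo on the samples. On a live system, feed it `ldd <path to snort>` and
# pipe the report to: logger -p daemon.err -t SnortStartup
printf '%s\n' "$SAMPLE_LDD" | preflight_report snort "$SAMPLE_FILES" || true
```
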