Snort not starting on version 2.0 freebsd 8.0 11/10/09 (clean install)



  • Snort doesn't start on the 8.0 builds, and it doesn't even log an error to the system log. Any troubleshooting help would be greatly appreciated.



  • grandrivers

    Post the output of this command.

    cat /usr/local/etc/rc.d/snort.sh

    James



  • Hope this helps shed some light on it.

    cat /usr/local/etc/rc.d/snort.sh

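    #!/bin/sh
    # /usr/local/etc/rc.d/snort.sh
    #
    # This file was automatically generated by the service handler.
    # Starts/stops the Snort IDS on the em0 and em2 interfaces and reports
    # memory usage before and after start-up to syslog (tag SnortStartup).
    #
    # NOTE(review): as pasted on the forum the listing had lost its backtick
    # command substitutions, so every test compared a literal string such as
    # "pgrep -x snort" instead of the command's output. They are restored here
    # as $(...). Exec-time failures of the snort binary (for example a missing
    # shared library) are now also reported to syslog instead of being lost.

    SNORT_BIN=snort
    SNORT_CONF=/usr/local/etc/snort/snort.conf
    SNORT_RULES=/usr/local/etc/snort/rules
    SNORT_LOGDIR=/var/log/snort
    SNORT_IFACES="em0 em2"
    # Lock and start-up log keep their original locations for compatibility.
    # NOTE(review): both live in world-writable /tmp and are written by root,
    # so any local user can pre-create or symlink them; the lock is taken with
    # O_EXCL below and the log append refuses symlinks, but moving both under
    # /var/run or /var/log would be the cleaner fix.
    LOCKFILE=/tmp/snort.sh.pid
    STARTUP_LOG=/tmp/snort.sh_startup.log

    # Start one detached snort instance on interface $1.
    # Snort is started with -D, so its exit status only reflects failures that
    # happen before it daemonizes (the dynamic loader refusing to run it, a bad
    # option); those messages go to stderr, which the rc system discards, so
    # they are captured and forwarded to syslog. Configuration errors raised
    # after snort has forked are caught by the system.log wait in rc_start.
    start_snort_on() {
        errfile=$(mktemp /tmp/snort.sh.err.XXXXXX) || errfile=/dev/null
        "$SNORT_BIN" -c "$SNORT_CONF" -l "$SNORT_LOGDIR" -D -i "$1" -q 2>"$errfile"
        rc=$?
        if [ "$rc" -ne 0 ] ; then
            logger -p daemon.err -i -t SnortStartup "snort failed to start on $1 (exit $rc): $(head -n 3 "$errfile" 2>/dev/null)"
        fi
        [ "$errfile" != /dev/null ] && rm -f "$errfile"
    }

    rc_start() {
        # An IDS with no rules inspects nothing, so refuse to start without a
        # populated rules directory.
        if [ -n "$(ls -A "$SNORT_RULES" 2>/dev/null)" ] ; then
            echo "rules exist"
        else
            echo "rules DONT exist"
            exit 2
        fi

        # A lock left by a previous run whose snort has since died is stale;
        # otherwise snort is up and only needs its dynamic IP list reloaded.
        if [ -z "$(pgrep -x snort)" ] ; then
            /bin/rm -f "$LOCKFILE"
        else
            logger -p daemon.info -i -t SnortStartup "Snort already running…"
            /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
            exit 1
        fi

        # Take the lock atomically: with noclobber, ">" opens with O_EXCL and
        # fails if the path already exists (including as a symlink planted in
        # /tmp), which closes the check-then-create race of an "ls; echo >" pair.
        if ( set -C ; echo "snort.sh run" > "$LOCKFILE" ) 2>/dev/null ; then
            echo "snort.sh is not running"
        else
            echo "snort.sh is running"
            exit 0
        fi

        # Append-only marker; do not follow a symlink as root.
        if [ -L "$STARTUP_LOG" ] ; then
            logger -p daemon.err -i -t SnortStartup "$STARTUP_LOG is a symlink, not appending"
        else
            echo "snort.sh run" >> "$STARTUP_LOG"
        fi

        rm -f /var/run/snort_*
        BEFORE_MEM=$(top | grep Wired | awk '{print $12}')
        /bin/mkdir -p "$SNORT_LOGDIR"
        /usr/bin/killall barnyard2
        # $SNORT_IFACES is deliberately unquoted: it is a space-separated list.
        for iface in $SNORT_IFACES ; do
            sleep 4
            start_snort_on "$iface"
        done

        # Wait up to 60 x 2s for snort to announce a successful initialization
        # in the system log before sampling memory.
        # NOTE(review): this matches any "initialization completed" line among
        # the last ten snort entries, so a message left by an earlier run can
        # satisfy the wait even if this start failed.
        echo "Sleeping before final memory sampling..."
        WAITSECURE=60
        MYSNORTLOG=
        while [ -z "$MYSNORTLOG" ] && [ "$WAITSECURE" -gt 0 ] ; do
            sleep 2
            MYSNORTLOG=$(/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully')
            WAITSECURE=$((WAITSECURE - 1))
        done
        if [ -z "$MYSNORTLOG" ] ; then
            logger -p daemon.err -i -t SnortStartup "Snort did not report successful initialization within 120s"
        fi

        AFTER_MEM=$(top | grep Wired | awk '{print $12}')
        # Empty when no snort process exists, i.e. when start-up failed.
        TOTAL_USAGE=$(top | grep snort | grep -v grep | awk '{ print $6 }')
        echo "Ram free BEFORE starting Snort: $BEFORE_MEM – Ram free AFTER starting Snort: $AFTER_MEM -- Mode ac-bnfa -- Snort memory usage: $TOTAL_USAGE" | logger -p daemon.info -i -t SnortStartup
    }

    rc_stop() {
        /usr/bin/killall snort
        /usr/bin/killall barnyard2
        # Drop the lock so the next start is not refused as already running.
        /bin/rm -f "$LOCKFILE"
    }

    case "${1:-}" in
        start)
            rc_start
            ;;
        stop)
            rc_stop
            ;;
        restart)
            rc_stop
            rc_start
            ;;
    esac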

    # cat /usr/local/etc/rc.d/snort.sh

    #: Command not found.

    #!/bin/sh

    /bin/sh: Event not found.

    # This file was automatically generated

    #: Command not found.

    # by the  service handler.

    rc_start() {
    #: Command not found.

    if [ "ls -A /usr/local/etc/snort/rules" ] ; then

    rc_start() {

    echo "rules exist"
    Badly placed ()'s.
            else
    #        echo "rules DONT exist"

    #        exit 2
            if [ "ls -A /usr/local/etc/snort/rules" ] ; then
            fi
    if: Expression Syntax.

    if [ "pgrep -x snort" = "" ] ; then
    #        echo "rules exist"
    rules exist
            /bin/rm /tmp/snort.sh.pid
    #        else
            fi
    else?        echo "rules DONT exist"

    else?        if [ "pgrep -x snort" != "" ] ; then
            exit 2
    else?        logger -p daemon.info -i -t SnortStartup "Snort already running…"
            fi
    else?
            /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
    else?        if [ "pgrep -x snort" = "" ] ; then
            exit 1
    else?        /bin/rm /tmp/snort.sh.pid
    else?        fi
    else?
    else?        if [ "pgrep -x snort" != "" ] ; then
    else?        logger -p daemon.info -i -t SnortStartup "Snort already running…"
            fi
    else?        /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
    else?        exit 1
    else?        fi
    else?
    else?
    else? if ls /tmp/snort.sh.pid > /dev/null
    else? then
    else?    echo "snort.sh is running"
    else?    exit 0
    else? else
    else?    echo "snort.sh is not running"
    else? fi
    else?
    else? echo "snort.sh run" > /tmp/snort.sh.pid
    else?
    else? echo "snort.sh run" >> /tmp/snort.sh_startup.log
    else?
    rm -f /var/run/snort_*
    else? rm -f /var/run/snort_*
    BEFORE_MEM=top | grep Wired | awk '{print $12}'
    else? BEFORE_MEM=top | grep Wired | awk '{print $12}'
    else? /bin/mkdir -p /var/log/snort
    else? /usr/bin/killall barnyard2
    else? sleep 4
    else? snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em0 -q
    else? sleep 4
    else? snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em2 -q
    else?
    else? echo "Sleeping before final memory sampling..."
    else? WAITSECURE=60
    else? while [ "$MYSNORTLOG" = "" -a $WAITSECURE -gt 0 ] ; do
    else?        sleep 2
    else?        MYSNORTLOG=/usr/sbin/clog /var/log/system.log | grep snort | tail | gre                                            p 'Snort initialization completed successfully'
    else?        WAITSECURE=expr $WAITSECURE - 1
    else? done

    else?
            AFTER_MEM=top | grep Wired | awk '{print $12}'
    else?        AFTER_MEM=top | grep Wired | awk '{print $12}'
            TOTAL_USAGE=top | grep snort | grep -v grep | awk '{ print $6 }'
    else?        TOTAL_USAGE=top | grep snort | grep -v grep | awk '{ print $6 }'
    else?        echo "Ram free BEFORE starting Snort: $BEFORE_MEM – Ram free AFTER star                                            ting Snort: $AFTER_MEM -- Mode ac-bnfa -- Snort memory usage: $TOTAL_USAGE" | lo                                            gger -p daemon.info -i -t SnortStartup
    }
    else?

    else? case $1 in

    start)
    else? }
                    rc_start
    else?
    else?                ;;
    rc_stop() {
            stop)
    else?        /usr/bin/killall snort; killall barnyard2
                    rc_stop
    else? }
                    ;;
    else?
    else?        restart)
    case $1 in
                    rc_stop
    else?        start)
                    rc_start
    else?                ;;
                    rc_start
    else? esac
                    ;;
    else?        stop)
    else?                rc_stop
    else?                ;;
    else?        restart)
    else?                rc_stop
    else?                rc_start
    else?
                    ;;
    else? esac
    else?
    else? #



  • When I try to start Snort, this is all that shows up in the system log. (Note the empty "Snort memory usage" field: the start-up script fills that value from a running snort process, so snort never actually came up.)

    Oct 31 04:48:27 SnortStartup[18444]: Ram free BEFORE starting Snort: 1785M – Ram free AFTER starting Snort: 1785M -- Mode ac-bnfa -- Snort memory usage:



  • This is what I get when trying to start Snort from the console; it looks like a missing-library problem:

    /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"



  • anyone have any ideas to help



  • anyone?



  • grandrivers

    Are you using the latest package ?

    Did you try updating the pfsense version ?

    James



  • I am using the latest snapshot and the latest Snort package, and it still looks like a missing library:

    snort

    /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"



  • @grandrivers:

    I am using latest snapshot and the latest snort package and still looks like a missing lib

    snort

    /libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"

    Sorry for the slow reply to your questions, but I have been really busy at work.

    That error may be because the Snort binary needs to be compiled for FreeBSD 8.0.

    Please post the output of these commands.

    pkg_info

    and

    find / | grep libpcap.so

    James



  • pkg_info

    libdnet-1.11_3      A simple interface to low level networking routines
    mysql-client-5.1.34 Multithreaded SQL database (client)
    pcre-7.9            Perl Compatible Regular Expressions library
    perl-5.8.9_3        Practical Extraction and Report Language
    snort-2.8.4.1_1    Lightweight network intrusion detection system

    find / | grep libpcap.so

    /lib/libpcap.so.7
    /usr/local/lib/libpcap.so.3
    /usr/local/lib/libpcap.so
    /usr/lib/libpcap.so



  • grand

    It seems 8.0 has updated the libpcap libs: the base system now ships /lib/libpcap.so.7, while your snort binary was linked against libpcap.so.5. So the snort binary will have to be built for 8.0.

    A quick workaround is to symlink so.7 as so.5:

    ln -s /lib/libpcap.so.7 /lib/libpcap.so.5

    (The command as originally posted was `ln /lib/libpcap.so.7 /lib/libpcap.so.5`, which creates a hard link rather than a soft link.) Either way, treat this as a hack, not a fix: the soname changed because the library ABI changed, so a binary built against .so.5 may crash or misbehave when loaded against .so.7, and an IDS that silently misbehaves is worse than one that refuses to start. After linking, confirm that snort actually initializes and sees traffic (look for "Snort initialization completed successfully" in the system log), and replace the package with one built for 8.0 as soon as possible. The link is also created outside the package system, so nothing will clean it up or warn about it on upgrade.

    James



  • Thank you very much. I had reversed the order of the two library paths (target and link name) in the ln command.

