Snort not starting on version 2.0 freebsd 8.0 11/10/09 (clean install)
-
Snort doesn't start on the 8.0 builds and doesn't even show an error in the system log. Any troubleshooting help would be greatly appreciated.
-
grandrivers
Post the output of this command.
cat /usr/local/etc/rc.d/snort.sh
James
-
Hope this helps shed some light on it:
cat /usr/local/etc/rc.d/snort.sh
#!/bin/sh
# This file was automatically generated
# by the service handler.
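rc_start() {
  # Bail out when the rule directory is missing or empty: Snort would start
  # with nothing to match, which is worse than a loud failure (exit 2).
  if [ "$(ls -A /usr/local/etc/snort/rules)" ]; then
    echo "rules exist"
  else
    echo "rules DONT exist"
    exit 2
  fi

  # No snort process -> any lock file is a leftover from an earlier run.
  if [ "$(pgrep -x snort)" = "" ]; then
    /bin/rm -f /tmp/snort.sh.pid
  fi

  # Snort already up -> only re-read the dynamic-IP config and exit 1 so
  # callers notice that nothing was (re)started.
  if [ "$(pgrep -x snort)" != "" ]; then
    logger -p daemon.info -i -t SnortStartup "Snort already running…"
    /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
    exit 1
  fi

  # Crude lock against a second copy of this script running concurrently.
  # NOTE(review): /tmp/snort.sh.pid and /tmp/snort.sh_startup.log are
  # predictable names in a world-writable directory -- any local user can
  # pre-create the lock file and keep Snort from starting, or redirect the
  # log append through a symlink. The paths are kept for compatibility with
  # whatever else reads them; moving them under /var/run and /var/log is
  # the proper fix.
  if [ -e /tmp/snort.sh.pid ]; then
    echo "snort.sh is running"
    exit 0
  else
    echo "snort.sh is not running"
  fi
  echo "snort.sh run" > /tmp/snort.sh.pid
  echo "snort.sh run" >> /tmp/snort.sh_startup.log

  # Clear leftover /var/run/snort_* files from the previous instances.
  rm -f /var/run/snort_*

  # Wired-memory figure before starting, for the summary log line below.
  # NOTE(review): relies on top printing a one-shot snapshot when its output
  # is a pipe -- confirm that holds on this FreeBSD release.
  BEFORE_MEM=$(top | grep Wired | awk '{print $12}')
  /bin/mkdir -p /var/log/snort
  /usr/bin/killall barnyard2
  sleep 4

  # One daemonized (-D) instance per monitored interface; -q suppresses the
  # start-up banner.
  snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em0 -q
  sleep 4
  snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em2 -q

  # Poll the system log (at most 60 x 2 s) until Snort reports that it
  # finished initializing, so the memory sample below reflects a loaded
  # rule set rather than a process still parsing its config.
  echo "Sleeping before final memory sampling..."
  WAITSECURE=60
  MYSNORTLOG=
  while [ "$MYSNORTLOG" = "" ] && [ "$WAITSECURE" -gt 0 ]; do
    sleep 2
    MYSNORTLOG=$(/usr/sbin/clog /var/log/system.log | grep snort | tail \
      | grep 'Snort initialization completed successfully')
    WAITSECURE=$((WAITSECURE - 1))
  done

  # Post-start sample plus the RSS column of the snort process; both end up
  # in one daemon.info line tagged SnortStartup.
  AFTER_MEM=$(top | grep Wired | awk '{print $12}')
  TOTAL_USAGE=$(top | grep snort | grep -v grep | awk '{ print $6 }')
  echo "Ram free BEFORE starting Snort: $BEFORE_MEM – Ram free AFTER starting Snort: $AFTER_MEM -- Mode ac-bnfa -- Snort memory usage: $TOTAL_USAGE" \
    | logger -p daemon.info -i -t SnortStartup
}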
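rc_stop() {
  # Stop the sensor and its unified2 spooler. killall returns non-zero when
  # nothing matched (already stopped); that is not an error here.
  /usr/bin/killall snort
  killall barnyard2

  # Give the processes time to exit: rc_start refuses to run while
  # 'pgrep -x snort' still finds one, so 'restart' would otherwise race
  # against the TERM just sent and bail out with "already running".
  # Bounded at 10 x 1 s so a wedged process cannot hang the rc script.
  local grace=10
  while [ "$(pgrep -x snort)" != "" ] && [ "$grace" -gt 0 ]; do
    sleep 1
    grace=$((grace - 1))
  done
}

case "$1" in
  start)
    rc_start
    ;;
  stop)
    rc_stop
    ;;
  restart)
    rc_stop
    rc_start
    ;;
esac
# cat /usr/local/etc/rc.d/snort.sh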
#: Command not found.
#!/bin/sh
/bin/sh: Event not found.
# This file was automatically generated
#: Command not found.
# by the service handler.
rc_start() {
#: Command not found.if [ "
ls -A /usr/local/etc/snort/rules
" ] ; thenrc_start() {
echo "rules exist"
Badly placed ()'s.
else
# echo "rules DONT exist"# exit 2
if [ "ls -A /usr/local/etc/snort/rules
" ] ; then
fi
if: Expression Syntax.if [ "
pgrep -x snort
" = "" ] ; then
# echo "rules exist"
rules exist
/bin/rm /tmp/snort.sh.pid
# else
fi
else? echo "rules DONT exist"else? if [ "
pgrep -x snort
" != "" ] ; then
exit 2
else? logger -p daemon.info -i -t SnortStartup "Snort already running…"
fi
else?
/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
else? if [ "pgrep -x snort
" = "" ] ; then
exit 1
else? /bin/rm /tmp/snort.sh.pid
else? fi
else?
else? if [ "pgrep -x snort
" != "" ] ; then
else? logger -p daemon.info -i -t SnortStartup "Snort already running…"
fi
else? /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
else? exit 1
else? fi
else?
else?
else? if ls /tmp/snort.sh.pid > /dev/null
else? then
else? echo "snort.sh is running"
else? exit 0
else? else
else? echo "snort.sh is not running"
else? fi
else?
else? echo "snort.sh run" > /tmp/snort.sh.pid
else?
else? echo "snort.sh run" >> /tmp/snort.sh_startup.log
else?
rm -f /var/run/snort_*
else? rm -f /var/run/snort_*
BEFORE_MEM=top | grep Wired | awk '{print $12}'
else? BEFORE_MEM=top | grep Wired | awk '{print $12}'
else? /bin/mkdir -p /var/log/snort
else? /usr/bin/killall barnyard2
else? sleep 4
else? snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em0 -q
else? sleep 4
else? snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i em2 -q
else?
else? echo "Sleeping before final memory sampling..."
else? WAITSECURE=60
else? while [ "$MYSNORTLOG" = "" -a $WAITSECURE -gt 0 ] ; do
else? sleep 2
else? MYSNORTLOG=/usr/sbin/clog /var/log/system.log | grep snort | tail | gre p 'Snort initialization completed successfully'
else? WAITSECURE=expr $WAITSECURE - 1
else? doneelse?
AFTER_MEM=top | grep Wired | awk '{print $12}'
else? AFTER_MEM=top | grep Wired | awk '{print $12}'
TOTAL_USAGE=top | grep snort | grep -v grep | awk '{ print $6 }'
else? TOTAL_USAGE=top | grep snort | grep -v grep | awk '{ print $6 }'
else? echo "Ram free BEFORE starting Snort: $BEFORE_MEM – Ram free AFTER star ting Snort: $AFTER_MEM -- Mode ac-bnfa -- Snort memory usage: $TOTAL_USAGE" | lo gger -p daemon.info -i -t SnortStartup
}
else?else? case $1 in
start)
else? }
rc_start
else?
else? ;;
rc_stop() {
stop)
else? /usr/bin/killall snort; killall barnyard2
rc_stop
else? }
;;
else?
else? restart)
case $1 in
rc_stop
else? start)
rc_start
else? ;;
rc_start
else? esac
;;
else? stop)
else? rc_stop
else? ;;
else? restart)
else? rc_stop
else? rc_start
else?
;;
else? esac
else?
else? # -
When I try to start Snort, this is all that shows in the system log:
Oct 31 04:48:27 SnortStartup[18444]: Ram free BEFORE starting Snort: 1785M – Ram free AFTER starting Snort: 1785M -- Mode ac-bnfa -- Snort memory usage:
-
This is what I get when trying to start Snort from the console; it looks like a missing library problem:
/libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"
-
Anyone have any ideas to help?
-
anyone?
-
grandrivers
Are you using the latest package?
Did you try updating the pfSense version?
James
-
-
I am using the latest snapshot and the latest Snort package, and it still looks like a missing library:
snort
/libexec/ld-elf.so.1: Shared object "libpcap.so.5" not found, required by "snort"
Sorry for the delay answering your questions, but I have been really busy at work.
That error may be because Snort needs to be compiled for FreeBSD 8.0.
Please post these commands.
pkg_info
and
find / | grep libpcap.so
James
-
pkg_info
libdnet-1.11_3 A simple interface to low level networking routines
mysql-client-5.1.34 Multithreaded SQL database (client)
pcre-7.9 Perl Compatible Regular Expressions library
perl-5.8.9_3 Practical Extraction and Report Language
snort-2.8.4.1_1 Lightweight network intrusion detection system
find / | grep libpcap.so
/lib/libpcap.so.7
/usr/local/lib/libpcap.so.3
/usr/local/lib/libpcap.so
/usr/lib/libpcap.so
-
grand
It seems 8.0 has updated the libpcap libraries, so the Snort binary will have to be built for 8.0.
A quick fix is to soft link so.7 with so.5.
ln /lib/libpcap.so.7 /lib/libpcap.so.5
James
-
Thank you very much. I had reversed the order of the libraries in the command.