Snort Installation in 1.2.3 - Snort will not load



  • pfSense: 1.2.3
    Snort: 2.8.6 v. 1.27

    Hello all, I'm new to this forum and to pfSense. I've tried several open source UTM solutions, in fact my company markets (and I am technically responsible for) Untangle, and this is one of the most problem-free and robust solutions I've seen. I hope that I am posting this in the right place and that someone finds it relevant; I'm sure this is a rookie mistake I made here but I figure there must be at least one other person who has/will come up against this problem.

    After installation and basic configuration of pfSense I made a beeline for Snort (IDS/IPS is one area I feel Untangle, for example, is deficient in) and found the package installation mechanism to be simple, quick and error-free. I read James' FAQ and followed the tutorial for setup (thank you, btw); however, the most common options for each tab were not really covered (no doubt due to the fact that every install has different requirements) and so I groped through the settings as best I could and after updating rules I anxiously pressed the start button…nada. Snort would not start, and I was having a heck of a time figuring out why. The designated log location (/var/log/snort) held no useful logs relating to startup so I looked through the system logs but still could not find much relating to Snort startup; I'm sure I probably wasn't looking in the right place or something.

    Anyway, long story short, I found that I could only start Snort without rules...not very useful. (You guys with pfSense/Snort experience probably already know the problem.) So I examined the /usr/local/etc/rc.d/snort.sh file and found the basic command that was being issued to fire Snort up, modified it by removing the option to daemonize and be quiet, for example, and let it rip. The problem clarified itself considerably when I saw Snort crash after announcing that at least one of the rules that I was using requires the HTTP preprocessor to be enabled. I went to the 'Preprocessors' tab in the configuration for my Snort interface and it was right there; I enabled it, saved, etc. I then bounced to packages and, apprehensively, I hit the start button for Snort; bang, it fires right up and Snort is happily rooting through network traffic (being easier than I would have expected on my hardware resources, too).

    So if any other pfSense/Snort noobs can't get Snort running after following instructions, you may want to go and enable the HTTP preprocessor...it works wonders, lol.

    I am enjoying pfSense quite a bit and look forward to maybe leaning towards it for future deployments. Still testing and exploring.

    Best Regards.



  • Preprocessors are what Snort uses to identify an intrusion attempt. Rules are dependent on its preprocessors. Some categories and rules use different ones, hence the reason Snort was failing to start until the HTTP Preprocessor was enabled. The system log should say what rule fails because of what preprocessor.
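
The rule-to-preprocessor dependency discussed in this thread can be checked before pressing start. The following is an added example, not code from the thread, pfSense or Snort: it flags active rules that use HTTP-specific options when the configuration has no `preprocessor http_inspect` line. The option list is an assumed, non-exhaustive subset of Snort 2.x rule options, and the sample rules and config lines are constructed.

```python
import re

# Assumed, non-exhaustive subset of Snort 2.x rule options that depend on
# the http_inspect preprocessor being configured.
HTTP_OPTIONS = ("uricontent", "http_uri", "http_header", "http_method",
                "http_cookie", "http_client_body")
OPTION_RE = re.compile(r"[(;]\s*(" + "|".join(HTTP_OPTIONS) + r")\s*[:;]")
SID_RE = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+http_inspect\b", re.M)

# Constructed sample inputs (not taken from any real rule set or config).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed A"; content:"/admin"; http_uri; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"disabled"; uricontent:"/x"; sid:1000002; rev:1;)
alert tcp any any -> any 23 (msg:"constructed B"; content:"login"; sid:1000003; rev:1;)
"""
CONF_DISABLED = "# preprocessor http_inspect: global iis_unicode_map unicode.map 1252\n"
CONF_ENABLED = "preprocessor http_inspect: global iis_unicode_map unicode.map 1252\n"


def http_inspect_enabled(conf_text):
    """True if the config has an uncommented 'preprocessor http_inspect' line."""
    return bool(PREPROC_RE.search(conf_text))


def rules_needing_http_inspect(rules_text):
    """Return [(sid, option), ...] for active rules using HTTP-only options."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled rules
            continue
        opt = OPTION_RE.search(line)
        if opt:
            sid = SID_RE.search(line)
            hits.append((sid.group(1) if sid else "?", opt.group(1)))
    return hits


def preflight(conf_text, rules_text):
    """Rules that would block startup; empty if http_inspect is enabled."""
    if http_inspect_enabled(conf_text):
        return []
    return rules_needing_http_inspect(rules_text)


if __name__ == "__main__":
    for sid, opt in preflight(CONF_DISABLED, SAMPLE_RULES):
        print(f"sid {sid} uses '{opt}' but http_inspect is not enabled")
```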



  • Cool. Figured it was a rookie mistake. Thanks for taking the time to explain :)

    Cheers!

