Netgate Discussion Forum

    Latest SNORT fails to start

      Pistolero

      Hi JamesDean,

      First off, let me THANK YOU for your hard work and kick-ass SNORT package.

      I am having an issue with the latest build I installed this morning (Running 1.2.3 Release with SNORT 2.8.6.1 pkg 1.3.4). I can't get SNORT to start. All I see are these errors in the system log:

      Sep 10 07:22:23 SnortStartup[6459]: Interface Rule START for 0_18690_em0…
      Sep 10 07:22:23 snort[6457]: FATAL ERROR: /usr/local/etc/snort/snort_18690_em0/snort.conf(41) Missing argument to HOME_NET
      Sep 10 07:22:23 snort[6457]: FATAL ERROR: /usr/local/etc/snort/snort_18690_em0/snort.conf(41) Missing argument to HOME_NET
      Sep 10 07:22:23 snort[6457]: Parsing Rules file "/usr/local/etc/snort/snort_18690_em0/snort.conf"
      Sep 10 07:22:23 snort[6457]: Parsing Rules file "/usr/local/etc/snort/snort_18690_em0/snort.conf"

      I tried looking into the snort.conf file, but since I really have no clue what to do there, I saw nothing glaringly wrong… Could you please assist?

      PS: Also, the UPDATE RULES button seems not to work any longer in Opera. :-[

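The startup failure reported in the first post, as an added example (not code from the Snort package or from anyone in this thread): a pre-flight check that scans a snort.conf for `var`, `ipvar` or `portvar` declarations that have a name but no value, and reports them in the same file(line) form as the log above. The function names and the sample configuration are constructed for illustration.

```python
import re

# Snort 2.x variable declarations: "var NAME value", "ipvar NAME value", "portvar NAME value"
VAR_RE = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s*(.*)$")

# Constructed sample, not the package's real generated file.
SAMPLE_CONF = """\
# constructed sample configuration
var HOME_NET
var EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS 80
var DNS_SERVERS \\
    $HOME_NET
"""

def join_continuations(text):
    """Yield (first_line_number, logical_line), merging lines that end in a backslash."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:          # file ended on a dangling continuation
        yield start, buf

def find_empty_vars(text, path="snort.conf"):
    """Return one message per variable declaration that has no value."""
    problems = []
    for lineno, line in join_continuations(text):
        line = line.split("#", 1)[0]            # drop trailing comments
        m = VAR_RE.match(line)
        if m and not m.group(3).strip():
            problems.append(f"{path}({lineno}) Missing argument to {m.group(2)}")
    return problems

if __name__ == "__main__":
    for problem in find_empty_vars(SAMPLE_CONF):
        print(problem)
```

Snort's own test mode (`snort -T -c <path to snort.conf>`) performs the full parse and is the authoritative check; this sketch only covers empty variable declarations.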
        pneumoboy

        I just upgraded as well and I am seeing the exact same thing. I have only done preliminary troubleshooting.

        I attempted to update the rules using Firefox and IE, but neither worked (nothing happens - no errors). Also the tabs across the top of the update screen (for Rule Update, Custom, GUI) don't seem to work.

        I did attempt to uninstall SNORT, followed by a reinstall with no improvement.

        Running 1.2.3 Release with SNORT 2.8.6.1 pkg 1.3.4

        PS: Thanks for all the hard work!

          jamesdean

          Sorry about that.
          Doing code clean up.

          Fixed….

          You can do a reinstall now.

          James

            Pistolero

            Thankee-Sai! Should I remove and re-install now?

              Pistolero

              THANK YOU, it works!

              FYI, since the last build (1.3.3) I show N/A SNORT.ORG rule version after updates. I do have an oinkcode and everything… (screenie attached)

              Am I still getting the snort.org rule updates?

              sshot-570.png

                pneumoboy

                Works for me too. Thanks JamesDean.

                  jamesdean

                  @Pistolero:

                  THANK YOU, it works!

                  FYI, since the last build (1.3.3) I show N/A SNORT.ORG rule version after updates. I do have an oinkcode and everything… (screenie attached)

                  Am I still getting the snort.org rule updates?

                  I'll update on the next release.

                  Thank you
                  James

                    XIII

                    When it breaks usually jamesdean already knows it's broken, I just wait a few hours then try again, if it still doesn't work he has usually posted something on the forum stating what's wrong. He is very quick at fixing problems with the packages he manages. Thank you for all your hard work with this package.

                    -Chris Stutzman
                    Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                    Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD

                      darklogic

                      Resolved my issue, but I believe I came across another issue that causes false positives. When I enable SMTP Normalizer under the SNORT Preprocessors, I will get this alert and then the host will get blocked, for example:

                      IP: XX.XX.XX.XX  Alert Description: (SMTP) Attempted response buffer overflow 766 chars

                      The odd thing about this alert and block is it only happens when our network is e-mailing a remote network mail server, but the attack alert looks like it came from the network we are transmitting the e-mail to???

                      No, our network is not infected with some spammer bot, 2nd, our LAN rules only allow outbound SMTP from only one machine and that is our mail server, 3rd, the attack looks like it comes from the remote network but will only generate when someone sends an e-mail to someone from out of our network.

                      Why is this a problem? Well, one, they did not send us the e-mail, we did; 2nd reason is if they want to reply back to the sent out e-mail, the e-mail will not make it to our mail servers until their IP gets released from the block list.

                      Can anyone else reproduce this issue or have experienced this with the SMTP normalizer preprocessor? I noticed something odd with the SCAN preprocessor as well, but not sure enough to commit.

                      Thanks for any help.

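The alert direction described in the post above, as an added example (a simplified model, not Snort's code and not from anyone in this thread): the SMTP preprocessor's response-length check looks at lines sent by the server, so on outbound mail the offending packet, and therefore the alert source that gets blocked, is the remote mail server. The addresses, the session and the 512 limit (the preprocessor's `max_response_line_len` option) are assumptions constructed for illustration; the thread does not show the configured value.

```python
# Constructed session using documentation address ranges (RFC 5737).
LOCAL_MAIL = "192.0.2.10"       # our mail server, acting as SMTP client
REMOTE_MX = "198.51.100.25"     # the remote network's mail server
LIMIT = 512                     # assumed max_response_line_len setting

SESSION = [
    # (src_ip, src_port, dst_ip, dst_port, payload)
    (REMOTE_MX, 25, LOCAL_MAIL, 40000, b"220 mx.example.net ESMTP\r\n"),
    (LOCAL_MAIL, 40000, REMOTE_MX, 25, b"EHLO mail.example.org\r\n"),
    # second reply line is "250 " plus 762 filler bytes = 766 chars
    (REMOTE_MX, 25, LOCAL_MAIL, 40000,
     b"250-mx.example.net\r\n250 " + b"X" * 762 + b"\r\n"),
    (LOCAL_MAIL, 40000, REMOTE_MX, 25, b"MAIL FROM:<user@example.org>\r\n"),
]

def check_responses(packets, limit=LIMIT, smtp_port=25):
    """Flag server-to-client lines longer than limit; limit 0 disables the check."""
    alerts = []
    for src, sport, dst, dport, payload in packets:
        if sport != smtp_port:      # commands from the client are not responses
            continue
        for line in payload.split(b"\r\n"):
            if limit and len(line) > limit:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "msg": f"(SMTP) Attempted response buffer overflow {len(line)} chars",
                })
    return alerts

def hosts_blocked(alerts):
    """A block-the-alert-source policy blocks whoever sent the offending packet."""
    return sorted({a["src"] for a in alerts})

if __name__ == "__main__":
    for alert in check_responses(SESSION):
        print(alert["src"], "->", alert["dst"], alert["msg"])
    print("blocked:", hosts_blocked(check_responses(SESSION)))
    print("with limit 1024:", check_responses(SESSION, limit=1024))
```

With the limit raised above the longest legitimate reply line, or set to 0, the same session produces no alert and nothing is blocked.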
                        tnorbut13

                        I am experiencing the same issue.  Can't find anything on the boards about it.  Anybody?
