Snort Won't Start After Upgrade



  • Hello all-

    I just upgraded my pfsense firewall (from a snap on Tuesday May 31 to a snap today 2.0-RC2 (amd64) built on Tue Jun 7 06:12:50 EDT 2011).

    After I update SNORT with my oinkcode, add the interface and categories etc. it will not start.  If I try and start it via command line this is the error I get: ‘/libexec/ld-elf.so.1: Shared object “libpcap.so.1” not found, required by “snort”’.

    I unchecked all the categories I had selected and tried to restart the SNORT service, didn’t make a difference.

    Any ideas on how to fix this?

    Thanks,

    -th3r3isnospoon



  • Plus 1 here… same issue.

    I did a clean install of the latest snapshot… thrice… Same issue.

    Something has definitely gone wrong with the Snort package.



  • I am not having problems with snort at all.  I know one important thing must be done right after an upgrade of pfsense.  You must manually update your rules in the snort>updates tab before trying to start since there’s no sync after install.  When it reinstalls the package, the snort rules get deleted.



  • @LostInIgnorance:

    I am not having problems with snort at all.  I know one important thing must be done right after an upgrade of pfsense.  You must manually update your rules in the snort>updates tab before trying to start since there’s no sync after install.  When it reinstalls the package, the snort rules get deleted.

    Yes sir.  Before I make any changes the first thing I do is update the rules, then do the config.  Guess I will just have to keep messing with it.  Strange thing is, I’ve always done the same thing after upgrading to the latest snap, this is the first time it broke for me.

    -th3r3isnospoon



  • any success?

    I am now back on the June 1st snapshot but haven’t installed snort yet.



  • I recently deployed 6 PFS 2.0RC2 boxes. The first two were deployed a week or so ago and I installed snort via the package manager; the other ones were installed a few days after. I have noticed on the more recently built servers I am having the same issue with snort failing to start.

    As others have noticed, it appears to be an issue with the dynamic link to libpcap. The WORKING snort I had installed was exactly the same version (2.8.6.1 pkg v. 1.34) as the “broken” snort installs, except the difference is the working snort installation has the following:

    $ ldd /usr/local/bin/snort
    /usr/local/bin/snort:
    libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f9000)
    libpcap.so.7 => /lib/libpcap.so.7 (0x800835000)
    libm.so.5 => /lib/libm.so.5 (0x800966000)
    libc.so.7 => /lib/libc.so.7 (0x800a85000)

    The non working version has the following:

    $ ldd /usr/local/bin/snort
    /usr/local/bin/snort:
    libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
    libpcap.so.1 => not found (0x0)
    libm.so.5 => /lib/libm.so.5 (0x800830000)
    libc.so.7 => /lib/libc.so.7 (0x80094f000)

    My resolution was this:

    ln -s /lib/libpcap.so.7 /lib/libpcap.so.1

    the result is:

    $ ldd /usr/local/bin/snort
    /usr/local/bin/snort:
    libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
    libpcap.so.1 => /lib/libpcap.so.1 (0x800830000)
    libm.so.5 => /lib/libm.so.5 (0x800961000)
    libc.so.7 => /lib/libc.so.7 (0x800a80000)

    I won’t say that this is an “official” fix but it does appear to work without issues and allow snort to function until this is resolved…
    Hope this helps someone!
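
The ldd comparison above, as an added example that is not part of the original post: a POSIX sh script that lists every dependency ldd reports as not found and shows which other versions of that library are installed. The function names are hypothetical, and the sample input is the non-working ldd output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): list shared objects that ldd cannot
# resolve and show which other versions of the same library are installed.

# Read `ldd` output on stdin; print the soname of every "not found" dependency.
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# For a soname such as libpcap.so.1, print installed files that share the
# "libpcap.so." prefix in the given directories. A different major version
# means the binary was built against another ABI than the one installed.
other_versions() {
    soname=$1; shift
    base=${soname%.so.*}.so.
    for dir in "$@"; do
        for f in "$dir"/"$base"*; do
            [ -e "$f" ] && [ "${f##*/}" != "$soname" ] && echo "$f"
        done
    done
    return 0
}

# Sample input: the non-working ldd output quoted in the post above.
SAMPLE_LDD='/usr/local/bin/snort:
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
libpcap.so.1 => not found (0x0)
libm.so.5 => /lib/libm.so.5 (0x800830000)
libc.so.7 => /lib/libc.so.7 (0x80094f000)'

# $1 = ldd output, remaining arguments = library directories to search.
report() {
    out=$1; shift
    printf '%s\n' "$out" | unresolved_libs | while read -r lib; do
        echo "MISSING $lib"
        other_versions "$lib" "$@" | sed 's/^/  installed instead: /'
    done
}

report "$SAMPLE_LDD" /lib /usr/lib /usr/local/lib
```

On a live box, replace the sample with `report "$(ldd /usr/local/bin/snort)" /lib /usr/lib /usr/local/lib`.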



  • Ok, so I tried the above fix.  Didn’t work for me. Here’s what it says:

    [2.0-RC2][admin@pfsense.localdomain]/root(1): ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
    [2.0-RC2][admin@pfsense.localdomain]/root(2): snort
    Running in IDS mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/usr/local/etc/snort/snort.conf"
    PortVar ‘HTTP_PORTS’ defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
    PortVar ‘SHELLCODE_PORTS’ defined :  [ 0:79 81:65535 ]
    PortVar ‘ORACLE_PORTS’ defined :  [ 1024:65535 ]
    PortVar ‘SSH_PORTS’ defined :  [ 22 ]
    PortVar ‘FTP_PORTS’ defined :  [ 21 2100 3535 ]
    Detection:
      Search-Method = AC-Full-Q
        Split Any/Any group = enabled
        Search-Method-Optimizations = enabled
        Maximum pattern length = 20
    ERROR: parser.c(5165) Could not stat dynamic module path “/usr/local/lib/snort_dynamicpreprocessor/”: No such file or directory.
    Fatal Error, Quitting…
    [2.0-RC2][admin@pfsense.localdomain]/root(3):

    Getting closer anyways 🙂

    -th3r3isnospoon



  • At the bottom of this website, they talk about the same issues: http://michaelok.tumblr.com/

    I’ll read through it and possibly try some fixes and post back 🙂

    -th3r3isnospoon



  • Hello all–

    I have the same error after upgrading to the June 7 and June 8 pfsense2-RC2 amd64 full.

    After I ln -s /lib/libpcap.so.7 to /usr/local/lib/libpcap.so.1
    and try running snort in the web configurator, I get an unsupported output plugin: “alert_pf” error in my syslog…

    @th3r3isnospoon:
    ERROR: parser.c(5165) Could not stat dynamic module path “/usr/local/lib/snort_dynamicpreprocessor/”: No such file or directory.
    is a dynamic lib path error… the path in pfsense is “/usr/local/lib/snort/dynamicpreprocessor/”



  • FWIW, I submitted a bug report.

    http://redmine.pfsense.org/issues/1590

    -th3r3isnospoon



  • Hi all,

    I have the exact same console output.  The interesting thing is syslog.

    In the latest release of pfsense 2.0-RC2 I can’t get Snort to start.  The syslog reveals the following:

    Jun 9 07:12:19 SnortStartup[63658]: Snort HARD Reload For 34679_sis0…
    Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"
    Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: “alert_pf”

    Line 207 of the above file is:

    output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c

    Andrew
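
The syslog-to-config lookup described above, as an added example that is not part of the original post: a POSIX sh script that reduces Snort FATAL ERROR syslog lines to unique file|line|message records and prints the config line each one points at. The function names are hypothetical, and the sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): turn Snort FATAL ERROR syslog lines into
# unique file|line|message records and print the config line each points at.

# Constructed sample, modelled on the syslog lines quoted in the post above.
SAMPLE_LOG='Jun 9 07:12:19 SnortStartup[63658]: Snort HARD Reload For 34679_sis0...
Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"
Jun 9 07:12:19 snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"'

# Read syslog on stdin; print one "file|line|message" record per distinct error.
snort_fatal_errors() {
    awk '/ snort\[[0-9]+\]: FATAL ERROR: / {
        sub(/^.*FATAL ERROR: /, "")
        # The config reference has the form <path>(<line>) <message>.
        if (match($0, /\([0-9]+\) /)) {
            file = substr($0, 1, RSTART - 1)
            line = substr($0, RSTART + 1, RLENGTH - 3)
            msg  = substr($0, RSTART + RLENGTH)
            rec  = file "|" line "|" msg
            if (!seen[rec]++) print rec
        }
    }'
}

# Print line $2 of config file $1, or a note when the file is not readable.
config_line() {
    if [ -r "$1" ]; then
        sed -n "${2}p" "$1"
    else
        echo "(cannot read $1)"
    fi
}

# Combine both: two lines of output per distinct fatal error.
triage() {
    snort_fatal_errors | while IFS='|' read -r file line msg; do
        echo "$file:$line: $msg"
        echo "    > $(config_line "$file" "$line")"
    done
}

printf '%s\n' "$SAMPLE_LOG" | triage
```

On a live box, feed it the system log instead of the sample; where that log lives and how it is read depends on the installation.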



  • no go.

    Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?



  • @asterix:

    no go.

    Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?

    Mine had some clean installs and I did have the issue; which I resolved with my ln fix. I’m not sure why it’s not working for others. 😞



  • Latest few snapshots even dynamic DNS is failing and IP shows in red as 0.0.0.0

    Looks like both a snapshot and Snort package issue.



  • I looked into snort.inc, looks like snort is supposed to fetch perl-threaded-5.12.1_1.tbz as a dependency… but I couldn’t find it anywhere… the link to the file seems broken… I don’t know if this is the cause of the alert_pf error… hope this will be fixed soon. 🙂



  • Can anyone fix the Snort install package?



  • It’s possible the maintainer is on vacation.  I sent him a pm a while back and have not yet received a response.



  • Any updates on the Snort package fix?



  • I haven’t heard or seen anything yet  😕

    Hopefully soon….

    -th3r3isnospoon



  • Over a week since the package is in broken state  😠

    Has no one installed snort since last 7 days?



  • @asterix:

    Over a week since the package is in broken state  😠

    Has no one installed snort since last 7 days?

    Apparently not….Hope this is fixed soon…

    -th3r3isnospoon



  • Down with Snort since past 10 days !!  😠



  • I am having the same problem and it appears this person might have the same issue as well.
    http://forum.pfsense.org/index.php/topic,37952.0.html

    I feel so naked without my Snort.  ;D

    pfSense 2.0 RC2 build date June 15th
    Snort 2.8.6.1 pkg 1.34

    Also one more thing to add.  According to the pfSense_Snort Twitter account it looks like he is planning a release pretty soon of Snort 2.9.0.4 pkg 1.37.  Hopefully that has a fix for the issue we are seeing.



  • I too am having the same issue. Based on the number of reads I’m thinking we’re not alone.



  • Same thing here on a new install:

    Version:
    2.0-RC3 (amd64)
    built on Tue Jun 21 23:37:22 EDT 2011

    Intel® Atom™ CPU 330 @ 1.60GHz
    Current: 799 MHz, Max: 1599 MHz

    When starting Snort:
    snort[26473]: FATAL ERROR: /usr/local/etc/snort/snort_31943_re1/snort.conf(351) Unknown output plugin: “alert_pf”

    Cheers,
    D.



  • The Snort package has been broken for over 2 weeks now. First I thought it was a snapshot issue but after trying multiple snapshots, I confirmed it’s a snort package issue.



  • With a clean RC3 install, the error message is now different than with RC2

    Clean RC2 install:
    snort[26473]: FATAL ERROR: /usr/local/etc/snort/snort_31943_re1/snort.conf(351) Unknown output plugin: “alert_pf”

    Clean RC3 install:
    Jun 23 01:50:39 SnortStartup[5379]: Snort HARD Reload For 22075_re1…
    Jun 23 01:50:38 SnortStartup[1825]: Snort Startup files Sync…

    Is there a method to “manually” install a newer version of snort without using the package?  Looking at various dates on the “JamesDean” twitter feeds, the last update was on Mar 16, indicating 2.9.0.4 was due in a few days.  This being June, safe bet that “jamesdean” is otherwise occupied…so would love to figure out a fix that doesn’t use the package if that is at all possible.

    Btw, I’ve been posting my adventures (including a hardware list and various notes) with pfSense over at smallnetbuilder:  http://forums.smallnetbuilder.com/showthread.php?t=5379



  • Any progress on this issue resolution?



  • I upgraded to built on Mon Jun 27 06:38:49 EDT 2011 on my Alix board.
    Before I deleted the interface and reset snort. After the upgrade Snort
    started but I wasn’t able to choose any rules even though the update went
    well. But after stopping the interface and restarting it the rules were there
    to choose from. Back in business  ;D



  • Tried that. Doesn’t work for me.



  • I am updating snort-dev binaries, I have to remove snort from pfsense packages 2.0 x86 for a day or two. It’s broken anyway.

    The new GUI is done, I’m on the last step, that is setting up pfSense ports to build binaries automatically.



  • Thanks for the update.  I’d guess AMD64 is next?

    I know the time commitment required to do the work you’re doing.  I’m sure I speak for literally 1000s when I say thanks for your efforts 🙂  I’m a recent pfsense convert and despite the current bugs, still loving it.

    Cheers,
    Dennis.



  • Thanks, jamesdean, that sounds great! Take your time to fix your issues. Great job you do with this great package!



  • I am also running into this.

    I have managed to copy a working package over from a pfsense 1.2.3 install for the time being but I’m hoping this gets fixed for 2.0 x64 asap, I’ll owe ya a beer. 🙂



  • @jamesdean:

    I am updating snort-dev binaries, I have to remove snort from pfsense packages 2.0 x86 for a day or two. It’s broken anyway.

    The new GUI is done, I’m on the last step, that is setting up pfSense ports to build binaries automatically.

    Thank you for your effort. Extended to 5 days now?

    Did you mean for a week or two? The standard snort package was not broken… may be the snort-dev package. Now I can install the broken snort-dev package but not the working snort package… well  ::)



  • @james.dean:

    Did you mean for a week or two? The standard snort package was not broken… may be the snort-dev package. Now I can install the broken snort-dev package but not the working snort package… well  ::)

    You got the snort-dev package to work?



  • @amrogers3:

    @james.dean:

    Did you mean for a week or two? The standard snort package was not broken… may be the snort-dev package. Now I can install the broken snort-dev package but not the working snort package… well  ::)

    You got the snort-dev package to work?

    What from the standard snort package was not broken may be the snort-dev package (is) didn’t you understand?  ::) Two weeks ago I could download the standard package and it worked… now for my freshly flashed device I can no longer install the standard package just because of some GUI improvements? I thought the snort-dev was for testing… not the standard one… we will wait another week or two…



  • Now I’m totally confused so I’ll try to phrase this in a way that is easy to understand…

    I just upgraded from release 1.2.3 with SNORT installed and running to release 2.0-RC3 built on Mon Jul 4 16:48:37 EDT 2011.

    Snort was not installed or running; which isn’t a big deal.

    When I go to the system/packages menu, Snort isn’t listed as an available package. Snort-dev is, but is shown as unstable and I would rather eat broken glass than install anything that’s “unstable”.

    My question is, “What happened to the stable version of Snort?” It was available the last time I tried pfSense 2.0. If it’s not available through the “available packages” is there a way to get a working copy manually outside of the package manager?



  • The dev took it down since there are issues with it installing on 2.0 boxes that never had snort installed on them. I can’t speak for the dev, but since he is trying to release a new version for 2.0, it doesn’t make sense to fix the old version. I would rather him finish coding the new than fix the old…



  • @james.dean:

    What from the standard snort package was not broken may be the snort-dev package (is) didn’t you understand?  ::) Two weeks ago I could download the standard package and it worked… now for my freshly flashed device I can no longer install the standard package just because of some GUI improvements? I thought the snort-dev was for testing… not the standard one… we will wait another week or two…

    I thought 2.0 is only being put out as a Release Candidate, meaning things like this are to be expected.

