Snort Won't Start After Upgrade
-
Still the function "Block offenders" is not working. Kinda beats the purpose of having Snort as it shows you the alerts but is not able to to take the right action when needed.
I have upgraded to 8GB today and 50/8 bandwidth. Haven't installed the snort package as it doesn't make a difference as it's yet not fully functional on amd64.
-
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from starting -
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from startingJust curious…
Do you have a separate box for the mySQL server that Barnyard uses? As for the Netbios rules, I believe performing the steps I listed just a couple of posts ago should fix that problem.
-
Kind of bummed.
Just got the Internet installed at the new place and upgrade to the latest snap / uninstalled and reinstalled SNORT and it still doesn't work.
I am now getting a different error: snort[110]: FATAL ERROR: /usr/local/etc/snort/snort_36327_em0/snort.conf(351) Unknown output plugin: "alert_pf"
Any ideas?
Thanks,
-th3r3isnospoon
-
Kind of bummed.
Just got the Internet installed at the new place and upgrade to the latest snap / uninstalled and reinstalled SNORT and it still doesn't work.
I am now getting a different error: snort[110]: FATAL ERROR: /usr/local/etc/snort/snort_36327_em0/snort.conf(351) Unknown output plugin: "alert_pf"
Any ideas?
Thanks,
-th3r3isnospoon
I'd try running the rules updater again. Maybe something went wrong during the update. If that doesn't help, try reinstalling the package and then do another rules update (again).
-
Kind of bummed.
Just got the Internet installed at the new place and upgrade to the latest snap / uninstalled and reinstalled SNORT and it still doesn't work.
I am now getting a different error: snort[110]: FATAL ERROR: /usr/local/etc/snort/snort_36327_em0/snort.conf(351) Unknown output plugin: "alert_pf"
Any ideas?
Thanks,
-th3r3isnospoon
I'd try running the rules updater again. Maybe something went wrong during the update. If that doesn't help, try reinstalling the package and then do another rules update (again).
Tried that, still doesn't work.
I just updated to the Aug 30th snap and am now getting this error: snort[12676]: FATAL ERROR: /usr/local/etc/snort/snort_50067_em0/snort.conf(351) Unknown output plugin: "alert_pf"
-th3r3isnospoon
-
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from startingSame here. Without trying to use Barnyard everything works fine. When I tried to enable Barnyard I get the following error while saving the settings for it:
Warning: fopen(/usr/local/etc/snort/snort__rl2/barnyard2.conf): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 1439The right path for the snort configuration is:
[2.0-RC3][root@kainak]/usr/local/etc/snort(3): ls -l | grep rl2 drwxrwx--- 3 snort snort 512 Aug 30 20:36 snort_46454_rl2 [2.0-RC3][root@kainak]/usr/local/etc/snort(4):And the problematic line 1439 from /usr/local/pkg/snort/snort.inc is:
$bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");Looks like it's missing $snort_uuid for some reason. :-\
-
Here's the issue on redmine: http://redmine.pfsense.org/issues/1753
If you un-check 'block offenders', SNORT will start. Guess for now on the AMD64 builds, you can have SNORT running, you will just have to watch the logs and block attacks via firewall rules.
-th3r3isnospoon
-
Here's the issue on redmine: http://redmine.pfsense.org/issues/1753
If you un-check 'block offenders', SNORT will start. Guess for now on the AMD64 builds, you can have SNORT running, you will just have to watch the logs and block attacks via firewall rules.
-th3r3isnospoon
So why use snort at all.
-
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from startingJust curious…
Do you have a separate box for the mySQL server that Barnyard uses? As for the Netbios rules, I believe performing the steps I listed just a couple of posts ago should fix that problem.
Yes, I have a separate MySQL server. The Netbios rules are duplicate with EM ones, looks like psfense has to deduplicate rules before snort tries to load them. All other rules load up just fine.
Just updated to 2.0RC3 28-08 i386
Snort 2.8.6.1 pkg v. 2.0 has still the same problems.
Barnyard not working (when setting up it will corrupt the Snort settings)
netbios rules block Snort from startingSame here. Without trying to use Barnyard everything works fine. When I tried to enable Barnyard I get the following error while saving the settings for it:
Warning: fopen(/usr/local/etc/snort/snort__rl2/barnyard2.conf): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 1439The right path for the snort configuration is:
[2.0-RC3][root@kainak]/usr/local/etc/snort(3): ls -l | grep rl2 drwxrwx--- 3 snort snort 512 Aug 30 20:36 snort_46454_rl2 [2.0-RC3][root@kainak]/usr/local/etc/snort(4):And the problematic line 1439 from /usr/local/pkg/snort/snort.inc is:
$bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");Looks like it's missing $snort_uuid for some reason. :-\
Correct. Besides that it looks like barnyard.conf is not created and Barnyard is not installed at all…
If I try to find Barnyard it is not even there (even after removing/reinstalling snort package). -
Can you please try with a new version of the package posted?
For now i386 port should be stable on most things.The amd64 is pending a rebuild of the port. will be done in an hour or so.
This includes even fixes for those "alert_pf" error messages you were getting.
-
I was having issues with it starting after I updated as well. I was able to get things going again after I unchecked block offenders and then selected start. I then went back and checked block offenders, saved, and then stopped and started the interface. This seemed to work for me.
I hope it does the same for others. Note: I am not running barnyard.
Also, could someone tell me what this update addresses?
Thanks
-
With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:
[2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn [2.0-RC3][root@kainak]/usr/local/bin(7): -
@ermal receiving this error on the new i386 ver:
Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1) -
@ermal receiving this error on the new i386 ver:
Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Sep 1 14:00:40 snort[37788]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)Getting this same error.
-
Is this amd64 or i386?
-
With the new package (2.9 pkg v. 2.0) I'm now able to save the barnyard settings without the issues mentioned above, but the barnyard2 binary appears still to be missing:
[2.0-RC3][root@kainak]/usr/local/bin(6): ls -l | grep -i barn [2.0-RC3][root@kainak]/usr/local/bin(7):Where do you see 2.9 pkg v. 2.0?
The version i see still is 2.8.6.1 pkg v. 2.0 platform: 2.0
Edit: Never mind.. Just noticed it just for i386 version.
-
@ermal:
Is this amd64 or i386?
i386
-
You are sure there is no old library on that folder that is not compatible with newest snort?
I cannot replicate this.Do this to test.
Uninstall snort
Remove the snort/lib folder
Reinstall snortSee if it happens again.
-
That did the trick! I had to removed /usr/local/lib/snort/*
I'll do more testing later today and over the weekend and report back with my findings.
P.S Still can't clear alerts but I don't know if you worked on that work not… using FF6