Netgate Discussion Forum

    Snort Won't Start After Upgrade

      hmishra

      I guess I don't understand what needs to be done as per your suggestion. Do I just reinstall the package?

        Cino

        I should look up how to use diff, but I manually edited the file instead:

        Sep 3 13:56:25 snort[44707]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(302) => Invalid option 'preprocessor' to portscan preprocessor.
        Sep 3 13:56:25 snort[44707]: FATAL ERROR: /usr/local/etc/snort/snort_39737_em3/snort.conf(302) => Invalid option 'preprocessor' to portscan preprocessor.

          digdug3

          Great! pfsense 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 - Snort 2.9.0.5 pkg v. 2.0
          Barnyard now configures correctly and doesn't corrupt previous settings (but is not installed and started like Jare stated correctly).

          The snort_netbios.rules fatal error still exists:

          snort[33208]: FATAL ERROR: /usr/local/etc/snort/snort_54739_em1/rules/snort_netbios.rules(72) GID 1 SID 2511 in rule duplicates previous rule, with different protocol.

          When the rule duplicates a previous rule, then the protocol should be the same(?) Otherwise it's not duplicate…

          I use the same rulesets (snort.org/emergingthreats.net/pfsense.org) with pfsense 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009 - Snort 2.8.6.1 pkg v. 1.34 and the error does not come up... (?)

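The duplicate-SID failure reported in the post above can be located before Snort is started. The following is an added example, not part of the original posts or of the pfSense Snort package: a Python check that flags any GID/SID pair loaded with more than one protocol. It assumes one rule per line and a default GID of 1; the sample rule text and the second file name are constructed.

```python
import re
from collections import defaultdict

# Header of an active Snort 2.x rule: action, protocol, addresses/ports, then (options).
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+(\S+)\s+[^(]*\((.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def index_rules(files):
    """Map (gid, sid) -> [(protocol, file name, line number)] for active rules."""
    seen = defaultdict(list)
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # commented-out rules are never loaded
            m = RULE_RE.match(line)
            sid = SID_RE.search(m.group(3)) if m else None
            if not sid:
                continue
            gid = GID_RE.search(m.group(3))
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # assumed default gid 1
            seen[key].append((m.group(2).lower(), name, lineno))
    return seen


def protocol_conflicts(files):
    """Return the (gid, sid) entries that appear with more than one protocol."""
    return {k: v for k, v in index_rules(files).items()
            if len({proto for proto, _, _ in v}) > 1}


# Constructed sample input (not the real text of SID 2511); on a firewall,
# build this dict by reading every enabled *.rules file of the interface.
SAMPLE = {
    "snort_netbios.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"sample A"; sid:2511; rev:1;)\n'
        '# alert udp any any -> any 445 (msg:"disabled"; sid:2600; rev:1;)\n'
        'alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"sample B"; sid:2511; rev:2;)\n'
    ),
    "emerging-netbios.rules": (
        'alert tcp any any -> $HOME_NET 445 (msg:"sample C"; gid:1; sid:2600; rev:3;)\n'
        'alert tcp any any -> $HOME_NET 445 (msg:"sample D"; sid:2600; rev:4;)\n'
    ),
}

if __name__ == "__main__":
    for (gid, sid), hits in sorted(protocol_conflicts(SAMPLE).items()):
        print(f"GID {gid} SID {sid}: " + ", ".join(f"{p} at {f}:{n}" for p, f, n in hits))
```

Same-protocol duplicates (SID 2600 in the sample) are indexed but not reported, since the error in the log concerns only a protocol mismatch.
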
            hmishra

            I just upgraded to 2.0-RC3 (i386) built on Sat Sep 3 21:08:08 EDT 2011 and continue to get the following error which is different from before but the result is same i.e. Snort not starting. No change in ruleset.

            Sep 4 06:59:48 SnortStartup[24402]: Interface Rule START for 0_21540_em0_vlan10…

            Reinstalling the Snort package results in the previous error message.

            Sep 4 07:04:33 SnortStartup[43419]: Snort HARD Reload For 21540_em0_vlan10…

              eri--

              Try reinstalling the package.

                hmishra

                Not sure if it is an improvement, but after I uninstalled and installed Snort, I get the following after clicking the 'Update Rules' button:

                Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481

                  NightHawk007

                  I try to update now and I get this error:
                  Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481
                  Is there a way to fix it?

                    knaj

                    Hi. In case you didn't find the solution for the line 481 error, all you need to do is remove the } on line 481. Then update will work again..

                      Cino

                      @knaj:

                      Hi. In case you didn't find the solution for the line 481 error, all you need to do is remove the } on line 481. Then update will work again..

                      was able to write that

                        Cino

                        My findings so far:

                        The package doesn't remove correctly. It still shows up on my Services page. Uninstalling the package twice seems to fix this issue.
                        Once rules are updated, I have to re-save my Categories then start the interface.
                        Snort rules seem to be detecting attacks and auto-blocking is working :-)
                        Can't clear the alerts page, already reported and ticket.
                        Portscan Detection Preprocessor is not working, this was already reported 2 days ago. (This is a biggie for me since I'm always being scanned for open ports)

                          hmishra

                          Manually editing the snort_download_rules.php file to remove the extra '}' allows the rules to update again. However, I am no closer to having Snort start. I get the same message as before:

                          Sep 4 13:21:54 SnortStartup[49255]: Snort HARD Reload For 21540_em0_vlan10…
                          Sep 4 13:21:54 SnortStartup[46000]: Snort Startup files Sync…

                            eri--

                            Fixed the syntax error.

                            hmishra - I am not sure what you mean by not being able to start snort!

                            Cino, I am not sure what changed to have snort not detect autoblocking.
                            Maybe a new directive is needed?! But the config is right afaik.

                              eri--

                              Cino,

                              Can you try a full reinstall of the package? I recompiled the port with some options removed that might impact this.

                                DynamoHum

                                Ok, I just tried; the update glitch is gone.
                                But I still get the:
                                FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                                error when I start snort. I've tried disabling all preprocessors, and same error. It is still downloading the 2.8 rules instead of the 2.9. Can this be caused by the "keep settings through reinstall" feature, or maybe the ET rules … hmm, I'll check that asap.

                                running :   2.0-RC3 (i386) built on Fri Sep 2 14:17:09 EDT 2011

                                Thanks for your time & efforts

                                  bmeeks

                                  My problem now is  more like "selective Snort starting".  What I mean is that selecting certain rule categories will not let Snort start successfully.  Not selecting them will allow Snort to start.

                                  These are the rule categories that do not work for me on 2.0-RC3 using the i386 build –

                                  • snort_spyware-put.rules

                                  • snort_web-activex.rules

                                  • snort_web-client.rules

                                  Also, for some of the rule categories that do work, if I select any of the matching Shared Objects rule categories then Snort will not start successfully.  One example of this behavior is as follows.

                                  • snort_bad-traffic.rules

                                  • snort_bad-traffic.so.rules

                                  If I select just snort_bad-traffic.rules, then Snort starts.  If I try to add snort_bad-traffic.so.rules, then Snort will not start.

                                    hmishra

                                    ermal,

                                    I mean, nowhere do I have evidence that Snort is even running on my system!

                                    Previously, I always found Snort on my list of running services as well as in System Activity.

                                    ![Service status.png](/public/imported_attachments/1/Service status.png)
                                    ![System Activity.png](/public/imported_attachments/1/System Activity.png)

                                      eri--

                                      Yeah, I know about the status->services problem.
                                      A ps -ax | grep snort should tell you.

                                      @DynamoHum,

                                      check before in this thread.

                                        DynamoHum

                                        duh ! :-\ 1st I had skipped over yer post and 2nd, find / -name "snort" works better than find / -name "snrot" :-X

                                        Thanks again for your great work and devotion to this project.

                                          hmishra

                                          Thanks ermal. I think 'ps -ax | grep snort' reveals that snort is not running…..

                                          43792  0  S+    0:00.02 grep snort

                                          Doesn't the above mean grep ran and a running instance of snort was not found?

                                            Cino

                                            @ermal:

                                            Cino, i am not sure what changed to have snort not detect autoblocking.
                                            Maybe a new directive is needed?! But the config is right afaik.

                                            I stated that auto-blocking is working when a rule is triggered.. port scanning wasn't being detected….

                                            I'm about to do a firmware update. I'll fully uninstall snort and re-install after my firmware is updated and see how snort is working.
