Snort package on 64 doesn't work



  • Hi,

    I have just installed Snort (2.8.6.1 pkg v. 2.0) package on 2.0-RC3 (amd64) built on Tue Aug 2 22:54:59 EDT 2011. Package installation finished successfully but there is no service or snort section under Services.
    Any idea?

    Thanks



  • try a newer amd64 snapshot



  • Doesn't work on the latest snapshot either.

    Aug 7 14:16:34 SnortStartup[31599]: Interface Rule START for 0_42850_em0…
    Aug 7 14:16:34 SnortStartup[17768]: Toggle for 42850_em0…
    Aug 7 14:15:15 SnortStartup[47800]: Interface Rule START for 0_42850_em0…
    Aug 7 14:15:15 SnortStartup[34052]: Toggle for 42850_em0…



  • @asterix:

    Doesn't work on the latest snapshot either.

    Aug 7 14:16:34 SnortStartup[31599]: Interface Rule START for 0_42850_em0…
    Aug 7 14:16:34 SnortStartup[17768]: Toggle for 42850_em0…
    Aug 7 14:15:15 SnortStartup[47800]: Interface Rule START for 0_42850_em0…
    Aug 7 14:15:15 SnortStartup[34052]: Toggle for 42850_em0…

    I tested amd64 the other night and it does work, but it does have an issue with blocking offenders.

    Can you post screenshots of all your tabs?



  • Hi
    I just updated to 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Now the snort service is appearing but won't start.

    Aug 8 10:57:16 	SnortStartup[44272]: Snort Startup files Sync...
    Aug 8 10:57:16 	SnortStartup[48499]: Snort HARD Reload For 30288_em0...
    Aug 8 10:57:49 	SnortStartup[22020]: Toggle for 30288_em0...
    Aug 8 10:57:49 	SnortStartup[29702]: Interface Rule START for 0_30288_em0...
    Aug 8 10:57:59 	SnortStartup[33829]: Toggle for 30288_em0...
    Aug 8 10:57:59 	SnortStartup[42557]: Interface Rule START for 0_30288_em0...
    Aug 8 10:58:43 	SnortStartup[4817]: Snort Startup files Sync...
    Aug 8 10:58:44 	SnortStartup[9404]: Snort HARD Reload For 30288_em0...
    


  • Post your settings.. I was able to get snort to work on amd64 a couple of days ago… I did find that you can't have block offenders checked, but that created a different error in the log. I went back to i386 on my box.. We will probably need someone to help test the amd64 with the dev to work out the bugs as the package was just redone last week but only i386 was tested.



  • Hi, even on i386, while the block offenders entries get added, the cron job to remove them after the set period, e.g. 1 hour, is not getting added any more. Could someone post those entries here so I can manually enter them?

    Additionally, is this feature working for others with the latest snapshot and latest Snort package?

    Thank you.



  • It's working for me on i386..

    Make sure you save the global page then go to the interface page and save there… can't hurt, change the setting, save, then change it to the setting you want... but here are my cron settings

    */5  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c



  • Thanks Cino! I really appreciate it. I will try the saving of the setting again once I get back home.

    In the meantime, in case the cron job does not get added with the steps above, could you also post the cron entry for Snort auto update? That is missing as well since it was part of the same cron entry, just another command.

    Thanks!



  • @hmishra:

    Thanks Cino! I really appreciate it. I will try the saving of the setting again once I get back home.

    In the meantime, in case the cron job does not get added with the steps above, could you also post the cron entry for Snort auto update? That is missing as well since it was part of the same cron entry, just another command.

    Thanks!

    Anytime :-)

    3  */12  *  *  *  root  /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
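The two crontab lines posted in this thread (the snort2c expiretable job and the rule-update job) are exactly what goes missing when the package fails to re-save its settings. The following is an added example, not code from the thread or from the pfSense package: a small POSIX sh checker that reports which of the two jobs is absent from a crontab file and can append the missing ones. The crontab content is constructed inline so the script runs offline; the 3600 s timeout, the `*/5` and `3 */12` schedules and the `/tmp/snort_update.log` path are the values quoted above, not defaults of the package.

```shell
#!/bin/sh
# Added example (not from the thread): check a pfSense crontab for the two
# Snort entries quoted in this thread and report which are missing.
# The expiretable timeout (3600 s) and the rule-update schedule are the
# values posted above; adjust them to match your own settings.

# Constructed sample crontab: the update job is present, the expiretable job is not.
SAMPLE_CRONTAB="$(mktemp)"
cat > "$SAMPLE_CRONTAB" <<'EOF'
# /etc/crontab - constructed sample, not a real pfSense file
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
3  */12  *  *  *  root  /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
EOF

# Returns 0 if FILE contains an expiretable entry for the snort2c table, else 1.
has_block_expiry() {
    grep -q 'expiretable .*snort2c' "$1"
}

# Returns 0 if FILE contains the Snort rule-update job, else 1.
has_rule_update() {
    grep -q 'snort_check_for_rule_updates.php' "$1"
}

# Prints a one-line status per expected job; returns the number of jobs missing.
check_snort_cron() {
    file="$1"
    missing=0
    if has_block_expiry "$file"; then
        echo "ok:      snort2c expiretable job present"
    else
        echo "MISSING: snort2c expiretable job (blocked hosts would never be released)"
        missing=$((missing + 1))
    fi
    if has_rule_update "$file"; then
        echo "ok:      snort rule-update job present"
    else
        echo "MISSING: snort rule-update job (rules would go stale)"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Appends the thread's two entries to FILE when they are absent (edits FILE in place).
add_missing_snort_cron() {
    file="$1"
    has_block_expiry "$file" || \
        echo '*/5  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c' >> "$file"
    has_rule_update "$file" || \
        echo '3  */12  *  *  *  root  /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log' >> "$file"
}

# Demo run against the constructed file: one job is reported missing.
if check_snort_cron "$SAMPLE_CRONTAB"; then
    echo "all Snort cron jobs present"
else
    echo "$? Snort cron job(s) missing in $SAMPLE_CRONTAB"
fi
```

On a real firewall you would point `check_snort_cron` at `/etc/crontab`; the check is idempotent, and `add_missing_snort_cron` only appends a line when its own check fails, so running it twice does not duplicate entries.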



  • Cino,

    Your suggestion worked! Unchecking block offender, Save, rechecking and Save introduced the missing cron jobs for even the auto update of Snort rules.

    Thanks!



  • good to hear!!! I try to re-save all my settings when I update the package to make sure it takes all the settings.



  • I am not able to get snort to start. I also unchecked my block offender and re-checked it and it did not work. Also I deleted the interface in snort and recreated it and that also did not work. I am running the AMD64 version also; does anyone else have any more tips to fix this?



  • @VeGeTa-X:

    I am not able to get snort to start. I also unchecked my block offender and re-checked it and it did not work. Also I deleted the interface in snort and recreated it and that also did not work. I am running the AMD64 version also; does anyone else have any more tips to fix this?

    SSH into pfsense and run:

    
     /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_<number>_<interface>/snort.conf -i <interface>
    

    The error(s) should appear



  • I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

    /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"



  • @VeGeTa-X:

    I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

    /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

    make sure /usr/lib/libpcap.so is there then run..

    
    ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
    
    

    And try again
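The fix above depends on `/usr/lib/libpcap.so` actually being present: a symlink to a library that is not there gives the same "Shared object not found" error from the dynamic linker and is harder to spot later. The following is an added example, not code from the thread or from pfSense: a POSIX sh helper that creates the `libpcap.so.1` link only when the real library exists and refuses to proceed if a dangling link is already there. It takes the library directory as a parameter so the demo runs against a constructed temporary directory instead of the firewall's `/usr/lib`; the return codes are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread): apply the libpcap symlink fix from this
# thread safely. Snort on the amd64 build looked for libpcap.so.1 while the
# system only shipped libpcap.so, so the fix was a symlink. This helper only
# creates the link when the real library exists, so it never leaves a dangling
# libpcap.so.1 that would produce the same "Shared object not found" error.

# Usage: ensure_libpcap_link LIBDIR
# Returns 0 if LIBDIR/libpcap.so.1 exists (already, or after linking),
#         1 if LIBDIR/libpcap.so is missing (nothing sensible to link to),
#         2 if libpcap.so.1 exists but points nowhere (dangling symlink).
ensure_libpcap_link() {
    libdir="$1"
    target="$libdir/libpcap.so"
    link="$libdir/libpcap.so.1"

    if [ -e "$link" ]; then
        echo "ok: $link already present"
        return 0
    fi
    if [ -L "$link" ]; then
        # -e failed but -L succeeded: a symlink whose target is gone
        echo "broken: $link is a dangling symlink; remove it and re-run"
        return 2
    fi
    if [ ! -f "$target" ]; then
        echo "missing: $target not found; reinstall libpcap before linking"
        return 1
    fi
    ln -s "$target" "$link"
    echo "linked: $link -> $target"
    return 0
}

# Constructed demo directory standing in for /usr/lib on the firewall.
DEMO_LIBDIR="$(mktemp -d)"
: > "$DEMO_LIBDIR/libpcap.so"   # empty stand-in for the real library
ensure_libpcap_link "$DEMO_LIBDIR"
```

On the firewall the call would be `ensure_libpcap_link /usr/lib` as root; a second run reports the link as already present rather than failing, which makes it safe to keep in a post-upgrade checklist.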



  • Thx, linking both files worked. I just had to turn off block offender and restart and it worked. Thx again for your help



  • I have one more question: when I enable block offenders snort does not work and when I disable it snort works. I found the link below saying that the snort package is missing some kind of spoink code?

    http://redmine.pfsense.org/issues/1753



  • @seattle-it:

    @VeGeTa-X:

    I ran your command " /usr/local/bin/snort -u snort -g snort -v -l /var/log/snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_61267_re0/snort.conf -i re0 " and I received the error message below

    /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

    make sure /usr/lib/libpcap.so is there then run..

    
    ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
    
    

    And try again

    Can't thank you enough! Snort is working again after so long, such an easy fix!



  • It seems a bit weird, snort is running but I am not receiving any alerts



  • Are your preprocessors turned on? Go to https://www.grc.com/x/ne.dll?bh0bkyd2 to test snort… you should get a scan alert



  • Yes, all options are turned on for preprocessors and I did an all-port scan on the site below and got no alerts.



  • I have no idea ??? It worked for me last weekend… Are you running 2.0RC3 or 2.1-Dev?



  • I am running 2.0rc3 64bit



  • @VeGeTa-X:

    I have one more question: when I enable block offenders snort does not work and when I disable it snort works. I found the link below saying that the snort package is missing some kind of spoink code?

    http://redmine.pfsense.org/issues/1753

    spoink is an OpenBSD output plugin that adds the offending host to the block list in snort. I was always under the impression that pfsense used snort2c to do that job. Seems I was wrong.



  • @VeGeTa-X:

    I am running 2.0rc3 64bit

    I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me



  • @Cino:

    @VeGeTa-X:

    I am running 2.0rc3 64bit

    I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me

    Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.



  • @Ibor:

    @Cino:

    @VeGeTa-X:

    I am running 2.0rc3 64bit

    I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me

    Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

    So it is working on 2.0RC3..Good to know



  • Can a couple more folks confirm Snort works on the latest amd64 2.0 RC3 snapshots? I tried it earlier this week and it was not working. Had done clean installs a few times but was never successful in getting Snort running. Now on 32-bit 2.0 RC3 as Snort is kinda broken even on 1.2.3 with Snort.org rules not updating. Not a happy camper !!



  • @asterix:

    Can a couple more folks confirm Snort works on the latest amd64 2.0 RC3 snapshots? I tried it earlier this week and it was not working. Had done clean installs a few times but was never successful in getting Snort running. Now on 32-bit 2.0 RC3 as Snort is kinda broken even on 1.2.3 with Snort.org rules not updating. Not a happy camper !!

    It works on 2.0RC3 i386… 2 bugs that I know of, Barnyard2 and you can't clear the alerts but you can clear the block list... There are posts for a workaround on barnyard2



  • amd64?



  • @Cino:

    @Ibor:

    @Cino:

    @VeGeTa-X:

    I am running 2.0rc3 64bit

    I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me

    Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

    So it is working on 2.0RC3..Good to know

    BUT only after entering/executing the following code!! Without it, Snort will not work!

    
    ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
    
    


  • @Ibor:

    @Cino:

    @Ibor:

    @Cino:

    @VeGeTa-X:

    I am running 2.0rc3 64bit

    I'll have to start a VM for 2.0rc3… I tried 2.1 Dev last weekend and it worked for me

    Running 2.0-RC3 (amd64) built on Sat Aug 6 23:18:46 EDT 2011. Checked "Send alerts to main System logs". I'm getting alerts within the Alerts tab as well as the main system logs.

    So it is working on 2.0RC3..Good to know

    BUT only after entering/executing the following code!! Without it, Snort will not work!

    
    ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1
    
    

    I wonder if it's because of all the packages I have installed, maybe one of them ran that command for me…



  • So basically snort on amd64 is still broken.



  • @asterix:

    So basically snort on amd64 is still broken.

    Well if it runs after running a command or two, it wouldn't be broken then! And why not just run i386? Unless you're pumping heavy traffic thru the box and need a lot of memory, I see no benefit running AMD64.

    I hate to say this but if you're so bent out of shape for snort, then go install another fw distro and deal with their bloatware instead of whining on every snort thread that it's not working. There are tickets opened on the issue and the devs will get to them when they can. You can always donate money to help push it along if you like.



  • Big props to the "C" man on this. For the first time since starting to experiment with replacing our Draytek boxes/smartmonitor with pfsense, I have a working SNORT (2.8.6.1 pkg v. 2.0) interface.

    Running the command from an SSH shell worked:

    ln -s /usr/lib/libpcap.so /usr/lib/libpcap.so.1

    I'm on a fresh install of 2.0-RC3 (amd64) built on Fri Aug 12 14:47:46 EDT 2011. With SNORT running on both WAN interfaces and a pile of rules selected, the Atom 330@1.6GHz is showing 15 to 20% usage, and the 2GB of RAM is 72% utilized.

    So the next step is to get it working so that having "Block Offenders" enabled works. Right now, the service will not start with that box checked…which in my rookie understanding of SNORT means it's not really doing anything for me yet. I have two WAN connections, RE1 (DHCP) and RE2 (PPPOE), so would be happy to provide error logs.

    With "Block Offenders" checked, the system log returns: snort[37235]: FATAL ERROR: /usr/local/etc/snort/snort_32334_re1/snort.conf(351) Unknown output plugin: "alert_pf"


  • Does "Block Offenders" in snort work with pfsense i386?



  • @VeGeTa-X:

    Does "Block Offenders" in snort work with pfsense i386?

    It works on i386, just not on amd64



  • @Cino:

    @asterix:

    So basically snort on amd64 is still broken.

    Well if it runs after running a command or two, it wouldn't be broken then! And why not just run i386? Unless you're pumping heavy traffic thru the box and need a lot of memory, I see no benefit running AMD64.

    I have i386 on one of the boxes. For the box I want Snort on.. i386 is of no use as it can detect about 3.5GB. It made sense earlier when I started with 2GB RAM. I have 4GB RAM now and will be bumping it to 8GB this week. Traffic is extremely heavy, non-stop 24/7.. serving over 30 users on 4 different VLANs. Current bandwidth is 30/4. Will be switching to FTTH 50/25 (or more) soon.



  • Is the code for the 64 bit build available somewhere? I've got a few quiet days this week and would like to see if I can sort the "block offenders" problem on that package.

