Snort Won't Start



  • @marcelloc:

    Try to uninstall again, then go to the console and remove any snort package or dependency left behind.
    I think some post on this topic has detailed info about this.

    (mod: thanks for moving this post to a new thread).

    Snort will not start.  I have removed/verified pkgs are gone/reinstalled multiple times and am still at a non-working snort state.  My Oink code is plugged in, it downloads the rules.  I've tried: only emerging threat, emerging threat + snort, only snort, just one random snort rule.  I've tried with values plugged into the "Servers" screen and with the same screen all empty (unconfigured).

    Any more suggestions to try?  Didn't work for me in 2.0, either.  This is a fresh build of 2.0.1.
    Snort 2.9.1 pkg v. 2.0.2
    i386

    Thanks,
    AWS



  • Did you configure it with the oinkmaster code?

    Did you enable the service?

    Did you configure an interface to listen on?

    Did you update the rules?

    Did you read this post?
    http://forum.pfsense.org/index.php/topic,44489.msg230969.html#msg230969



  • When I go to the shell and type "snort" this is what scrolls along the screen.  It seems to never stop… which makes me think it's running but there aren't any indications of it in the webConfigurator.

    
    01/02-15:17:02.419844 206.33.55.254:80 -> 10.1.1.10:60692
    TCP TTL:64 TOS:0x0 ID:48822 IpLen:20 DgmLen:1480 DF
    ***AP*** Seq: 0xC5345699  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/02-15:17:02.420115 10.1.1.10:60692 -> 206.33.55.254:80
    TCP TTL:128 TOS:0x0 ID:15299 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x45A8C94B  Ack: 0xC5345C39  Win: 0x4029  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/02-15:17:02.421065 206.33.55.254:80 -> 10.1.1.10:60692
    TCP TTL:64 TOS:0x0 ID:64194 IpLen:20 DgmLen:1480 DF
    ***AP*** Seq: 0xC5345C39  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/02-15:17:02.421580 206.33.55.254:80 -> 10.1.1.10:60692
    TCP TTL:64 TOS:0x0 ID:423 IpLen:20 DgmLen:1480 DF
    ***AP*** Seq: 0xC53461D9  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/02-15:17:02.421714 10.1.1.10:60692 -> 206.33.55.254:80
    TCP TTL:128 TOS:0x0 ID:15300 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x45A8C94B  Ack: 0xC5346779  Win: 0x4029  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/02-15:17:02.423265 206.33.55.254:80 -> 10.1.1.10:60692
    TCP TTL:64 TOS:0x0 ID:11064 IpLen:20 DgmLen:1480 DF
    ***AP*** Seq: 0xC5346779  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    

    AWS



  • Snort is running.

    Go to Status -> Services to see Snort's current status.



  • @marcelloc:

    Did you configure it with the oinkmaster code?

    Did you enable the service?

    Did you configure an interface to listen on?

    Did you update the rules?

    Did you read this post?
    http://forum.pfsense.org/index.php/topic,44489.msg230969.html#msg230969

    1.) yes, via http://www.snort.org/.  Was using this same code when this HW was loaded with IPCop.
    2.) yes, checked the box on Snort Interface/If Settings/General Settings/Enable
    3.) yes, WAN
    4.) yes, currently just using snort rules.
    5.) yes, read the post right before posting the question. I disabled the rule, saved, enabled the service and still no luck.

    Thanks for your help.



  • @marcelloc:

    Snort is running.

    Go to Status -> Services to see Snort's current status.

    Right, that is the first time the service wasn't red…  Back on the snort page/Snort Interfaces where it lists the rule, the left side shows a green square with a white "start" triangle.  Shouldn't that be an icon of a red square with a white "X" to show "stop"?  Besides that, I'm also not getting anything blocked ... ?

    But before, I swear, the service wouldn't start!  Now it is.  Guess I just posted 10 minutes too soon out of a 3-day attempt.  :-)  Thanks for your help.

    If I don't get any blocks within a few days I'll post back.  But from what I see scrolling in the shell, I have to agree that it is working.

    AWS



  • Yes, to help we need information.

    When you say snort doesn't start, it is not easy to know what is going on.

    Next post, if any, try to include more information to help people help you.

    Congratulations on your successful config, don't forget to read about snort suppressing rules.  ;)



    There is something hinky with my setup of Snort.  Even though I can see the log of Snort running by going to the shell and typing "snort", nothing is being put in the logs for "Alerts" and "Blocked".  If I go to Services in the webConfigurator I can see that Snort is running, so I click the stop button and I get the "snort has been stopped" confirmation banner at the top, yet snort is still running in the shell window and the service screen still sees it as running.

    In short, my issues are:
    Snort is running but not "Alerting" or "Blocking"
    Snort won't stop running (is that really a problem, though  :P)

    It's been 38 hours since I started this thread and finally got Snort to start, but nothing in the logs?  Doesn't seem right.

    Any ideas?



  • I've found that I can only start Snort via the shell.

    [2.0.1-RELEASE][root@pfsense.sietg.local]/root(1): snort
    Running in packet dump mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to passive.
    Acquiring network traffic from "em0".
    Decoding Ethernet
    
            --== Initialization Complete ==--
    
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135) FreeBSD
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2011 Sourcefire, Inc., et al.
               Using libpcap version 1.1.1
               Using PCRE version: 8.12 2011-01-15
               Using ZLIB version: 1.2.3
    
    Commencing packet processing (pid=17507)
    01/04-07:30:57.593336 70.89.183.189:12489 -> 10.1.1.4:32915
    TCP TTL:116 TOS:0x0 ID:11817 IpLen:20 DgmLen:52
    ***A**** Seq: 0x7188B86C  Ack: 0xE14B79FF  Win: 0xFFFB  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 35750331 2324854222
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/04-07:30:58.732919 10.1.2.6:58847 -> 10.1.1.5:53
    UDP TTL:127 TOS:0x0 ID:11072 IpLen:20 DgmLen:64
    Len: 36
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/04-07:30:58.733069 10.1.1.5:22958 -> 205.171.3.65:53
    UDP TTL:128 TOS:0x0 ID:5398 IpLen:20 DgmLen:64
    Len: 36
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/04-07:30:58.751585 205.171.3.65:53 -> 10.1.1.5:22958
    UDP TTL:59 TOS:0x0 ID:43992 IpLen:20 DgmLen:80
    Len: 52
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/04-07:30:58.751721 10.1.1.5:53 -> 10.1.2.6:58847
    UDP TTL:128 TOS:0x0 ID:5399 IpLen:20 DgmLen:80
    Len: 52
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    ^Z
    Suspended
    [2.0.1-RELEASE][root@pfsense.sietg.local]/root(2):
    
    

    One thing of note: When snort is starting it says: Acquiring network traffic from "em0".  em0 is my IntelPRO card on my LAN side.  I've configured snort to look at the WAN side.  Is this correct and I just don't understand what I'm seeing?

    Thx.
    AWS
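    What scrolls past in both shell sessions above (the one after "snort" in the earlier post and the one ending in ^Z here) is Snort's packet dump mode, which the banner itself announces ("Running in packet dump mode") when Snort is started without a configuration file: every packet on whatever interface libpcap picks is printed, no rules are loaded, and nothing is alerted or blocked. The pfSense-managed service is a different process started with its own configuration and interface. The following parser is an added example, not code from the thread or from the pfSense snort package; it reads that packet dump format, summarises the flows, and tells packet dump output apart from Snort's alert format, so a reader can recognise which of the two they are looking at. All sample lines and addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of Snort's packet dump mode output (the mode
# Snort enters when started with no configuration file), as seen in the thread.
# Addresses and values here are made up for the example.
PACKET_DUMP = """\
01/04-07:30:57.593336 198.51.100.7:12489 -> 10.1.1.4:32915
TCP TTL:116 TOS:0x0 ID:11817 IpLen:20 DgmLen:52
***A**** Seq: 0x7188B86C  Ack: 0xE14B79FF  Win: 0xFFFB  TcpLen: 32
TCP Options (3) => NOP NOP TS: 35750331 2324854222
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/04-07:30:58.732919 10.1.2.6:58847 -> 10.1.1.5:53
UDP TTL:127 TOS:0x0 ID:11072 IpLen:20 DgmLen:64
Len: 36
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/04-07:30:59.001200 10.1.2.6:58848 -> 10.1.1.5:53
UDP TTL:127 TOS:0x0 ID:11073 IpLen:20 DgmLen:64
Len: 36
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Constructed line in Snort's alert format ("[**] [gid:sid:rev] msg [**]"),
# for contrast: a detection looks like this, and packet dump output never
# contains such lines. SID 1000001 is in the local-rule range.
ALERT_SAMPLE = "[**] [1:1000001:1] CONSTRUCTED test alert [**]"

# Packet header: timestamp, source ip:port, arrow, destination ip:port.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# IP line: protocol, TTL and total datagram length are the useful fields.
IPLINE_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\s+TTL:(?P<ttl>\d+)\s.*\bDgmLen:(?P<len>\d+)")
# TCP flag line: eight positions in the order 1 2 U A P R S F, '*' = not set.
FLAGS_RE = re.compile(r"^[12UAPRSF*]{8}\s+Seq:")
FLAG_NAMES = "12UAPRSF"
ALERT_RE = re.compile(r"^\[\*\*\]\s+\[\d+:\d+:\d+\]")


def parse_packet_dump(text):
    """Parse packet dump records into dicts; lines it does not recognise are ignored."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {
                "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "proto": None, "ttl": None, "dgmlen": None, "flags": None,
            }
            records.append(current)
            continue
        if current is None:
            continue
        m = IPLINE_RE.match(line)
        if m:
            current["proto"] = m["proto"]
            current["ttl"] = int(m["ttl"])
            current["dgmlen"] = int(m["len"])
            continue
        if current["proto"] == "TCP" and FLAGS_RE.match(line):
            current["flags"] = [n for c, n in zip(line[:8], FLAG_NAMES) if c != "*"]
            continue
        if line.startswith("=+=+"):
            current = None  # separator closes the record
    return records


def summarize_flows(records):
    """Count packets per (proto, src, dst) so a fast scroll can be read at a glance."""
    return Counter((r["proto"], r["src"], r["dst"]) for r in records)


def classify_output(text):
    """'alerts' if any Snort alert header is present, 'packet dump' if only packet
    headers are, 'unknown' otherwise."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if any(ALERT_RE.match(l) for l in lines):
        return "alerts"
    if any(HEADER_RE.match(l) for l in lines):
        return "packet dump"
    return "unknown"


if __name__ == "__main__":
    print("output type:", classify_output(PACKET_DUMP))
    for (proto, src, dst), n in summarize_flows(parse_packet_dump(PACKET_DUMP)).most_common():
        print(f"{n:3d}  {proto:4s} {src} -> {dst}")
    print("output type:", classify_output(ALERT_SAMPLE))
```

    Run against a saved scroll (for instance `snort 2>&1 | head -200 > dump.txt`, then feed the file to `parse_packet_dump`), it turns the wall of separators into a per-flow count; if `classify_output` says "packet dump", no rule evaluation is happening and the Alerts and Blocked tabs of the package will stay empty no matter how long it runs.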



  • Might be that you do not know what you are doing!

    Just post the system log here; for sure the reason why your snort cannot start is in there.



    Thanks for the suggestion of looking in the system log.  After attempting to start snort (failure) and reading the log, I disabled some rules, retried, disabled more rules, retried, etc., and snort started successfully.  Each rule that was causing an error I disabled and now it's working.

    Thanks.

    AWS
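    The resolution above came from the system log: Snort refuses to start when a rule it loads fails to parse, and it reports the rules file and line number of the offending rule before exiting. The script below is an added example, not part of the thread or of the pfSense snort package; it pulls those errors out of syslog text, lists the distinct file/line pairs to review, looks up the sid of the rule on that line so only that one rule has to be disabled rather than a whole category, and shows the "#" comment-out that disables a single rule line. The syslog lines, hostname, PIDs, paths, rule text and error messages in it are constructed, and the exact wording of Snort's messages is only approximated.

```python
import re

# Constructed syslog excerpt in the shape pfSense's system log shows for the
# snort package: the syslog prefix, then Snort's own "ERROR: file(line) message"
# form. Hostname, PIDs, paths and message text are made up for this example.
SYSLOG = """\
Jan  4 07:40:10 pfsense snort[18234]: Initializing rule chains...
Jan  4 07:40:11 pfsense snort[18234]: ERROR: /usr/local/etc/snort/rules/example.rules(3) Unknown rule option: 'nosuchoption'.
Jan  4 07:40:11 pfsense snort[18234]: FATAL ERROR: /usr/local/etc/snort/rules/example.rules(3) Failed to parse the rule.
Jan  4 07:41:02 pfsense snort[18301]: ERROR: /usr/local/etc/snort/rules/other.rules(7) Undefined variable in the string: $EXAMPLE_NET.
Jan  4 07:41:02 pfsense snort[18301]: FATAL ERROR: /usr/local/etc/snort/rules/other.rules(7) Failed to parse the rule.
"""

# Constructed contents of example.rules; line 3 is the rule the log points at.
# SIDs are in the local-rule range, and 'nosuchoption' is a deliberately
# invalid keyword standing in for whatever the real failing option was.
RULES = """\
# example.rules (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED good rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED broken rule"; nosuchoption; sid:1000002; rev:1;)
"""

# syslog prefix + "ERROR:"/"FATAL ERROR:" + "/path/to/file.rules(NN) message"
ERROR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+\S+\s+snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>FATAL ERROR|ERROR):\s+(?P<path>/[^\s(]+)\((?P<line>\d+)\)\s+(?P<msg>.*)$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_snort_errors(log_text):
    """Pull every Snort rule-load error out of syslog text, oldest first."""
    out = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["line"] = int(rec["line"])
            out.append(rec)
    return out


def failing_rules(errors):
    """Distinct (rules file, line number) pairs that stopped Snort from starting."""
    return sorted({(e["path"], e["line"]) for e in errors})


def extract_sid(rules_text, line_no):
    """Return the sid of the rule on a 1-based line, or None if that line has none."""
    lines = rules_text.splitlines()
    if not 1 <= line_no <= len(lines):
        return None
    m = SID_RE.search(lines[line_no - 1])
    return int(m.group(1)) if m else None


def disable_rule_line(rules_text, line_no):
    """Comment out one rule line with '#', which is how a single Snort rule is disabled."""
    lines = rules_text.splitlines()
    idx = line_no - 1
    if 0 <= idx < len(lines) and not lines[idx].lstrip().startswith("#"):
        lines[idx] = "# " + lines[idx]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    errors = parse_snort_errors(SYSLOG)
    print(f"{len(errors)} rule-load errors found")
    for path, line_no in failing_rules(errors):
        msgs = [e["msg"] for e in errors if (e["path"], e["line"]) == (path, line_no)]
        print(f"  {path}:{line_no}  {msgs[0]}")
    # Only example.rules is embedded here; a real run would open each path.
    sid = extract_sid(RULES, 3)
    print(f"rule on example.rules line 3 has sid {sid}; disabled line:")
    print(disable_rule_line(RULES, 3).splitlines()[2])
```

    On a pfSense box the same text comes from the system log (Status -> System Logs) rather than an embedded string, and the snort package regenerates its rules files from the GUI settings, so commenting the line by hand is a diagnostic step; the lasting fix is to disable the reported sid in the package's own rule list, which keeps the rest of that category active.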


Locked