Netgate Discussion Forum

    Snort Won't Start

    pfSense Packages
    11 Posts 3 Posters 3.6k Views
    awsiemieniec

      @marcelloc:

      Try to uninstall again, then go to the console and remove any Snort package or dependency left behind.
      I think some post on this topic has detailed info about this.

      (mod: thanks for the moving this post to a new thread).

      Snort will not start.  I have removed/verified pkgs are gone/reinstalled multiple times and am still at a non-working Snort state.  My Oink code is plugged in, it downloads the rules.  I've tried: only emerging threats, emerging threats + snort, only snort, just one random snort rule.  I've tried with values plugged into the "Servers" screen and with the same screen all empty (unconfigured).

      Any more suggestions to try?  Didn't work for me in 2.0, either.  This is a fresh build of 2.0.1.
      Snort 2.9.1 pkg v. 2.0.2
      i386

      Thanks,
      AWS

      marcelloc

        Did you configure it with the oinkmaster code?

        Did you enable the service?

        Did you configure an interface to listen on?

        Did you update the rules?

        Did you read this post?
        http://forum.pfsense.org/index.php/topic,44489.msg230969.html#msg230969

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          awsiemieniec

          When I go to the shell and type "snort", this is what scrolls along the screen.  It seems to never stop, which makes me think it's running, but there aren't any indications of it in the webConfigurator.

          
          01/02-15:17:02.419844 206.33.55.254:80 -> 10.1.1.10:60692
          TCP TTL:64 TOS:0x0 ID:48822 IpLen:20 DgmLen:1480 DF
          ***AP*** Seq: 0xC5345699  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
          =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
          
          01/02-15:17:02.420115 10.1.1.10:60692 -> 206.33.55.254:80
          TCP TTL:128 TOS:0x0 ID:15299 IpLen:20 DgmLen:40 DF
          ***A**** Seq: 0x45A8C94B  Ack: 0xC5345C39  Win: 0x4029  TcpLen: 20
          =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
          
          01/02-15:17:02.421065 206.33.55.254:80 -> 10.1.1.10:60692
          TCP TTL:64 TOS:0x0 ID:64194 IpLen:20 DgmLen:1480 DF
          ***AP*** Seq: 0xC5345C39  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
          =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
          
          01/02-15:17:02.421580 206.33.55.254:80 -> 10.1.1.10:60692
          TCP TTL:64 TOS:0x0 ID:423 IpLen:20 DgmLen:1480 DF
          ***AP*** Seq: 0xC53461D9  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
          =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
          
          01/02-15:17:02.421714 10.1.1.10:60692 -> 206.33.55.254:80
          TCP TTL:128 TOS:0x0 ID:15300 IpLen:20 DgmLen:40 DF
          ***A**** Seq: 0x45A8C94B  Ack: 0xC5346779  Win: 0x4029  TcpLen: 20
          =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
          
          01/02-15:17:02.423265 206.33.55.254:80 -> 10.1.1.10:60692
          TCP TTL:64 TOS:0x0 ID:11064 IpLen:20 DgmLen:1480 DF
          ***AP*** Seq: 0xC5346779  Ack: 0x45A8C94B  Win: 0x201  TcpLen: 20
          =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
          
          

          AWS

            marcelloc

            Snort is running.

            Go to Status -> Services to see Snort's current status.


              awsiemieniec

              @marcelloc:

              Did you configure it with the oinkmaster code?

              Did you enable the service?

              Did you configure an interface to listen on?

              Did you update the rules?

              Did you read this post?
              http://forum.pfsense.org/index.php/topic,44489.msg230969.html#msg230969

              1.) yes, via http://www.snort.org/.  Was using this same code when this HW was loaded with IPCop.
              2.) yes, checked the box on Snort Interface/If Settings/General Settings/Enable
              3.) yes, WAN
              4.) yes, currently just using snort rules.
              5.) yes, read the post right before posting the question. I disabled the rule, saved, enabled the service and still no luck.

              Thanks for your help.

                awsiemieniec

                @marcelloc:

                snort is running.

                go to status -> services to see snort current status.

                Right, that is the first time the service wasn't red…  Back on the Snort page/Snort Interfaces where it lists the rule, the left side shows a green square with a white "start" triangle.  Shouldn't that be an icon of a red square with a white "X" to show "stop"?  Besides that, I'm also not getting anything blocked ... ?

                But before, I swear, the service wouldn't start!  Now it is.  Guess I just posted 10 minutes too soon out of a 3-day attempt.  :-)  Thanks for your help.

                If I don't get any blocks within a few days I'll post back.  But from what I see scrolling in the shell, I have to agree that it is working.

                AWS

                  marcelloc

                  Yes, to help we need information.

                  When you say Snort doesn't start, it is not easy to know what is going on.

                  Next post, if any, try to include more information to help people help you.

                  Congratulations on your successful config; don't forget to read about Snort suppression rules.  ;)


                    awsiemieniec

                    There is something hinky with my setup of Snort.  Even though I can see the log of Snort running by going to the shell and typing "snort", nothing is being put in the logs for "Alerts" and "Blocked".  If I go to Services in the webConfigurator I can see that Snort is running, so I click the stop button and I get the "snort has been stopped" confirmation banner at the top, yet Snort is still running in the shell window and the Services screen still sees it as running.

                    In short, my issues are:
                    Snort is running but not "Alerting" or "Blocking"
                    Snort won't stop running (is that really a problem, though  :P)

                    It's been 38 hours since I started this thread and finally got Snort to start, but nothing in the logs?  Doesn't seem right.

                    Any ideas?

                      awsiemieniec

                      I've found that I can only start Snort via the shell.

                      [2.0.1-RELEASE][root@pfsense.sietg.local]/root(1): snort
                      Running in packet dump mode
                      
                              --== Initializing Snort ==--
                      Initializing Output Plugins!
                      pcap DAQ configured to passive.
                      Acquiring network traffic from "em0".
                      Decoding Ethernet
                      
                              --== Initialization Complete ==--
                      
                         ,,_     -*> Snort! <*-
                        o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135) FreeBSD
                         ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                                 Copyright (C) 1998-2011 Sourcefire, Inc., et al.
                                 Using libpcap version 1.1.1
                                 Using PCRE version: 8.12 2011-01-15
                                 Using ZLIB version: 1.2.3
                      
                      Commencing packet processing (pid=17507)
                      01/04-07:30:57.593336 70.89.183.189:12489 -> 10.1.1.4:32915
                      TCP TTL:116 TOS:0x0 ID:11817 IpLen:20 DgmLen:52
                      ***A**** Seq: 0x7188B86C  Ack: 0xE14B79FF  Win: 0xFFFB  TcpLen: 32
                      TCP Options (3) => NOP NOP TS: 35750331 2324854222
                      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
                      
                      01/04-07:30:58.732919 10.1.2.6:58847 -> 10.1.1.5:53
                      UDP TTL:127 TOS:0x0 ID:11072 IpLen:20 DgmLen:64
                      Len: 36
                      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
                      
                      01/04-07:30:58.733069 10.1.1.5:22958 -> 205.171.3.65:53
                      UDP TTL:128 TOS:0x0 ID:5398 IpLen:20 DgmLen:64
                      Len: 36
                      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
                      
                      01/04-07:30:58.751585 205.171.3.65:53 -> 10.1.1.5:22958
                      UDP TTL:59 TOS:0x0 ID:43992 IpLen:20 DgmLen:80
                      Len: 52
                      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
                      
                      01/04-07:30:58.751721 10.1.1.5:53 -> 10.1.2.6:58847
                      UDP TTL:128 TOS:0x0 ID:5399 IpLen:20 DgmLen:80
                      Len: 52
                      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
                      
                      ^Z
                      Suspended
                      [2.0.1-RELEASE][root@pfsense.sietg.local]/root(2):
                      
                      

                      One thing of note: when Snort is starting it says: Acquiring network traffic from "em0".  em0 is my Intel PRO card on my LAN side.  I've configured Snort to look at the WAN side.  Is this correct and I just don't understand what I'm seeing?

                      Thx.
                      AWS

                        eri--
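The bare "snort" run at the shell above is not the instance the pfSense package manages: started with no -c and no -i, Snort runs in packet-dump mode on the default pcap device (em0 on this box) and never loads snort.conf or any rules, which is why LAN traffic scrolls past even though the package was configured for WAN, and why nothing reaches the Alerts or Blocked logs. The package starts its own process with a config file and interface on the command line. The script below is an added example, not code from the thread or from the pfSense Snort package; it tells the two apart from ps output. The sample ps lines are constructed, and the exact flags the package passes are an assumption modelled on later package versions.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense snort package):
# distinguish the instance pfSense starts from a bare "snort" run by hand.
#
# A bare "snort" with no -c/-i runs in packet-dump mode on the default pcap
# device (em0 in the thread) and never reads snort.conf or any rules.
# The package-managed instance carries "-c <snort.conf> -i <iface>".
#
# Constructed sample of "ps auxwww | grep '[s]nort'"; the flags the package
# passes are an assumption modelled on later pfSense versions.
SAMPLE_PS='root 17507  0.0  1.2  8192  4096  0  S+   07:30AM 0:00.12 snort
root 18231  0.3 12.0 90000 61000  ??  Ss    07:35AM 0:05.01 /usr/local/bin/snort -D -q -l /var/log/snort -c /usr/local/etc/snort/snort_43171_em1/snort.conf -i em1'

# describe_snort_procs: ps lines on stdin; prints "<pid> <mode> <iface> <conf>"
# per snort process. mode is "package" when a -c config is present and
# "packet-dump" otherwise (no config means no alerting or blocking).
describe_snort_procs() {
    while read -r line; do
        case "$line" in *snort*) ;; *) continue ;; esac
        pid=$(printf '%s\n' "$line" | awk '{print $2}')
        iface=$(printf '%s\n' "$line" | sed -n 's/.* -i \([^ ]*\).*/\1/p')
        conf=$(printf '%s\n' "$line" | sed -n 's/.* -c \([^ ]*\).*/\1/p')
        if [ -n "$conf" ]; then
            mode=package
        else
            mode=packet-dump
            iface=${iface:-default}   # pcap picks the first device
        fi
        printf '%s %s %s %s\n' "$pid" "$mode" "$iface" "${conf:-none}"
    done
}

# Run against the constructed sample; on a pfSense box pipe real ps output:
#   ps auxwww | grep '[s]nort' | describe_snort_procs
printf '%s\n' "$SAMPLE_PS" | describe_snort_procs
```

A process listed as packet-dump is the one left over from a hand-started shell session, which also explains why the Services stop button appears to do nothing: it only signals the package instance by its pid file. Stop the stray one with kill on its pid (17507 in the sample) and judge the package from the line that shows a config and the interface you chose.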

                        Might be that you do not know what you are doing!

                        Just post the system log here; for sure the reason why your Snort cannot start is in there.

                          awsiemieniec

                          Thanks for the suggestion of looking in the system log.  After attempting to start Snort (failure) and reading the log, I disabled some rules, retried, disabled more rules, retried, etc., and Snort started successfully.  Each rule that was causing an error I disabled, and now it's working.

                          Thanks.

                          AWS

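The fix the poster landed on, reading the system log and disabling each rule it complained about, can be done in one pass instead of several. Snort reports a bad rule as "FATAL ERROR: <rules file>(<line>) <reason>" and pfSense relays that line to the system log; the line number points into the generated rules file, and the sid on that line is what the package's Rules tab toggles. The script below is an added example, not code from the thread or from the pfSense Snort package; both the log and the rules file it reads are constructed samples, and the paths are assumptions about the 2.0.x package layout.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense snort package): find the
# rule that made Snort exit at startup and resolve it to a SID.
#
# Snort reports a bad rule as "FATAL ERROR: <rules file>(<line>) <reason>"
# and pfSense relays that to the system log. Both inputs below are
# constructed samples; the paths assume the 2.0.x package layout.
SAMPLE_LOG='Jan  4 07:45:12 pfsense snort[18231]: Initializing rule chains...
Jan  4 07:45:13 pfsense snort[18231]: FATAL ERROR: /usr/local/etc/snort/snort_43171_em1/rules/snort.rules(3) Unknown rule option: bogus_option.
Jan  4 07:45:13 pfsense snort[18231]: Fatal Error, Quitting..'

SAMPLE_RULES='# constructed rules file standing in for snort.rules
alert tcp any any -> any 80 (msg:"Good rule"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"Broken rule"; bogus_option; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"Another good rule"; sid:1000003; rev:1;)'

# snort_fatal_rule_refs: syslog on stdin; prints "<rules file> <line>" for
# every FATAL ERROR that points at a rule.
snort_fatal_rule_refs() {
    sed -n 's/.*FATAL ERROR: \([^ ()]*\)(\([0-9][0-9]*\)).*/\1 \2/p'
}

# rule_sid_at_line LINENO: rules text on stdin; prints the sid on that line.
rule_sid_at_line() {
    sed -n "${1}p" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p'
}

# offending_sids LOGTEXT RULESTEXT: prints "<file> <line> <sid>" per error.
# On a real box pass "$(cat /var/log/system.log)" and "$(cat <rules file>)".
offending_sids() {
    printf '%s\n' "$1" | snort_fatal_rule_refs | while read -r file lineno; do
        sid=$(printf '%s\n' "$2" | rule_sid_at_line "$lineno")
        printf '%s %s %s\n' "$file" "$lineno" "${sid:-unknown}"
    done
}

offending_sids "$SAMPLE_LOG" "$SAMPLE_RULES"
```

Disable the reported SID on the interface's Rules tab rather than editing the generated rules file, since the package rewrites that file on the next rule update. Snort only reports the first fatal rule per start, so repeat after each restart; running "snort -T -c <snort.conf> -i <iface>" from the shell validates the configuration and exits, printing the same FATAL ERROR on the console without leaving a stray packet-dump process behind.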
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.