Snort not running when setup on 2 interfaces
-
Hi all,
I have a 2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:43:51 EST 2011
FreeBSD 8.1-RELEASE-p6Snort 2.9.1 pkg v. 2.1.1
running.
Today I installed Snort by selecting it from the available packages.
I set it up to run on the WAN-interface and on one virtual interface.When I start the Snort-Service ("Status", "Services" and there the "snort"-service, it does not start at all.
The only message that makes a little sense in the logs is this:
Jan 29 22:37:41 SnortStartup[47577]: Snort HARD START For 16900_em3_vlan20... Jan 29 22:37:41 SnortStartup[47250]: Snort HARD STOP For 16900_em3_vlan20...When I go to "Services", then "Snort" and click on the little green icon on the very left side of one of the interfaces, Sort comes up, nothing special to see in the logs.
After that, when I try to start the next interface it starts the 2nd interface but at the same time stops the first.
This is what I see in the logs (of course there is more but the rest of the messages there are just for loading and applying rules)Jan 29 22:46:32 snort[56004]: Could not remove pid file /var/log/snort/run/snort_em3_vlan2016900.pid: No such file or directory Jan 29 22:46:32 snort[56004]: Could not remove pid file /var/log/snort/run/snort_em3_vlan2016900.pid: No such file or directoryDoes anybody have an idea what I am doing wrong?
Regards
T -
Did you configured oincmaster code and updated the rules?
-
Yes
-
Full system logs please!
-
ok,
1. starting from "Status-Services" now starts Snort on WAN (Icon is green), but absolutely nothing in the System-Log (Status-System Logs-System)
2. starting from "Services-Snort":…
now it gets interesting:
I get this error when trying to display the page at "Services-Snort":Warning: fopen(/usr/local/etc/snort/snort_16900_em3_vlan20/snort.conf): failed to open stream: Not a directory in /usr/local/pkg/snort/snort.inc on line 1251 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 108 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 109 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 110 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 111 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 112 Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 124But still absolutely nothing in the logs… strange. Also after a fresh login no snort service running.
Yesterday I experienced different problems. I did not change anything between my first post and this post, because I was sleeping :-) .
Ok, what about a reboot?
EDIT: I think the webfrontend is not talking with the backend anymore... logfiles are not updated there.
If you tell me which logfile you need from the console I will be happy to post it here. Looks like there are several problems now (my initial problem and the webfrontend)EDIT2 (After a reboot): There are no logfiles at /var/log/snort or /var/log/snort/snort_sys_0ng0
The directory /var/log/snort only contains 1 file "alert" and 2 empty directories "barnyyard2" and "run"On boot I saw a lot of error messages that some directories/files not being found, but I am unable to locate the logfiles which contains the messages displayed on the console at boot.
Regards
T -
Can you please state your pfSense version?
-
@ermal:
Can you please state your pfSense version?
less /etc/version ```gives me a``` 2.0.1-RELEASEless /etc/platform ```shows``` pfsenseBest regards
T