    Snort not running when setup on 2 interfaces

    TU1976

      Hi all,

      I have a 2.0.1-RELEASE (amd64)
      built on Mon Dec 12 18:43:51 EST 2011
      FreeBSD 8.1-RELEASE-p6

      Snort 2.9.1 pkg v. 2.1.1

      running.

      Today I installed Snort by selecting it from the available packages.
      I set it up to run on the WAN-interface and on one virtual interface.

      When I start the Snort-Service ("Status", "Services" and there the "snort"-service), it does not start at all.

      The only message that makes a little sense in the logs is this:

      Jan 29 22:37:41	SnortStartup[47577]: Snort HARD START For 16900_em3_vlan20...
      Jan 29 22:37:41	SnortStartup[47250]: Snort HARD STOP For 16900_em3_vlan20...
      

      When I go to "Services", then "Snort" and click on the little green icon on the very left side of one of the interfaces, Snort comes up, nothing special to see in the logs.

      After that, when I try to start the next interface it starts the 2nd interface but at the same time stops the first.
      This is what I see in the logs (of course there is more but the rest of the messages there are just for loading and applying rules)

      Jan 29 22:46:32	snort[56004]: Could not remove pid file /var/log/snort/run/snort_em3_vlan2016900.pid: No such file or directory
      Jan 29 22:46:32	snort[56004]: Could not remove pid file /var/log/snort/run/snort_em3_vlan2016900.pid: No such file or directory
      

      Does anybody have an idea what I am doing wrong?

      Regards
      T

        marcelloc

        Did you configure the oinkmaster code and update the rules?

          TU1976

          Yes

            eri--

            Full system logs please!

              TU1976

              ok,

              1. starting from "Status-Services" now starts Snort on WAN (Icon is green), but absolutely nothing in the System-Log (Status-System Logs-System)
              2. starting from "Services-Snort":

              …

              now it gets interesting:
              I get this error when trying to display the page at "Services-Snort":

              Warning: fopen(/usr/local/etc/snort/snort_16900_em3_vlan20/snort.conf): failed to open stream: Not a directory in /usr/local/pkg/snort/snort.inc on line 1251
              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 108
              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 109
              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 110
              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 111
              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 112
              Warning: Cannot modify header information - headers already sent by (output started at /usr/local/pkg/snort/snort.inc:1251) in /usr/local/www/snort/snort_interfaces.php on line 124
              

              But still absolutely nothing in the logs… strange. Also after a fresh login no snort service running.

              Yesterday I experienced different problems. I did not change anything between my first post and this post, because I was sleeping :-) .

              Ok, what about a reboot?

              EDIT: I think the webfrontend is not talking with the backend anymore... logfiles are not updated there.
              If you tell me which logfile you need from the console I will be happy to post it here. Looks like there are several problems now (my initial problem and the webfrontend)

              EDIT2 (After a reboot): There are no logfiles at /var/log/snort or /var/log/snort/snort_sys_0ng0
              The directory /var/log/snort only contains 1 file "alert" and 2 empty directories "barnyyard2" and "run"

              On boot I saw a lot of error messages about some directories/files not being found, but I am unable to locate the logfiles which contain the messages displayed on the console at boot.

              Regards
              T

                eri--

                Can you please state your pfSense version?

                  TU1976

                  @ermal:

                  Can you please state your pfSense version?

                  `less /etc/version` gives me a `2.0.1-RELEASE`

                  `less /etc/platform` shows `pfsense`
                  

                  Best regards
                  T
