Snort Stable 2.9.2.3 pkg v. 2.2 Failed
-
Was daq-0.6.2.tbz introduced recently? Since daq depends on libpcap-1.2.1 and snort on libpcap-1.1.1_1, maybe that could be the source of the problems? I don't know if libdnet uses libpcap or daq (at time of compilation or later), but if it does, maybe that is where the issue is.
-
Been running Snort 2.9.2.3 pkg v. 2.2 (AMD64) for more than 2 full days. Everything appears to be working properly, with the exception of the dashboard widget, which I noted in an earlier post. However, it now appears that Snort is shutting down and not restarting twice a day. I suspect this coincides with my 12-hour update schedule, but I can't confirm since update attempts are not logged. The shutdowns leave no log entries either.
I am able to restart Snort manually after these incidents.
Can anyone confirm this behavior on another system?
-
@ermal:
The issue with old code that is present when you upgrade to a new version will be there even when you reinstall since the damage from old code will be done.
Feadin,
that is why for 2.1 we are moving to PBIs, especially to make these dependency issues go away once and for all.
For now you have to clean your environment from other packages you have as well and reinstall again.
So, my question is… how does one clean the environment to stop this error:
/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout
(e.g. what do I uninstall and install to stop this?)
-
Been running Snort 2.9.2.3 pkg v. 2.2 (AMD64) for more than 2 full days. Everything appears to be working properly, with the exception of the dashboard widget, which I noted in an earlier post. However, it now appears that Snort is shutting down and not restarting twice a day. I suspect this coincides with my 12-hour update schedule, but I can't confirm since update attempts are not logged. The shutdowns leave no log entries either.
I am able to restart Snort manually after these incidents.
Can anyone confirm this behavior on another system?
I had this problem. It appears to have been a problem with the cron job that deletes blocked IPs after a set time. I fixed it by going into the general tab and selecting never, then saved, then reselected the amount of time I wanted and clicked save again. This deleted and recreated the cron job. When this was happening there was nothing in the logs either.
-
Just an update. I installed a clean pfSense 2.0.1 on a new VM, right after that I installed the snort package and it says the usual (screenshot attached)
![snort error.png](/public/imported_attachments/1/snort error.png)
-
/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout
Is it possible that the 32bit version got put in the 64 repo for the latest snort package?
I could be way off base and I apologize if I'm making more noise than you need right now to fix this.
I am not much in the way of a freebsd coder.
BTW: Thank you for the attention you guys are giving this. I (the company I work for) paid for pfsense support for a couple of boxes so far and paid for 2 sensors of snort.
As soon as I can, I'll be personally buying some beer and chips for a couple of you guys via your "donate" buttons.
-
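One way to check the question raised in the post above (whether a 32-bit library ended up on a 64-bit system), added here as an example and not part of the original thread: the function reads a file's ELF header and reports its class, byte order and machine. The function names and the expected string "ELF64 LSB amd64" are illustrative assumptions; the library path in the usage comment is the one from the error message.

```shell
#!/bin/sh
# Added example (not from the thread): inspect ELF headers to spot a library
# built for a different word size or architecture than the rest of the system.
# Usage (assumed): sh elfcheck.sh "ELF64 LSB amd64" /usr/local/lib/libdnet.1

# elf_layout FILE -> prints e.g. "ELF64 LSB amd64", or "not-ELF" (status 1)
elf_layout() {
    # First 20 header bytes as hex: e_ident[0..15], e_type, e_machine
    set -- $(od -An -tx1 -N20 "$1" 2>/dev/null)
    [ "$#" -eq 20 ] && [ "$1$2$3$4" = "7f454c46" ] || { echo "not-ELF"; return 1; }
    # e_ident[EI_CLASS]: 1 = 32-bit objects, 2 = 64-bit objects
    case "$5" in 01) class=ELF32 ;; 02) class=ELF64 ;; *) class="ELF?" ;; esac
    # e_machine is 16 bits at offset 18, stored in the file's own byte order
    case "$6" in
        01) order=LSB; mach="${20}${19}" ;;
        02) order=MSB; mach="${19}${20}" ;;
        *)  order="?"; mach="????" ;;
    esac
    case "$mach" in
        0003) arch=i386 ;;
        003e) arch=amd64 ;;
        *)    arch="machine-0x$mach" ;;
    esac
    echo "$class $order $arch"
}

# find_mismatched EXPECTED FILE... -> prints every file whose layout differs
# from EXPECTED; returns 1 if at least one mismatch was found
find_mismatched() {
    expected=$1; shift
    bad=0
    for f in "$@"; do
        got=$(elf_layout "$f") || true
        if [ "$got" != "$expected" ]; then
            echo "$f: $got (expected $expected)"
            bad=1
        fi
    done
    return "$bad"
}

# Run only when an expected layout and at least one file are given
if [ "$#" -ge 2 ]; then
    find_mismatched "$@"
fi
```

Running it over the snort binary and each library it links against shows at a glance whether any single file differs from the rest.
-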
Been running Snort 2.9.2.3 pkg v. 2.2 (AMD64) for more than 2 full days. Everything appears to be working properly, with the exception of the dashboard widget, which I noted in an earlier post. However, it now appears that Snort is shutting down and not restarting twice a day. I suspect this coincides with my 12-hour update schedule, but I can't confirm since update attempts are not logged. The shutdowns leave no log entries either.
I am able to restart Snort manually after these incidents.
Can anyone confirm this behavior on another system?
I had this problem. It appears to have been a problem with the cron job that deletes blocked IPs after a set time. I fixed it by going into the general tab and selecting never, then saved, then reselected the amount of time I wanted and clicked save again. This deleted and recreated the cron job. When this was happening there was nothing in the logs either.
This seems to have worked. Snort has gone thru an automated rules update without stopping after following these steps. BTW, Snort updates are logged to /tmp/snort_update.log, although previous entries record that Snort restarted. I don't think that's accurate. It just indicates that a restart was executed, not necessarily successfully. However, the log does report the date/time of the activity which, if no Snort alerts are received after a scheduled update, may lend evidence that there's a cron job failure.
mschiek - thanks for the help.
Update: Fix one problem - find another. An hour after successfully updating, logged error:
kernel: pid 25427 (snort), uid 0: exited on signal 10
The shutdown was preceded with this entry at the same recorded time:
snort[25427]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 109.169.37.117:5065 -> [my address]:5060
Any ideas as to what's going on?
-
Been running Snort 2.9.2.3 pkg v. 2.2 (AMD64) for more than 2 full days. Everything appears to be working properly, with the exception of the dashboard widget, which I noted in an earlier post. However, it now appears that Snort is shutting down and not restarting twice a day. I suspect this coincides with my 12-hour update schedule, but I can't confirm since update attempts are not logged. The shutdowns leave no log entries either.
I am able to restart Snort manually after these incidents.
Can anyone confirm this behavior on another system?
I had this problem. It appears to have been a problem with the cron job that deletes blocked IPs after a set time. I fixed it by going into the general tab and selecting never, then saved, then reselected the amount of time I wanted and clicked save again. This deleted and recreated the cron job. When this was happening there was nothing in the logs either.
This seems to have worked. Snort has gone thru an automated rules update without stopping after following these steps. BTW, Snort updates are logged to /tmp/snort_update.log, although previous entries record that Snort restarted. I don't think that's accurate. It just indicates that a restart was executed, not necessarily successfully. However, the log does report the date/time of the activity which, if no Snort alerts are received after a scheduled update, may lend evidence that there's a cron job failure.
mschiek - thanks for the help.
Update: Fix one problem - find another. An hour after successfully updating, logged error:
kernel: pid 25427 (snort), uid 0: exited on signal 10
The shutdown was preceded with this entry at the same recorded time:
snort[25427]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 109.169.37.117:5065 -> [my address]:5060
Any ideas as to what's going on?
I have had that error as well and I have not figured out as of yet what is causing it. After this error the snort process on the interface starts normally and it has not stopped again, which is even more confusing.
BTW, what do you have your mem performance settings set at? Also, how many WAN interfaces do you have? I am just trying to figure out a common thread to this.
-
Greetings to the community!
This is my first posting - I have been reading here and using pfSense for several months now. It's a good opportunity to say thank you very much for your efforts and this really great system.
Since the Snort updates of course I too get errors. Package 2.2 was ok, but also went down on my amd64 installation without obvious reason (after about 16 hours working and blocking). Since the new version 2.9.2.3 pkg v 2.2.1 it does not start at all.
My logs show an unknown preprocessor fatal error. Maybe it helps:
Jun 15 21:59:02 gatekeeper snort[33708]: FATAL ERROR: /usr/local/etc/snort/snort_26132_em1/snort.conf(180) Unknown preprocessor: "ftp_telnet".
Jun 15 21:59:02 gatekeeper SnortStartup[33762]: Interface Rule START for 0_26132_em1…
If I disable ftp/telnet preprocessor the next fatal error pops-up with smtp.
Greetings and again a big Thank you to all developers!
Jud3x
-
Jun 15 21:59:02 gatekeeper snort[33708]: FATAL ERROR: /usr/local/etc/snort/snort_26132_em1/snort.conf(180) Unknown preprocessor: "ftp_telnet".
Jun 15 21:59:02 gatekeeper SnortStartup[33762]: Interface Rule START for 0_26132_em1…
This just means your install had failed and/or the package was missing files.
In order to solve the issue you have to remove snort (pkg_delete snort); it should show you that files are missing, and you want to delete any leftover snort files. Next, go to packages and reinstall snort, re-download rules, and your snort should be working.
There are posted directions in this forum on how to remove snort.
-
@ermal:
The issue with old code that is present when you upgrade to a new version will be there even when you reinstall since the damage from old code will be done.
Feadin,
that is why for 2.1 we are moving to PBIs, especially to make these dependency issues go away once and for all.
For now you have to clean your environment from other packages you have as well and reinstall again.
So, my question is… how does one clean the environment to stop this error:
/libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout
(e.g. what do I uninstall and install to stop this?)
I've been going thru installs and uninstalls trying to find a combination of releases and fixes which will run for more than 12 hours. I noted that a new version 2.2.1 (AMD64) was released today but it's giving me a /usr/local/lib/libdnet.1: unsupported file layout error when I attempt to start Snort from the console. I've tried the solutions posted in this thread, but they have failed.
Anyone know what the problem is?
-
Jun 15 21:59:02 gatekeeper snort[33708]: FATAL ERROR: /usr/local/etc/snort/snort_26132_em1/snort.conf(180) Unknown preprocessor: "ftp_telnet".
Jun 15 21:59:02 gatekeeper SnortStartup[33762]: Interface Rule START for 0_26132_em1…
This just means your install had failed and/or the package was missing files.
In order to solve the issue you have to remove snort (pkg_delete snort); it should show you that files are missing, and you want to delete any leftover snort files. Next, go to packages and reinstall snort, re-download rules, and your snort should be working.
There are posted directions in this forum on how to remove snort.
Well, thx for the hint. Did that - error is gone, but snort does not start at all now.
BTW, pfsense rules don't get downloaded at the moment.
I think I will wait some days/weeks til new package version comes out. This seems to be a big mess at the moment. :(
Greets, jud3x
-
I would try to save all snort settings. Click on edit and then save and then try to download snort rules. Is your system rw?
-
Been running Snort 2.9.2.3 pkg v. 2.2 (AMD64) for more than 2 full days. Everything appears to be working properly, with the exception of the dashboard widget, which I noted in an earlier post. However, it now appears that Snort is shutting down and not restarting twice a day. I suspect this coincides with my 12-hour update schedule, but I can't confirm since update attempts are not logged. The shutdowns leave no log entries either.
I am able to restart Snort manually after these incidents.
Can anyone confirm this behavior on another system?
I had this problem. It appears to have been a problem with the cron job that deletes blocked IPs after a set time. I fixed it by going into the general tab and selecting never, then saved, then reselected the amount of time I wanted and clicked save again. This deleted and recreated the cron job. When this was happening there was nothing in the logs either.
This seems to have worked. Snort has gone thru an automated rules update without stopping after following these steps. BTW, Snort updates are logged to /tmp/snort_update.log, although previous entries record that Snort restarted. I don't think that's accurate. It just indicates that a restart was executed, not necessarily successfully. However, the log does report the date/time of the activity which, if no Snort alerts are received after a scheduled update, may lend evidence that there's a cron job failure.
mschiek - thanks for the help.
Update: Fix one problem - find another. An hour after successfully updating, logged error:
kernel: pid 25427 (snort), uid 0: exited on signal 10
The shutdown was preceded with this entry at the same recorded time:
snort[25427]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 109.169.37.117:5065 -> [my address]:5060
Any ideas as to what's going on?
I have had that error as well and I have not figured out as of yet what is causing it. After this error the snort process on the interface starts normally and it has not stopped again, which is even more confusing.
BTW, what do you have your mem performance settings set at? Also, how many WAN interfaces do you have? I am just trying to figure out a common thread to this.
My mem performance settings are set to defaults. I'm running w/4 GB RAM, which is relevant. I have 1 WAN interface, 1 LAN and 1 optional designated for WIFI.
-
When I try to remove snort, I get this
------------------------------------------------------
Removing package...
Skipping package deletion for mysql-client-5.1.53 because it is a dependency.
Starting package deletion for barnyard2-1.9_2...done.
Starting package deletion for mysql-client-5.1...done.
Skipping package deletion for libnet11-1.1.2.1_3,1 because it is a dependency.
Skipping package deletion for libdnet-1.11_3 because it is a dependency.
Skipping package deletion for libpcap-1.1.1_1 because it is a dependency.
Skipping package deletion for daq-0.6.2 because it is a dependency.
Starting package deletion for snort-2.9.2.3...done.
Skipping package deletion for pcre-8 because it is a dependency.
Starting package deletion for perl-threaded-5.12.4_4...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up...
Package deleted.
Before re-installing the snort, should I delete these files manually?
-
I would try to save all snort settings. Click on edit and then save and then try to download snort rules. Is your system rw?
Yes, it is rw.
In fact I am getting the same error as many others:
ibexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout
Greets, jud3x
-
Been able to get the previous iterations of 2.9.2.3 to work on AMD64 (with clean installs etc.), but no joy with the latest install from last night. All preprocessors checked off, only one rule chosen (and not a .so). The log doesn't show errors; however, Snort won't start.
Services: Snort 2.9.2.3 pkg v. 2.2.1
Jun 16 11:24:58 SnortStartup[32550]: Interface Rule START for 0_36642_re1…
Jun 16 11:24:58 SnortStartup[26572]: Toggle for 36642_re1…
Jun 16 11:24:49 php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules...
Jun 16 11:24:49 SnortStartup[20414]: Snort HARD START For 36642_re1…
Jun 16 11:24:27 php: /snort/snort_download_rules.php: Emergingthreats rules file update downloaded succsesfully
Jun 16 11:24:25 php: /snort/snort_download_rules.php: Snort rules file update downloaded succsesfully
For those of you that may be wondering how to start SNORT from the PFSENSE command line (OK, I didn't know myself so posting here for Google) :-)
Make sure that in the pfsense GUI, under System: Advanced: Admin Access, the Enable Secure Shell checkbox is enabled. From Windows (in my case, as I don't have a keyboard/monitor attached to the running pfsense box) use the free download Putty.exe. Run it, entering your pfsense router IP and port 22 for SSH.
Log in to pfsense and choose option 8 (SHELL)
Type this in: /usr/local/bin/snort and hit the ENTER key to execute.
In my case the result: "ibexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout" would indicate the same problem as posted previously, that doesn't show up on the pfsense GUI log.
-
There doesn't appear to be an open bug tracker ticket on the /libexec/ld-elf.so.1: /usr/local/lib/libdnet.1: unsupported file layout issue.
Can someone with access to that system create a formal notification of the problem? This has been reported to this forum several times over the past two days, but no one seems to have a solution.
Thanks.
-
I tried starting snort from console:
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(5): /usr/local/bin/snort
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"
From GUI I get:
SnortStartup[36515]: Snort HARD START For 28453_em0…
So it seems like I'm having problems with libcap not installing correctly even when I remove and reinstall snort.
-
I tried starting snort from console:
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(5): /usr/local/bin/snort
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"
From GUI I get:
SnortStartup[36515]: Snort HARD START For 28453_em0…
So it seems like I'm having problems with libcap not installing correctly even when I remove and reinstall snort.
I believe this is a different issue that was addressed in another part of the forums. Search for the error you are getting (the libpcap.so.1 not found part) and you should find it. Essentially, you need to make a couple of symlinks to fix this.