Snort 2.9.2.3 pkg v. 2.2.1 is not starting when i enable "block offenders"
-
My pfsense device is running 2.0.1 version and i just installed the snort package 2.9.2.3 pkg v. 2.2.1.
Seems to work fine until i enable the "block offenders" choice. When i do that snort is NOT starting and i have the following error in logs:
snort[47671]: FATAL ERROR: /usr/local/etc/snort/snort_62371_fxp0/snort.conf(244) Unknown output plugin: "alert_pf"
Anybody else is having the same problem or is it just me?
-
Same versions for my setup, snort won't start with "block offenders" enabled, and same error:
snort[34856]: FATAL ERROR: /usr/local/etc/snort/snort_17275_fxp0/snort.conf(239) Unknown output plugin: "alert_pf"
-
Just as an aside: did you check with ps if snort isn't actually running? I thought snort wasn't running, because it didn't show up as being active, but in the end, it still blocked some traffic and things started working again, as soon as I tuned the "block offenders" option off…
-
You probably have to remove snort from console / ssh with pkg_delete snort <version>as it's not correctly installed.</version>
-
Hi,
Same issue here and same setup/install as koukobin on an i386 platform. (1st post)
Prior to trying pfsense again (had more or less the other problems previously encountered by other people) I ran this process from another post (sorry cannot locate the original posting):
–---
You may want to try doing a pkg_info to see all installed packages and then manually removing every related package with pkg_delete -f. The important packages you should remove are libpcap, libnet, libdnet, daq and of course snort as far as I remember. Also make sure you're not behind a proxy which may be caching the old filesI also had to remove the barnyard package (although I wasn't using that). Rebooted, installed snort, entered oink code, configured interface, downloaded rulesets (not enabling any) then got the above error. Also tried manually starting snort in the gui and rebooting but still the same error. Although when I rebooted and my services started snort was reported as "Starting.....done but in the gui still not showing as running.
-
I manually deleted from console snort and all related packages such as libpcap, libnet, libdnet, daq and then reinstall snort but still the same problem (FATAL ERROR: Unknown output plugin: "alert_pf" when "block offenders is enabled)
Actually snort is starting, although into services –> snort seems as it doesn't.
I am able to see the process running in console (ps aux | grep snort) as rcfa suggested, and also noticed that its producing alerts.
So i think there must be a problem with the "block offenders" option, because as i see its not only me that has this problem.
-
I haven't followed the Snort-threads in recent months, but I seem to remember that a few months ago Ermal rewrote / enhanced the spoink http://spoink.sourceforge.net/ output-plugin specifically for pfSense. However, judging from a quick look at https://github.com/bsdperimeter/pfsense-tools/tree/master/pfPorts/snort it seems that pfSense's latest snort is built with the unofficial SnortSam http://www.snortsam.net/news.html patch.
Apparently a decision was made to track the more widely deployed SnortSam agent, rather than try to maintain a pfsense-specific patch of Snort.
Hopefully the developers will shed some light into this.
-
Try to remove and reinstall again, I uploaded a new build of the i386 snort package a couple hours ago, it may be fixed now.
-
You are the men !!! Cool its working !
Thanks
-
Upon closer examination, it seems that Ermal's spoink patch is also used.
Could one of pfsense Snort pkg managers please share some info about how spoink & SnortSam are used ?
TIA!
-
Try to remove and reinstall again, I uploaded a new build of the i386 snort package a couple hours ago, it may be fixed now.
Thanks jimp, have removed from the process I mentioned earlier and reinstalled. The service and interface are now showing as running and the Unknown output plugin: "alert_pf" error is now no more.
Cheers
-
On my 2.0.1 stopping the interface in the GUI still leaves the process running and starts a second one.
Process also gets duplified on manual rule update.Greets
-
Try to remove and reinstall again, I uploaded a new build of the i386 snort package a couple hours ago, it may be fixed now.
That worked for me, too, and now I am able to start the snort service with blocking mode enabled. However, stopping the snort interface in the snort gui does not stop the service, and starting it again starts a new service. Please post a note here when this has been fixed.
Thanks so much for providing the Snort package!! I've been using it for a couple years now and have been very pleased with it.
-
Try to remove and reinstall again, I uploaded a new build of the i386 snort package a couple hours ago, it may be fixed now.
That worked for me, too, and now I am able to start the snort service with blocking mode enabled. However, stopping the snort interface in the snort gui does not stop the service, and starting it again starts a new service. Please post a note here when this has been fixed.
Thanks so much for providing the Snort package!! I've been using it for a couple years now and have been very pleased with it.
See this post:
http://forum.pfsense.org/index.php/topic,50758.0.htmlI started this thread for the problem with the snort service not quitting for a restart, but starting a new one anyways. I think everyone is having this issue since the latest version came out.
