Netgate Discussion Forum
    2.0.1 - Snort won't start - New Install

    pfSense Packages
    24 Posts 7 Posters 11.5k Views
      NetworkNubbin

      Hi Everyone,

      I'm having some issues getting Snort started. When I press the 'play' button in the webGUI, it fails to start. Watching the processes in action shows that the stop/start scripts are run, but the snort service never starts:

      # while [ true ]
      > do
      > ps aux | grep -i snort | grep -v grep
      > sleep 1
      > done
      root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh stop
      root   29862  0.1  0.2  3656  1544  ??  S    11:23AM   0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh stop
      root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh stop
      root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
      root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh stop
      root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
      root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
      root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
      
      

      The service starts fine manually (snort &), but it does not appear to function correctly when I run this (i.e. no alerts/logs, etc.).

      What should I do?

      Thanks in advance!

        NetworkNubbin

        When I run the start script manually I get:

        /usr/local/etc/rc.d/snort.sh start
        pgrep: Pidfile `/var/run/snort_sis01697.pid' is empty
        pgrep: Pidfile `/var/run/snort_vr08627.pid' is empty
        
        

        If this were Linux I'd have a pretty good idea what to drop into those files, but… I'm a pretty big noob when it comes to BSD :)

        There's obviously a problem with my config/script, but I don't know what to add to those PID files.

        Running it manually it listens on sis0 without issues:

        ===============================================================================
        Run time for packet processing was 33.842632 seconds
        Snort processed 319 packets.
        Snort ran for 0 days 0 hours 0 minutes 33 seconds
           Pkts/sec:            9
        ===============================================================================
        Packet I/O Totals:
           Received:          380
           Analyzed:          319 ( 83.947%)
            Dropped:            0 (  0.000%)
           Filtered:            0 (  0.000%)
        Outstanding:           61 ( 16.053%)
        
        
          Fesoj

          Are there any clues in the system log (Status: System logs: System)?

            NetworkNubbin

            @Fesoj:

            Are there any clues in the system log (Status: System logs: System)?

            Hi, yes, there seems to be the generic 'version mismatch' errors:

            Jul 5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
            Jul 5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

            Current snort version is:

            snort -V
            
               ,,_     -*> Snort! <*-
              o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
               ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                       Copyright (C) 1998-2012 Sourcefire, Inc., et al.
                       Using libpcap version 1.3.0
                       Using PCRE version: 8.30 2012-02-04
                       Using ZLIB version: 1.2.3
            
            

            This seems pretty generic, and I'm not sure of the 'right' way of fixing this in pfSense.

              mschiek01

              From the console shell, go to:

              /usr/local/lib/snort/dynamicrules

              Delete anything in this directory.

              Start Snort from the GUI.

                NetworkNubbin

                @mschiek01:

                From the console shell, go to:

                /usr/local/lib/snort/dynamicrules

                Delete anything in this directory.

                Start Snort from the GUI.

                Saw that on another post but…there's nothing there:

                 pwd && ls
                /usr/local/lib/snort/dynamicrules
                
                

                :(

                  mschiek01

                  I am sure you did, but I have to ask: you did click on the update rules in the GUI after the install, select an interface for Snort to run on, and finally select rules to apply to the interface, correct?

                    NetworkNubbin

                    @mschiek01:

                    I am sure you did, but I have to ask: you did click on the update rules in the GUI after the install, select an interface for Snort to run on, and finally select rules to apply to the interface, correct?

                    lol…sadly yes :(

                    What's next?

                      _igor_

                      Same issue here:

                      Starting Snort from the GUI doesn't work. The logs show this (end of log):

                      Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
                      Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
                      Jul 6 12:58:02	snort[37407]: Detection:
                      Jul 6 12:58:02	snort[37407]: Detection:
                      Jul 6 12:58:02	snort[37407]:
                      Jul 6 12:58:02	snort[37407]:
                      Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
                      Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
                      Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :
                      Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :
                      

                      /usr/local/lib/snort/dynamicrules is empty -> I have installed rules before!

                        mschiek01

                        On the interface IF settings tab, at the bottom, is there anything in the advanced configuration box?

                        Also, is this an i386 or an amd64 build?

                          _igor_

                          @mschiek01: Nope, nothing in there. Redownloaded the rules, but same as before: pidfile empty:

                          /usr/local/etc/rc.d/snort.sh start
                          pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty

                            mschiek01

                            You didn't say if this is a 64 or 386 build. If it is a 64 build, make sure you did not select any .so "shared object rules" on the categories tab of the interface.

                              _igor_

                              Oh, sorry. It's amd64 and I have no .so rules activated. Looked twice to be sure.

                                mschiek01

                                You can try this:
                                Edit this file
                                /usr/local/etc/snort/snort.conf

                                and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

                                then see if it starts.

                                  _igor_

                                  Did that, but same message appears:

                                  /usr/local/etc/rc.d/snort.sh start
                                  pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty

                                  :(((

                                    mschiek01

                                    Can you try to start Snort from the GUI and then post your system log?

                                      eri--

                                      The "pidfile empty" message is a normal error; just put the system log here so we know what is happening to your setup.

                                        _igor_

                                        Found it!

                                        The system log had additional entries which were not shown in the GUI:

                                        Jul  6 20:53:13 pf snort[53576]: Initializing rule chains…
                                        Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
                                        Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
                                        Jul  6 20:53:14 pf SnortStartup[53705]: Interface Rule START for 0_16197_pppoe0…

                                        Enabling the http-inspection resolved the problem. Thanks for your help!

                                          NetworkNubbin
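The fix above came from reading the full system log rather than the GUI's view of it. As an added example (not from the thread or from the pfSense Snort package), here is a small POSIX shell helper that pulls Snort's FATAL ERROR lines out of a system log, drops the duplicate each failure is logged as, and names the rules file and line the error points at. The log lines embedded in it are constructed from the ones posted in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example: extract Snort startup failures from a syslog-format file.
# Assumes the "Mon DD HH:MM:SS [host] snort[PID]: FATAL ERROR: ..." format
# seen in the thread; a hostname field is optional.

# Constructed sample: the rules-file failure _igor_ found in the system log.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jul  6 20:53:13 pf snort[53576]: Initializing rule chains...
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jul  6 20:53:14 pf SnortStartup[53705]: Interface Rule START for 0_16197_pppoe0...
EOF

# Constructed sample: the preprocessor version mismatch NetworkNubbin posted.
SAMPLE_LOG_DCERPC=$(mktemp)
cat >"$SAMPLE_LOG_DCERPC" <<'EOF'
Jul  5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Jul  5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
EOF
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_LOG_DCERPC"' EXIT

# snort_fatal_errors [LOGFILE...]
# Prints each distinct FATAL ERROR message from snort, in log order.
# Reads stdin when no file is given, so a circular-log dump can be piped in.
snort_fatal_errors() {
    cat "$@" \
        | grep -E 'snort\[[0-9]+\]: FATAL ERROR:' \
        | sed -E 's/^.*FATAL ERROR: //' \
        | awk '!seen[$0]++'
}

# snort_fatal_count [LOGFILE...]  ->  number of distinct fatal messages
snort_fatal_count() {
    snort_fatal_errors "$@" | wc -l | tr -d ' '
}

# snort_fatal_rule_file [LOGFILE...]
# Prints "path/to/file.rules(LINE)" from the first fatal message that names a
# rules file, or nothing when the failure is not rule-related.
snort_fatal_rule_file() {
    snort_fatal_errors "$@" | grep -oE '^/[^ ]+\.rules\([0-9]+\)' | head -n 1
}

# Stand-alone demonstration on the constructed samples.
echo "rule-file failure:"; snort_fatal_errors "$SAMPLE_LOG"
echo "offending file:   $(snort_fatal_rule_file "$SAMPLE_LOG")"
echo "dcerpc failure:";    snort_fatal_errors "$SAMPLE_LOG_DCERPC"
```

On a live box, point the functions at the system log (or pipe the output of the system log viewer into them on releases that store circular logs) and read the file and line number out of the result; the emerging-attack_response.rules(224) reference above is exactly what identified the missing HTTP Inspect preprocessor in this thread.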

                                          @mschiek01:

                                          You can try this:
                                          Edit this file
                                          /usr/local/etc/snort/snort.conf

                                          and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

                                          then see if it starts.

                                          Didn't seem to work:

                                          
                                           249 # path to base preprocessor engine
                                           250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
                                          
                                          

                                          Still getting the same old:
                                          Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
                                          Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

                                          And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

                                            eri--

                                            Please provide system log to see what is wrong.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.