2.0.1 - Snort won't start - New Install

NetworkNubbin

Hi Everyone,

I'm having some issues getting snort started. When I press the 'play' button in the webGUI, it fails to start. Watching the processes in action show that the stop/start scripts are run, but the snort service never starts:

# while [ true ]
> do
> ps aux | grep -i snort | grep -v grep
> sleep 1
> done
root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh stop
root   29862  0.1  0.2  3656  1544  ??  S    11:23AM   0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh stop
root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh stop
root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh stop
root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start

The service starts manually fine (snort &), but it does not appear to function correctly when I run this (IE no alerts/logs etc).

What should I do?

Thanks in advance!

NetworkNubbin

When I run the start script manually I get:

/usr/local/etc/rc.d/snort.sh start
pgrep: Pidfile `/var/run/snort_sis01697.pid' is empty
pgrep: Pidfile `/var/run/snort_vr08627.pid' is empty

If this were linux I'd have a pretty good idea what to drop into those files but…I'm a pretty big noob when it comes to bsd :)

There's obviously a problem with my config/script, but I don't know what to add to those PID files.

Running it manually it listens on sis0 without issues:

===============================================================================
Run time for packet processing was 33.842632 seconds
Snort processed 319 packets.
Snort ran for 0 days 0 hours 0 minutes 33 seconds
   Pkts/sec:            9
===============================================================================
Packet I/O Totals:
   Received:          380
   Analyzed:          319 ( 83.947%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:           61 ( 16.053%)

Fesoj

Are there any clues in the system log (Status: System logs: System)?

NetworkNubbin

@Fesoj:

Are there any clues in the system log (Status: System logs: System)?

Hi, yes, there seems to be the generic 'version mismatch' errors:

Jul 5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Jul 5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

Current snort version is:

snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.3

This seems pretty generic, and I'm not sure of the 'right' way of fixing this in pfsense

mschiek01

from the console shell go to:

/usr/local/lib/snort/dynamicrules

Delete anything in this directory

Start snort from the Gui.

NetworkNubbin

@mschiek01:

from the console shell go to:

/usr/local/lib/snort/dynamicrules

Delete anything in this directory

Start snort from the Gui.

Saw that on another post but…there's nothing there:

 pwd && ls
/usr/local/lib/snort/dynamicrules

:(

mschiek01

I am sure you did but I have to ask, you did click on the update rules in the gui after the install and also select an interface for snort to run on and finally selected rules to apply to the interface correct?

NetworkNubbin

@mschiek01:

I am sure you did but I have to ask, you did click on the update rules in the gui after the install and also select an interface for snort to run on and finally selected rules to apply to the interface correct?

lol…sadly yes :(

What's next?

_igor_

same issue here:

starting snort from gui doesn't work. logs show this (end of log):

Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
Jul 6 12:58:02	snort[37407]: Detection:
Jul 6 12:58:02	snort[37407]: Detection:
Jul 6 12:58:02	snort[37407]:
Jul 6 12:58:02	snort[37407]:
Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :

/usr/local/lib/snort/dynamicrules is empty -> have installed rules before!

mschiek01

On the interface IF settings tab at the bottom is there anything in the advanced configuration box?

Also is this a i386 or a amd64 build

_igor_

@mschiek01: Nop, nothing in there. Redownloaded the rules, but same as before: pidfile empty:

/usr/local/etc/rc.d/snort.sh start
pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty

mschiek01

You didn't say if this is a 64 of 386 build.  If it is a 64 build make sure you did not select any .so "shared object rules" on the categories tab of the interface.

_igor_

oh, sorry. Its amd64 and i have no .so rules activated. Looked twice to be sure.

mschiek01

You can try this:
Edit this file
/usr/local/etc/snort/snort.conf

and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

then see if it starts.

_igor_

Did that, but same message appears:

/usr/local/etc/rc.d/snort.sh start
pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty

:(((

mschiek01

can you try to start snort from the gui and then post your system log?

eri--

The pidfile empty message is a normal error just put the system log here to know what is happening to your setup.

_igor_

Found it!

The system-log had additional enties which were not shown in the gui:

Jul  6 20:53:13 pf snort[53576]: Initializing rule chains…
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jul  6 20:53:14 pf SnortStartup[53705]: Interface Rule START for 0_16197_pppoe0…
tory.

Enabling the http-inspection resolved the problem. Thanks for your help!

NetworkNubbin

@mschiek01:

You can try this:
Edit this file
/usr/local/etc/snort/snort.conf

and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

then see if it starts.

Didn't seem to work:

 249 # path to base preprocessor engine
 250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

Still getting the same old
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

eri--

Please provide system log to see what is wrong.