2.0.1 - Snort won't start - New Install



  • Hi Everyone,

I'm having some issues getting snort started. When I press the 'play' button in the webGUI, it fails to start. Watching the processes in action shows that the stop/start scripts are run, but the snort service never starts:

    # while [ true ]
    > do
    > ps aux | grep -i snort | grep -v grep
    > sleep 1
    > done
    root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh stop
    root   29862  0.1  0.2  3656  1544  ??  S    11:23AM   0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh stop
    root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh stop
    root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
    root   29862  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh stop
    root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
    root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
    root   31810  0.0  0.2  3656  1544  ??  S    11:23AM   0:00.01 /bin/sh /usr/local/etc/rc.d/snort.sh start
    
    

The service starts manually fine (snort &), but it does not appear to function correctly when I run this (i.e. no alerts/logs, etc.).

    What should I do?

    Thanks in advance!



  • When I run the start script manually I get:

    /usr/local/etc/rc.d/snort.sh start
    pgrep: Pidfile `/var/run/snort_sis01697.pid' is empty
    pgrep: Pidfile `/var/run/snort_vr08627.pid' is empty
    
    

If this were Linux I'd have a pretty good idea what to drop into those files but…I'm a pretty big noob when it comes to BSD :)

    There's obviously a problem with my config/script, but I don't know what to add to those PID files.

    Running it manually it listens on sis0 without issues:

    ===============================================================================
    Run time for packet processing was 33.842632 seconds
    Snort processed 319 packets.
    Snort ran for 0 days 0 hours 0 minutes 33 seconds
       Pkts/sec:            9
    ===============================================================================
    Packet I/O Totals:
       Received:          380
       Analyzed:          319 ( 83.947%)
        Dropped:            0 (  0.000%)
       Filtered:            0 (  0.000%)
    Outstanding:           61 ( 16.053%)
    
    

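The `pgrep: Pidfile ... is empty` message above comes from the rc script checking the pidfile with pgrep before snort has written anything into it: snort only writes its pid after it has finished initialising, so a process that aborts during startup leaves an empty (or stale) pidfile behind. The following is an added example, not code from the pfSense Snort package or from anyone in this thread. It classifies pidfiles the way pgrep sees them and runs against constructed files in a temporary directory rather than the real `/var/run`; the file names are copied from the post above purely as labels. It assumes it is run as root, since `kill -0` also fails for another user's process.

```shell
#!/bin/sh
# Added example (not from the pfSense Snort package): classify a pidfile the way
# pgrep -F would see it, so "Pidfile ... is empty" stops being a mystery.
# Snort writes the pidfile itself after initialisation; if it aborts with a
# FATAL ERROR before that point, the file stays empty or holds a dead pid.

# pidfile_state FILE -> prints one of: missing, empty, invalid, stale, running
pidfile_state() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing; return 0
    fi
    pid=$(head -n 1 "$f" 2>/dev/null | tr -d '[:space:]')
    if [ -z "$pid" ]; then
        echo empty; return 0
    fi
    case "$pid" in
        *[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 only probes for existence; assumes root (EPERM would read as stale)
    if kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# check_snort_pidfiles DIR -> one line per snort_*.pid file in DIR (default /var/run)
check_snort_pidfiles() {
    dir="${1:-/var/run}"
    for f in "$dir"/snort_*.pid; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$f" "$(pidfile_state "$f")"
    done
}

# Demo on constructed files in a temp dir (not the real /var/run), covering
# the states a failed start leaves behind: empty, stale and a live pid.
demo_dir=$(mktemp -d)
: > "$demo_dir/snort_sis01697.pid"              # empty: snort died before writing it
sleep 0 & dead=$!; wait "$dead"                 # a pid that has already exited
echo "$dead" > "$demo_dir/snort_vr08627.pid"    # stale: process wrote it, then exited
echo $$ > "$demo_dir/snort_demo0.pid"           # running: this shell's own pid
check_snort_pidfiles "$demo_dir"
rm -rf "$demo_dir"
```

An empty or stale pidfile is therefore a symptom, not the fault: the real error is whatever snort logged to syslog just before it exited. Snort's own `-T` flag (`snort -T -c <conf> -i <iface>`) tests a configuration and exits without writing a pidfile, which is a quicker way to surface that error than repeatedly pressing start in the GUI.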

  • Are there any clues in the system log (Status: System logs: System)?



  • @Fesoj:

    Are there any clues in the system log (Status: System logs: System)?

Hi, yes, there seem to be the generic 'version mismatch' errors:

    Jul 5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
    Jul 5 14:11:17 snort[937]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

    Current snort version is:

    snort -V
    
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using libpcap version 1.3.0
               Using PCRE version: 8.30 2012-02-04
               Using ZLIB version: 1.2.3
    
    

    This seems pretty generic, and I'm not sure of the 'right' way of fixing this in pfsense



  • from the console shell go to:

    /usr/local/lib/snort/dynamicrules

    Delete anything in this directory

    Start snort from the Gui.



  • @mschiek01:

    from the console shell go to:

    /usr/local/lib/snort/dynamicrules

    Delete anything in this directory

    Start snort from the Gui.

    Saw that on another post but…there's nothing there:

     pwd && ls
    /usr/local/lib/snort/dynamicrules
    
    

    :(



  • I am sure you did but I have to ask, you did click on the update rules in the gui after the install and also select an interface for snort to run on and finally selected rules to apply to the interface correct?



  • @mschiek01:

    I am sure you did but I have to ask, you did click on the update rules in the gui after the install and also select an interface for snort to run on and finally selected rules to apply to the interface correct?

    lol…sadly yes :(

    What's next?



Same issue here:

    starting snort from gui doesn't work. logs show this (end of log):

    Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
    Jul 6 12:58:02	snort[37407]: Search-Method = AC-Full-Q
    Jul 6 12:58:02	snort[37407]: Detection:
    Jul 6 12:58:02	snort[37407]: Detection:
    Jul 6 12:58:02	snort[37407]:
    Jul 6 12:58:02	snort[37407]:
    Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
    Jul 6 12:58:02	snort[37407]: [ 6503:6504 ]
    Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :
    Jul 6 12:58:02	snort[37407]: PortVar 'DCERPC_BRIGHTSTORE' defined :
    

/usr/local/lib/snort/dynamicrules is empty -> I have installed rules before!



On the interface's IF Settings tab, at the bottom, is there anything in the advanced configuration box?

    Also, is this an i386 or an amd64 build?



@mschiek01: Nope, nothing in there. Redownloaded the rules, but same as before: pidfile empty:

    /usr/local/etc/rc.d/snort.sh start
    pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty



You didn't say if this is a 64 or 386 build.  If it is a 64 build make sure you did not select any .so "shared object rules" on the categories tab of the interface.



Oh, sorry. It's amd64 and I have no .so rules activated. Looked twice to be sure.



  • You can try this:
    Edit this file
    /usr/local/etc/snort/snort.conf

    and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

    then see if it starts.



  • Did that, but same message appears:

    /usr/local/etc/rc.d/snort.sh start
    pgrep: Pidfile `/var/run/snort_pppoe016197.pid' is empty

    :(((



  • can you try to start snort from the gui and then post your system log?



The "pidfile empty" message is a normal error; just put the system log here so we know what is happening with your setup.



  • Found it!

The system log had additional entries which were not shown in the GUI:

    Jul  6 20:53:13 pf snort[53576]: Initializing rule chains…
    Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
    Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: /usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-attack_response.rules(224) Please enable the HTTP Inspect preprocessor before using the http content modifiers
    Jul  6 20:53:14 pf SnortStartup[53705]: Interface Rule START for 0_16197_pppoe0…
    tory.

Enabling HTTP inspection resolved the problem. Thanks for your help!

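The fix above came from reading the full system log rather than the GUI's view of it: the FATAL ERROR line names the rule file and line number, and the rule at that line uses an http content modifier that needs the HTTP Inspect preprocessor. The script below is an added example, not code from the pfSense Snort package or from any post in this thread. It automates that triage: it pulls the distinct FATAL ERROR messages out of a syslog file (pfSense logs each one twice), resolves the `file(N)` reference to the actual rule text, and checks whether the named preprocessor is active (an uncommented `preprocessor <name>` line) in the generated snort.conf. The `preproc_enabled` check is general, so it also serves to verify whether a GUI toggle really removed a preprocessor line, for any preprocessor name. Log lines, rule lines and the snort.conf fragment in the demo are constructed; the per-interface config path is whatever you pass in (pfSense puts it under `/usr/local/etc/snort/snort_<id>_<iface>/`).

```shell
#!/bin/sh
# Added example, not part of the pfSense Snort package or of the posts above.
# Triage a Snort start failure from the system log: de-duplicate FATAL ERROR
# lines, show the rule a "path(N)" reference points at, and check whether the
# preprocessor the message asks for is enabled in the generated snort.conf.

# fatal_errors LOG -> each distinct FATAL ERROR message, in first-seen order
fatal_errors() {
    grep 'FATAL ERROR:' "$1" | sed 's/.*FATAL ERROR: //' | awk '!seen[$0]++'
}

# error_file MSG / error_line MSG -> path and line number from a leading "path(N)"
error_file() { printf '%s\n' "$1" | sed -n 's/^\([^ (]*\)(\([0-9]*\)).*/\1/p'; }
error_line() { printf '%s\n' "$1" | sed -n 's/^\([^ (]*\)(\([0-9]*\)).*/\2/p'; }

# preproc_enabled CONF NAME -> exit 0 if an uncommented "preprocessor NAME" line exists
# (a leading '#' means the GUI, or someone, commented it out)
preproc_enabled() {
    grep -Eq "^[[:space:]]*preprocessor[[:space:]]+$2([[:space:]:]|\$)" "$1"
}

# triage LOG CONF -> a short report per distinct fatal error
triage() {
    log="$1"; conf="$2"
    fatal_errors "$log" | while IFS= read -r msg; do
        file=$(error_file "$msg"); line=$(error_line "$msg")
        # map the human-readable preprocessor name in the message to its config keyword;
        # only the message seen in this thread is mapped, extend the table as needed
        case "$msg" in
            *"enable the HTTP Inspect preprocessor"*) pp=http_inspect ;;
            *)                                        pp= ;;
        esac
        printf 'error: %s\n' "$msg"
        if [ -n "$file" ] && [ -f "$file" ]; then
            printf '  rule %s:%s: %s\n' "$file" "$line" "$(sed -n "${line}p" "$file")"
        fi
        if [ -n "$pp" ]; then
            if preproc_enabled "$conf" "$pp"; then
                printf '  preprocessor %s: enabled in %s\n' "$pp" "$conf"
            else
                printf '  preprocessor %s: NOT enabled in %s (fix this)\n' "$pp" "$conf"
            fi
        fi
    done
}

# Demo on constructed data in a temp dir (not real files from the thread).
d=$(mktemp -d)
mkdir -p "$d/rules"
cat > "$d/snort.conf" <<'EOF'
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor dcerpc2: memcap 102400, events [co ]
EOF
printf '%s\n' \
  'alert tcp any any -> any any (msg:"plain rule"; content:"abc"; sid:1000001;)' \
  'alert tcp any any -> any any (msg:"needs http_inspect"; content:"/x"; http_uri; sid:1000002;)' \
  > "$d/rules/demo.rules"
cat > "$d/system.log" <<EOF
Jul  6 20:53:13 pf snort[53576]: Initializing rule chains...
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: $d/rules/demo.rules(2) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jul  6 20:53:14 pf snort[53576]: FATAL ERROR: $d/rules/demo.rules(2) Please enable the HTTP Inspect preprocessor before using the http content modifiers
EOF
triage "$d/system.log" "$d/snort.conf"
preproc_enabled "$d/snort.conf" dcerpc2 && echo 'dcerpc2: enabled'
preproc_enabled "$d/snort.conf" dns || echo 'dns: not enabled'
rm -rf "$d"
```

On a live box you would point `triage` at `/var/log/system.log` and the interface's generated `snort.conf`; the rule line it prints is what to compare against the preprocessor section of that file.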


  • @mschiek01:

    You can try this:
    Edit this file
    /usr/local/etc/snort/snort.conf

    and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

    then see if it starts.

    Didn't seem to work:

    
     249 # path to base preprocessor engine
     250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    
    

    Still getting the same old
    Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
    Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

    And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)



  • Please provide system log to see what is wrong.



  • @NetworkNubbin:

    @mschiek01:

    You can try this:
    Edit this file
    /usr/local/etc/snort/snort.conf

    and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

    then see if it starts.

    Didn't seem to work:

       
     249 # path to base preprocessor engine
     250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    
    

    Still getting the same old
    Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
    Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

    And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

    Uninstall snort

    Delete /usr/local/lib/snort/*

    Reinstall snort

    Start snort and post the system log if it does not start.



With a clean AMD64 install (did not save settings, uninstalled, executed "find /* | grep -i snort | xargs rm -rv" command, rebooted) and valid oinkcode, a rules update is attempted.  The Updates tab indicates that no emergingthreats.net or pfsense.org signatures are installed.  The "Install Emergingthreats rules" option is however toggled on under the Global Settings tab.  During an update, the status message is that Emerging Threats rules are up to date, although they are not present in the interface Category tab.

    Unlike the previous attempt (clean install, but had "save settings" toggled on from 2.2.2), this time Snort 2.2.3 does start successfully with all rules (except emergingthreats which as described above are not there) enabled.

The issue of Alert Description displaying "N/A" remains; not sure if it's on a fix matrix or not.

    Cheers,
    Dennis.



  • @mschiek01:

    @NetworkNubbin:

    @mschiek01:

    You can try this:
    Edit this file
    /usr/local/etc/snort/snort.conf

    and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

    then see if it starts.

    Didn't seem to work:

       
     249 # path to base preprocessor engine
     250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    
    

    Still getting the same old
    Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
    Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

    And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

    Uninstall snort

    Delete /usr/local/lib/snort/*

    Reinstall snort

    Start snort and post the system log if it does not start.

    Looks like that did it - I suppose we'll never know what was really wrong. Thanks!



  • Bumping this thread.

I updated to 2.1-dev from 2.0.1 a couple of days ago. Using AMD64 build with the latest packages. Snort won't start with the configuration I had set up from before. The error message is FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DNS (IPV6) version 1.1.4 (-2), which definitely means it's having an issue with the IPv6 part of the "Enable DNS Detection" preprocessor. The only catch is that if you disable the preprocessor, it's not actually disabling it.

Steps to reproduce:

    1. Create a new snort interface (defaults are fine).
    2. Enable snort. Everything works fine.
    3. Disable snort.
    4. Edit the interface, go to the Preprocessors tab, check the box for "Enable DNS Detection" and save the changes.
    5. Try enabling snort again, and it crashes with the error message.
    6. Edit the interface, go to the Preprocessors tab, uncheck the box for "Enable DNS Detection" and save the changes.
    7. Try to start snort again, and the error message still appears.

    You can keep creating new rules and they will keep working as long as you don't enable that preprocessor. I was able to enable the HTTP inspect one, need to test the others yet.

