2.0.1 - Snort won't start - New Install
-
You can try this:
Edit this file
/usr/local/etc/snort/snort.confand comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'
then see if it starts.
Didn't seem to work:
249 # path to base preprocessor engine 250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.soStill getting the same old
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)
Uninstall snort
Delete /usr/local/lib/snort/*
Reinstall snort
Start snort and post the system log if it does not start.
-
With a clean AMD64 install (did not save settings, uninstalled, executed "find /* | grep -i snort | xargs rm -rv" command, rebooted) and valid oinkcode, a rules update is attempted. The Updates TAB indicates that no emergingthreats.net or pfsense.org signatures are installed. The "Install Emergingthreats rules" option is however toggled on under the Global Settings Tab. During an update, the status message is that Emerging Threats rules are up to date..although they are not present in the interface Category Tab.
Unlike the previous attempt (clean install, but had "save settings" toggled on from 2.2.2), this time Snort 2.2.3 does start successfully with all rules (except emergingthreats which as described above are not there) enabled.
The issue of Alert Description displaying "N/A" remains..not sure if it's on a fix matrix or not..
Cheers,
Dennis. -
You can try this:
Edit this file
/usr/local/etc/snort/snort.confand comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'
then see if it starts.
Didn't seem to work:
249 # path to base preprocessor engine 250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.soStill getting the same old
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)
Uninstall snort
Delete /usr/local/lib/snort/*
Reinstall snort
Start snort and post the system log if it does not start.
Looks like that did it - I suppose we'll never know what was really wrong. Thanks!
-
Bumping this thread.
I updated to 2.1-dev from 2.0.1 a couple of days ago. Using AMD64 build with the latest packages. Snort won't start with the configuration I had setup from before. Error message is the FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DNS (IPV6) version 1.1.4 (-2) which definitely means it's having an issue with the IPv6 part of "Enable DNS Detection" preprocessor. Only catch is that if you disable the preprocessor, it's not actually disabling it.
Steps to reproduce:
Create a new snort interface (Defaults are fine)
enable snort. Everything works fine.
Disable snort.
Edit the interface, go to the preprocessors tab, check the box for "Enable DNS Detection" and save the changes
Try enabling snort again, and it crashes with the error message.
Edit the interface, go to the preprocessors tab, uncheck the box for "Enable DNS Detection" and save the changes
Try to start snort again, and the error message still appears.You can keep creating new rules and they will keep working as long as you don't enable that preprocessor. I was able to enable the HTTP inspect one, need to test the others yet.