Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2.0.1 - Snort won't start - New Install

    Scheduled Pinned Locked Moved pfSense Packages
    24 Posts 7 Posters 11.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mschiek01
      last edited by

      @NetworkNubbin:

      @mschiek01:

      You can try this:
      Edit this file
      /usr/local/etc/snort/snort.conf

      and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

      then see if it starts.

      Didn't seem to work:

         
       249 # path to base preprocessor engine
       250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
      
      

      Still getting the same old
      Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
      Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

      And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

      Uninstall snort

      Delete /usr/local/lib/snort/*

      Reinstall snort

      Start snort and post the system log if it does not start.

      1 Reply Last reply Reply Quote 0
      • D
        dwood
        last edited by

        With a clean AMD64 install (did not save settings, uninstalled, executed "find /* | grep -i snort | xargs rm -rv" command, rebooted) and valid oinkcode, a rules update is attempted.  The Updates TAB indicates that no emergingthreats.net or pfsense.org signatures are installed.  The "Install Emergingthreats rules" option is however toggled on under the Global Settings Tab.  During an update, the status message is that Emerging Threats rules are up to date..although they are not present in the interface Category Tab.

        Unlike the previous attempt (clean install, but had "save settings" toggled on from 2.2.2), this time Snort 2.2.3 does start successfully with all rules (except emergingthreats which as described above are not there) enabled.

        The issue of Alert Description displaying "N/A" remains..not sure if it's on a fix matrix or not..

        Cheers,
        Dennis.

        1 Reply Last reply Reply Quote 0
        • N
          NetworkNubbin
          last edited by

          @mschiek01:

          @NetworkNubbin:

          @mschiek01:

          You can try this:
          Edit this file
          /usr/local/etc/snort/snort.conf

          and comment out line #254 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'

          then see if it starts.

          Didn't seem to work:

             
           249 # path to base preprocessor engine
           250 #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
          
          

          Still getting the same old
          Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)
          Jul 6 16:52:36 snort[2491]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC version 1.1.5 (-1)

          And yes the DCE/RPC preprocessor is enabled, unlike my wanton thread hijacker :)

          Uninstall snort

          Delete /usr/local/lib/snort/*

          Reinstall snort

          Start snort and post the system log if it does not start.

          Looks like that did it - I suppose we'll never know what was really wrong. Thanks!

          1 Reply Last reply Reply Quote 0
          • B
            bman212121
            last edited by

            Bumping this thread.

            I updated to 2.1-dev from 2.0.1 a couple of days ago. Using AMD64 build with the latest packages. Snort won't start with the configuration I had setup from before. Error message is the FATAL ERROR: Failed to initialize dynamic preprocessor: SF_DNS (IPV6) version 1.1.4 (-2) which definitely means it's having an issue with the IPv6 part of "Enable DNS Detection" preprocessor. Only catch is that if you disable the preprocessor, it's not actually disabling it.

            Steps to reproduce:

            Create a new snort interface (Defaults are fine)
            enable snort. Everything works fine.
            Disable snort.
            Edit the interface, go to the preprocessors tab, check the box for "Enable DNS Detection" and save the changes
            Try enabling snort again, and it crashes with the error message.
            Edit the interface, go to the preprocessors tab, uncheck the box for "Enable DNS Detection" and save the changes
            Try to start snort again, and the error message still appears.

            You can keep creating new rules and they will keep working as long as you don't enable that preprocessor. I was able to enable the HTTP inspect one, need to test the others yet.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.