Snort 2.9.2.3 pkg v. 2.4.2 Not Starting..



  • Hey,

    Just upgraded to the "latest" Snort and I am having issues with it, as it will no longer start.  Funny thing is that there are NO error messages in the system logs.  Usually, Snort would generate tons of messages (loading crap, doing this, doing that, etc.), but now I only see:

    Jul 14 11:26:55 	SnortStartup[24678]: Snort START For wan-side(3249_re0)...
    Jul 14 11:26:53 	SnortStartup[11158]: Snort STOP For wan-side(3249_re0)...
    

    Nothing else.  No FATAL ERRORS.  The thing is, the services widget on the home screen says that Snort is "Stopped", and so does the "Status > Services" page.  Snort is also not blocking anything.  This led me to believe that it is not running.

    Can anybody help me troubleshoot this?  I am not a Snort expert so I would appreciate anything.
    Thanks!



  • What version of pfSense are you running?

    Snort 2.9.2.3 pkg v. 2.4.2 is working fine for me and a few others, so I'm thinking it's with your setup.

    Do this:
    uninstall snort
    drop to shell and run
    find /* | grep -i snort | xargs rm -rv
    install snort
    update rules
    go to the interface edit page, save it, and also go through all the config pages and save them (rules, preprocessors, whitelist, etc.)
    click on the green arrow to start it
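
    Added example (not from the thread, and not pfSense package code): the clean-up step above, reproduced in a scratch directory to show what the one-liner actually does, with a narrower form beside it. The tree it builds under a mktemp directory is constructed for the demo; the only real path it imitates is /usr/local/lib/snort/dynamicrules, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces, in a scratch
# directory, why `find /* | grep -i snort | xargs rm -rv` prints
# "No such file or directory" for every child after its parent directory,
# and shows a narrower clean-up that lists first and deletes deepest-first.
# Everything under the mktemp directory is constructed for this demo.

set -u

# Throwaway tree mimicking /usr/local/lib/snort/dynamicrules/*.so, plus an
# unrelated file whose name merely contains "snort" (any case).
make_tree() {
    SCRATCH=$(mktemp -d)
    mkdir -p "$SCRATCH/usr/local/lib/snort/dynamicrules" "$SCRATCH/usr/local/etc"
    for r in bad-traffic chat dos; do
        : > "$SCRATCH/usr/local/lib/snort/dynamicrules/$r.so"
    done
    : > "$SCRATCH/usr/local/etc/notes-about-SNORT.txt"
    echo "$SCRATCH"
}

# The one-liner from the thread, scoped to the scratch tree. find lists a
# directory before its contents, so rm -r has already removed the children by
# the time their own arguments come up: harmless, but noisy. Prints the
# number of "No such file or directory" errors rm produced.
naive_cleanup_errors() {
    find "$1"/* | grep -i snort | xargs rm -rv 2>&1 \
        | grep -c 'No such file or directory' || true
}

# Dry run: what would the narrower clean-up touch? Review before deleting.
list_snort_tree() {
    find "$1/usr/local/lib/snort" -depth -print
}

# Narrower clean-up: only the snort library directory, deepest paths first
# (-depth), so nothing is passed to rm after it is already gone. Prints the
# error count (expected 0) and leaves the unrelated "SNORT" file alone.
safe_cleanup_errors() {
    find "$1/usr/local/lib/snort" -depth -exec rm -rv {} + 2>&1 \
        | grep -c 'No such file or directory' || true
}
```

    Run make_tree, then either clean-up function on the path it prints. The naive form deletes every path containing "snort" in any case, including the unrelated notes file, and prints one error per already-removed child; the narrower form deletes only the library directory and produces none. On a live box, look at the list_snort_tree output before running the delete.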



  • Hey Cino!  Thanks for replying!

    I am using pfSense 2.0.1-RELEASE (amd64) built on Mon Dec 12 18:43:51 EST 2011… Yes, I believe it's with my setup.  I will try what you suggested and post back.

    Thanks again!

    EDIT:  Just ran the command you suggested, and here's the output:

    /usr/local/lib/snort/dynamicrules/bad-traffic.so
    /usr/local/lib/snort/dynamicrules/chat.so
    /usr/local/lib/snort/dynamicrules/dos.so
    /usr/local/lib/snort/dynamicrules/exploit.so
    /usr/local/lib/snort/dynamicrules/icmp.so
    /usr/local/lib/snort/dynamicrules/imap.so
    /usr/local/lib/snort/dynamicrules/misc.so
    /usr/local/lib/snort/dynamicrules/multimedia.so
    /usr/local/lib/snort/dynamicrules/netbios.so
    /usr/local/lib/snort/dynamicrules/nntp.so
    /usr/local/lib/snort/dynamicrules/p2p.so
    /usr/local/lib/snort/dynamicrules/smtp.so
    /usr/local/lib/snort/dynamicrules/snmp.so
    /usr/local/lib/snort/dynamicrules/specific-threats.so
    /usr/local/lib/snort/dynamicrules/web-activex.so
    /usr/local/lib/snort/dynamicrules/web-client.so
    /usr/local/lib/snort/dynamicrules/web-iis.so
    /usr/local/lib/snort/dynamicrules/web-misc.so
    /usr/local/lib/snort/dynamicrules
    /usr/local/lib/snort
    rm: /usr/local/lib/snort/dynamicrules: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/bad-traffic.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/chat.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/dos.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/exploit.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/icmp.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/imap.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/misc.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/multimedia.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/netbios.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/nntp.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/p2p.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/smtp.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/snmp.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/specific-threats.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/web-activex.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/web-client.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/web-iis.so: No such file or directory
    rm: /usr/local/lib/snort/dynamicrules/web-misc.so: No such file or directory
    
    

    Not sure if it's OK to see this…



  • Mmm, OK… I have performed the steps as you suggested.  It worked, Snort started.  Then I performed a reboot to confirm it would start automatically, and it ran for a few seconds before crashing and giving this in the system logs:

    Jul 15 15:49:11 	apinger: /usr/local/bin/rrdtool respawning too fast, waiting 300s.
    Jul 15 15:48:58 	snort[23566]: FATAL ERROR: Unable to load pf args: Unknown error: 0
    Jul 15 15:48:58 	snort[23566]: FATAL ERROR: Unable to load pf args: Unknown error: 0
    Jul 15 15:48:57 	snort[23566]: [ Port Based Pattern Matching Memory ]
    Jul 15 15:48:57 	snort[23566]: [ Port Based Pattern Matching Memory ]
    Jul 15 15:48:57 	snort[23566]:
    Jul 15 15:48:57 	snort[23566]:
    Jul 15 15:48:47 	snort[23566]: 143 out of 1024 flowbits in use.
    Jul 15 15:48:47 	snort[23566]: 143 out of 1024 flowbits in use.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.otf' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.otf' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.maki' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.maki' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'backdoor.asylum.connect' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'backdoor.asylum.connect' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.exe' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.exe' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'sslv2.server_hello.request' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'sslv2.server_hello.request' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.doc' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.doc' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.xls' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.xls' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.xml' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.xml' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.wma' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.wma' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.flv' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.flv' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.bmp' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.bmp' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.chm' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.chm' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.avi.video' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.avi.video' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.mswmm' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.mswmm' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.rtf' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.rtf' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.wav' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.wav' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.gif' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.gif' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.quicktime.mp4' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.quicktime.mp4' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.psfont' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.psfont' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.caff' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.caff' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.cov' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.cov' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.manifest' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.manifest' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.pub' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.pub' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.pct' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.pct' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.gadu.loggedin' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.gadu.loggedin' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.class' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.class' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'asp.upload' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'asp.upload' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.ppt' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.ppt' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.visio' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'file.visio' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set.
    Jul 15 15:48:47 	snort[23566]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set.
    

    Also worthwhile to mention, I have these settings in my "advanced config pass through":

    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    

    Cannot remember why I had to put this, but if I recall, it was because I had problems accessing certain sites..
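
    Added example, not from the thread: a small triage over a system-log excerpt like the one above, to pull the fatal line out of the doubled entries and the flowbits warnings. The sample lines are constructed from the ones quoted in the post (with a space where the log viewer showed a tab), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Separates the one line that stops
# Snort (FATAL ERROR) from the benign flowbits WARNING noise, and collapses
# the doubled lines the pfSense log viewer shows. The sample log is
# constructed from lines quoted in the thread.

# Write a sample log excerpt to a temp file and print its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jul 15 15:48:47 snort[23566]: WARNING: flowbits key 'file.otf' is checked but not ever set.
Jul 15 15:48:47 snort[23566]: WARNING: flowbits key 'file.otf' is checked but not ever set.
Jul 15 15:48:47 snort[23566]: WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
Jul 15 15:48:47 snort[23566]: WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
Jul 15 15:48:47 snort[23566]: 143 out of 1024 flowbits in use.
Jul 15 15:48:58 snort[23566]: FATAL ERROR: Unable to load pf args: Unknown error: 0
Jul 15 15:48:58 snort[23566]: FATAL ERROR: Unable to load pf args: Unknown error: 0
Jul 15 15:49:11 apinger: /usr/local/bin/rrdtool respawning too fast, waiting 300s.
EOF
    echo "$f"
}

# Fatal lines from snort, de-duplicated (each line appears twice in the log).
snort_fatal_errors() {
    grep -E 'snort\[[0-9]+\]: FATAL ERROR:' "$1" | sort -u
}

# Exit status 0 if the log contains a snort FATAL ERROR, i.e. it did not stay up.
snort_start_failed() {
    [ -n "$(snort_fatal_errors "$1")" ]
}

# Number of distinct flowbits warnings. Snort logs these and keeps running;
# they do not explain a stopped process.
snort_flowbits_warning_count() {
    grep -E "flowbits key '[^']+' is (checked but not ever set|set but not ever checked)" "$1" \
        | sort -u | wc -l | tr -d ' '
}

# Flowbits keys that some loaded rule checks but no loaded rule sets: the
# setting rule is disabled or absent. Useful when tuning categories, not here.
snort_unset_flowbits() {
    sed -n "s/.*flowbits key '\([^']*\)' is checked but not ever set.*/\1/p" "$1" | sort -u
}

# Usage: f=$(write_sample_log); snort_fatal_errors "$f"; rm -f "$f"
```

    A flowbits key that is "checked but not ever set" means a loaded rule tests the bit while the rule that would set it is not loaded; Snort warns and continues, so those lines are noise for this problem. The FATAL ERROR is the line that ends the process, which is why the services page reports it as stopped.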



  • Please follow up in the 2.4.2 issues thread.
    For the error you are having, you need to reinstall the snort binary.

