Netgate Discussion Forum

    Snort 2.9.2.3 pkg v. 2.5.0 Issues

      eri--

      It should work after updating to 2.5.4; previously it was removing some files that were not being restored after an update.
      There is some resolution missing for enabled/disabled preprocessors.

      After you get it running it will run ok.
      I will have to find some time to get back to solve these last bits and make it less error-prone to this install/reinstall and to using rules when the preprocessor is not active, but for now you just have to find the preprocessors needed and activate them.

        kilthro

        So far I haven't had any issues with the updated version. I am guessing the auto update worked fine as snort was still running this morning. I don't see any snort reload items in system log (to be expected with the verbose items being turned off). Not sure if there is a way to find a good compromise of leaving all the other stuff off but still showing when the update runs and if it's successful.

        Thanks again for the quick fixes on the problems yesterday.

          kilthro

          @tester_02:

          Updated snort today, now it does not start.  Error is…

          snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

          I disabled the bad traffic rules (so and non so) and it still fails to start.   reinstalled package again, and no go..   Was working for quite a while.  Had not updated for a month, but thought from the thread here that it was stable.

          I got this too. I had to delete snort, do a find all for snort and remove everything until nothing was returned. Then I reinstalled snort and configured. So far so good!

            eri--

            Normally you should have the logs from the update process itself.
            Something like "Starting with your new set of rules…."

              kilthro

              I don't see this in the system log. When I go to the updated tab in snort, the view updates log button doesn't do anything when clicked. I did a manual update and did see this in the sys log:
              Jan 27 11:49:12 php: /snort/snort_download_rules.php: The Rules update has finished…
              Jan 27 11:49:12 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
              Jan 27 11:49:12 php: /snort/snort_download_rules.php: Snort rules are up to date...
              So I am guessing if the auto update ran I should see something similar? I do not see anything like this around midnight when the update generally runs.

                asterix

                Having issues with the latest snort package as well. Initial update killed the package. Uninstalled, did a reboot and reinstalled to make it work. But now the problem is that with every reboot snort fails again. As long as it's up after reinstall it works. Upon a reboot snort fails and the only way to make it work is to uninstall, reboot and reinstall… till the next reboot.

                  Supermule

                  Don't get that error on reboot, but still a shit load of Snort related load messages in the system logs….

                    eri--

                    You need to reinstall, Supermule, or you have issues.
                    It will only print fatal/errors as I said now. Those things need some attention.

                    asterix,
                    I need more info rather than not just starting!

                      Supermule

                      It's running fine here, Ermal, and survives the reboot.

                      Won't reinstall if it makes snort crash…

                        asterix

                        Get this on startup. Service re-start fails.

                        Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                        Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                        Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                        Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                        Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                        On manual start it fails with these messages in the system logs

                        Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                        Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                        Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                          eri--

                          There is no failure there.
                          The error messages there are just too much noise.

                            asterix

                            Well, I don't see any other logs in there. It just fails to start. I am on a VM but that shouldn't be an issue. Been using a VM for many months with no such issues.

                              monodactylus

                              Assuming this is the proper way to start snort from the prompt, you would see the following error:

                              /usr/local/etc/rc.d/snort.sh start
                              pgrep: Pidfile `/var/run/snort_vr152213.pid' is empty
                              /libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"

                              @asterix:

                              Get this on startup. Service re-start fails.

                              Jan 27 13:47:05 SnortStartup[59927]: Snort START For WAN(52490_em0)…
                              Jan 27 13:47:05 SnortStartup[59542]: Snort SOFT START For WAN(52490_em0)…
                              Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                              Jan 27 13:47:03 php: : The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                              Jan 27 13:47:01 SnortStartup[47342]: Snort STOP For WAN(52490_em0)…

                              On manual start it fails with these messages in the system logs

                              Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
                              Jan 27 13:48:35 php: /snort/snort_interfaces.php: Resolving and auto-enabling flowbit required rules for WAN...
                              Jan 27 13:48:34 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(WAN)...

                                asterix

                                Snort needs to be started automatically when pfSense boots. Even so the GUI service start should throw some errors.

                                The latest package definitely needs a fix.

                                  eri--

                                  Hrm that is a problem with the building of the package.
                                  barnyard2 requires mysql but snort does not require it.

                                  Will see to get it fixed. For now just install this mysql-client-5.1.53.tbz
                                  i386

                                  pkg_add -v http://files.pfsense.org/packages/8/All/mysql-client-5.1.53.tbz

                                  AMD64

                                  http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz

                                  For 2.1 PBI should include that

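The failures quoted in this thread (a shared library the run-time linker cannot find, an undefined symbol when loading a shared-object rule) and the rule-update messages kilthro was looking for can be separated from the surrounding noise with a small log filter. This is an added example, not part of any post or of the pfSense Snort package; the function names and finding labels are hypothetical, and the sample lines are constructed from the messages quoted in the posts above.

```shell
#!/bin/sh
# Added example: triage snort startup/update messages like those in this thread.

# Constructed sample: lines modelled on the messages quoted in the posts.
sample_log() {
cat <<'EOF'
snort[4286]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found, required by "snort"
Jan 27 13:48:38 php: /snort/snort_interfaces.php: Interface Rule START for WAN(em0)...
Jan 27 11:49:12 php: /snort/snort_download_rules.php: The Rules update has finished...
Jan 27 11:49:12 php: /snort/snort_download_rules.php: Snort rules are up to date...
EOF
}

# triage_snort_log (hypothetical name): reads log text on stdin and prints
# one finding per matching line; every other line is dropped as noise.
#   MISSING_LIB <library> <binary>     run-time linker could not find a library
#   UNDEFINED_SYMBOL <symbol> <file>   loaded file needs a symbol that is not provided
#   RULES_UPDATED <timestamp>          the rules download script reported completion
triage_snort_log() {
    sed -n \
      -e 's|.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*|MISSING_LIB \1 \2|p' \
      -e 's|.*Failed to load \([^:]*\): .*Undefined symbol "\([^"]*\)".*|UNDEFINED_SYMBOL \2 \1|p' \
      -e 's|^\(.\{15\}\) php: /snort/snort_download_rules\.php: The Rules update has finished.*|RULES_UPDATED \1|p'
}

# count_findings KIND: number of findings of one kind in the log on stdin.
count_findings() {
    triage_snort_log | grep -c "^$1 " || true
}

sample_log | triage_snort_log
```

A zero from `count_findings RULES_UPDATED` over the log window around the scheduled update time indicates that no completion message was logged in that window.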
                                    Supermule

                                    I run mine in VM too…. So it shouldn't be a problem.

                                      LiamH

                                      Hi,

                                      The uninstall/install after reboot happens on my machine as well, with the same errors…

                                      Another thing - I don't think HOME_NET is being populated correctly on my machine. On my LAN interface, instead of including my network it only includes pfSense IP (and my external IPs, DNS, etc.). I've ended up editing snort.inc and manually adding my network address but I guess this will hold only until next reboot and reinstall. Older posts mentioned the possibility of using the firewall aliases, but I can only choose "default" at the "Home net" dropdown list.

                                        eri--

                                        You have to create a whitelist to override.
                                        If you run snort on the LAN interface then there is no reason to trust your hosts, no?

                                          fragged

                                          Is this a bug or intentional feature / behavior that Snort doesn't download new rules after an uninstall / install (pfSense snapshot update)? I need to go and download the rules which will then start Snort when finished. Shouldn't this happen during the first start?

                                          I'm fairly sure it ran just fine after a snapshot update before the latest changes. Today I updated from 24th January snapshot to:

                                          2.1-BETA1 (amd64)
                                          built on Sun Jan 27 20:37:59 EST 2013

                                            eri--

                                            I put a fix on the new package to reapply the update during reinstall if the keep settings is on.
                                            Normally your rules should be preserved during a reinstall but….
