Fatal error in Snort version 2.9.2.3 pkg v. 2.5.1



  • Hi, I have just upgraded to Snort 2.9.2.3 pkg v. 2.5.1 and Snort fails to start with the following error:

    snort[32558]: FATAL ERROR: Failed to load /usr/local/etc/snort/snort_48765_em0/dynamicrules/exploit.so: /usr/local/etc/snort/snort_48765_em0/dynamicrules/exploit.so: Undefined symbol "byteTest"

    The strange thing is that the exploit.so is not even being used. Any way to correct this urgently as I cannot start Snort?

    Thanks!



  • What happens if you disable all rules except the preprocessors?



  • Just tried - same error :-(



  • I have started completely removing and then re-installing the Snort package of late. That makes sure a new binary is also downloaded. I believe a simple update or re-install from the GUI just updates the PHP code stuff and does not update the underlying Snort binary.

    I have my Snort configured to save settings across removal and re-install, so I just remove the package and then re-install it from the GUI.  With the latest update to 2.5.1, I was also affected by the new SSL preprocessor breakout, but checking that preprocessor and restarting fixed it for me.

    P.S. – I have the exploit.so rule enabled and it works fine for me. I have Snort on 32-bit 2.0.1 pfSense.



  • When I reinstalled, Snort did start with no rules. However, when I add a category, it will no longer start with the same error.  Now, even if I remove all the rules again, it still will not start! Very strange!! :-)



  • trvsecurity,

    what type of processor are you using? I have 2 virtual machines running, where I do not observe your problem, but so far I haven't downloaded and activated the Snort.org rules. I could take a snapshot, install the rules and see what happens.



  • Hi again

    I fully reinstalled Snort and now I can't download Snort rules (Update failed). Snort will start when no Snort rules are present so it does seem related to that.

    We have an Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz processor



  • trvsecurity, I was aiming at 32 or 64-bit, because different binaries are involved.



  • 32 bit

    Now I keep getting:

    php: /snort/snort_download_rules.php: Snort rules file downloaded failed…



  • I don't have any problem downloading the Snort.org and ET rules and installing them.

    Maybe, you should remove the snort package. Find residual files and dirs with find / -name 'snort*', delete them, maybe reboot the machine, and finally install snort again.



  • @trvsecurity:

    32 bit

    Now I keep getting:

    php: /snort/snort_download_rules.php: Snort rules file downloaded failed…

    You have to wait 15 minutes and then try again.



  • I uninstalled and rebooted and all the ETC files had gone.  I cannot delete all Snort files as I need the back up config to come back after reinstall.  Still cannot download Snort rules.

    Can you tell me what directories I should delete after uninstall while maintaining the config back up?



  • You can safely remove all snort files. The config is saved in XML.



  • Done.  When I uninstall, all the files in /usr/local/etc/snort/ go away. Then I reinstall and I still can't download the Snort rules.

    I have never had this issue before.

    In the logs, I see:

    php: /snort/snort_download_rules.php: There is a new set of Snort.org rules posted. Downloading…

    Then 3 seconds later:

    php: /snort/snort_download_rules.php: Snort rules file downloaded failed...



  • trvsecurity,

    I am just guessing. Is your oinkcode ok?



  • yes - definitely not the cause.  Just put it in again, and the problem continues.



  • Next idea: do you have a virtual machine to play with? Setting this up using VirtualBox takes less than an hour.



  • @trvsecurity:

    yes - definitely not the cause.  Just put it in again, and the problem continues.

    Maybe they put you on blacklist.
    It gets cleared in 1/2 hours.

    Though reinstall the package, I put code to remove the dynamic rules in case they are not enabled in categories tab.



  • I think you are right! I left it for a while and now everything is working fine! Thanks to ALL! Case closed!

