SNORT 2.9.2.3 WON'T START AFTER UPGRADE



  • Hi all, I'm running Pfsense 2.01 X64 with 2 WAN, 1 LAN and Snort 2.9.2.3 Pkg 2.5.1.
    I have been running Pfsense with Snort for about a year now, but this is the first time I've done an upgrade, and the Snort module will not start and it gives no error messages in the system logs (confusing).
    I've been reading the forums and I've tried some of the fixes that some users get, but some of the fixes are already in this new version of Snort because I've held back on upgrading Snort for about 1 month + now.

    I was running Snort 2.9.1 Pkg 2.1.1 quite fine, but now I'm trying to upgrade to the new version 2.9.2.3 Pkg 2.5.1 and the service won't start. When I go to Status --> Services and try to start Snort it says "snort has been started" but a red X (stopped) is still showing that nothing has changed.

    This is the only thing that shows in the System Logs when I go to Status --> Services and try to start Snort:
    SnortStartup[56600]: Snort STOP For ISP1 WAN INTERNET(64427_em0)…
    Aug 22 15:36:55 SnortStartup[58106]: Snort STOP For LAN(46633_re0)…
    Aug 22 15:36:55 SnortStartup[58418]: Snort START For ISP1 WAN INTERNET(64427_em0)…
    Aug 22 15:36:57 SnortStartup[59863]: Snort STOP For ISP2 4G WAN INTERNET(52789_rl0)…
    Aug 22 15:36:57 SnortStartup[60965]: Snort START For LAN(46633_re0)…
    Aug 22 15:37:00 SnortStartup[62240]: Snort START For ISP2 4G WAN INTERNET(52789_rl0)
    ..

    (1) I've tried REINSTALLING Snort but that didn't work, it still won't start.
    (2) I've UNINSTALLED Snort, run "find /*|grep -i snort | xargs rm -rv" to delete old Snort packages, then restarted and INSTALLED Snort and updated the rules, and it still didn't start.
    (3) I have RESET all my settings, removed the interfaces, added them back, then INSTALLED Snort again and set it up from scratch, and it still didn't start and still nothing much in the logs (sigh).

    I'm no "Snort Expert" but I love using Pfsense + Snort and I feel naked and exposed without Snort.
    Where else on the system can I look for clues as to what's causing the problems apart from the system log, and how do I begin to troubleshoot this problem?

    My Snort config is the default that comes with it (haven't touched it) and I have enabled HTTP Inspect (0) and ticked some of the boxes in the General Preprocessor Settings (no high tech or heavy modifications).

    Any Help Appreciated.
    Thanks Much



  • Sometimes the status screen doesn't always show up correctly. If you go under services -> snort do you have the red boxes next to interface rules? If you do the easiest way to tell if snort is working is just enable the ICMP preprocessors and try to ping your box. That usually makes snort mad enough to at least trip an alert or block you. Also you can drop to the console and type "top" and just see if it's listed as running.

    I normally only start snort right from the interfaces under Services -> snort. Clicking the green arrow will start snort and it should turn to red. If you already have the red X's then it should be enabled already.



  • @bman212121:

    Sometimes the status screen doesn't always show up correctly. If you go under services -> snort do you have the red boxes next to interface rules?

    When I go to Services --> Snort my LAN and WAN interfaces have GREEN boxes.
    When I go to the console and type "top", Snort is not listed in the running processes.

    When I try to start Snort from Status --> Services it says snort is started but a Red X is still there, and if I go to Services --> Snort after that my LAN and WAN interfaces have GREEN boxes (very strange).

    Something is amiss, I just don't know what it is. Another thing I notice is that when Pfsense starts after a reboot there is no log of Snort initializing or loading in the logs (system.log).
    Thanks for your input.

    *** For the record, I did a clean install of Pfsense this morning on a Virtual Machine, then installed and configured Snort on it and it's working properly. When I go to Status --> Services Snort is on Green Triangle and when I go to Services --> Snort my LAN & WAN interfaces have a Red Box. I also see snort running in the processes.
    Thanks Again



  • When I run the start script manually I get:
    [2.0.1-RELEASE][root@pfsense.localdomain.local]/root(9): /usr/local/etc/rc.d/snort.sh start
    pgrep: Pidfile `/var/run/snort_em064427.pid' is empty
    /libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout
    pgrep: Pidfile `/var/run/snort_re046633.pid' is empty
    /libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout
    pgrep: Pidfile `/var/run/snort_rl052789.pid' is empty
    /libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout

    Has anyone ever experienced this issue before and can maybe give me some feedback/solutions?
    Any Help Appreciated
    Thanks in advance



  • @humps:

    When I run the start script manually I get:
    [2.0.1-RELEASE][root@pfsense.localdomain.local]/root(9): /usr/local/etc/rc.d/snort.sh start
    pgrep: Pidfile `/var/run/snort_em064427.pid' is empty
    /libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout

    After Googling the error message: "/libexec/ld-elf.so.1: /usr/local/lib/libpcre.so.1: unsupported file layout"
    I stumbled on this post: http://forum.pfsense.org/index.php?topic=50761.0
    The instructions helped me to get Snort running again, hopefully I can get it sorted out from here.

    For the record, these are the instructions by jimp that fixed my starting problems:

    Try this:

    uninstall, then from the shell:

    pkg_delete -f snort* pcre*

    Then try to reinstall.

    I checked the version of PCRE on the package server, and the one required by snort is built for amd64 so I'm not sure how you'd have pulled in the wrong one.

    Thanks Again
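
The fix quoted above replaces a PCRE package that jimp suspected was the wrong build for an amd64 system. The script below is an added example, not part of the original posts: it assumes the loader's `unsupported file layout` complaint comes from an ELF class (32- vs 64-bit) mismatch and uses `/bin/sh` as the host reference; the function names and stub files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag shared libraries whose ELF class differs from the host's.

# Print the ELF class of a file: 32, 64, or not-elf.
elf_class() {
    # Bytes 0-3 are the magic 0x7f 'E' 'L' 'F'; byte 4 is EI_CLASS
    # (01 = 32-bit, 02 = 64-bit).
    set -- $(od -An -tx1 -N5 "$1" 2>/dev/null)
    [ "$1$2$3$4" = "7f454c46" ] || { echo not-elf; return 0; }
    case "$5" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo not-elf ;;
    esac
}

# Assumption: /bin/sh is a native binary, so its class is what the loader expects.
host_class() { elf_class /bin/sh; }

# List every file whose class differs from the wanted one; return 1 if any did.
find_mismatched() {
    want=$1; shift
    bad=0
    for f in "$@"; do
        got=$(elf_class "$f")
        if [ "$got" != "$want" ]; then
            echo "$f: class $got, host expects $want"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample input: 5-byte stubs holding only the magic and class byte.
make_samples() {
    dir=$(mktemp -d)
    printf '\177ELF\001' > "$dir/libpcre32.so.1"   # 32-bit stub
    printf '\177ELF\002' > "$dir/libpcre64.so.1"   # 64-bit stub
    echo "$dir"
}

# Usage: sh elfcheck.sh /usr/local/lib/libpcre.so.1 [more libraries...]
if [ $# -gt 0 ]; then
    find_mismatched "$(host_class)" "$@"
fi
```

A non-zero exit status with a line naming the library indicates that the installed file does not match the host and the package that owns it should be removed and reinstalled.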



  • Glad you got it working! :)



  • Hi,

    I have the same (similar) problem.
    When I enter
    [2.0.1-RELEASE][admin@fire.box]/root(2): /usr/local/etc/rc.d/snort.sh start

    I get the following error message

    pgrep: Pidfile `/var/run/snort_pppoe03086.pid' is empty

    Any clue?

    Matthias

