[SOLVED] Snort not starting after removal of Nmap



  • This is more of a comment than a question. I have snort 2.9.2.3 pkg v. 2.5.1 installed on my box, but it was broken. Looking in the log files showed no info. After cruising through some threads, I found the command to start snort from the shell.

    /usr/local/etc/rc.d/snort.sh start

    After running that I get this error message:

    pgrep: Pidfile `/var/run/snort_snip.pid' is empty
    /libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

    So pcap is missing from my system. Tried reinstalling from the packages; that didn't fix it. Tried pkg_delete -f snort* pcre* to delete snort first; that didn't work either. (Maybe I also needed pcap*, or a complete uninstall/install?)

    I found some material referencing pcap being used by nmap. I installed nmap again and saw it install pcap.

    Ran:

    /usr/local/etc/rc.d/snort.sh start

    and everything starts up just fine again.

    Just a heads up to anyone else who might have this problem. Snort doesn't seem to install pcap, but it still relies on it to function. Once things get changed to PBIs, this shouldn't be an issue, but maybe this post will help others sort out the issue quickly. If snort fails to start but doesn't give any warnings, trying to start from the shell should give you an idea of what is broken.


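A quick way to confirm this kind of silent failure before an IDS sensor goes dark is to check the binary's shared-library dependencies directly. The script below is an added example, not part of the original post or of the Snort package: the function names and the sample text are constructed here, and the binary path you pass in (for example /usr/local/bin/snort) is an assumption about your install.

```shell
#!/bin/sh
# Added example: report shared libraries a binary needs but the loader
# cannot find. Function names are hypothetical, chosen for this sketch.

# Parse `ldd` output on stdin; print each unresolved library, one per line.
missing_from_ldd() {
    awk '/=> not found/ { print $1 }' | sort -u
}

# Parse runtime-loader errors on stdin (the form quoted in the post) and
# print "<program> needs <library>" for each one.
missing_from_rtld() {
    sed -n 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/\2 needs \1/p' | sort -u
}

# Run ldd against a binary; return 1 if any dependency is unresolved.
check_binary() {
    bin=$1
    [ -x "$bin" ] || { echo "no such executable: $bin" >&2; return 2; }
    missing=$(ldd "$bin" 2>/dev/null | missing_from_ldd)
    if [ -n "$missing" ]; then
        echo "$bin is missing: $(echo $missing)"
        return 1
    fi
    echo "$bin: all shared libraries resolved"
}

# Constructed sample of ldd output with one unresolved dependency.
sample_ldd() {
    printf '%s\n' '/usr/local/bin/snort:' \
        '	libpcap.so.1 => not found (0)' \
        '	libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)' \
        '	libc.so.7 => /lib/libc.so.7 (0x800c00000)'
}

# Constructed sample of start-script output, matching the error in the post.
sample_rtld() {
    printf '%s\n' "pgrep: Pidfile \`/var/run/snort_snip.pid' is empty" \
        '/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"'
}

# Usage: sh check_libs.sh /path/to/binary
if [ $# -gt 0 ]; then
    check_binary "$1"
fi
```

Running check_binary from cron or a monitoring hook after package changes gives an explicit alert when a removal elsewhere has pulled a library out from under the sensor.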