Netgate Discussion Forum
    Snort won't start

      MMacD

      I haven't been able to start snort and still can't after letting pfsense do the upgrade.  Is there something not obvious that I need to do?  Snort claimed, after fetching the new ruleset, to have restarted but the interface shows the green start button, not the expected red stop one.

        fragged

        Please post what snort says in the system log.

          bmeeks

          Also try doing a full remove and then install of Snort.  On the Installed Packages tab, click the "X" to completely remove the package.  Then go to the Available Packages tab and install it again.  If you have clicked the "keep Snort settings after de-install" option for Snort on the GLOBAL tab, then when you remove and install again all your settings will come back automatically.

            MMacD

            @fragged:

            Please post what snort says in the system log.

            It looks okay to me, but that might be my ignorance:

            Jan 26 00:05:22 snort[63074]:
            Jan 26 00:05:22 snort[63074]:
            Jan 26 00:05:22 snort[63074]: PortVar 'MODBUS_PORTS' defined :
            Jan 26 00:05:22 snort[63074]: PortVar 'MODBUS_PORTS' defined :
            Jan 26 00:05:22 snort[63074]: [ 502 ]
            Jan 26 00:05:22 snort[63074]: [ 502 ]
            Jan 26 00:05:22 snort[63074]:
            Jan 26 00:05:22 snort[63074]:
            Jan 26 00:05:22 snort[63074]: Detection:
            Jan 26 00:05:22 snort[63074]: Detection:
            Jan 26 00:05:22 snort[63074]: Search-Method = AC-Std
            Jan 26 00:05:22 snort[63074]: Search-Method = AC-Std
            Jan 26 00:05:22 snort[63074]: Search-Method-Optimizations = enabled
            Jan 26 00:05:22 snort[63074]: Search-Method-Optimizations = enabled
            Jan 26 00:05:22 snort[63074]: Maximum pattern length = 20
            Jan 26 00:05:22 snort[63074]: Maximum pattern length = 20
            Jan 26 00:05:24 php: : Snort has restarted with your new set of rules…
            Jan 26 00:05:24 php: : The Rules update has finished...

              Supermule

              Change your power scheme to AC.Sparsebands and see if it helps…

                MMacD

                So I reinstalled, and got some "can't find" messages that don't sound good, but nevertheless it all seems to run to completion

                Jan 26 11:48:21 syslogd: kernel boot file is /boot/kernel/kernel
                Jan 26 11:48:33 check_reload_status: Syncing firewall
                Jan 26 11:48:33 check_reload_status: Syncing firewall
                Jan 26 11:48:41 php: /pkg_mgr_install.php: Beginning package installation for snort.
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
                Jan 26 11:48:52 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                Jan 26 11:48:52 check_reload_status: Syncing firewall
                Jan 26 11:48:52 check_reload_status: Reloading filter
                Jan 26 11:48:53 check_reload_status: Syncing firewall
                Jan 26 11:49:03 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Inet)…
                Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_dns_preproc file. Snort might error out!
                Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_pop_preproc file. Snort might error out!
                Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_imap_preproc file. Snort might error out!
                Jan 26 11:49:03 php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                Jan 26 11:49:03 snort[32122]: Found pid path directive (/var/run)
                Jan 26 11:49:03 snort[32122]: Found pid path directive (/var/run)
                Jan 26 11:49:03 snort[32122]: Running in IDS mode
                Jan 26 11:49:03 snort[32122]: Running in IDS mode
                Jan 26 11:49:03 snort[32122]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine…
                Jan 26 11:49:03 snort[32122]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine…
                Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
                Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
                Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
                Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
                Jan 26 11:49:03 snort[32122]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules…
                Jan 26 11:49:03 snort[32122]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules…
                Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicrules.
                Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicrules.
                Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules
                Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules
                Jan 26 11:49:03 snort[32122]: WARNING: ip4 normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: ip4 normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: tcp normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: tcp normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: icmp4 normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: icmp4 normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: ip6 normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: ip6 normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: icmp6 normalizations disabled because not inline.
                Jan 26 11:49:03 snort[32122]: WARNING: icmp6 normalizations disabled because not inline.

                  eri--

                  uninstall and reinstall again.
                  You seem to have some issues there.
                  Normally it can run if the rules do not reference the preprocessors.

                    MMacD

                    Okay, reinstalled again, switched to the low-end (AC-BNFA) mode (which is probably all 4GB on a D2500 is good for anyway, on a 1MB DSL)

                    Removing snort components…
                    Menu items... done.
                    Services... done.
                    Loading package instructions...
                    Deinstall commands... done.
                    Removing package instructions...done.
                    Auxiliary files... done.
                    Package XML... done.
                    Configuration... done.
                    Beginning package installation for snort...
                    Downloading package configuration file... done.
                    Saving updated package information... done.
                    Downloading snort and its dependencies...
                    Checking for package installation... Loading package configuration... done.
                    Configuring package components...
                    Additional files... done.
                    Loading package instructions...
                    Custom commands...
                    Executing custom_php_install_command()...done.
                    Executing custom_php_resync_config_command()...done.
                    Custom commands...
                    Executing custom_php_install_command()...done.
                    Executing custom_php_resync_config_command()...done.
                    Menu items... done.
                    Services... done.
                    Writing configuration... done.

                    Package reinstalled.

                    Jan 26 17:27:47 syslogd: kernel boot file is /boot/kernel/kernel
                    Jan 26 17:27:57 check_reload_status: Syncing firewall
                    Jan 26 17:27:57 check_reload_status: Syncing firewall
                    Jan 26 17:28:06 php: /pkg_mgr_install.php: Beginning package installation for snort.
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
                    Jan 26 17:28:13 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
                    Jan 26 17:28:13 check_reload_status: Syncing firewall
                    Jan 26 17:28:13 check_reload_status: Reloading filter
                    Jan 26 17:28:13 check_reload_status: Syncing firewall

                      eri--

                      Yeah you need to fetch updates again.

                        MMacD

                        I've reinstalled again, same result

                        Whose problem are these missing libsf files, pfsense's or snort's?  And how serious are they?

                          MMacD

                          I just ssh'd over to the firewall box to see whether I could start snort by hand.

                          The executable is meant to be in /bin, but there's nothing there.

                          There is something in /usr/local/bin, but it appears to be a log generator…or at least it appears to be generating log entries.

                          There's no job named snort in the proc list.

                          I really need some help here.

                            bmeeks

                            @MMacD:

                            I just ssh'd over to the firewall box to see whether I could start snort by hand.

                            The executable is meant to be in /bin, but there's nothing there.

                            There is something in /usr/local/bin, but it appears to be a log generator…or at least it appears to be generating log entries.

                            There's no job named snort in the proc list.

                            I really need some help here.

                            MMacD:

                            Just so I am clear.  When you say "…I reinstalled again..."; do you mean you clicked the "X" icon to totally remove the package, and then went back to the Available Packages tab and installed like a clean install?  The reinstall icon (titled PKG) on the Installed Packages tab does not always work properly.

                            If you did not do a complete remove with the "X" and then fresh install, try that.

                            If you already did a complete remove, then try it again but reboot after removing but before installing again.  I had to do that in one of my 2.1-BETA snapshot virtual machines I test with.  Don't know exactly what's wrong at this point, but from your description and the missing file error message, it sounds like Snort is only partially installed on your system at this point.

                              MMacD

                              Yes, I just clicked the "pkg" to reinstall, I didn't try stripping it down first.

                              I'll try stripping next, tho I'll be surprised if I get a different result since I'll be executing the same code (I'm running the 2.0.1 release, not any beta code)

                              Is there some documentation available that details what changes have been made to the stock way freebsd does things?  I've already tripped over some of the custom changes, and since I didn't understand the rationale for them, I can't predict where or what kind of other changes I should expect.

                                MMacD

                                Okay, I stripped it out, rebooted, and reinstalled.

                                Jan 31 07:16:32 php: : Restarting/Starting all packages.
                                Jan 31 07:16:33 kernel: ugen2.2: <logitech>at usbus2 (disconnected)
                                Jan 31 07:16:33 kernel: ukbd0: at uhub2, port 1, addr 2 (disconnected)
                                Jan 31 07:16:33 kernel: ums0: at uhub2, port 1, addr 2 (disconnected)
                                Jan 31 07:16:33 kernel: uhid0: at uhub2, port 1, addr 2 (disconnected)
                                Jan 31 07:16:33 kernel: ugen2.3: <logitech>at usbus2 (disconnected)
                                Jan 31 07:16:33 kernel: ukbd1: at uhub2, port 2, addr 3 (disconnected)
                                Jan 31 07:16:33 kernel: uhid1: at uhub2, port 2, addr 3 (disconnected)
                                Jan 31 07:17:21 apinger: Error while feeding rrdtool: Broken pipe
                                Jan 31 07:18:04 check_reload_status: Syncing firewall
                                Jan 31 07:18:05 php: /pkg_mgr_install.php: Beginning package installation for snort.
                                Jan 31 07:18:05 check_reload_status: Syncing firewall
                                Jan 31 07:18:13 apinger: ALARM: WAN(10.9.53.1) *** delay ***
                                Jan 31 07:18:21 apinger: /usr/local/bin/rrdtool respawning too fast, waiting 300s.
                                Jan 31 07:18:23 check_reload_status: Reloading filter
                                Jan 31 07:19:03 apinger: alarm canceled: WAN(10.9.53.1) *** delay ***
                                Jan 31 07:19:13 check_reload_status: Reloading filter
                                Jan 31 07:20:40 php: /pkg_mgr_install.php: Snort MD5 Attempts: 5
                                Jan 31 07:20:40 php: /pkg_mgr_install.php: Please wait… You may only check for New Rules every 15 minutes...
                                Jan 31 07:20:41 php: /pkg_mgr_install.php: There is a new set of Emergingthreats rules posted. Downloading...
                                Jan 31 07:20:41 php: /pkg_mgr_install.php: Emergingthreats rules file update downloaded succsesfully
                                Jan 31 07:20:41 php: /pkg_mgr_install.php: Updating rules configuration for: WAN ...
                                Jan 31 07:21:06 php: /pkg_mgr_install.php: Snort has restarted with your new set of rules...
                                Jan 31 07:21:06 php: /pkg_mgr_install.php: The Rules update has finished...
                                Jan 31 07:21:20 check_reload_status: Syncing firewall
                                Jan 31 07:21:20 check_reload_status: Reloading filter
                                Jan 31 07:21:21 check_reload_status: Syncing firewall
                                Jan 31 07:22:42 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Inet)...

                                It looks to me as though it thinks it's running, but unless it's hidden from top and ps, or is running under another name, it's not running.  I ssh'd over and called both top and ps -auxww and there's no job whose command has the substring 'snort' or any reasonable variation.

                                  bmeeks

                                  @MMacD:

                                  Okay, I stripped it out, rebooted, and reinstalled.

                                  It looks to me as though it thinks it's running, but unless it's hidden from top and ps, or is running under another name, it's not running.  I ssh'd over and called both top and ps -auxww and there's no job whose command has the substring 'snort' or any reasonable variation.

                                  From the menu in the GUI, select Snort to open the Snort tab view, and then look at the icon for the interface.  If it is the red X, then Snort is running.  If it's the green arrow, Snort is stopped.  If green, click the icon to attempt a start.  Things should grind along for about 20 seconds, and then the icon should change to the red X to indicate Snort is running.

                                    MMacD

                                    @bmeeks:

                                    From the menu in the GUI, select Snort to open the Snort tab view, and then look at the icon for the interface.  If it is the red X, then Snort is running.  If it's the green arrow, Snort is stopped.  If green, click the icon to attempt a start.  Things should grind along for about 20 seconds, and then the icon should change to the red X to indicate Snort is running.

                                    That's how I discovered I had a problem:  it stays green (as it just now did when I tried again).  I get a "waiting for firewall" message and then after 10 seconds or so it goes away.

                                      joako

                                      After I uninstall I can no longer re-install.

                                      It should be fixed so that an update always functions and never requires a remove first.

                                      Beginning package installation for snort…
                                      Downloading package configuration file... done.
                                      Saving updated package information... done.
                                      Downloading snort and its dependencies...
                                      Checking for package installation...
                                      Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.53.tbz.
                                      of mysql-client-5.1.53 failed!

                                      Installation aborted.Backing up libraries...
                                      Removing package...
                                      Starting package deletion for mysql-client-5.1.53...done.
                                      Starting package deletion for barnyard2-1.9_2...done.
                                      Starting package deletion for libnet11-1.1.2.1_3,1...done.
                                      Starting package deletion for libdnet-1.11_3...done.
                                      Starting package deletion for libpcap-1.1.1_1...done.
                                      Starting package deletion for daq-0.6.2...done.
                                      Starting package deletion for snort-2.9.2.3...done.
                                      Removing snort components...
                                      Menu items... done.
                                      Services... done.
                                      Loading package instructions...
                                      Include file snort.inc could not be found for inclusion.
                                      Deinstall commands...
                                      Not executing custom deinstall hook because an include is missing.
                                      Removing package instructions...done.
                                      Auxiliary files... done.
                                      Package XML... done.
                                      Configuration... done.
                                      Cleaning up... Failed to install package.

                                      Installation halted.

                                        MMacD

                                        I can start snort by hand, so it's not completely broken.  But to trace the problem I need better documentation.  Normally my first place in tracing no-starts would be /etc/rc.conf and /local/etc/rc.conf.  But they don't exist, and there's no documentation that I can find that explains the pfsense custom setup.

                                        So I'm stuck.

                                          bmeeks

                                          @MMacD:

                                          I can start snort by hand, so it's not completely broken.  But to trace the problem I need better documentation.  Normally my first place in tracing no-starts would be /etc/rc.conf and /local/etc/rc.conf.  But they don't exist, and there's no documentation that I can find that explains the pfsense custom setup.

                                          So I'm stuck.

                                          I'm not a BSD guru, and I did not write these functions, but if you look in the file /usr/local/pkg/snort/snort.inc you will find the various shared functions used by the Snort package.  In there are several that start and stop Snort by calling the snort.sh script that another function in that include file creates.  Maybe looking at those will give you some clues about where to look on your filesystem.

                                            joako

                                            Have you looked under Status > System log? All the snort messages should be logged there.

                                            Turns out the issue I had posted about previously was just a temporary downtime of files.pfsense.org. After about an hour I was able to install again.
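
The two symptoms discussed in this thread (installer warnings about missing libsf_*_preproc files, and a GUI start attempt that is followed by no snort daemon output) can both be read out of the system log. The script below is an added example, not part of any post or of the pfSense Snort package; the function names and verdict strings are hypothetical, and the sample log is constructed from lines quoted in the posts above.

```shell
#!/bin/sh
# Added example: triage a pfSense system log for the symptoms in this thread.

# Constructed sample input, assembled from log lines quoted in the posts.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 26 17:28:06 php: /pkg_mgr_install.php: Beginning package installation for snort.
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Jan 31 07:21:06 php: /pkg_mgr_install.php: Snort has restarted with your new set of rules...
Jan 31 07:22:42 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Inet)...
Jan 31 07:23:10 check_reload_status: Syncing firewall
EOF

# Print each preprocessor library the installer reported missing, once.
# The log repeats every line, so duplicates are collapsed with sort -u.
missing_preprocs() {
    sed -n 's/.*Could not find the \(libsf_[a-z0-9_]*_preproc\) file.*/\1/p' "$1" | sort -u
}

# Count snort[PID] daemon lines logged after the LAST GUI start attempt.
# Prints "no-start-attempt" if the log has no "Toggle(snort starting)" line.
daemon_lines_after_start() {
    awk '
        /Toggle\(snort starting\)/ { seen = 1; n = 0; next }
        seen && / snort\[[0-9]+\]: / { n++ }
        END { if (seen) print n; else print "no-start-attempt" }
    ' "$1"
}

# Combine both checks into one verdict string.
triage() {
    missing=$(missing_preprocs "$1")
    after=$(daemon_lines_after_start "$1")
    if [ -n "$missing" ]; then
        echo "partial-install"          # installer could not find libsf_* files
    elif [ "$after" = "no-start-attempt" ]; then
        echo "inconclusive"             # nobody tried to start Snort in this log
    elif [ "$after" = "0" ]; then
        echo "start-failed-silently"    # GUI toggled, daemon never logged
    else
        echo "running"                  # daemon produced output after the toggle
    fi
}

echo "missing preprocessor libraries:"
missing_preprocs "$SAMPLE_LOG"
echo "snort[PID] lines after last start attempt: $(daemon_lines_after_start "$SAMPLE_LOG")"
echo "verdict: $(triage "$SAMPLE_LOG")"
```

On a real box, pass the function a text export of the system log instead of the sample file.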
