Snort won't start
-
I haven't been able to start snort and still can't after letting pfsense do the upgrade. Is there something not obvious that I need to do? Snort claimed, after fetching the new ruleset, to have restarted but the interface shows the green start button, not the expected red stop one.
-
Please post what snort says in the system log.
-
Also try doing a full remove and then install of Snort. On the Installed Packages tab, click the "X" to completely remove the package. Then go to the Available Packages tab and install it again. If you have clicked the "keep Snort settings after de-install" option for Snort on the GLOBAL tab, then when you remove and install again all your settings will come back automatically.
-
Please post what snort says in the system log.
It looks okay to me, but that might be my ignorance:
Jan 26 00:05:22 snort[63074]:
Jan 26 00:05:22 snort[63074]:
Jan 26 00:05:22 snort[63074]: PortVar 'MODBUS_PORTS' defined :
Jan 26 00:05:22 snort[63074]: PortVar 'MODBUS_PORTS' defined :
Jan 26 00:05:22 snort[63074]: [ 502 ]
Jan 26 00:05:22 snort[63074]: [ 502 ]
Jan 26 00:05:22 snort[63074]:
Jan 26 00:05:22 snort[63074]:
Jan 26 00:05:22 snort[63074]: Detection:
Jan 26 00:05:22 snort[63074]: Detection:
Jan 26 00:05:22 snort[63074]: Search-Method = AC-Std
Jan 26 00:05:22 snort[63074]: Search-Method = AC-Std
Jan 26 00:05:22 snort[63074]: Search-Method-Optimizations = enabled
Jan 26 00:05:22 snort[63074]: Search-Method-Optimizations = enabled
Jan 26 00:05:22 snort[63074]: Maximum pattern length = 20
Jan 26 00:05:22 snort[63074]: Maximum pattern length = 20
Jan 26 00:05:24 php: : Snort has restarted with your new set of rules…
Jan 26 00:05:24 php: : The Rules update has finished...
-
Change your power scheme to AC.Sparsebands and see if it helps…
-
So I reinstalled, and got some "can't find" messages that don't sound good, but nevertheless it all seems to run to completion.
Jan 26 11:48:21 syslogd: kernel boot file is /boot/kernel/kernel
Jan 26 11:48:33 check_reload_status: Syncing firewall
Jan 26 11:48:33 check_reload_status: Syncing firewall
Jan 26 11:48:41 php: /pkg_mgr_install.php: Beginning package installation for snort.
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
Jan 26 11:48:52 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
Jan 26 11:48:52 check_reload_status: Syncing firewall
Jan 26 11:48:52 check_reload_status: Reloading filter
Jan 26 11:48:53 check_reload_status: Syncing firewall
Jan 26 11:49:03 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Inet)…
Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_dns_preproc file. Snort might error out!
Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_pop_preproc file. Snort might error out!
Jan 26 11:49:03 php: /snort/snort_interfaces.php: Could not find the libsf_imap_preproc file. Snort might error out!
Jan 26 11:49:03 php: /snort/snort_interfaces.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
Jan 26 11:49:03 snort[32122]: Found pid path directive (/var/run)
Jan 26 11:49:03 snort[32122]: Found pid path directive (/var/run)
Jan 26 11:49:03 snort[32122]: Running in IDS mode
Jan 26 11:49:03 snort[32122]: Running in IDS mode
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: –== Initializing Snort ==--
Jan 26 11:49:03 snort[32122]: –== Initializing Snort ==--
Jan 26 11:49:03 snort[32122]: Initializing Output Plugins!
Jan 26 11:49:03 snort[32122]: Initializing Output Plugins!
Jan 26 11:49:03 snort[32122]: Initializing Preprocessors!
Jan 26 11:49:03 snort[32122]: Initializing Preprocessors!
Jan 26 11:49:03 snort[32122]: Initializing Plug-ins!
Jan 26 11:49:03 snort[32122]: Initializing Plug-ins!
Jan 26 11:49:03 snort[32122]: PortVar 'DNS_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DNS_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 53 ]
Jan 26 11:49:03 snort[32122]: [ 53 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SMTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SMTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 25 ]
Jan 26 11:49:03 snort[32122]: [ 25 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'MAIL_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'MAIL_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 25 143 465 691 ]
Jan 26 11:49:03 snort[32122]: [ 25 143 465 691 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'HTTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'HTTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 80 901 3128 8080 9000 ]
Jan 26 11:49:03 snort[32122]: [ 80 901 3128 8080 9000 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'ORACLE_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'ORACLE_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 1521 ]
Jan 26 11:49:03 snort[32122]: [ 1521 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'MSSQL_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'MSSQL_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 1433 ]
Jan 26 11:49:03 snort[32122]: [ 1433 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'TELNET_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'TELNET_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 23 ]
Jan 26 11:49:03 snort[32122]: [ 23 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SNMP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SNMP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 161 ]
Jan 26 11:49:03 snort[32122]: [ 161 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'FTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'FTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 21 ]
Jan 26 11:49:03 snort[32122]: [ 21 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SSH_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SSH_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 22 ]
Jan 26 11:49:03 snort[32122]: [ 22 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'POP2_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'POP2_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 109 ]
Jan 26 11:49:03 snort[32122]: [ 109 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'POP3_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'POP3_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 110 ]
Jan 26 11:49:03 snort[32122]: [ 110 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'IMAP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'IMAP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 143 ]
Jan 26 11:49:03 snort[32122]: [ 143 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SIP_PROXY_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SIP_PROXY_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 5060:5090 16384:32768 ]
Jan 26 11:49:03 snort[32122]: [ 5060:5090 16384:32768 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SIP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SIP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 5060:5090 16384:32768 ]
Jan 26 11:49:03 snort[32122]: [ 5060:5090 16384:32768 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'AUTH_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'AUTH_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 113 ]
Jan 26 11:49:03 snort[32122]: [ 113 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'FINGER_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'FINGER_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 79 ]
Jan 26 11:49:03 snort[32122]: [ 79 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'IRC_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'IRC_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 6665:6669 7000 ]
Jan 26 11:49:03 snort[32122]: [ 6665:6669 7000 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SMB_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SMB_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 139 445 ]
Jan 26 11:49:03 snort[32122]: [ 139 445 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'NNTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'NNTP_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 119 ]
Jan 26 11:49:03 snort[32122]: [ 119 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'RLOGIN_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'RLOGIN_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 513 ]
Jan 26 11:49:03 snort[32122]: [ 513 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'RSH_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'RSH_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 514 ]
Jan 26 11:49:03 snort[32122]: [ 514 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SSL_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SSL_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 443 465 563 636 989:990 992:995 ]
Jan 26 11:49:03 snort[32122]: [ 443 465 563 636 989:990 992:995 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'FILE_DATA_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'FILE_DATA_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 80 110 143 901 3128 8080 9000 ]
Jan 26 11:49:03 snort[32122]: [ 80 110 143 901 3128 8080 9000 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SHELLCODE_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SHELLCODE_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 0:79 81:65535 ]
Jan 26 11:49:03 snort[32122]: [ 0:79 81:65535 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'SUN_RPC_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'SUN_RPC_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 111 32770:32779 ]
Jan 26 11:49:03 snort[32122]: [ 111 32770:32779 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
Jan 26 11:49:03 snort[32122]: [ 139 445 ]
Jan 26 11:49:03 snort[32122]: [ 139 445 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
Jan 26 11:49:03 snort[32122]: [ 138 1024:65535 ]
Jan 26 11:49:03 snort[32122]: [ 138 1024:65535 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
Jan 26 11:49:03 snort[32122]: [ 135 139 445 593 1024:65535 ]
Jan 26 11:49:03 snort[32122]: [ 135 139 445 593 1024:65535 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
Jan 26 11:49:03 snort[32122]: [ 135 1024:65535 ]
Jan 26 11:49:03 snort[32122]: [ 135 1024:65535 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
Jan 26 11:49:03 snort[32122]: [ 135 593 1024:65535 ]
Jan 26 11:49:03 snort[32122]: [ 135 593 1024:65535 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_TCP' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_NCACN_TCP' defined :
Jan 26 11:49:03 snort[32122]: [ 2103 2105 2107 ]
Jan 26 11:49:03 snort[32122]: [ 2103 2105 2107 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DCERPC_BRIGHTSTORE' defined :
Jan 26 11:49:03 snort[32122]: [ 6503:6504 ]
Jan 26 11:49:03 snort[32122]: [ 6503:6504 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'DNP3_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'DNP3_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 20000 ]
Jan 26 11:49:03 snort[32122]: [ 20000 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: PortVar 'MODBUS_PORTS' defined :
Jan 26 11:49:03 snort[32122]: PortVar 'MODBUS_PORTS' defined :
Jan 26 11:49:03 snort[32122]: [ 502 ]
Jan 26 11:49:03 snort[32122]: [ 502 ]
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]:
Jan 26 11:49:03 snort[32122]: Detection:
Jan 26 11:49:03 snort[32122]: Detection:
Jan 26 11:49:03 snort[32122]: Search-Method = AC-Std
Jan 26 11:49:03 snort[32122]: Search-Method = AC-Std
Jan 26 11:49:03 snort[32122]: Search-Method-Optimizations = enabled
Jan 26 11:49:03 snort[32122]: Search-Method-Optimizations = enabled
Jan 26 11:49:03 snort[32122]: Maximum pattern length = 20
Jan 26 11:49:03 snort[32122]: Maximum pattern length = 20
Jan 26 11:49:03 snort[32122]: Found pid path directive (/var/run)
Jan 26 11:49:03 snort[32122]: Found pid path directive (/var/run)
Jan 26 11:49:03 snort[32122]: Tagged Packet Limit: 256
Jan 26 11:49:03 snort[32122]: Tagged Packet Limit: 256
Jan 26 11:49:03 snort[32122]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine…
Jan 26 11:49:03 snort[32122]: Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine…
Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicengine.
Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic engine libs from /usr/local/lib/snort/dynamicengine
Jan 26 11:49:03 snort[32122]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules…
Jan 26 11:49:03 snort[32122]: Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules…
Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicrules.
Jan 26 11:49:03 snort[32122]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort/dynamicrules.
Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules
Jan 26 11:49:03 snort[32122]: Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules
Jan 26 11:49:03 snort[32122]: WARNING: ip4 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: ip4 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: tcp normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: tcp normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: icmp4 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: icmp4 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: ip6 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: ip6 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: icmp6 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: WARNING: icmp6 normalizations disabled because not inline.
Jan 26 11:49:03 snort[32122]: Frag3 global config:
Jan 26 11:49:03 snort[32122]: Frag3 global config:
Jan 26 11:49:03 snort[32122]: Max frags: 65536
Jan 26 11:49:03 snort[32122]: Max frags: 65536
Jan 26 11:49:03 snort[32122]: Fragment memory cap: 4194304 bytes
Jan 26 11:49:03 snort[32122]: Fragment memory cap: 4194304 bytes
Jan 26 11:49:03 snort[32122]: Frag3 engine config:
Jan 26 11:49:03 snort[32122]: Frag3 engine config:
Jan 26 11:49:03 snort[32122]: Bound Address: default
Jan 26 11:49:03 snort[32122]: Bound Address: default
Jan 26 11:49:03 snort[32122]: Target-based policy: BSD
Jan 26 11:49:03 snort[32122]: Target-based policy: BSD
Jan 26 11:49:03 snort[32122]: Fragment timeout: 180 seconds
Jan 26 11:49:03 snort[32122]: Fragment timeout: 180 seconds
Jan 26 11:49:03 snort[32122]: Fragment min_ttl: 1
Jan 26 11:49:03 snort[32122]: Fragment min_ttl: 1
Jan 26 11:49:03 snort[32122]: Fragment Anomalies: Alert
Jan 26 11:49:03 snort[32122]: Fragment Anomalies: Alert
Jan 26 11:49:03 snort[32122]: Overlap Limit: 10
Jan 26 11:49:03 snort[32122]: Overlap Limit: 10
Jan 26 11:49:03 snort[32122]: Min fragment Length: 100
Jan 26 11:49:03 snort[32122]: Min fragment Length: 100
Jan 26 11:49:03 snort[32122]: Stream5 global config:
Jan 26 11:49:03 snort[32122]: Stream5 global config:
Jan 26 11:49:03 snort[32122]: Track TCP sessions: ACTIVE
Jan 26 11:49:03 snort[32122]: Track TCP sessions: ACTIVE
Jan 26 11:49:03 snort[32122]: Max TCP sessions: 262144
Jan 26 11:49:03 snort[32122]: Max TCP sessions: 262144
Jan 26 11:49:03 snort[32122]: Memcap (for reassembly packet storage): 8388608
Jan 26 11:49:03 snort[32122]: Memcap (for reassembly packet storage): 8388608
Jan 26 11:49:03 snort[32122]: Track UDP sessions: ACTIVE
Jan 26 11:49:03 snort[32122]: Track UDP sessions: ACTIVE
Jan 26 11:49:03 snort[32122]: Max UDP sessions: 131072
Jan 26 11:49:03 snort[32122]: Max UDP sessions: 131072
Jan 26 11:49:03 snort[32122]: Track ICMP sessions: INACTIVE
Jan 26 11:49:03 snort[32122]: Track ICMP sessions: INACTIVE
Jan 26 11:49:03 snort[32122]: Track IP sessions: INACTIVE
Jan 26 11:49:03 snort[32122]: Track IP sessions: INACTIVE
Jan 26 11:49:03 snort[32122]: Log info if session memory consumption exceeds 1048576
Jan 26 11:49:03 snort[32122]: Log info if session memory consumption exceeds 1048576
Jan 26 11:49:03 snort[32122]: Send up to 2 active responses
Jan 26 11:49:03 snort[32122]: Send up to 2 active responses
Jan 26 11:49:03 snort[32122]: Wait at least 5 seconds between responses
Jan 26 11:49:03 snort[32122]: Wait at least 5 seconds between responses
Jan 26 11:49:03 snort[32122]: Protocol Aware Flushing: ACTIVE
Jan 26 11:49:03 snort[32122]: Protocol Aware Flushing: ACTIVE
Jan 26 11:49:03 snort[32122]: Maximum Flush Point: 16000
Jan 26 11:49:03 snort[32122]: Maximum Flush Point: 16000
Jan 26 11:49:03 snort[32122]: Stream5 TCP Policy config:
Jan 26 11:49:03 snort[32122]: Stream5 TCP Policy config:
Jan 26 11:49:03 snort[32122]: Bound Address: default
Jan 26 11:49:03 snort[32122]: Bound Address: default
Jan 26 11:49:03 snort[32122]: Reassembly Policy: BSD
Jan 26 11:49:03 snort[32122]: Reassembly Policy: BSD
Jan 26 11:49:03 snort[32122]: Timeout: 180 seconds
Jan 26 11:49:03 snort[32122]: Timeout: 180 seconds
Jan 26 11:49:03 snort[32122]: Limit on TCP Overlaps: 10
Jan 26 11:49:03 snort[32122]: Limit on TCP Overlaps: 10
Jan 26 11:49:03 snort[32122]: Maximum number of bytes to queue per session: 1048576
Jan 26 11:49:03 snort[32122]: Maximum number of bytes to queue per session: 1048576
Jan 26 11:49:03 snort[32122]: Maximum number of segs to queue per session: 2621
Jan 26 11:49:03 snort[32122]: Maximum number of segs to queue per session: 2621
Jan 26 11:49:03 snort[32122]: Reassembly Ports:
Jan 26 11:49:03 snort[32122]: Reassembly Ports:
Jan 26 11:49:03 snort[32122]: 0 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 0 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 1 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 1 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 2 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 2 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 3 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 3 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 4 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 4 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 5 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 5 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 6 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 6 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 7 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 7 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 8 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 8 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 9 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 9 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 10 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 10 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 11 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 11 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 12 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 12 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 13 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 13 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 14 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 14 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 15 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 15 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 16 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 16 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 17 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 17 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 18 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 18 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 19 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: 19 client (Footprint) server (Footprint)
Jan 26 11:49:03 snort[32122]: additional ports configured but not printed.
Jan 26 11:49:03 snort[32122]: additional ports configured but not printed.
Jan 26 11:49:03 snort[32122]: Stream5 UDP Policy config:
Jan 26 11:49:03 snort[32122]: Stream5 UDP Policy config:
Jan 26 11:49:03 snort[32122]: Timeout: 180 seconds
Jan 26 11:49:03 snort[32122]: Timeout: 180 seconds
-
uninstall and reinstall again.
You seem to have some issues there.
Normally it can run if the rules do not reference the preprocessors.
-
Okay, reinstalled again, switched to the low-end (AC-BNFA) mode (which is probably all 4GB on a D2500 is good for anyway, on a 1MB DSL).
Removing snort components…
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Beginning package installation for snort...
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation... Loading package configuration... done.
Configuring package components...
Additional files... done.
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...done.
Executing custom_php_resync_config_command()...done.
Custom commands...
Executing custom_php_install_command()...done.
Executing custom_php_resync_config_command()...done.
Menu items... done.
Services... done.
Writing configuration... done.
Package reinstalled.
Jan 26 17:27:47 syslogd: kernel boot file is /boot/kernel/kernel
Jan 26 17:27:57 check_reload_status: Syncing firewall
Jan 26 17:27:57 check_reload_status: Syncing firewall
Jan 26 17:28:06 php: /pkg_mgr_install.php: Beginning package installation for snort.
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ftptelnet_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_ssl_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_dns_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_pop_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Could not find the libsf_imap_preproc file. Snort might error out!
Jan 26 17:28:13 php: /pkg_mgr_install.php: Seems preprocessor/decoder rules are missing, enabling autogeneration of them
Jan 26 17:28:13 check_reload_status: Syncing firewall
Jan 26 17:28:13 check_reload_status: Reloading filter
Jan 26 17:28:13 check_reload_status: Syncing firewall
-
Yeah you need to fetch updates again.
-
I've reinstalled again, same result.
Whose problem are these missing libsf files, pfsense's or snort's? And how serious are they?
-
I just ssh'd over to the firewall box to see whether I could start snort by hand.
The executable is meant to be in /bin, but there's nothing there.
There is something in /usr/local/bin, but it appears to be a log generator…or at least it appears to be generating log entries.
There's no job named snort in the proc list.
I really need some help here.
-
I just ssh'd over to the firewall box to see whether I could start snort by hand.
The executable is meant to be in /bin, but there's nothing there.
There is something in /usr/local/bin, but it appears to be a log generator…or at least it appears to be generating log entries.
There's no job named snort in the proc list.
I really need some help here.
MMacD:
Just so I am clear. When you say "…I reinstalled again..."; do you mean you clicked the "X" icon to totally remove the package, and then went back to the Available Packages tab and installed like a clean install? The reinstall icon (titled PKG) on the Installed Packages tab does not always work properly.
If you did not do a complete remove with the "X" and then fresh install, try that.
If you already did a complete remove, then try it again but reboot after removing but before installing again. I had to do that in one of my 2.1-BETA snapshot virtual machines I test with. Don't know exactly what's wrong at this point, but from your description and the missing file error message, it sounds like Snort is only partially installed on your system at this point.
-
Yes, I just clicked the "pkg" to reinstall, I didn't try stripping it down first.
I'll try stripping next, though I'll be surprised if I get a different result since I'll be executing the same code (I'm running the 2.0.1 release, not any beta code).
Is there some documentation available that details what changes have been made to the stock way FreeBSD does things? I've already tripped over some of the custom changes, and since I didn't understand the rationale for them, I can't predict where or what kind of other changes I should expect.
-
Okay, I stripped it out, rebooted, and reinstalled.
Jan 31 07:16:32 php: : Restarting/Starting all packages.
Jan 31 07:16:33 kernel: ugen2.2: <logitech> at usbus2 (disconnected)
Jan 31 07:16:33 kernel: ukbd0: at uhub2, port 1, addr 2 (disconnected)
Jan 31 07:16:33 kernel: ums0: at uhub2, port 1, addr 2 (disconnected)
Jan 31 07:16:33 kernel: uhid0: at uhub2, port 1, addr 2 (disconnected)
Jan 31 07:16:33 kernel: ugen2.3: <logitech> at usbus2 (disconnected)
Jan 31 07:16:33 kernel: ukbd1: at uhub2, port 2, addr 3 (disconnected)
Jan 31 07:16:33 kernel: uhid1: at uhub2, port 2, addr 3 (disconnected)
Jan 31 07:17:21 apinger: Error while feeding rrdtool: Broken pipe
Jan 31 07:18:04 check_reload_status: Syncing firewall
Jan 31 07:18:05 php: /pkg_mgr_install.php: Beginning package installation for snort.
Jan 31 07:18:05 check_reload_status: Syncing firewall
Jan 31 07:18:13 apinger: ALARM: WAN(10.9.53.1) *** delay ***
Jan 31 07:18:21 apinger: /usr/local/bin/rrdtool respawning too fast, waiting 300s.
Jan 31 07:18:23 check_reload_status: Reloading filter
Jan 31 07:19:03 apinger: alarm canceled: WAN(10.9.53.1) *** delay ***
Jan 31 07:19:13 check_reload_status: Reloading filter
Jan 31 07:20:40 php: /pkg_mgr_install.php: Snort MD5 Attempts: 5
Jan 31 07:20:40 php: /pkg_mgr_install.php: Please wait… You may only check for New Rules every 15 minutes...
Jan 31 07:20:41 php: /pkg_mgr_install.php: There is a new set of Emergingthreats rules posted. Downloading...
Jan 31 07:20:41 php: /pkg_mgr_install.php: Emergingthreats rules file update downloaded succsesfully
Jan 31 07:20:41 php: /pkg_mgr_install.php: Updating rules configuration for: WAN ...
Jan 31 07:21:06 php: /pkg_mgr_install.php: Snort has restarted with your new set of rules...
Jan 31 07:21:06 php: /pkg_mgr_install.php: The Rules update has finished...
Jan 31 07:21:20 check_reload_status: Syncing firewall
Jan 31 07:21:20 check_reload_status: Reloading filter
Jan 31 07:21:21 check_reload_status: Syncing firewall
Jan 31 07:22:42 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Inet)...It looks to me as though it thinks it's running, but unless it's hidden from top and ps, or is running under another name, it's not running. I ssh'd over and called both top and ps -auxww and there's no job whose command has the substring 'snort' or any reasonable variation.</logitech></logitech>
-
Okay, I stripped it out, rebooted, and reinstalled.
It looks to me as though it thinks it's running, but unless it's hidden from top and ps, or is running under another name, it's not running. I ssh'd over and called both top and ps -auxww and there's no job whose command has the substring 'snort' or any reasonable variation.
From the menu in the GUI, select Snort to open the Snort tab view, and then look at the icon for the interface. If it is the red X, then Snort is running. If it's the green arrow, Snort is stopped. If green, click the icon to attempt a start. Things should grind along for about 20 seconds, and then the icon should change to the red X to indicate Snort is running.
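The GUI icon and the process table can disagree, which is exactly what the poster is seeing: the package believes Snort started, but `ps -auxww` shows no such process. Below is an added example (not code from this thread or from the pfSense Snort package) that makes that comparison per interface. It assumes the package writes one PID file per monitored interface under /var/run named snort_*.pid; that naming and path are assumptions, so confirm the real --pid-path in the snort.sh script on your own firewall before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# Cross-check the package's idea of "Snort is running" against the process
# table, the way the poster did with top / ps -auxww, but per interface.
#
# Assumption: the pfSense Snort package writes one PID file per monitored
# interface under /var/run, named snort_*.pid (hypothetical naming; check
# the generated snort.sh on your box for the real --pid-path).

# check_snort_pids PS_OUTPUT_FILE PIDFILE_DIR
#   PS_OUTPUT_FILE: saved output of `ps -auxww` (PID in column 2)
#   PIDFILE_DIR:    directory holding snort_*.pid files
# Prints one line per PID file: "<file> running <pid>" or "<file> stale <pid>".
# Returns 0 only if every PID file points at a live snort process.
check_snort_pids() {
    ps_out=$1
    piddir=$2
    rc=0
    found=0
    for f in "$piddir"/snort_*.pid; do
        [ -e "$f" ] || continue          # no match: the glob is left unexpanded
        found=1
        pid=$(tr -dc '0-9' < "$f")       # tolerate trailing newline / junk
        # A PID file is only trustworthy if that PID exists *and* is snort;
        # a stale file can point at a recycled PID owned by some other daemon.
        if [ -n "$pid" ] && awk -v p="$pid" \
              '$2 == p && $0 ~ /snort/ { ok = 1 } END { exit !ok }' "$ps_out"; then
            echo "$f running $pid"
        else
            echo "$f stale ${pid:-?}"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no snort_*.pid files in $piddir (snort never started, or a different --pid-path)"
        rc=1
    fi
    return $rc
}

# snort_live_check: run the check against the real system. Call this by hand
# on the firewall; it is deliberately not invoked when the file is sourced.
snort_live_check() {
    tmp=$(mktemp)
    ps -auxww > "$tmp"
    check_snort_pids "$tmp" /var/run
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Source the file over SSH and run `snort_live_check`. A "stale" line means the package left a PID file behind but the daemon is gone (so the GUI may still show it as running), while "no snort_*.pid files" means the start script never got as far as launching Snort, which is the case to chase in the system log.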
-
From the menu in the GUI, select Snort to open the Snort tab view, and then look at the icon for the interface. If it is the red X, then Snort is running. If it's the green arrow, Snort is stopped. If green, click the icon to attempt a start. Things should grind along for about 20 seconds, and then the icon should change to the red X to indicate Snort is running.
That's how I discovered I had a problem: it stays green (as it just now did when I tried again). I get a "waiting for firewall" message and then after 10 seconds or so it goes away.
-
After I uninstall I can no longer re-install.
It should be fixed so that an update always functions and never requires a remove first.
Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.53.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.53.tbz.
of mysql-client-5.1.53 failed!
Installation aborted.
Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.1.53...done.
Starting package deletion for barnyard2-1.9_2...done.
Starting package deletion for libnet11-1.1.2.1_3,1...done.
Starting package deletion for libdnet-1.11_3...done.
Starting package deletion for libpcap-1.1.1_1...done.
Starting package deletion for daq-0.6.2...done.
Starting package deletion for snort-2.9.2.3...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.
Installation halted.
-
I can start snort by hand, so it's not completely broken. But to trace the problem I need better documentation. Normally my first place in tracing no-starts would be /etc/rc.conf and /local/etc/rc.conf. But they don't exist, and there's no documentation that I can find that explains the pfsense custom setup.
So I'm stuck.
-
I can start snort by hand, so it's not completely broken. But to trace the problem I need better documentation. Normally my first place in tracing no-starts would be /etc/rc.conf and /local/etc/rc.conf. But they don't exist, and there's no documentation that I can find that explains the pfsense custom setup.
So I'm stuck.
I'm not a BSD guru, and I did not write these functions, but if you look in the file /usr/local/pkg/snort/snort.inc you will find the various shared functions used by the Snort package. In there are several that start and stop Snort by calling the snort.sh script that another function in that include file creates. Maybe looking at those will give you some clues about where to look on your filesystem.
-
Have you looked under Status > System log? All the snort messages should be logged there.
Turns out the issue I had posted about previously was just a temporary downtime of files.pfsense.org. After about an hour I was able to install again.