Netgate Discussion Forum

    Snort 2.9.4.1 Pkg 2.5.4 – Fix for SO rules version mismatch and failed startup

    • bmeeks

      There is a small typo in the name of the Snort VRT rules file in the new Snort 2.9.4.1 package released today.  I will submit a Pull Request to the developers for a permanent fix, but in the meantime if you are experiencing startup failures caused by a Shared Objects rule version mismatch, here is a workaround.

      Use the Diagnostics…Edit File menu option and browse to /usr/local/pkg/snort and open the file snort.inc in the editor.

      Near the top of that file, find the line that reads as follows:

      $snort_rules_file = "snortrules-snapshot-2940.tar.gz";

      Change that line to read as follows instead:

      $snort_rules_file = "snortrules-snapshot-2941.tar.gz";

      Click Save in the dialog to save the change.

      Go to the Snort Service and update the rules again.  That should allow Snort to start.  The error is caused by the new code downloading the rule package for 2.9.4.0 Snort instead of 2.9.4.1.  The Shared Objects (SO) pre-compiled rules changed in 2.9.4.1 and were compiled with a newer library.

      Bill
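
The check behind this workaround, as an added example that is not part of the original post or of the pfSense Snort package: derive the snapshot name a given Snort version needs and compare it with the $snort_rules_file line in snort.inc. The function names are hypothetical, and the version-to-name mapping (dots removed) is inferred from the two file names quoted in the post.

```shell
#!/bin/sh
# Added example (not pfSense code). Function names are hypothetical.

# Snapshot tarball a Snort version needs, e.g. 2.9.4.1 -> snortrules-snapshot-2941.tar.gz
# (mapping inferred from the two file names quoted in the post).
expected_snapshot() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# Value assigned to $snort_rules_file in a snort.inc-style file (first match only).
configured_snapshot() {
    sed -n 's/^[[:space:]]*\$snort_rules_file[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# usage: check_snapshot <snort-version> <path-to-snort.inc>
# Returns 0 on match, 1 on mismatch, 2 when the assignment is missing.
check_snapshot() {
    want=$(expected_snapshot "$1")
    have=$(configured_snapshot "$2")
    if [ -z "$have" ]; then
        echo "no \$snort_rules_file assignment found in $2"
        return 2
    fi
    if [ "$have" != "$want" ]; then
        echo "MISMATCH: snort.inc names $have, Snort $1 needs $want"
        return 1
    fi
    echo "OK: $have"
}

# Run directly as: sh check.sh 2.9.4.1 /usr/local/pkg/snort/snort.inc
if [ "$#" -eq 2 ]; then
    check_snapshot "$1" "$2"
fi
```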

      • Supermule

        DAMN GOOD  Bill!!

        • asterix

          Getting this error still.. despite changing the snort.inc file.

          snort[51278]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

          • mschiek01

            Same problem; however, if you go to /usr/local/lib/snort/dynamicrules/ and delete everything, it starts fine.

            • mschiek01

              @mschiek01:

              Same problem; however, if you go to /usr/local/lib/snort/dynamicrules/ and delete everything, it starts fine.

              Sorry not sure if I made it clear.

              Delete the files
              Change the code
              Download the rules
              Start snort

              • bmeeks

                I just executed a Pull Request to the pfSense developers with a fix for this problem.  As soon as one of them sees and accepts it, this error should be fixed.

                UPDATE – This change has been pushed to production.  If you are experiencing the "FATAL ERROR" problem with dynamic shared object rules, then reinstall the GUI components of the Snort package.  After reinstalling the GUI components, THEN update your rules using the UPDATE tab in Snort.

                Bill

                • dwood

                  Snort started fine after this mod  (thanks!), however it is blocking my WAN connection so had to disable snort for now.

                  • AhnHEL

                    Still not working for me, Bill.  Reinstalled and did the reinstall of GUI Components as well and I'm getting an error during rule update.  After update, Installed Signature Ruleset for Snort.org still says N/A.

                    Mar 21 22:26:15 	php: /snort/snort_download_rules.php: The Rules update has finished...
                    Mar 21 22:26:15 	php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules...
                    Mar 21 22:26:13 	SnortStartup[58102]: Snort START For HTTP Inspect(30901_em1)...
                    Mar 21 22:26:13 	snort[58095]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                    Mar 21 22:25:51 	SnortStartup[56657]: Snort START For HTTP Inspect(30901_em1)...
                    Mar 21 22:25:51 	snort[56363]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
                    Mar 21 22:25:47 	php: /snort/snort_download_rules.php: Resolving and auto-enabling flowbit required rules for WAN...
                    Mar 21 22:25:46 	php: /snort/snort_download_rules.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                    Mar 21 22:25:45 	php: /snort/snort_download_rules.php: Updating rules configuration for: WAN ...
                    Mar 21 22:25:45 	php: /snort/snort_download_rules.php: Emergingthreats rules file update downloaded succsesfully
                    Mar 21 22:25:43 	php: /snort/snort_download_rules.php: There is a new set of Emergingthreats rules posted. Downloading...
                    Mar 21 22:25:42 	php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
                    Mar 21 22:25:42 	php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
                    Mar 21 22:24:01 	check_reload_status: Reloading filter
                    Mar 21 22:24:01 	check_reload_status: Syncing firewall
                    Mar 21 22:23:58 	php: /pkg_mgr_install.php: Resolving and auto-enabling flowbit required rules for WAN...
                    Mar 21 22:23:57 	php: /pkg_mgr_install.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                    Mar 21 22:23:56 	php: /pkg_mgr_install.php: The dir for /usr/pbi/snort-amd64/etc/snort/snort_30901_em1/snort.conf does not exist. Cannot add symlink to /usr/local/etc/snort/snort_30901_em1/snort.conf.
                    Mar 21 22:23:56 	php: /pkg_mgr_install.php: The dir for /usr/pbi/snort-amd64/etc/snort/snort_30901_em1/threshold.conf does not exist. Cannot add symlink to /usr/local/etc/snort/snort_30901_em1/threshold.conf.
                    Mar 21 22:23:53 	php: /pkg_mgr_install.php: Resolving and auto-enabling flowbit required rules for WAN...
                    Mar 21 22:23:51 	php: /pkg_mgr_install.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                    Mar 21 22:23:50 	php: /pkg_mgr_install.php: The Rules update has finished...
                    Mar 21 22:23:50 	php: /pkg_mgr_install.php: Snort has restarted with your new set of rules...
                    Mar 21 22:23:28 	php: /pkg_mgr_install.php: Resolving and auto-enabling flowbit required rules for WAN...
                    Mar 21 22:23:26 	php: /pkg_mgr_install.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
                    Mar 21 22:23:25 	php: /pkg_mgr_install.php: Updating rules configuration for: WAN ...
                    Mar 21 22:23:25 	php: /pkg_mgr_install.php: Emergingthreats rules file update downloaded succsesfully
                    Mar 21 22:23:25 	php: /pkg_mgr_install.php: There is a new set of Emergingthreats rules posted. Downloading...
                    Mar 21 22:23:25 	php: /pkg_mgr_install.php: Please wait... You may only check for New Rules every 15 minutes...
                    Mar 21 22:23:25 	php: /pkg_mgr_install.php: Snort MD5 Attempts: 5
                    Mar 21 22:21:49 	php: /pkg_mgr_install.php: Beginning package installation for snort .
                    

                    AhnHEL (Angel)
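
A way to pull the mismatch details out of a system log like the one posted above, as an added example that is not part of the original post or of Snort or pfSense: it reports each rule library named in a FATAL ERROR line together with the engine version it was built for and the engine version now running. The function names are hypothetical, and the sample lines are copied from the log above with the tab after the timestamp replaced by a space.

```shell
#!/bin/sh
# Added example (not Snort or pfSense code). Function names are hypothetical.

# Read syslog lines on stdin; print "library built-for-engine running-engine"
# once per distinct rule library that failed the engine version check.
so_mismatches() {
    sed -n 's/.*FATAL ERROR: The dynamic detection library "\([^"]*\)".* engine library version \([0-9.]*\) isn.t compatible.* version \([0-9.]*[0-9]\)\.*$/\1 \2 \3/p' |
        sort -u
}

# Directories that hold the stale libraries, i.e. the ones the thread clears
# before downloading the rules again.
stale_rule_dirs() {
    so_mismatches | while read -r lib built running; do
        dirname "$lib"
    done | sort -u
}

# Sample input copied from the log posted in the thread.
sample_log() {
cat <<'EOF'
Mar 21 22:26:15 php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules...
Mar 21 22:26:13 SnortStartup[58102]: Snort START For HTTP Inspect(30901_em1)...
Mar 21 22:26:13 snort[58095]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
Mar 21 22:25:51 snort[56363]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
EOF
}

# Stand-alone run: show the mismatches found in the sample.
sample_log | so_mismatches
```

Note that the log reports "The Rules update has finished" and "Snort has restarted" two seconds after the FATAL ERROR, so those success messages alone do not confirm that Snort is running.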

                    • asterix

                      Snort.org ruleset not updating here as well. Service starts but gives a dozen of these in system logs.

                      Mar 21 22:32:12 snort[37838]: Non ip() parameter passed with white list, skipping…
                      Mar 21 22:32:12 snort[37838]: Non ip() parameter passed with white list, skipping…
                      Mar 21 22:32:12 snort[37838]: Non ip() parameter passed with white list, skipping…

                      • AhnHEL

                        OK, Removed Snort package, then ran "find /* | grep -i snort | xargs rm -rv" to remove all left over traces of Snort and now I'm up to speed with Asterix with the exact error and issue.  Is this Snort.org's problem?  Seems it takes forever to download the md5 file during the update process.

                        AhnHEL (Angel)

                        • bmeeks

                          Rule updates have been slow for me as well.  Could be a Snort.org problem.  I am also getting the "non IP in whitelist" errors.  Don't know yet what is causing them.  I did not create the binary update to 2.9.4.1.  I've just worked on the GUI parts.  The "non IP in whitelist" error could be coming from either place.  That is, it could be the new Snort binary itself, or an interaction with the GUI and the new binary.  The GUI code is essentially unchanged from Snort 2.9.2.3 to 2.9.4.1.

                          I will try and determine exactly what is causing them.  Very likely, if the whitelist is not being parsed correctly, that WAN IP addresses will get blocked by Snort.

                          Bill

                          • dwood

                            Anyone else seeing WAN connections being blocked?  I have a dual WAN setup, AMD64 2.0.2

                            • AhnHEL

                              In regards to the md5 file problem, I might be way off on this but on the Snort.org site, there are no 2.9.4.1 ruleset updates for Registered Users, only Subscribers.   Wondering if that 30 day wait between Registered and Subscribed is the reason.

                              https://www.snort.org/snort-rules/

                              AhnHEL (Angel)

                              • shinzo

                                Yeah, the WAN drop happened to me once, but that was a few hours ago.  I have an idea as to why the snort.org rules aren't working.  Snort tries to get the snapshot 2941.  Subscribers can get v2941 but registered users can only get v2940.  Being as I am a registered user, I can only get v2940.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  shinzo
                                  last edited by

                                  read my mind

                                  @AhnHEL:

                                  In regards to the md5 file problem, I might be way off on this but on the Snort.org site, there are no 2.9.4.1 ruleset updates for Registered Users, only Subscribers.   Wondering if that 30 day wait between Registered and Subscribed is the reason.

                                  https://www.snort.org/snort-rules/

                                  • bmeeks

                                    Good catch on the 2.9.4.1 snapshot versus 2.9.4.0.  Subscribers can get 2.9.4.1, but Registered users can only get the 2.9.4.0.  That may be a difficult nut to crack because it appears the 2.9.4.1 code must use the 2.9.4.1 rules tarball to work.

                                    As for the other error on parsing the whitelist, I've identified the source of the error message as the Spoink plug-in that Snort on pfSense uses to actually do the blocking.  This is a third-party module that Ermal heavily modified to work within pfSense.  It is now, for some reason, apparently choking on parsing the whitelist file supplied to it.  Don't know why yet.  Sent Ermal a request just now to check it out and see if he sees something.

                                    I will investigate options for the 2.9.4.0 versus 2.9.4.1 rules update issue.  That one may not sort itself out until April 1 when the 2.9.4.1 rules officially become "30 days old".

                                    Bill

                                    • AhnHEL

                                      @bmeeks
                                      Are you sure it's April 1st?  Thought it might be April 19th with the datestamp on the current rulesets.

                                      @Shinzo
                                      ;D

                                      AhnHEL (Angel)

                                      • asterix

                                        WAN blocked a couple of times now. Uninstalling Snort for now.

                                        • dwood

                                          Also, Snort continues to block WAN connections, even with interfaces disabled in the snort GUI.  You need to uninstall it, or kill snort via command line.

                                          • vizavi

                                            Hello all
                                            Steps that worked for me:
                                            Install Snort.org rules - Do NOT Install
                                            Resolve Flowbits  - Unchecked

                                            ( So Emerging Threats rules only )

                                            rm /usr/local/lib/snort/dynamicrules/*
                                            Start. Working!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.