Snort 2.9.4.1 Pkg 2.5.4 – Fix for SO rules version mismatch and failed startup
-
There is a small typo in the name of the Snort VRT rules file in the new Snort 2.9.4.1 package released today. I will submit a Pull Request to the developers for a permanent fix, but in the meantime if you are experiencing startup failures caused by a Shared Objects rule version mismatch, here is a workaround.
Use the Diagnostics…Edit File menu option and browse to /usr/local/pkg/snort and open the file snort.inc in the editor.
Near the top of that file, find the line that reads as follows:
$snort_rules_file = "snortrules-snapshot-2940.tar.gz";
Change that line to read as follows instead:
$snort_rules_file = "snortrules-snapshot-2941.tar.gz";
Click Save in the dialog to save the change.
Go to the Snort Service and update the rules again. That should allow Snort to start. The error is caused by the new code downloading the rule package for 2.9.4.0 Snort instead of 2.9.4.1. The Shared Objects (SO) pre-compiled rules changed in 2.9.4.1 and were compiled with a newer library.
Bill
-
DAMN GOOD Bill!!
-
Getting this error still.. despite changing the snort.inc file.
snort[51278]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.
-
Same problem however if you go to /usr/local/lib/snort/dynamicrules/ and delete everything it starts fine.
-
Same problem however if you go to /usr/local/lib/snort/dynamicrules/ and delete everything it starts fine.
Sorry not sure if I made it clear.
Delete the files
Change the code
Download the rules
Start snort -
I just executed a Pull Request to the pfSense developers with a fix for this problem. As soon as one of them sees and accepts it, this error should be fixed.
UPDATE – This change has been pushed to production. If you are experiencing the "FATAL ERROR" problem with dynamic shared object rules, then reinstall the GUI components of the Snort package. After reinstalling the GUI components, THEN update your rules using the UPDATE tab in Snort.
Bill
-
Snort started fine after this mod (thanks!), however it is blocking my WAN connection so had to disable snort for now.
-
Still not working for me, Bill. Reinstalled and did the reinstall of GUI Components as well and I'm getting error during rule update. After update Installed Signature Ruleset for Snort.org still says N/A
Mar 21 22:26:15 php: /snort/snort_download_rules.php: The Rules update has finished... Mar 21 22:26:15 php: /snort/snort_download_rules.php: Snort has restarted with your new set of rules... Mar 21 22:26:13 SnortStartup[58102]: Snort START For HTTP Inspect(30901_em1)... Mar 21 22:26:13 snort[58095]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17. Mar 21 22:25:51 SnortStartup[56657]: Snort START For HTTP Inspect(30901_em1)... Mar 21 22:25:51 snort[56363]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17. Mar 21 22:25:47 php: /snort/snort_download_rules.php: Resolving and auto-enabling flowbit required rules for WAN... Mar 21 22:25:46 php: /snort/snort_download_rules.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN... Mar 21 22:25:45 php: /snort/snort_download_rules.php: Updating rules configuration for: WAN ... Mar 21 22:25:45 php: /snort/snort_download_rules.php: Emergingthreats rules file update downloaded succsesfully Mar 21 22:25:43 php: /snort/snort_download_rules.php: There is a new set of Emergingthreats rules posted. Downloading... Mar 21 22:25:42 php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes... Mar 21 22:25:42 php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5 Mar 21 22:24:01 check_reload_status: Reloading filter Mar 21 22:24:01 check_reload_status: Syncing firewall Mar 21 22:23:58 php: /pkg_mgr_install.php: Resolving and auto-enabling flowbit required rules for WAN... Mar 21 22:23:57 php: /pkg_mgr_install.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN... Mar 21 22:23:56 php: /pkg_mgr_install.php: The dir for /usr/pbi/snort-amd64/etc/snort/snort_30901_em1/snort.conf does not exist. Cannot add symlink to /usr/local/etc/snort/snort_30901_em1/snort.conf. Mar 21 22:23:56 php: /pkg_mgr_install.php: The dir for /usr/pbi/snort-amd64/etc/snort/snort_30901_em1/threshold.conf does not exist. Cannot add symlink to /usr/local/etc/snort/snort_30901_em1/threshold.conf. Mar 21 22:23:53 php: /pkg_mgr_install.php: Resolving and auto-enabling flowbit required rules for WAN... Mar 21 22:23:51 php: /pkg_mgr_install.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN... Mar 21 22:23:50 php: /pkg_mgr_install.php: The Rules update has finished... Mar 21 22:23:50 php: /pkg_mgr_install.php: Snort has restarted with your new set of rules... Mar 21 22:23:28 php: /pkg_mgr_install.php: Resolving and auto-enabling flowbit required rules for WAN... Mar 21 22:23:26 php: /pkg_mgr_install.php: Checking for and disabling any rules dependent upon disabled preprocessors for WAN... Mar 21 22:23:25 php: /pkg_mgr_install.php: Updating rules configuration for: WAN ... Mar 21 22:23:25 php: /pkg_mgr_install.php: Emergingthreats rules file update downloaded succsesfully Mar 21 22:23:25 php: /pkg_mgr_install.php: There is a new set of Emergingthreats rules posted. Downloading... Mar 21 22:23:25 php: /pkg_mgr_install.php: Please wait... You may only check for New Rules every 15 minutes... Mar 21 22:23:25 php: /pkg_mgr_install.php: Snort MD5 Attempts: 5 Mar 21 22:21:49 php: /pkg_mgr_install.php: Beginning package installation for snort . -
Snort.org ruleset not updating here as well. Service starts but gives a dozen of these in system logs.
Mar 21 22:32:12 snort[37838]: Non ip() parameter passed with white list, skipping…
Mar 21 22:32:12 snort[37838]: Non ip() parameter passed with white list, skipping…
Mar 21 22:32:12 snort[37838]: Non ip() parameter passed with white list, skipping… -
OK, Removed Snort package, then ran "find /* | grep -i snort | xargs rm -rv" to remove all left over traces of Snort and now I'm up to speed with Asterix with the exact error and issue. Is this Snort.org's problem? Seems it takes forever to download the md5 file during the update process.
-
Rule updates have been slow for me as well. Could be a Snort.org problem. I am also getting the "non IP in whitelist" errors. Don't know yet what is causing them. I did not create the binary update to 2.9.4.1. I've just worked on the GUI parts. The "non IP in whitelist" error could be coming from either place. That is, it could be the new Snort binary itself, or an interaction with the GUI and the new binary. The GUI code is essentially unchanged from Snort 2.9.2.3 to 2.9.4.1.
I will try and determine exactly what is causing them. Very likely, if the whitelist is not being parsed correctly, that WAN IP addresses will get blocked by Snort.
Bill
-
Anyone else seeing WAN connections being blocked? I have a dual WAN setup, AMD64 2.0.2
-
In regards to the md5 file problem, I might be way off on this but on the Snort.org site, there are no 2.9.4.1 ruleset updates for Registered Users, only Subscribers. Wondering if that 30 day wait between Registered and Subscribed is the reason.
https://www.snort.org/snort-rules/
-
Yeah the WAN drop happened to me once but that was a few hours ago. I have an idea to why the snort.org aren't working. Snort tries to get the snapshot 2941. Subscribers can get v2941 but register users can only get v2940. Being as I am a registered user, can only get v2940
-
read my mind
In regards to the md5 file problem, I might be way off on this but on the Snort.org site, there are no 2.9.4.1 ruleset updates for Registered Users, only Subscribers. Wondering if that 30 day wait between Registered and Subscribed is the reason.
https://www.snort.org/snort-rules/
-
Good catch on the 2.9.4.1 snapshot versus 2.9.4.0. Subscribers can get 2.9.4.1, but Registered users can only get the 2.9.4.0. That may be a difficult nut to crack because it appears the 2.9.4.1 code must use the 2.9.4.1 rules tarball to work.
As for the other error on parsing the whitelist, I've identified the source of the error message as the Spoink plug-in that Snort on pfSense uses to actually do the blocking. This is a third-party module that Ermal heavily modified to work within pfSense. It is now, for some reason, apparently choking on parsing the whitelist file supplied to it. Don't know why yet. Sent Ermal a request just now to check it out and see if he sees something.
I will investigate options for the 2.9.4.0 versus 2.9.4.1 rules update issue. That one may not sort itself out until April 1 when the 2.9.4.1 rules officially become "30 days old".
Bill
-
-
WAN blocked a couple of times now. Uninstalling Snort for now.
-
Also, Snort continues to block WAN connections, even with interfaces disabled in the snort GUI. You need to uninstall it, or kill snort via command line.
-
Hello all
Steps worked for me :
Install Snort.org rules - Do NOT Install
Resolve Flowbits - Unchecked( So Emerging Threats rules only )
rm /usr/local/lib/snort/dynamicrules/*
Start. Working!
