Snort & PPPoE: Snort refuses to start(?)

bmeeks

Yep, this is that shared library problem I mentioned another user had.  It came from a conflicting package install.  This does not happen on the 2.1 version of pfSense due to the way PBI packages work.  It does bite folks from time to time on 2.0.x, though.

I will be out of town the next three days and unavailable to help, but I see marcelloc has chimed in.  Perhaps he can help you sort it out.  If not, I will be back online in about 3 days.

Bill

Boags

@bmeeks:

Yep, this is that shared library problem I mentioned another user had.  It came from a conflicting package install.  This does not happen on the 2.1 version of pfSense due to the way PBI packages work.  It does bite folks from time to time on 2.0.x, though.

I will be out of town the next three days and unavailable to help, but I see marcelloc has chimed in.  Perhaps he can help you sort it out.  If not, I will be back online in about 3 days.

Bill

Thank you for your patience and your professional and friendly support Bill.

A bit of search on the libpcap.so issue lead me to the fix with the following commands:

1.) ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
2.) ln -s /usr/local/lib/snort/dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
3.) ln -s /usr/local/lib/snort/dynamicengine /usr/local/lib/snort_dynamicengine
4.) ln -s /usr/local/lib/snort/dynamicrules /usr/local/lib/snort_dynamicrules
5.) manually update the Snort rules.
6.) touch /usr/local/etc/snort/rules/local.rules

Snort is finally up and running. What a relief. I've missed it :)

Also thank you marcelloc.

Cheers :)

Mr. Jingles

EDIT: solved, please see below.

Then I am jumping in again  ;D

For some reason, yesterday at noon snort stopped. No exit signals in the logs, nothing. I tried a 1001 things, including, finally, uninstalling and reinstalling snort, but it still wouldn't run. Searching in this fine forum I found this thread, and executed the two commands mentioned here:

[2.0.3-RELEASE][root@pfsense.localdomain]/root(1): /usr/local/bin/snort -V
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"

And:

[2.0.3-RELEASE][root@pfsense.localdomain]/root(3): find / -name "libpcap.so*"
/lib/libpcap.so.7
/usr/local/lib/libpcap.so.1.3.0
/usr/local/lib/libpcap.so.1.2.1
/usr/lib/libpcap.so

I would have expected that the complete reinstall of Snort would have taken care of this, but obviously not ( ???).

I also don't really understand why the file 'suddenly' is missing, as I didn't do anything on the box for a week or so.

Might I ask if what Boags posted right above here is really 1000% safe? Normally I wouldn't care if something goes completely wrong and I'd even have to reinstall the complete box, but I have just set up OpenVPN for my wife who left to travel to the other side of the world, and I don't want to risk her not being able to interconnect home.

Thank you in advance for an answer  ;D

Bye,

EDIT: solved:
While browsing this fine forum I found this thread: http://forum.pfsense.org/index.php/topic,62928.135.html

Where Shinzo posted this:

So funny thing happend, from what i can make out from the logs.  Snort rules updated last night.  After that it ran the snortstart and it stopped running.  Nothing in the logs showed me why it wasnt working but i typed snort into the command line and its giving me a

"/libexec/ld-elf.so.1" shared object "libpcap.so.1" not found, required by snort." So i can only assume the shared object ran off some where Tongue and no i didn't delete it

To continue my story, i found out what deleted it.  bandwidthd was maxing out my cpu the other day so i figured i remove it.  When i uninstalled it, it took the libpcap file with it too, i reinstalled bandwidthd but left it disabled and snort is running fine again

Exactly my problem, although I hadn't deinstalled bandwithd first. So I did that now, and reinstalled, et voila, Snort is working again  ;D

bmeeks

@Hollander:

To continue my story, i found out what deleted it.  bandwidthd was maxing out my cpu the other day so i figured i remove it.  When i uninstalled it, it took the libpcap file with it too, i reinstalled bandwidthd but left it disabled and snort is running fine again

Exactly my problem, although I hadn't deinstalled bandwithd first. So I did that now, and reinstalled, et voila, Snort is working again  ;D

I assume this is on a 2.0.x box?  Shared libraries such as pcap, MySQL and others can be a real pain.  That's what is so nice about the PBI setup on 2.1 boxes.  In effect each app has its own sort of "application jail" where it can install and remove shared libraries as necessary without impacting other applications that may have some of the same shared libraries.  In actuality, these libraries are no longer "shared" in the classic sense with the PBI setup. Each application has its own independent copy of them.

Bill

Mr. Jingles

@bmeeks:

I assume this is on a 2.0.x box?  Shared libraries such as pcap, MySQL and others can be a real pain.  That's what is so nice about the PBI setup on 2.1 boxes.  In effect each app has its own sort of "application jail" where it can install and remove shared libraries as necessary without impacting other applications that may have some of the same shared libraries.  In actuality, these libraries are no longer "shared" in the classic sense with the PBI setup. Each application has its own independent copy of them.

Bill

Thank you for your answer, Bill, and yes, you are right, this is 2.0.3. I can really appreciate what is in 2.1, and that is why I am eagerly awaiting that it is officially released  :P