3. Snort and 1.2RC2

Snort and 1.2RC2

  • H

    I've been running 1.0.1 for a while now with no real problems.  Today I downloaded 1.2 RC, backed-up the config for 1.0.1, installed 1.2 RC2 to the hard drive and restored the config from backup.  Super smooth, no real problems during the install.  I have been running imspector & snort.  Since the move to RC2 Imspector appears to be running but the snort service is showing as not running and can't be started. Is this a known issue with 1.2RC2 or am I missing something?  I unistalled snort from the packages and then reinstalled and am seeing the same issue.

    0
  • S

    The only issue that I know of with Snort is that it doesnt bind to the interface specified on boot-up, have you tried manually enabling it? if that doesnt work, check your log to see if its throwing out any errors.

    Slam

    edit: This should be in the packages section of the forum  ;D

    0
  • C

    seeing anything in your system log?

    0
  • M

    Have you updated the rules?

    Sometimes I find that a rules update will get all the rules and allow snort to start

    0
  • J

    @Slam:

    The only issue that I know of with Snort is that it doesnt bind to the interface specified on boot-up, have you tried manually enabling it? if that doesnt work, check your log to see if its throwing out any errors.

    Hi,

    I have problem with snort too. After a reboot snort shows alerts, but it doesn't block the IP. After click Save on the Snort - Setting Page, Snort works correctly and block IPs.

    I found this in the system log.

    After reboot:

    Oct 10 22:12:16 	snort[1042]: Log directory = /var/log/snort
Oct 10 22:12:16 	snort[1042]: 0 out of 512 flowbits in use.
Oct 10 22:12:16 	snort[1042]: 0 out of 512 flowbits in use.
Oct 10 22:12:16 	snort[1042]: *** *** interface device lookup found: em0 ***
Oct 10 22:12:16 	snort[1042]: *** *** interface device lookup found: em0 ***
Oct 10 22:12:16 	snort[1042]: Initializing daemon mode
Oct 10 22:12:16 	snort[1042]: Initializing daemon mode
Oct 10 22:12:16 	snort[1043]: PID path stat checked out ok, PID path set to /var/run/
Oct 10 22:12:16 	snort[1043]: PID path stat checked out ok, PID path set to /var/run/
Oct 10 22:12:16 	snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
Oct 10 22:12:16 	snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
Oct 10 22:12:16 	check_reload_status: check_reload_status is starting
Oct 10 22:12:17 	snort[1042]: Child exited unexpectedly
Oct 10 22:12:17 	snort[1042]: Child exited unexpectedly
Oct 10 22:12:17 	snort[1042]: Daemon parent exiting
Oct 10 22:12:17 	snort[1042]: Daemon parent exiting
Oct 10 22:12:17 	login: login on ttyv0 as root
Oct 10 22:12:34 	SnortStartup[1091]: Ram free BEFORE starting Snort: 19M -- Ram free AFTER starting Snort: 19M -- Mode lowmem -- Snort memory usage:

    After click on Save:

    Oct 10 22:18:56 	snort[1844]: Log directory = /var/log/snort
Oct 10 22:18:56 	snort[1844]: Log directory = /var/log/snort
Oct 10 22:18:56 	snort[1844]: 0 out of 512 flowbits in use.
Oct 10 22:18:56 	snort[1844]: 0 out of 512 flowbits in use.
Oct 10 22:18:56 	kernel: em2: promiscuous mode enabled
Oct 10 22:18:56 	kernel: em2: promiscuous mode disabled
Oct 10 22:18:56 	snort[1844]: Initializing daemon mode
Oct 10 22:18:56 	snort[1844]: Initializing daemon mode
Oct 10 22:18:56 	kernel: em2: promiscuous mode enabled
Oct 10 22:18:56 	snort[1845]: PID path stat checked out ok, PID path set to /var/run/
Oct 10 22:18:56 	snort[1845]: PID path stat checked out ok, PID path set to /var/run/
Oct 10 22:18:56 	snort[1845]: Writing PID "1845" to file "/var/run//snort_em2.pid"
Oct 10 22:18:56 	snort[1845]: Writing PID "1845" to file "/var/run//snort_em2.pid"
Oct 10 22:18:56 	snort[1845]: Daemon initialized, signaled parent pid: 1844
Oct 10 22:18:56 	snort[1845]: Daemon initialized, signaled parent pid: 1844
Oct 10 22:18:56 	snort[1844]: Daemon parent exiting
Oct 10 22:18:56 	snort[1844]: Daemon parent exiting
Oct 10 22:18:56 	snort[1845]: Snort initialization completed successfully (pid=1845)
Oct 10 22:18:56 	snort[1845]: Snort initialization completed successfully (pid=1845)
Oct 10 22:18:56 	snort[1845]: Not Using PCAP_FRAMES
Oct 10 22:18:56 	snort[1845]: Not Using PCAP_FRAMES
Oct 10 22:18:56 	snort2c[1848]: snort2c running in daemon mode pid: 1848
Oct 10 22:18:56 	snort2c[1848]: snort2c running in daemon mode pid: 1848
Oct 10 22:19:13 	SnortStartup[1942]: Ram free BEFORE starting Snort: 849M -- Ram free AFTER starting Snort: 843M -- Mode lowmem -- Snort memory usage:

    Is this the problem you mean? Snort doesn't bind to the interface specified on boot-up?
    What can I do? Swapping em2 to em0?

    Thanks!

    0
  • S

    @jochen123

    The only way to overcome this is to manually hit save if you ever restart your firewall, which is what I currently do, swapping ifaces wont work, I think the problem is deeper than that and the devs are looking in to it, as time allows.

    Slam

    0
  • J

    Thanks Slam for your answer.

    what about a skript that do the same thing like hit save on a reboot?

    0
  • S

    @jochen123:

    Thanks Slam for your answer.

    what about a skript that do the same thing like hit save on a reboot?

    Yes I suppose that can work, but I dont have a clue where to start on that since my scripting skills are zilch.

    Good luck

    Slam

    0
  • H

    Thanks for all of the information, Guys!

    My problem was "solved" by a post above, I think.  I had the same errors of "can't find the directory".  Once I clicked "save' on the initial snort config screen that went away.  The service now shows as running under services - it didn't before.

    But, I'm not sure everything is working and not familiar enough with pfSense, Snort and imspector to know how to check.  Here's what's happening now -
    Snort is showing as running but if I click to view alerts, under services -> snort, it's completely blank.  I'm pretty sure that snort would be seeing things happen on the external port all through the day but nothing is showing.  I also have Imspector loaded and configured via services -> Imspector to monitor all 4 chat clients.  I have tested with IRC and Windows Messenger yet the Imspector logs are completely blank.

    Where should I start troubleshooting?

    TIA,

    Doug

    0
  • C

    hi folks!

    hiting save also solved the snort probelm here

    but imspector refuses to work

    i am using pfsense as transparent bridge only with traffic on wan and opt1

    has anyone yet found a solution?

    regards

    cc

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy