    Snort and 1.2RC2

    • hdallen55

      I've been running 1.0.1 for a while now with no real problems.  Today I downloaded 1.2 RC, backed up the config for 1.0.1, installed 1.2 RC2 to the hard drive and restored the config from backup.  Super smooth, no real problems during the install.  I have been running imspector & snort.  Since the move to RC2, Imspector appears to be running but the snort service is showing as not running and can't be started. Is this a known issue with 1.2RC2 or am I missing something?  I uninstalled snort from the packages and then reinstalled and am seeing the same issue.

      • Slam

        The only issue that I know of with Snort is that it doesn't bind to the interface specified on boot-up. Have you tried manually enabling it? If that doesn't work, check your log to see if it's throwing out any errors.

        Slam

        edit: This should be in the packages section of the forum  ;D

        • cmb

          Seeing anything in your system log?

          • morbus

            Have you updated the rules?

            Sometimes I find that a rules update will get all the rules and allow snort to start.

            • jochen123

              @Slam:

              The only issue that I know of with Snort is that it doesn't bind to the interface specified on boot-up. Have you tried manually enabling it? If that doesn't work, check your log to see if it's throwing out any errors.

              Hi,

              I have a problem with snort too. After a reboot snort shows alerts, but it doesn't block the IP. After clicking Save on the Snort - Setting Page, Snort works correctly and blocks IPs.

              I found this in the system log.

              After reboot:

              Oct 10 22:12:16 	snort[1042]: Log directory = /var/log/snort
              Oct 10 22:12:16 	snort[1042]: 0 out of 512 flowbits in use.
              Oct 10 22:12:16 	snort[1042]: 0 out of 512 flowbits in use.
              Oct 10 22:12:16 	snort[1042]: *** *** interface device lookup found: em0 ***
              Oct 10 22:12:16 	snort[1042]: *** *** interface device lookup found: em0 ***
              Oct 10 22:12:16 	snort[1042]: Initializing daemon mode
              Oct 10 22:12:16 	snort[1042]: Initializing daemon mode
              Oct 10 22:12:16 	snort[1043]: PID path stat checked out ok, PID path set to /var/run/
              Oct 10 22:12:16 	snort[1043]: PID path stat checked out ok, PID path set to /var/run/
              Oct 10 22:12:16 	snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
              Oct 10 22:12:16 	snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
              Oct 10 22:12:16 	check_reload_status: check_reload_status is starting
              Oct 10 22:12:17 	snort[1042]: Child exited unexpectedly
              Oct 10 22:12:17 	snort[1042]: Child exited unexpectedly
              Oct 10 22:12:17 	snort[1042]: Daemon parent exiting
              Oct 10 22:12:17 	snort[1042]: Daemon parent exiting
              Oct 10 22:12:17 	login: login on ttyv0 as root
              Oct 10 22:12:34 	SnortStartup[1091]: Ram free BEFORE starting Snort: 19M -- Ram free AFTER starting Snort: 19M -- Mode lowmem -- Snort memory usage:
              

              After clicking on Save:

              Oct 10 22:18:56 	snort[1844]: Log directory = /var/log/snort
              Oct 10 22:18:56 	snort[1844]: Log directory = /var/log/snort
              Oct 10 22:18:56 	snort[1844]: 0 out of 512 flowbits in use.
              Oct 10 22:18:56 	snort[1844]: 0 out of 512 flowbits in use.
              Oct 10 22:18:56 	kernel: em2: promiscuous mode enabled
              Oct 10 22:18:56 	kernel: em2: promiscuous mode disabled
              Oct 10 22:18:56 	snort[1844]: Initializing daemon mode
              Oct 10 22:18:56 	snort[1844]: Initializing daemon mode
              Oct 10 22:18:56 	kernel: em2: promiscuous mode enabled
              Oct 10 22:18:56 	snort[1845]: PID path stat checked out ok, PID path set to /var/run/
              Oct 10 22:18:56 	snort[1845]: PID path stat checked out ok, PID path set to /var/run/
              Oct 10 22:18:56 	snort[1845]: Writing PID "1845" to file "/var/run//snort_em2.pid"
              Oct 10 22:18:56 	snort[1845]: Writing PID "1845" to file "/var/run//snort_em2.pid"
              Oct 10 22:18:56 	snort[1845]: Daemon initialized, signaled parent pid: 1844
              Oct 10 22:18:56 	snort[1845]: Daemon initialized, signaled parent pid: 1844
              Oct 10 22:18:56 	snort[1844]: Daemon parent exiting
              Oct 10 22:18:56 	snort[1844]: Daemon parent exiting
              Oct 10 22:18:56 	snort[1845]: Snort initialization completed successfully (pid=1845)
              Oct 10 22:18:56 	snort[1845]: Snort initialization completed successfully (pid=1845)
              Oct 10 22:18:56 	snort[1845]: Not Using PCAP_FRAMES
              Oct 10 22:18:56 	snort[1845]: Not Using PCAP_FRAMES
              Oct 10 22:18:56 	snort2c[1848]: snort2c running in daemon mode pid: 1848
              Oct 10 22:18:56 	snort2c[1848]: snort2c running in daemon mode pid: 1848
              Oct 10 22:19:13 	SnortStartup[1942]: Ram free BEFORE starting Snort: 849M -- Ram free AFTER starting Snort: 843M -- Mode lowmem -- Snort memory usage:
              

              Is this the problem you mean? Snort doesn't bind to the interface specified on boot-up?
              What can I do? Swapping em2 to em0?

              Thanks!
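
The two start-up outcomes in the logs above can be told apart mechanically. The following is an added example, not part of the original thread: the function names `summarize` and `verdict` are hypothetical, and the sample input is a constructed subset of the syslog lines quoted in the post. It skips the duplicated lines, pulls the interface out of the PID file name, and reports a start as healthy only when both the Snort initialization line and the snort2c daemon line are present, as they are in the start where blocking worked.

```python
import re

# Constructed samples: a subset of the syslog lines quoted in the post above.
AFTER_REBOOT = """\
Oct 10 22:12:16 snort[1042]: Initializing daemon mode
Oct 10 22:12:16 snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
Oct 10 22:12:16 snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
Oct 10 22:12:16 check_reload_status: check_reload_status is starting
Oct 10 22:12:17 snort[1042]: Child exited unexpectedly
"""
AFTER_SAVE = """\
Oct 10 22:18:56 snort[1845]: Writing PID "1845" to file "/var/run//snort_em2.pid"
Oct 10 22:18:56 snort[1845]: Snort initialization completed successfully (pid=1845)
Oct 10 22:18:56 snort[1845]: Snort initialization completed successfully (pid=1845)
Oct 10 22:18:56 snort2c[1848]: snort2c running in daemon mode pid: 1848
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+([\w-]+)\[(\d+)\]:\s+(.*)$")
PIDFILE = re.compile(r"snort_(\w+)\.pid")  # interface name embedded in the PID file name

def summarize(text):
    """Collect the start-up events of one Snort start attempt from syslog text."""
    s = {"pid_lock_failed": [], "pidfile_written": [], "initialized": False, "snort2c": False}
    seen = set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.groups() in seen:  # skip unparsable and duplicated lines
            continue
        seen.add(m.groups())
        _, prog, _, msg = m.groups()
        found = PIDFILE.search(msg)
        iface = found.group(1) if found else "?"
        if prog == "snort" and "Failed to Lock PID File" in msg:
            s["pid_lock_failed"].append(iface)
        elif prog == "snort" and msg.startswith("Writing PID"):
            s["pidfile_written"].append(iface)
        elif prog == "snort" and "initialization completed successfully" in msg:
            s["initialized"] = True
        elif prog == "snort2c" and "running in daemon mode" in msg:
            s["snort2c"] = True
    return s

def verdict(s):
    """Turn a summary into a one-line status suitable for a monitoring check."""
    if s["pid_lock_failed"] and not s["initialized"]:
        return "FAILED: PID file lock on " + ",".join(s["pid_lock_failed"])
    if s["initialized"] and s["snort2c"]:
        return "OK"
    if s["initialized"]:
        return "DEGRADED: snort initialized, snort2c not seen"
    return "UNKNOWN"
```
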

              • Slam

                @jochen123

                The only way to overcome this is to manually hit save if you ever restart your firewall, which is what I currently do. Swapping ifaces won't work; I think the problem is deeper than that and the devs are looking into it, as time allows.

                Slam

                • jochen123

                  Thanks Slam for your answer.

                  What about a script that does the same thing as hitting save on a reboot?

                  • Slam

                    @jochen123:

                    Thanks Slam for your answer.

                    What about a script that does the same thing as hitting save on a reboot?

                    Yes, I suppose that can work, but I don't have a clue where to start on that since my scripting skills are zilch.

                    Good luck

                    Slam

                    • hdallen55

                      Thanks for all of the information, Guys!

                      My problem was "solved" by a post above, I think.  I had the same errors of "can't find the directory".  Once I clicked "save" on the initial snort config screen that went away.  The service now shows as running under services - it didn't before.

                      But, I'm not sure everything is working and not familiar enough with pfSense, Snort and imspector to know how to check.  Here's what's happening now -
                      Snort is showing as running but if I click to view alerts, under services -> snort, it's completely blank.  I'm pretty sure that snort would be seeing things happen on the external port all through the day but nothing is showing.  I also have Imspector loaded and configured via services -> Imspector to monitor all 4 chat clients.  I have tested with IRC and Windows Messenger yet the Imspector logs are completely blank.

                      Where should I start troubleshooting?

                      TIA,

                      Doug

                      • coolcat1975

                        hi folks!

                        hitting save also solved the snort problem here

                        but imspector refuses to work

                        I am using pfsense as a transparent bridge only, with traffic on wan and opt1

                        has anyone yet found a solution?

                        regards

                        cc
