Snort and 1.2RC2



  • I've been running 1.0.1 for a while now with no real problems.  Today I downloaded 1.2 RC, backed up the config for 1.0.1, installed 1.2 RC2 to the hard drive and restored the config from backup.  Super smooth, no real problems during the install.  I have been running imspector & snort.  Since the move to RC2 Imspector appears to be running but the snort service is showing as not running and can't be started. Is this a known issue with 1.2RC2 or am I missing something?  I uninstalled snort from the packages and then reinstalled and am seeing the same issue.



  • The only issue that I know of with Snort is that it doesn't bind to the interface specified on boot-up. Have you tried manually enabling it? If that doesn't work, check your log to see if it's throwing out any errors.

    Slam

    edit: This should be in the packages section of the forum  ;D



  • Seeing anything in your system log?



  • Have you updated the rules?

    Sometimes I find that a rules update will get all the rules and allow snort to start.



  • @Slam:

    The only issue that I know of with Snort is that it doesn't bind to the interface specified on boot-up. Have you tried manually enabling it? If that doesn't work, check your log to see if it's throwing out any errors.

    Hi,

    I have a problem with snort too. After a reboot snort shows alerts, but it doesn't block the IP. After clicking Save on the Snort - Settings page, Snort works correctly and blocks IPs.

    I found this in the system log.

    After reboot:

    Oct 10 22:12:16 	snort[1042]: Log directory = /var/log/snort
    Oct 10 22:12:16 	snort[1042]: 0 out of 512 flowbits in use.
    Oct 10 22:12:16 	snort[1042]: 0 out of 512 flowbits in use.
    Oct 10 22:12:16 	snort[1042]: *** *** interface device lookup found: em0 ***
    Oct 10 22:12:16 	snort[1042]: *** *** interface device lookup found: em0 ***
    Oct 10 22:12:16 	snort[1042]: Initializing daemon mode
    Oct 10 22:12:16 	snort[1042]: Initializing daemon mode
    Oct 10 22:12:16 	snort[1043]: PID path stat checked out ok, PID path set to /var/run/
    Oct 10 22:12:16 	snort[1043]: PID path stat checked out ok, PID path set to /var/run/
    Oct 10 22:12:16 	snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
    Oct 10 22:12:16 	snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
    Oct 10 22:12:16 	check_reload_status: check_reload_status is starting
    Oct 10 22:12:17 	snort[1042]: Child exited unexpectedly
    Oct 10 22:12:17 	snort[1042]: Child exited unexpectedly
    Oct 10 22:12:17 	snort[1042]: Daemon parent exiting
    Oct 10 22:12:17 	snort[1042]: Daemon parent exiting
    Oct 10 22:12:17 	login: login on ttyv0 as root
    Oct 10 22:12:34 	SnortStartup[1091]: Ram free BEFORE starting Snort: 19M -- Ram free AFTER starting Snort: 19M -- Mode lowmem -- Snort memory usage:
    

    After clicking Save:

    Oct 10 22:18:56 	snort[1844]: Log directory = /var/log/snort
    Oct 10 22:18:56 	snort[1844]: Log directory = /var/log/snort
    Oct 10 22:18:56 	snort[1844]: 0 out of 512 flowbits in use.
    Oct 10 22:18:56 	snort[1844]: 0 out of 512 flowbits in use.
    Oct 10 22:18:56 	kernel: em2: promiscuous mode enabled
    Oct 10 22:18:56 	kernel: em2: promiscuous mode disabled
    Oct 10 22:18:56 	snort[1844]: Initializing daemon mode
    Oct 10 22:18:56 	snort[1844]: Initializing daemon mode
    Oct 10 22:18:56 	kernel: em2: promiscuous mode enabled
    Oct 10 22:18:56 	snort[1845]: PID path stat checked out ok, PID path set to /var/run/
    Oct 10 22:18:56 	snort[1845]: PID path stat checked out ok, PID path set to /var/run/
    Oct 10 22:18:56 	snort[1845]: Writing PID "1845" to file "/var/run//snort_em2.pid"
    Oct 10 22:18:56 	snort[1845]: Writing PID "1845" to file "/var/run//snort_em2.pid"
    Oct 10 22:18:56 	snort[1845]: Daemon initialized, signaled parent pid: 1844
    Oct 10 22:18:56 	snort[1845]: Daemon initialized, signaled parent pid: 1844
    Oct 10 22:18:56 	snort[1844]: Daemon parent exiting
    Oct 10 22:18:56 	snort[1844]: Daemon parent exiting
    Oct 10 22:18:56 	snort[1845]: Snort initialization completed successfully (pid=1845)
    Oct 10 22:18:56 	snort[1845]: Snort initialization completed successfully (pid=1845)
    Oct 10 22:18:56 	snort[1845]: Not Using PCAP_FRAMES
    Oct 10 22:18:56 	snort[1845]: Not Using PCAP_FRAMES
    Oct 10 22:18:56 	snort2c[1848]: snort2c running in daemon mode pid: 1848
    Oct 10 22:18:56 	snort2c[1848]: snort2c running in daemon mode pid: 1848
    Oct 10 22:19:13 	SnortStartup[1942]: Ram free BEFORE starting Snort: 849M -- Ram free AFTER starting Snort: 843M -- Mode lowmem -- Snort memory usage:
    

    Is this the problem you mean? Snort doesn't bind to the interface specified on boot-up?
    What can I do? Swapping em2 to em0?

    Thanks!



  • @jochen123

    The only way to overcome this is to manually hit save if you ever restart your firewall, which is what I currently do. Swapping ifaces won't work; I think the problem is deeper than that, and the devs are looking into it as time allows.

    Slam



  • Thanks Slam for your answer.

    What about a script that does the same thing as hitting save on a reboot?



  • @jochen123:

    Thanks Slam for your answer.

    What about a script that does the same thing as hitting save on a reboot?

    Yes, I suppose that can work, but I don't have a clue where to start on that since my scripting skills are zilch.

    Good luck

    Slam
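    The two posts above ask for a script that does what clicking Save does after a reboot, and jochen123's boot log shows what goes wrong: the Snort child dies with "FATAL ERROR: Failed to Lock PID File" and the parent exits. The following boot-time health check is an added example written for this thread; it is not pfSense's own startup code and is not something any poster supplied. It uses only what the log excerpt shows (the PID file /var/run/snort_<iface>.pid and the fatal-error message). The interface name, the system log path, and the restart command are labelled assumptions: RESTART_CMD is a deliberate placeholder that you must replace with whatever your pfSense version uses to start the Snort package.

```shell
#!/bin/sh
# Boot-time Snort health check for pfSense (added example; not pfSense's own
# startup code and not from this thread). Paths follow the thread's log
# excerpt: the PID file /var/run/snort_<iface>.pid and the lock error text.
# ASSUMPTIONS: SNORT_IFACE, SYSLOG and RESTART_CMD are placeholders you must
# set for your box; RESTART_CMD is intentionally a harmless echo.

SNORT_IFACE="${SNORT_IFACE:-em0}"                       # assumption: interface from the thread's boot log
PIDFILE="${PIDFILE:-/var/run/snort_${SNORT_IFACE}.pid}"
SYSLOG="${SYSLOG:-/var/log/system.log}"                 # assumption: where syslog writes on your box
RESTART_CMD="${RESTART_CMD:-echo PLACEHOLDER: restart snort here}"

# Returns 0 (true) when the PID file is missing, empty, or names a process
# that is no longer alive, i.e. a stale lock left behind by a failed start.
# Returns 1 when the recorded PID is still running.
snort_pidfile_stale() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 0
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] && [ "$pid" -gt 0 ] || return 0
    kill -0 "$pid" 2>/dev/null && return 1
    return 0
}

# Counts distinct Snort processes that logged the PID-lock fatal error.
# Matches are de-duplicated by process id because, as in the thread's
# excerpt, the system log can carry every Snort message twice.
snort_lock_failures() {
    grep 'FATAL ERROR: Failed to Lock PID File' "$1" 2>/dev/null \
        | grep -o 'snort\[[0-9]*\]' | sort -u | wc -l | tr -d ' '
}

# Writes a CONSTRUCTED sample log (lines copied from the thread's boot log)
# to the given path so the functions can be exercised offline.
make_sample_log() {
    cat > "$1" <<'EOF'
Oct 10 22:12:16 snort[1043]: PID path stat checked out ok, PID path set to /var/run/
Oct 10 22:12:16 snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
Oct 10 22:12:16 snort[1043]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_em0.pid" for PID "1043"
Oct 10 22:12:17 snort[1042]: Child exited unexpectedly
Oct 10 22:12:17 snort[1042]: Daemon parent exiting
EOF
}

# The check itself: report, clear a stale lock, and hand off to RESTART_CMD.
snort_boot_check() {
    failures=$(snort_lock_failures "$SYSLOG")
    if snort_pidfile_stale "$PIDFILE"; then
        echo "snort on $SNORT_IFACE is not running; $failures PID-lock failure(s) found in $SYSLOG"
        rm -f "$PIDFILE"            # only removed after confirming the owner is dead
        $RESTART_CMD
    else
        echo "snort on $SNORT_IFACE is running (pid $(cat "$PIDFILE"))"
    fi
}

# Run the check only when invoked as: sh snort_boot_check.sh --run
if [ "${1:-}" = "--run" ]; then
    snort_boot_check
fi
```

    Two things to check before wiring this into a boot script. First, jochen123's log names the PID file after the interface, and that name changed from snort_em0.pid at boot to snort_em2.pid after Save, so set SNORT_IFACE to whatever your own log shows Snort actually binding to. Second, the script deletes the PID file only when kill -0 confirms the recorded process is gone; a lock whose owner is alive is left alone, because removing it would let a second Snort instance start on the same interface.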



  • Thanks for all of the information, Guys!

    My problem was "solved" by a post above, I think.  I had the same errors of "can't find the directory".  Once I clicked "save" on the initial snort config screen that went away.  The service now shows as running under services - it didn't before.

    But, I'm not sure everything is working and not familiar enough with pfSense, Snort and imspector to know how to check.  Here's what's happening now -
    Snort is showing as running but if I click to view alerts, under services -> snort, it's completely blank.  I'm pretty sure that snort would be seeing things happen on the external port all through the day but nothing is showing.  I also have Imspector loaded and configured via services -> Imspector to monitor all 4 chat clients.  I have tested with IRC and Windows Messenger yet the Imspector logs are completely blank.

    Where should I start troubleshooting?

    TIA,

    Doug



  • hi folks!

    hitting save also solved the snort problem here

    but imspector refuses to work

    i am using pfsense as a transparent bridge only, with traffic on wan and opt1

    has anyone yet found a solution?

    regards

    cc

