Cant start snort 2.9.6.2 pkg v3.1.1 x86 - FATAL ERROR: pf.conf => Table snort2c



  • Hi,

    i have instaled snort and it can start because:

    php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 38552 -D -q -l /var/log/snort/snort_bge038552 –pid-path /var/run --nolock-pidfile -G 38552 -c /usr/pbi/snort-i386/etc/snort/snort_38552_bge0/snort.conf -i bge0' returned exit code '1', the output was ''

    FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter: No such file or directory

    next i totaly reinstaled, new intaled snort, againt configure, but without any luck. Can you pleas navigate me, how to resolve this problem?

    Thx, Marian.

    PS: sorry for my bad english

    pfsense v2.1.4 i386, 2G RAM AMD HP N54L

    edit: when i disable "Block Offenders" snort will start....



  • @marian78:

    FATAL ERROR: pf.conf => Table snort2c don't exists in packet filter: No such file or directory

    pfsense v2.1.4 i386, 2G RAM AMD HP N54L

    That error indicates some kind of messed up installation of pfSense.  That table is part of the firewall rules by default on pfSense installs.  Did you perhaps remove it somehow?  This is not a Snort package problem, but rather something has happened to your core firewall config.  Snort needs that table present in order to block offender IP addresses.

    Bill



  • hi, thx for answer.

    i have standard i386 instalation with pfblocker, ntopng, arpwatch, servicewatchdog, squid3-dev (with SSL, transparent, enabled c-icap), openvpnclient, traficshaping, enabled ssh. That is all, no cli modding….  :(

    i have instaled only 2GB ram, is it enough? may be the cause of memory..... or?


  • Moderator

    From the shell, you could try to manually create this missing table.

    pfctl -t snort2c -T add 1.1.1.1

    This will create the table and add a dummy 1.1.1.1 ip address. You could clear this ip later if you wish.



  • hi, again thx for reply sir.

    now I'm at work when I get home, I'll try.  :)



  • @marian78:

    hi, again thx for reply sir.

    now I'm at work when I get home, I'll try.  :)

    BBcan177's fix should work, but the bigger question is what happened to that table to begin with.  That table is part of the default install with pfSense.  It should exist whether the Snort package is installed or not.

    Bill



  • Tt is a new installation from yesterday.
    when I last configured squid3dev as transparent SSL proxy server, I noticed that I can not run snort..  :'(

    i dont know what happend, i only use pfsense UI….



  • @marian78:

    Tt is a new installation from yesterday.
    when I last configured squid3dev as transparent SSL proxy server, I noticed that I can not run snort..  :'(

    i dont know what happend, i only use pfsense UI….

    Hmm…wonder if the squid3dev package makes any adjustments to default pfSense tables...???

    This is the first time I've seen this particular error reported.

    Bill



  • @BBcan177:

    From the shell, you could try to manually create this missing table.

    pfctl -t snort2c -T add 1.1.1.1

    This will create the table and add a dummy 1.1.1.1 ip address. You could clear this ip later if you wish.

    Hi man (genius), this helped. i will send 4 beers and 2 strippers to your working table. Thx.  ;D  But after reboot i have this problem again.  :'(



  • @marian78:

    @BBcan177:

    From the shell, you could try to manually create this missing table.

    pfctl -t snort2c -T add 1.1.1.1

    This will create the table and add a dummy 1.1.1.1 ip address. You could clear this ip later if you wish.

    Hi man (genius), this helped. i will send 4 beers and 2 strippers to your working table. Thx.  ;D  But after reboot i have this problem again.  :'(

    Yes…something has altered your default pfSense startup scripts in some manner.  That <snort2c>table is supposed to be auto-created on pfSense boot up.  Is there any way you could backup your config and reinstall pfSense on that box?  That should fix the problem with the default table being missing.

    Bill</snort2c>



  • hi,

    i played with all settings and i examine, that for now all problem are from "traffic shaper". When i delete all rules for shaper, all works ok and after reboot too. Strange…  :o

    For now i will stay without "traffic shaper". Is not important to me.



  • @marian78:

    hi,

    i played with all settings and i examine, that for now all problem are from "traffic shaper". When i delete all rules for shaper, all works ok and after reboot too. Strange…  :o

    For now i will stay without "traffic shaper". Is not important to me.

    That's an interesting discovery.  The traffic shaper might be changing some of the filter defaults when it's enabled.  Thank you for the feedback.  I might need to discuss this offline with the pfSense guys to see what's up and if there is something I need to do in the Snort and Suricata packages to compensate.

    Bill



  • thx, sir, i stay tuned….  ;)

    edit: i attached instaled packages...




  • Glanced over the thread, so I might have missed something.

    Maybe you run into this: https://forum.pfsense.org/index.php?topic=70107.msg383032#msg383032



  • hi, for now i dont use traffic shaping, maybe that was the problem, i have table also corupted….



  • Also found that if the bandwidths are set incorrectly on the traffic shaping,i.e 400Mb/s instead of 80Mb/s it causes the tables to disappear?changing the value re-instates the sshlockout and default lockouts w/o rebooting.
    The snort2c table may have to be manually recreated after this as per above post.


Log in to reply