Snort 2.9.7.0 upgrade & install fails on pfSense 2.2



  • I just upgraded to pfSense 2.2 and thought I should upgrade my packages too, including Snort. The upgrade failed, so I rebooted and tried a new install of the package which fails too with the following error. I'm running on a Netgate FW-7541 rack mount appliance with an SSD and lots of free disk space. The earlier version of Snort was running fine on pfSense 2.2.

    I don't know what the "Out of file descriptors" error means.

    Beginning package installation for snort .
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies... 
    Checking for package installation... 
     Downloading https://files.pfsense.org/packages/8/All/snort-2.9.7.0-i386.pbi ...  (extracting)
     Out of file descriptors
    of snort-2.9.7.0-i386 failed!
    
    Installation aborted.Removing package...
    Starting package deletion for snort-2.9.7.0-i386...done.
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file snort.inc could not be found for inclusion.
    Deinstall commands... 
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    done.
    Failed to install package.
    
    Installation halted.
    


  • I just tried upgrading my other packages like nmap too and got the same error, "Out of file descriptors".  That tells me the problem is very likely not the package itself (snort or nap), but something else.

    Any thoughts on what the issue is?




  • Moderator

    @snak-pak:

    I don't know what the "Out of file descriptors" error means.

    
     Downloading https://files.pfsense.org/packages/8/All/snort-2.9.7.0-i386.pbi ...  (extracting)
    
     Out of file descriptors
    
     snort-2.9.7.0-i386 failed!
    
    

    I would suggest a reboot and see if it clears that issue up…

    There was a similar bug :
    https://redmine.pfsense.org/issues/3749



  • @BBcan177:

    I would suggest a reboot and see if it clears that issue up…

    There was a similar bug :
    https://redmine.pfsense.org/issues/3749

    Thanks for the link, I got it working now and think the issues are related to the above bug.

    After upgrading to pfSense 2.2, waiting for the automatic reboot, and then rebooting a couple more times just to be safe I noticed that the dashboard indicated uptime was still 137 days. Weird. The system must not have rebooted properly after the OS upgrade, and additionally the reboot command from the pfSense menu must not be working correctly either. My system is rack mount so I rarely visit the box…. I halted the system, pulled the power and then restarted. Now all is well again and I can install packages including snort and nap.

    Kelly



  • Did you use a watchdog for snort?  I uninstalled that too and rebooted.  I'm not sure if the reboot fixed it, or if the uninstall of the watchdog service and reboot fixed it.


  • Moderator

    @wiz561:

    Did you use a watchdog for snort?  I uninstalled that too and rebooted.  I'm not sure if the reboot fixed it, or if the uninstall of the watchdog service and reboot fixed it.

    I don't think the watchguard service is compatible with snort/suricata. If you have multiple interfaces it will restart them all. I also think it might try to restart the interfaces during "updates" of rules potentially causing duplicate pids.



  • @BBcan177:

    @wiz561:

    Did you use a watchdog for snort?  I uninstalled that too and rebooted.  I'm not sure if the reboot fixed it, or if the uninstall of the watchdog service and reboot fixed it.

    I don't think the watchguard service is compatible with snort/suricata. If you have multiple interfaces it will restart them all. I also think it might try to restart the interfaces during "updates" of rules potentially causing duplicate pids.

    BBcan177 is correct.  Snort and Suricata do not play well with the Service Watchdog package at this time.  I have been considering some other options within the two packages themselves to provide the same heartbeat checkup as the Service Watchdog package.

    Bill


Log in to reply