SNORT - Package does not install - Starting Snort using rebuilt configuration…
-
2.2-RELEASE (amd64)
built on Thu Jan 22 14:05:03 CST 2015
FreeBSD 10.1-RELEASE-p4
Hardware is FW-7541 from Netgate (Atom D25 Dual Core) with 4GB RAM and 120GB SSD.
Installed pfSense update and during the package re-installation it never completed. Went to Backup/Restore and released the package hold.
Noticed that Snort was no longer in the Services menu, went to manually remove and re-install package. The package installation hangs on the following step: Starting Snort using rebuilt configuration… Please wait while Snort is started...
Logs show that Snort starts on the two interfaces (WAN and LAN) after about 13 minutes each. I left the install running overnight and the package installation sticks at the same spot.
I have since repeated the steps numerous times with the same result. How do I manually remove the old configuration so that it installs a fresh package? Can this config be saved?
Logs below:
Feb 26 17:26:26 php-fpm[90004]: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
Feb 26 17:26:26 SnortStartup[78973]: Snort START for WAN(62541_em5)…
Feb 26 17:38:21 SnortStartup[24977]: Snort START for LAN(636_em4)…
Feb 26 17:38:21 kernel: em5: promiscuous mode enabled
Feb 26 17:50:26 kernel: em4: promiscuous mode enabled
Feb 26 18:05:13 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date…
Feb 26 18:05:13 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
Feb 26 18:05:17 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
Feb 26 18:05:21 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
Feb 26 18:05:37 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
Feb 26 18:05:39 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
Feb 26 18:05:44 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
Feb 26 18:06:01 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
Feb 26 18:06:03 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
Feb 26 18:06:08 php: snort_check_for_rule_updates.php: [Snort] Snort STOP for WAN(em5)…
Feb 26 18:06:09 snort[24420]: *** Caught Term-Signal
Feb 26 18:06:09 kernel: em5: promiscuous mode disabled
Feb 26 18:06:11 php: snort_check_for_rule_updates.php: [Snort] Snort STOP for LAN(em4)…
Feb 26 18:06:12 snort[3712]: *** Caught Term-Signal
Feb 26 18:06:12 kernel: em4: promiscuous mode disabled
Feb 26 18:06:15 php: snort_check_for_rule_updates.php: [Snort] Snort START for WAN(em5)…
Feb 26 18:06:15 php: snort_check_for_rule_updates.php: [Snort] Snort START for LAN(em4)…
Feb 26 18:06:18 php: snort_check_for_rule_updates.php: [Snort] Snort has restarted with your new set of rules…
Feb 26 18:06:19 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Feb 26 18:06:19 check_reload_status: Syncing firewall
Feb 26 18:19:51 kernel: em4: promiscuous mode enabled
Feb 26 18:19:53 kernel: em5: promiscuous mode enabled
Feb 27 00:05:11 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date…
Feb 27 00:05:11 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
Feb 27 00:05:11 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Feb 27 00:05:12 check_reload_status: Syncing firewall
Feb 27 06:05:07 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date…
Feb 27 06:05:08 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
Feb 27 06:05:08 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Feb 27 06:05:08 check_reload_status: Syncing firewall
-
Try this. Go to the System > Packages > Installed Packages screen and click the XML icon beside the Snort entry. That will reinstall the GUI components.
See if that puts the entry back under SERVICES.
If not, run this command for me from the firewall console:
php /usr/local/pkg/snort/snort_post_install.php
Post back if that command produces any kind of error message.
Bill
-
I have tried the GUI install previously with the same end result. I will try it again now in the interest of completeness, so that I can document the logs this time.
I will try the php command after and report back.
Thank you for your assistance.
-
Same result, "Please wait while Snort is started… " with both methods.
The interfaces are started, but don't finish for 30 minutes or so, and the install never completes. If Snort is already running, this process stops the interfaces and then restarts them, and hangs.
It seems like it never detects that the interfaces have started...
UPDATE: From the command prompt, I did actually receive one additional message - "Snort has been started using the rebuilt configuration..."
However, the GUI components are still not present, via the Services menu or Status -> Services.
-
Hmm…that is strange. Snort has a post-install hook function that is called by the pfSense package manager system. The post-install function reads any saved configuration and recreates the snort.conf runtime files and then starts all configured Snort interfaces. After that completes, it returns control to the pfSense package manager which then does the final steps of package installation. One of those final steps is adding the information to the config.xml file that in turn creates the menu entry under SERVICES.
Based on the information you saw when running the post-install code manually, it appears the Snort package parts and pieces are completing successfully, but the final part of package manager is not creating the menu entry.
You can manually create the entry by editing the config.xml file as follows:
Go to DIAGNOSTICS > EDIT FILE and open the file /conf/config.xml
Scroll down in the file and find the section for <installedpackages> and make sure it contains a Snort section like the one below:
```xml
<installedpackages>
  <menu>
    <name>Snort</name>
    <tooltiptext>Set up snort specific settings</tooltiptext>
    <section>Services</section>
    <url>/snort/snort_interfaces.php</url>
  </menu>
</installedpackages>
```
Note there may be additional menu choices in your configuration. It depends on which additional packages you have installed. Paste in the Snort section if it is missing and save the file. The Snort section I am talking about is between the <menu> and </menu> tags. Be careful not to mess up the XML syntax. If you do, you can kill pfSense. If you are not experienced reading and editing XML files, I recommend you do NOT try this fix. Make a configuration backup before you attempt the fix.
**Edit:** if you have a Support Contract with your Netgate device, you can contact them for help getting the package installation to complete.
Bill
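As an added example (not part of this thread, and not code from the pfSense or Snort package), the script below does the config.xml check Bill describes in a way that cannot produce the broken-XML outcome he warns about: it parses the file, looks for a Snort entry under <installedpackages>, and inserts one only if it is missing, so the result is always well-formed or nothing is written. The sample config is constructed for the example; the <section> tag name and the hypothetical second package entry are assumptions.

```python
"""Check a pfSense config.xml for the Snort Services menu entry and add it if missing.

Added example, not from the forum thread or the pfSense/Snort package. Works on
a constructed sample config rather than a live /conf/config.xml. The entry
layout (<name>, <tooltiptext>, <section>, <url>) follows the entry quoted in
the thread; the <section> tag name is an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample: <installedpackages> holds one menu entry for a
# hypothetical package, so the Snort entry is absent.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <menu>
      <name>Example Package</name>
      <tooltiptext>Hypothetical entry for the example</tooltiptext>
      <section>Services</section>
      <url>/pkg_edit.php?xml=example.xml</url>
    </menu>
  </installedpackages>
</pfsense>
"""

# The Snort menu entry as quoted in the thread (tag name <section> assumed).
SNORT_MENU = {
    "name": "Snort",
    "tooltiptext": "Set up snort specific settings",
    "section": "Services",
    "url": "/snort/snort_interfaces.php",
}


def is_well_formed(config_text):
    """True if the XML parses. Run this on the edited text before writing it back."""
    try:
        ET.fromstring(config_text)
        return True
    except ET.ParseError:
        return False


def find_menu_entries(root, name):
    """Return the <menu> elements under <installedpackages> whose <name> equals name."""
    pkgs = root.find("installedpackages")
    if pkgs is None:
        return []
    return [m for m in pkgs.findall("menu")
            if (m.findtext("name") or "").strip() == name]


def count_menu_entries(config_text, name):
    """Number of menu entries for name in a config.xml string (0 if it is malformed)."""
    if not is_well_formed(config_text):
        return 0
    return len(find_menu_entries(ET.fromstring(config_text), name))


def ensure_snort_menu(config_text):
    """Return (config_text, added). Adds the Snort menu entry only when it is absent.

    Raises ET.ParseError on malformed input so a damaged file is never rewritten.
    """
    root = ET.fromstring(config_text)
    if find_menu_entries(root, SNORT_MENU["name"]):
        return config_text, False          # already present, nothing to do
    pkgs = root.find("installedpackages")
    if pkgs is None:
        pkgs = ET.SubElement(root, "installedpackages")
    menu = ET.SubElement(pkgs, "menu")
    for tag, text in SNORT_MENU.items():
        ET.SubElement(menu, tag).text = text
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    fixed, added = ensure_snort_menu(SAMPLE_CONFIG)
    print("added Snort menu entry:", added)
    print("Snort entries now:", count_menu_entries(fixed, "Snort"))
```

Usage note: on a real firewall you would read /conf/config.xml (after taking the backup Bill recommends), pass its contents to ensure_snort_menu, and write the result back only when added is True and is_well_formed confirms it; the serialized output is not re-indented, which pfSense does not require.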
-
Bill,
That has made it possible for me to configure SNORT again. Snort is still missing from Status -> Services. Do you happen to have a handy reference for the config.xml changes to resolve that?
Thanks,
Sean
UPDATE: I changed the Performance mode to AC-BFNA and now the interfaces start in 30 seconds. I used the GUI re-install now and it has fully restored everything back to normal now. Thanks again for your assistance.
-
Ah…your Snort process was probably running out of memory and/or using swap and getting super slow. Any Performance Mode other than AC-BFNA or AC-BFNA-NQ is a problem it seems. Lots of folks have reported issues when changing it to something else. Most of the other settings will eat memory like crazy, especially with lots of enabled rules.
Bill