Netgate Discussion Forum

    Unable to install Snort

    • Evad

      Trying to install snort. After a reboot select Snort, Confirm install

      I get:

      "Beginning package installation for snort .
      Downloading package configuration file… done.
      Saving updated package information... done.
      Downloading snort and its dependencies...
      Checking for package installation... "

      I have waited over 30 minutes.. nothing more happens.

      Under installed packages I have "Version 2.9.7.2 pkg v3.2.4"
      Obviously not really installed.
      I can either: reboot and then uninstall or uninstall then reboot
      I get:

      "Removing package...
      Starting package deletion for snort-2.9.7.2-i386...done.
      Removing snort components...
      Menu items... done.
      Services... done.
      Loading package instructions...
      Include file snort.inc could not be found for inclusion.
      Deinstall commands...
      Not executing custom deinstall hook because an include is missing.
      Removing package instructions...done.
      Auxiliary files... done.
      Package XML... done.
      Configuration... done.
      done.

      Package deleted."

      Try again to install the package and get the same result.


      NOW IF I DO NOT reboot after the first failed install and then uninstall snort (I get the same deinstall as above)

      Then try to install again I get farther along. It downloads the package - Goes through the percentage count.

      "Beginning package installation for snort .
      Downloading package configuration file... done.
      Saving updated package information... done.
      Downloading snort and its dependencies...
      Checking for package installation...
      Downloading https://files.pfsense.org/packages/10/All/snort-2.9.7.2-i386.pbi ...  (extracting)"

      But it stops here -- have waited over 30 minutes and still nothing more happens. Obviously not installed.

      I have repeated this process several times with various steps using reboots and not rebooting. The results seem to be repeatable.

      System is a Checkpoint U10 running full 2.2-RELEASE (i386)
      Has 1 gb of ram and 40gb hard disk
      Memory usage was 9% of 982mb
      Disk usage was (ufs): 1% of 28G and (ufs in RAM): 3% of 3.4M

      Is the package just broke?
      Any Ideas?

      • bmeeks

        No, the package is not broken and it works fine for the vast majority of users, especially on plain vanilla hardware with full installs on a hard disk.  Installs on a Nano-based system can sometimes be problematic, but you said you had a full install.  It should work on your system.

        Your description of it seeming to hang during extraction of the PBI indicates something is happening before the Snort package code even gets started executing.  The very first thing that happens is the pfSense Package Manager downloads the PBI (that's like a big ZIP file with all the binary parts and pieces) and then expands it to install the binary parts and pieces in the /usr/pbi/snort-i386 directory tree (it will create that directory).  Do you see any messages in your system log that may give some more clues?

        Bill

        • Evad

          Bill,
          Sorry for the tone .. just a bit flustered…

          This really is a cool system....

          No ... nothing more in the log than 
          Apr 1 12:16:22 php-fpm[8828]: /pkg_mgr_install.php: Beginning package installation for snort .

          However based on your feedback I reset to factory defaults and reloaded my config.
          This time I got much farther..

          Apr 1 18:07:47 php-fpm[8828]: /pkg_mgr_install.php: Successfully installed package: snort.
          Apr 1 18:07:47 check_reload_status: Syncing firewall
          Apr 1 18:07:47 php-fpm[8828]: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
          Apr 1 18:07:47 check_reload_status: Syncing firewall
          Apr 1 18:06:30 check_reload_status: Syncing firewall
          Apr 1 18:06:29 php-fpm[8828]: /pkg_mgr_install.php: Beginning package installation for snort .

          However no Snort GUI under services…  Yes I waited for it to complete and stayed on the page... but again after 30 minutes I gave up.

          After some more reading I decided to try 'Reinstall Snort's GUI components'
          Ah... success ... Now I have the GUI..... in services
          and configured a LAN interface,  used the Snort VRT free Registered User rules.
          That interface  started ok.

          I configured a WAN interface the same way but I get an error when it is started

          Apr 1 19:27:11 php-fpm[80545]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-i386/bin/snort -R 61288 -D -q --suppress-config-log -l /var/log/snort/snort_em161288 --pid-path /var/run --nolock-pidfile -G 61288 -c /usr/pbi/snort-i386/etc/snort/snort_61288_em1/snort.conf -i em1' returned exit code '1', the output was ''
          Apr 1 19:27:11 snort[9610]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules(904) Unknown rule option: 'stream_size

          I cannot find rule 904 in the list.

          Any Ideas?

          • Evad

            Bill,
            After a total reinstall of pfSense from scratch … Snort installed like above .. Failed first time and installed on second try but no GUI... Ran the 'Reinstall Snort's GUI components' to get the GUI. Created a LAN interface and then made a WAN  'Add new interface mapping based on this one'
            Now it works .... no errors so far.....

            Thanks....

            • bmeeks

              @Evad:

              Bill,
              After a total reinstall of pfSense from scratch … Snort installed like above .. Failed first time and installed on second try but no GUI... Ran the 'Reinstall Snort's GUI components' to get the GUI. Created a LAN interface and then made a WAN  'Add new interface mapping based on this one'
              Now it works .... no errors so far.....

              Thanks....

              Glad it's working for you now, but it should not have been that much trouble to install.  Something is up somewhere and I just need to find what it is.

              As for your failure to start error with this message:

              
               snort[9610]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules(904) Unknown rule option: 'stream_size
              
              

              That indicates a needed preprocessor was not enabled.  Most likely it was the Stream5 preprocessor.  Don't know why that would be.  It is enabled by default.  The particular rule containing that rule option is on line 904 (that's what the 904 represents) in the file /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules.  Open that file in a text editor and go to line 904 to find the rule that generated the error.

              Bill
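
The lookup described in the post above, as an added example that is not part of the thread or of the pfSense Snort package: a small sh script that parses the file and line number out of a Snort FATAL ERROR message, prints the rule on that line, and checks whether the interface's snort.conf has an uncommented Stream5 preprocessor line. The function names and the sample rule, config and log message are constructed for illustration; on the firewall you would pass the real log message and the snort.conf path shown in it.

```shell
#!/bin/sh
# Added example (not from the thread): find the rule behind a Snort
# "FATAL ERROR: <file>(<line>)" message and check Stream5 in snort.conf.

# Print "<file> <line>" parsed from a Snort FATAL ERROR log message.
parse_fatal() {
    printf '%s\n' "$1" |
        sed -n 's|.*FATAL ERROR: \(/[^ (]*\)(\([0-9][0-9]*\)).*|\1 \2|p'
}

# Print line number $2 of rules file $1.
rule_at() {
    sed -n "${2}p" "$1"
}

# Succeed if snort.conf $1 has an uncommented "preprocessor stream5_*" line.
stream5_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+stream5_' "$1"
}

# $1 = log message, $2 = path to that interface's snort.conf.
diagnose() {
    loc=$(parse_fatal "$1")
    [ -n "$loc" ] || { echo "no FATAL ERROR location in message" >&2; return 1; }
    file=${loc% *}
    line=${loc##* }
    echo "file: $file"
    echo "line $line: $(rule_at "$file" "$line")"
    if stream5_enabled "$2"; then
        echo "stream5: enabled"
    else
        echo "stream5: NOT enabled in $2"
    fi
}

# Constructed sample so the script runs offline: a 3-line rules file whose
# third line uses stream_size, and a snort.conf with Stream5 commented out.
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample rules' '# (not real VRT rules)' \
    'alert tcp any any -> any 22 (msg:"constructed sample"; stream_size:client,<,6; sid:1000001; rev:1;)' \
    > "$tmp/snort.rules"
printf '%s\n' '# preprocessor stream5_global: track_tcp yes' > "$tmp/snort.conf"
diagnose "snort[9610]: FATAL ERROR: $tmp/snort.rules(3) Unknown rule option: 'stream_size" "$tmp/snort.conf"
rm -rf "$tmp"
```
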

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.