Unable to install Snort



  • Trying to install snort. After a reboot select Snort, Confirm install

    I get:

    "Beginning package installation for snort .
    Downloading package configuration file… done.
    Saving updated package information... done.
    Downloading snort and its dependencies...
    Checking for package installation... "

    I have waited over 30 minutes.. nothing more happens.

    Under installed packages I have "Version 2.9.7.2 pkg v3.2.4"
    Obviously not really installed.
    I can either: reboot and then uninstall or uninstall then reboot
    I get:

    "Removing package...
    Starting package deletion for snort-2.9.7.2-i386...done.
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file snort.inc could not be found for inclusion.
    Deinstall commands...
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    done.

    Package deleted."

    Try again to install the package and get the same result.


    NOW IF I DO NOT reboot after the first failed install and then uninstall snort (I get the same deinstall as above)

    Then try to install again I get farther along. It downloads the package - Goes through the percentage count.

    "Beginning package installation for snort .
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies...
    Checking for package installation...
    Downloading https://files.pfsense.org/packages/10/All/snort-2.9.7.2-i386.pbi ...  (extracting)"

    But it stops here -- have waited over 30 minutes and still nothing more happens. Obviously not installed.

    I have repeated this process several times with various steps using reboots and not rebooting. The results seem to be repeatable.

    System is a Checkpoint U10 running full 2.2-RELEASE (i386)
    Has 1 gb of ram and 40gb hard disk
    Memory usage was 9% of 982mb
    Disk usage was (ufs): 1% of 28G and (ufs in RAM): 3% of 3.4M

    Is the package just broken?
    Any Ideas?



  • No, the package is not broken and it works fine for the vast majority of users, especially on plain vanilla hardware with full installs on a hard disk.  Installs on a Nano-based system can sometimes be problematic, but you said you had a full install.  It should work on your system.

    Your description of it seeming to hang during extraction of the PBI indicates something is happening before the Snort package code even gets started executing.  The very first thing that happens is the pfSense Package Manager downloads the PBI (that's like a big ZIP file with all the binary parts and pieces) and then expands it to install the binary parts and pieces in the /usr/pbi/snort-i386 directory tree (it will create that directory).  Do you see any messages in your system log that may give some more clues?

    Bill



  • Bill,
    Sorry for the tone .. just a bit flustered…

    This really is a cool system....

    No ... nothing more in the log than 
    Apr 1 12:16:22 php-fpm[8828]: /pkg_mgr_install.php: Beginning package installation for snort .

    However based on your feedback I reset to factory defaults and reloaded my config.
    This time I got much farther..

    Apr 1 18:07:47 php-fpm[8828]: /pkg_mgr_install.php: Successfully installed package: snort.
    Apr 1 18:07:47 check_reload_status: Syncing firewall
    Apr 1 18:07:47 php-fpm[8828]: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
    Apr 1 18:07:47 check_reload_status: Syncing firewall
    Apr 1 18:06:30 check_reload_status: Syncing firewall
    Apr 1 18:06:29 php-fpm[8828]: /pkg_mgr_install.php: Beginning package installation for snort .

    However no Snort GUI under services…  Yes I waited for it to complete and stayed on the page... but again after 30 minutes I gave up.

    After some more reading I decided to try 'Reinstall Snort's GUI components'
    Ah... success ... Now I have the GUI..... in services
    and configured a LAN interface,  used the Snort VRT free Registered User rules.
    That interface  started ok.

    I configured a WAN interface the same way but I get an error when it is started

    Apr 1 19:27:11 php-fpm[80545]: /snort/snort_interfaces.php: The command '/usr/pbi/snort-i386/bin/snort -R 61288 -D -q --suppress-config-log -l /var/log/snort/snort_em161288 --pid-path /var/run --nolock-pidfile -G 61288 -c /usr/pbi/snort-i386/etc/snort/snort_61288_em1/snort.conf -i em1' returned exit code '1', the output was ''
    Apr 1 19:27:11 snort[9610]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules(904) Unknown rule option: 'stream_size

    I cannot find rule 904 in the list.

    Any Ideas?



  • Bill,
    After a total reinstall of pfSense from scratch … Snort installed like above .. Failed first time and installed on second try but no GUI... Ran the 'Reinstall Snort's GUI components' to get the GUI. Created a LAN interface and then made a WAN  'Add new interface mapping based on this one'
    Now it works .... no errors so far.....

    Thanks....



  • @Evad:

    Bill,
    After a total reinstall of pfSense from scratch … Snort installed like above .. Failed first time and installed on second try but no GUI... Ran the 'Reinstall Snort's GUI components' to get the GUI. Created a LAN interface and then made a WAN  'Add new interface mapping based on this one'
    Now it works .... no errors so far.....

    Thanks....

    Glad it's working for you now, but it should not have been that much trouble to install.  Something is up somewhere and I just need to find what it is.

    As for your failure to start error with this message:

    
     snort[9610]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules(904) Unknown rule option: 'stream_size
    
    

    That indicates a needed preprocessor was not enabled.  Most likely it was the Stream5 preprocessor.  Don't know why that would be.  It is enabled by default.  The particular rule containing that rule option is on line 904 (that's what the 904 represents) in the file /usr/pbi/snort-i386/etc/snort/snort_61288_em1/rules/snort.rules.  Open that file in a text editor and go to line 904 to find the rule that generated the error.

    Bill
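
The check described in the reply above, as an added example that is not part of the original thread: it reads the rules file and line number out of the Snort `FATAL ERROR` message, prints that rule, and tests whether a Stream5 preprocessor line is active in the interface's `snort.conf`. The rules, `snort.conf` and log line are constructed samples, and the location of `snort.conf` one level above `rules/` is an assumption taken from the `-c` path in the logged command.

```shell
#!/bin/sh
# Added example: sample rules, snort.conf and log line below are constructed.

# "... FATAL ERROR: <rules file>(<line>) <message>"  ->  "<rules file>:<line>"
parse_fatal() {
    printf '%s\n' "$1" |
        sed -n 's#.*FATAL ERROR: \(/[^(]*\)(\([0-9][0-9]*\)).*#\1:\2#p'
}

# True when an uncommented Stream5 preprocessor line exists in snort.conf.
stream5_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+stream5_(global|tcp)' "$1"
}

# Print the offending rule; return 0 if Stream5 is enabled, 1 if not, 2 if unparsable.
diagnose() {
    loc=$(parse_fatal "$1")
    [ -n "$loc" ] || { echo "no FATAL ERROR location found"; return 2; }
    rules=${loc%:*}
    line=${loc##*:}
    # Assumption: snort.conf sits one level above rules/, as in the logged command.
    conf=$(dirname "$(dirname "$rules")")/snort.conf
    echo "line $line of $rules:"
    sed -n "${line}p" "$rules"
    if stream5_enabled "$conf"; then
        echo "Stream5 is enabled in $conf"
    else
        echo "Stream5 is NOT enabled in $conf"; return 1
    fi
}

# Build a constructed interface directory shaped like snort_61288_em1.
make_sample() {
    root=$(mktemp -d /tmp/snortdiag.XXXXXX) || return 1
    mkdir -p "$root/snort_61288_em1/rules"
    cat > "$root/snort_61288_em1/rules/snort.rules" <<'EOF'
alert icmp any any -> any any (msg:"constructed rule 1"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed rule 2"; stream_size:client,>,6; sid:1000002; rev:1;)
EOF
    echo '# preprocessor stream5_global: track_tcp yes' > "$root/snort_61288_em1/snort.conf"
    echo "$root"
}

sample=$(make_sample)
diagnose "Apr 1 19:27:11 snort[9610]: FATAL ERROR: $sample/snort_61288_em1/rules/snort.rules(2) Unknown rule option: 'stream_size" || true
rm -rf "$sample"
```

On a real system, pass `diagnose` the `FATAL ERROR` line copied from the system log instead of the constructed one.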

