Snort - Could not find the libsf_imap_prepoc file
-
Hi,
I am running pfSense 2.2.1 nanobsd (2g), and my challenge is that Snort version 2.9.7.2 pkg v3.2.4 stops running and cannot be started again after a rule set update.
The log states: Could not find the libsf_imap_prepoc file. Snort might mirror out.
When I uninstall Snort and install it again, it runs until the next rule update. I tried to remove all Snort configs before installing again, but it makes no difference. I have seen a similar error back in 2012 where Snort could not find its own config files, but this was fixed, and Snort had been running until pfSense update 2.2.1.
Any ideas?
Best Regards
Jan -
Hi,
I found the reason for Snort not starting and solved the problem.
I am running on a nano pfSense, and the standard size of the /tmp RAM drive is 40 MB. The Snort VRT rules require 52 MB at peak during unpacking (which I could measure with df -hi).
The way to fix it is to go to System -> Advanced -> Misc -> size of /tmp and give it 100 MB (if you have it).
Uninstall Snort, reinstall it, and everything works.
On another nano installation I had to log in to the shell, enable rw, and delete leftover Snort packages before I could install it again.
The above disk limitation can result in Snort not starting, Snort only starting on one interface, or Snort crashing after a rule update.
I suggest that the Snort package state that nano installations need at least a 100 MB /tmp drive for stable operation.
Best Regards
Jan -
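A pre-flight check for the situation Jan describes, written as an added example for this thread; it is not code from the thread, from pfSense, or from the Snort package. It measures how much room a rules tarball needs on /tmp (the downloaded archive, its unpacked contents, and a safety margin) and compares that with what `df` reports for the mount, so a too-small /tmp is caught before the unpack fails. The 25% margin, the sample archive, and the function names are assumptions of the example; it needs only POSIX sh, tar, df -P and awk, which are present on a pfSense/FreeBSD shell.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package.
# Checks whether a rules tarball can be unpacked on a small /tmp (Jan
# measured a 52 MB peak against a 40 MB NanoBSD /tmp). Requires POSIX sh,
# tar (GNU tar or bsdtar), df -P and awk.

# Bytes the archive's members occupy once extracted: stream every member to
# stdout (-O) and count. GNU tar and bsdtar both auto-detect gzip/bzip2 on read.
tarball_extracted_bytes() {
    tar -xOf "$1" | wc -c | tr -d ' '
}

# Free bytes on the filesystem holding PATH, taken from the POSIX df -P format
# (column 4 is "Available", in 1 KB blocks because of -k).
bytes_available() {
    df -Pk "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

# Space a rules update needs in /tmp: the downloaded archive itself, its
# unpacked contents, plus a margin (percent) for temporary files written while
# unpacking. The default of 25% is an assumption, not a figure from the thread.
bytes_needed() {   # bytes_needed TARBALL [MARGIN_PERCENT]
    archive=$(wc -c < "$1" | tr -d ' ')
    unpacked=$(tarball_extracted_bytes "$1")
    margin=${2:-25}
    echo $(( (archive + unpacked) * (100 + margin) / 100 ))
}

# Pure comparison, kept separate so the policy can be checked without a mount.
fits() {   # fits NEEDED_BYTES AVAILABLE_BYTES -> exit status 0 if it fits
    [ "$2" -ge "$1" ]
}

# Full check against a real mount point: prints a one-line report and returns
# 0 if the archive can be unpacked there, 1 otherwise.
tmp_can_hold() {   # tmp_can_hold TARBALL MOUNT
    needed=$(bytes_needed "$1")
    avail=$(bytes_available "$2")
    printf '%s: need %d KB, %d KB free on %s\n' \
        "$1" $((needed / 1024)) $((avail / 1024)) "$2"
    fits "$needed" "$avail"
}

# Constructed sample input: a 3.5 MiB "rules" tree packed into a gzip tarball,
# standing in for a VRT download. Prints the path of the archive it created.
make_sample_tarball() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    dd if=/dev/zero of="$d/rules/a.rules" bs=1024 count=1024 2>/dev/null   # 1 MiB
    dd if=/dev/zero of="$d/rules/b.rules" bs=1024 count=2048 2>/dev/null   # 2 MiB
    dd if=/dev/zero of="$d/rules/c.rules" bs=1024 count=512  2>/dev/null   # 512 KiB
    tar -czf "$d/snortrules-sample.tar.gz" -C "$d" rules
    echo "$d/snortrules-sample.tar.gz"
}

# Usage: sh check_tmp.sh --demo   (builds the sample archive and checks /tmp)
#        or call tmp_can_hold /tmp/snortrules-snapshot.tar.gz /tmp yourself.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tarball)
    tmp_can_hold "$t" /tmp
fi
```

Because the archive is first downloaded into /tmp and then unpacked beside itself, the check counts both; the unpacked size is read directly from the archive rather than guessed, so the same script works whatever size the next VRT tarball turns out to be.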
Thank you for this feedback. There are some other posts in the Package forum where the advice for Nano users is to bump up the size of /tmp (and possibly /var) because the default partition sizes are too small to download and unzip the ever larger rules tarballs. Unfortunately, today there is no mechanism within the pfSense Package Manager system for a package to specify prerequisites that must be satisfied in order for the package to be eligible for installation. Some example parameters that would be useful are installed RAM and free disk space on critical partitions.
As a general statement, Snort or Suricata on a NanoBSD install will require a lot of careful attention and quite possibly some customizations, such as the one you describe of increasing the default partition size for /tmp and also /var.
Bill