Snort not starting after upgrade to 3.2.6



  • Hi, I upgraded this morning the Snort package from 3.2.5 to 3.2.6 on my 2.2.3-RELEASE (amd64). I hit the Reinstall Snort package button in System: Package Manager, which took forever (guess it stuck for more than 10 minutes) at "blaaa, generating the configuration from saved something-something-something" << really sorry I didn't pay attention to that step. Figured had to try also the Reinstall Snort GUI components, which I did, leaving the previous page with the installation.

    Well… since then, no Snort for me anywhere:
    -no widget;
    -no service on the first page;
    -no Snort entry in the menu, under Services.

    Tried to reinstall it again to no avail... what can I do, what other info do you need to nail this down? Any commands I should run?

    Thanks!


  • Banned

    You made the mistake of leaving the install page before it finished.

    Delete the package. Reboot and reinstall from scratch. Report back.



  • I did exactly that after I posted, and had to leave - now, a few hours later, the new installation stopped at the same step too. I did uninstall the Snort package first. Also submitted a crash report that pfsense offered. What else can I do?

    Can someone offer some step-by-step instructions on how to clean uninstall and install Snort in such a case? This is a production machine and don't want to screw things further by deleting random stuff…

    Thanks for your interest in this!


  • Banned

    Try again after

    
    mount -o nosync /
    
    

    (If you reboot in between, you need to run the above again BEFORE trying to reinstall.)



  • Same problem here.

    Installation stops after "Generating configuration for WAN…"

    System log shows that snort is running and blocking IPs, so it seems to work.

    Reinstall of GUI doesn't help, either.



  • This is likely a bug. How can we make the developers aware of this thread? Is this confirmed by enough people, is two a crowd :) ? BTW have quite a "clean" firewall, pristine install of 2.2.0 upgraded to each version till 2.2.3, only openvpn, pfblockerng and snort packages.

    Did quite a few (complete) restarts of the machine in question, uninstalled/reinstalled the Snort package… now I tried to restore from the backup I made just before the upgrade. Snort was removed first. The firewall rebooted by itself as expected. Now I get the dreaded-never-going-away notification on every page (waited like an hour before I posted this), the one with the drive:

    Packages are currently being reinstalled in the background.
    Do not make changes in the GUI until this is complete.

    And my homepage widgets says:
    Warning: include(/usr/local/www/widgets/widgets/snort_alerts.widget.php): failed to open stream: No such file or directory in /usr/local/www/index.php on line 742 Warning: include(): Failed opening '/usr/local/www/widgets/widgets/snort_alerts.widget.php' for inclusion (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg') in /usr/local/www/index.php on line 742

    PS - somehow snort was in fact running the first time - just nowhere to be found in the interface.
    PPS - the system log tells me that everything is fine (or is it?):

    Jul 16 20:09:59	php: rc.bootup: [Snort] Building new sig-msg.map file for WAN...
    Jul 16 20:09:37	php: rc.bootup: [Snort] Enabling any flowbit-required rules for: WAN...
    Jul 16 20:00:39	php: rc.bootup: [Snort] Updating rules configuration for: WAN...
    Jul 16 20:00:38	kernel:
    Jul 16 20:00:35	kernel: Generating snort.conf configuration file from saved settings...
    Jul 16 20:00:35	check_reload_status: Syncing firewall
    Jul 16 20:00:33	php: rc.bootup: [Snort] The Rules update has finished.
    Jul 16 19:55:52	php: rc.bootup: [Snort] Emerging Threats Open rules file update downloaded successfully
    Jul 16 19:55:49	php: rc.bootup: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
    Jul 16 19:55:48	php: rc.bootup: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
    Jul 16 19:55:46	php: rc.bootup: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
    Jul 16 19:55:44	php: rc.bootup: [Snort] Snort VRT rules file update downloaded successfully
    Jul 16 19:54:17	php: rc.bootup: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2973.tar.gz...
    Jul 16 19:54:15	php: rc.bootup: [Snort] Downloading and updating configured rule types...
    Jul 16 19:54:15	php: rc.bootup: [Snort] Settings successfully migrated to new configuration format...
    Jul 16 19:54:15	php: rc.bootup: [Snort] Checking configuration settings version...
    Jul 16 19:54:15	php: rc.bootup: [Snort] Saved settings detected... rebuilding installation with saved settings...
    Jul 16 19:54:15	php: rc.bootup: [Snort] Removed 1 duplicate 'remove_blocked_hosts' cron task(s).
    Jul 16 19:54:15	kernel: Saved settings detected...
    Jul 16 19:54:15	check_reload_status: Syncing firewall
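
Added example, not part of the original posts: the log above is listed newest-first, which hides where the time actually goes. This Python script takes the `[Snort]` entries from that log (whitespace normalized), orders them chronologically and measures how long each stage ran before the next message appeared; the year constant is an assumption, since the log lines carry none.

```python
import re
from datetime import datetime

# [Snort] entries copied from the log in the post above (newest first, as posted).
SAMPLE_LOG = """\
Jul 16 20:09:59 php: rc.bootup: [Snort] Building new sig-msg.map file for WAN...
Jul 16 20:09:37 php: rc.bootup: [Snort] Enabling any flowbit-required rules for: WAN...
Jul 16 20:00:39 php: rc.bootup: [Snort] Updating rules configuration for: WAN...
Jul 16 20:00:33 php: rc.bootup: [Snort] The Rules update has finished.
Jul 16 19:55:52 php: rc.bootup: [Snort] Emerging Threats Open rules file update downloaded successfully
Jul 16 19:55:49 php: rc.bootup: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
Jul 16 19:55:48 php: rc.bootup: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
Jul 16 19:55:46 php: rc.bootup: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Jul 16 19:55:44 php: rc.bootup: [Snort] Snort VRT rules file update downloaded successfully
Jul 16 19:54:17 php: rc.bootup: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2973.tar.gz...
Jul 16 19:54:15 php: rc.bootup: [Snort] Downloading and updating configured rule types...
"""

# Timestamp, anything up to the [Snort] tag, then the message text.
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+.*?\[Snort\]\s+(.*)$")
ASSUMED_YEAR = 2000  # assumption: any fixed year works for same-day time deltas


def parse(log_text):
    """Return (timestamp, message) pairs for [Snort] lines, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return sorted(events, key=lambda e: e[0])


def stage_durations(events):
    """Seconds each stage lasted, i.e. the gap until the next [Snort] message."""
    return [(int((nxt[0] - cur[0]).total_seconds()), cur[1])
            for cur, nxt in zip(events, events[1:])]


def slowest(log_text):
    """The (seconds, message) pair with the longest gap before the next message."""
    return max(stage_durations(parse(log_text)), key=lambda d: d[0])


if __name__ == "__main__":
    for secs, msg in stage_durations(parse(SAMPLE_LOG)):
        print(f"{secs:5d}s  {msg}")
```

On this log the longest gap is 8 min 58 s, spent in "Updating rules configuration for: WAN...", followed by 4 min 41 s between the last rules download and "The Rules update has finished."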
    


  • As I am posting this (look at the forums time stamps) in about another half an hour the message disappeared. And everything seems fine! Still, can't believe this took THAT long on a server class machine (even if a bit older) a 4C Xeon, 4 GBs ECC and 2 RAID1 drives… So one must simply wait, after a restore. Longer than usual.

    Can I tell you a joke, here? I upgraded Fedora from 21 to 22 while reinstalling snort and I finished faster. And you know what? It also worked :D

    Thanks. I will post back if I run in other issues.



  • My issues with Snort (and freeradius and ntopng) are that they do not start after a reboot. I need to manually start all of these services even after installing the Watchdog service. If Snort does happen to start on its own, the interfaces do not come back up.


  • Banned

    Would never add Snort/Suricata to the Service Watchdog. That thing runs a cronjob every minute – not even remotely enough to start these things on slower HW.



  • @fakemoth:

    As I am posting this (look at the forums time stamps) in about another half an hour the message disappeared. And everything seems fine! Still, can't believe this took THAT long on a server class machine (even if a bit older) a 4C Xeon, 4 GBs ECC and 2 RAID1 drives… So one must simply wait, after a restore. Longer than usual.

    Can I tell you a joke, here? I upgraded Fedora from 21 to 22 while reinstalling snort and I finished faster. And you know what? It also worked :D

    Thanks. I will post back if I run in other issues.

    Are you by chance using a NanoBSD installation?  There is some issue with very slow transitions from read-only to read-write for partitions on CF with NanoBSD.  I don't have a Nano machine to test with.  I have seen other posts here about overall slowness with writing to Nano partitions of late.  This will make the Snort install take what seems like forever because it cycles the partition from read-only to read-write a time or two during the installation and subsequent start of Snort.

    Bill



  • Thumbs up!
    It took 9 (!) minutes from the last "Generating configuration for WAN…" message to the end of installation.
    And this was on a Virtual Machine on an i7-3770 CPU @ 3.40GHz Host!
    I can't remember it ever took THIS long (normally about 3-4 minutes at all!!!)

    So yes, it really installs but takes way too long!


  • Banned

    As noted above - try without sync. (Hopefully gone everywhere again with 2.2.4.)

