Netgate Discussion Forum

    Snort not starting after upgrade to 3.2.6

      fakemoth

      I did exactly that after I posted, and had to leave - now, a few hours later, the new installation stopped at the same step too. I did uninstall the Snort package first. Also submitted a crash report that pfsense offered. What else can I do?

      Can someone offer some step-by-step instructions on how to clean uninstall and install Snort in such a case? This is a production machine and don't want to screw things further by deleting random stuff…

      Thanks for your interest in this!

      Don't take the name of root in vain!

        doktornotor

        Try again after

        mount -o nosync /

        (If you reboot in between, you need to run the above again BEFORE trying to reinstall.)

          Mitterwald

          Same problem here.

          Installation stops after "Generating configuration for WAN…"

          System log shows that snort is running and blocking IPs, so it seems to work.

          Reinstall of GUI doesn't help, either.

            fakemoth

            This is likely a bug. How can we make the developers aware of this thread? Is this confirmed by enough people, is two a crowd :) ? BTW have quite a "clean" firewall, pristine install of 2.2.0 upgraded to each version till 2.2.3, only openvpn, pfblockerng and snort packages.

            Did quite a few (complete) restarts of the machine in question, uninstalled/reinstalled the Snort package… now I tried to restore from the backup I made just before the upgrade. Snort was removed first. The firewall rebooted by itself as expected. Now I get the dreaded-never-going-away notification on every page (waited like an hour before I posted this), the one with the drive:

            Packages are currently being reinstalled in the background.
            Do not make changes in the GUI until this is complete.

            And my homepage widgets says:
            Warning: include(/usr/local/www/widgets/widgets/snort_alerts.widget.php): failed to open stream: No such file or directory in /usr/local/www/index.php on line 742
            Warning: include(): Failed opening '/usr/local/www/widgets/widgets/snort_alerts.widget.php' for inclusion (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg') in /usr/local/www/index.php on line 742

            PS - somehow snort was in fact running the first time - just nowhere to be found in the interface.
            PPS - the system log tells me that everything is fine (or is it?):

            Jul 16 20:09:59	php: rc.bootup: [Snort] Building new sig-msg.map file for WAN...
            Jul 16 20:09:37	php: rc.bootup: [Snort] Enabling any flowbit-required rules for: WAN...
            Jul 16 20:00:39	php: rc.bootup: [Snort] Updating rules configuration for: WAN...
            Jul 16 20:00:38	kernel:
            Jul 16 20:00:35	kernel: Generating snort.conf configuration file from saved settings...
            Jul 16 20:00:35	check_reload_status: Syncing firewall
            Jul 16 20:00:33	php: rc.bootup: [Snort] The Rules update has finished.
            Jul 16 19:55:52	php: rc.bootup: [Snort] Emerging Threats Open rules file update downloaded successfully
            Jul 16 19:55:49	php: rc.bootup: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
            Jul 16 19:55:48	php: rc.bootup: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
            Jul 16 19:55:46	php: rc.bootup: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
            Jul 16 19:55:44	php: rc.bootup: [Snort] Snort VRT rules file update downloaded successfully
            Jul 16 19:54:17	php: rc.bootup: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2973.tar.gz...
            Jul 16 19:54:15	php: rc.bootup: [Snort] Downloading and updating configured rule types...
            Jul 16 19:54:15	php: rc.bootup: [Snort] Settings successfully migrated to new configuration format...
            Jul 16 19:54:15	php: rc.bootup: [Snort] Checking configuration settings version...
            Jul 16 19:54:15	php: rc.bootup: [Snort] Saved settings detected... rebuilding installation with saved settings...
            Jul 16 19:54:15	php: rc.bootup: [Snort] Removed 1 duplicate 'remove_blocked_hosts' cron task(s).
            Jul 16 19:54:15	kernel: Saved settings detected...
            Jul 16 19:54:15	check_reload_status: Syncing firewall
            

            Don't take the name of root in vain!
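
Added example, not part of the original post and not pfSense or Snort package code: a short script that reads the newest-first system log quoted above and reports which `[Snort]` bootup steps took the longest, which helps tell a slow install from a hung one. The function names, the `year` default and the rule that a step lasts until the next `[Snort]` line is logged are assumptions of this example.

```python
import re
from datetime import datetime

# Excerpt of the log quoted in the post above, newest first (tab after the timestamp).
SAMPLE_LOG = """\
Jul 16 20:09:59\tphp: rc.bootup: [Snort] Building new sig-msg.map file for WAN...
Jul 16 20:09:37\tphp: rc.bootup: [Snort] Enabling any flowbit-required rules for: WAN...
Jul 16 20:00:39\tphp: rc.bootup: [Snort] Updating rules configuration for: WAN...
Jul 16 20:00:33\tphp: rc.bootup: [Snort] The Rules update has finished.
Jul 16 19:55:52\tphp: rc.bootup: [Snort] Emerging Threats Open rules file update downloaded successfully
Jul 16 19:55:44\tphp: rc.bootup: [Snort] Snort VRT rules file update downloaded successfully
Jul 16 19:54:17\tphp: rc.bootup: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2973.tar.gz...
Jul 16 19:54:15\tphp: rc.bootup: [Snort] Downloading and updating configured rule types...
"""

LINE_RE = re.compile(r"^\s*(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+.*?\[Snort\]\s+(.*\S)\s*$")


def parse_snort_steps(text, year=2000):
    """Return [(datetime, message)] for the [Snort] lines, oldest first."""
    # Syslog stamps carry no year; `year` is an assumed leap year so that
    # "Feb 29" parses. Gaps are only meaningful within one calendar year.
    steps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel, check_reload_status and blank lines
        stamp = " ".join(m.group(1).split())  # collapse "Jul  6" padding
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        steps.append((when, m.group(2)))
    # Newest-first input: reverse, then stable-sort so that lines sharing a
    # second keep their real order.
    steps.reverse()
    steps.sort(key=lambda s: s[0])
    return steps


def slow_steps(text, threshold=60):
    """(seconds, message) for steps of >= threshold seconds, slowest first."""
    steps = parse_snort_steps(text)
    # Assumption: a message is logged when its step starts, so the gap to
    # the next [Snort] line is the time that step took.
    gaps = [(int((b[0] - a[0]).total_seconds()), a[1]) for a, b in zip(steps, steps[1:])]
    return sorted((g for g in gaps if g[0] >= threshold), key=lambda g: g[0], reverse=True)


if __name__ == "__main__":
    for seconds, message in slow_steps(SAMPLE_LOG):
        print(f"{seconds // 60:2d}m{seconds % 60:02d}s  {message}")
```

On the quoted log the largest gap follows "Updating rules configuration for: WAN...", with the rule downloads well behind it.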

              fakemoth

              As I am posting this (look at the forums time stamps) in about another half an hour the message disappeared. And everything seems fine! Still, can't believe this took THAT long on a server class machine (even if a bit older) a 4C Xeon, 4 GBs ECC and 2 RAID1 drives… So one must simply wait, after a restore. Longer than usual.

              Can I tell you a joke, here? I upgraded Fedora from 21 to 22 while reinstalling snort and I finished faster. And you know what? It also worked :D

              Thanks. I will post back if I run in other issues.

              Don't take the name of root in vain!

                zerodamage

                My issues with Snort (and freeradius and ntopng) are that they do not start after a reboot. I need to manually start all of these services even after installing the Watchdog service. If Snort does happen to start on its own, the interfaces do not come back up.

                  doktornotor

                  Would never add Snort/Suricata to the Service Watchdog. That thing runs a cronjob every minute – not even remotely enough to start these things on slower HW.

                    bmeeks

                    @fakemoth:

                    As I am posting this (look at the forums time stamps) in about another half an hour the message disappeared. And everything seems fine! Still, can't believe this took THAT long on a server class machine (even if a bit older) a 4C Xeon, 4 GBs ECC and 2 RAID1 drives… So one must simply wait, after a restore. Longer than usual.

                    Can I tell you a joke, here? I upgraded Fedora from 21 to 22 while reinstalling snort and I finished faster. And you know what? It also worked :D

                    Thanks. I will post back if I run in other issues.

                    Are you by chance using a NanoBSD installation?  There is some issue with very slow transitions from read-only to read-write for partitions on CF with NanoBSD.  I don't have a Nano machine to test with.  I have seen other posts here about overall slowness with writing to Nano partitions of late.  This will make the Snort install take what seems like forever because it cycles the partition from read-only to read-write a time or two during the installation and subsequent start of Snort.

                    Bill

                      Mitterwald

                      Thumbs up!
                      It took 9 (!) minutes from the last "Generating configuration for WAN…" message to the end of installation.
                      And this was on a Virtual Machine on an i7-3770 CPU @ 3.40GHz Host!
                      I can't remember it ever took THIS long (normally about 3-4 minutes at all!!!)

                      So yes, it really installs but takes way too long!

                        doktornotor

                        As noted above - try without sync. (Hopefully gone everywhere again with 2.2.4.)
