Netgate m1n1wall

Author Topic: Snort Won't Start After Upgrade  (Read 50228 times)

Offline ermal

  • Administrator
  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #135 on: August 03, 2011, 04:21:59 pm »
That is IDS integration which might need some people to help out in funding to make properly usable.

Offline hmishra

  • Jr. Member
Re: Snort Won't Start After Upgrade
« Reply #136 on: August 03, 2011, 05:23:18 pm »
I am having the same issue now of not seeing Snort menu entry under Services, even after successful install. I have uninstalled and installed the Snort package a couple times already as per the earlier suggestion.

I see the following error messages on system log which I thought were relevant:

Aug 3 17:28:50    SnortStartup[36465]: Snort HARD Reload For 21540_em0_vlan10...
Aug 3 17:28:50    snort[36189]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21540_em0_vlan10//usr/local/etc/snort/snort_21540_em0_vlan10/rules/emerging-botcc.rules": No such file or directory.
Aug 3 17:28:50    snort[36189]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21540_em0_vlan10//usr/local/etc/snort/snort_21540_em0_vlan10/rules/emerging-botcc.rules": No such file or directory.

Now even if there were some issues with the category 'emerging-botcc.rules', I cannot uncheck those now since I cannot bring up Snort setting to uncheck those.
« Last Edit: August 03, 2011, 05:33:41 pm by hmishra »

Offline mschiek01

  • Full Member
Re: Snort Won't Start After Upgrade
« Reply #137 on: August 03, 2011, 06:37:29 pm »
> mschiek01: Remove the package and install it again.
> Do not use the reinstall features but really delete and install the package.
>
> That will fix your issue and it should not happen again after that.

That fixed the issue.

Thanks again for addressing this quickly.

Offline hmishra

  • Jr. Member
Re: Snort Won't Start After Upgrade
« Reply #138 on: August 03, 2011, 06:49:59 pm »
Ok, Snort is running now. I had to export the config xml and edit out the rule categories which were generating exceptions on system log as stated before. Once I restored it, Snort is now running although I still feel that Snort should not die if choosing what it considers as an invalid category.

Anyway, now I have a different issue which I am not sure if it is Snort install related since I also updated to the latest snapshot. Now, I can install Squid or Squidguard or Cron individually, but if I install more than one, the other gets bumped off of the services list. Even the menu entry for the previous package is lost. In other words, only one service can be active at a time from among installable packages. This is just a rough observation since I haven't tried all different combinations of packages.

Offline Cino

  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #139 on: August 03, 2011, 08:01:10 pm »
> That is IDS integration which might need some people to help out in funding to make properly usable.

What IDS integration are you talking about?

So far so good! Whitelist looks to be working. I notice the format of the file has changed. Suppress file seems to load without errors, have not tested yet. Thank you again!

« Last Edit: August 03, 2011, 08:04:09 pm by Cino »

Offline Cino

  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #140 on: August 03, 2011, 08:03:37 pm »
> Ok, Snort is running now. I had to export the config xml and edit out the rule categories which were generating exceptions on system log as stated before. Once I restored it, Snort is now running although I still feel that Snort should not die if choosing what it considers as an invalid category.
>
> Anyway, now I have a different issue which I am not sure if it is Snort install related since I also updated to the latest snapshot. Now, I can install Squid or Squidguard or Cron individually, but if I install more than one, the other gets bumped off of the services list. Even the menu entry for the previous package is lost. In other words, only one service can be active at a time from among installable packages. This is just a rough observation since I haven't tried all different combinations of packages.

How long since you updated? Try it again since it seems to be fixed for me.

Offline hmishra

  • Jr. Member
Re: Snort Won't Start After Upgrade
« Reply #141 on: August 03, 2011, 08:21:17 pm »
Just tried it, still no joy. Having installed Snort first, I tried to install Cron and that bumped off the Snort menu entry under Services.

Offline ermal

  • Administrator
  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #142 on: August 04, 2011, 12:48:01 am »
You need to update to latest snapshot to fix the issues with the menu.

@Cino,

IDS integration is the Block offenders option

Offline Cino

  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #143 on: August 04, 2011, 07:15:10 am »
@Ermal The suppress list is working. Snort stayed up last night. Need to do some more testing but block IPs didn't clear after the set time I selected. My time is set to block for 1 hour, I had IPs in there that were blocked 8 hours ago.

Edit: I did some more testing and it's not removing IPs from the Block list. I looked to see if there was a cron job but there wasn't. For some reason I'm thinking there was a cron job that was based on the 'Remove blocked hosts every' field
« Last Edit: August 04, 2011, 08:32:50 am by Cino »

Offline mdovey

  • Newbie
Re: Snort Won't Start After Upgrade
« Reply #144 on: August 04, 2011, 10:58:32 am »
The "add another entry" button under the "Add your own custom ips" for Whitelists doesn't appear to be working. So I can only add 1 ip to a whitelist!

I've tried under Opera 11.50 and IE9

Matthew

Offline Cino

  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #145 on: August 04, 2011, 11:29:23 am »
> The "add another entry" button under the "Add your own custom ips" for Whitelists doesn't appear to be working. So I can only add 1 ip to a whitelist!
>
> I've tried under Opera 11.50 and IE9
>
> Matthew

This is new, I can confirm that it's doing the same thing for me using FF 5... Strange it wasn't doing this last night... I did notice last night that any IPs I did add wouldn't show up under 'Values' in the 'Services:Snort:Whitelist' tab

When I try to add an IP, this is the link the button is pointing to: https://192.168.0.1:445/snort/snort_interfaces_whitelist_edit.php?id=1#

Offline ermal

  • Administrator
  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #146 on: August 04, 2011, 01:44:25 pm »
Fixed even the row helper.

The expire of the hosts from the table should be done by a cron job.
Please try with the latest package and give a save under Global Settings for that.

Offline Cino

  • Hero Member
Re: Snort Won't Start After Upgrade
« Reply #147 on: August 04, 2011, 03:59:21 pm »
> Fixed even the row helper.
>
> The expire of the hosts from the table should be done by a cron job.
> Please try with the latest package and give a save under Global Settings for that.

Adding IPs works again. I still don't see the added IPs under the main page in the values field. I'm thinking there is a limit of 10 entries because it doesn't display past 10 entries. No biggie for me since it is adding them to the file correctly.

The cron job is back and it's working for 1hr :-)

Thank you again for all your help Ermal!

PS I don't have Barnyard2 so I can't test but I think we have tested everything within the package... I still have to create another interface and see how that reacts with Snort being bound to 2+ interfaces

Offline hansmuff

  • Newbie
Re: Snort Won't Start After Upgrade
« Reply #148 on: August 04, 2011, 04:32:05 pm »
I have pfsense 2.0 RC3 64-bit installed. I un-installed Snort when it broke and just re-installed from the packages menu. Does that give me the latest release, because I have the same problem I've been having when Snort initially stopped working.

My Snort version is 2.8.6.1 pkg v. 2.0

The error in the syslog is "Aug 4 17:27:07    SnortStartup[17989]: Snort HARD Reload For 25369_fxp0...
Aug 4 17:27:07    snort[17310]: FATAL ERROR: /usr/local/etc/snort/snort_25369_fxp0/snort.conf(316) Unknown output plugin: "alert_pf""

My apologies if I'm doing this wrong.

Online asterix

  • Sr. Member
Re: Snort Won't Start After Upgrade
« Reply #149 on: August 04, 2011, 05:44:55 pm »
Latest amd64 snapshot. Clean install.

Snort not starting.


Aug 4 18:43:49   SnortStartup[10250]: Snort HARD Reload For 35360_em0...
Aug 4 18:43:49   SnortStartup[6313]: Snort Startup files Sync...
Aug 4 18:43:22   SnortStartup[47731]: Snort HARD Reload For 35360_em0...
Aug 4 18:43:21   SnortStartup[43782]: Snort Startup files Sync...



Did a uninstall/install of Snort (not re-install) thrice... no-go

Aug 4 18:53:13   SnortStartup[2775]: Snort HARD Reload For 33845_em0...
Aug 4 18:53:13   SnortStartup[62907]: Snort Startup files Sync...
Aug 4 18:52:54   SnortStartup[33560]: Interface Rule START for 0_33845_em0...
Aug 4 18:52:53   SnortStartup[21740]: Toggle for 33845_em0...
Aug 4 18:52:47   check_reload_status: Syncing firewall
Aug 4 18:52:32   check_reload_status: Syncing firewall
Aug 4 18:52:10   SnortStartup[23637]: Snort HARD Reload For 35360_em0...
Aug 4 18:52:10   SnortStartup[20060]: Snort Startup files Sync...
Aug 4 18:51:29   check_reload_status: Syncing firewall
Aug 4 18:50:47   check_reload_status: Syncing firewall
Aug 4 18:50:47   check_reload_status: Reloading filter
Aug 4 18:50:46   check_reload_status: Syncing firewall
Aug 4 18:50:09   check_reload_status: Syncing firewall
Aug 4 18:50:08   php: /pkg_mgr_install.php: Beginning package installation for snort.
« Last Edit: August 04, 2011, 05:54:27 pm by asterix »
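
Added example (not part of any post in this thread, and not the Snort package's own code): a Python triage over system-log lines of the shapes quoted above. It separates the three startup failures reported here: a rules file that cannot be opened, an unknown output plugin in snort.conf, and a HARD Reload with no logged error. The sample lines are copied from the posts; the function names and result fields are assumptions made for this illustration.

```python
import re

# Sample input: system-log lines copied from the posts above (one fatal line repeated, as posted).
SAMPLE_LOG = """\
Aug 3 17:28:50    SnortStartup[36465]: Snort HARD Reload For 21540_em0_vlan10...
Aug 3 17:28:50    snort[36189]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21540_em0_vlan10//usr/local/etc/snort/snort_21540_em0_vlan10/rules/emerging-botcc.rules": No such file or directory.
Aug 3 17:28:50    snort[36189]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_21540_em0_vlan10//usr/local/etc/snort/snort_21540_em0_vlan10/rules/emerging-botcc.rules": No such file or directory.
Aug 4 17:27:07    SnortStartup[17989]: Snort HARD Reload For 25369_fxp0...
Aug 4 17:27:07    snort[17310]: FATAL ERROR: /usr/local/etc/snort/snort_25369_fxp0/snort.conf(316) Unknown output plugin: "alert_pf"
Aug 4 18:43:49   SnortStartup[10250]: Snort HARD Reload For 35360_em0...
"""

# Patterns for the line shapes seen in the thread.
RELOAD = re.compile(r'SnortStartup\[\d+\]: Snort HARD Reload For (\S+?)\.\.\.')
FATAL = re.compile(r'snort\[\d+\]: FATAL ERROR: (.*)$')
RULES = re.compile(r'Unable to open rules file "([^"]+)"')
PLUGIN = re.compile(r'(\S+)\((\d+)\) Unknown output plugin: "([^"]+)"')
INSTANCE_DIR = re.compile(r'/snort/snort_([^/]+)/')

def classify(msg):
    """Turn one FATAL ERROR message into a finding (field names are illustrative)."""
    m = RULES.search(msg)
    if m:
        dirs = INSTANCE_DIR.findall(m.group(1))
        # doubled_prefix: the per-interface directory appears twice in the path.
        return {"instance": dirs[0] if dirs else None, "kind": "missing_rules_file",
                "category": m.group(1).rsplit("/", 1)[-1], "doubled_prefix": len(dirs) > 1}
    m = PLUGIN.search(msg)
    if m:
        dirs = INSTANCE_DIR.findall(m.group(1))
        return {"instance": dirs[0] if dirs else None, "kind": "unknown_output_plugin",
                "plugin": m.group(3), "conf_line": int(m.group(2))}
    return {"instance": None, "kind": "other", "message": msg}

def triage(log_text):
    """Return one finding per distinct failure, in log order."""
    reloads, findings, seen = [], [], set()
    for line in log_text.splitlines():
        m = RELOAD.search(line)
        if m and m.group(1) not in reloads:
            reloads.append(m.group(1))
        m = FATAL.search(line)
        if m and m.group(1) not in seen:  # the thread shows the same fatal line logged twice
            seen.add(m.group(1))
            findings.append(classify(m.group(1)))
    explained = {f["instance"] for f in findings}
    # A reload with no fatal line: the log alone does not say why Snort is down.
    findings += [{"instance": i, "kind": "reload_without_logged_error"} for i in reloads if i not in explained]
    return findings
```

The `category` value is the rules file name to look for in the exported config XML, which is the workaround described in reply #138.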