Author Topic: Snort Won't Start After Upgrade  (Read 50250 times)

th3r3isnospoon
Snort Won't Start After Upgrade
« on: June 07, 2011, 12:14:46 pm »
Hello all-

I just upgraded my pfsense firewall (from a snap on Tuesday May 31 to a snap today 2.0-RC2 (amd64) built on Tue Jun 7 06:12:50 EDT 2011). 

After I update SNORT with my oinkcode, add the interface and categories etc. it will not start.  If I try and start it via command line this is the error I get: '/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "snort"'.

I unchecked all the categories I had selected and tried to restart the SNORT service, didn't make a difference.


Any ideas on how to fix this?


Thanks,

-th3r3isnospoon

asterix
Re: Snort Won't Start After Upgrade
« Reply #1 on: June 07, 2011, 10:18:41 pm »
Plus 1 here.. same issue.

I did a clean install of the latest snapshot.. thrice... Same issue.

Something has definitely gone wrong with the Snort package.
« Last Edit: June 07, 2011, 11:15:46 pm by asterix »

LostInIgnorance
Re: Snort Won't Start After Upgrade
« Reply #2 on: June 08, 2011, 07:30:44 am »
I am not having problems with snort at all.  I know one important thing must be done right after an upgrade of pfsense.  You must manually update your rules in the snort>updates tab before trying to start since there's no sync after install.  When it reinstalls the package, the snort rules get deleted.
Running 2.0 Full i386 on a Soekris 5501-70 with a 80G HD

th3r3isnospoon
Re: Snort Won't Start After Upgrade
« Reply #3 on: June 08, 2011, 10:32:38 am »
Quote
I am not having problems with snort at all.  I know one important thing must be done right after an upgrade of pfsense.  You must manually update your rules in the snort>updates tab before trying to start since there's no sync after install.  When it reinstalls the package, the snort rules get deleted.

Yes sir.  Before I make any changes the first thing I do is update the rules, then do the config.  Guess I will just have to keep messing with it.  Strange thing is, I've always done the same thing after upgrading to the latest snap, this is the first time it broke for me.


-th3r3isnospoon

asterix
Re: Snort Won't Start After Upgrade
« Reply #4 on: June 08, 2011, 02:00:12 pm »
Any success?

I am now back on June 1st snapshot but haven't installed snort yet.

oztiks
Re: Snort Won't Start After Upgrade
« Reply #5 on: June 08, 2011, 04:49:32 pm »
I recently deployed 6 PFS 2.0RC2 boxes. The first two were deployed a week or so ago and I installed snort via the package manager; the other ones were installed a few days after. I have noticed on the more recently built servers I am having the same issue with snort failing to start.

As others have noticed, it appears to be an issue with the dynamic link to libpcap. The WORKING snort I had installed was exactly the same version (2.8.6.1 pkg v. 1.34) as the "broken" snort installs, except the difference is the working snort installation has the following:

Quote
$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
   libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f9000)
   libpcap.so.7 => /lib/libpcap.so.7 (0x800835000)
   libm.so.5 => /lib/libm.so.5 (0x800966000)
   libc.so.7 => /lib/libc.so.7 (0x800a85000)
The non-working version has the following:

Quote
$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
   libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
   libpcap.so.1 => not found (0x0)
   libm.so.5 => /lib/libm.so.5 (0x800830000)
   libc.so.7 => /lib/libc.so.7 (0x80094f000)

My resolution was this:

Quote
ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
the result is:

Quote
$ ldd /usr/local/bin/snort
/usr/local/bin/snort:
   libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
   libpcap.so.1 => /lib/libpcap.so.1 (0x800830000)
   libm.so.5 => /lib/libm.so.5 (0x800961000)
   libc.so.7 => /lib/libc.so.7 (0x800a80000)

I won't say that this is an "official" fix but it does appear to work without issues and allow snort to function until this is resolved...
Hope this helps someone!



th3r3isnospoon
Re: Snort Won't Start After Upgrade
« Reply #6 on: June 08, 2011, 08:02:40 pm »
Ok, so I tried the above fix.  Didn't work for me. Here's what it says:

[2.0-RC2][admin@pfsense.localdomain]/root(1): ln -s /lib/libpcap.so.7 /lib/libpcap.so.1
[2.0-RC2][admin@pfsense.localdomain]/root(2): snort
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
Fatal Error, Quitting..
[2.0-RC2][admin@pfsense.localdomain]/root(3):


Getting closer anyways :)


-th3r3isnospoon

th3r3isnospoon
Re: Snort Won't Start After Upgrade
« Reply #7 on: June 08, 2011, 08:09:11 pm »
At the bottom of this website, they talk about the same issues: http://michaelok.tumblr.com/

I'll read through it and possibly try some fixes and post back :)


-th3r3isnospoon

rudfinch
Re: Snort Won't Start After Upgrade
« Reply #8 on: June 09, 2011, 03:22:33 am »
Hello all--

I have the same error after upgrading to the 7-June and 8-June pfsense2-RC2 amd64 full.

After I ln -s /lib/libpcap.so.7 to /usr/local/lib/libpcap.so.1
and tried running snort from the web-configurator, I got an unsupported output plugin: "alert_pf" error in my syslog...

@th3r3isnospoon:
ERROR: parser.c(5165) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.
is a dynamic lib path error. The path in pfsense is "/usr/local/lib/snort/dynamicpreprocessor/"
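
Two of the start-up failures reported so far (the unresolved libpcap.so.1 in the ldd output of Reply #5 and the "Could not stat dynamic module path" error in Replies #6 and #8) can be checked for before starting Snort. The script below is an added example, not part of any post or of the pfSense Snort package; its function names and sample inputs are constructed for illustration, and it assumes the config names its module directories on Snort 2.x "dynamicpreprocessor directory" / "dynamicdetection directory" lines.

```shell
#!/bin/sh
# Pre-flight checks for two start-up failures seen in this thread.

# Read `ldd` output on stdin; print the soname of every dependency the
# runtime linker could not resolve ("libfoo.so.N => not found").
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# $1 = path to a snort.conf. Print each directory named on a
# "dynamicpreprocessor directory" or "dynamicdetection directory" line
# that does not exist on disk (the parser.c "Could not stat" case).
missing_module_dirs() {
    awk '$1 ~ /^dynamic(preprocessor|detection)$/ && $2 == "directory" { print $3 }' "$1" |
    while read -r dir; do
        [ -d "$dir" ] || printf '%s\n' "$dir"
    done
}

# Constructed sample: ldd output of the non-working install from Reply #5.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/snort:
   libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x8006f4000)
   libpcap.so.1 => not found (0x0)
   libm.so.5 => /lib/libm.so.5 (0x800830000)
   libc.so.7 => /lib/libc.so.7 (0x80094f000)
EOF
}

# Constructed sample: a two-line config in a scratch directory, one module
# path present and one absent. Prints the path of the config file.
sample_conf() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/snortchk.XXXXXX") || return 1
    mkdir "$tmp/dynamicpreprocessor"
    {
        echo "dynamicpreprocessor directory $tmp/dynamicpreprocessor"
        echo "dynamicpreprocessor directory $tmp/snort_dynamicpreprocessor/"
    } > "$tmp/snort.conf"
    printf '%s\n' "$tmp/snort.conf"
}

sample_ldd | unresolved_libs             # prints: libpcap.so.1
missing_module_dirs "$(sample_conf)"     # prints the absent path only
# Live use: ldd /usr/local/bin/snort | unresolved_libs
#           missing_module_dirs /usr/local/etc/snort/snort.conf
```

The ldd check only shows that each name resolves; a symlink from one soname to another makes it pass without showing that the two library versions are ABI-compatible.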

th3r3isnospoon
Re: Snort Won't Start After Upgrade
« Reply #9 on: June 09, 2011, 07:01:16 am »
FWIW, I submitted a bug report.

http://redmine.pfsense.org/issues/1590


-th3r3isnospoon

akm22562
Re: Snort Won't Start After Upgrade
« Reply #10 on: June 09, 2011, 09:05:54 am »
Hi all,

I have the exact same console output.  The interesting thing is syslog.

In the latest release of pfsense 2.0-RC2 I can't get Snort to start.  The syslog reveals the following:

Jun 9 07:12:19    SnortStartup[63658]: Snort HARD Reload For 34679_sis0...
Jun 9 07:12:19    snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"
Jun 9 07:12:19    snort[56907]: FATAL ERROR: /usr/local/etc/snort/snort_34679_sis0/snort.conf(207) Unknown output plugin: "alert_pf"

Line 207 of the above file is:

   output alert_pf: /usr/local/etc/snort/whitelist/defaultwlist,snort2c

Andrew

asterix
Re: Snort Won't Start After Upgrade
« Reply #11 on: June 09, 2011, 05:55:09 pm »
no go.

Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?

oztiks
Re: Snort Won't Start After Upgrade
« Reply #12 on: June 10, 2011, 09:12:20 am »
Quote
no go.

Are we the only ones facing this issue? Can anyone else confirm the same with a clean install of pfsense and snort package?

Mine had some clean installs and I did have the issue, which I resolved with my ln fix. I'm not sure why it's not working for others. :(

asterix
Re: Snort Won't Start After Upgrade
« Reply #13 on: June 10, 2011, 09:45:48 am »
In the latest few snapshots even dynamic DNS is failing and the IP shows in red as 0.0.0.0

Looks like both a snapshot and Snort package issue.

rudfinch
Re: Snort Won't Start After Upgrade
« Reply #14 on: June 10, 2011, 09:19:16 pm »
I looked into snort.inc, looks like snort is supposed to fetch perl-threaded-5.12.1_1.tbz as a dependency... but I couldn't find it anywhere... the link to the file seems broken... I don't know if this is the cause of the alert_pf error... hope this will be fixed soon. :)
« Last Edit: June 10, 2011, 10:04:23 pm by rudfinch »