Bug #6736

closed

Snort fails to start after upgrade to 2.3.2-RELEASE

Added by Marco Verleun over 5 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Snort
Target version: -
Start date: 08/22/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.3.2
Affected Plus Version:
Affected Architecture: amd64

Description

After upgrading to 2.3.2-Release from 2.3.1-5 snort fails to start with a FATAL error:

Aug 22 11:20:01 pfSense snort12846: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.

The full output of snort -T -c snort.conf is as follows:
Running in Test mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'DNS_PORTS' defined : [ 53 ]
PortVar 'SMTP_PORTS' defined : [ 25 ]
PortVar 'MAIL_PORTS' defined : [ 25 465 587 691 ]
PortVar 'HTTP_PORTS' defined : [ 36 80:90 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999:10000 11371 15489 29991 33300 34412 34443:34444 41080 44440 50000 50002 51423 55555 56712 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'MSSQL_PORTS' defined : [ 1433 ]
PortVar 'TELNET_PORTS' defined : [ 23 ]
PortVar 'SNMP_PORTS' defined : [ 161 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'POP2_PORTS' defined : [ 109 ]
PortVar 'POP3_PORTS' defined : [ 110 ]
PortVar 'IMAP_PORTS' defined : [ 143 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'AUTH_PORTS' defined : [ 113 ]
PortVar 'FINGER_PORTS' defined : [ 79 ]
PortVar 'IRC_PORTS' defined : [ 6665:6669 7000 ]
PortVar 'SMB_PORTS' defined : [ 139 445 ]
PortVar 'NNTP_PORTS' defined : [ 119 ]
PortVar 'RLOGIN_PORTS' defined : [ 513 ]
PortVar 'RSH_PORTS' defined : [ 514 ]
PortVar 'SSL_PORTS' defined : [ 443 465 563 636 989 992:995 7801:7802 7900:7920 ]
PortVar 'FILE_DATA_PORTS' defined : [ 36 80:90 110 143 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999:10000 11371 15489 29991 33300 34412 34443:34444 41080 44440 50000 50002 51423 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'SUN_RPC_PORTS' defined : [ 111 32770:32779 ]
PortVar 'DCERPC_NCACN_IP_TCP' defined : [ 139 445 ]
PortVar 'DCERPC_NCADG_IP_UDP' defined : [ 138 1024:65535 ]
PortVar 'DCERPC_NCACN_IP_LONG' defined : [ 135 139 445 593 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_LONG' defined : [ 135 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_SHORT' defined : [ 135 593 1024:65535 ]
PortVar 'DCERPC_NCACN_TCP' defined : [ 2103 2105 2107 ]
PortVar 'DCERPC_BRIGHTSTORE' defined : [ 6503:6504 ]
PortVar 'DNP3_PORTS' defined : [ 20000 ]
PortVar 'MODBUS_PORTS' defined : [ 502 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
Search-Method = AC-BNFA-Q
Maximum pattern length = 20
Search-Method-Optimizations = enabled
Tagged Packet Limit: 256
Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine...
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Finished Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/exploit-kit.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-flash.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-image.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-java.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-multimedia.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-office.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-pdf.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/indicator-shellcode.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-cnc.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/netbios.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-linux.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-windows.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/policy-social.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/pua-p2p.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-dns.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-nntp.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-snmp.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-tftp.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-voip.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-apache.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-iis.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mail.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mysql.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-oracle.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-webapp.so... done
Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor...
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_sip_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_pop_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_imap_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_appid_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
Fatal Error, Quitting..

Further investigation showed that the snort ruleset was not updated. FORCE UPDATING did update the ruleset and now everything is working fine.

Actions #1

Updated by Diggory Gray about 5 years ago

Get the same issue when updating from pfSense 2.3.1_5 to 2.3.2_1

In my logs when SNORT tries to start I also get:

FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.

I've tried the 'update' and 'force update' on the rulesets, but I still get the fatal error when SNORT attempts to start.

Also tried re-installing the SNORT package - doesn't help.
SNORT package version is apparently the latest - v3.2.9.1_14

Using SNORT with an ETPro subscription and without Barnyard.
Only using one instance of SNORT (On the WAN interface).

Actions #2

Updated by Donald Johnson over 4 years ago

2.3.4-RELEASE (amd64)
built on Wed May 03 15:13:29 CDT 2017
FreeBSD 10.3-RELEASE-p19

snort security 3.2.9.2_16
Package Dependencies:
snort-2.9.8.3  barnyard2-1.13_1 

Snort VRT Rules    b34ac715d65f428d951ddc17ea7caa14    Wednesday, 17-May-17 18:10:50 NZST
Snort GPLv2 Community Rules    Not Enabled    Not Enabled
Emerging Threats Open Rules    715a406215134851441b135e50ffc66c    Wednesday, 17-May-17 18:10:54 NZST
Snort OpenAppID Detectors    501bb173f827a55d5a576816e1243958    Wednesday, 17-May-17 18:10:50 NZST
Snort OpenAppID RULES Detectors    7e4562de5575404146dfa3e60066a7af    Wednesday, 17-May-17 18:10:50 NZST

FATAL ERROR: /usr/local/etc/snort/snort_6049_em0/rules/snort.rules(22405) Unknown rule option: 'modbus_data'.

Started seeing this bug, have to enable SCADA preprocessor (Enable Modbus Detection) on all interfaces to have the sensors start.
https://xxx.xxx.xxx.xxx:4444/snort/snort_preprocessors.php?id=1

Actions #3

Updated by Kris Phillips about 1 year ago

  • Status changed from New to Closed

Closing this very old bug report out, as this issue is from an unsupported version of pfSense and there are no issues with snort started on 2.4.5p1.
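
The two startup failures quoted in this report have fixed message formats, so a post-upgrade check can classify them from `snort -T` output instead of leaving the sensor silently down. The script below is an added example, not part of the original report or of pfSense or Snort; the function name, verdict strings and exit codes are assumptions, and the sample input is constructed from the error lines quoted above.

```sh
#!/bin/sh
# Added example (not pfSense or Snort project code): classify the fatal error
# in `snort -T` output read from stdin. Patterns follow the messages quoted above.
triage_snort_test() {
    out=$(cat)

    # Case 1: a precompiled SO rule library built for another engine version.
    hit=$(printf '%s\n' "$out" | grep 'compiled with dynamic engine library version' | head -n 1)
    if [ -n "$hit" ]; then
        lib=$(printf '%s\n' "$hit" | sed -E 's/.*dynamic detection library "([^"]+)".*/\1/')
        built=$(printf '%s\n' "$hit" | sed -E 's/.*compiled with dynamic engine library version ([0-9]+\.[0-9]+).*/\1/')
        engine=$(printf '%s\n' "$hit" | sed -E 's/.*current dynamic engine library "[^"]+" version ([0-9]+\.[0-9]+).*/\1/')
        echo "so-rule-mismatch lib=$lib built_for=$built engine=$engine"
        return 2
    fi

    # Case 2: a rule uses an option that no loaded preprocessor provides.
    hit=$(printf '%s\n' "$out" | grep 'Unknown rule option:' | head -n 1)
    if [ -n "$hit" ]; then
        opt=$(printf '%s\n' "$hit" | sed -E "s/.*Unknown rule option: '([^']+)'.*/\1/")
        where=$(printf '%s\n' "$hit" | sed -E 's/.*ERROR: ([^ (]+)\(([0-9]+)\) Unknown.*/\1:\2/')
        echo "unknown-rule-option option=$opt at=$where"
        return 3
    fi

    # Any other fatal message is passed through verbatim for manual review.
    hit=$(printf '%s\n' "$out" | grep -i 'fatal error' | head -n 1)
    if [ -n "$hit" ]; then
        echo "other-fatal $hit"
        return 4
    fi
    echo "ok"
}

# Constructed samples: the two error lines quoted in this report.
sample_mismatch() {
cat <<'EOF'
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
Fatal Error, Quitting..
EOF
}
sample_unknown_option() {
    echo "FATAL ERROR: /usr/local/etc/snort/snort_6049_em0/rules/snort.rules(22405) Unknown rule option: 'modbus_data'."
}
```

On a live system the function would be fed with `snort -T -c snort.conf 2>&1 | triage_snort_test`. In this thread, the first verdict was resolved for the reporter by force-updating the ruleset, and the second by enabling Modbus detection in the SCADA preprocessor settings.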
