Project

General

Profile

Bug #6736

Snort fails to start after upgrade to 2.3.2-RELEASE

Added by Marco Verleun about 3 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
08/22/2016
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.3.2
Affected Architecture:
amd64

Description

After upgrading to 2.3.2-Release from 2.3.1-5 snort fails to start with a FATAL error: Aug 22 11:20:01 pfSense snort12846: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.

The full output of snort -T -c snort.conf is as follows:
Running in Test mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'DNS_PORTS' defined : [ 53 ]
PortVar 'SMTP_PORTS' defined : [ 25 ]
PortVar 'MAIL_PORTS' defined : [ 25 465 587 691 ]
PortVar 'HTTP_PORTS' defined : [ 36 80:90 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999:10000 11371 15489 29991 33300 34412 34443:34444 41080 44440 50000 50002 51423 55555 56712 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'MSSQL_PORTS' defined : [ 1433 ]
PortVar 'TELNET_PORTS' defined : [ 23 ]
PortVar 'SNMP_PORTS' defined : [ 161 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'POP2_PORTS' defined : [ 109 ]
PortVar 'POP3_PORTS' defined : [ 110 ]
PortVar 'IMAP_PORTS' defined : [ 143 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'AUTH_PORTS' defined : [ 113 ]
PortVar 'FINGER_PORTS' defined : [ 79 ]
PortVar 'IRC_PORTS' defined : [ 6665:6669 7000 ]
PortVar 'SMB_PORTS' defined : [ 139 445 ]
PortVar 'NNTP_PORTS' defined : [ 119 ]
PortVar 'RLOGIN_PORTS' defined : [ 513 ]
PortVar 'RSH_PORTS' defined : [ 514 ]
PortVar 'SSL_PORTS' defined : [ 443 465 563 636 989 992:995 7801:7802 7900:7920 ]
PortVar 'FILE_DATA_PORTS' defined : [ 36 80:90 110 143 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999:10000 11371 15489 29991 33300 34412 34443:34444 41080 44440 50000 50002 51423 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'SUN_RPC_PORTS' defined : [ 111 32770:32779 ]
PortVar 'DCERPC_NCACN_IP_TCP' defined : [ 139 445 ]
PortVar 'DCERPC_NCADG_IP_UDP' defined : [ 138 1024:65535 ]
PortVar 'DCERPC_NCACN_IP_LONG' defined : [ 135 139 445 593 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_LONG' defined : [ 135 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_SHORT' defined : [ 135 593 1024:65535 ]
PortVar 'DCERPC_NCACN_TCP' defined : [ 2103 2105 2107 ]
PortVar 'DCERPC_BRIGHTSTORE' defined : [ 6503:6504 ]
PortVar 'DNP3_PORTS' defined : [ 20000 ]
PortVar 'MODBUS_PORTS' defined : [ 502 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
Search-Method = AC-BNFA-Q
Maximum pattern length = 20
Search-Method-Optimizations = enabled
Tagged Packet Limit: 256
Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine...
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Finished Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/exploit-kit.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-flash.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-image.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-java.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-multimedia.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-office.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-pdf.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/indicator-shellcode.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-cnc.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/netbios.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-linux.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-windows.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/policy-social.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/pua-p2p.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-dns.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-nntp.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-snmp.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-tftp.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-voip.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-apache.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-iis.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mail.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mysql.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-oracle.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-other.so... done
Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-webapp.so... done
Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor...
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_sip_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_pop_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_imap_preproc.so... done
Loading dynamic preprocessor library /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor/libsf_appid_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/etc/snort/snort_27581_pppoe0/snort_dynamicpreprocessor
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.
Fatal Error, Quitting..

Further investigation showed that the snort ruleset was not updated. FORCE UPDATING did update the ruleset and now everything is working fine.

History

#1 Updated by Diggory Gray almost 3 years ago

Get the same issue when updateing from pfSense 2.3.1_5 to 2.3.2_1

In my logs when SNORT tries to start I also get:

FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.4 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.6.

I've tried the 'update' and 'force update' on the rulesets, but I still get the fatal error when SNORT attempts to start.

Also tried re-installing the SNORT package - doesn't help.
SNORT package version is apparently the latest - v3.2.9.1_14

Using SNORT with an ETPro subsciption and without Barnyard.
Only using one instance of SNORT (On the WAN interface).

#2 Updated by Donald Johnson over 2 years ago

2.3.4-RELEASE (amd64)
built on Wed May 03 15:13:29 CDT 2017
FreeBSD 10.3-RELEASE-p19

snort security 3.2.9.2_16
Package Dependencies:
snort-2.9.8.3  barnyard2-1.13_1 

Snort VRT Rules    b34ac715d65f428d951ddc17ea7caa14    Wednesday, 17-May-17 18:10:50 NZST
Snort GPLv2 Community Rules    Not Enabled    Not Enabled
Emerging Threats Open Rules    715a406215134851441b135e50ffc66c    Wednesday, 17-May-17 18:10:54 NZST
Snort OpenAppID Detectors    501bb173f827a55d5a576816e1243958    Wednesday, 17-May-17 18:10:50 NZST
Snort OpenAppID RULES Detectors    7e4562de5575404146dfa3e60066a7af    Wednesday, 17-May-17 18:10:50 NZST

FATAL ERROR: /usr/local/etc/snort/snort_6049_em0/rules/snort.rules(22405) Unknown rule option: 'modbus_data'.

Started seeing this bug, have to enable SCADA preprocessor (Enable Modbus Detection) on all interfaces to have the sensors start.
https://xxx.xxx.xxx.xxx:4444/snort/snort_preprocessors.php?id=1

Also available in: Atom PDF