Snort mailing list archives

Re: Snort Services Failed to Start


From: greg.mcnathansonsnuf003 () gmx-topmail de
Date: Wed, 25 Jun 2014 01:13:05 +0200

I finally got snort 2.9.6.1 running.
Thank you very much Joel for your help. Your hint led me to the solution of this problem.
 
 I didn't clean the directory /usr/local/src/snort_dynamicsrc.
 
Actually I forgot to do a "make clean" after "make uninstall".
 
Greg
 
 
 

Sent: Tuesday, 24 June 2014 at 17:16
From: "Joel Esler (jesler)" <jesler () cisco com>
To: "greg.mcnathansonsnuf003 () gmx-topmail de" <greg.mcnathansonsnuf003 () gmx-topmail de>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort Services Failed to Start

I’m just telling you what the error means:
 

Jun 24 13:00:31 discovery snort[789]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSH version 1.1.3 (-2)
Jun 24 13:00:31 discovery snort[784]: Starting snort: ERROR size 840 != 864
 
So, Snort is trying to load an old preprocessor.  Need to find where it is trying to load it from (in your snort.conf) 
and delete it.
  

On Jun 24, 2014, at 11:13 AM, <greg.mcnathansonsnuf003 () gmx-topmail de> <greg.mcnathansonsnuf003 () gmx-topmail de> 
wrote: 

Hello Joel,
 
thanks for your help.
 
I'm sure  /usr/local/lib/snort_dynamicpreprocessor  contains only files from 2.9.6.1, because I deleted the dir before 
installation.
 
ls -l /usr/local/lib/snort_dynamicpreprocessor
 

total 13704
-rw-r--r--. 1 root root 2929744 Jun  2 23:54 libsf_dce2_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_dce2_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dce2_preproc.so -> libsf_dce2_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dce2_preproc.so.0 -> libsf_dce2_preproc.so.0.0.0
-rwxr-xr-x. 1 root root 1670215 Jun  2 23:54 libsf_dce2_preproc.so.0.0.0
-rw-r--r--. 1 root root  351914 Jun  2 23:54 libsf_dnp3_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_dnp3_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dnp3_preproc.so -> libsf_dnp3_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dnp3_preproc.so.0 -> libsf_dnp3_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  246414 Jun  2 23:54 libsf_dnp3_preproc.so.0.0.0
-rw-r--r--. 1 root root  127602 Jun  2 23:54 libsf_dns_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_dns_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_dns_preproc.so -> libsf_dns_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_dns_preproc.so.0 -> libsf_dns_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  132305 Jun  2 23:54 libsf_dns_preproc.so.0.0.0
-rw-r--r--. 1 root root 1096660 Jun  2 23:54 libsf_ftptelnet_preproc.a
-rwxr-xr-x. 1 root root    1310 Jun  2 23:54 libsf_ftptelnet_preproc.la
lrwxrwxrwx. 1 root root      32 Jun  2 23:54 libsf_ftptelnet_preproc.so -> libsf_ftptelnet_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      32 Jun  2 23:54 libsf_ftptelnet_preproc.so.0 -> libsf_ftptelnet_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  650168 Jun  2 23:54 libsf_ftptelnet_preproc.so.0.0.0
-rw-r--r--. 1 root root  361626 Jun  2 23:54 libsf_gtp_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_gtp_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_gtp_preproc.so -> libsf_gtp_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_gtp_preproc.so.0 -> libsf_gtp_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  231840 Jun  2 23:54 libsf_gtp_preproc.so.0.0.0
-rw-r--r--. 1 root root  480042 Jun  2 23:54 libsf_imap_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_imap_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_imap_preproc.so -> libsf_imap_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_imap_preproc.so.0 -> libsf_imap_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  354247 Jun  2 23:54 libsf_imap_preproc.so.0.0.0
-rw-r--r--. 1 root root  314326 Jun  2 23:54 libsf_modbus_preproc.a
-rwxr-xr-x. 1 root root    1289 Jun  2 23:54 libsf_modbus_preproc.la
lrwxrwxrwx. 1 root root      29 Jun  2 23:54 libsf_modbus_preproc.so -> libsf_modbus_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      29 Jun  2 23:54 libsf_modbus_preproc.so.0 -> libsf_modbus_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  193645 Jun  2 23:54 libsf_modbus_preproc.so.0.0.0
-rw-r--r--. 1 root root  473890 Jun  2 23:54 libsf_pop_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_pop_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_pop_preproc.so -> libsf_pop_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_pop_preproc.so.0 -> libsf_pop_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  348693 Jun  2 23:54 libsf_pop_preproc.so.0.0.0
-rw-r--r--. 1 root root  255888 Jun  2 23:54 libsf_reputation_preproc.a
-rwxr-xr-x. 1 root root    1317 Jun  2 23:54 libsf_reputation_preproc.la
lrwxrwxrwx. 1 root root      33 Jun  2 23:54 libsf_reputation_preproc.so -> libsf_reputation_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      33 Jun  2 23:54 libsf_reputation_preproc.so.0 -> libsf_reputation_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  268676 Jun  2 23:54 libsf_reputation_preproc.so.0.0.0
-rw-r--r--. 1 root root  459080 Jun  2 23:54 libsf_sdf_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_sdf_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sdf_preproc.so -> libsf_sdf_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sdf_preproc.so.0 -> libsf_sdf_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  256103 Jun  2 23:54 libsf_sdf_preproc.so.0.0.0
-rw-r--r--. 1 root root  567996 Jun  2 23:54 libsf_sip_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_sip_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sip_preproc.so -> libsf_sip_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sip_preproc.so.0 -> libsf_sip_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  336522 Jun  2 23:54 libsf_sip_preproc.so.0.0.0
-rw-r--r--. 1 root root  767290 Jun  2 23:54 libsf_smtp_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_smtp_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_smtp_preproc.so -> libsf_smtp_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_smtp_preproc.so.0 -> libsf_smtp_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  473661 Jun  2 23:54 libsf_smtp_preproc.so.0.0.0
-rw-r--r--. 1 root root  124594 Jun  2 23:54 libsf_ssh_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_ssh_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssh_preproc.so -> libsf_ssh_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssh_preproc.so.0 -> libsf_ssh_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  130553 Jun  2 23:54 libsf_ssh_preproc.so.0.0.0
-rw-r--r--. 1 root root  160256 Jun  2 23:54 libsf_ssl_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_ssl_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssl_preproc.so -> libsf_ssl_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssl_preproc.so.0 -> libsf_ssl_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  147687 Jun  2 23:54 libsf_ssl_preproc.so.0.0.0
 
In snort.conf the path is correctly set:
 

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
 
 
What else can I do?
 
 
Greg
 
 
 

Sent: Tuesday, 24 June 2014 at 16:16
From: "Joel Esler (jesler)" <jesler () cisco com>
To: "greg.mcnathansonsnuf003 () gmx-topmail de" <greg.mcnathansonsnuf003 () gmx-topmail de>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort Services Failed to Start

Looks like you are using the 2.9.5.6 dynamic preprocessors with Snort 2.9.6.1.  You’ll probably want to delete things 
in /usr/local/lib/snort_dynamicpreprocessor and reinstall 2.9.6.1
 
 

On Jun 24, 2014, at 9:12 AM, greg.mcnathansonsnuf003 () gmx-topmail de wrote: 

Hi snort experts,
 
is there any solution for this?
I have the same problem as Steven Vona.
 
Starting snort: ERROR size 840 != 864
 
I updated from snort 2.9.5.6 to version 2.9.6.1 on a Fedora 20 machine (x86_64). (Kernel 3.14.4-200.fc20.x86_64)
 
journalctl -b -0 -u snort.service
 
...
Jun 24 13:00:30 discovery snort[789]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor...
Jun 24 13:00:30 discovery snort[789]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so...
Jun 24 13:00:30 discovery snort[789]: done
...
Jun 24 13:00:31 discovery snort[789]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
Jun 24 13:00:31 discovery snort[789]: done
Jun 24 13:00:31 discovery snort[789]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor
Jun 24 13:00:31 discovery snort[789]: Log directory = /var/log/snort
....
Jun 24 13:00:31 discovery snort[789]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Jun 24 13:00:31 discovery snort[789]: alert_fragments: INACTIVE
Jun 24 13:00:31 discovery snort[789]: alert_large_fragments: INACTIVE
Jun 24 13:00:31 discovery snort[789]: alert_incomplete: INACTIVE
Jun 24 13:00:31 discovery snort[789]: alert_multiple_requests: INACTIVE
Jun 24 13:00:31 discovery snort[789]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSH version 1.1.3 (-2)
Jun 24 13:00:31 discovery snort[784]: Starting snort: ERROR size 840 != 864
Jun 24 13:00:31 discovery snort[784]: [FAILED]
Jun 24 13:00:31 discovery snort[822]: Stopping snort: [FAILED]
Jun 24 13:00:31 discovery systemd[1]: Started Snort IDS system.
 
The /usr/local/lib/snort_dynamicpreprocessor directory contains only new files from snort 2.9.6.1.
 
 
Config parameters for installation of snort 2.9.6.1:
 
$ ./configure --enable-sourcefire --enable-zlib --enable-reload --enable-reload-error-restart
 
Config parameters for installation of daq 2.0.2:
 
$ ./configure
 
 
I haven't been able to use libnetfilter_queue libraries and libnfnetlink libraries from the Fedora 20 repository. Usage 
of these libraries resulted in segmentation faults.
So I use an older version of these libraries (libnetfilter_queue 1.1.0 and libnfnetlink 0.2.0). With these libraries no 
segmentation faults occurred.
 
Any ideas what to do to get snort running?
 
 
Any help would be greatly appreciated.
 
Greg
 
 
 
 
 

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
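
Added example, not part of the original thread: a shell sketch of the two checks this thread ends up needing, namely pulling the failing preprocessor and the size mismatch out of the startup log, and finding build artifacts left over from before the current `./configure` run (the "forgot make clean" case). The function names are hypothetical, and using `config.status` as the freshness reference is an assumption about an autotools build tree.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Snort.

# Read Snort startup log lines on stdin and report which dynamic
# preprocessor failed to initialize and the size mismatch reported
# next to it. Prints nothing if neither message is present.
diagnose_snort_log() {
    awk '
        /Failed to initialize dynamic preprocessor: / {
            sub(/.*Failed to initialize dynamic preprocessor: /, "")
            name = $1; ver = $3          # "SF_SSH version 1.1.3 (-2)"
        }
        /ERROR size [0-9]+ != [0-9]+/ {
            sub(/.*ERROR size /, "")
            a = $1; b = $3               # "840 != 864"
        }
        END {
            if (name != "" && a != "")
                printf "preproc=%s version=%s size=%s!=%s\n", name, ver, a, b
        }'
}

# List object files and libraries under directory $1 that are not newer
# than reference file $2. Assumption: $2 is a file written by the current
# ./configure run (e.g. config.status), so anything older was compiled
# before it and survived because "make clean" was skipped.
stale_objects() {
    find "$1" -type f \( -name '*.o' -o -name '*.lo' -o -name '*.so*' \) \
        ! -newer "$2"
}

# Sample input: the two failure lines quoted in the thread.
printf '%s\n' \
    'Jun 24 13:00:31 discovery snort[789]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSH version 1.1.3 (-2)' \
    'Jun 24 13:00:31 discovery snort[784]: Starting snort: ERROR size 840 != 864' |
    diagnose_snort_log
```

Any path printed by `stale_objects` is a candidate for having been built against the previous version's headers; cleaning the tree and rebuilding removes them.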
