Snort won't start on pfSense firewall

Red Squirrel

I am trying to get snort to start, but when I click the green "play" button, nothing happens. It just reloads the page, and it does not actually start. Is there any way to get this to work? I've had it installed for a while, figured it was working, but saw there are zero logs, and then realized it was not even on. I've run the rule update, set up all the categories and all that.
 
Yeah I selected WAN.

Though, do I need barnyard2 enabled? I just disabled it as it needs a SQL server and I don't have one set up, but if I have to, I'll set one up.
 
Well it is green, but I'm guessing that means it's off, because I have to click on that to turn it on, or does it mean it's already on?



And yeah, I see zero logs, like if I go in alerts, it's just blank. I would like to actually be able to see what's going on and see what's getting blocked etc.
 
Yeah I checked all of them. Figured if I run into problems I'll uncheck as needed, but so far none seem to be taking any effect. Unless nobody is trying to hack me, but with all the bots out there, I'm sure I would be seeing a lot of logs.
 
Looks like I might be having the same problem. Using the GUI, the status indicator never changes no matter how many times I click it, it just stays green. Using `ps` in the shell confirms that it is NOT running. Funny thing is, if I run snort by hand it seems to run fine.
 
I solved this not too long ago; I ended up unchecking all the Emerging Threats categories. There's one in there that conflicts. From my understanding though those are the best rules as they get updated very often with stuff like spammer IPs and what not. I did not get a chance to troubleshoot further to find out which one is the culprit though.
 
You'll have to check the logs, it'll sometimes tell you why they aren't starting.

Most likely what folks have mentioned here about some categories conflicting. Settings conflicts are the #1 reason why things won't start in pfSense.
 
Resurrecting this thread in case the OP hasn't figured it out -- I just ran into the same thing. Enable the http pre-processor on the interface tab. Some of the rules depend on it.
 
Lots of necro threads from people having the same problems lately. This thread was revived TWICE! First by what looks like a random googler, then once by a forum member.

It gives me a warm feeling when my pfSense OpenVPN site to site bridge guide gets bumped :D
 
I ended up disabling snort. Problem is it kept doing false positives on a lot of sites I visit, and even if I put the IP in the white list it still blocked it anyway, so I gave up on it. The idea was neat, but it was just too much hassle.
 
If SNORT refuses to start, you need to check your system log and disable the rule category(ies) that are causing it to not start.

In regards to SNORT's false detection and blocking, you should first start it in "non blocking" mode and use your network how it's normally used, and visit the websites you normally visit everyday. Then check the Snort Alerts tab... and then watch this video on how to suppress the rules that are causing your normally used websites to be blocked: http://www.youtube.com/watch?v=uQ7OrxtiAes

That video is very good in demonstrating how to properly configure SNORT on pfSense to not block wanted traffic.
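
Added example (not from any poster in this thread): a small Python script for the "check your system log" step, run on a saved copy of the log. It pulls Snort's fatal startup errors out of syslog text and, if given the rules file named in the error, shows the `sid` and `msg` of the rule on the failing line. The log line shape `snort[pid]: FATAL ERROR: <file>(<line>) <reason>` is an assumption, and the paths, SIDs, rule option and log lines below are constructed placeholders.

```python
import re
from collections import OrderedDict

# Assumed shape of a Snort fatal startup error in syslog (not taken from the thread):
#   <timestamp> <host> snort[<pid>]: FATAL ERROR: <rules file>(<line>) <reason>
FATAL_RE = re.compile(
    r"snort\[\d+\]: FATAL ERROR: (?P<path>\S+)\((?P<line>\d+)\) (?P<reason>.+)$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')

# Constructed sample data; path, option name and SIDs are placeholders.
SAMPLE_LOG = """\
Jan 10 09:14:02 fw php: Starting Snort on WAN
Jan 10 09:14:05 fw snort[4321]: FATAL ERROR: /example/rules/snort.rules(3) Unknown rule option: 'example_opt'.
Jan 10 09:20:41 fw snort[4388]: FATAL ERROR: /example/rules/snort.rules(3) Unknown rule option: 'example_opt'.
Jan 10 09:21:00 fw sshd[900]: Accepted publickey for admin
"""
SAMPLE_RULES = """\
# constructed rules file
alert tcp any any -> any 80 (msg:"EXAMPLE-CAT-A first rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE-CAT-B needs option"; example_opt; sid:1000002; rev:1;)
"""

def find_start_failures(log_text, rules_text=None):
    """Return one dict per distinct (file, line) that stopped Snort from starting."""
    rules = rules_text.splitlines() if rules_text else []
    seen = OrderedDict()
    for entry in log_text.splitlines():
        m = FATAL_RE.search(entry)
        if not m:
            continue  # not a Snort fatal error line
        key = (m["path"], int(m["line"]))
        hit = seen.setdefault(key, {"path": key[0], "line": key[1],
                                    "reason": m["reason"], "count": 0,
                                    "sid": None, "msg": None})
        hit["count"] += 1  # repeated start attempts fail on the same rule
        # Rule file line numbers are 1-based; guard against a stale or short file.
        if 1 <= key[1] <= len(rules):
            rule = rules[key[1] - 1]
            sid, msg = SID_RE.search(rule), MSG_RE.search(rule)
            hit["sid"] = int(sid.group(1)) if sid else None
            hit["msg"] = msg.group(1) if msg else None
    return list(seen.values())

if __name__ == "__main__":
    for f in find_start_failures(SAMPLE_LOG, SAMPLE_RULES):
        print(f"{f['path']}:{f['line']} x{f['count']} sid={f['sid']} "
              f"msg={f['msg']!r} -> {f['reason']}")
```

The `sid` and `msg` identify the rule Snort stopped on, which narrows down which enabled category (or missing preprocessor) to look at before trying to start it again.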
 