[Snort-users] Snort Services Failed to Start

Joel Esler (jesler) jesler at ...589...
Tue Jun 24 11:16:57 EDT 2014


I’m just telling you what the error means:

Jun 24 13:00:31 discovery snort[789]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSH version 1.1.3 (-2)
Jun 24 13:00:31 discovery snort[784]: Starting snort: ERROR size 840 != 864

So, Snort is trying to load an old preprocessor.  Need to find where it is trying to load it from (in your snort.conf) and delete it.


On Jun 24, 2014, at 11:13 AM, <greg.mcnathansonsnuf003 at ...16876...> wrote:

Hello Joel,

thanks for your help.

I'm sure  /usr/local/lib/snort_dynamicpreprocessor  contains only files from 2.9.6.1, because I deleted the dir before installation.

ls -l /usr/local/lib/snort_dynamicpreprocessor

total 13704
-rw-r--r--. 1 root root 2929744 Jun  2 23:54 libsf_dce2_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_dce2_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dce2_preproc.so -> libsf_dce2_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dce2_preproc.so.0 -> libsf_dce2_preproc.so.0.0.0
-rwxr-xr-x. 1 root root 1670215 Jun  2 23:54 libsf_dce2_preproc.so.0.0.0
-rw-r--r--. 1 root root  351914 Jun  2 23:54 libsf_dnp3_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_dnp3_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dnp3_preproc.so -> libsf_dnp3_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_dnp3_preproc.so.0 -> libsf_dnp3_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  246414 Jun  2 23:54 libsf_dnp3_preproc.so.0.0.0
-rw-r--r--. 1 root root  127602 Jun  2 23:54 libsf_dns_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_dns_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_dns_preproc.so -> libsf_dns_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_dns_preproc.so.0 -> libsf_dns_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  132305 Jun  2 23:54 libsf_dns_preproc.so.0.0.0
-rw-r--r--. 1 root root 1096660 Jun  2 23:54 libsf_ftptelnet_preproc.a
-rwxr-xr-x. 1 root root    1310 Jun  2 23:54 libsf_ftptelnet_preproc.la
lrwxrwxrwx. 1 root root      32 Jun  2 23:54 libsf_ftptelnet_preproc.so -> libsf_ftptelnet_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      32 Jun  2 23:54 libsf_ftptelnet_preproc.so.0 -> libsf_ftptelnet_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  650168 Jun  2 23:54 libsf_ftptelnet_preproc.so.0.0.0
-rw-r--r--. 1 root root  361626 Jun  2 23:54 libsf_gtp_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_gtp_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_gtp_preproc.so -> libsf_gtp_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_gtp_preproc.so.0 -> libsf_gtp_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  231840 Jun  2 23:54 libsf_gtp_preproc.so.0.0.0
-rw-r--r--. 1 root root  480042 Jun  2 23:54 libsf_imap_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_imap_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_imap_preproc.so -> libsf_imap_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_imap_preproc.so.0 -> libsf_imap_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  354247 Jun  2 23:54 libsf_imap_preproc.so.0.0.0
-rw-r--r--. 1 root root  314326 Jun  2 23:54 libsf_modbus_preproc.a
-rwxr-xr-x. 1 root root    1289 Jun  2 23:54 libsf_modbus_preproc.la
lrwxrwxrwx. 1 root root      29 Jun  2 23:54 libsf_modbus_preproc.so -> libsf_modbus_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      29 Jun  2 23:54 libsf_modbus_preproc.so.0 -> libsf_modbus_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  193645 Jun  2 23:54 libsf_modbus_preproc.so.0.0.0
-rw-r--r--. 1 root root  473890 Jun  2 23:54 libsf_pop_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_pop_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_pop_preproc.so -> libsf_pop_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_pop_preproc.so.0 -> libsf_pop_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  348693 Jun  2 23:54 libsf_pop_preproc.so.0.0.0
-rw-r--r--. 1 root root  255888 Jun  2 23:54 libsf_reputation_preproc.a
-rwxr-xr-x. 1 root root    1317 Jun  2 23:54 libsf_reputation_preproc.la
lrwxrwxrwx. 1 root root      33 Jun  2 23:54 libsf_reputation_preproc.so -> libsf_reputation_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      33 Jun  2 23:54 libsf_reputation_preproc.so.0 -> libsf_reputation_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  268676 Jun  2 23:54 libsf_reputation_preproc.so.0.0.0
-rw-r--r--. 1 root root  459080 Jun  2 23:54 libsf_sdf_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_sdf_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sdf_preproc.so -> libsf_sdf_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sdf_preproc.so.0 -> libsf_sdf_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  256103 Jun  2 23:54 libsf_sdf_preproc.so.0.0.0
-rw-r--r--. 1 root root  567996 Jun  2 23:54 libsf_sip_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_sip_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sip_preproc.so -> libsf_sip_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_sip_preproc.so.0 -> libsf_sip_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  336522 Jun  2 23:54 libsf_sip_preproc.so.0.0.0
-rw-r--r--. 1 root root  767290 Jun  2 23:54 libsf_smtp_preproc.a
-rwxr-xr-x. 1 root root    1275 Jun  2 23:54 libsf_smtp_preproc.la
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_smtp_preproc.so -> libsf_smtp_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      27 Jun  2 23:54 libsf_smtp_preproc.so.0 -> libsf_smtp_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  473661 Jun  2 23:54 libsf_smtp_preproc.so.0.0.0
-rw-r--r--. 1 root root  124594 Jun  2 23:54 libsf_ssh_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_ssh_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssh_preproc.so -> libsf_ssh_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssh_preproc.so.0 -> libsf_ssh_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  130553 Jun  2 23:54 libsf_ssh_preproc.so.0.0.0
-rw-r--r--. 1 root root  160256 Jun  2 23:54 libsf_ssl_preproc.a
-rwxr-xr-x. 1 root root    1268 Jun  2 23:54 libsf_ssl_preproc.la
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssl_preproc.so -> libsf_ssl_preproc.so.0.0.0
lrwxrwxrwx. 1 root root      26 Jun  2 23:54 libsf_ssl_preproc.so.0 -> libsf_ssl_preproc.so.0.0.0
-rwxr-xr-x. 1 root root  147687 Jun  2 23:54 libsf_ssl_preproc.so.0.0.0

In snort.conf the path is correctly set:

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor


What else can I do?


Greg



Sent: Tuesday, June 24, 2014 at 16:16
From: "Joel Esler (jesler)" <jesler at ...589...>
To: "greg.mcnathansonsnuf003 at ...16876..." <greg.mcnathansonsnuf003 at ...16876...>
Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort Services Failed to Start

Looks like you are using the 2.9.5.6 dynamic preprocessors with Snort 2.9.6.1.  You’ll probably want to delete things in /usr/local/lib/snort_dynamicpreprocessor and reinstall 2.9.6.1.


On Jun 24, 2014, at 9:12 AM, greg.mcnathansonsnuf003 at ...16876... wrote:

Hi snort experts,

is there any solution for this?
I have the same problem as Steven Vona.

Starting snort: ERROR size 840 != 864

I updated from snort 2.9.5.6 to version 2.9.6.1 on a Fedora 20 machine (x86_64). (Kernel 3.14.4-200.fc20.x86_64)

journalctl -b -0 -u snort.service

...
Jun 24 13:00:30 discovery snort[789]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor...
Jun 24 13:00:30 discovery snort[789]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so...
Jun 24 13:00:30 discovery snort[789]: done
...
Jun 24 13:00:31 discovery snort[789]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
Jun 24 13:00:31 discovery snort[789]: done
Jun 24 13:00:31 discovery snort[789]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor
Jun 24 13:00:31 discovery snort[789]: Log directory = /var/log/snort
....
Jun 24 13:00:31 discovery snort[789]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Jun 24 13:00:31 discovery snort[789]: alert_fragments: INACTIVE
Jun 24 13:00:31 discovery snort[789]: alert_large_fragments: INACTIVE
Jun 24 13:00:31 discovery snort[789]: alert_incomplete: INACTIVE
Jun 24 13:00:31 discovery snort[789]: alert_multiple_requests: INACTIVE
Jun 24 13:00:31 discovery snort[789]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSH version 1.1.3 (-2)
Jun 24 13:00:31 discovery snort[784]: Starting snort: ERROR size 840 != 864
Jun 24 13:00:31 discovery snort[784]: [FAILED]
Jun 24 13:00:31 discovery snort[822]: Stopping snort: [FAILED]
Jun 24 13:00:31 discovery systemd[1]: Started Snort IDS system.

The /usr/local/lib/snort_dynamicpreprocessor directory contains only new files from snort 2.9.6.1.


Config parameters for installation of snort 2.9.6.1:

$ ./configure --enable-sourcefire --enable-zlib --enable-reload --enable-reload-error-restart

Config parameters for installation of daq 2.0.2:

$ ./configure


I haven't been able to use libnetfilter_queue libraries and libnfnetlink libraries from the Fedora 20 repository. Usage of these libraries resulted in segmentation faults.
So I use an older version of these libraries (libnetfilter_queue 1.1.0 and libnfnetlink 0.2.0). With these libraries no segmentation faults occurred.

Any ideas, what to do to get snort running?


Any help would be greatly appreciated.

Greg
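
One way to carry out the check suggested in this thread, finding every place Snort is told to load dynamic libraries from. This is an added example, not code from the thread or from the Snort project. The function names and the sample snort.conf are constructed, and it goes slightly beyond the thread by also covering the dynamicengine and dynamicdetection directives and the equivalent command-line options in a startup script:

```shell
#!/bin/sh
# Added example: list every dynamic-library location a Snort 2.x config
# names and flag any that lie outside the directory you expect.

# usage: snort_dynlib_audit CONF EXPECTED_PREFIX
# output: status<TAB>line<TAB>directive<TAB>file|directory<TAB>path
snort_dynlib_audit() {
    awk -v prefix="$2" '
        BEGIN { sub(/\/+$/, "", prefix) }          # tolerate a trailing slash
        { sub(/#.*/, "") }                         # drop comments
        $1 ~ /^dynamic(preprocessor|engine|detection)$/ && NF >= 2 {
            kind = "file"; path = $2               # file/directory keyword is optional
            if ($2 == "file" || $2 == "directory") { kind = $2; path = $3 }
            # compare whole path components so /usr/local/lib64 != /usr/local/lib
            status = (index(path "/", prefix "/") == 1) ? "expected" : "UNEXPECTED"
            printf "%s\t%d\t%s\t%s\t%s\n", status, NR, $1, kind, path
        }
    ' "$1"
}

# usage: snort_cli_dynlib_flags FILE   (init script, sysconfig file or unit file)
# Prints numbered lines that pass library locations on the snort command line.
snort_cli_dynlib_flags() {
    grep -n -E -e '--dynamic-(preprocessor|engine|detection)-lib(-dir)?' "$1"
}

# Constructed sample config (not the real snort.conf from this thread).
sample_conf() {
    cat <<'EOF'
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#dynamicpreprocessor file /opt/snort-old/lib/libsf_dns_preproc.so
dynamicpreprocessor file /opt/snort-old/lib/libsf_ssh_preproc.so
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
snort_dynlib_audit "$tmp" /usr/local/lib
rm -f "$tmp"
```

Any line reported as UNEXPECTED, or any hit from snort_cli_dynlib_flags on the service's startup script, is a second load location worth comparing against the Snort binary that the service actually starts.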





