Netgate Discussion Forum

    SNORT no longer scanning Stopped 6/28/24 at 21 hour

    • The Party of Hell No

      First, apologies if this is the wrong place to start.

      Open SNORT page, click on interfaces, all looks good for a few seconds and then all the green icons change to empty rectangular boxes. No snort entries on GUI since 06/28/24. The last entries in the log - application scan said DNS from my wife's laptop to the DNS servers offered by my ISP.

      No changes to SNORT or pfSense immediately preceding the stoppage. Last change in the previous 7 days was the update of patch manager.

      Is there an update to SNORT which is not being offered to 24.03-RELEASE? The reason is SNORT is acting like it needs to be updated.

      • SteveITS Galactic Empire @The Party of Hell No

        @The-Party-of-Hell-No what is “patch manager”?

        You can reinstall the snort (any) package from system/packages.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • stephenw10 Netgate Administrator @The Party of Hell No

          @The-Party-of-Hell-No said in SNORT no longer scanning Stopped 6/28/24 at 21 hour:

          then all the green icons change to empty rectangular boxes.

          That sounds like a client side cache issue, icons not loaded. Try a different browser.

          • The Party of Hell No @stephenw10

            @stephenw10
            Well, I tried Edge - same thing: a few seconds of green check, then a small blank rectangle.
            Also does not explain lack of alerts in the dashboard. I am making an assumption if the green check does not stay and no alerts - showing real time scans - then I assume Snort is not working.

            • The Party of Hell No @SteveITS

              @SteveITS
              Okay, okay not the patch manager - System - Patch which required an update.
              So I have executed a reinstall of the package and nothing changed; should I get more aggressive and delete/remove SNORT and then install the package?

              • stephenw10 Netgate Administrator

                Check the system logs after you try to start it.

                • The Party of Hell No @stephenw10

                  @stephenw10
                  So I started an archived boot environment and had the same problem.
                  Yes in the System Logs, General there are hundreds? of:
                  Invalid direct service AppId, 5340, for 0x8457b4c20 0x1b5a706b6e80
                  with many different digits not all the same.
                  and:
                  AppInfo: AppId 7338 is UNKNOWN
                  multiple with differing 4 digit numbers.

                  • stephenw10 Netgate Administrator

                    Hmm, sounds like it's pulled in some invalid signatures. Or doesn't have pre-processors enabled for the signatures it has. And just did it again from the older BE.

                    Try disabling OpenAppID.

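An added example, not part of the thread and not pfSense or Snort code: a small script that counts the two OpenAppID messages quoted above in an exported system log, grouped by AppId, so the log can be compared before and after disabling OpenAppID. The sample log lines are constructed; only the two message bodies come from the thread, and the timestamp/host/process prefix is an assumption.

```python
import re
import sys
from collections import Counter

# Message bodies as quoted in the thread; the numeric fields vary per line.
INVALID_RE = re.compile(
    r"Invalid direct service AppId, (\d+), for 0x[0-9a-fA-F]+ 0x[0-9a-fA-F]+")
UNKNOWN_RE = re.compile(r"AppInfo: AppId (\d+) is UNKNOWN")

# Constructed sample. The timestamp/host/process prefix is an assumption;
# the regexes ignore it, so any syslog prefix works.
SAMPLE_LOG = """\
Jul  1 10:00:01 fw snort[1234]: Invalid direct service AppId, 5340, for 0x8457b4c20 0x1b5a706b6e80
Jul  1 10:00:01 fw snort[1234]: Invalid direct service AppId, 5340, for 0x8457b4c20 0x1b5a706b7000
Jul  1 10:00:01 fw snort[1234]: Invalid direct service AppId, 5341, for 0x8457b4c20 0x1b5a706b7180
Jul  1 10:00:02 fw snort[1234]: AppInfo: AppId 7338 is UNKNOWN
Jul  1 10:00:02 fw snort[1234]: AppInfo: AppId 7339 is UNKNOWN
Jul  1 10:00:03 fw kernel: em0: link state changed to UP
"""


def summarize(lines):
    """Count both message types per AppId; keep first and last matching line."""
    invalid, unknown = Counter(), Counter()
    first = last = None
    for raw in lines:
        line = raw.rstrip("\n")
        for regex, bucket in ((INVALID_RE, invalid), (UNKNOWN_RE, unknown)):
            match = regex.search(line)
            if match:
                bucket[int(match.group(1))] += 1
                first = first if first is not None else line
                last = line
    total = sum(invalid.values()) + sum(unknown.values())
    return {"total": total, "invalid": invalid, "unknown": unknown,
            "first": first, "last": last}


if __name__ == "__main__":
    # Pass an exported log file as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report = summarize(fh)
    else:
        report = summarize(SAMPLE_LOG.splitlines())
    print(f"OpenAppID complaints: {report['total']}")
    print(f"  invalid direct service AppIds: {dict(report['invalid'])}")
    print(f"  unknown AppIds: {dict(report['unknown'])}")
    print(f"  first: {report['first']}")
    print(f"  last:  {report['last']}")
```

A total of zero on log lines written after OpenAppID is disabled means these two messages have stopped appearing.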
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.