Snort exited on signal 11
-
I have an issue where Snort exits when it updates rules. I can manually start it and it starts and runs fine, until the next update when it fails again.
Here is what I see in the logs:
Feb 8 12:05:23 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Feb 8 12:05:22 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for LAN…
Feb 8 12:05:22 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
Feb 8 12:05:20 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
Feb 8 12:05:20 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 49 obsoleted rules category files.
Feb 8 12:05:20 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Feb 8 12:05:18 kernel pid 3372 (snort), uid 0: exited on signal 11
Feb 8 12:05:14 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
Feb 8 12:05:14 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date…
Feb 8 12:05:11 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Feb 8 12:05:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2990.tar.gz…
The update completes but Snort is not running after that. I would appreciate any suggestions.
Thanks!
-
This is still occurring… today I see 'exited on signal 10'.
Mar 14 00:06:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Mar 14 00:06:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for LAN…
Mar 14 00:05:59 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 51 obsoleted rules category files.
Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Mar 14 00:05:56 kernel pid 23837 (snort), uid 0: exited on signal 10
Mar 14 00:05:48 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
Mar 14 00:05:23 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
Mar 14 00:05:22 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date…
Mar 14 00:05:21 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Mar 14 00:05:01 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2990.tar.gz…
I would appreciate any advice on how to troubleshoot this issue.
-
Signal 10 is a bus error and usually indicates the program binary attempted some type of unaligned memory access. What hardware are you running on? Is it perhaps an ARM CPU? If so, you most definitely need to update to the latest Snort 2.9.11.1 package. That package has some fixes for ARM hardware. From your log post, you are running version 2.9.9.0, which is not the latest.
Bill
-
Thanks for the tip, I had missed that I was not running the latest package. I'm running an Intel CPU:
Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
I've installed the latest snort package, hopefully that will take care of it.
-
Thanks for the tip, I had missed that I was not running the latest package. I'm running an Intel CPU:
Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
I've installed the latest snort package, hopefully that will take care of it.
A Signal 10 would be very unexpected on an Intel CPU with Snort. On an Intel platform that may indicate a possibly failing memory chip or other memory component. Signal 11 is not unheard of, but Signal 10 is rare.
Bill
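Added example, not part of any post in this thread: a small Python script that reads a system log in the format quoted above, finds every Snort "exited on signal" line, names the signal, and reports whether the crash fell inside a rules-update run. The sample log is constructed, the function names are hypothetical, and the signal table assumes FreeBSD numbering.

```python
import re
from datetime import datetime

# Assumption: FreeBSD signal numbers (Linux numbers SIGBUS differently).
SIGNALS = {10: "SIGBUS", 11: "SIGSEGV"}
UPDATER = "snort_check_for_rule_updates.php"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (.*)$")
CRASH = re.compile(r"kernel pid (\d+) \(snort\), uid \d+: exited on signal (\d+)")

# Constructed sample modelled on the lines in the thread (newest first).
SAMPLE_LOG = """\
Mar 14 00:06:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN
Mar 14 00:05:56 kernel pid 23837 (snort), uid 0: exited on signal 10
Mar 14 00:05:01 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted.
Mar 13 18:22:10 kernel pid 1200 (snort), uid 0: exited on signal 11
"""

def parse(log):
    """Return (timestamp, message) pairs, oldest first."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # Syslog omits the year; pin one so timestamps compare.
            when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            events.append((when, m.group(2)))
    events.reverse()  # keep same-second lines in written order
    return sorted(events, key=lambda e: e[0])

def crashes_vs_updates(log):
    """List (time, pid, signal, inside_update_window) for each Snort crash."""
    events = parse(log)
    windows, start = [], None
    for when, msg in events:
        if UPDATER in msg:
            start = start or when  # first updater line opens a window
            if "The Rules update has finished" in msg:
                windows.append((start, when))
                start = None
    report = []
    for when, msg in events:
        m = CRASH.search(msg)
        if m:
            sig = int(m.group(2))
            inside = any(s <= when <= e for s, e in windows)
            report.append((when.strftime("%b %d %H:%M:%S"), int(m.group(1)),
                           SIGNALS.get(sig, f"signal {sig}"), inside))
    return report
```

Crashes that only ever land inside an update window point at the rule reload path; crashes at arbitrary times fit the failing-memory explanation better.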