Netgate Discussion Forum

    Snort initialization failure

    pfSense Packages
      PC_Arcade

      Yep, me. I've only been running SNORT.

      Although I will add Squid as soon as it becomes available again.

      acs uses significantly less memory for me too and also works as intended. Thank coldfusion

        sullrich

        @yoda715:

        Question is, why?

        No idea.  This is now a SNORT issue and this should be asked on their lists.

          PC_Arcade

          I think the latest version of SNORT (2.6.1.1) fixes this issue

            yoda715

            Not sure if this fixes our issue.

            This is the issue solved in 2.6.1.1: "Fix problem with snort using high CPU and reprocessing the same rebuilt packets at session end or ACK in middle of packet when there are gaps in the packet sequence."

              PC_Arcade

              certainly seems to :)

              Running in sparsebands now, only been up for ~5 minutes, but that's ~3 more than I've managed before

                yoda715

                I updated to the 2.6.1.1 version and now I can't even get Snort to boot up on any performance setting. I am getting brand new errors now:

                Nov 24 14:53:39 snort2c[1571]: unable to open alertfile - exit
                Nov 24 14:53:39 snort2c[1571]: unable to open alertfile - exit
                Nov 24 14:53:39 snort2c[1571]: snort2c running in daemon mode pid: 1571
                Nov 24 14:53:39 snort2c[1571]: snort2c running in daemon mode pid: 1571

                I am running the 1.0.1-SNAPSHOT-11-24-2006

                  sullrich

                  Oh bugger. I'll check it out a bit later tonight.

                    yoda715

                    Thanks Scott.

                      PC_Arcade

                      Didn't do that for me, BUT it also didn't trigger any alerts

                        yoda715

                        Try running a port scan from http://www.grc.com. You should see it appear in alert as a ping.

                          ColdFusion

                          I'm pretty much screwed with the same alert after I upgraded SNORT. Now the service will not start and stay running.

                            yoda715

                            Scott, I see where you reverted snort back to the 2.6.0.2.5. I reverted back to that version and I'm still getting the same error. The trouble must be in the latest snapshot.

                              PC_Arcade

                              @yoda715:

                              Try running a port scan from http://www.grc.com. You should see it appear in alert as a ping.

                              I know, and it doesn't.

                              I've reverted back to the older version and it still doesn't raise any alerts at all  ???

                                yoda715

                                What snapshot are you running? I'm thinking it has something to do with that since I too reverted back to the older version of snort.

                                  ColdFusion

                                  Version 1.01

                                    PC_Arcade

                                    @yoda715:

                                    What snapshot are you running? I'm thinking it has something to do with that since I too reverted back to the older version of snort.

                                    1.0.1-SNAPSHOT-11-19-2006

                                      ColdFusion

                                      Well, it boiled down to me just re-installing pfSense (1.01) and re-installing SNORT. It started fine. I kept getting "could not open alert file" no matter what I did... but now (keeping my fingers crossed) everything looks good.

                                        PC_Arcade

                                        I think I'd rather do without snort than re-install from scratch

                                          sullrich

                                          Back up your configuration, reinstall, restore configuration.

                                          It takes about 6 minutes on an 800 MHz machine.

                                            hoba

                                            If you back up your configuration to a medium (floppy/USB stick) to /conf/config.xml, your users will only see 2 short downtimes while the pfSense is rebooting. The LiveCD will come up with your old config and the system will be usable while you are installing it to the HDD  ;)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.