Upgrade Snort ASAP
-
Sounds like memory issues to me. Try to disable some rules or test with only a few rules enabled just to confirm this assumption.
-
I uninstalled it and reinstalled it yet again… and now it works fine (for now), going on an hour without messing up. I have all the rulesets enabled and AC-sparsebands, same setup I had last time.
So, I'm chalking it up to gremlins. That and the fact that Comcast scans me about a trillion times a day :p Probably testing out that exploit on their customers..... jerks.
Thanks for your help.
-
I would not advise running all rulesets with only 460 RAM. That might be part of your problem. If Snort starts eating up a lot of memory, processes will start to be killed, including Snort. I have 1gig and having all rulesets checked pushes me over 600mb.
-
Hmmm. My upgraded Snort instance was running fine until this morning, when I saw this in my logs:
Feb 23 07:23:17 snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
Feb 23 07:23:17 snort[45790]: FATAL ERROR: Unable to allocate memory! (7566277 bytes in use)
Feb 23 07:13:20 snort2c[45793]: attack detected non-whitelisted ip: 86.97.202.41 blocked !
Has anybody experienced this?
-
Crazy… when looking at >STATUS >SERVICES, Snort seems to be stopped...?
When starting it with the button, it tells me it has been started, and the status still shows Snort as stopped...
Cosmetic error or serious bug?
When starting it in the CLI, it tells me in the last lines:
ERROR: /usr/local/etc/snort/snort.conf(xx) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
Fatal Error, Quitting..
What has happened?
It's the same error on all my 2 local systems…
Seems to have something to do with the xxx-sample files in /usr/local/etc/snort/, because Snort cannot find the xxx.map files, because they are NOT present... only the samples...
I have no idea how they are generated, but perhaps it helps?
You can get it running MANUALLY FROM THE CLI by manually changing in /usr/local/etc/snort/snort.conf:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 to preprocessor http_inspect: global iis_unicode_map unicode.map-sample 1252
include classification.config-sample to include classification.config-sample
include reference.config-sample to include reference.config-sample
or just rename the files above…
-
That is weird. Never had that trouble. Reinstall Snort and those files will be regenerated.
-
Yes!
Looking better :-)
-
Hi, just upgraded but Snort won't start? When I'm trying to start it from the command line with "snort -d" I get this error message:
ERROR: /usr/local/etc/snort/snort.conf(42) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.
Fatal Error, Quitting..
Is it a minor bug??
-
Configure it first…
-
I reinstalled the package, and when I looked at the settings it seemed like it was configured (aka: all settings were the same as before).
After I read your answer I just hit the save button, aka resaving the configuration, and now it works :-)
Thank you for superb support :-)
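-
Added example, not part of the original thread and not pfSense or Snort project code: a preflight check for the "Unable to open the IIS Unicode Map file" failure discussed above, listing every file snort.conf references and flagging those where only a "-sample" copy is on disk. The function names `check_snort_conf` and `demo`, the temporary directory and the sample snort.conf lines are constructed assumptions.

```shell
#!/bin/sh
# Preflight for the failure in this thread: snort.conf references files that
# are absent while only their "-sample" copies exist.
# check_snort_conf is a hypothetical helper name, not part of Snort or pfSense.
# Prints one line per referenced file; return status = number of missing files.
check_snort_conf() {
    conf=$1; dir=$(dirname "$conf"); missing=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 255; }
    # File names come from "include <file>" lines and from the
    # iis_unicode_map option; comment lines are skipped.
    files=$(awk '
        /^[ \t]*#/ { next }
        $1 == "include" { print $2 }
        { for (i = 1; i < NF; i++) if ($i == "iis_unicode_map") print $(i + 1) }
    ' "$conf")
    for f in $files; do
        case $f in
            *\$*) echo "SKIP    $f (variable not expanded)"; continue ;;
            /*)   path=$f ;;
            *)    path=$dir/$f ;;
        esac
        if [ -r "$path" ]; then
            echo "OK      $path"
        elif [ -r "$path-sample" ]; then
            echo "MISSING $path (only $path-sample present)"; missing=$((missing + 1))
        else
            echo "MISSING $path"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}
# Constructed demo: a throwaway directory mimicking the state described in the
# thread (only *-sample files on disk), then the same directory with the files
# in place. Succeeds when 3 files are missing before and 0 after.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/snortchk.XXXXXX") || return 1
    printf '%s\n' \
        '# constructed sample, not a real snort.conf' \
        'preprocessor http_inspect: global iis_unicode_map unicode.map 1252' \
        'include classification.config' \
        'include reference.config' \
        'include $RULE_PATH/local.rules' > "$d/snort.conf"
    touch "$d/unicode.map-sample" "$d/classification.config-sample" "$d/reference.config-sample"
    before=0; check_snort_conf "$d/snort.conf" || before=$?
    for s in "$d"/*-sample; do cp "$s" "${s%-sample}"; done
    after=0; check_snort_conf "$d/snort.conf" || after=$?
    rm -rf "$d"
    [ "$before" -eq 3 ] && [ "$after" -eq 0 ]
}
demo
```

Against a real install the call would be `check_snort_conf /usr/local/etc/snort/snort.conf`; a nonzero status means Snort will hit the fatal error on startup until the files are regenerated.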