Snort won't restart
-
I am having a problem with Snort not being able to restart without manual intervention (starting it from Services or rebooting). The error is always the same. I get a scrolling alert that shows (most recent):
.:. 02-05-07 21:34:02 - [squid] .:.
When I check the system logs, I find:
Feb 5 21:34:02 last message repeated 13 times
Feb 5 21:34:01 php: : New alert found: The squid package is missing required dependencies and must be reinstalled.
Feb 5 21:34:00 php: : Reloading Squid for configuration sync
This started a few days ago with the January 30 or 31 snapshot (can't remember which). I have tried all the snapshots up to 1.0.1-Snapshot-02-02-7 built on Mon Feb 5 16:55:31 EST 2007. Rebooting or manually starting it fixes it until the next time it checks for a new DHCP IP on the WAN connection. Even if the IP doesn't change, the check_reload_status triggers rc.newwanip and Snort (as well as Squid) gets restarted.
I have already tried reinstalling Snort and Squid but that only works until the next check_reload_status. The fact that the scrolling error shows Squid and not Snort makes this even more confusing.
-
ditto
-
Same problem.
I will try later to uninstall squid to see if snort keeps running without shutting down,
and after that, if it works, try to uninstall snort and reinstall squid to see if squid runs without
nagging "The squid package is missing required dependencies and must be reinstalled.".
-
After uninstalling squid and keeping snort, I get rid of that nag message about dependencies not installed,
but snort feels like taking a long vacation without my approval;
it shuts down itself. I ran top inside an ssh session, and snort is gone from the process list.
-
**** Running 1.0.1-SNAPSHOT-02-14-2007 built on Fri Feb 16 16:17:51 EST 2007 ****
I got this from the remote syslog.
It looks like some type of termination/restart/whatever happens every time a DHCP renewal occurs.
It sounds strange, at least to me, that snort needs to restart every time there is a DHCP renewal,
plus that it fails a proper restart. Notice the bold parts, and especially "Mar 7 09:40:22 php: : Dynamic WAN interface present. Restarting snort due to filter changes. ".
What type of "filter changes" is it referring to?
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| message |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Mar 7 09:35:34 snort2c[43230]: attack detected non-whitelisted ip: 84.94.24.42 blocked ! |
| Mar 7 09:35:29 last message repeated 4 times |
| Mar 7 09:35:34 snort2c[43230]: attack detected non-whitelisted ip: 84.94.24.42 blocked ! |
| Mar 7 09:36:00 dhclient[42113]: DHCPREQUEST on fxp0 to 81.228.3.186 port 67 |
| Mar 7 09:36:36 last message repeated 2 times |
| Mar 7 09:38:02 last message repeated 4 times |
| Mar 7 09:39:10 dhclient[42113]: DHCPREQUEST on fxp0 to 81.228.3.186 port 67 |
| Mar 7 09:40:05 dhclient[42113]: DHCPREQUEST on fxp0 to 255.255.255.255 port 67 |
| Mar 7 09:40:05 dhclient[42113]: DHCPACK from 81.236.128.1 |
| Mar 7 09:40:06 dhclient[42113]: bound to 81.236.129.20 -- renewal in 600 seconds. |
| Mar 7 09:40:10 check_reload_status: rc.newwanip starting |
| Mar 7 09:40:11 php: : Informational: rc.newwanip is starting. |
| Mar 7 09:40:11 login: login on ttyv0 as root |
| Mar 7 09:40:14 php: : Informational: DHClient spawned /etc/rc.newwanip and the new ip is wan - 81.236.129.20. |
| Mar 7 09:40:14 php: : Creating rrd update script |
| Mar 7 09:40:16 php: : Resyncing configuration for all packages. |
| Mar 7 09:40:16 php: : Configuring slbd |
| Mar 7 09:40:16 snort2c[43230]: SIGTERM received - exiting |
| Mar 7 09:40:16 snort2c[43230]: SIGTERM received - exiting |
| Mar 7 09:40:16 check_reload_status: reloading filter |
| Mar 7 09:40:20 php: : FTP proxy disabled for interface LAN - ignoring. |
| Mar 7 09:40:22 php: : [SNORT] Snort_dynamic_ip_reload.php is starting. |
| Mar 7 09:40:22 php: : Dynamic WAN interface present. Restarting snort due to filter changes. |
| Mar 7 09:40:22 snort[43227]: *** Caught Term-Signal |
| Mar 7 09:40:22 snort[43227]: *** Caught Term-Signal |
| Mar 7 09:40:22 snort[43227]: Final Flow Statistics |
| Mar 7 09:40:22 snort[43227]: Final Flow Statistics |
| Mar 7 09:40:22 snort[43227]: ,----[ FLOWCACHE STATS ]---------- |
| Mar 7 09:40:22 snort[43227]: ,----[ FLOWCACHE STATS ]---------- |
| Mar 7 09:40:22 snort[43227]: Memcap: 10485760 Overhead Bytes 16400 used(%10.246935)/blocks (1074469/5912) Overhead blocks: 1 Could Hold: (58579) |
| Mar 7 09:40:22 snort[43227]: Memcap: 10485760 Overhead Bytes 16400 used(%10.246935)/blocks (1074469/5912) Overhead blocks: 1 Could Hold: (58579) |
| Mar 7 09:40:22 snort[43227]: IPV4 count: 5911 frees: 0 low_time: 1173255892, high_time: 1173256162, diff: 0h:04:30s |
| Mar 7 09:40:22 snort[43227]: IPV4 count: 5911 frees: 0 low_time: 1173255892, high_time: 1173256162, diff: 0h:04:30s |
| Mar 7 09:40:22 snort[43227]: finds: 4945728 reversed: 3126933(%0.000000) find_success: 4939817 find_fail: 5911 percent_success: (%0.000000) new_flows: 5911 |
| Mar 7 09:40:22 snort[43227]: finds: 4945728 reversed: 3126933(%0.000000) find_success: 4939817 find_fail: 5911 percent_success: (%0.000000) new_flows: 5911 |
| Mar 7 09:40:22 snort[43227]: Protocol: 1 (%0.000000) finds: 362 reversed: 80(%0.000000) find_success: 186 find_fail: 176 percent_success: (%0.000000) new_flows: 176 |
| Mar 7 09:40:22 snort[43227]: Protocol: 1 (%0.000000) finds: 362 reversed: 80(%0.000000) find_success: 186 find_fail: 176 percent_success: (%0.000000) new_flows: 176 |
| Mar 7 09:40:22 snort[43227]: Protocol: 6 (%0.000000) finds: 4935248 reversed: 3122716(%0.000000) find_success: 4933800 find_fail: 1448 percent_success: (%0.000000) new_flows: 1448 |
| Mar 7 09:40:22 snort[43227]: Protocol: 6 (%0.000000) finds: 4935248 reversed: 3122716(%0.000000) find_success: 4933800 find_fail: 1448 percent_success: (%0.000000) new_flows: 1448 |
| Mar 7 09:40:22 snort[43227]: Protocol: 17 (%0.000000) finds: 10118 reversed: 4137(%0.000000) find_success: 5831 find_fail: 4287 percent_success: (%0.000000) new_flows: 4287 |
| Mar 7 09:40:22 snort[43227]: Protocol: 17 (%0.000000) finds: 10118 reversed: 4137(%0.000000) find_success: 5831 find_fail: 4287 percent_success: (%0.000000) new_flows: 4287 |
| Mar 7 09:40:22 snort[43227]: Snort received 3818455 packets |
| Mar 7 09:40:22 snort[43227]: Snort received 3818455 packets |
| Mar 7 09:40:22 snort[43227]: Analyzed: 3809475(99.765%) |
| Mar 7 09:40:22 snort[43227]: Analyzed: 3809475(99.765%) |
| Mar 7 09:40:22 snort[43227]: Dropped: 8842(0.232%) |
| Mar 7 09:40:22 snort[43227]: Dropped: 8842(0.232%) |
| Mar 7 09:40:22 snort[43227]: Outstanding: 138(0.004%) |
| Mar 7 09:40:22 snort[43227]: Outstanding: 138(0.004%) |
| Mar 7 09:40:22 snort[43227]: =============================================================================== |
| Mar 7 09:40:22 snort[43227]: =============================================================================== |
| Mar 7 09:40:22 snort[43227]: Breakdown by protocol: |
| Mar 7 09:40:22 snort[43227]: Breakdown by protocol: |
| Mar 7 09:40:22 snort[43227]: TCP: 3751895 (98.489%) |
| Mar 7 09:40:22 snort[43227]: TCP: 3751895 (98.489%) |
| Mar 7 09:40:22 snort[43227]: UDP: 10122 (0.266%) |
| Mar 7 09:40:22 snort[43227]: UDP: 10122 (0.266%) |
| Mar 7 09:40:22 snort[43227]: ICMP: 365 (0.010%) |
| Mar 7 09:40:22 snort[43227]: ICMP: 365 (0.010%) |
| Mar 7 09:40:22 snort[43227]: ARP: 47058 (1.235%) |
| Mar 7 09:40:22 snort[43227]: ARP: 47058 (1.235%) |
| Mar 7 09:40:22 snort[43227]: EAPOL: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: EAPOL: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: IPv6: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: IPv6: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: ETHLOOP: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: ETHLOOP: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: IPX: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: IPX: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: FRAG: 8 (0.000%) |
| Mar 7 09:40:22 snort[43227]: FRAG: 8 (0.000%) |
| Mar 7 09:40:22 snort[43227]: OTHER: 31 (0.001%) |
| Mar 7 09:40:22 snort[43227]: OTHER: 31 (0.001%) |
| Mar 7 09:40:22 snort[43227]: DISCARD: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: DISCARD: 0 (0.000%) |
| Mar 7 09:40:22 snort[43227]: =============================================================================== |
| Mar 7 09:40:22 snort[43227]: =============================================================================== |
| Mar 7 09:40:22 snort[43227]: Action Stats: |
| Mar 7 09:40:22 snort[43227]: Action Stats: |
| Mar 7 09:40:22 snort[43227]: ALERTS: 3 |
| Mar 7 09:40:22 snort[43227]: ALERTS: 3 |
| Mar 7 09:40:22 snort[43227]: Fragmentation Stats: |
| Mar 7 09:40:22 snort[43227]: Fragmentation Stats: |
| Mar 7 09:40:22 snort[43227]: Fragmented IP Packets: 8 (0.000%) |
| Mar 7 09:40:22 snort[43227]: Fragmented IP Packets: 8 (0.000%) |
| Mar 7 09:40:22 snort[43227]: Fragment Trackers: 4 |
| Mar 7 09:40:22 snort[43227]: Fragment Trackers: 4 |
| Mar 7 09:40:22 snort[43227]: Rebuilt IP Packets: 0 |
| Mar 7 09:40:22 snort[43227]: Rebuilt IP Packets: 0 |
| Mar 7 09:40:22 snort[43227]: Frag elements used: 0 |
| Mar 7 09:40:22 snort[43227]: Frag elements used: 0 |
| Mar 7 09:40:22 snort[43227]: Discarded(incomplete): 0 |
| Mar 7 09:40:22 snort[43227]: Discarded(incomplete): 0 |
| Mar 7 09:40:22 snort[43227]: Discarded(timeout): 1 |
| Mar 7 09:40:22 snort[43227]: Discarded(timeout): 1 |
| Mar 7 09:40:22 snort[43227]: Frag2 memory faults: 0 |
| Mar 7 09:40:22 snort[43227]: Frag2 memory faults: 0 |
| Mar 7 09:40:22 snort[43227]: =============================================================================== |
| Mar 7 09:40:22 snort[43227]: =============================================================================== |
| Mar 7 09:40:22 snort[43227]: TCP Stream Reassembly Stats: |
| Mar 7 09:40:22 snort[43227]: TCP Stream Reassembly Stats: |
| Mar 7 09:40:22 snort[43227]: TCP Packets Used: 3751884 (98.488%) |
| Mar 7 09:40:22 snort[43227]: TCP Packets Used: 3751884 (98.488%) |
| Mar 7 09:40:22 snort[43227]: Stream Trackers: 2006 |
| Mar 7 09:40:22 snort[43227]: Stream Trackers: 2006 |
| Mar 7 09:40:22 snort[43227]: Stream flushes: 1183364 |
| Mar 7 09:40:22 snort[43227]: Stream flushes: 1183364 |
| Mar 7 09:40:22 snort[43227]: Segments used: 2363635 |
| Mar 7 09:40:22 snort[43227]: Segments used: 2363635 |
| Mar 7 09:40:22 snort[43227]: Segments Queued: 2363246 |
| Mar 7 09:40:22 snort[43227]: Segments Queued: 2363246 |
| Mar 7 09:40:22 snort[43227]: Stream4 Memory Faults: 0 |
| Mar 7 09:40:34 SnortStartup[48565]: Ram free BEFORE starting Snort: 15M -- Ram free AFTER starting Snort: 15M -- Mode ac-sparsebands -- Snort memory usage: |
| Mar 7 09:40:42 SnortStartup[48598]: Ram free BEFORE starting Snort: 15M -- Ram free AFTER starting Snort: 15M -- Mode ac-sparsebands -- Snort memory usage: |
| Mar 7 09:40:42 check_reload_status: updating dyndns |
| Mar 7 09:41:18 dnsmasq[524]: reading /etc/resolv.conf |
| Mar 7 09:41:18 dnsmasq[524]: using nameserver 195.67.199.41#53 |
| Mar 7 09:41:18 dnsmasq[524]: using nameserver 195.67.199.40#53 |
| Mar 7 09:41:18 dnsmasq[524]: using nameserver 195.67.199.39#53 |
-
This behavior was changed in the last week. Please upgrade to a recent snapshot.
-
Ahh, thanks for the update :D.
-
It's back :'(.
Running 1.0.1-SNAPSHOT-03-18-2007 built on Thu Mar 8 22:14:44 EST 2007.
Got this from syslog:
| Mar 13 02:16:32 snort2c[87594]: attack detected non-whitelisted ip: 60.27.190.214 blocked ! |
| Mar 13 02:17:57 dhclient[81270]: DHCPREQUEST on xl1 to 255.255.255.255 port 67 |
| Mar 13 02:17:57 dhclient[81270]: DHCPACK from 81.236.128.1 |
| Mar 13 02:17:57 dhclient[81270]: bound to 81.236.134.3 -- renewal in 600 seconds. |
| Mar 13 02:27:57 dhclient[81270]: DHCPREQUEST on xl1 to 81.228.3.186 port 67 |
| Mar 13 02:28:28 last message repeated 3 times |
| Mar 13 02:29:58 last message repeated 2 times |
| Mar 13 02:35:03 last message repeated 2 times |
| Mar 13 02:37:58 dhclient[81270]: DHCPDISCOVER on xl1 to 255.255.255.255 port 67 interval 8 |
| Mar 13 02:37:58 dhclient[81270]: DHCPOFFER from 81.236.128.1 |
| Mar 13 02:38:00 dhclient[81270]: DHCPREQUEST on xl1 to 255.255.255.255 port 67 |
| Mar 13 02:38:00 dhclient[81270]: DHCPACK from 81.236.128.1 |
| Mar 13 02:38:00 dhclient[81270]: bound to 81.236.134.3 -- renewal in 600 seconds. |
| Mar 13 02:38:01 login: login on ttyv0 as root |
| Mar 13 02:38:10 snort2c[87594]: SIGTERM received - exiting |
| Mar 13 02:38:28 SnortStartup[74604]: Ram free BEFORE starting Snort: 40M -- Ram free AFTER starting Snort: 39M -- Mode ac-sparsebands -- Snort memory usage: |
| Mar 13 02:38:28 snort[87591]: *** Caught Term-Signal |
| Mar 13 02:38:28 snort[87591]: Final Flow Statistics |
| Mar 13 02:38:28 snort[87591]: ,----[ FLOWCACHE STATS ]---------- |
| Mar 13 02:38:28 snort[87591]: Memcap: 10485760 Overhead Bytes 16400 used(%79.610596)/blocks (8347776/46545) Overhead blocks: 1 Could Hold: (58579) |
| Mar 13 02:38:28 snort[87591]: IPV4 count: 46544 frees: 0 low_time: 1173728308, high_time: 1173747400, diff: 5h:18:12s |
| Mar 13 02:38:28 snort[87591]: finds: 130156627 reversed: 68755550(%0.000000) find_success: 130110083 find_fail: 46544 percent_success: (%0.000000) new_flows: 46544 |
| Mar 13 02:38:28 snort[87591]: Protocol: 1 (%0.000000) finds: 4265 reversed: 1352(%0.000000) find_success: 3427 find_fail: 838 percent_success: (%0.000000) new_flows: 838 |
| Mar 13 02:38:28 snort[87591]: Protocol: 6 (%0.000000) finds: 130118608 reversed: 68746792(%0.000000) find_success: 130092296 find_fail: 26312 percent_success: (%0.000000) new_flows: 26312 |
| Mar 13 02:38:28 snort[87591]: Protocol: 17 (%0.000000) finds: 33754 reversed: 7406(%0.000000) find_success: 14360 find_fail: 19394 percent_success: (%0.000000) new_flows: 19394 |
| Mar 13 02:38:28 snort[87591]: Snort received 163787886 packets |
| Mar 13 02:38:28 snort[87591]: Analyzed: 107665066(65.734%) |
| Mar 13 02:38:28 snort[87591]: Dropped: 56122706(34.265%) |
| Mar 13 02:38:28 snort[87591]: Outstanding: 114(0.000%) |
| Mar 13 02:38:28 snort[87591]: =============================================================================== |
| Mar 13 02:38:28 snort[87591]: Breakdown by protocol: |
| Mar 13 02:38:28 snort[87591]: TCP: 107045797 (99.425%) |
| Mar 13 02:38:28 snort[87591]: UDP: 33754 (0.031%) |
| Mar 13 02:38:28 snort[87591]: ICMP: 4420 (0.004%) |
| Mar 13 02:38:28 snort[87591]: ARP: 580490 (0.539%) |
| Mar 13 02:38:28 snort[87591]: EAPOL: 0 (0.000%) |
| Mar 13 02:38:28 snort[87591]: IPv6: 0 (0.000%) |
| Mar 13 02:38:28 snort[87591]: ETHLOOP: 0 (0.000%) |
| Mar 13 02:38:28 snort[87591]: IPX: 0 (0.000%) |
| Mar 13 02:38:28 snort[87591]: FRAG: 0 (0.000%) |
| Mar 13 02:38:28 snort[87591]: OTHER: 605 (0.001%) |
| Mar 13 02:38:28 snort[87591]: DISCARD: 0 (0.000%) |
| Mar 13 02:38:28 snort[87591]: =============================================================================== |
| Mar 13 02:38:28 snort[87591]: Action Stats: |
| Mar 13 02:38:28 snort[87591]: ALERTS: 39 |
| Mar 13 02:38:28 snort[87591]: LOGGED: 123 |
| Mar 13 02:38:28 snort[87591]: PASSED: 0 |
| Mar 13 02:38:28 snort[87591]: =============================================================================== |
| Mar 13 02:38:28 snort[87591]: TCP Stream Reassembly Stats: |
| Mar 13 02:38:28 snort[87591]: TCP Packets Used: 107045780 (99.425%) |
| Mar 13 02:38:28 snort[87591]: Stream Trackers: 35912 |
| Mar 13 02:38:28 snort[87591]: Stream flushes: 23072828 |
| Mar 13 02:38:28 snort[87591]: Segments used: 55005722 |
| Mar 13 02:38:28 snort[87591]: Segments Queued: 56073646 |
| Mar 13 02:38:28 snort[87591]: Stream4 Memory Faults: 2159 |
| Mar 13 02:38:28 snort[87591]: =============================================================================== |
| Mar 13 02:38:28 snort[87591]: Snort exiting |
| Mar 13 02:38:47 SnortStartup[74706]: Ram free BEFORE starting Snort: 64M -- Ram free AFTER starting Snort: 64M -- Mode ac-sparsebands -- Snort memory usage: |
| Mar 13 02:39:26 dnsmasq[572]: reading /etc/resolv.conf |
| Mar 13 02:39:26 dnsmasq[572]: using nameserver 195.67.199.41#53 |
| Mar 13 02:39:26 dnsmasq[572]: using nameserver 195.67.199.40#53 |
| Mar 13 02:39:26 dnsmasq[572]: using nameserver 195.67.199.39#53 |
| Mar 13 02:40:21 sshd[75185]: Accepted keyboard-interactive/pam for root from 192.168.11.1 port 3358 ssh2 |
| Mar 13 02:48:00 dhclient[81270]: DHCPREQUEST on xl1 to 81.228.3.186 port 67 |
| Mar 13 02:48:40 last message repeated 4 times |
| Mar 13 02:50:27 last message repeated 4 times |
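Both syslog dumps in this thread show the same pattern: dhclient logs "bound to ...", a few seconds later snort logs "Caught Term-Signal", and the sensor is blind until (or unless) a SnortStartup line follows. The script below is an added example, not code from the thread or from the pfSense Snort package. It parses the pipe-delimited remote-syslog rows quoted above, pairs each Snort termination with the preceding WAN renewal, and reports how long Snort stayed down or that it never came back. The sample lines are constructed: the 09:40 block is adapted from the Mar 7 excerpt, while the 09:50 renewal and the PIDs 48570 and 48700 are made up to show a renewal after which no SnortStartup ever follows. The 60 s trigger window and 120 s restart timeout are assumptions picked from the timings visible in the excerpts.

```python
"""Correlate DHCP WAN renewals with Snort terminations and restarts in pfSense syslog.

Added example, not from the thread or the pfSense Snort package. The line
format is the remote-syslog table dump quoted in the thread; the windows
(60 s between 'bound to' and the Term-Signal, 120 s for the restart) are
assumptions chosen from the timings visible there.
"""
import re
from datetime import datetime

# Matches "| Mar 7 09:40:22 snort[43227]: *** Caught Term-Signal |" (pipes optional, pid optional)
LINE_RE = re.compile(
    r"^\|?\s*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<prog>[\w.-]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*?)\s*\|?$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_line(line, year=2007):
    """Return {ts, prog, pid, msg} or None for rows that are not
    'prog[pid]: msg' records (e.g. 'last message repeated N times').
    Syslog has no year, so the caller supplies it (2007 for this thread)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return {"ts": datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s),
            "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def classify(ev):
    """Map a record to one of the three event kinds the correlation needs."""
    if ev["prog"] == "dhclient" and ev["msg"].startswith("bound to"):
        return "wan_bound"          # dhclient renewed or obtained the WAN lease
    if ev["prog"] == "snort" and "Caught Term-Signal" in ev["msg"]:
        return "snort_term"         # the snort daemon received SIGTERM
    if ev["prog"] == "SnortStartup":
        return "snort_start"        # the package's start script ran
    return None


def correlate(lines, trigger_window=60, restart_timeout=120, year=2007):
    """For every Snort termination, report whether a WAN renewal preceded it
    within trigger_window seconds and how long the sensor stayed down before
    SnortStartup ran again (blind_seconds is None if it never did)."""
    events = []
    for line in lines:
        ev = parse_line(line, year)
        if ev and (kind := classify(ev)):
            ev["kind"] = kind
            events.append(ev)
    bounds = [e for e in events if e["kind"] == "wan_bound"]
    starts = [e for e in events if e["kind"] == "snort_start"]
    # The remote syslog in the thread records each Term-Signal line twice;
    # keep only the first line per PID so one termination counts once.
    seen, terms = set(), []
    for e in events:
        if e["kind"] == "snort_term" and e["pid"] not in seen:
            seen.add(e["pid"])
            terms.append(e)
    incidents = []
    for t in terms:
        trigger = next((b for b in reversed(bounds)
                        if 0 <= (t["ts"] - b["ts"]).total_seconds() <= trigger_window), None)
        restart = next((s for s in starts if s["ts"] >= t["ts"]), None)
        gap = (restart["ts"] - t["ts"]).total_seconds() if restart else None
        incidents.append({
            "terminated_at": t["ts"], "pid": t["pid"],
            "after_wan_renewal": trigger is not None,
            "restarted": gap is not None and gap <= restart_timeout,
            "blind_seconds": gap,
        })
    return incidents


# Constructed sample: the 09:40 block is adapted from the Mar 7 excerpt in the
# thread; the 09:50 renewal and PIDs 48570/48700 are invented to show a
# renewal after which no SnortStartup ever follows.
SAMPLE = """\
| Mar 7 09:40:05 dhclient[42113]: DHCPACK from 81.236.128.1 |
| Mar 7 09:40:06 dhclient[42113]: bound to 81.236.129.20 -- renewal in 600 seconds. |
| Mar 7 09:40:10 check_reload_status: rc.newwanip starting |
| Mar 7 09:40:16 snort2c[43230]: SIGTERM received - exiting |
| Mar 7 09:40:22 php: : Dynamic WAN interface present. Restarting snort due to filter changes. |
| Mar 7 09:40:22 snort[43227]: *** Caught Term-Signal |
| Mar 7 09:40:22 snort[43227]: *** Caught Term-Signal |
| Mar 7 09:40:34 SnortStartup[48565]: Ram free BEFORE starting Snort: 15M |
| Mar 7 09:50:06 dhclient[42113]: bound to 81.236.129.20 -- renewal in 600 seconds. |
| Mar 7 09:50:20 snort[48570]: *** Caught Term-Signal |
| Mar 7 09:50:20 snort[48570]: Snort exiting |
| Mar 7 09:55:00 sshd[48700]: Accepted keyboard-interactive/pam for root from 192.168.11.1 port 3358 ssh2 |
"""

if __name__ == "__main__":
    for inc in correlate(SAMPLE.splitlines()):
        print(inc)
```

Run against a real dump, the second kind of incident (after_wan_renewal true, restarted false) is the one worth alerting on: it is exactly the state the earlier posts describe, where top no longer shows snort after a renewal. The "last message repeated N times" rows are skipped by the parser, so a burst of identical DHCPREQUEST lines does not distort the timing.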