Netgate Discussion Forum

    Snort stops working after snort update (newest 2.0 RELEASE)

    pfSense Packages
    • mschiek01

      Ermal, here is the system log.
      Sep 30 09:03:55 snort[5170]: Snort exiting
      Sep 30 09:03:54 snort[6986]: Snort exiting
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2408044 type=Limit tracking=src count=1 seconds=60 filtered=8
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2406628 type=Limit tracking=src count=1 seconds=60 filtered=18
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2403304 type=Limit tracking=src count=1 seconds=3600 filtered=1
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2001569 type=Both tracking=src count=70 seconds=60 filtered=331
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2406036 type=Limit tracking=src count=1 seconds=60 filtered=4
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2001579 type=Both tracking=src count=70 seconds=60 filtered=330
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2408002 type=Limit tracking=src count=1 seconds=60 filtered=31
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2406690 type=Limit tracking=src count=1 seconds=60 filtered=2
      Sep 30 09:03:53 snort[5170]: | gen-id=1 sig-id=2403312 type=Limit tracking=src count=1 seconds=3600 filtered

      • bmeeks

        Just to add confirmation – I, too, have noticed this behavior of Snort not restarting upon a rules update.  However, you can immediately manually start it without issue.  Like one of the other posters, the only message in the log of note is "...snort exiting."  Not much help for troubleshooting.

        I discovered my event by kicking off a manual update and then coming back an hour later to check that everything was cool.  Found pfSense running fine but Snort not running.  I looked in the log and saw only the "snort exiting" message.  I made no changes to anything and simply clicked the little green arrow icon to start Snort.  It then started up successfully.

        This seems to have only occurred after my upgrade to the 2.0-Release.  Prior to that I was running the Release Candidate (RC3) and did not see this issue.

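The situation bmeeks describes above (pfSense healthy, Snort silently not running, nothing in the log but "Snort exiting") is the monitoring gap a practitioner most wants to close, because an IDS that died after a rules update is down until someone happens to look. The following is an added example, not code from this thread or from the pfSense Snort package. It reads the PID files the package writes under /var/log/snort/run (that path and the snort_<iface>.pid naming are taken from logs posted later in this thread) and reports any instance whose PID is no longer alive. That a crashed Snort leaves its PID file behind is an assumption, as is the directory layout; the demo helper builds a temporary directory of constructed PID files so the check can run offline.

```python
"""Liveness check for pfSense Snort instances from their PID files.

Added example; not code from this thread or from the pfSense Snort package.
Assumptions: Snort writes /var/log/snort/run/snort_<iface>.pid (path and naming
taken from logs posted in this thread) and a process that dies on a signal leaves
that file behind, so a PID file whose PID is not alive means the instance is down.
"""
import errno
import os
import tempfile
from pathlib import Path

PID_DIR = Path("/var/log/snort/run")   # from the posted "PID path set to" log line


def pid_alive(pid: int) -> bool:
    """Probe a PID with signal 0: nothing is delivered, but existence is checked."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except OSError as exc:
        # EPERM: the process exists but runs as another user (Snort drops to uid 920).
        return exc.errno == errno.EPERM
    return True


def read_pid(pidfile: Path):
    """Return the integer PID stored in the file, or None if unreadable or malformed."""
    try:
        text = pidfile.read_text().strip()
    except OSError:
        return None
    return int(text) if text.isdigit() else None


def check_snort_instances(pid_dir: Path = PID_DIR) -> dict:
    """Map each snort_*.pid file name to 'running', 'dead' or 'unreadable'."""
    status = {}
    for pidfile in sorted(pid_dir.glob("snort_*.pid")):
        pid = read_pid(pidfile)
        if pid is None:
            status[pidfile.name] = "unreadable"
        else:
            status[pidfile.name] = "running" if pid_alive(pid) else "dead"
    return status


def dead_instances(pid_dir: Path = PID_DIR) -> list:
    """PID files whose instance is not confirmed running: what a watchdog should alert on."""
    return sorted(name for name, st in check_snort_instances(pid_dir).items()
                  if st != "running")


def build_demo_pid_dir() -> Path:
    """Constructed sample: one live PID (this process), one impossible PID, one corrupt file."""
    demo = Path(tempfile.mkdtemp(prefix="snort_run_demo_"))
    (demo / "snort_em0_1.pid").write_text(str(os.getpid()))
    (demo / "snort_em1_2.pid").write_text("4194309")   # above Linux's largest pid_max, so never alive
    (demo / "snort_vlan_3.pid").write_text("garbage")
    return demo


if __name__ == "__main__":
    target = PID_DIR if PID_DIR.is_dir() else build_demo_pid_dir()
    down = dead_instances(target)
    print("checked", target, "->", down or "all instances running")
    raise SystemExit(1 if down else 0)
```

Run it from cron and alert on a non-zero exit. On the firewall it has to run as root or as the Snort user (uid 920 in the posted logs); from any other unprivileged account os.kill returns EPERM, which the check deliberately treats as "alive" rather than raising a false alarm.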
        • Slab

          I'm experiencing the same problem since upgrading to 2.0-Release. The system log shows the usual Snort initialization messages but with the last one indicating 'Snort exiting' and it generally occurs just after midnight EST (I assume after a ruleset update …which I have set for once a day).

          I also used to run with the AC-STD memory setting, but can no longer do so since the upgrade (Snort won't run for more than an hour or two with AC-STD, so I changed to AC-SPARSEBANDS). Last, Snort seems to take quite a bit longer to start up (several minutes) since the upgrade.

          I hope that this problem is going to be investigated ... thx.

          • xarope

            I hate to post a "me too" reply, but unfortunately, me too. Snort 2.9.0.5 pkg 2.0, pfSense 2.0-RELEASE (i386)
            built on Tue Sep 13 17:28:43 EDT 2011.

            All I can find in the kernel log for snort is "snort exiting".  And as with the others, this always happens overnight.  Unlike the others, I had upgraded/updated to 2.0 final, a few weeks ago.  But only noticed this behaviour since, maybe end of last week?

            Prior to that, snort had been running ok.

            So I'm suspecting maybe it's one of the rules that's causing a problem?  From memory, one of the snort categories always caused me problems (e.g. snort_exploit.rules), so maybe another is doing the same thing?

            Update: I just tried a manual update of rules, and restarted snort.  Now the snort instance running on my WAN interface (AC-BNFA) has died a few minutes later (15 minutes), and with an error message "kernel: pid 23257 (snort), uid 920: exited on signal 11".  More logs:

            Oct 5 11:32:43 snort[35687]: PID path stat checked out ok, PID path set to /var/log/snort/run
            Oct 5 11:32:43 snort[35687]: Writing PID "35687" to file "/var/log/snort/run/snort_em0_vlan78035309.pid"
            Oct 5 11:32:43 snort[35687]: Set gid to 920
            Oct 5 11:32:43 snort[35687]: Set uid to 920
            Oct 5 11:32:43 snort[35687]:
            Oct 5 11:32:43 snort[35687]: --== Initialization Complete ==--
            Oct 5 11:32:43 snort[35687]: Commencing packet processing (pid=35687)
            Oct 5 11:48:26 kernel: pid 23257 (snort), uid 920: exited on signal 11
            
            • xarope

              And famous last words, now snort on the WAN interface is crashing regularly after a restart:

              Oct 5 12:52:44 snort[14024]: Set uid to 920
              Oct 5 12:52:44 snort[14024]:
              Oct 5 12:52:44 snort[14024]: --== Initialization Complete ==--
              Oct 5 12:52:44 snort[14024]: Commencing packet processing (pid=14024)
              Oct 5 13:42:06 kernel: pid 14024 (snort), uid 920: exited on signal 11
              

              I'll have to start disabling rules and see if it is indeed the rules causing the problem…

              • xarope

                FYI I removed snort_exploit.so.rules from the categories I was using on the WAN interface (as well as snort_exploit.rules, which always crashed snort for me pretty much from startup) yesterday afternoon.  Monitored last night and this morning; snort hasn't crashed yet.

                So might be worth your while to test as well to see if it is this set of rules causing your snort problem.

                • mentalhemroids

                  Just got this in my system logs after what appears to be an update; things have been running really solid up until now.

                  Oct 6 12:06:43 snort[39831]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
                  Oct 6 12:04:14 snort[39831]: 377 out of 1024 flowbits in use.

                  Now Snort service is stopped.  I forced an update and it's back up and going again.

                  We'll see what happens next.  So far so good. :)

                  • mentalhemroids

                    Got this error again; once this morning and once now.  I don't know if it's related to updates, because I have it set for 12 hours and it hasn't been yet.

                    Oct 7 12:06:20 snort[11782]: FATAL ERROR: Could not create rule maps
                    Oct 7 12:03:36 snort[11782]: 377 out of 1024 flowbits in use.

                    Doing manual update of rules starts it up again.

                    • mentalhemroids

                      And got this again with a slightly different error.

                      Oct 7 20:27:08 kernel: pid 27248 (snort), uid 920: exited on signal 11
                      Oct 7 20:27:07 snort[27248]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
                      Oct 7 20:25:09 snort[27248]: 377 out of 1024 flowbits in use.

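By this point the thread has shown three different ways Snort goes down: the bare "Snort exiting" line, a FATAL ERROR during rule compilation ("Could not create rule maps", "fpcreate.c(1557) Failed to compile port group patterns"), and the kernel's "exited on signal 11" (SIGSEGV). They look different in the system log, the pfSense log viewer lists newest lines first, and every Snort line is recorded twice, all of which makes eyeballing the log error-prone. Below is an added example, not from this thread or from the pfSense package, that parses those line shapes, drops the doubled lines, orders events by time and flags any stop that was never followed by a "Commencing packet processing" start. The sample log is constructed in the posted format with made-up PIDs; treating any later start as recovery (the log line carries no interface name) is an assumption noted in the code.

```python
"""Classify Snort stop events in pfSense system-log lines.

Added example, not code from this thread or the pfSense Snort package. The line
shapes are the ones posted in the thread ("Snort exiting", "FATAL ERROR: ...",
the kernel "exited on signal N" line, "Commencing packet processing (pid=N)");
the sample log below is constructed in that format with made-up PIDs.
"""
import re
from collections import Counter

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# syslog prefix as shown in the pfSense system log (no year), then the source
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>kernel|snort\[(?P<pid>\d+)\]):\s*(?P<msg>.*)$")
SIGNAL_RE = re.compile(r"pid (?P<pid>\d+) \(snort\), uid \d+: exited on signal (?P<sig>\d+)")
START_RE = re.compile(r"Commencing packet processing \(pid=(?P<pid>\d+)\)")

STOP_KINDS = ("crash", "fatal", "exit")


def parse_event(line):
    """Return (sort_key, kind, pid, detail) for a line we care about, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = (MONTHS.get(m["mon"], 0), int(m["day"]), m["time"])
    msg = m["msg"].strip()
    if m["src"] == "kernel":
        s = SIGNAL_RE.search(msg)
        # signal 11 is SIGSEGV: Snort died inside packet processing or rule compilation
        return (key, "crash", int(s["pid"]), "signal " + s["sig"]) if s else None
    pid = int(m["pid"])
    if msg.startswith("FATAL ERROR:"):
        return (key, "fatal", pid, msg[len("FATAL ERROR:"):].strip())
    if msg == "Snort exiting":
        return (key, "exit", pid, "")
    s = START_RE.fullmatch(msg)
    if s:
        return (key, "start", int(s["pid"]), "")
    return None


def analyze(lines):
    """Dedupe doubled syslog lines, order events by time, flag stops with no later start."""
    events, prev = [], None
    for line in lines:
        if line == prev:            # pfSense records each Snort line twice; drop the repeat
            continue
        prev = line
        ev = parse_event(line)
        if ev:
            events.append(ev)
    events.sort(key=lambda e: e[0])  # the GUI log view is newest-first; restore time order
    counts = Counter(kind for _, kind, _, _ in events)
    unrecovered = []
    for i, (_, kind, pid, detail) in enumerate(events):
        # Assumption: any later start counts as recovery. The log line has no interface
        # name, so per-interface tracking would need the PID file name from the startup lines.
        if kind in STOP_KINDS and not any(e[1] == "start" for e in events[i + 1:]):
            unrecovered.append((kind, pid, detail))
    return {"events": events, "counts": counts, "unrecovered": unrecovered}


# Constructed sample in the posted format, newest-first and doubled like the GUI shows it.
SAMPLE_LOG = """\
Oct 13 03:06:50 snort[22289]: Snort exiting
Oct 13 03:06:50 snort[22289]: Snort exiting
Oct 7 12:10:00 snort[11990]: Commencing packet processing (pid=11990)
Oct 7 12:06:20 snort[11782]: FATAL ERROR: Could not create rule maps
Oct 7 12:06:20 snort[11782]: FATAL ERROR: Could not create rule maps
Oct 7 12:03:36 snort[11782]: 377 out of 1024 flowbits in use.
Oct 5 11:48:26 kernel: pid 35687 (snort), uid 920: exited on signal 11
Oct 5 11:32:43 snort[35687]: Commencing packet processing (pid=35687)
Oct 5 11:32:43 snort[35687]: Commencing packet processing (pid=35687)
"""


def analyze_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    report = analyze_sample()
    print(dict(report["counts"]))
    for kind, pid, detail in report["unrecovered"]:
        print(f"Snort pid {pid} stopped ({kind} {detail}) and never restarted")
```

Feed analyze() the firewall's system log; an entry in "unrecovered" is exactly the case bmeeks and Slab describe, where Snort stops after a rules update and only a manual start brings it back, while the "counts" split tells you whether you are chasing a SIGSEGV during packet processing or a rule-compilation failure, which the thread shows are separate problems.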
                        • eri--

                        I will try to give it a look and reproduce it somehow, depending on available time.
                        Seems like something has changed somewhere….

                          • mentalhemroids

                          Okay, an update on what I'm seeing.  I have the snort.exploits running on both servers with no problem (I don't know if we should compare rules running), but I did have spamd installed/running and I uninstalled it and also did an install of Country Block.  So far the Snort service has not quit; ermal… I don't know if that helps with anything you are looking at, but I know the one P3 system I have running has not quit out at all, where my Xeon system was exiting almost every 6 hours or so and seemed consistent.  My updates are set for 12 hours and all I would have to do is run the update check and it would somehow repair and start the service again.  It didn't even download any new rules; it would run through some of the other standard processes and then say things were updated.

                          Let you know if anything changes.  I'm sure it's tough trying to pin point issues when so many other software packages have to be considered.  Thanks for your work on this ermal.

                          Update 10/9/11@7:05am So far so good; no exits or errors after update.  Still keeping an eye on things.

                            • mentalhemroids

                            Stopped again -

                            Oct 9 12:05:57 kernel: pid 44648 (snort), uid 920: exited on signal 11
                            Oct 9 12:05:56 snort[44648]: FATAL ERROR: Could not create rule maps
                            Oct 9 12:03:39 snort[44648]: 377 out of 1024 flowbits in use.

                            ** UPDATE **

                            11/10/2011 - Error and exit again today.

                            Oct 10 12:05:44 snort[56669]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
                            Oct 10 12:03:42 snort[56669]: 377 out of 1024 flowbits in use.

                              • mentalhemroids

                              Still getting these messages (FYI), but only on my Xeon system; the i386 system has not gone down at all.  Is there a process that happens every 6 hours or less?  I know this is not happening from the updates set to run every 12 hours.  I'm going to change my updates to 6 hours and see if that helps.

                              Oct 12 12:07:37 snort[62719]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
                              Oct 12 12:04:49 snort[62719]: 377 out of 1024 flowbits in use.

                                • jamesdean

                                @mentalhemroids

                                Looks like snort.org updated code that references fpcreate.c.

                                http://www.snort.org/downloads/1165

                                You're going to have to wait till the port is updated to the newest version.

                                  • mentalhemroids

                                  @jamesdean:
                                  Looks like snort.org updated code that references fpcreate.c.
                                  http://www.snort.org/downloads/1165
                                  You're going to have to wait till the port is updated to the newest version.

                                  Thanks for the update jamesdean!  Hope things are well!  I'll wait to hear any news.

                                    • Slab

                                    Well, Snort continues to randomly terminate and I don't see the fpcreate.c errors posted above. The last bit of my system log is attached, but it just indicates that Snort is exiting…

                                    
                                    Oct 13 03:06:47 snort[22289]: ===============================================================================
                                    Oct 13 03:06:47 snort[22289]: SSL Preprocessor:
                                    Oct 13 03:06:47 snort[22289]: SSL packets decoded: 15472
                                    Oct 13 03:06:47 snort[22289]: Client Hello: 1990
                                    Oct 13 03:06:47 snort[22289]: Server Hello: 1917
                                    Oct 13 03:06:47 snort[22289]: Certificate: 1425
                                    Oct 13 03:06:47 snort[22289]: Server Done: 4049
                                    Oct 13 03:06:47 snort[22289]: Client Key Exchange: 1281
                                    Oct 13 03:06:47 snort[22289]: Server Key Exchange: 199
                                    Oct 13 03:06:47 snort[22289]: Change Cipher: 3541
                                    Oct 13 03:06:47 snort[22289]: Finished: 0
                                    Oct 13 03:06:47 snort[22289]: Client Application: 3118
                                    Oct 13 03:06:47 snort[22289]: Server Application: 1489
                                    Oct 13 03:06:47 snort[22289]: Alert: 610
                                    Oct 13 03:06:47 snort[22289]: Unrecognized records: 5002
                                    Oct 13 03:06:47 snort[22289]: Completed handshakes: 0
                                    Oct 13 03:06:47 snort[22289]: Bad handshakes: 0
                                    Oct 13 03:06:47 snort[22289]: Sessions ignored: 1489
                                    Oct 13 03:06:47 snort[22289]: Detection disabled: 23
                                    Oct 13 03:06:47 snort[22289]: ===============================================================================
                                    Oct 13 03:06:50 snort[22289]: Snort exiting
                                    
                                    
                                      • mentalhemroids

                                      No errors or exits after unselecting emerging-current_events.rules.  I don't know if that is the real reason, but it is working so far for me on the Xeon system; I never had that selected on the i386 system.  I still feel the issue comes from overwhelming memory with rules.

                                        • Slab

                                        Although memory utilization might indeed be an issue, I don't have emerging-current_events.rules selected in my configuration. In addition, my server has 4 gigs of RAM and since the only package that I've installed and run is Snort, I would think that would be more than enough.

                                        With Snort running, the dashboard indicates about 37% memory utilization. With the previous release of Snort running on pfSense 2.0-RC1, the dashboard showed about 50% memory utilization …but Snort never once failed in that configuration.

                                          • mentalhemroids

                                          @Slab

                                          Are you running i386 or x64?  My Xeon is i386 and I have another P3 i386; do we know if this is affecting both platforms or just one?  I know x64 has had other issues that are referred to in previous posts.

                                            • Slab

                                            @mentalhemroids:

                                            @Slab

                                            Are you running i386 or x64?

                                            I'm running the i386 version.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.