Snort stops working after snort update (newest 2.0 RELEASE)

Netgate Discussion Forum, pfSense Packages

mentalhemroids

      And got this again with a slightly different error.

      Oct 7 20:27:08 kernel: pid 27248 (snort), uid 920: exited on signal 11
      Oct 7 20:27:07 snort[27248]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
      Oct 7 20:27:07 snort[27248]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
      Oct 7 20:25:09 snort[27248]: 377 out of 1024 flowbits in use.
      Oct 7 20:25:09 snort[27248]: 377 out of 1024 flowbits in use.

eri--

I will try to give it a look and reproduce it somehow depending on available time.
        Seems like something has changed somewhere….

mentalhemroids

Okay, an update on what I'm seeing.  I have the snort.exploits running on both servers with no problem (I don't know if we should compare rules running.), but I did have spamd installed/running and I uninstalled it and also did an install of Country Block.  So far the Snort service has not quit; ermal… I don't know if that helps with anything you are looking at, but I know the one p3 system I have running has not quit out at all, where my xeon system was exiting almost every 6 hours or so and seemed consistent.  My updates are set for 12 hours and all I would have to do is run the update check and it would somehow repair and start the service again.  It didn't even download any new rules, it would run through some of the other standard processes and then say things were updated.

Let you know if anything changes.  I'm sure it's tough trying to pinpoint issues when so many other software packages have to be considered.  Thanks for your work on this ermal.

          Update 10/9/11@7:05am So far so good; no exits or errors after update.  Still keeping an eye on things.

mentalhemroids

            Stopped again -

            Oct 9 12:05:57 kernel: pid 44648 (snort), uid 920: exited on signal 11
            Oct 9 12:05:56 snort[44648]: FATAL ERROR: Could not create rule maps
            Oct 9 12:05:56 snort[44648]: FATAL ERROR: Could not create rule maps
            Oct 9 12:03:39 snort[44648]: 377 out of 1024 flowbits in use.
            Oct 9 12:03:39 snort[44648]: 377 out of 1024 flowbits in use.

            ** UPDATE **

            11/10/2011 - Error and exit again today.

            Oct 10 12:05:44 snort[56669]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
            Oct 10 12:05:44 snort[56669]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
            Oct 10 12:03:42 snort[56669]: 377 out of 1024 flowbits in use.
            Oct 10 12:03:42 snort[56669]: 377 out of 1024 flowbits in use.

mentalhemroids

Still getting these messages - FYI, but only on my xeon system; i386 system has not gone down at all.  Is there a process that happens every 6 hours or less?  I know this is not happening from the updates set to run every 12 hours.  I'm going to change my updates to 6 hours and see if that helps.

              Oct 12 12:07:37 snort[62719]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
              Oct 12 12:07:37 snort[62719]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
              Oct 12 12:04:49 snort[62719]: 377 out of 1024 flowbits in use.
              Oct 12 12:04:49 snort[62719]: 377 out of 1024 flowbits in use.

jamesdean

                @mentalhemroids

                Looks like snort.org updated code that references fpcreate.c.

                http://www.snort.org/downloads/1165

You're going to have to wait till will update the port to the newest version.

mentalhemroids

                  @jamesdean:

                  @mentalhemroids

                  Looks like snort.org updated code that references fpcreate.c.

                  http://www.snort.org/downloads/1165

You're going to have to wait till will update the port to the newest version.

                  Thanks for the update jamesdean!  Hope things are well!  I'll wait to hear any news.

Slab

                    Well, Snort continues to randomly terminate and I don't see the fpcreate.c errors posted above. The last bit of my system log is attached, but it just indicates that Snort is exiting…

                    
                    Oct 13 03:06:47 	snort[22289]: ===============================================================================
                    Oct 13 03:06:47 	snort[22289]: SSL Preprocessor:
                    Oct 13 03:06:47 	snort[22289]: SSL Preprocessor:
                    Oct 13 03:06:47 	snort[22289]: SSL packets decoded: 15472
                    Oct 13 03:06:47 	snort[22289]: SSL packets decoded: 15472
                    Oct 13 03:06:47 	snort[22289]: Client Hello: 1990
                    Oct 13 03:06:47 	snort[22289]: Client Hello: 1990
                    Oct 13 03:06:47 	snort[22289]: Server Hello: 1917
                    Oct 13 03:06:47 	snort[22289]: Server Hello: 1917
                    Oct 13 03:06:47 	snort[22289]: Certificate: 1425
                    Oct 13 03:06:47 	snort[22289]: Certificate: 1425
                    Oct 13 03:06:47 	snort[22289]: Server Done: 4049
                    Oct 13 03:06:47 	snort[22289]: Server Done: 4049
                    Oct 13 03:06:47 	snort[22289]: Client Key Exchange: 1281
                    Oct 13 03:06:47 	snort[22289]: Client Key Exchange: 1281
                    Oct 13 03:06:47 	snort[22289]: Server Key Exchange: 199
                    Oct 13 03:06:47 	snort[22289]: Server Key Exchange: 199
                    Oct 13 03:06:47 	snort[22289]: Change Cipher: 3541
                    Oct 13 03:06:47 	snort[22289]: Change Cipher: 3541
                    Oct 13 03:06:47 	snort[22289]: Finished: 0
                    Oct 13 03:06:47 	snort[22289]: Finished: 0
                    Oct 13 03:06:47 	snort[22289]: Client Application: 3118
                    Oct 13 03:06:47 	snort[22289]: Client Application: 3118
                    Oct 13 03:06:47 	snort[22289]: Server Application: 1489
                    Oct 13 03:06:47 	snort[22289]: Server Application: 1489
                    Oct 13 03:06:47 	snort[22289]: Alert: 610
                    Oct 13 03:06:47 	snort[22289]: Alert: 610
                    Oct 13 03:06:47 	snort[22289]: Unrecognized records: 5002
                    Oct 13 03:06:47 	snort[22289]: Unrecognized records: 5002
                    Oct 13 03:06:47 	snort[22289]: Completed handshakes: 0
                    Oct 13 03:06:47 	snort[22289]: Completed handshakes: 0
                    Oct 13 03:06:47 	snort[22289]: Bad handshakes: 0
                    Oct 13 03:06:47 	snort[22289]: Bad handshakes: 0
                    Oct 13 03:06:47 	snort[22289]: Sessions ignored: 1489
                    Oct 13 03:06:47 	snort[22289]: Sessions ignored: 1489
                    Oct 13 03:06:47 	snort[22289]: Detection disabled: 23
                    Oct 13 03:06:47 	snort[22289]: Detection disabled: 23
                    Oct 13 03:06:47 	snort[22289]: ===============================================================================
                    Oct 13 03:06:47 	snort[22289]: ===============================================================================
                    Oct 13 03:06:50 	snort[22289]: Snort exiting
                    Oct 13 03:06:50 	snort[22289]: Snort exiting
                    
                    
mentalhemroids

                      No errors or exits after unselecting emerging-current_events.rules; I don't know if that is the real reason, but it is working so far for me on the xeon system; never had that selected on the i386 system.  I still feel the issue comes from overwhelming memory with rules.

Slab

                        Although memory utilization might indeed be an issue, I don't have emerging-current_events.rules selected in my configuration. In addition, my server has 4 gigs of RAM and since the only package that I've installed and run is Snort, I would think that would be more than enough.

                        With Snort running, the dashboard indicates about 37% memory utilization. With the previous release of Snort running on pfSense 2.0-RC1, the dashboard showed about 50% memory utilization …but Snort never once failed in that configuration.

mentalhemroids

                          @Slab

                          Are you running i386 or x64?  My xeon is i386 and I have another p3 i386; do we know if this is affecting both platforms or just one?  I know x64 has had other issues that are referred in previous posts.

Slab

                            @mentalhemroids:

                            @Slab

                            Are you running i386 or x64?

                            I'm running the i386 version.

AhnHEL

                              Might be common knowledge but restarting an OpenVPN Server causes Snort to exit as well if anyone is investigating strange Snort stoppages.

                              AhnHEL (Angel)

mentalhemroids

@AhnHEL:

                                Might be common knowledge but restarting an OpenVPN Server causes Snort to exit as well if anyone is investigating strange Snort stoppages.

Good to know… I had OpenVPN enabled, but haven't used it.  I just disabled the instance and we'll see if that makes a difference too.  I had Snort exit out around midnight for the first time in more than a day, so I thought I was making progress.
One test at a time.

mentalhemroids

                                  Error just a few minutes ago…  going to run update again and things will be fine for a while.  OpenVPN is disabled.

                                  Oct 19 12:06:33 kernel: pid 60457 (snort), uid 920: exited on signal 11
                                  Oct 19 12:06:32 snort[60457]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
                                  Oct 19 12:06:32 snort[60457]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
                                  Oct 19 12:03:47 snort[60457]: 377 out of 1024 flowbits in use.
                                  Oct 19 12:03:47 snort[60457]: 377 out of 1024 flowbits in use.

lonevipr

                                    Everything of mine was working fine when I went to bed last night. Power went out in the middle of the night & my pfsense box went to hell in a handbasket.

                                    Had to issue a backup config to get everything working. Now Snort was working perfectly before. Now it's broke. I'm getting a

                                    snort[2391]: FATAL ERROR: /usr/local/etc/snort/snort_19773_nfe0/snort.conf(308) Unknown output plugin: "alert_pf"

This error was supposed to be fixed months ago.
                                    http://redmine.pfsense.org/issues/1590

Not sure why, when I reinstalled snort, I'm getting this. Is there a bsd command I can issue to check to make sure all dependencies for snort are installed? I've even tried uninstalling & reinstalling snort numerous times with no help. I know this error has to do with "block offenders" being enabled, but it was enabled & running fine before the power outage. I do want it to block offenders.

                                    I ran the "ln -s /lib/libpcap.so.7 /lib/libpcap.so.1" listed as the fix. But my error log still shows same error & putty says that the file exists.

Edit: Turned off "block offenders" to see if I could get it running with just alerts. Now I'm getting another error.

                                    snort[60765]: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SSLPP (IPV6) version 1.1.4 (-2)

                                    Now this error isn't really listed on the bug tracker. Thoughts?

                                    Running pfSense 2.2-RELEASE (amd64)

Seb

                                      Snort on my primary failed last night (but not my secondary - see below), presumably around the time of the update:

                                      # ps aux | grep snort
                                      root    45898  0.0  0.1  3524  1252   0  R+   10:47AM   0:00.00 grep snort
                                      
                                      

                                      Unfortunately I don't have the part of the log right before Snort stopped, as my system.log file reached 512144 bytes, and it is a circular log file created using clog, and I didn't realise that until now. In the meantime I started Snort on this interface again, and it spat out so much initialization stuff that the old log lines have gone.

                                      FYI, /var/log/system.log ended in:
                                      CLOGÜ|Ð#

                                      One can use the clog command to view it in the correct order (works like cat), but with a -f option like tail.
                                      Ref: http://software.wwwi.com/syslogd/clog.html
                                      http://www.mail-archive.com/support@pfsense.com/msg11756.html
                                      http://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_%28clog%29

                                      Time to reconfigure my logging! ;)

                                      On my secondary pfSense, Snort did not stop last night.  It looks like it is running updates at the moment though:

                                      # ps aux | grep snort
                                      snort   20183  0.2 18.0 584668 374676  ??  Ss    1:46PM   5:21.62 /usr/local/bin/snort -u snort -g snort -R 39540 -D -q -l /var/log/snort --pid-path /var/log/snort/run -
                                      root      960  0.0  0.0  1268     8  ??  RN   12:04PM   0:00.00 sh -c /bin/sh /usr/local/etc/rc.d/snort.sh start
                                      root    19765  0.0  0.9 57692 19628  ??  SNs  12:03PM   0:01.27 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php
                                      root     1102  0.0  0.0  1848   728   0  RL+  12:04PM   0:00.00 grep snort
                                      # date
                                      Fri Oct 21 12:05:25 BST 2011
                                      # ps aux | grep snort
                                      root    36334  0.0  0.1  3524  1256   0  S+   12:07PM   0:00.00 grep snort
                                      
                                      

                                      And NOW it has stopped!  >:(
                                      Time to disable automatic updates!  :'(  (Not having the latest rules is better than not running Snort at all!)

                                      # clog /var/log/system.log | tail
                                      Oct 21 12:04:56 pfSense2 snort[20183]: ===============================================================================
                                      Oct 21 12:04:56 pfSense2 snort[20183]: ===============================================================================
                                      Oct 21 12:04:56 pfSense2 snort[20183]: +-----------------------[filtered events]--------------------------------------
                                      Oct 21 12:04:56 pfSense2 snort[20183]: +-----------------------[filtered events]--------------------------------------
                                      Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1      sig-id=2002911    type=Threshold tracking=src count=5   seconds=60  filtered=1
                                      Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1      sig-id=2002911    type=Threshold tracking=src count=5   seconds=60  filtered=1
                                      Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1      sig-id=2001219    type=Threshold tracking=src count=5   seconds=120 filtered=1
                                      Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1      sig-id=2001219    type=Threshold tracking=src count=5   seconds=120 filtered=1
                                      Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting
                                      Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting
                                      #
                                      

Edit: Using Snort 2.9.0.5 pkg v. 2.0 on pfSense 2.0

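An added example for anyone working through logs like the ones quoted in this thread (it is not code from the thread or from the pfSense Snort package): a POSIX shell function that reads pfSense syslog lines and prints one line per Snort process that died, with the time of the rule reload (the "flowbits in use" line), any FATAL ERROR reason, and the kernel signal, so the crash can be lined up against the rule-update schedule. On pfSense the system log is a circular clog file, so it is fed with `clog /var/log/system.log`, as Seb notes, not `cat`. The sample input is constructed from lines quoted above plus a made-up pid 31000 that reloaded rules and kept running.

```shell
#!/bin/sh
# Added example, not code from this thread or from the pfSense Snort package.
# Summarises Snort deaths from pfSense syslog lines read on stdin. On pfSense
# the system log is a circular clog file, so feed it with
#   clog /var/log/system.log | snort_crash_report
# rather than cat/grep.

# snort_crash_report: one output line per Snort PID that exited, sorted by PID:
#   pid=<pid> start=<time of the "flowbits in use" line, i.e. the rule reload>
#   exit=<time of "Snort exiting" or of the kernel "exited on signal" line>
#   signal=<kernel signal number, 11 = SIGSEGV> reason=<text after FATAL ERROR:>
# Fields that never appeared for that PID print as "-". Consecutive duplicate
# lines (pfSense logs every Snort message twice) are collapsed.
snort_crash_report() {
    awk '
    $0 == prev { next }              # drop the doubled syslog line
    { prev = $0 }
    match($0, /snort\[[0-9]+\]/) {   # "snort[NNNN]:" lines
        pid = substr($0, RSTART + 6, RLENGTH - 7)
        ts = $1 " " $2 " " $3        # "Oct 21 12:04:57"; host column is optional
        if ($0 ~ /flowbits in use/) start[pid] = ts
        if ($0 ~ /FATAL ERROR:/) {
            r = $0; sub(/.*FATAL ERROR: /, "", r); reason[pid] = r
        }
        if ($0 ~ /Snort exiting/) exited[pid] = ts
    }
    /\(snort\).*exited on signal/ {  # kernel: pid NNNN (snort), uid 920: exited on signal 11
        p = $0; sub(/.*pid /, "", p); sub(/ .*/, "", p)
        s = $0; sub(/.*signal /, "", s)
        sig[p] = s; exited[p] = $1 " " $2 " " $3
    }
    END {
        for (p in exited)
            printf "pid=%s start=%s exit=%s signal=%s reason=%s\n", p,
                (p in start) ? start[p] : "-", exited[p],
                (p in sig) ? sig[p] : "-", (p in reason) ? reason[p] : "-"
    }' | sort
}

# Constructed sample: lines quoted in this thread plus a made-up pid 31000 that
# reloaded rules and kept running (it must not appear in the report).
SAMPLE_LOG='Oct 7 20:27:08 kernel: pid 27248 (snort), uid 920: exited on signal 11
Oct 7 20:27:07 snort[27248]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
Oct 7 20:27:07 snort[27248]: FATAL ERROR: fpcreate.c(1557) Failed to compile port group patterns.
Oct 7 20:25:09 snort[27248]: 377 out of 1024 flowbits in use.
Oct 7 20:25:09 snort[27248]: 377 out of 1024 flowbits in use.
Oct 21 12:04:56 pfSense2 snort[20183]: | gen-id=1      sig-id=2002911    type=Threshold tracking=src count=5   seconds=60  filtered=1
Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting
Oct 21 12:04:57 pfSense2 snort[20183]: Snort exiting
Oct 21 12:10:00 pfSense2 snort[31000]: 377 out of 1024 flowbits in use.'

printf '%s\n' "$SAMPLE_LOG" | snort_crash_report
```

A crash whose exit time sits a couple of minutes after the flowbits line, as in every log posted here, points at the rule reload rather than at traffic.
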
mentalhemroids

                                        Did another clean install with restore of config with no packages.  Installed the following packages - vnstat2, mtr-nox11, lightsquid, darkstat, snort, and squid.  The updates are sure messing things up; I agree with Seb… I'm going to try turning my updates off too.

bdwyer

                                          Having same issue here, pfSense 2.0 amd64, Snort 2.9.0.5 pkg v. 2.0.  Find Snort not running in the morning when I wake up, 12 hour update schedule, AC-STD algorithm.  Disabling automatic updates for the time being, kind of sucks.  Oh well.

                                          CCNP, MCITP

                                          Intel Atom N550 - 2gb DDR3
                                          Jetway NC9C-550-LF
                                          Antec ISK 300-150
                                          HP ProCurve 1810-24
                                          Cisco 1841 & 2821, Cisco 3550 x3

hytek

                                            PFSense 2.0 i386
                                            Snort 2.9
                                            AC-STD
                                            Everything default
                                            4GB RAM, P4 3.2GHz, Intel Pro1000 4 Port PCI-E NIC
WAN disables randomly as well. I also have the LAN enabled, which never disables itself.

                                            Setting updates to "Never" for the time being.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.