Netgate Discussion Forum

    Snort stops working after snort update (newest 2.0 RELEASE)

    pfSense Packages
    • hytek

      PFSense 2.0 i386
      Snort 2.9
      AC-STD
      Everything default
      4GB RAM, P4 3.2GHz, Intel Pro1000 4 Port PCI-E NIC
      WAN Disables randomly as well. I also have the LAN enabled, which it never disables itself.

      Setting updates to "Never" for the time being.

      • Surtr

        I'm having a similar problem, but mine seems to be related to Barnyard2.

        FATAL ERROR: Failed to Lock PID File "/var/log/snort/run/barnyard2/17612_dc0.pid"

        I guess it's not killing barnyard2 when it updates and refuses to start if it's already running.

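To test the guess in the post above (a leftover barnyard2 instance still owning the PID file after a rules update), the check below classifies a PID file before a restart is attempted. It is an added example, not code from the thread or from the pfSense Snort package; the function name `pidfile_state` and its output labels are assumptions, and it inspects the PID recorded in the file rather than the file lock itself.

```shell
#!/bin/sh
# Added example (not from the thread): classify a daemon PID file.
#
#   pidfile_state FILE EXPECTED_NAME
#
# Prints exactly one of:
#   missing  - no PID file, a fresh start should not hit a lock error
#   invalid  - file exists but does not contain a plain decimal PID
#   stale    - PID recorded, but no such process (safe to remove the file)
#   foreign  - PID is alive but belongs to a different program (PID reuse)
#   running  - PID is alive and is EXPECTED_NAME (old instance never stopped)
#
# Example call with the path from the error message in the post:
#   pidfile_state /var/log/snort/run/barnyard2/17612_dc0.pid barnyard2
pidfile_state() {
    file=$1
    expected=$2

    [ -f "$file" ] || { echo missing; return 0; }

    # Only the first line is considered; surrounding whitespace is dropped.
    pid=$(head -n 1 "$file" | tr -d '[:space:]')

    # Reject empty content and anything that is not purely digits.
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac

    # kill -0 sends no signal; it only reports whether the PID can be
    # signalled. Run as root, otherwise a live process owned by another
    # user is also reported as stale.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo stale
        return 0
    fi

    # The PID is alive: confirm it is the expected daemon and not an
    # unrelated process that was handed the same PID later.
    comm=$(ps -p "$pid" -o comm= 2>/dev/null | tr -d '[:space:]')
    if [ "$comm" = "$expected" ]; then
        echo running
    else
        echo foreign
    fi
}

# When run directly with two arguments, print the state of that PID file.
if [ $# -ge 2 ]; then
    pidfile_state "$1" "$2"
fi
```

A result of `running` matches the situation described in the post: the old process has to be stopped before a new one can take the PID file. `stale` or `foreign` means the file is a leftover and can be removed before starting the daemon.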
        • mentalhemroids

          Just did a manual update of rules and Snort exited after trying to reload.  I don't know if this is part of the problem, but here is the system log from xeon x86 system - Hope this helps someone make sense of things.  The system has been running fine since it was set to not auto update rules.  Normally if I tell it to run Update Rules again it will go through the process and start working again; I posted the retry log under this first one.

          Oct 28 12:07:04 snort[56418]: Snort exiting
          Oct 28 12:07:04 snort[56418]: Snort exiting
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=5000001 type=Both tracking=src count=30 seconds=3 filtered=73
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=5000001 type=Both tracking=src count=30 seconds=3 filtered=73
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2406874 type=Limit tracking=src count=1 seconds=60 filtered=71
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2406874 type=Limit tracking=src count=1 seconds=60 filtered=71
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=5000004 type=Both tracking=src count=100 seconds=60 filtered=13
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=5000004 type=Both tracking=src count=100 seconds=60 filtered=13
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403316 type=Limit tracking=src count=1 seconds=3600 filtered=24
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403316 type=Limit tracking=src count=1 seconds=3600 filtered=24
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2009698 type=Both tracking=src count=100 seconds=60 filtered=13
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2009698 type=Both tracking=src count=100 seconds=60 filtered=13
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403313 type=Limit tracking=src count=1 seconds=3600 filtered=12
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403313 type=Limit tracking=src count=1 seconds=3600 filtered=12
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=100000158 type=Both tracking=src count=100 seconds=60 filtered=13
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=100000158 type=Both tracking=src count=100 seconds=60 filtered=13
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403308 type=Limit tracking=src count=1 seconds=3600 filtered=1
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403308 type=Limit tracking=src count=1 seconds=3600 filtered=1
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403306 type=Limit tracking=src count=1 seconds=3600 filtered=12
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403306 type=Limit tracking=src count=1 seconds=3600 filtered=12
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403302 type=Limit tracking=src count=1 seconds=3600 filtered=8
          Oct 28 12:07:02 snort[56418]: | gen-id=1 sig-id=2403302 type=Limit tracking=src count=1 seconds=3600 filtered=8
          Oct 28 12:07:02 snort[56418]: +-----------------------[filtered events]--------------------------------------
          Oct 28 12:07:02 snort[56418]: +-----------------------[filtered events]--------------------------------------
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Detection disabled: 343
          Oct 28 12:07:02 snort[56418]: Detection disabled: 343
          Oct 28 12:07:02 snort[56418]: Sessions ignored: 7753
          Oct 28 12:07:02 snort[56418]: Sessions ignored: 7753
          Oct 28 12:07:02 snort[56418]: Bad handshakes: 0
          Oct 28 12:07:02 snort[56418]: Bad handshakes: 0
          Oct 28 12:07:02 snort[56418]: Completed handshakes: 0
          Oct 28 12:07:02 snort[56418]: Completed handshakes: 0
          Oct 28 12:07:02 snort[56418]: Unrecognized records: 12892
          Oct 28 12:07:02 snort[56418]: Unrecognized records: 12892
          Oct 28 12:07:02 snort[56418]: Alert: 949
          Oct 28 12:07:02 snort[56418]: Alert: 949
          Oct 28 12:07:02 snort[56418]: Server Application: 7754
          Oct 28 12:07:02 snort[56418]: Server Application: 7754
          Oct 28 12:07:02 snort[56418]: Client Application: 2372
          Oct 28 12:07:02 snort[56418]: Client Application: 2372
          Oct 28 12:07:02 snort[56418]: Finished: 0
          Oct 28 12:07:02 snort[56418]: Finished: 0
          Oct 28 12:07:02 snort[56418]: Change Cipher: 7714
          Oct 28 12:07:02 snort[56418]: Change Cipher: 7714
          Oct 28 12:07:02 snort[56418]: Server Key Exchange: 33
          Oct 28 12:07:02 snort[56418]: Server Key Exchange: 33
          Oct 28 12:07:02 snort[56418]: Client Key Exchange: 389
          Oct 28 12:07:02 snort[56418]: Client Key Exchange: 389
          Oct 28 12:07:02 snort[56418]: Server Done: 7800
          Oct 28 12:07:02 snort[56418]: Server Done: 7800
          Oct 28 12:07:02 snort[56418]: Certificate: 3762
          Oct 28 12:07:02 snort[56418]: Certificate: 3762
          Oct 28 12:07:02 snort[56418]: Server Hello: 6779
          Oct 28 12:07:02 snort[56418]: Server Hello: 6779
          Oct 28 12:07:02 snort[56418]: Client Hello: 840
          Oct 28 12:07:02 snort[56418]: Client Hello: 840
          Oct 28 12:07:02 snort[56418]: SSL packets decoded: 31984
          Oct 28 12:07:02 snort[56418]: SSL packets decoded: 31984
          Oct 28 12:07:02 snort[56418]: SSL Preprocessor:
          Oct 28 12:07:02 snort[56418]: SSL Preprocessor:
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Reassembled: 0
          Oct 28 12:07:02 snort[56418]: Reassembled: 0
          Oct 28 12:07:02 snort[56418]: Max fragment size: 0
          Oct 28 12:07:02 snort[56418]: Max fragment size: 0
          Oct 28 12:07:02 snort[56418]: Fragments: 0
          Oct 28 12:07:02 snort[56418]: Fragments: 0
          Oct 28 12:07:02 snort[56418]: Packets: 2
          Oct 28 12:07:02 snort[56418]: Packets: 2
          Oct 28 12:07:02 snort[56418]: Packet stats
          Oct 28 12:07:02 snort[56418]: Packet stats
          Oct 28 12:07:02 snort[56418]: Connectionless
          Oct 28 12:07:02 snort[56418]: Connectionless
          Oct 28 12:07:02 snort[56418]: DCE/RPC
          Oct 28 12:07:02 snort[56418]: DCE/RPC
          Oct 28 12:07:02 snort[56418]:
          Oct 28 12:07:02 snort[56418]:
          Oct 28 12:07:02 snort[56418]: Packets: 2
          Oct 28 12:07:02 snort[56418]: Packets: 2
          Oct 28 12:07:02 snort[56418]: Packet stats
          Oct 28 12:07:02 snort[56418]: Packet stats
          Oct 28 12:07:02 snort[56418]: Total sessions: 2
          Oct 28 12:07:02 snort[56418]: Total sessions: 2
          Oct 28 12:07:02 snort[56418]: UDP
          Oct 28 12:07:02 snort[56418]: UDP
          Oct 28 12:07:02 snort[56418]: Transports
          Oct 28 12:07:02 snort[56418]: Transports
          Oct 28 12:07:02 snort[56418]:
          Oct 28 12:07:02 snort[56418]:
          Oct 28 12:07:02 snort[56418]: Total sessions autodetected: 2
          Oct 28 12:07:02 snort[56418]: Total sessions autodetected: 2
          Oct 28 12:07:02 snort[56418]: Total sessions: 2
          Oct 28 12:07:02 snort[56418]: Total sessions: 2
          Oct 28 12:07:02 snort[56418]: dcerpc2 Preprocessor Statistics
          Oct 28 12:07:02 snort[56418]: dcerpc2 Preprocessor Statistics
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Total packets processed: 1820376
          Oct 28 12:07:02 snort[56418]: Total packets processed: 1820376
          Oct 28 12:07:02 snort[56418]: Gzip Decompressed Data Processed: n/a
          Oct 28 12:07:02 snort[56418]: Gzip Decompressed Data Processed: n/a
          Oct 28 12:07:02 snort[56418]: Gzip Compressed Data Processed: n/a
          Oct 28 12:07:02 snort[56418]: Gzip Compressed Data Processed: n/a
          Oct 28 12:07:02 snort[56418]: HTTP Response Gzip packets extracted: 0
          Oct 28 12:07:02 snort[56418]: HTTP Response Gzip packets extracted: 0
          Oct 28 12:07:02 snort[56418]: Self-referencing paths ("./"): 0
          Oct 28 12:07:02 snort[56418]: Self-referencing paths ("./"): 0
          Oct 28 12:07:02 snort[56418]: Extra slashes ("//"): 0
          Oct 28 12:07:02 snort[56418]: Extra slashes ("//"): 0
          Oct 28 12:07:02 snort[56418]: Directory traversals: 0
          Oct 28 12:07:02 snort[56418]: Directory traversals: 0
          Oct 28 12:07:02 snort[56418]: Base 36: 0
          Oct 28 12:07:02 snort[56418]: Base 36: 0
          Oct 28 12:07:02 snort[56418]: Non-ASCII representable: 0
          Oct 28 12:07:02 snort[56418]: Non-ASCII representable: 0
          Oct 28 12:07:02 snort[56418]: Double unicode: 0
          Oct 28 12:07:02 snort[56418]: Double unicode: 0
          Oct 28 12:07:02 snort[56418]: Unicode: 0
          Oct 28 12:07:02 snort[56418]: Unicode: 0
          Oct 28 12:07:02 snort[56418]: HTTP Response Cookies extracted: 0
          Oct 28 12:07:02 snort[56418]: HTTP Response Cookies extracted: 0
          Oct 28 12:07:02 snort[56418]: HTTP response Headers extracted: 0
          Oct 28 12:07:02 snort[56418]: HTTP response Headers extracted: 0
          Oct 28 12:07:02 snort[56418]: Post parameters extracted: 0
          Oct 28 12:07:02 snort[56418]: Post parameters extracted: 0
          Oct 28 12:07:02 snort[56418]: HTTP Request Cookies extracted: 0
          Oct 28 12:07:02 snort[56418]: HTTP Request Cookies extracted: 0
          Oct 28 12:07:02 snort[56418]: HTTP Request Headers extracted: 2
          Oct 28 12:07:02 snort[56418]: HTTP Request Headers extracted: 2
          Oct 28 12:07:02 snort[56418]: GET methods: 2
          Oct 28 12:07:02 snort[56418]: GET methods: 2
          Oct 28 12:07:02 snort[56418]: POST methods: 0
          Oct 28 12:07:02 snort[56418]: POST methods: 0
          Oct 28 12:07:02 snort[56418]: HTTP Inspect - encodings (Note: stream-reassembled packets included):
          Oct 28 12:07:02 snort[56418]: HTTP Inspect - encodings (Note: stream-reassembled packets included):
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Tracked: 97335
          Oct 28 12:07:02 snort[56418]: Tracked: 97335
          Oct 28 12:07:02 snort[56418]: Inspected: 0
          Oct 28 12:07:02 snort[56418]: Inspected: 0
          Oct 28 12:07:02 snort[56418]: Dropped: 0
          Oct 28 12:07:02 snort[56418]: Dropped: 0
          Oct 28 12:07:02 snort[56418]: UDP Port Filter
          Oct 28 12:07:02 snort[56418]: UDP Port Filter
          Oct 28 12:07:02 snort[56418]: Tracked: 2261915
          Oct 28 12:07:02 snort[56418]: Tracked: 2261915
          Oct 28 12:07:02 snort[56418]: Inspected: 0
          Oct 28 12:07:02 snort[56418]: Inspected: 0
          Oct 28 12:07:02 snort[56418]: Dropped: 0
          Oct 28 12:07:02 snort[56418]: Dropped: 0
          Oct 28 12:07:02 snort[56418]: TCP Port Filter
          Oct 28 12:07:02 snort[56418]: TCP Port Filter
          Oct 28 12:07:02 snort[56418]: Internal Events: 0
          Oct 28 12:07:02 snort[56418]: Internal Events: 0
          Oct 28 12:07:02 snort[56418]: Events: 0
          Oct 28 12:07:02 snort[56418]: Events: 0
          Oct 28 12:07:02 snort[56418]: UDP Discards: 0
          Oct 28 12:07:02 snort[56418]: UDP Discards: 0
          Oct 28 12:07:02 snort[56418]: UDP Timeouts: 26191
          Oct 28 12:07:02 snort[56418]: UDP Timeouts: 26191
          Oct 28 12:07:02 snort[56418]: UDP Sessions Deleted: 95524
          Oct 28 12:07:02 snort[56418]: UDP Sessions Deleted: 95524
          Oct 28 12:07:02 snort[56418]: UDP Sessions Created: 95524
          Oct 28 12:07:02 snort[56418]: UDP Sessions Created: 95524
          Oct 28 12:07:02 snort[56418]: TCP Gaps: 4
          Oct 28 12:07:02 snort[56418]: TCP Gaps: 4
          Oct 28 12:07:02 snort[56418]: TCP Discards: 1904603
          Oct 28 12:07:02 snort[56418]: TCP Discards: 1904603
          Oct 28 12:07:02 snort[56418]: TCP Segments Used: 12
          Oct 28 12:07:02 snort[56418]: TCP Segments Used: 12
          Oct 28 12:07:02 snort[56418]: TCP Rebuilt Packets: 10
          Oct 28 12:07:02 snort[56418]: TCP Rebuilt Packets: 10
          Oct 28 12:07:02 snort[56418]: TCP Segments Released: 14
          Oct 28 12:07:02 snort[56418]: TCP Segments Released: 14
          Oct 28 12:07:02 snort[56418]: TCP Segments Queued: 14
          Oct 28 12:07:02 snort[56418]: TCP Segments Queued: 14
          Oct 28 12:07:02 snort[56418]: TCP Overlaps: 28
          Oct 28 12:07:02 snort[56418]: TCP Overlaps: 28
          Oct 28 12:07:02 snort[56418]: TCP Timeouts: 24093
          Oct 28 12:07:02 snort[56418]: TCP Timeouts: 24093
          Oct 28 12:07:02 snort[56418]: TCP StreamTrackers Deleted: 69780
          Oct 28 12:07:02 snort[56418]: TCP StreamTrackers Deleted: 69780
          Oct 28 12:07:02 snort[56418]: TCP StreamTrackers Created: 69780
          Oct 28 12:07:02 snort[56418]: TCP StreamTrackers Created: 69780
          Oct 28 12:07:02 snort[56418]: ICMP Prunes: 0
          Oct 28 12:07:02 snort[56418]: ICMP Prunes: 0
          Oct 28 12:07:02 snort[56418]: UDP Prunes: 0
          Oct 28 12:07:02 snort[56418]: UDP Prunes: 0
          Oct 28 12:07:02 snort[56418]: TCP Prunes: 0
          Oct 28 12:07:02 snort[56418]: TCP Prunes: 0
          Oct 28 12:07:02 snort[56418]: ICMP sessions: 0
          Oct 28 12:07:02 snort[56418]: ICMP sessions: 0
          Oct 28 12:07:02 snort[56418]: UDP sessions: 69333
          Oct 28 12:07:02 snort[56418]: UDP sessions: 69333
          Oct 28 12:07:02 snort[56418]: TCP sessions: 62313
          Oct 28 12:07:02 snort[56418]: TCP sessions: 62313
          Oct 28 12:07:02 snort[56418]: Total sessions: 131646
          Oct 28 12:07:02 snort[56418]: Total sessions: 131646
          Oct 28 12:07:02 snort[56418]: Stream5 statistics:
          Oct 28 12:07:02 snort[56418]: Stream5 statistics:
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Frag Nodes Deleted: 93
          Oct 28 12:07:02 snort[56418]: Frag Nodes Deleted: 93
          Oct 28 12:07:02 snort[56418]: Frag Nodes Inserted: 93
          Oct 28 12:07:02 snort[56418]: Frag Nodes Inserted: 93
          Oct 28 12:07:02 snort[56418]: FragTrackers Auto Freed: 0
          Oct 28 12:07:02 snort[56418]: FragTrackers Auto Freed: 0
          Oct 28 12:07:02 snort[56418]: FragTrackers Dumped: 47
          Oct 28 12:07:02 snort[56418]: FragTrackers Dumped: 47
          Oct 28 12:07:02 snort[56418]: FragTrackers Added: 47
          Oct 28 12:07:02 snort[56418]: FragTrackers Added: 47
          Oct 28 12:07:02 snort[56418]: Drops: 0
          Oct 28 12:07:02 snort[56418]: Drops: 0
          Oct 28 12:07:02 snort[56418]: Alerts: 0
          Oct 28 12:07:02 snort[56418]: Alerts: 0
          Oct 28 12:07:02 snort[56418]: Anomalies: 0
          Oct 28 12:07:02 snort[56418]: Anomalies: 0
          Oct 28 12:07:02 snort[56418]: Overlaps: 0
          Oct 28 12:07:02 snort[56418]: Overlaps: 0
          Oct 28 12:07:02 snort[56418]: Timeouts: 0
          Oct 28 12:07:02 snort[56418]: Timeouts: 0
          Oct 28 12:07:02 snort[56418]: Memory Faults: 0
          Oct 28 12:07:02 snort[56418]: Memory Faults: 0
          Oct 28 12:07:02 snort[56418]: Discards: 0
          Oct 28 12:07:02 snort[56418]: Discards: 0
          Oct 28 12:07:02 snort[56418]: Frags Reassembled: 46
          Oct 28 12:07:02 snort[56418]: Frags Reassembled: 46
          Oct 28 12:07:02 snort[56418]: Total Fragments: 93
          Oct 28 12:07:02 snort[56418]: Total Fragments: 93
          Oct 28 12:07:02 snort[56418]: Frag3 statistics:
          Oct 28 12:07:02 snort[56418]: Frag3 statistics:
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Ignore: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Ignore: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Blacklist: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Blacklist: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Whitelist: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Whitelist: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Replace: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Replace: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Block: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Block: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Allow: 5598597 ( 99.994%)
          Oct 28 12:07:02 snort[56418]: Allow: 5598597 ( 99.994%)
          Oct 28 12:07:02 snort[56418]: Verdicts:
          Oct 28 12:07:02 snort[56418]: Verdicts:
          Oct 28 12:07:02 snort[56418]: Event Limit: 240
          Oct 28 12:07:02 snort[56418]: Event Limit: 240
          Oct 28 12:07:02 snort[56418]: Log Limit: 0
          Oct 28 12:07:02 snort[56418]: Log Limit: 0
          Oct 28 12:07:02 snort[56418]: Queue Limit: 0
          Oct 28 12:07:02 snort[56418]: Queue Limit: 0
          Oct 28 12:07:02 snort[56418]: Match Limit: 0
          Oct 28 12:07:02 snort[56418]: Match Limit: 0
          Oct 28 12:07:02 snort[56418]: Passed: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Passed: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Logged: 162 ( 0.003%)
          Oct 28 12:07:02 snort[56418]: Logged: 162 ( 0.003%)
          Oct 28 12:07:02 snort[56418]: Alerts: 162 ( 0.003%)
          Oct 28 12:07:02 snort[56418]: Alerts: 162 ( 0.003%)
          Oct 28 12:07:02 snort[56418]: Action Stats:
          Oct 28 12:07:02 snort[56418]: Action Stats:
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Total: 5598653
          Oct 28 12:07:02 snort[56418]: Total: 5598653
          Oct 28 12:07:02 snort[56418]: S5 G 2: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: S5 G 2: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: S5 G 1: 10 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: S5 G 1: 10 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Bad TTL: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Bad TTL: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Bad Chk Sum: 3147469 ( 56.218%)
          Oct 28 12:07:02 snort[56418]: Bad Chk Sum: 3147469 ( 56.218%)
          Oct 28 12:07:02 snort[56418]: Other: 823780 ( 14.714%)
          Oct 28 12:07:02 snort[56418]: Other: 823780 ( 14.714%)
          Oct 28 12:07:02 snort[56418]: All Discard: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: All Discard: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: ICMP Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: ICMP Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: UDP Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: UDP Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: TCP Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: TCP Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6 Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6 Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP4 Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP4 Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Eth Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Eth Disc: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Eth Loop: 6861 ( 0.123%)
          Oct 28 12:07:02 snort[56418]: Eth Loop: 6861 ( 0.123%)
          Oct 28 12:07:02 snort[56418]: IPX: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IPX: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: ARP: 224 ( 0.004%)
          Oct 28 12:07:02 snort[56418]: ARP: 224 ( 0.004%)
          Oct 28 12:07:02 snort[56418]: MPLS: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: MPLS: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE Loop: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE Loop: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE IPX: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE IPX: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE ARP: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE ARP: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE PPTP: 202481 ( 3.617%)
          Oct 28 12:07:02 snort[56418]: GRE PPTP: 202481 ( 3.617%)
          Oct 28 12:07:02 snort[56418]: GRE IP6 Ext: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE IP6 Ext: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE IP4: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE IP4: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE VLAN: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE VLAN: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE Eth: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE Eth: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: GRE: 202481 ( 3.617%)
          Oct 28 12:07:02 snort[56418]: GRE: 202481 ( 3.617%)
          Oct 28 12:07:02 snort[56418]: IP6/IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6/IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6/IP4: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6/IP4: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP4/IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP4/IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP4/IP4: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP4/IP4: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: EAPOL: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: EAPOL: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: ICMP-IP: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: ICMP-IP: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Teredo: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Teredo: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: TCP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: TCP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: UDP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: UDP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: ICMP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: ICMP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Frag6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Frag6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6 Opts: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6 Opts: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6 Ext: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6 Ext: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: IP6: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: TCP: 4358462 ( 77.848%)
          Oct 28 12:07:02 snort[56418]: TCP: 4358462 ( 77.848%)
          Oct 28 12:07:02 snort[56418]: UDP: 205479 ( 3.670%)
          Oct 28 12:07:02 snort[56418]: UDP: 205479 ( 3.670%)
          Oct 28 12:07:02 snort[56418]: ICMP: 1318 ( 0.024%)
          Oct 28 12:07:02 snort[56418]: ICMP: 1318 ( 0.024%)
          Oct 28 12:07:02 snort[56418]: Frag: 93 ( 0.002%)
          Oct 28 12:07:02 snort[56418]: Frag: 93 ( 0.002%)
          Oct 28 12:07:02 snort[56418]: IP4: 5590425 ( 99.853%)
          Oct 28 12:07:02 snort[56418]: IP4: 5590425 ( 99.853%)
          Oct 28 12:07:02 snort[56418]: VLAN: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: VLAN: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Eth: 5598653 (100.000%)
          Oct 28 12:07:02 snort[56418]: Eth: 5598653 (100.000%)
          Oct 28 12:07:02 snort[56418]: Breakdown by protocol (includes rebuilt packets):
          Oct 28 12:07:02 snort[56418]: Breakdown by protocol (includes rebuilt packets):
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: Injected: 0
          Oct 28 12:07:02 snort[56418]: Injected: 0
          Oct 28 12:07:02 snort[56418]: Outstanding: 358 ( 0.006%)
          Oct 28 12:07:02 snort[56418]: Outstanding: 358 ( 0.006%)
          Oct 28 12:07:02 snort[56418]: Filtered: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Filtered: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Dropped: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Dropped: 0 ( 0.000%)
          Oct 28 12:07:02 snort[56418]: Analyzed: 5598598 ( 99.994%)
          Oct 28 12:07:02 snort[56418]: Analyzed: 5598598 ( 99.994%)
          Oct 28 12:07:02 snort[56418]: Received: 5598956
          Oct 28 12:07:02 snort[56418]: Received: 5598956
          Oct 28 12:07:02 snort[56418]: Packet I/O Totals:
          Oct 28 12:07:02 snort[56418]: Packet I/O Totals:
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:02 snort[56418]: ===============================================================================
          Oct 28 12:07:00 snort[56418]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
          Oct 28 12:07:00 snort[56418]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
          Oct 28 12:07:00 snort[56418]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
          Oct 28 12:07:00 snort[56418]: Snort Reload: Any change to the dynamic detection configuration requires a restart.
          Oct 28 12:07:00 snort[56418]: Found pid path directive (/var/log/snort/run)
          Oct 28 12:07:00 snort[56418]: Found pid path directive (/var/log/snort/run)
          Oct 28 12:07:00 snort[56418]: Search-Method = AC-Sparse-Bands
          Oct 28 12:07:00 snort[56418]: Search-Method = AC-Sparse-Bands
          Oct 28 12:07:00 snort[56418]: Detection:
          Oct 28 12:07:00 snort[56418]: Detection:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 6503:6504 ]
          Oct 28 12:07:00 snort[56418]: [ 6503:6504 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_BRIGHTSTORE' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_BRIGHTSTORE' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 2103 2105 2107 ]
          Oct 28 12:07:00 snort[56418]: [ 2103 2105 2107 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_TCP' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_TCP' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 135 593 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: [ 135 593 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 135 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: [ 135 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_UDP_LONG' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 135 139 445 593 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: [ 135 139 445 593 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_IP_LONG' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 138 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: [ 138 1024:65535 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCADG_IP_UDP' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 139 445 ]
          Oct 28 12:07:00 snort[56418]: [ 139 445 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DCERPC_NCACN_IP_TCP' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 5060:5090 16384:32768 ]
          Oct 28 12:07:00 snort[56418]: [ 5060:5090 16384:32768 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SIP_PROXY_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SIP_PROXY_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 443 465 563 636 989:990 992:995 ]
          Oct 28 12:07:00 snort[56418]: [ 443 465 563 636 989:990 992:995 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SSL_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SSL_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 25 143 465 691 ]
          Oct 28 12:07:00 snort[56418]: [ 25 143 465 691 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'MAIL_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'MAIL_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 23 ]
          Oct 28 12:07:00 snort[56418]: [ 23 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'TELNET_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'TELNET_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 44 ]
          Oct 28 12:07:00 snort[56418]: [ 44 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SSH_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SSH_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 161 ]
          Oct 28 12:07:00 snort[56418]: [ 161 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SNMP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SNMP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 25 ]
          Oct 28 12:07:00 snort[56418]: [ 25 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SMTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SMTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 139 445 ]
          Oct 28 12:07:00 snort[56418]: [ 139 445 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SMB_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SMB_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 514 ]
          Oct 28 12:07:00 snort[56418]: [ 514 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'RSH_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'RSH_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 513 ]
          Oct 28 12:07:00 snort[56418]: [ 513 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'RLOGIN_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'RLOGIN_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 111 32770:32779 ]
          Oct 28 12:07:00 snort[56418]: [ 111 32770:32779 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SUNRPC_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SUNRPC_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 110 ]
          Oct 28 12:07:00 snort[56418]: [ 110 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'POP3_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'POP3_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 109 ]
          Oct 28 12:07:00 snort[56418]: [ 109 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'POP2_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'POP2_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 119 ]
          Oct 28 12:07:00 snort[56418]: [ 119 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'NNTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'NNTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 1433 ]
          Oct 28 12:07:00 snort[56418]: [ 1433 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'MSSQL_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'MSSQL_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 6665:6669 7000 ]
          Oct 28 12:07:00 snort[56418]: [ 6665:6669 7000 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'IRC_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'IRC_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 143 ]
          Oct 28 12:07:00 snort[56418]: [ 143 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'IMAP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'IMAP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 20:22 3500:3600 ]
          Oct 28 12:07:00 snort[56418]: [ 20:22 3500:3600 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'FTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'FTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 79 ]
          Oct 28 12:07:00 snort[56418]: [ 79 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'FINGER_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'FINGER_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 53 ]
          Oct 28 12:07:00 snort[56418]: [ 53 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'DNS_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'DNS_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 113 ]
          Oct 28 12:07:00 snort[56418]: [ 113 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'AUTH_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'AUTH_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 1521 ]
          Oct 28 12:07:00 snort[56418]: [ 1521 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'ORACLE_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'ORACLE_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 0:79 81:65535 ]
          Oct 28 12:07:00 snort[56418]: [ 0:79 81:65535 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'SHELLCODE_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'SHELLCODE_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: [ 80 ]
          Oct 28 12:07:00 snort[56418]: [ 80 ]
          Oct 28 12:07:00 snort[56418]: PortVar 'HTTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]: PortVar 'HTTP_PORTS' defined :
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]: --== Reloading Snort ==--
          Oct 28 12:07:00 snort[56418]: --== Reloading Snort ==--
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:07:00 snort[56418]:
          Oct 28 12:06:59 SnortStartup[49791]: Snort Soft Reload For 62376_bge1…
          Oct 28 12:06:59 SnortStartup[42833]: Snort already running, soft restart
          Oct 28 12:06:59 SnortStartup[41409]: Snort Startup files Sync…


          Retry by telling it to Update Rules one more time. Second Update log below.


          Oct 28 12:15:29 SnortStartup[41211]: Snort HARD Reload For 62376_bge1…
          Oct 28 12:15:28 snort[41138]: Commencing packet processing (pid=41138)
          Oct 28 12:15:28 snort[41138]: Commencing packet processing (pid=41138)
          Oct 28 12:15:28 snort[41138]: --== Initialization Complete ==--
          Oct 28 12:15:28 snort[41138]: --== Initialization Complete ==--
          Oct 28 12:15:28 snort[41138]:
          Oct 28 12:15:28 snort[41138]:
          Oct 28 12:15:28 snort[41138]: Set uid to 920
          Oct 28 12:15:28 snort[41138]: Set uid to 920
          Oct 28 12:15:28 snort[41138]: Set gid to 920
          Oct 28 12:15:28 snort[41138]: Set gid to 920
          Oct 28 12:15:28 snort[41138]: Writing PID "41138" to file "/var/log/snort/run/snort_bge162376.pid"
          Oct 28 12:15:28 snort[41138]: Writing PID "41138" to file "/var/log/snort/run/snort_bge162376.pid"
          Oct 28 12:15:28 snort[41138]: PID path stat checked out ok, PID path set to /var/log/snort/run
          Oct 28 12:15:28 snort[41138]: PID path stat checked out ok, PID path set to /var/log/snort/run
          Oct 28 12:15:28 snort[41138]: Checking PID path…
          Oct 28 12:15:28 snort[41138]: Checking PID path…
          Oct 28 12:15:28 snort[41138]: Decoding Ethernet
          Oct 28 12:15:28 snort[41138]: Decoding Ethernet
          Oct 28 12:15:28 snort[41138]: Reload thread started, thread 0x7a21afc0 (41138)
          Oct 28 12:15:28 snort[41138]: Reload thread started, thread 0x7a21afc0 (41138)
          Oct 28 12:15:28 snort[41138]: Reload thread starting…
          Oct 28 12:15:28 snort[41138]: Reload thread starting…
          Oct 28 12:15:28 snort[41138]: Daemon initialized, signaled parent pid: 31126
          Oct 28 12:15:28 snort[41138]: Daemon initialized, signaled parent pid: 31126
          Oct 28 12:15:28 snort[31126]: Initializing daemon mode
          Oct 28 12:15:28 snort[31126]: Initializing daemon mode
          Oct 28 12:15:28 snort[31126]: Acquiring network traffic from "bge1".
          Oct 28 12:15:28 snort[31126]: Acquiring network traffic from "bge1".
          Oct 28 12:15:28 snort[31126]: pcap DAQ configured to passive.
          Oct 28 12:15:28 snort[31126]: pcap DAQ configured to passive.
          Oct 28 12:15:28 snort[31126]: +----------------------------------------------------------------
          Oct 28 12:15:28 snort[31126]: +----------------------------------------------------------------
          Oct 28 12:15:28 snort[31126]: | DFA : 831.45
          Oct 28 12:15:28 snort[31126]: | DFA : 831.45
          Oct 28 12:15:28 snort[31126]: | Fail States : 4.03
          Oct 28 12:15:28 snort[31126]: | Fail States : 4.03
          Oct 28 12:15:28 snort[31126]: | Match Lists : 12.96
          Oct 28 12:15:28 snort[31126]: | Match Lists : 12.96
          Oct 28 12:15:28 snort[31126]: | Patterns : 8.84
          Oct 28 12:15:28 snort[31126]: | Patterns : 8.84
          Oct 28 12:15:28 snort[31126]: | Memory (MB) : 857.69
          Oct 28 12:15:28 snort[31126]: | Memory (MB) : 857.69
          Oct 28 12:15:28 snort[31126]: | Match States : 135064
          Oct 28 12:15:28 snort[31126]: | Match States : 135064
          Oct 28 12:15:28 snort[31126]: | Patterns : 133688
          Oct 28 12:15:28 snort[31126]: | Patterns : 133688
          Oct 28 12:15:28 snort[31126]: | State Density : 28.3%
          Oct 28 12:15:28 snort[31126]: | State Density : 28.3%
          Oct 28 12:15:28 snort[31126]: | Transitions : 76469380
          Oct 28 12:15:28 snort[31126]: | Transitions : 76469380
          Oct 28 12:15:28 snort[31126]: | States : 1055879
          Oct 28 12:15:28 snort[31126]: | States : 1055879
          Oct 28 12:15:28 snort[31126]: | Characters : 1428102
          Oct 28 12:15:28 snort[31126]: | Characters : 1428102
          Oct 28 12:15:28 snort[31126]: | Instances : 1103
          Oct 28 12:15:28 snort[31126]: | Instances : 1103
          Oct 28 12:15:28 snort[31126]: | Sizeof State : 4 bytes
          Oct 28 12:15:28 snort[31126]: | Sizeof State : 4 bytes
          Oct 28 12:15:28 snort[31126]: | Alphabet Size : 256 Chars
          Oct 28 12:15:28 snort[31126]: | Alphabet Size : 256 Chars
          Oct 28 12:15:28 snort[31126]: | Finite Automaton : DFA
          Oct 28 12:15:28 snort[31126]: | Finite Automaton : DFA
          Oct 28 12:15:28 snort[31126]: | Storage Format : Sparse-Bands
          Oct 28 12:15:28 snort[31126]: | Storage Format : Sparse-Bands
          Oct 28 12:15:28 snort[31126]: +- [ Aho-Corasick Summary ] -------------------------------------
          Oct 28 12:15:28 snort[31126]: +- [ Aho-Corasick Summary ] -------------------------------------
          Oct 28 12:15:28 snort[31126]: [ Port Based Pattern Matching Memory ]
          Oct 28 12:15:28 snort[31126]: [ Port Based Pattern Matching Memory ]
          Oct 28 12:15:28 snort[31126]:
          Oct 28 12:15:28 snort[31126]:
          Oct 28 12:14:07 snort[31126]: 405 out of 1024 flowbits in use.
          Oct 28 12:14:07 snort[31126]: 405 out of 1024 flowbits in use.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'email.rtf' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'email.rtf' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.htm' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.htm' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.bmp' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.bmp' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'js.rename.unescape' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'js.rename.unescape' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'csv.download' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'csv.download' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.plf' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.plf' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'java_class_file.request' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'java_class_file.request' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.http.javaclient.vulnerable' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.http.javaclient.vulnerable' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'starttls.attempt' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'starttls.attempt' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.xlw' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.xlw' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'is_proto_irc' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'is_proto_irc' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.mkv' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.mkv' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.pub' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.pub' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.pct' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.pct' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.wma' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.wma' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.lnk' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.lnk' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'tlsv1.client_change_cipher_spec' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'tlsv1.client_change_cipher_spec' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.http.javaclient' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.http.javaclient' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'maki_file.request' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'maki_file.request' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ipp.application' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ipp.application' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.dxf' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.dxf' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'BrAin_Wiper_Chat' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'BrAin_Wiper_Chat' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'email.pdf' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'email.pdf' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.bin' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.bin' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.rat' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.rat' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.DROPIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.DROPIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.stat_code_407' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.stat_code_407' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.oless.v4' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.oless.v4' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ms.publisher.file' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ms.publisher.file' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.exe' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.exe' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.xls.biff5' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.xls.biff5' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.eps.download' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.eps.download' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.CompIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.CompIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.msproducer' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.msproducer' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.BotccIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.BotccIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'asp.upload' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'asp.upload' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.ttf' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.ttf' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.realplayer' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.realplayer' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.chm' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.chm' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.pmd' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.pmd' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.torrent' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.torrent' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.oless.v3' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.oless.v3' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'emf.request' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'emf.request' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.xpm' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.xpm' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'backup_file.request' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'backup_file.request' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.DshieldIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.DshieldIP' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.Evil' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.Evil' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.disco' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.disco' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'vnc.auth' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'vnc.auth' is checked but not ever set.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'exe.download' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'exe.download' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.RBN' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.RBN' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.lzh' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.lzh' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.deploy' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'http.deploy' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'net.application' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'net.application' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'snipernet' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: flowbits key 'snipernet' is set but not ever checked.
          Oct 28 12:14:07 snort[31126]: Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
          Oct 28 12:14:07 snort[31126]: Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
          Oct 28 12:14:07 snort[31126]: Verifying Preprocessor Configurations!
          Oct 28 12:14:07 snort[31126]: Verifying Preprocessor Configurations!
          Oct 28 12:14:07 snort[31126]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
          Oct 28 12:14:07 snort[31126]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
          Oct 28 12:14:07 snort[31126]: -------------------------------------------------------------------------------
          Oct 28 12:14:07 snort[31126]: -------------------------------------------------------------------------------
          Oct 28 12:14:07 snort[31126]: | none
          Oct 28 12:14:07 snort[31126]: | none
          Oct 28 12:14:07 snort[31126]: +-----------------------[suppression]------------------------------------------
          Oct 28 12:14:07 snort[31126]: +-----------------------[suppression]------------------------------------------
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2408027 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2408027 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406733 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406733 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2500709 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2500709 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501007 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501007 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2500550 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2500550 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501217 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501217 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406761 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406761 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406102 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406102 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406066 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406066 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406773 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406773 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501031 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501031 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501229 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501229 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2500218 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2500218 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501005 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2501005 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406599 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2406599 type=Limit tracking=src count=1 seconds=60
          Oct 28 12:14:07 snort[31126]: | gen-id=1 sig-id=2404427 type=Limit tracking=src count=1 seconds=3600

          1 Reply Last reply Reply Quote 0
          • S
            Seb
            last edited by

            I've just reported this as a bug: http://redmine.pfsense.org/issues/1982

            1 Reply Last reply Reply Quote 0
            • RonpfSR
              RonpfS
              last edited by

              I do experience many snort failures after update. If I do the update manually, snort starts without problem.

              The update starts at 00:03 every day for a DAILY update. If all pfsense boxes do that at the same time, could that create some issues? Can the servers provide all the data to all pfsense boxes? It might be nice to be able to specify the update time or choose the time 'randomly'.

              I also noticed that when the WAN IP changes, strange things also happen, like blocking of the WAN IP !!!
              A manual restart fixes the problems.

              2.4.5-RELEASE-p1 (amd64)
              Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
              Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

              1 Reply Last reply Reply Quote 0
              • S
                Seb
                last edited by

                @RonpfS:

                I do experience many snort failures after update. If I do the update manually, snort starts without problem.
                …

                Do you mean that if you update manually, AFTER the automatic update, or more specifically: WHEN snort is not running, snort starts without problems?  Because if so, that is because the update is different when snort is not running.  See my bug report: http://redmine.pfsense.org/issues/1982


                Everyone,
                Which rules are you running?  Snort Free, Snort Paid-for, Emerging Threats (free), or two of these?  I'm currently using Snort Free and Emerging Threats.

                1 Reply Last reply Reply Quote 0
                • M
                  mentalhemroids
                  last edited by

                  @Seb:

                  @RonpfS:

                  I do experience many snort failures after update. If I do the update manually, snort starts without problem.
                  …

                  @Seb:

                  Do you mean that if you update manually, AFTER the automatic update, or more specifically: WHEN snort is not running, snort starts without problems?  Because if so, that is because the update is different when snort is not running.  See my bug report: http://redmine.pfsense.org/issues/1982

                  I can't speak for RonpfS, but one of my systems (x86 P3 w/ 512mb RAM) does the updates fine on a 12 hour schedule.  It fails every so often, but very rare.  My other system (x86 Xeon(TM) CPU 3.06GHz w/ 3GB RAM) has updates turned off and when I do run updates manually the updates go through, but Snort never starts/fails; then I have to click on update again and it finally starts up and runs until I tell it to update.  I just tried a reinstall of the package today and ran the updates; the same thing happened… after the updates ran I had to click update a second time to get the Snort service to start.


                  @Seb:

                  Everyone,
                  Which rules are you running?  Snort Free, Snort Paid-for, Emerging Threats (free), or two of these?  I'm currently using Snort Free and Emerging Threats.

                  I am running free Snort rules and Emerging Threats on both machines, but with only certain rules enabled.  I tried to have both systems using as much of the same ones as possible, but I'm limited on the P3 with it having less memory.

                  Hope this helps Seb.

                  1 Reply Last reply Reply Quote 0
                  • RonpfSR
                    RonpfS
                    last edited by

                    @Seb:

                    @RonpfS:

                    I do experience many snort failures after update. If I do the update manually, snort starts without problem.
                    …

                    Do you mean that if you update manually, AFTER the automatic update, or more specifically: WHEN snort is not running, snort starts without problems?  Because if so, that is because the update is different when snort is not running.  See my bug report: http://redmine.pfsense.org/issues/1982


                    When snort is running, it fails after auto update, a manual update will start snort.

                    I'm currently using x86 Snort 2.9.0.5 pkg v. 2.0 with Snort Free and Emerging Threats
                    I have pfBlocker in use as well.

                    I reinstalled the snort package an hour ago … no alert since !!!!

                    I figured out that /usr/local/bin/barnyard2 went missing in action  ???
                    and  reinstalled it

                    
                    cd /usr/local/bin
                    fetch http://files.pfsense.com/packages/8/All/barnyard2 
                    chmod 555 /usr/local/bin/barnyard2
                    
                    

                    No alerts logged ?

                    With snort running, I updated the rules, snort exited
                    I ran update again while snort was stopped, it started ok

                    Still no alerts logged

                    After many reinstalls, a reboot …
                    I reinstalled all packages
                    I removed snort
                    I installed barnyard2
                    I installed snort
                    finally I am getting alerts ....
                    :)

                    But it is impossible to function with snort enabled ...

                    I am getting
                    2 3 TCP (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Unknown Traffic 69.64.6.7 80 -> 96.43.226.245 58850 120:3:1 11/03-22:26:05

                    just browsing any site ....  ???

                    I am throwing the towel ... disable snort for now

                    2.4.5-RELEASE-p1 (amd64)
                    Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                    Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                    1 Reply Last reply Reply Quote 0
                    • M
                      mentalhemroids
                      last edited by

                      @RonpfS  I don't think it is bad/wrong/error that you are getting those errors from http inspect; there might be legit reasons that the sites you visit cause errors.  I don't use Barnyard, so I can't give any feedback on that, but I have always had alerts show up.

                      1 Reply Last reply Reply Quote 0
                      • RonpfSR
                        RonpfS
                        last edited by

                        I am getting this 'http_inspect' Alert browsing  forum.pfsense.org !!!
                        Something broke somewhere so I will wait later to reinstall snort

                        2.4.5-RELEASE-p1 (amd64)
                        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                        1 Reply Last reply Reply Quote 0
                        • M
                          mentalhemroids
                          last edited by

                          @RonpfS:

                          I am getting this 'http_inspect' Alert browsing  forum.pfsense.org !!!
                          Something broke somewhere so I will wait later to reinstall snort

                          ;D I just whitelisted pfsense.org . . . just to be safe.

                          1 Reply Last reply Reply Quote 0
                          • RonpfSR
                            RonpfS
                            last edited by

                            I reinstalled snort from scratch this morning.
                            Things are ok if I set HTTP server flow depth to -1

                            I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!

                            (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1

                            2.4.5-RELEASE-p1 (amd64)
                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                            1 Reply Last reply Reply Quote 0
                            • J
                              johnnybe
                              last edited by

                              @RonpfS:

                              I reinstalled snort from scratch this morning.
                              Things are ok if I set HTTP server flow depth to -1

                              I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!

                              (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1

                              Yep, it happened to me as well. That's why I have this line in the Snort>Suppress tab:
                              #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                              suppress gen_id 120,sig_id 3

                              you would not believe the view up here

                              1 Reply Last reply Reply Quote 0
                              • RonpfSR
                                RonpfS
                                last edited by

                                @johnnybe:

                                @RonpfS:

                                I reinstalled snort from scratch this morning.
                                Things are ok if I set HTTP server flow depth to -1

                                I tried leaving the field empty, 0, 1460 and anytime I browse forum.pfsense.org or any other site the site is blocked with the following: !?!

                                (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3:1

                                Yep, it happened to me as well. That's why I have this line in the Snort>Suppress tab:
                                #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                                suppress gen_id 120,sig_id 3

                                Yup … that works fine with this suppress line  ;D

                                Thank you

                                2.4.5-RELEASE-p1 (amd64)
                                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                1 Reply Last reply Reply Quote 0
                                • S
                                  serialdie
                                  last edited by

                                  I am not sure what you guys are doing to get snort to work… I still can't get snort to log and/or block.

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    pfsenseddc
                                    last edited by

                                    @jamesdean:

                                    @mentalhemroids

                                    Looks like snort.org updated code that references fpcreate.c.

                                    http://www.snort.org/downloads/1165

                                    You're going to have to wait till will update the port to the newest version.

                                    Hi,
                                    When one triggers 'Update rules' the snort is restarting using SIGHUP - according to code at file /usr/local/pkg/snort/snort.inc, line 1278.
                                    But when you look at system.log you see following entries:

                                    (...)
                                    Nov  6 08:26:09 pfsense SnortStartup[31407]: Snort Startup files Sync...
                                    Nov  6 08:26:09 pfsense SnortStartup[33474]: Snort already running, soft restart
                                    (...)
                                    Nov  6 08:26:40 pfsense snort[20195]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
                                    (...)
                                    Nov  6 08:26:43 pfsense snort[20195]: Snort exiting
                                    

                                    I guess that is the reason why manual stop/start works, but automatic one doesn't.

                                    Kind regards,

                                    –  
                                    John

                                    1 Reply Last reply Reply Quote 0
                                    • RonpfSR
                                      RonpfS
                                      last edited by

                                      @serialdie:

                                      I am not sure what you guys are doing to get snort to work… I still can't get snort to log and/or block.

                                      Reinstalling does not fix problem.

                                      To get it to run, I uninstalled snort
                                      then I installed snort
                                      I uncheck Keep snort settings after deinstall, save
                                      I click Reset, save
                                      I uninstalled snort again

                                      After that, I installed snort and started from scratch.
                                      It is working, but it did not restart after the last automatic update, same problem as pfsenseddc mentioned:
                                      the

                                      
                                      2011-11-06 00:05:38	Daemon.Info	xxx	SnortStartup[54021]: Snort Startup files Sync...
                                      2011-11-06 00:05:38	Daemon.Info	xxx	SnortStartup[55697]: Snort already running, soft restart
                                      2011-11-06 00:05:38	Daemon.Info	xxx	SnortStartup[55926]: Snort Soft Reload For 18203_pppoe0...
                                      2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]:
                                      2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]:         --== Reloading Snort ==--
                                      2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]:
                                      2011-11-06 00:05:39	Daemon.Notice	xxx	snort[17907]: PortVar 'HTTP_PORTS' defined :
                                      
                                       ---
                                      
                                      2011-11-06 00:06:13	Daemon.Notice	xxx	snort[17907]: Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
                                      2011-11-06 00:06:13	Daemon.Error	xxx	snort[17907]: http_inspect:  Changing decompress_depth requires a restart.
                                      2011-11-06 00:06:14	Daemon.Notice	xxx	snort[17907]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
                                      
                                      2011-11-06 00:06:14	Kernel.Info	xxx	kernel: pppoe0: promiscuous mode disabled
                                      
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: ===============================================================================
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: Packet I/O Totals:
                                      
                                       ---
                                      
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: +-----------------------[filtered events]--------------------------------------
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2013479    type=Both      tracking=src count=20  seconds=360 filtered=5
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2002911    type=Threshold tracking=src count=5   seconds=60  filtered=3
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2001219    type=Threshold tracking=src count=5   seconds=120 filtered=2
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=1      sig-id=2001972    type=Both      tracking=src count=20  seconds=360 filtered=1
                                      2011-11-06 00:06:16	Daemon.Notice	xxx	snort[17907]: | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=158
                                      2011-11-06 00:06:18	Daemon.Notice	xxx	snort[17907]: Snort exiting
                                      
                                      

                                      Maybe you can spot this behaviour by looking at the Status: RRD Graphs / System /  Processor
                                      the graph will show almost no User Nice utilisation after restart or update.

                                      2.4.5-RELEASE-p1 (amd64)
                                      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                      1 Reply Last reply Reply Quote 0
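A check for the failure mode shown in the two log excerpts above, as an added example that is not part of the thread or of the pfSense snort package: it reads syslog lines on stdin and reports snort PIDs that logged the refused-HUP message, exited, and were not followed by a new snort PID. The function names, the `fw` hostname and the sample lines are constructed (modelled on the lines quoted in the thread), and treating a never-before-seen snort PID as the restart is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense snort package.

# find_dead_sensors: read syslog lines on stdin and print one line per snort
# process that logged the refused-HUP message, then exited, and was not
# followed by a new snort PID.
# Exit status: 0 = no unrecovered exit, 1 = at least one sensor is down.
find_dead_sensors() {
    awk '
    BEGIN { head = 0; tail = 0 }

    # Find the "snort[1234]:" tag wherever it sits in the line, so the local
    # system.log layout and remote-syslog layouts both match. The tag is
    # case-sensitive, so "SnortStartup[...]" lines are skipped.
    match($0, /snort\[[0-9]+\]:/) {
        pid = substr($0, RSTART + 6, RLENGTH - 8)
        msg = substr($0, RSTART + RLENGTH)

        # Assumption: a snort PID never seen before is a freshly started
        # process. Instances on other interfaces were already logging before
        # the exit, so they are in "seen" and do not count as a restart.
        # Replacements are matched oldest-first because snort log lines do
        # not name the interface.
        if (!(pid in seen)) {
            seen[pid] = 1
            if (head < tail) head++
        }

        if (index(msg, "Reload via Signal HUP does not work"))
            hup_refused[pid] = 1

        # The exit message is often logged twice, so record each PID once.
        if (index(msg, "Snort exiting") && (pid in hup_refused) && !(pid in exited)) {
            exited[pid] = 1
            pend_pid[tail] = pid
            pend_line[tail] = NR
            tail++
        }
    }

    END {
        for (i = head; i < tail; i++)
            printf "DOWN pid=%s exited_at_line=%d\n", pend_pid[i], pend_line[i]
        exit (head < tail) ? 1 : 0
    }'
}

# Constructed sample: the soft restart after a rules update, with no restart.
sample_unrecovered() {
    cat <<'EOF'
Nov  6 08:26:09 fw SnortStartup[31407]: Snort Startup files Sync...
Nov  6 08:26:09 fw SnortStartup[33474]: Snort already running, soft restart
Nov  6 08:26:10 fw snort[20195]: --== Reloading Snort ==--
Nov  6 08:26:40 fw snort[20195]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
Nov  6 08:26:43 fw snort[20195]: Snort exiting
Nov  6 08:26:43 fw snort[20195]: Snort exiting
EOF
}

# Constructed sample: the same failure, then a second update run starts snort.
sample_recovered() {
    sample_unrecovered
    cat <<'EOF'
Nov  6 08:31:02 fw SnortStartup[40112]: Snort Startup files Sync...
Nov  6 08:31:30 fw snort[41002]: --== Initialization Complete ==--
EOF
}

# Demo on the constructed samples; on a firewall, pipe the system log in.
sample_unrecovered | find_dead_sensors || echo "snort did not come back after the reload"
sample_recovered | find_dead_sensors && echo "snort was restarted after the failed reload"
```

Run from cron shortly after the scheduled rules update, a non-zero exit status is the signal that the interface is currently uninspected.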
                                      • S
                                        Seb
                                        last edited by

                                        @pfsenseddc:

                                        Hi,
                                        When one triggers 'Update rules' the snort is restarting using SIGHUP - according to code at file /usr/local/pkg/snort/snort.inc, line 1278.
                                        But when you look at system.log you see following entries:

                                        (...)
                                        Nov  6 08:26:09 pfsense SnortStartup[31407]: Snort Startup files Sync...
                                        Nov  6 08:26:09 pfsense SnortStartup[33474]: Snort already running, soft restart
                                        (...)
                                        Nov  6 08:26:40 pfsense snort[20195]: Reload via Signal HUP does not work if you aren't root or are chroot'ed.
                                        (...)
                                        Nov  6 08:26:43 pfsense snort[20195]: Snort exiting
                                        

                                        I guess that is the reason why manual stop/start works, but automatic one doesn't.

                                        Kind regards,

                                        –  
                                        John

                                        @pfsenseddc:  Yes, that is more or less what I discovered and wrote in the bug report:
                                        http://redmine.pfsense.org/issues/1982

                                        1 Reply Last reply Reply Quote 0
                                        • P
                                          pfsenseddc
                                          last edited by

                                          @Seb:

                                          (…)
                                          Yes, that is more or less what I discovered and wrote in the bug report:
                                          http://redmine.pfsense.org/issues/1982
                                          (...)

                                          Below is an ugly but quick fix that works for me (output from command: diff /usr/local/pkg/snort/snort.inc /usr/local/pkg/snort/snort.inc_org):

                                           1278,1281c1278
                                          < 	# developer sar:20111031 - SIGHUP doesn't work if snort is running chrooted or if php is not running as root
                                          < 	# before: # /bin/kill -HUP \${snort_pid}
                                          < 	/bin/kill \${snort_pid}
                                          < 	sleep 10
                                          ---
                                          > 	/bin/kill -HUP \${snort_pid}
                                          
                                          
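Review bot: the fixed `sleep 10` after `/bin/kill \${snort_pid}` assumes snort has finished shutting down within ten seconds, and nothing in the hunk verifies that. The logs in this thread show three to four seconds between the refused-HUP message and "Snort exiting", but a box with a larger rule set or less memory may take longer, and whatever runs after the sleep would then act on a process that is still exiting. Consider polling with `/bin/kill -0 \${snort_pid}` in a bounded loop instead of a fixed delay, and logging when the bound is hit. The hunk also does not show the step that starts snort again; since a plain kill replaces the reload, confirm that the code after the sleep does start it, otherwise the interface stays uninspected after every rules update. Finally, the diff was taken as modified-versus-original, so the `<` lines are the new code; running `diff snort.inc_org snort.inc` would give output in the usual direction for others to apply.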

                                          You probably need to restart the pfsense after modification or/and modify /usr/local/etc/rc.d/snort.sh manually also.
                                          Regards,
                                          –
                                          John

                                          1 Reply Last reply Reply Quote 0
                                          • B
                                            bdwyer
                                            last edited by

                                            @pfsenseddc:

                                            @Seb:

                                            (…)
                                            Yes, that is more or less what I discovered and wrote in the bug report:
                                            http://redmine.pfsense.org/issues/1982
                                            (...)

                                            Below is an ugly but quick fix that works for me (output from command: diff /usr/local/pkg/snort/snort.inc /usr/local/pkg/snort/snort.inc_org):

                                             1278,1281c1278
                                            < 	# developer sar:20111031 - SIGHUP doesn't work if snort is running chrooted or if php is not running as root
                                            < 	# before: # /bin/kill -HUP \${snort_pid}
                                            < 	/bin/kill \${snort_pid}
                                            < 	sleep 10
                                            ---
                                            > 	/bin/kill -HUP \${snort_pid}
                                            
                                            

                                            You probably need to restart the pfsense after modification or/and modify /usr/local/etc/rc.d/snort.sh manually also.
                                            Regards,
                                            –
                                            John

                                            Good job guys, glad this got figured out.  Hopefully this is reflected in the package code soon.

                                            CCNP, MCITP

                                            Intel Atom N550 - 2gb DDR3
                                            Jetway NC9C-550-LF
                                            Antec ISK 300-150
                                            HP ProCurve 1810-24
                                            Cisco 1841 & 2821, Cisco 3550 x3

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.