Netgate Discussion Forum
    Snort 2.9.2.3 pkg v. 2.5.1 service fails overnight, unable to restart

pfSense Packages · 65 Posts, 14 Posters, 22.7k Views
Post by caustic386

      @blundar:

      I set up the package on 7/27 on PF2.01/Amd64

      When the updates processed (last night I think) things broke.  I removed the package, reinstalled about 3pm EST and it seems to have fixed things.  Just FYI.

This is my exact setup, and I'm still having trouble after a few re-installs.  Fails overnight; restarting manually is successful.

Post by blundar

        I must eat my words!  Snort died again last night!

from logs:

20	snort[32228]: Initializing rule chains...
Jul 31 12:03:20	snort[32228]: FATAL ERROR: /usr/local/etc/snort/snort_13690_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 31 12:03:20	snort[32228]: FATAL ERROR: /usr/local/etc/snort/snort_13690_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 31 12:03:20	php: : Snort has restarted with your new set of rules...
Jul 31 12:03:20	kernel: em0: promiscuous mode disabled

        Unchecking the "sensitive-data" checkbox for the CC# check, etc. in preprocessors was enough to get snort running again, albeit without some useful checks.

Post by caustic386

          @blundar:

          I must eat my words!  Snort died again last night!

          Unchecking the "sensitive-data" checkbox for the CC# check, etc. in preprocessors was enough to get snort running again, albeit without some useful checks.

          This is my exact same issue.  I'm not sure how to find logs for past snort events?

Post by blundar

            Services… System logs.

Post by caustic386

              @blundar:

              Services… System logs.

              Unfortunately it only displays the last 50 events, which doesn't take me back to the overnight failure.

Post by Fesoj

                blundar,

the sdf problem has been known for quite a while, and if you search backwards in this thread you'll find a way of handling it.

Post by blundar

                  you can change the number of lines using the settings tab.  I have mine set to 500.

Post by caustic386

                    @blundar:

                    you can change the number of lines using the settings tab.  I have mine set to 500.

                    Thanks - can't believe I never noticed that.  I'll check it again first thing in the AM.

Post by Cino

                      dumb question, is everyone seeing updated rules? Since Sunday, i've had the same hash:

                      SNORT.ORG >>>   "7017498f85ec6d0fc34c904c950ed8c1"
                      EMERGINGTHREATS.NET >>>   13611f17ed1c94d40c8f0a78566dbb90

                      I've been deleting the hash to force a manual update.. The auto update kicks off but nothing is downloaded since there isn't a new hash

Post by caustic386

                        @Cino:

dumb question, is everyone seeing updated rules? Since Sunday, i've had the same hash:

                        SNORT.ORG >>>   "7017498f85ec6d0fc34c904c950ed8c1"
                        EMERGINGTHREATS.NET >>>   13611f17ed1c94d40c8f0a78566dbb90

                        I've been deleting the hash to force a manual update.. The auto update kicks off but nothing is downloaded since there isn't a new hash

                        Sunday-Monday was the only day snort did not fail during updates, so it's possible there just weren't any that night.  I can't account for Monday, however.

Post by judex

                          You can check the actual MD5 Hash of "Only Registered Users" here:

                          http://www.snort.org/downloads/1778/show_md5

                          It is still:
                          "7017498f85ec6d0fc34c904c950ed8c1"

                          I am also checking that, because I also suspect snort to only update ET rules automatically. Manual updates work so far.

                          Greets, Judex

                          2.1-RELEASE (amd64)
                          built on Wed Sep 11 18:17:48 EDT 2013
                          FreeBSD 8.3-RELEASE-p11

Post by Cino

auto update finally kicked in for snort for me… 2 test boxes, fresh installs of pfsense and snort...

box using snort and et with sensitive data preprocessor enabled: failed to reload, the usual error everyone is seeing
box using snort and et with sensitive data preprocessor disabled: reloaded fine

IMHO, I feel the sensitive preprocessor option should be removed from snort until a working fix can be applied to the package, or a warning that auto updates should be disabled and to run updates manually

Post by caustic386

                              Finally getting back to the original post, I think this is what's causing the issue:

                              kernel: pid 31475 (snort), uid 0, was killed: out of swap space

                              As a test, I disabled updates.  As expected, snort ran fine until I did a manual update.  The error above was what showed up after running the update.  Restarting snort by hand brought success.

                              Is the swap space error helpful?  I do not have a swap partition on my install, as I have significant excess RAM.
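An added example, not code from the thread or from the pfSense Snort package: a small Python checker that scans pfSense system-log text for the two failure signatures reported in this thread (the preproc_rules FATAL ERROR from the sensitive-data rules, and the kernel's out-of-swap kill of the snort pid) and reports each distinct one with the affected interface, so an overnight failure can be classified after the fact instead of scrolling the GUI log viewer. The sample log lines are constructed from the excerpts quoted above; the pid-31475 line is given a made-up timestamp.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the pfSense system-log lines quoted in the thread
# (not a real capture; the OOM line pairs the thread's pid 31475 with a made-up timestamp).
SAMPLE_LOG = """\
Jul 31 12:03:20 snort[32228]: Initializing rule chains...
Jul 31 12:03:20 snort[32228]: FATAL ERROR: /usr/local/etc/snort/snort_13690_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 31 12:03:20 snort[32228]: FATAL ERROR: /usr/local/etc/snort/snort_13690_em0/preproc_rules/sensitive-data.rules(1) Unknown ClassType: sdf
Jul 31 12:03:20 php: : Snort has restarted with your new set of rules...
Jul 31 12:03:20 kernel: em0: promiscuous mode disabled
Aug  1 03:10:05 kernel: pid 31475 (snort), uid 0, was killed: out of swap space
"""

# Snort's rule-load failure: "<file>(<line>) <message>" after FATAL ERROR.
FATAL_RE = re.compile(r"snort\[(\d+)\]: FATAL ERROR: (\S+)\((\d+)\) (.+)$")
# FreeBSD kernel notice when a process is killed for lack of memory/swap.
OOM_RE = re.compile(r"kernel: pid (\d+) \(snort\), uid \d+, was killed: out of swap space")
# The pfSense package names each Snort instance directory snort_<id>_<interface>.
IFACE_RE = re.compile(r"/snort_\d+_([^/]+)/")

@dataclass
class Finding:
    kind: str          # "rule_load_failure" or "oom_kill"
    pid: int
    iface: str         # interface from the instance directory, or "?" if unknown
    detail: str

def scan_snort_log(text: str) -> list:
    """Return one Finding per distinct Snort failure seen in the log text."""
    findings, seen = [], set()
    for line in text.splitlines():
        m = FATAL_RE.search(line)
        if m:
            pid, path, lineno, msg = m.groups()
            key = (pid, path, lineno)
            if key in seen:          # Snort writes the same FATAL ERROR twice; report it once
                continue
            seen.add(key)
            im = IFACE_RE.search(path)
            findings.append(Finding("rule_load_failure", int(pid),
                                    im.group(1) if im else "?", f"{path}:{lineno}: {msg}"))
            continue
        m = OOM_RE.search(line)
        if m:
            findings.append(Finding("oom_kill", int(m.group(1)), "?",
                                    "killed by the kernel: out of swap space"))
    return findings
```

Run `scan_snort_log(open("/var/log/system.log").read())` on a box with a larger log-line limit to see which of the two causes hit overnight; a rule_load_failure points at the preprocessor rule set, an oom_kill at memory pressure during the rule reload.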

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.