Snort 2.9.2.3 pkg v. 2.5.4 killed by World of Tanks

Supermule

I see this when streaming via VPN pn PFsense…

Snort suddenly stops without reason

php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
Mar 17 21:26:14 SnortStartup[24393]: Snort STOP For Internet(36256_em0)…

bmeeks

A load-based bug is going to perhaps be difficult to find.  Are you up to building a separate FreeBSD 8.1 virtual machine (or actual box) and run the traffic through it in just pure sniffing mode?  Take pfSense out of the mix and maybe just do alerting on a clean FreeBSD 8.1 kernel.  If that crashes, then try the 8.2 kernel.  Other options are the Snort 2.9.4.1 binary on the 8.1 or 8.2 kernels.  There are compilation instructions for Snort on FreeBSD posted on the Snort.org web site (in the documentation section).

Bill

Fesoj

Yes, exactly. Get the "independent" sniffing mode working and then see what can be done for pfSense.

eri--

I updated the binary to snort 2.4.9.1 so try with that.

Fesoj

I'll wait a couple of hours such that the repository is udpated && then I'll update.

dwood

Not sure if this is a snort binary update timing issue or not.  The package installation fails on amd64, 2.0.2 This from the install packages window

Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.68.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.68.tbz.
of mysql-client-5.1.68 failed!

Installation aborted.Backing up libraries..

eri--

Heh that was fast.
The binaries are being built they will be uploaded shortly.

grandrivers

having some rules issues

snort[67221]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

darklogic

@dwood:

Not sure if this is a snort binary update timing issue or not.  The package installation fails on amd64, 2.0.2 This from the install packages window

Beginning package installation for snort…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.68.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.68.tbz.
of mysql-client-5.1.68 failed!

Installation aborted.Backing up libraries..

I am still having the same exact issue with installing/upgrading SNORT.

rt_rex

Don't know if its on propose I looked and the path  http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/ is missing

In this path http://files.pfsense.org/packages/8/All/mysql-client-5.1.68.tbz the file is missing.

Fesoj

I update my snort package to 2.9.4.1 pkg v. 2.5.4.

It is now running fine for 2 days and hasn't crashed a single time. I am using a limited set of ET rules only, so I don't have the problems related to so rules.