Netgate Discussion Forum
    2.0.3 Release and SNORT/update

    pfSense Packages
    17 Posts 5 Posters 4.9k Views
    • bmeeks

      Is Snort the only package on this box, or are other packages installed?  I'm asking because the upgrade process for pfSense will kick off its own routine for reinstalling all packages on an upgrade, and those run for sometimes quite a while.

      Bill

      • DigitalDeviant

        Also having similar issues with Snort VRT rules updates. This has happened 3 times I've noticed. It does not happen with ET rules. I'm running the paid Snort rules and ET, no GPL Snort rules since those should be in my paid rules. I'm running on 2.0.3-RELEASE (amd64) with a pretty typical single wan and single lan set-up. I also have the following packages:

        arping
        Cron
        Dashboard Widget: Snort
        iperf
        nmap
        OpenVPN Client Export Utility
        pfBlocker
        pfflowd
        snort
        Unbound
        Zabbix-2 Agent

        Here is the log:
        Apr 16 12:05:33 php: : Snort MD5 Attempts: 2
        Apr 16 12:05:33 php: : There is a new set of Snort VRT rules posted. Downloading…
        Apr 16 12:05:57 php: : Snort Rules Attempts: 1
        Apr 16 12:05:58 php: : Emerging Threat rules are up to date...
        Apr 16 12:06:05 php: : Updating rules configuration for: WAN ...
        Apr 16 12:06:07 php: : Resolving and auto-enabling any flowbit-required rules for WAN...
        Apr 16 12:06:14 php: : Building new sig-msg.map file for WAN...
        Apr 16 12:06:16 SnortStartup[59944]: Snort STOP For Default IPS(30033_em1)…
        Apr 16 12:06:17 snort[10971]: *** Caught Term-Signal
        Apr 16 12:06:17 snort[10971]: *** Caught Term-Signal
        Apr 16 12:06:17 kernel: em1: promiscuous mode disabled
        Apr 16 12:06:17 snort[10971]: Could not remove pid file /var/run/snort_em130033.pid: No such file or directory
        Apr 16 12:06:17 snort[10971]: Could not remove pid file /var/run/snort_em130033.pid: No such file or directory
        Apr 16 12:06:18 SnortStartup[62959]: Snort SOFT START For Default IPS(30033_em1)…
        Apr 16 12:06:18 kernel: pid 10971 (snort), uid 0: exited on signal 4
        Apr 16 12:06:20 php: : Snort has restarted with your new set of rules...
        Apr 16 12:06:20 php: : The Rules update has finished.

        • Supermule

          Only package. :)

          @bmeeks:

          Is Snort the only package on this box, or are other packages installed?  I'm asking because the upgrade process for pfSense will kick off its own routine for reinstalling all packages on an upgrade, and those run for sometimes quite a while.

          Bill

          • bmeeks

            @DigitalDeviant:

            Also having similar issues with Snort VRT rules updates. This has happened 3 times I've noticed. It does not happen with ET rules. I'm running the paid Snort rules and ET, no GPL Snort rules since those should be in my paid rules. I'm running on 2.0.3-RELEASE (amd64) with a pretty typical single wan and single lan set-up.
            Here is the log:
            Apr 16 12:05:33 php: : Snort MD5 Attempts: 2
            Apr 16 12:05:33 php: : There is a new set of Snort VRT rules posted. Downloading…
            Apr 16 12:05:57 php: : Snort Rules Attempts: 1
            Apr 16 12:05:58 php: : Emerging Threat rules are up to date...
            Apr 16 12:06:05 php: : Updating rules configuration for: WAN ...
            Apr 16 12:06:07 php: : Resolving and auto-enabling any flowbit-required rules for WAN...
            Apr 16 12:06:14 php: : Building new sig-msg.map file for WAN...
            Apr 16 12:06:16 SnortStartup[59944]: Snort STOP For Default IPS(30033_em1)…
            Apr 16 12:06:17 snort[10971]: *** Caught Term-Signal
            Apr 16 12:06:17 snort[10971]: *** Caught Term-Signal
            Apr 16 12:06:17 kernel: em1: promiscuous mode disabled
            Apr 16 12:06:17 snort[10971]: Could not remove pid file /var/run/snort_em130033.pid: No such file or directory
            Apr 16 12:06:17 snort[10971]: Could not remove pid file /var/run/snort_em130033.pid: No such file or directory
            Apr 16 12:06:18 SnortStartup[62959]: Snort SOFT START For Default IPS(30033_em1)…
            Apr 16 12:06:18 kernel: pid 10971 (snort), uid 0: exited on signal 4
            Apr 16 12:06:20 php: : Snort has restarted with your new set of rules...
            Apr 16 12:06:20 php: : The Rules update has finished.

            There is nothing really unusual in that series of log entries that I see.  The process works like this:

            1.  Attempt to download the MD5 hash file for a rule set (in this case, Snort VRT).
            2.  The code will retry the download up to 5 times before giving up.  In this case, it took 2 tries to get the file.
            3.  If the rules have changed (MD5 mismatch), it downloads the new rules.
            4.  It unpacks and installs the rules (Snort VRT in this instance).
            5.  It then restarts Snort on all interfaces.

            So dissecting this from the log entries you posted, here is how the entries map out for the Snort restart –

            Send the STOP command to the Snort process ...

            Apr 16 12:06:16 SnortStartup[59944]: Snort STOP For Default IPS(30033_em1)...

            The Snort process acknowledges receipt of the STOP command …

            Apr 16 12:06:17 snort[10971]: *** Caught Term-Signal

            Note – ignore the double entry, that's a quirk of syslog on pfSense

            Just to be double-sure the PID file is cleared so it won't interfere with subsequent starts, the code deletes the file.
            This causes the pkill command to complain that it could not delete the file, too.  The error is harmless.

            Apr 16 12:06:17 snort[10971]: Could not remove pid file /var/run/snort_em130033.pid: No such file or directory

            Now start Snort back up again …

            Apr 16 12:06:18 SnortStartup[62959]: Snort SOFT START For Default IPS(30033_em1)...

            So, this looks like a normal rules update and restart of Snort.  Did you find that Snort was not actually restarting, or what exactly is the rule update issue you are having?

            Bill

            • bmeeks

              @Supermule:

              Get this when uninstalling…

              kipping package deletion for mysql-client-5.5.30 because it is a dependency.
              Starting package deletion for barnyard2-1.12...done.
              Starting package deletion for mysql-client-5.5...done.
              Skipping package deletion for libnet11-1.1.6,1 because it is a dependency.
              Skipping package deletion for libdnet-1.11_3 because it is a dependency.
              Skipping package deletion for libpcap-1.3.0 because it is a dependency.
              Skipping package deletion for daq-2.0.0 because it is a dependency.
              Starting package deletion for snort-2.9.4.1...done.
              Starting package deletion for libnet11-1.1.2...done.
              Starting package deletion for daq-2.0...done.
              Removing snort components...
              Menu items... done.
              Services... done.
              Loading package instructions...
              Deinstall commands...

              These are harmless errors and can be safely ignored.

              Bill

              • bmeeks

                @Supermule:

                Only package. :)

                I did some more research in the pfSense package install process, and I don't think there is really anything wrong with your sequence of events.  The package reinstall routines that are part of pfSense itself go through and collect up all the rc.d startup scripts for all the installed packages and cycle through them one by one, issuing the "restart" command to the packages.

                For the Snort package, restart means issue a "STOP", wait 2 seconds (I believe that's the interval), and then issue the START command.

                Bill

                • DigitalDeviant

                  @bmeeks:

                  So, this looks like a normal rules update and restart of Snort.  Did you find that Snort was not actually restarting, or what exactly is the rule update issue you are having?

                  Bill

                  Snort is not restarting. I figured it had something to do with:

                  Apr 16 12:06:18    kernel: pid 10971 (snort), uid 0: exited on signal 4

                  • IceCub

                    I had the same problem today. I had to uninstall Bandwidthd + Snort, reboot the system and reinstall them again. Apparently those two packages shared some libraries.

                    • bmeeks

                      @DigitalDeviant:

                      Snort is not restarting. I figured it had something to do with:

                      Apr 16 12:06:18    kernel: pid 10971 (snort), uid 0: exited on signal 4

                      Oops!  Forgive me … I did not notice that line.  Yes it does mean Snort choked on something.  I'm doing a bit of Google research to see what I find.

                      Bill

                      • bmeeks

                        @IceCub:

                        I had the same problem today. I had to uninstall Bandwidthd + Snort, reboot the system and reinstall them again. Apparently those two packages shared some libraries.

                        Good catch.  Either they share, or one installs a different version that chokes the other.  An old version of "Windows DLL Hell", so to speak.  When you reinstalled, what order did you do that?  Did you reinstall Snort first or last?

                        Bill

                        • bmeeks

                          @DigitalDeviant:

                          Snort is not restarting. I figured it had something to do with:

                          Apr 16 12:06:18    kernel: pid 10971 (snort), uid 0: exited on signal 4

                          OK, had to do a quick reload of my memory for UNIX signals.  Signal 4 seems to mean SIGILL which translates into "Illegal Instruction".

                          There are two common ways to get this.  One is to have the wrong architecture code, and the other is some really bad corruption of a program.  I did find several references to early C++ compilers on FreeBSD producing faulty code when attempting to optimize for Pentium 4 (P4) CPUs, but I hardly think that applies here.  I'm more inclined to think some really incompatible library got sucked in, or the Snort binary or a library it uses got corrupted during installation.

                          At this point I recommend removing Snort using the "X" icon on the Installed Packages tab, and then reinstalling from the Available Packages tab.

                          Bill

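As an added example (not code from this thread or from the pfSense Snort package), the following Python check applies Bill's mapping of the restart log lines and his reading of signal 4 as SIGILL: it correlates the STOP / Caught Term-Signal / SOFT START entries per Snort interface and flags any Snort process the kernel reports as exiting on a crash signal rather than the expected SIGTERM. The sample log is the thread's own excerpt; the signal table uses FreeBSD's numbering, which is what pfSense runs on. Note that the PHP line "Snort has restarted with your new set of rules" appears even though the process died, so the kernel line is the one to alert on.

```python
import re

# Added example, not the pfSense Snort package's own code. FreeBSD signal numbers;
# the thread's "exited on signal 4" is SIGILL (illegal instruction).
SIGNAL_NAMES = {1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 4: "SIGILL", 6: "SIGABRT",
                8: "SIGFPE", 9: "SIGKILL", 10: "SIGBUS", 11: "SIGSEGV", 15: "SIGTERM"}
CLEAN_EXIT = {"SIGHUP", "SIGINT", "SIGTERM"}   # what a STOP is expected to produce

RE_STOP = re.compile(r"SnortStartup\[\d+\]: Snort STOP For .*\((?P<iface>[^)]+)\)")
RE_START = re.compile(r"SnortStartup\[\d+\]: Snort SOFT START For .*\((?P<iface>[^)]+)\)")
RE_TERM = re.compile(r"snort\[(?P<pid>\d+)\]: \*\*\* Caught Term-Signal")
RE_EXIT = re.compile(r"kernel: pid (?P<pid>\d+) \(snort\), uid \d+: exited on signal (?P<sig>\d+)")

def analyze_snort_restart(lines):
    """Return (restarts, crashes). restarts maps interface id -> set of steps seen
    ({'stop', 'start'}); crashes lists Snort processes that died on a non-shutdown signal."""
    restarts, crashes, pid_iface, last_stop = {}, [], {}, None
    for line in lines:
        timestamp = line[:15]                      # "Apr 16 12:06:18"
        if m := RE_STOP.search(line):
            last_stop = m["iface"]
            restarts.setdefault(last_stop, set()).add("stop")
        elif m := RE_TERM.search(line):
            if last_stop:                          # the pid acknowledging the STOP
                pid_iface[m["pid"]] = last_stop    # belongs to the interface just stopped
        elif m := RE_START.search(line):
            restarts.setdefault(m["iface"], set()).add("start")
        elif m := RE_EXIT.search(line):
            name = SIGNAL_NAMES.get(int(m["sig"]), f"signal {m['sig']}")
            if name not in CLEAN_EXIT:             # SIGTERM after a STOP is normal
                crashes.append({"time": timestamp, "pid": m["pid"], "signal": name,
                                "iface": pid_iface.get(m["pid"], "unknown")})
    return restarts, crashes

# Sample input taken from the log excerpt posted in the thread.
SAMPLE_LOG = """\
Apr 16 12:06:16 SnortStartup[59944]: Snort STOP For Default IPS(30033_em1)...
Apr 16 12:06:17 snort[10971]: *** Caught Term-Signal
Apr 16 12:06:17 snort[10971]: *** Caught Term-Signal
Apr 16 12:06:17 kernel: em1: promiscuous mode disabled
Apr 16 12:06:17 snort[10971]: Could not remove pid file /var/run/snort_em130033.pid: No such file or directory
Apr 16 12:06:18 SnortStartup[62959]: Snort SOFT START For Default IPS(30033_em1)...
Apr 16 12:06:18 kernel: pid 10971 (snort), uid 0: exited on signal 4
Apr 16 12:06:20 php: : Snort has restarted with your new set of rules...
""".splitlines()

if __name__ == "__main__":
    restarts, crashes = analyze_snort_restart(SAMPLE_LOG)
    for iface, steps in restarts.items():
        print(f"{iface}: restart steps seen = {sorted(steps)}")
    for c in crashes:
        print(f"{c['time']} pid {c['pid']} ({c['iface']}) died on {c['signal']}: not a clean stop")
```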
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.