New Snort pkg 2.5.5 – Read Before you Update to Understand Changed Defaults
-
OK. Let me know if the time delay helps out any. The restart of Snort has been a sore spot for quite a while even before I started modifying the code a bit. I know Ermal tried a few different tricks about this time last year when he was making some significant updates to the Snort code.
It seems quite sensitive to the number of active rules users have. At least I've noticed that on my test virtual machines. The more rules, the longer the startup time for sure. I think that may be playing into the "randomness" of this issue among users. By that I mean it impacts some, but not others. Several things could be at play here. Number of active rules, capability (speed) of the underlying hardware, etc.
Bill
-
Bill,
The auto update ran this morning at 12am and the same thing happened and Snort did not restart properly. I went and started it manually and it started up just fine. I pasted the logs again just in case you wanted to check 'em out.
SYS log
Apr 18 00:06:08 php: : The Rules update has finished.
Apr 18 00:06:04 php: : Building new sig-msg.map file for WAN…
Apr 18 00:05:52 php: : Resolving and auto-enabling any flowbit-required rules for WAN...
Apr 18 00:05:48 kernel: em2: promiscuous mode disabled
Apr 18 00:05:48 kernel: pid 44849 (snort), uid 0: exited on signal 4
Apr 18 00:05:48 php: : Updating rules configuration for: WAN ...
Apr 18 00:05:41 php: : EmergingThreats rules file update downloaded succsesfully
Apr 18 00:05:39 php: : There is a new set of EmergingThreats rules posted. Downloading...
Apr 18 00:05:39 php: : Snort Rules Attempts: 1
Apr 18 00:04:48 php: : There is a new set of Snort VRT rules posted. Downloading...
Apr 18 00:04:48 php: : Snort MD5 Attempts: 2
update log
Starting rules update… Time: 2013-04-18 00:03:01
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted. Downloading...
Done downloading rules file.
Downloading EmergingThreats md5 file...
Checking EmergingThreats md5.
There is a new set of EmergingThreats rules posted. Downloading...
Done downloading EmergingThreats rules file.
Extracting and installing EmergingThreats.org rules...
Installation of EmergingThreats.org rules completed.
Extracting and installing Snort VRT rules...
Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
Installation of Snort VRT rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
The Rules update has finished. Time: 2013-04-18 00:06:08
This is what the log looks like when I toggle manually. I never see the promiscuous mode enabled line when it attempts the auto update and then restarts.
Apr 18 04:58:22 kernel: em2: promiscuous mode enabled
Apr 18 04:58:22 php: /snort/snort_interfaces.php: Interface Rule START for Wan(em2)...
Apr 18 04:57:47 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Wan)...
-
> Bill,
> The auto update ran this morning at 12am and the same thing happened and Snort did not restart properly. I went and started it manually and it started up just fine. I pasted the logs again just in case you wanted to check 'em out.
OK. I discovered a clue in another user's post on the Snort 2.5.5 Issues Thread about the possible cause of this. I'm researching to be sure about the cause, then can issue a fix.
Bill
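
The symptom in the logs posted above (Snort exits during the rules update and the "promiscuous mode enabled" line never follows) can be checked mechanically. This is an added example, not part of the original posts or of the pfSense Snort package; the function names and state labels are assumptions, and the sample lines are taken from the posted logs and reordered oldest first.

```shell
#!/bin/sh
# Added example, not part of the pfSense Snort package.
# Reads system log lines on stdin, OLDEST FIRST (the excerpt in the post
# is listed newest first), and prints the sensor state for one interface:
#   running | down | down-after-update | unknown
snort_state() {
    awk -v ifc="$1" '
        # Snort process exited on a signal.
        /kernel: pid [0-9]+ \(snort\).*exited on signal/ { state = "down"; upd = 0 }
        # NIC left promiscuous mode: nothing is sniffing the interface.
        $0 ~ ("kernel: " ifc ": promiscuous mode disabled") { state = "down"; upd = 0 }
        # NIC entered promiscuous mode: Snort is capturing again.
        $0 ~ ("kernel: " ifc ": promiscuous mode enabled") { state = "running"; upd = 0 }
        # The update completed while the sensor was still down.
        /The Rules update has finished/ { if (state == "down") upd = 1 }
        END {
            if (state == "") print "unknown"
            else if (state == "down" && upd) print "down-after-update"
            else print state
        }
    '
}

# Lines taken from the logs posted above, reordered oldest first.
sample_failed_update() {
    cat <<'EOF'
Apr 18 00:05:48 php: : Updating rules configuration for: WAN ...
Apr 18 00:05:48 kernel: pid 44849 (snort), uid 0: exited on signal 4
Apr 18 00:05:48 kernel: em2: promiscuous mode disabled
Apr 18 00:06:08 php: : The Rules update has finished.
EOF
}

sample_manual_start() {
    cat <<'EOF'
Apr 18 04:57:47 php: /snort/snort_interfaces.php: Toggle(snort starting) for WAN(Wan)...
Apr 18 04:58:22 kernel: em2: promiscuous mode enabled
EOF
}

# Demo: the failed overnight update, then the same log after the manual start.
sample_failed_update | snort_state em2
{ sample_failed_update; sample_manual_start; } | snort_state em2
```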
-
Bill, for what it's worth, this problem also happens with the manual rules update. I disabled auto update so it wouldn't run last night. Then I manually did the rules update this morning and the same behavior happened.
-
Good catch! I posted some logs from last night regarding the soft start issue in Snort. Both FWs killed Snort after the update even though one of them had the fix from Bill.
-
> Bill, for what it's worth, this problem also happens with the manual rules update. I disabled auto update so it wouldn't run last night. Then I manually did the rules update this morning and the same behavior happened.
Did you have the change in the snort.sh file that removed the call to rc_stop() in the restart section of the file? The restart of Snort is called from within the GUI code that does the rules update, and it will call the restart script if the update is done manually or automatically.
Ermal reminded me of something else when I consulted him on this. A SOFT START of Snort will fail when a rule update contains updates to SO (Shared Objects) rules. That is one set of changes Snort cannot "refresh" without shutting down and restarting.
Bill
-
> > Bill, for what it's worth, this problem also happens with the manual rules update. I disabled auto update so it wouldn't run last night. Then I manually did the rules update this morning and the same behavior happened.
> Did you have the change in the snort.sh file that removed the call to rc_stop() in the restart section of the file? The restart of Snort is called from within the GUI code that does the rules update, and it will call the restart script if the update is done manually or automatically.
> Ermal reminded me of something else when I consulted him on this. A SOFT START of Snort will fail when a rule update contains updates to SO (Shared Objects) rules. That is one set of changes Snort cannot "refresh" without shutting down and restarting.
> Bill
The only thing I have done is edit the sleep as you requested. I didn't see anything mentioned about removing the rc_stop... Did I miss that in a post?
Yeah, I know about the failed starts every now and then with the SO rules. Even prior to updating it would fail every once in a while and it was due to that. Not often, but it would happen.
So what exactly do I need to remove and I will give that a shot? Is this being discussed in another thread too?
-
> So what exactly do I need to remove and I will give that a shot? Is this being discussed in another thread too?
It's from this post: http://forum.pfsense.org/index.php/topic,60994.msg330447.html#msg330447
That version of an interim fix may still get tripped up with the SO rules update issue. That one is just endemic to Snort. Snort is supposed to restart itself under those circumstances, though.
I am working on a permanent fix based on what I currently think is happening. Plan on revamping how the shell script works for these restarts (especially the stops). More feedback from folks having the problem is always welcome!
Bill
-
> > So what exactly do I need to remove and I will give that a shot? Is this being discussed in another thread too?
> It's from this post: http://forum.pfsense.org/index.php/topic,60994.msg330447.html#msg330447
> That version of an interim fix may still get tripped up with the SO rules update issue. That one is just endemic to Snort. Snort is supposed to restart itself under those circumstances, though.
> I am working on a permanent fix based on what I currently think is happening. Plan on revamping how the shell script works for these restarts (especially the stops). More feedback from folks having the problem is always welcome!
> Bill
Ahh... let me make those changes and I will see if that fixes it. Well, as much as it can. Thanks.
-
Bill,
I am going to keep my replies going forward in the topic you linked so everything is together. As you can see in that post there I am having to redo the tests for you.