Snort not Restarting after update
-
Does anyone else have issues with Snort not restarting after the Rule update process?
ps aux shows no running or crashed processes.
An email notification process would be nice to have?
Router "A"
Apr 1 20:01:31 kernel: pid 8509 (snort), uid 0: exited on signal 11
Apr 1 20:01:30 kernel: pid 8263 (snort), uid 0: exited on signal 11
Apr 1 20:01:29 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
Apr 1 20:01:24 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
Apr 1 20:01:24 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Apr 1 20:01:12 check_reload_status: Reloading filter
Apr 1 20:01:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
Apr 1 20:01:12 check_reload_status: Restarting ipsec tunnels
Apr 1 20:01:12 check_reload_status: updating dyndns WANGW
Apr 1 20:00:18 check_reload_status: Reloading filter
Apr 1 20:00:18 check_reload_status: Syncing firewall
Apr 1 20:00:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…
Router "B"
Apr 1 14:51:48 kernel: MCA: CPU 0 COR ICACHE LG IRD error
Apr 1 14:51:48 kernel: MCA: Vendor "GenuineIntel", ID 0xf43, APIC ID 0
Apr 1 14:51:48 kernel: MCA: Global Cap 0x0000000000180204, Status 0x0000000000000000
Apr 1 14:51:48 kernel: MCA: Bank 2, Status 0x9000000000000153
Apr 1 14:51:48 kernel: MCA: Misc 0x14000298002a0
Apr 1 14:51:48 kernel: MCA: Address 0xae6d80
Apr 1 14:51:48 kernel: MCA: CPU 0 COR OVER GCACHE L1 SNOOP error
Apr 1 14:51:48 kernel: MCA: Vendor "GenuineIntel", ID 0xf43, APIC ID 0
Apr 1 14:51:48 kernel: MCA: Global Cap 0x0000000000180204, Status 0x0000000000000000
Apr 1 14:51:48 kernel: MCA: Bank 0, Status 0xcc00000120040189
Apr 1 14:41:24 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Apr 1 14:41:22 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
Apr 1 14:41:21 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
Apr 1 14:41:09 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
Apr 1 14:41:08 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
Apr 1 14:41:07 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 1 14:40:55 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
Apr 1 14:40:55 kernel: bge0: promiscuous mode disabled
Apr 1 14:40:55 kernel: pid 87199 (snort), uid 0: exited on signal 11
Apr 1 14:40:55 kernel: rl0: promiscuous mode disabled
Apr 1 14:40:55 kernel: pid 57983 (snort), uid 0: exited on signal 11
Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Expected File MD5: e78dad26533484b210a6994ecdccfd70
Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: 5ec97993d2795f31dd481fd556a99ebc
Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file download failed. Bad MD5 checksum…
Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
Apr 1 14:40:46 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
Apr 1 14:40:46 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Apr 1 14:40:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…
Router "C"
Apr 1 15:03:00 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Apr 1 15:02:58 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
Apr 1 15:02:57 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
Apr 1 15:02:52 php: rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Apr 1 15:02:48 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
Apr 1 15:02:47 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
Apr 1 15:02:46 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
Apr 1 15:02:39 php: rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Apr 1 15:02:34 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
Apr 1 15:02:30 kernel: bge1: promiscuous mode disabled
Apr 1 15:02:30 kernel: pid 81441 (snort), uid 0: exited on signal 10
Apr 1 15:02:30 kernel: pid 64065 (snort), uid 0: exited on signal 10
Apr 1 15:02:22 check_reload_status: Reloading filter
Apr 1 15:02:22 check_reload_status: Restarting OpenVPN tunnels/interfaces
Apr 1 15:02:22 check_reload_status: Restarting ipsec tunnels
Apr 1 15:02:22 check_reload_status: updating dyndns WAN_PPPOE
Apr 1 15:02:15 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
Apr 1 15:02:14 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Apr 1 15:01:32 check_reload_status: Reloading filter
Apr 1 15:01:32 check_reload_status: Restarting OpenVPN tunnels/interfaces
Apr 1 15:01:32 check_reload_status: Restarting ipsec tunnels
Apr 1 15:01:32 check_reload_status: updating dyndns WAN_PPPOE
Apr 1 15:01:21 check_reload_status: Reloading filter
Apr 1 15:01:21 check_reload_status: Restarting OpenVPN tunnels/interfaces
Apr 1 15:01:21 check_reload_status: Restarting ipsec tunnels
Apr 1 15:01:21 check_reload_status: updating dyndns WAN_PPPOE
Apr 1 15:00:26 check_reload_status: Reloading filter
Apr 1 15:00:26 check_reload_status: Restarting OpenVPN tunnels/interfaces
Apr 1 15:00:26 check_reload_status: Restarting ipsec tunnels
Apr 1 15:00:26 check_reload_status: updating dyndns WAN_PPPOE
Apr 1 15:00:22 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…
-
@BBcan17:
Does anyone else have issues with Snort not restarting after the Rule update process?
ps aux shows no running or crashed processes.
An email notification process would be nice to have?
I have not seen a problem with my home firewall, but then I probably am not running as many rules (especially ET rules) as you may be. My first guess would be a problem with a new or updated rule that got downloaded. I did see what could be a similar issue a day or so back when testing the new Snort update in my virtual machine army. I did not investigate it any further, and the next time it did not happen.
As for an e-mail when Snort fails to restart after an update, I may be able to get something in place. I will put that on my TODO list of features.
Bill
-
Thanks Bill,
Are there any other logs that I could look at to see where the issue could be? One of those routers is using the Open ET ruleset ("C"), so it's most likely not a recent rule, as the open ruleset is 30 days behind.
-
@BBcan17:
Thanks Bill,
Are there any other logs that I could look at to see where the issue could be? One of those routers is using the Open ET ruleset ("C"), so it's most likely not a recent rule, as the open ruleset is 30 days behind.
Snort logs everything it logs to the system log, so if nothing is there to give a hint, you are out of luck. Snort is not as "helpful" with logging as Suricata. All of that is under control of the binary, so nothing can be done from the GUI package side.
As for those rules, my understanding is the 30-day timer is actually per rule. So some "rule X" in the set may hit 30-days old today and wind up in the ET Open collection while other rules may not. At least that's how I believe it works on the Snort subscriber versus registered-user rules.
Bill
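Since the package side cannot see why Snort died, one substitute for the e-mail notification asked for above is a small checker that correlates the kernel's "exited on signal" lines with the rule updater's own messages and confirms from `ps aux` that instances are actually running. This is an added example, not code from the pfSense Snort package or from either poster; the syslog and `ps aux` samples are constructed to match the formats quoted in the thread, and the 5-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
# Message formats taken from the syslog excerpts quoted in the thread.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?): (.*)$")
CRASH_RE = re.compile(r"pid (\d+) \(snort\), uid \d+: exited on signal (\d+)")
UPDATER = "snort_check_for_rule_updates.php: [Snort] "
# Constructed samples: a syslog excerpt (newest first, as pfSense shows it) and a `ps aux` listing.
SAMPLE_LOG = """\
Apr 1 20:01:31 kernel: pid 8509 (snort), uid 0: exited on signal 11
Apr 1 20:01:30 kernel: pid 8263 (snort), uid 0: exited on signal 11
Apr 1 20:01:29 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
Apr 1 20:01:29 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file download failed. Bad MD5 checksum...
Apr 1 03:12:00 kernel: pid 4242 (snort), uid 0: exited on signal 11
"""
SAMPLE_PS = """\
USER   PID %CPU %MEM    VSZ    RSS TT STAT STARTED    TIME COMMAND
root 81441  0.3  5.1 412000 201000  - Ss   Tue08PM 1:02.10 /usr/local/bin/snort -R 12345 -D -q -i bge1
root 90210  0.0  0.1  21000   3000  0 S+   08:01PM 0:00.01 grep snort
"""

def parse(line, year=2000):
    """(timestamp, source, message) for one syslog line, else None; syslog omits the year, so a leap year is assumed."""
    m = LINE_RE.match(line.strip())
    return m and (datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), m.group(3))

def check_rule_update(log_text, window=timedelta(minutes=5)):
    """List every snort exit-on-signal, flag those within `window` of a rule-updater
    message (the pattern in the thread), and name rule sets whose MD5 check failed."""
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    updater_times = [ts for ts, _, msg in events if msg.startswith(UPDATER)]
    report = {"crashes": [], "bad_md5": []}
    for ts, src, msg in events:
        m = CRASH_RE.search(msg)
        if src == "kernel" and m:
            near = any(abs(ts - u) <= window for u in updater_times)
            report["crashes"].append({"time": ts, "pid": int(m.group(1)),
                                      "signal": int(m.group(2)), "during_update": near})
        elif "Bad MD5 checksum" in msg:
            report["bad_md5"].append(msg.partition(UPDATER)[2].partition(" rules file")[0])
    return report

def snort_instances(ps_aux_text):
    """PIDs of running snort processes in `ps aux` output (the manual check in the thread)."""
    pids = []
    for line in ps_aux_text.splitlines()[1:]:   # skip the header row
        cols = line.split(None, 10)             # COMMAND is the 11th column and may contain spaces
        if len(cols) == 11 and re.search(r"(^|/)snort( |$)", cols[10]):
            pids.append(int(cols[1]))
    return pids
```

Run it from cron a minute or two after the scheduled update: an empty `snort_instances()` result, or any crash with `during_update` set, is the condition to alert on.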