Netgate Discussion Forum

Snort not Restarting after update

pfSense Packages
BBcan177 (Moderator):

      Does anyone else have issues with Snort not restarting after the Rule update process?

      ps aux shows no running or crashed processes.

      An email notification process would be nice to have?

      Router "A"

      Apr 1 20:01:31 kernel: pid 8509 (snort), uid 0: exited on signal 11
      Apr 1 20:01:30 kernel: pid 8263 (snort), uid 0: exited on signal 11

      Apr 1 20:01:29 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
      Apr 1 20:01:24 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
      Apr 1 20:01:24 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      Apr 1 20:01:12 check_reload_status: Reloading filter
      Apr 1 20:01:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Apr 1 20:01:12 check_reload_status: Restarting ipsec tunnels
      Apr 1 20:01:12 check_reload_status: updating dyndns WANGW
      Apr 1 20:00:18 check_reload_status: Reloading filter
      Apr 1 20:00:18 check_reload_status: Syncing firewall
      Apr 1 20:00:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…

      Router "B"

      Apr 1 14:51:48 kernel: MCA: CPU 0 COR ICACHE LG IRD error
      Apr 1 14:51:48 kernel: MCA: Vendor "GenuineIntel", ID 0xf43, APIC ID 0
      Apr 1 14:51:48 kernel: MCA: Global Cap 0x0000000000180204, Status 0x0000000000000000
      Apr 1 14:51:48 kernel: MCA: Bank 2, Status 0x9000000000000153
      Apr 1 14:51:48 kernel: MCA: Misc 0x14000298002a0
      Apr 1 14:51:48 kernel: MCA: Address 0xae6d80
      Apr 1 14:51:48 kernel: MCA: CPU 0 COR OVER GCACHE L1 SNOOP error
      Apr 1 14:51:48 kernel: MCA: Vendor "GenuineIntel", ID 0xf43, APIC ID 0
      Apr 1 14:51:48 kernel: MCA: Global Cap 0x0000000000180204, Status 0x0000000000000000
      Apr 1 14:51:48 kernel: MCA: Bank 0, Status 0xcc00000120040189
      Apr 1 14:41:24 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      Apr 1 14:41:22 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
      Apr 1 14:41:21 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
      Apr 1 14:41:09 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
      Apr 1 14:41:08 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
      Apr 1 14:41:07 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Apr 1 14:40:55 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
      Apr 1 14:40:55 kernel: bge0: promiscuous mode disabled
      Apr 1 14:40:55 kernel: pid 87199 (snort), uid 0: exited on signal 11
      Apr 1 14:40:55 kernel: rl0: promiscuous mode disabled
      Apr 1 14:40:55 kernel: pid 57983 (snort), uid 0: exited on signal 11

      Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Expected File MD5: e78dad26533484b210a6994ecdccfd70
      Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: 5ec97993d2795f31dd481fd556a99ebc
      Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file download failed. Bad MD5 checksum…
      Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file update downloaded successfully
      Apr 1 14:40:46 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Pro rules posted. Downloading etpro.rules.tar.gz…
      Apr 1 14:40:46 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      Apr 1 14:40:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…

      Router "C"

      Apr 1 15:03:00 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      Apr 1 15:02:58 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for LAN…
      Apr 1 15:02:57 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
      Apr 1 15:02:52 php: rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
      Apr 1 15:02:48 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
      Apr 1 15:02:47 php: snort_check_for_rule_updates.php: [Snort] Building new sig-msg.map file for WAN…
      Apr 1 15:02:46 php: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Apr 1 15:02:39 php: rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
      Apr 1 15:02:34 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
      Apr 1 15:02:30 kernel: bge1: promiscuous mode disabled
      Apr 1 15:02:30 kernel: pid 81441 (snort), uid 0: exited on signal 10
      Apr 1 15:02:30 kernel: pid 64065 (snort), uid 0: exited on signal 10

      Apr 1 15:02:22 check_reload_status: Reloading filter
      Apr 1 15:02:22 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Apr 1 15:02:22 check_reload_status: Restarting ipsec tunnels
      Apr 1 15:02:22 check_reload_status: updating dyndns WAN_PPPOE
      Apr 1 15:02:15 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
      Apr 1 15:02:14 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      Apr 1 15:01:32 check_reload_status: Reloading filter
      Apr 1 15:01:32 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Apr 1 15:01:32 check_reload_status: Restarting ipsec tunnels
      Apr 1 15:01:32 check_reload_status: updating dyndns WAN_PPPOE
      Apr 1 15:01:21 check_reload_status: Reloading filter
      Apr 1 15:01:21 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Apr 1 15:01:21 check_reload_status: Restarting ipsec tunnels
      Apr 1 15:01:21 check_reload_status: updating dyndns WAN_PPPOE
      Apr 1 15:00:26 check_reload_status: Reloading filter
      Apr 1 15:00:26 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Apr 1 15:00:26 check_reload_status: Restarting ipsec tunnels
      Apr 1 15:00:26 check_reload_status: updating dyndns WAN_PPPOE
      Apr 1 15:00:22 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz…

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

bmeeks:

        @BBcan17:

        Does anyone else have issues with Snort not restarting after the Rule update process?

        I have not seen a problem with my home firewall, but then I probably am not running as many rules (especially ET rules) as you may be.  My first guess would be a problem with a new or updated rule that got downloaded.  I did see what could be a similar issue a day or so back when testing the new Snort update in my virtual machine army.  I did not investigate it any further, and the next time it did not happen.

        As for an e-mail when Snort fails to restart after an update, I may be able to get something in place.  I will put that on my TODO list of features.

        Bill
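The logs in this thread carry the two signals that matter for the question: a kernel line when a snort process exits on a signal, and the package's MD5 messages for a rules download. The following is an added example (not code from the Snort package or from either poster) that parses pfSense system-log lines in that format, sorts them into time order (the GUI log viewer shows newest first), and reports whether Snort died inside the rule-update window, which is the check an e-mail notification would need. The sample lines are the Router "B" entries from the first post; the signal-name table is FreeBSD's, since pfSense runs on FreeBSD.

```python
"""Scan pfSense system-log lines for Snort crashes around a rule update.

Added example, not code from the pfSense Snort package. It only handles the
message formats visible in the thread's logs:
  - snort_check_for_rule_updates.php start / finish / MD5 messages
  - kernel "pid N (snort), uid 0: exited on signal S" lines
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Syslog line: "Apr 1 14:40:55 kernel: pid 87199 (snort), uid 0: exited on signal 11"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+?):\s+(.*)$")
CRASH_RE = re.compile(r"pid (\d+) \(snort\), uid \d+: exited on signal (\d+)")
MD5_RE = re.compile(r"\[Snort\] (Expected|Downloaded) File MD5: ([0-9a-f]{32})")
UPDATE_START = "There is a new set of"
UPDATE_DONE = "The Rules update has finished."

# FreeBSD signal numbers (pfSense is FreeBSD based). Linux numbers 10 differently
# (SIGUSR1), so do not reuse this table for Linux logs.
FREEBSD_SIGNALS = {6: "SIGABRT", 10: "SIGBUS", 11: "SIGSEGV"}

# Router "B" lines copied from the thread, in the newest-first order the GUI shows.
SAMPLE_LOG = """\
Apr 1 14:41:24 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Apr 1 14:40:55 kernel: bge0: promiscuous mode disabled
Apr 1 14:40:55 kernel: pid 87199 (snort), uid 0: exited on signal 11
Apr 1 14:40:55 kernel: rl0: promiscuous mode disabled
Apr 1 14:40:55 kernel: pid 57983 (snort), uid 0: exited on signal 11
Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Expected File MD5: e78dad26533484b210a6994ecdccfd70
Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Downloaded File MD5: 5ec97993d2795f31dd481fd556a99ebc
Apr 1 14:40:50 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Pro rules file download failed. Bad MD5 checksum...
Apr 1 14:40:46 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Apr 1 14:40:02 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2956.tar.gz...
"""


def signal_name(num: int) -> str:
    return FREEBSD_SIGNALS.get(num, f"SIG#{num}")


@dataclass
class Event:
    ts: datetime
    source: str
    msg: str


@dataclass
class Report:
    update_started: Optional[datetime] = None
    update_finished: Optional[datetime] = None
    crashes: List[dict] = field(default_factory=list)
    checksum_mismatches: List[dict] = field(default_factory=list)

    def crashed_during_update(self) -> bool:
        """True if any snort exit-on-signal falls inside the update window."""
        if self.update_started is None:
            return False
        end = self.update_finished or datetime.max
        return any(self.update_started <= c["ts"] <= end for c in self.crashes)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; ordering within one day is all we need.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
    return Event(ts, m.group(2), m.group(3))


def analyze(log_text: str) -> Report:
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e.ts)  # stable: equal timestamps keep file order
    rep = Report()
    expected: Optional[str] = None
    downloaded: Optional[str] = None
    for ev in events:
        if ev.source == "php":
            if UPDATE_START in ev.msg and rep.update_started is None:
                rep.update_started = ev.ts
            elif UPDATE_DONE in ev.msg:
                rep.update_finished = ev.ts
            m = MD5_RE.search(ev.msg)
            if m:
                if m.group(1) == "Expected":
                    expected = m.group(2)
                else:
                    downloaded = m.group(2)
                if expected and downloaded:  # pair complete, compare once
                    if expected != downloaded:
                        rep.checksum_mismatches.append(
                            {"ts": ev.ts, "expected": expected, "downloaded": downloaded})
                    expected = downloaded = None
        elif ev.source == "kernel":
            m = CRASH_RE.search(ev.msg)
            if m:
                rep.crashes.append({"ts": ev.ts, "pid": int(m.group(1)),
                                    "signal": int(m.group(2))})
    return rep


def build_notification(rep: Report) -> str:
    """Text body for an alert e-mail; empty string when there is nothing to say."""
    lines = []
    for mm in rep.checksum_mismatches:
        lines.append(f"rules download failed MD5 check at {mm['ts']:%b %d %H:%M:%S}: "
                     f"expected {mm['expected']}, got {mm['downloaded']}")
    for c in rep.crashes:
        lines.append(f"snort pid {c['pid']} exited on signal {c['signal']} "
                     f"({signal_name(c['signal'])}) at {c['ts']:%b %d %H:%M:%S}")
    if rep.update_started and rep.update_finished is None:
        lines.append("rule update started but never logged completion")
    if rep.crashed_during_update():
        lines.append("snort exited inside the rule-update window; confirm it restarted")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_notification(analyze(SAMPLE_LOG)))
```

Run it against the output of `clog /var/log/system.log` on the firewall (or any saved copy of the log) instead of `SAMPLE_LOG`; a non-empty result is the condition under which the notification Bill mentions would be sent. Note that the script reports what the log shows, not why Snort segfaulted; that still needs the investigation discussed in the thread.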

BBcan177 (Moderator):

          Thanks Bill,

Are there any other logs that I could look at to see where the issue could be? One of those routers is using the Open ET ruleset ("C") so it's most likely not a recent rule, as the open ruleset is 30 days behind.

bmeeks:

            @BBcan17:

            Thanks Bill,

Are there any other logs that I could look at to see where the issue could be? One of those routers is using the Open ET ruleset ("C") so it's most likely not a recent rule, as the open ruleset is 30 days behind.

            Snort logs everything it logs to the system log, so if nothing is there to give a hint, you are out of luck.  Snort is not as "helpful" with logging as Suricata.  All of that is under control of the binary, so nothing can be done from the GUI package side.

            As for those rules, my understanding is the 30-day timer is actually per rule.  So some "rule X" in the set may hit 30-days old today and wind up in the ET Open collection while other rules may not.  At least that's how I believe it works on the Snort subscriber versus registered-user rules.

            Bill

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.