Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort failing to restart after rules update - manual restart works fine

    Scheduled Pinned Locked Moved IDS/IPS
    4 Posts 3 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      paddyboyfloyd
      last edited by

      Running Snort 3.2.9.1_14 on pfSense 2.3.2.  3-4 times a week when SNORT updates the rules overnight, the two interfaces fail to restart.  System logs do not show any attempt to restart the interfaces.  When I log in, I can manually start the interfaces with out issue.    I don't see any log in the System log that a start was generated on the interface.  Only items in System log from last night:
      Oct 31 00:05:15 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules are up to date…
      Oct 31 00:05:18 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules are up to date…
      Oct 31 00:05:18 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
      Oct 31 00:05:18 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      Oct 31 00:05:18 check_reload_status Syncing firewall
      But when I manually started interface, no issue:
      Oct 31 09:48:42 php-fpm 96951 /index.php: Successful login for user 'admin' from: 192.168.1.103
      Oct 31 09:49:00 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: LAN …
      Oct 31 09:49:17 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: LAN…
      Oct 31 09:49:19 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for LAN…
      Oct 31 09:49:26 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
      Oct 31 09:49:43 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
      Oct 31 09:49:45 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
      Oct 31 09:49:52 php-fpm 9467 /snort/snort_interfaces.php: Starting Snort on LAN(em2) per user request...
      Oct 31 09:49:52 php-fpm 9467 /snort/snort_interfaces.php: [Snort] Snort START for LAN(em2)…
      Oct 31 09:51:48 kernel em2: promiscuous mode enabled

      Any idea as to why SNORT is not starting or attempting to start the interface after the update?

      1 Reply Last reply Reply Quote 0
      • B Offline
        benofishal
        last edited by

        I am also having this problem. Anyone with any light to shed?

        1 Reply Last reply Reply Quote 0
        • U Offline
          u3c307
          last edited by

          is your memory setting set to AC-BNFA-NQ?

          1 Reply Last reply Reply Quote 0
          • P Offline
            paddyboyfloyd
            last edited by

            Currently algorithm is set to AC-BNFA.  I tried to run it on ACS, but it basically maxed out the RAM and made the interface very unusable.  It's running on a 2.3.2 on a Quad core celeron with 4GB RAM.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.