Snort turning itself OFF
-
Hi
I noticed Snort has turned itself off the past few days after the rules update. The rules update succeeds but I find Snort is stopped???
Not good at all. I was OK before; even if a rules update failed, it never stopped by itself. I ran the Snort package update 2 days ago but it is still doing that.
Does anybody have the same issue? What might be wrong or changed?
Thanks.
PS. I have Snort logs set up on the local system (SSD) and checked log size options are limited. Logs exceeding memory should not be an issue.
-
Have you looked back through your firewall's system log to see what, if any, messages might have been logged by Snort as it restarted from the rules update? The most likely possibility is a rule syntax error of some sort with one of your enabled rules (or even a newly added rule). Those happen from time to time as the rules are modified by the authors/vendors.
Bill
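
Bill's suggestion above, as an added example that is not part of the original thread: a Python example that pulls Snort's syslog messages from the minutes after a rules update and flags fatal startup errors, including the rule file and line when the message names one. The log lines are constructed, and the `FATAL ERROR: <file>(<line>) <reason>` message shape, the function names and the 10-minute window are assumptions; adjust the patterns to what your own system log shows.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the thread). The fatal-error
# message shape "FATAL ERROR: <file>(<line>) <reason>" is an assumption.
SAMPLE_LOG = """\
Mar  3 00:05:41 fw snort[41873]: [1:1000001:1] ICMP ping [Classification: Misc Attack] {ICMP} 192.0.2.10 -> 198.51.100.5
Mar  3 00:07:02 fw php: rules update finished
Mar  3 00:07:05 fw snort[41873]: *** Caught Term-Signal
Mar  3 00:07:09 fw snort[52210]: FATAL ERROR: /path/to/snort.rules(1274) Unknown rule option: 'example_opt'.
Mar  3 00:31:00 fw snort[52999]: FATAL ERROR: constructed message without a rule location
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+snort\[(\d+)\]:\s+(.*)$")
FATAL_RE = re.compile(r"FATAL ERROR: (\S+)\((\d+)\)\s+(.*)")

def parse_ts(text, year):
    # Syslog timestamps carry no year and pad the day with spaces.
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def snort_events_after(log_text, update_time, window_minutes=10, year=2024):
    """Return Snort messages logged within window_minutes after update_time."""
    start = parse_ts(update_time, year)
    end = start + timedelta(minutes=window_minutes)
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Snort line
        ts = parse_ts(m.group(1), year)
        if not start <= ts <= end:
            continue  # outside the restart window
        msg = m.group(3)
        loc = FATAL_RE.search(msg)
        events.append({
            "time": ts, "pid": int(m.group(2)), "message": msg,
            "fatal": "FATAL ERROR" in msg,
            # Rule file and line are only present when the error names a rule.
            "rule_file": loc.group(1) if loc else None,
            "rule_line": int(loc.group(2)) if loc else None,
        })
    return events

def fatal_errors(events):
    return [e for e in events if e["fatal"]]

if __name__ == "__main__":
    for e in snort_events_after(SAMPLE_LOG, "Mar 3 00:07:00"):
        print(e["time"].time(), "FATAL" if e["fatal"] else "info ", e["message"])
```

An empty result for the window after the update time means Snort logged nothing at restart, which points away from a rule syntax error and toward the process being stopped without a restart attempt.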
-
This happened to me yesterday as well. When I checked the interface, Snort was stopped. I simply restarted and all is well. These issues happen so rarely and typically fix themselves, so that I am neither worried nor inclined to start a research project over this issue.
-
Yes, I did. The rules update happened at 00:07. Before that, Snort shows some ping IP ("Misc Attacks") log alerts. After 00:07 nothing until I restarted Snort in the morning. No records in the system log. I will check the logs if it happens again.
Thanks.