Netgate Discussion Forum

    Snort exited on signal 11

      sboyle

      I have an issue where Snort exits when it updates rules.  I can manually start it and it starts and runs fine, until the next update when it fails again.

      Here is what I see in the logs:
      Feb 8 12:05:23 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      Feb 8 12:05:22 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for LAN…
      Feb 8 12:05:22 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
      Feb 8 12:05:20 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
      Feb 8 12:05:20 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 49 obsoleted rules category files.
      Feb 8 12:05:20 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
      Feb 8 12:05:18 kernel pid 3372 (snort), uid 0: exited on signal 11
      Feb 8 12:05:14 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date…
      Feb 8 12:05:14 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date…
      Feb 8 12:05:11 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
      Feb 8 12:05:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2990.tar.gz…

      The update completes but Snort is not running after that.  I would appreciate any suggestions.

      Thanks!

        sboyle

        This is still occurring… today I see 'exited on signal 10'.

        Mar 14 00:06:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
        Mar 14 00:06:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for LAN…
        Mar 14 00:05:59 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN…
        Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN …
        Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 51 obsoleted rules category files.
        Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
        Mar 14 00:05:56 kernel pid 23837 (snort), uid 0: exited on signal 10
        Mar 14 00:05:48 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
        Mar 14 00:05:23 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
        Mar 14 00:05:22 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date…
        Mar 14 00:05:21 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
        Mar 14 00:05:01 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2990.tar.gz…

        I would appreciate any advice on how to troubleshoot this issue.

          bmeeks

          Signal 10 is a bus error and usually indicates the program binary attempted some type of unaligned memory access.  What hardware are you running on?  Is it perhaps an ARM CPU?  If so, you most definitely need to update to the latest Snort 2.9.11.1 package.  That package has some fixes for ARM hardware.  From your log post, you are running version 2.9.9.0, which is not the latest.

          Bill

            sboyle

            Thanks for the tip, I had missed that I was not running the latest package.  I'm running an Intel CPU:
            Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz
            4 CPUs: 1 package(s) x 4 core(s)
            AES-NI CPU Crypto: Yes (active)

            I've installed the latest snort package, hopefully that will take care of it.

              bmeeks

              @sboyle:

              Thanks for the tip, I had missed that I was not running the latest package.  I'm running an Intel CPU:
              Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz
              4 CPUs: 1 package(s) x 4 core(s)
              AES-NI CPU Crypto: Yes (active)

              I've installed the latest snort package, hopefully that will take care of it.

              A Signal 10 would be very unexpected on an Intel CPU with Snort.  On an Intel platform that may indicate a possibly failing memory chip or other memory component.  Signal 11 is not unheard of, but Signal 10 is rare.

              Bill
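
Added example (not part of any post in this thread, and not Netgate or Snort package code): a Python log check that finds Snort signal exits in system-log lines of the format quoted above, names the signal using FreeBSD numbering (10 = SIGBUS, 11 = SIGSEGV), and flags exits that fall inside a rules-update run, which is when the sensor silently stops inspecting traffic. The sample lines, the placeholder `year` and the 300-second `window_s` are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# FreeBSD signal numbers (pfSense runs on FreeBSD); Linux numbers SIGBUS differently.
FREEBSD_SIGNALS = {6: "SIGABRT", 10: "SIGBUS", 11: "SIGSEGV"}
STAMP = r"^\s*(\w{3}\s+\d+ \d\d:\d\d:\d\d) "
EXIT_RE = re.compile(STAMP + r"kernel pid (\d+) \(snort\), uid \d+: exited on signal (\d+)")
UPDATE_RE = re.compile(STAMP + r"php \S*snort_check_for_rule_updates\.php: \[Snort\] (.*)")

# Constructed sample in the thread's log layout (newest line first).
SAMPLE_LOG = """\
Mar 15 09:30:00 kernel pid 4100 (snort), uid 0: exited on signal 11
Mar 14 00:06:00 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Mar 14 00:05:57 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN ...
Mar 14 00:05:56 kernel pid 23837 (snort), uid 0: exited on signal 10
Mar 14 00:05:01 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted.
""".splitlines()

def _ts(stamp, year):
    # Syslog stamps carry no year, so the caller supplies one (placeholder default below).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_snort_crashes(lines, year=2000, window_s=300):
    """Return Snort signal exits, flagging those inside a rules-update run."""
    crashes, update_times, finish_times = [], [], []
    for line in lines:
        m = EXIT_RE.match(line)
        if m:
            crashes.append((_ts(m.group(1), year), int(m.group(2)), int(m.group(3))))
            continue
        m = UPDATE_RE.match(line)
        if m:
            t = _ts(m.group(1), year)
            update_times.append(t)
            if "Rules update has finished" in m.group(2):
                finish_times.append(t)
    zero, win = timedelta(0), timedelta(seconds=window_s)
    report = []
    for t, pid, sig in sorted(crashes):
        # Inside a run: updater activity shortly before AND a "finished" line shortly after.
        started = any(zero <= t - u <= win for u in update_times)
        finished = any(zero <= f - t <= win for f in finish_times)
        report.append({"time": t.isoformat(sep=" "), "pid": pid,
                       "signal": FREEBSD_SIGNALS.get(sig, f"signal {sig}"),
                       "during_rules_update": started and finished})
    return report

if __name__ == "__main__":
    for row in find_snort_crashes(SAMPLE_LOG):
        print(row)
```

The comparison is time-based rather than order-based, so it works whether the log is pasted newest-first, as in the posts above, or oldest-first.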
