Snort stops after rules update
-
Hello,
I was wondering if someone can help: Snort seems to stop after the rules update and doesn't restart itself.
In the log I see this:
Jun 6 00:05:05 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29111.tar.gz...
Jun 6 00:05:27 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules file update downloaded successfully
Jun 6 00:05:28 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
Jun 6 00:05:29 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort OpenAppID RULES detectors posted. Downloading appid_rules.tar.gz...
Jun 6 00:05:29 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID RULES detectors file update downloaded successfully
Jun 6 00:05:30 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Jun 6 00:05:31 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file update downloaded successfully
Jun 6 00:05:37 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
Jun 6 00:06:43 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
Jun 6 00:06:53 kernel pid 94232 (snort), uid 0: exited on signal 11
Jun 6 00:06:58 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Jun 6 00:06:58 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Removed 51 obsoleted rules category files.
Jun 6 00:06:58 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
Jun 6 00:07:12 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Checking for rules dependent on disabled preprocessors for: WAN...
Jun 6 00:07:23 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN...
Jun 6 00:07:23 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Checking flowbit rules dependent on disabled preprocessors for: WAN...
Jun 6 00:07:24 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...
Jun 6 00:07:25 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
I have plenty of RAM (8 GB) in the box, and I changed the pattern matcher to AC-BNFA-NQ, as a couple of people on here said that resolves it, but I get the same thing every night.
Thanks
Steve -
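The log above shows the kernel reporting the Snort process killed by signal 11 (segmentation fault) while the rule update was still running. The following POSIX shell script is an added example, not part of this thread and not code from the pfSense Snort package: it scans a syslog extract, lists every Snort process that exited on a signal, and reports each rule-update window (from the first "There is a new set of" line to "The Rules update has finished.") together with the number of Snort crashes inside it, so the crash can be tied to a specific scheduled update time. The sample log is constructed from the lines quoted above plus an assumed second, crash-free 12:05 update; the line format (no hostname field after the timestamp) is assumed to match what the thread shows, and the log file path in the usage note is an assumption.

```shell
#!/bin/sh
# Added example: correlate Snort signal exits with rule-update windows in a
# syslog extract. Not from the pfSense Snort package; log format assumed to
# match the lines quoted in the thread.

# Constructed sample log (first window is taken from the thread, the second
# 12:05 window is assumed and crash-free).
SAMPLE_LOG='Jun 6 00:05:05 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29111.tar.gz...
Jun 6 00:05:27 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort Subscriber rules file update downloaded successfully
Jun 6 00:06:53 kernel pid 94232 (snort), uid 0: exited on signal 11
Jun 6 00:06:58 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
Jun 6 00:07:25 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Jun 6 12:05:03 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29111.tar.gz...
Jun 6 12:05:40 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.'

# Print one line per Snort process the kernel reports as exited on a signal:
#   "<month> <day> <time> pid=<pid> signal=<n>"
# Fields of a matching line: $1 month, $2 day, $3 time, $6 pid, $13 signal.
snort_signal_exits() {
    printf '%s\n' "$1" | awk '
        /kernel pid [0-9]+ \(snort\), uid [0-9]+: exited on signal [0-9]+/ {
            print $1 " " $2 " " $3 " pid=" $6 " signal=" $13
        }'
}

# Print one line per rule-update window:
#   "<start time> <end time> snort_crashes=<count>"
# A window opens at the first "There is a new set of" line and closes at
# "The Rules update has finished."; crashes in between are counted.
update_windows() {
    printf '%s\n' "$1" | awk '
        /snort_check_for_rule_updates\.php: \[Snort\] There is a new set of/ && !open {
            open = 1; start = $3; crashes = 0; next
        }
        /kernel pid [0-9]+ \(snort\), uid [0-9]+: exited on signal/ && open {
            crashes++
        }
        /\[Snort\] The Rules update has finished\./ && open {
            print start " " $3 " snort_crashes=" crashes; open = 0
        }'
}

# Stand-alone run: use a log file given as the first argument, else the sample.
if [ "$#" -gt 0 ]; then
    LOG=$(cat "$1")
else
    LOG=$SAMPLE_LOG
fi
echo "Snort signal exits:"
snort_signal_exits "$LOG"
echo "Rule-update windows:"
update_windows "$LOG"
```

Run it against an export of the firewall's system log (on pfSense this is normally /var/log/system.log, an assumption you should confirm on your install). A window that repeatedly shows snort_crashes=1 at the same clock time, as the reply below reports for one of two daily schedules, is the pattern worth comparing with the update schedule before changing it.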
This happened to me, and I tried:
-
DID NOT WORK: Forcing updates to get new MD5 hashes. Some updates had failed, and this made the "Result" say Success again. However, the non-starting symptom continued.
-
WORKED: Changing the time of day when updates occur. This did the trick for me, and I haven't had any problems since. I'm not sure exactly what the problem was, but the non-starts were occurring at only one of the scheduled update times. It was 0:05 and 12:05; I changed it to 8:45 once a day and have had no problems for two weeks now.
I'm changing it back to two updates a day, but keeping 8:45. Hope it works.
-