SNORT Randomly Exits Signal 4 after update

daboomer

I hate to resurrect the dead, but I have been suffering the Snort Randomly Stops problem, for a couple months.the only thread available is Suricata on ARM, but I am having this exact issue with Snort on Intel. On a Supermicro 5018D-FN8T Xeon D, running 2.4.5-Release-p1.

Two exit signal 4 and 1 signal 11. I have 3 interfaces with Snort enabled, 2 are set to block traffic and one is not.

Is there anywhere in particular I can look to solve this?

Any help would be appreciated!

Dec 17 13:00:00
php

[Snort] Alert tcpdump packet capture file cleanup job removed 1 tcpdump packet capture file(s) from /var/log/snort/snort_igb220604/...
Dec 17 12:59:05
php

[Snort] The Rules update has finished.
Dec 17 12:59:04
php

[Snort] Building new sid-msg.map file for GUEST_LAN...
Dec 17 12:59:03
php

[Snort] Enabling any flowbit-required rules for: GUEST_LAN...
Dec 17 12:59:03
php

[Snort] Enabling any flowbit-required rules for: GUEST_LAN...
Dec 17 12:59:02
php

[Snort] Updating rules configuration for: GUEST_LAN ...
Dec 17 12:59:02
php

[Snort] Building new sid-msg.map file for LAN...
Dec 17 12:59:01
php

[Snort] Enabling any flowbit-required rules for: LAN...
Dec 17 12:59:00
php

[Snort] Enabling any flowbit-required rules for: LAN...
Dec 17 12:58:59
php

[Snort] Updating rules configuration for: LAN ...
Dec 17 12:58:59
php

[Snort] Building new sid-msg.map file for DMZ...
Dec 17 12:58:58
php

[Snort] Enabling any flowbit-required rules for: DMZ...
Dec 17 12:58:58
php

[Snort] Enabling any flowbit-required rules for: DMZ...
Dec 17 12:58:56
php

[Snort] Updating rules configuration for: DMZ ...
Dec 17 12:58:56
php

[Snort] Building new sid-msg.map file for WAN...
Dec 17 12:58:55
php

[Snort] Enabling any flowbit-required rules for: WAN...
Dec 17 12:58:55
php

[Snort] Enabling any flowbit-required rules for: WAN...
Dec 17 12:58:54
php

[Snort] Updating rules configuration for: WAN ...
Dec 17 12:58:52
kernel

igb2: promiscuous mode disabled
Dec 17 12:58:52
kernel

pid 97563 (snort), jid 0, uid 0: exited on signal 11
Dec 17 12:58:52
kernel

ix0: promiscuous mode disabled
Dec 17 12:58:52
kernel

pid 97918 (snort), jid 0, uid 0: exited on signal 4
Dec 17 12:58:50
kernel

igb0: promiscuous mode disabled
Dec 17 12:58:50
kernel

pid 97111 (snort), jid 0, uid 0: exited on signal 4
Dec 17 12:58:42
php

[Snort] Emerging Threats Open rules are up to date...
Dec 17 12:58:42
php

[Snort] Snort AppID Open Text Rules file update downloaded successfully
Dec 17 12:58:42
php

[Snort] There is a new set of Snort AppID Open Text Rules posted. Downloading appid_rules.tar.gz...
Dec 17 12:58:41
php

[Snort] Snort OpenAppID detectors are up to date...
Dec 17 12:58:41
php

[Snort] Snort Subscriber rules file update downloaded successfully
Dec 17 12:58:00
php

[Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29161.tar.gz...

fireodo

@daboomer

Hi,

maybe you want to read this:

Snort exit with Signal 11

Snort exit Signal 4

PS. BTW: Tonight my Snort was exiting too with Signal 4, but is working as expected. As you can see in my signature, its Intel too.

Regards,
fireodo

daboomer

@fireodo I am reading those now again... but I just figured something out... It is only when there is an update downloaded from
Snort OpenAppID Detectors
My snort was updating every 12 hours, now daily, but the update that causes the issue is the exact same time as theSnort OpenAppID Detectors MD5 Signature date/time