Snort no long running
-
I have Snort 4.1.3_2 installed on my PFSENSE.
This morning I discovered that my plugin is no longer running, so I tried to restart it, but every time I click on the cycle arrow it tries but doesn't.
It has been running fine for the past few months, as I was monitoring ping attacks and I wanted to make sure I was not being hacked.
I have tried removing it and reinstalling it, but this didn't resolve the issue.
I have tried to find the logs to see what is happening but I can't find them, so can someone please tell me where they are, or whether this is a known issue with the package and there is a known solution?
-
I have got the same situation.
-
I've got this error in the log:
FATAL ERROR: /usr/local/etc/snort/snort_17455_em1.5/rules/snort.rules(10922) Unable to process the IP address: [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000].
-
Same here!
-
After removing the "download of Emerging Threats Open rules", and a force update of rules, Snort restarted.
Obviously without the Emerging Threats Open rules.
-
OK, problem solved.
If you remove the line from the file snort.rules, Snort starts again.
-
this is the line
alert tcp [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 377"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:4374; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2021_03_19;)
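-
An added example, not part of the original thread and not pfSense or Snort code: a Python check that lists the rule lines whose address fields contain an entry that is not a valid IP or CIDR, such as the truncated `2001:41` in the rule above. It assumes Python's `ipaddress` module is a fair stand-in for what Snort accepts; the sample rules are constructed (the first is made up, the second is shortened from the thread's rule).

```python
import ipaddress
import sys

def bad_addresses(field):
    """Return the entries of a rule address field that are not valid IPs/CIDRs."""
    bad = []
    for item in field.replace("[", "").replace("]", "").split(","):
        item = item.strip().lstrip("!")
        if not item or item == "any" or item.startswith("$"):
            continue  # keyword or variable such as $HOME_NET
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            bad.append(item)
    return bad

def check_rules(lines):
    """Yield (line_number, sid, bad_entries) for each rule with a malformed address."""
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue
        header, _, options = line.partition("(")
        parts = header.split()
        if len(parts) != 7:  # action proto src sport direction dst dport
            continue
        bad = bad_addresses(parts[2]) + bad_addresses(parts[5])
        if bad:
            sid = next((o.split(":", 1)[1].strip() for o in options.split(";")
                        if o.strip().startswith("sid:")), "?")
            yield number, sid, bad

# Constructed sample input: one well-formed rule, one with the truncated entry.
SAMPLE = [
    'alert tcp [192.0.2.0/24,!192.0.2.7] any -> $HOME_NET any '
    '(msg:"constructed good rule"; sid:1000001; rev:1;)',
    'alert tcp [200.122.181.101,200.122.181.78,'
    '2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,'
    '2001:41c8:0051:0490:feff:00ff:fe00:3214] any -> $HOME_NET any '
    '(msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 377"; '
    'flags:S; sid:2522376; rev:4374;)',
]

if __name__ == "__main__":
    # With a path argument, check that rules file; otherwise check the sample.
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE
    for number, sid, bad in check_rules(lines):
        print(f"line {number}: sid {sid}: invalid address entries {bad}")
```

Run against the generated snort.rules after a rule update, it points at the offending line and sid before Snort is restarted.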
-
@infosamu-it said in Snort no long running:
I've got this error in the log:
FATAL ERROR: /usr/local/etc/snort/snort_17455_em1.5/rules/snort.rules(10922) Unable to process the IP address: [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000].
Where are the log files so that I can check this myself?
-
From the GUI, status>system logs.
-
It looks like the rule has been fixed.
Force an update
Start or restart Snort
-
@ramosel Yep! fixed. Thank you.
-
Yes, it works!
-
@rogerboomhouser said in Snort no long running:
GUI, status>system
Thanks for the info, and now mine is working too.