    Snort Stopping

    IDS/IPS
    7 Posts 3 Posters 6.0k Views
    • datajunkie

      Snort seems to just stop. I have the service watchdog on it, but it still just stops.  I have to forcibly re-enable it.  Anything I need to investigate?

      System
      2.3.1-RELEASE-p5 (amd64)
      built on Thu Jun 16 12:53:15 CDT 2016
      FreeBSD 10.3-RELEASE-p3

      snort security 3.2.9.1_14 Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.

      Package Dependencies:
        barnyard2-1.13   snort-2.9.8.3

      • bmeeks

        @datajunkie:

        Snort seems to just stop. I have the service watchdog on it, but it still just stops.  I have to forcibly re-enable it.  Anything I need to investigate?

        System
        2.3.1-RELEASE-p5 (amd64)
        built on Thu Jun 16 12:53:15 CDT 2016
        FreeBSD 10.3-RELEASE-p3

        snort security 3.2.9.1_14 Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.

        Package Dependencies:
          barnyard2-1.13   snort-2.9.8.3

        Never run the Service Watchdog package on Snort!  The watchdog package does not understand when Snort is updating rules and needs to self-restart.  It sees Snort stopped (it actually just sees the PID file missing in /var/run) and immediately tries to restart it.  This restart will collide with the Snort self-restart happening at the end of a rules update.  The result is either multiple duplicate Snort processes, or one or more of the processes will just die.

        Snort takes a long time to start up, and if multiple events on your firewall are triggering a "restart all packages" command, Snort can get killed.  One thing that can trigger "restart all packages" is WAN IP address renewals if using DHCP.

        Bill

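The collision Bill describes (a watchdog that only checks for the PID file under /var/run restarting Snort while Snort's own end-of-update restart is still in flight) can be modelled on a constructed timeline. This is an added example, not pfSense, Snort or Service Watchdog code: the 30-second startup time, the 10-second scan period, the update finishing at t=20, and the "update lock" that the hardened policy consults are all assumptions made for the simulation. It runs the naive policy and an update-aware policy side by side and reports which PIDs are left alive.

```python
"""Model of the Service Watchdog / Snort self-restart collision.

Added example, not pfSense, Snort or Service Watchdog code.  Timings are
constructed: a rules update ends at t=20, Snort stops itself and needs
RESTART_SECONDS to write its PID file again, and the watchdog scans every
SCAN_INTERVAL seconds looking only at whether the PID file exists.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

RESTART_SECONDS = 30   # assumed: rule loading time before the PID file reappears
SCAN_INTERVAL = 10     # assumed: watchdog scan period in seconds
UPDATE_ENDS_AT = 20    # constructed: rules update finishes, Snort restarts itself


@dataclass
class SnortState:
    live_pids: Set[int] = field(default_factory=lambda: {1000})
    pid_file_present: bool = True          # stands in for /var/run/snort_*.pid
    update_lock: bool = False              # assumed marker: self-restart in progress
    last_stop_at: Optional[int] = None
    starts_in_flight: List[Tuple[int, int]] = field(default_factory=list)
    next_pid: int = 1001

    def begin_start(self, now: int) -> None:
        """A start takes RESTART_SECONDS; the PID file appears only on completion."""
        self.starts_in_flight.append((now + RESTART_SECONDS, self.next_pid))
        self.next_pid += 1

    def self_restart(self, now: int) -> None:
        """End of a rules update: Snort kills itself and schedules its own restart."""
        self.live_pids.clear()
        self.pid_file_present = False
        self.update_lock = True
        self.last_stop_at = now
        self.begin_start(now)

    def finish_starts(self, now: int) -> None:
        done = [(t, p) for t, p in self.starts_in_flight if t <= now]
        self.starts_in_flight = [(t, p) for t, p in self.starts_in_flight if t > now]
        for _, pid in done:
            self.live_pids.add(pid)        # every completed start is a live process
            self.pid_file_present = True
            self.update_lock = False       # the first completion is Snort's own restart


def naive_watchdog(state: SnortState, now: int) -> bool:
    """Service Watchdog behaviour from the post: PID file missing -> restart now."""
    return not state.pid_file_present


def update_aware_watchdog(state: SnortState, now: int, grace: int = RESTART_SECONDS) -> bool:
    """Hardened policy: never intervene while a self-restart is in progress, and
    give a freshly stopped service a grace period before restarting it."""
    if state.pid_file_present or state.update_lock:
        return False
    return state.last_stop_at is None or now - state.last_stop_at >= grace


def simulate(policy: Callable[[SnortState, int], bool], horizon: int = 120) -> List[int]:
    """Advance one second at a time; return the sorted live PIDs at the horizon."""
    state = SnortState()
    for now in range(1, horizon + 1):
        state.finish_starts(now)
        if now == UPDATE_ENDS_AT:
            state.self_restart(now)
        if now % SCAN_INTERVAL == 5 and policy(state, now):   # watchdog scan
            state.begin_start(now)
    return sorted(state.live_pids)


if __name__ == "__main__":
    print("naive watchdog, live PIDs:       ", simulate(naive_watchdog))
    print("update-aware watchdog, live PIDs:", simulate(update_aware_watchdog))
```

With the naive policy the watchdog fires on each of the three scans that fall inside Snort's own startup window, so four Snort processes end up alive; the update-aware policy leaves only the one Snort started itself. The "update lock" is the piece the real Service Watchdog package lacks, which is why Bill's advice is simply not to run it against Snort.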
        • datajunkie

          Wow… I would have never known that, thanks for the heads up.  Let me see if that clears up the situation.

          • bmeeks

            @datajunkie:

            Wow… I would have never known that, thanks for the heads up.  Let me see if that clears up the situation.

            Yeah, the issue with the Watchdog package is that it tries to restart everything it finds not running on each scan.  For some more primitive packages, that is OK.  For more complex packages like Snort or Suricata that have their own reasons for stopping and restarting, the Watchdog package interferes with their operation.

            Bill

            • datajunkie

              So I turned off the Service Watchdog and I'm still seeing the same issue.  There wasn't much logging to go off of on why it might be stopping.

              Log Update:
              Starting rules update…  Time: 2016-07-14 10:33:19
              Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
              Checking Snort VRT rules md5 file...
              Snort VRT rules are up to date.
              Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
              Checking Snort OpenAppID detectors md5 file...
              Snort OpenAppID detectors are up to date.
              Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
              Checking Snort GPLv2 Community Rules md5 file...
              There is a new set of Snort GPLv2 Community Rules posted.
              Downloading file 'community-rules.tar.gz'...
              Done downloading rules file.
              Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
              Checking Emerging Threats Open rules md5 file...
              Emerging Threats Open rules are up to date.
              Extracting and installing Snort GPLv2 Community Rules...
              Installation of Snort GPLv2 Community Rules completed.
              Copying new config and map files...
              Updating rules configuration for: WAN ...
              The Rules update has finished.  Time: 2016-07-14 10:33:39

              • bmeeks

                @datajunkie:

                So I turned off the Service Watchdog and I'm still seeing the same issue.  There wasn't much logging to go off of on why it might be stopping.

                Log Update:
                Starting rules update…  Time: 2016-07-14 10:33:19
                Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
                Checking Snort VRT rules md5 file...
                Snort VRT rules are up to date.
                Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
                Checking Snort OpenAppID detectors md5 file...
                Snort OpenAppID detectors are up to date.
                Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
                Checking Snort GPLv2 Community Rules md5 file...
                There is a new set of Snort GPLv2 Community Rules posted.
                Downloading file 'community-rules.tar.gz'...
                Done downloading rules file.
                Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
                Checking Emerging Threats Open rules md5 file...
                Emerging Threats Open rules are up to date.
                Extracting and installing Snort GPLv2 Community Rules...
                Installation of Snort GPLv2 Community Rules completed.
                Copying new config and map files...
                Updating rules configuration for: WAN ...
                The Rules update has finished.  Time: 2016-07-14 10:33:39

                You can enable verbose startup logging by checking a box at the bottom of the GLOBAL SETTINGS tab.  Check that box and save the change.  Next time Snort restarts it will log pretty much everything to the system log.  Some hints may emerge there.  At each rules update Snort will stop and restart itself.

                What is currently in the system log?  Does the process run until the rules update and then fail to restart after that, or does it just die randomly during the day?

                Bill

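Bill's two questions (does Snort fail to come back after the rules update, or does it die at random during the day?) can be answered mechanically by lining up the system log against the update log. The following is an added example, not part of the thread or of the Snort package: it parses the "Time: YYYY-MM-DD HH:MM:SS" stamps from an update log like the one posted above, pulls Snort stop/start messages out of a constructed syslog excerpt (the message texts and PIDs are made up for illustration; the year is supplied because syslog lines carry none), and labels each stop as update-related or unexplained, noting whether a start followed it.

```python
"""Correlate Snort stops in the system log with rules-update times.

Added example, not pfSense or Snort code.  SYSTEM_LOG is a constructed
excerpt; real Snort message text varies by version.  UPDATE_LOG uses the
"Time: ..." stamp format of the package's rules update log.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

UPDATE_LOG = """\
Starting rules update...  Time: 2016-07-14 10:33:19
Updating rules configuration for: WAN ...
The Rules update has finished.  Time: 2016-07-14 10:33:39
"""

# Constructed syslog lines: a stop right after the update (expected, and it
# restarted) and a second stop in the afternoon with no restart behind it.
SYSTEM_LOG = """\
Jul 14 10:33:40 pfSense snort[41523]: *** Caught Term-Signal
Jul 14 10:33:41 pfSense snort[41523]: Snort exiting
Jul 14 10:34:05 pfSense snort[41777]: Commencing packet processing (pid=41777)
Jul 14 15:12:08 pfSense snort[41777]: Snort exiting
"""

UPDATE_RE = re.compile(r"The Rules update has finished\.\s+Time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[(\d+)\]: (.*)$")


def parse_update_times(text: str) -> List[datetime]:
    """Timestamps at which a rules update finished (i.e. Snort self-restarted)."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") for m in UPDATE_RE.finditer(text)]


def parse_snort_events(text: str, year: int) -> List[Tuple[datetime, int, str]]:
    """(timestamp, pid, 'stop'|'start') for each Snort lifecycle message."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if "Snort exiting" in msg:
            kind = "stop"
        elif "Commencing packet processing" in msg:
            kind = "start"
        else:
            continue   # other chatter (signal notices, rule counts) is ignored
        events.append((ts, int(m.group(2)), kind))
    return events


def classify_stops(events: List[Tuple[datetime, int, str]],
                   update_times: List[datetime],
                   window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Label each stop by cause and say whether a start followed within `window`."""
    starts = [ts for ts, _, kind in events if kind == "start"]
    report = []
    for ts, pid, kind in events:
        if kind != "stop":
            continue
        after_update = any(timedelta(0) <= ts - u <= window for u in update_times)
        restarted = any(timedelta(0) < s - ts <= window for s in starts)
        report.append({
            "time": ts.isoformat(sep=" "),
            "pid": pid,
            "cause": "rules-update" if after_update else "unexplained",
            "restarted": restarted,
        })
    return report


def analyse(system_log: str = SYSTEM_LOG, update_log: str = UPDATE_LOG, year: int = 2016) -> List[Dict]:
    return classify_stops(parse_snort_events(system_log, year), parse_update_times(update_log))


if __name__ == "__main__":
    for row in analyse():
        print(row)
```

Run against a real pair of logs (with verbose startup logging switched on as Bill suggests, so the stop and start messages actually appear), a stop tagged "rules-update" with "restarted": False points at the post-update restart failing, while "unexplained" stops during the day point at something else killing the process, such as the "restart all packages" path mentioned earlier in the thread.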
                • slui1984

                  I have the same issue. I upgraded to 3.2.9.1_14, and now Snort is unable to start. Please help!!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.